Page MenuHomeFreeBSD
Files F84293161

No OneTemporary
Actions

View Options

This file is larger than 256 KB, so syntax highlighting was skipped.
diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES
index 6484e7ea52bf..f6e01b982581 100644
--- a/crypto/openssl/CHANGES
+++ b/crypto/openssl/CHANGES
@@ -1,13695 +1,13732 @@
OpenSSL CHANGES
_______________
This is a high-level summary of the most important changes.
For a full list of changes, see the git commit log; for example,
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
+ Changes between 1.1.1m and 1.1.1n [15 Mar 2022]
+
+ *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever
+ for non-prime moduli.
+
+ Internally this function is used when parsing certificates that contain
+ elliptic curve public keys in compressed form or explicit elliptic curve
+ parameters with a base point encoded in compressed form.
+
+ It is possible to trigger the infinite loop by crafting a certificate that
+ has invalid explicit curve parameters.
+
+ Since certificate parsing happens prior to verification of the certificate
+ signature, any process that parses an externally supplied certificate may
+ thus be subject to a denial of service attack. The infinite loop can also
+ be reached when parsing crafted private keys as they can contain explicit
+ elliptic curve parameters.
+
+ Thus vulnerable situations include:
+
+ - TLS clients consuming server certificates
+ - TLS servers consuming client certificates
+ - Hosting providers taking certificates or private keys from customers
+ - Certificate authorities parsing certification requests from subscribers
+ - Anything else which parses ASN.1 elliptic curve parameters
+
+ Also any other applications that use the BN_mod_sqrt() where the attacker
+ can control the parameter values are vulnerable to this DoS issue.
+ (CVE-2022-0778)
+ [Tomáš Mráz]
+
+ *) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489)
+ to the list of ciphersuites providing Perfect Forward Secrecy as
+ required by SECLEVEL >= 3.
+
+ [Dmitry Belyavskiy, Nicola Tuveri]
+
Changes between 1.1.1l and 1.1.1m [14 Dec 2021]
*) Avoid loading of a dynamic engine twice.
[Bernd Edlinger]
*) Fixed building on Debian with kfreebsd kernels
[Mattias Ellert]
*) Prioritise DANE TLSA issuer certs over peer certs
[Viktor Dukhovni]
*) Fixed random API for MacOS prior to 10.12
These MacOS versions don't support the CommonCrypto APIs
[Lenny Primak]
Changes between 1.1.1k and 1.1.1l [24 Aug 2021]
*) Fixed an SM2 Decryption Buffer Overflow.
In order to decrypt SM2 encrypted data an application is expected to call the
API function EVP_PKEY_decrypt(). Typically an application will call this
function twice. The first time, on entry, the "out" parameter can be NULL and,
on exit, the "outlen" parameter is populated with the buffer size required to
hold the decrypted plaintext. The application can then allocate a sufficiently
sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL
value for the "out" parameter.
A bug in the implementation of the SM2 decryption code means that the
calculation of the buffer size required to hold the plaintext returned by the
first call to EVP_PKEY_decrypt() can be smaller than the actual size required by
the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is
called by the application a second time with a buffer that is too small.
A malicious attacker who is able present SM2 content for decryption to an
application could cause attacker chosen data to overflow the buffer by up to a
maximum of 62 bytes altering the contents of other data held after the
buffer, possibly changing application behaviour or causing the application to
crash. The location of the buffer is application dependent but is typically
heap allocated.
(CVE-2021-3711)
[Matt Caswell]
*) Fixed various read buffer overruns processing ASN.1 strings
ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING
structure which contains a buffer holding the string data and a field holding
the buffer length. This contrasts with normal C strings which are repesented as
a buffer for the string data which is terminated with a NUL (0) byte.
Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's
own "d2i" functions (and other similar parsing functions) as well as any string
whose value has been set with the ASN1_STRING_set() function will additionally
NUL terminate the byte array in the ASN1_STRING structure.
However, it is possible for applications to directly construct valid ASN1_STRING
structures which do not NUL terminate the byte array by directly setting the
"data" and "length" fields in the ASN1_STRING array. This can also happen by
using the ASN1_STRING_set0() function.
Numerous OpenSSL functions that print ASN.1 data have been found to assume that
the ASN1_STRING byte array will be NUL terminated, even though this is not
guaranteed for strings that have been directly constructed. Where an application
requests an ASN.1 structure to be printed, and where that ASN.1 structure
contains ASN1_STRINGs that have been directly constructed by the application
without NUL terminating the "data" field, then a read buffer overrun can occur.
The same thing can also occur during name constraints processing of certificates
(for example if a certificate has been directly constructed by the application
instead of loading it via the OpenSSL parsing functions, and the certificate
contains non NUL terminated ASN1_STRING structures). It can also occur in the
X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions.
If a malicious actor can cause an application to directly construct an
ASN1_STRING and then process it through one of the affected OpenSSL functions
then this issue could be hit. This might result in a crash (causing a Denial of
Service attack). It could also result in the disclosure of private memory
contents (such as private keys, or sensitive plaintext).
(CVE-2021-3712)
[Matt Caswell]
Changes between 1.1.1j and 1.1.1k [25 Mar 2021]
*) Fixed a problem with verifying a certificate chain when using the
X509_V_FLAG_X509_STRICT flag. This flag enables additional security checks
of the certificates present in a certificate chain. It is not set by
default.
Starting from OpenSSL version 1.1.1h a check to disallow certificates in
the chain that have explicitly encoded elliptic curve parameters was added
as an additional strict check.
An error in the implementation of this check meant that the result of a
previous check to confirm that certificates in the chain are valid CA
certificates was overwritten. This effectively bypasses the check
that non-CA certificates must not be able to issue other certificates.
If a "purpose" has been configured then there is a subsequent opportunity
for checks that the certificate is a valid CA. All of the named "purpose"
values implemented in libcrypto perform this check. Therefore, where
a purpose is set the certificate chain will still be rejected even when the
strict flag has been used. A purpose is set by default in libssl client and
server certificate verification routines, but it can be overridden or
removed by an application.
In order to be affected, an application must explicitly set the
X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
for the certificate verification or, in the case of TLS client or server
applications, override the default purpose.
(CVE-2021-3450)
[Tomáš Mráz]
*) Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously
crafted renegotiation ClientHello message from a client. If a TLSv1.2
renegotiation ClientHello omits the signature_algorithms extension (where
it was present in the initial ClientHello), but includes a
signature_algorithms_cert extension then a NULL pointer dereference will
result, leading to a crash and a denial of service attack.
A server is only vulnerable if it has TLSv1.2 and renegotiation enabled
(which is the default configuration). OpenSSL TLS clients are not impacted
by this issue.
(CVE-2021-3449)
[Peter Kästle and Samuel Sapalski]
Changes between 1.1.1i and 1.1.1j [16 Feb 2021]
*) Fixed the X509_issuer_and_serial_hash() function. It attempts to
create a unique hash value based on the issuer and serial number data
contained within an X509 certificate. However it was failing to correctly
handle any errors that may occur while parsing the issuer field (which might
occur if the issuer field is maliciously constructed). This may subsequently
result in a NULL pointer deref and a crash leading to a potential denial of
service attack.
(CVE-2021-23841)
[Matt Caswell]
*) Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
padding mode to correctly check for rollback attacks. This is considered a
bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is
CVE-2021-23839.
[Matt Caswell]
*) Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
functions. Previously they could overflow the output length argument in some
cases where the input length is close to the maximum permissable length for
an integer on the platform. In such cases the return value from the function
call would be 1 (indicating success), but the output length value would be
negative. This could cause applications to behave incorrectly or crash.
(CVE-2021-23840)
[Matt Caswell]
*) Fixed SRP_Calc_client_key so that it runs in constant time. The previous
implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This
could be exploited in a side channel attack to recover the password. Since
the attack is local host only this is outside of the current OpenSSL
threat model and therefore no CVE is assigned.
Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
issue.
[Matt Caswell]
Changes between 1.1.1h and 1.1.1i [8 Dec 2020]
*) Fixed NULL pointer deref in the GENERAL_NAME_cmp function
This function could crash if both GENERAL_NAMEs contain an EDIPARTYNAME.
If an attacker can control both items being compared then this could lead
to a possible denial of service attack. OpenSSL itself uses the
GENERAL_NAME_cmp function for two purposes:
1) Comparing CRL distribution point names between an available CRL and a
CRL distribution point embedded in an X509 certificate
2) When verifying that a timestamp response token signer matches the
timestamp authority name (exposed via the API functions
TS_RESP_verify_response and TS_RESP_verify_token)
(CVE-2020-1971)
[Matt Caswell]
*) Add support for Apple Silicon M1 Macs with the darwin64-arm64-cc target.
[Stuart Carnie]
*) The security callback, which can be customised by application code, supports
the security operation SSL_SECOP_TMP_DH. This is defined to take an EVP_PKEY
in the "other" parameter. In most places this is what is passed. All these
places occur server side. However there was one client side call of this
security operation and it passed a DH object instead. This is incorrect
according to the definition of SSL_SECOP_TMP_DH, and is inconsistent with all
of the other locations. Therefore this client side call has been changed to
pass an EVP_PKEY instead.
[Matt Caswell]
*) In 1.1.1h, an expired trusted (root) certificate was not anymore rejected
when validating a certificate path. This check is restored in 1.1.1i.
[David von Oheimb]
Changes between 1.1.1g and 1.1.1h [22 Sep 2020]
*) Certificates with explicit curve parameters are now disallowed in
verification chains if the X509_V_FLAG_X509_STRICT flag is used.
[Tomas Mraz]
*) The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
ignore TLS protocol version bounds when configuring DTLS-based contexts, and
conversely, silently ignore DTLS protocol version bounds when configuring
TLS-based contexts. The commands can be repeated to set bounds of both
types. The same applies with the corresponding "min_protocol" and
"max_protocol" command-line switches, in case some application uses both TLS
and DTLS.
SSL_CTX instances that are created for a fixed protocol version (e.g.
TLSv1_server_method()) also silently ignore version bounds. Previously
attempts to apply bounds to these protocol versions would result in an
error. Now only the "version-flexible" SSL_CTX instances are subject to
limits in configuration files in command-line options.
[Viktor Dukhovni]
*) Handshake now fails if Extended Master Secret extension is dropped
on renegotiation.
[Tomas Mraz]
*) Accidentally, an expired trusted (root) certificate is not anymore rejected
when validating a certificate path.
[David von Oheimb]
*) The Oracle Developer Studio compiler will start reporting deprecated APIs
Changes between 1.1.1f and 1.1.1g [21 Apr 2020]
*) Fixed segmentation fault in SSL_check_chain()
Server or client applications that call the SSL_check_chain() function
during or after a TLS 1.3 handshake may crash due to a NULL pointer
dereference as a result of incorrect handling of the
"signature_algorithms_cert" TLS extension. The crash occurs if an invalid
or unrecognised signature algorithm is received from the peer. This could
be exploited by a malicious peer in a Denial of Service attack.
(CVE-2020-1967)
[Benjamin Kaduk]
*) Added AES consttime code for no-asm configurations
an optional constant time support for AES was added
when building openssl for no-asm.
Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
At this time this feature is by default disabled.
It will be enabled by default in 3.0.
[Bernd Edlinger]
Changes between 1.1.1e and 1.1.1f [31 Mar 2020]
*) Revert the change of EOF detection while reading in libssl to avoid
regressions in applications depending on the current way of reporting
the EOF. As the existing method is not fully accurate the change to
reporting the EOF via SSL_ERROR_SSL is kept on the current development
branch and will be present in the 3.0 release.
[Tomas Mraz]
*) Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
when primes for RSA keys are computed.
Since we previously always generated primes == 2 (mod 3) for RSA keys,
the 2-prime and 3-prime RSA modules were easy to distinguish, since
N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore fingerprinting
2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
This avoids possible fingerprinting of newly generated RSA modules.
[Bernd Edlinger]
Changes between 1.1.1d and 1.1.1e [17 Mar 2020]
*) Properly detect EOF while reading in libssl. Previously if we hit an EOF
while reading in libssl then we would report an error back to the
application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
an error to the stack (which means we instead return SSL_ERROR_SSL) and
therefore give a hint as to what went wrong.
[Matt Caswell]
*) Check that ed25519 and ed448 are allowed by the security level. Previously
signature algorithms not using an MD were not being checked that they were
allowed by the security level.
[Kurt Roeckx]
*) Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername()
was not quite right. The behaviour was not consistent between resumption
and normal handshakes, and also not quite consistent with historical
behaviour. The behaviour in various scenarios has been clarified and
it has been updated to make it match historical behaviour as closely as
possible.
[Matt Caswell]
*) [VMS only] The header files that the VMS compilers include automatically,
__DECC_INCLUDE_PROLOGUE.H and __DECC_INCLUDE_EPILOGUE.H, use pragmas that
the C++ compiler doesn't understand. This is a shortcoming in the
compiler, but can be worked around with __cplusplus guards.
C++ applications that use OpenSSL libraries must be compiled using the
qualifier '/NAMES=(AS_IS,SHORTENED)' to be able to use all the OpenSSL
functions. Otherwise, only functions with symbols of less than 31
characters can be used, as the linker will not be able to successfully
resolve symbols with longer names.
[Richard Levitte]
*) Corrected the documentation of the return values from the EVP_DigestSign*
set of functions. The documentation mentioned negative values for some
errors, but this was never the case, so the mention of negative values
was removed.
Code that followed the documentation and thereby check with something
like 'EVP_DigestSignInit(...) <= 0' will continue to work undisturbed.
[Richard Levitte]
*) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure
used in exponentiation with 512-bit moduli. No EC algorithms are
affected. Analysis suggests that attacks against 2-prime RSA1024,
3-prime RSA1536, and DSA1024 as a result of this defect would be very
difficult to perform and are not believed likely. Attacks against DH512
are considered just feasible. However, for an attack the target would
have to re-use the DH512 private key, which is not recommended anyway.
Also applications directly using the low level API BN_mod_exp may be
affected if they use BN_FLG_CONSTTIME.
(CVE-2019-1551)
[Andy Polyakov]
*) Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
The presence of this system service is determined at run-time.
[Richard Levitte]
*) Added newline escaping functionality to a filename when using openssl dgst.
This output format is to replicate the output format found in the '*sum'
checksum programs. This aims to preserve backward compatibility.
[Matt Eaton, Richard Levitte, and Paul Dale]
*) Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
the first value.
[Jon Spillett]
Changes between 1.1.1c and 1.1.1d [10 Sep 2019]
*) Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
number generator (RNG). This was intended to include protection in the
event of a fork() system call in order to ensure that the parent and child
processes did not share the same RNG state. However this protection was not
being used in the default case.
A partial mitigation for this issue is that the output from a high
precision timer is mixed into the RNG state so the likelihood of a parent
and child process sharing state is significantly reduced.
If an application already calls OPENSSL_init_crypto() explicitly using
OPENSSL_INIT_ATFORK then this problem does not occur at all.
(CVE-2019-1549)
[Matthias St. Pierre]
*) For built-in EC curves, ensure an EC_GROUP built from the curve name is
used even when parsing explicit parameters, when loading a serialized key
or calling `EC_GROUP_new_from_ecpkparameters()`/
`EC_GROUP_new_from_ecparameters()`.
This prevents bypass of security hardening and performance gains,
especially for curves with specialized EC_METHODs.
By default, if a key encoded with explicit parameters is loaded and later
serialized, the output is still encoded with explicit parameters, even if
internally a "named" EC_GROUP is used for computation.
[Nicola Tuveri]
*) Compute ECC cofactors if not provided during EC_GROUP construction. Before
this change, EC_GROUP_set_generator would accept order and/or cofactor as
NULL. After this change, only the cofactor parameter can be NULL. It also
does some minimal sanity checks on the passed order.
(CVE-2019-1547)
[Billy Bob Brumley]
*) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
An attack is simple, if the first CMS_recipientInfo is valid but the
second CMS_recipientInfo is chosen ciphertext. If the second
recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
encryption key will be replaced by garbage, and the message cannot be
decoded, but if the RSA decryption fails, the correct encryption key is
used and the recipient will not notice the attack.
As a work around for this potential attack the length of the decrypted
key must be equal to the cipher default key length, in case the
certifiate is not given and all recipientInfo are tried out.
The old behaviour can be re-enabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag.
(CVE-2019-1563)
[Bernd Edlinger]
*) Early start up entropy quality from the DEVRANDOM seed source has been
improved for older Linux systems. The RAND subsystem will wait for
/dev/random to be producing output before seeding from /dev/urandom.
The seeded state is stored for future library initialisations using
a system global shared memory segment. The shared memory identifier
can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
the desired value. The default identifier is 114.
[Paul Dale]
*) Correct the extended master secret constant on EBCDIC systems. Without this
fix TLS connections between an EBCDIC system and a non-EBCDIC system that
negotiate EMS will fail. Unfortunately this also means that TLS connections
between EBCDIC systems with this fix, and EBCDIC systems without this
fix will fail if they negotiate EMS.
[Matt Caswell]
*) Use Windows installation paths in the mingw builds
Mingw isn't a POSIX environment per se, which means that Windows
paths should be used for installation.
(CVE-2019-1552)
[Richard Levitte]
*) Changed DH_check to accept parameters with order q and 2q subgroups.
With order 2q subgroups the bit 0 of the private key is not secret
but DH_generate_key works around that by clearing bit 0 of the
private key for those. This avoids leaking bit 0 of the private key.
[Bernd Edlinger]
*) Significantly reduce secure memory usage by the randomness pools.
[Paul Dale]
*) Revert the DEVRANDOM_WAIT feature for Linux systems
The DEVRANDOM_WAIT feature added a select() call to wait for the
/dev/random device to become readable before reading from the
/dev/urandom device.
It turned out that this change had negative side effects on
performance which were not acceptable. After some discussion it
was decided to revert this feature and leave it up to the OS
resp. the platform maintainer to ensure a proper initialization
during early boot time.
[Matthias St. Pierre]
Changes between 1.1.1b and 1.1.1c [28 May 2019]
*) Add build tests for C++. These are generated files that only do one
thing, to include one public OpenSSL head file each. This tests that
the public header files can be usefully included in a C++ application.
This test isn't enabled by default. It can be enabled with the option
'enable-buildtest-c++'.
[Richard Levitte]
*) Enable SHA3 pre-hashing for ECDSA and DSA.
[Patrick Steuer]
*) Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
This changes the size when using the genpkey app when no size is given. It
fixes an omission in earlier changes that changed all RSA, DSA and DH
generation apps to use 2048 bits by default.
[Kurt Roeckx]
*) Reorganize the manual pages to consistently have RETURN VALUES,
EXAMPLES, SEE ALSO and HISTORY come in that order, and adjust
util/fix-doc-nits accordingly.
[Paul Yang, Joshua Lock]
*) Add the missing accessor EVP_PKEY_get0_engine()
[Matt Caswell]
*) Have apps like 's_client' and 's_server' output the signature scheme
along with other cipher suite parameters when debugging.
[Lorinczy Zsigmond]
*) Make OPENSSL_config() error agnostic again.
[Richard Levitte]
*) Do the error handling in RSA decryption constant time.
[Bernd Edlinger]
*) Prevent over long nonces in ChaCha20-Poly1305.
ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
for every encryption operation. RFC 7539 specifies that the nonce value
(IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
and front pads the nonce with 0 bytes if it is less than 12
bytes. However it also incorrectly allows a nonce to be set of up to 16
bytes. In this case only the last 12 bytes are significant and any
additional leading bytes are ignored.
It is a requirement of using this cipher that nonce values are
unique. Messages encrypted using a reused nonce value are susceptible to
serious confidentiality and integrity attacks. If an application changes
the default nonce length to be longer than 12 bytes and then makes a
change to the leading bytes of the nonce expecting the new value to be a
new unique nonce then such an application could inadvertently encrypt
messages with a reused nonce.
Additionally the ignored bytes in a long nonce are not covered by the
integrity guarantee of this cipher. Any application that relies on the
integrity of these ignored leading bytes of a long nonce may be further
affected. Any OpenSSL internal use of this cipher, including in SSL/TLS,
is safe because no such use sets such a long nonce value. However user
applications that use this cipher directly and set a non-default nonce
length to be longer than 12 bytes may be vulnerable.
This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk
Greef of Ronomon.
(CVE-2019-1543)
[Matt Caswell]
*) Add DEVRANDOM_WAIT feature for Linux systems
On older Linux systems where the getrandom() system call is not available,
OpenSSL normally uses the /dev/urandom device for seeding its CSPRNG.
Contrary to getrandom(), the /dev/urandom device will not block during
early boot when the kernel CSPRNG has not been seeded yet.
To mitigate this known weakness, use select() to wait for /dev/random to
become readable before reading from /dev/urandom.
*) Ensure that SM2 only uses SM3 as digest algorithm
[Paul Yang]
Changes between 1.1.1a and 1.1.1b [26 Feb 2019]
*) Added SCA hardening for modular field inversion in EC_GROUP through
a new dedicated field_inv() pointer in EC_METHOD.
This also addresses a leakage affecting conversions from projective
to affine coordinates.
[Billy Bob Brumley, Nicola Tuveri]
*) Change the info callback signals for the start and end of a post-handshake
message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START
and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get
confused by this and assume that a TLSv1.2 renegotiation has started. This
can break KeyUpdate handling. Instead we no longer signal the start and end
of a post handshake message exchange (although the messages themselves are
still signalled). This could break some applications that were expecting
the old signals. However without this KeyUpdate is not usable for many
applications.
[Matt Caswell]
*) Fix a bug in the computation of the endpoint-pair shared secret used
by DTLS over SCTP. This breaks interoperability with older versions
of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime
switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling
interoperability with such broken implementations. However, enabling
this switch breaks interoperability with correct implementations.
*) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
re-used X509_PUBKEY object if the second PUBKEY is malformed.
[Bernd Edlinger]
*) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
[Richard Levitte]
*) Remove the 'dist' target and add a tarball building script. The
'dist' target has fallen out of use, and it shouldn't be
necessary to configure just to create a source distribution.
[Richard Levitte]
*) Added support for Linux Kernel TLS data-path. The Linux Kernel data-path
improves application performance by removing data copies and providing
applications with zero-copy system calls such as sendfile and splice.
[Boris Pismenny]
Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
*) Timing vulnerability in DSA signature generation
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
timing side channel attack. An attacker could use variations in the signing
algorithm to recover the private key.
This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
(CVE-2018-0734)
[Paul Dale]
*) Timing vulnerability in ECDSA signature generation
The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
timing side channel attack. An attacker could use variations in the signing
algorithm to recover the private key.
This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
(CVE-2018-0735)
[Paul Dale]
*) Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
are retained for backwards compatibility.
[Antoine Salon]
*) Fixed the issue that RAND_add()/RAND_seed() silently discards random input
if its length exceeds 4096 bytes. The limit has been raised to a buffer size
of two gigabytes and the error handling improved.
This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been
categorized as a normal bug, not a security issue, because the DRBG reseeds
automatically and is fully functional even without additional randomness
provided by the application.
Changes between 1.1.0i and 1.1.1 [11 Sep 2018]
*) Add a new ClientHello callback. Provides a callback interface that gives
the application the ability to adjust the nascent SSL object at the
earliest stage of ClientHello processing, immediately after extensions have
been collected but before they have been processed. In particular, this
callback can adjust the supported TLS versions in response to the contents
of the ClientHello
[Benjamin Kaduk]
*) Add SM2 base algorithm support.
[Jack Lloyd]
*) s390x assembly pack: add (improved) hardware-support for the following
cryptographic primitives: sha3, shake, aes-gcm, aes-ccm, aes-ctr, aes-ofb,
aes-cfb/cfb8, aes-ecb.
[Patrick Steuer]
*) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
parameter is no longer accepted, as it leads to a corrupt table. NULL
pem_str is reserved for alias entries only.
[Richard Levitte]
*) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
step for prime curves. The new implementation is based on formulae from
differential addition-and-doubling in homogeneous projective coordinates
from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
to work in projective coordinates.
[Billy Bob Brumley, Nicola Tuveri]
*) Change generating and checking of primes so that the error rate of not
being prime depends on the intended use based on the size of the input.
For larger primes this will result in more rounds of Miller-Rabin.
The maximal error rate for primes with more than 1080 bits is lowered
to 2^-128.
[Kurt Roeckx, Annie Yousar]
*) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
[Kurt Roeckx]
*) The 'tsget' script is renamed to 'tsget.pl', to avoid confusion when
moving between systems, and to avoid confusion when a Windows build is
done with mingw vs with MSVC. For POSIX installs, there's still a
symlink or copy named 'tsget' to avoid that confusion as well.
[Richard Levitte]
*) Revert blinding in ECDSA sign and instead make problematic addition
length-invariant. Switch even to fixed-length Montgomery multiplication.
[Andy Polyakov]
*) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
step for binary curves. The new implementation is based on formulae from
differential addition-and-doubling in mixed Lopez-Dahab projective
coordinates, modified to independently blind the operands.
[Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]
*) Add a scaffold to optionally enhance the Montgomery ladder implementation
for `ec_scalar_mul_ladder` (formerly `ec_mul_consttime`) allowing
EC_METHODs to implement their own specialized "ladder step", to take
advantage of more favorable coordinate systems or more efficient
differential addition-and-doubling algorithms.
[Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]
*) Modified the random device based seed sources to keep the relevant
file descriptors open rather than reopening them on each access.
This allows such sources to operate in a chroot() jail without
the associated device nodes being available. This behaviour can be
controlled using RAND_keep_random_devices_open().
[Paul Dale]
*) Numerous side-channel attack mitigations have been applied. This may have
performance impacts for some algorithms for the benefit of improved
security. Specific changes are noted in this change log by their respective
authors.
[Matt Caswell]
*) AIX shared library support overhaul. Switch to AIX "natural" way of
handling shared libraries, which means collecting shared objects of
different versions and bitnesses in one common archive. This allows to
mitigate conflict between 1.0 and 1.1 side-by-side installations. It
doesn't affect the way 3rd party applications are linked, only how
multi-version installation is managed.
[Andy Polyakov]
*) Make ec_group_do_inverse_ord() more robust and available to other
EC cryptosystems, so that irrespective of BN_FLG_CONSTTIME, SCA
mitigations are applied to the fallback BN_mod_inverse().
When using this function rather than BN_mod_inverse() directly, new
EC cryptosystem implementations are then safer-by-default.
[Billy Bob Brumley]
*) Add coordinate blinding for EC_POINT and implement projective
coordinate blinding for generic prime curves as a countermeasure to
chosen point SCA attacks.
[Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley]
*) Add blinding to ECDSA and DSA signatures to protect against side channel
attacks discovered by Keegan Ryan (NCC Group).
[Matt Caswell]
*) Enforce checking in the pkeyutl command line app to ensure that the input
length does not exceed the maximum supported digest length when performing
a sign, verify or verifyrecover operation.
[Matt Caswell]
*) SSL_MODE_AUTO_RETRY is enabled by default. Applications that use blocking
I/O in combination with something like select() or poll() will hang. This
can be turned off again using SSL_CTX_clear_mode().
Many applications do not properly handle non-application data records, and
TLS 1.3 sends more of such records. Setting SSL_MODE_AUTO_RETRY works
around the problems in those applications, but can also break some.
It's recommended to read the manpages about SSL_read(), SSL_write(),
SSL_get_error(), SSL_shutdown(), SSL_CTX_set_mode() and
SSL_CTX_set_read_ahead() again.
[Kurt Roeckx]
*) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
now allow empty (zero character) pass phrases.
[Richard Levitte]
*) Apply blinding to binary field modular inversion and remove patent
pending (OPENSSL_SUN_GF2M_DIV) BN_GF2m_mod_div implementation.
[Billy Bob Brumley]
*) Deprecate ec2_mult.c and unify scalar multiplication code paths for
binary and prime elliptic curves.
[Billy Bob Brumley]
*) Remove ECDSA nonce padding: EC_POINT_mul is now responsible for
constant time fixed point multiplication.
[Billy Bob Brumley]
*) Revise elliptic curve scalar multiplication with timing attack
defenses: ec_wNAF_mul redirects to a constant time implementation
when computing fixed point and variable point multiplication (which
in OpenSSL are mostly used with secret scalars in keygen, sign,
ECDH derive operations).
[Billy Bob Brumley, Nicola Tuveri, Cesar Pereida García,
Sohaib ul Hassan]
*) Updated CONTRIBUTING
[Rich Salz]
*) Updated DRBG / RAND to request nonce and additional low entropy
randomness from the system.
[Matthias St. Pierre]
*) Updated 'openssl rehash' to use OpenSSL consistent default.
[Richard Levitte]
*) Moved the load of the ssl_conf module to libcrypto, which helps
loading engines that libssl uses before libssl is initialised.
[Matt Caswell]
*) Added EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA
[Matt Caswell]
*) Fixed X509_NAME_ENTRY_set to get multi-valued RDNs right in all cases.
[Ingo Schwarze, Rich Salz]
*) Added output of accepting IP address and port for 'openssl s_server'
[Richard Levitte]
*) Added a new API for TLSv1.3 ciphersuites:
SSL_CTX_set_ciphersuites()
SSL_set_ciphersuites()
[Matt Caswell]
*) Memory allocation failures consistently add an error to the error
stack.
[Rich Salz]
*) Don't use OPENSSL_ENGINES and OPENSSL_CONF environment values
in libcrypto when run as setuid/setgid.
[Bernd Edlinger]
*) Load any config file by default when libssl is used.
[Matt Caswell]
*) Added new public header file <openssl/rand_drbg.h> and documentation
for the RAND_DRBG API. See manual page RAND_DRBG(7) for an overview.
[Matthias St. Pierre]
*) QNX support removed (cannot find contributors to get their approval
for the license change).
[Rich Salz]
*) TLSv1.3 replay protection for early data has been implemented. See the
SSL_read_early_data() man page for further details.
[Matt Caswell]
*) Separated TLSv1.3 ciphersuite configuration out from TLSv1.2 ciphersuite
configuration. TLSv1.3 ciphersuites are not compatible with TLSv1.2 and
below. Similarly TLSv1.2 ciphersuites are not compatible with TLSv1.3.
In order to avoid issues where legacy TLSv1.2 ciphersuite configuration
would otherwise inadvertently disable all TLSv1.3 ciphersuites the
configuration has been separated out. See the ciphers man page or the
SSL_CTX_set_ciphersuites() man page for more information.
[Matt Caswell]
*) On POSIX (BSD, Linux, ...) systems the ocsp(1) command running
in responder mode now supports the new "-multi" option, which
spawns the specified number of child processes to handle OCSP
requests. The "-timeout" option now also limits the OCSP
responder's patience to wait to receive the full client request
on a newly accepted connection. Child processes are respawned
as needed, and the CA index file is automatically reloaded
when changed. This makes it possible to run the "ocsp" responder
as a long-running service, making the OpenSSL CA somewhat more
feature-complete. In this mode, most diagnostic messages logged
after entering the event loop are logged via syslog(3) rather than
written to stderr.
[Viktor Dukhovni]
*) Added support for X448 and Ed448. Heavily based on original work by
Mike Hamburg.
[Matt Caswell]
*) Extend OSSL_STORE with capabilities to search and to narrow the set of
objects loaded. This adds the functions OSSL_STORE_expect() and
OSSL_STORE_find() as well as needed tools to construct searches and
get the search data out of them.
[Richard Levitte]
*) Support for TLSv1.3 added. Note that users upgrading from an earlier
version of OpenSSL should review their configuration settings to ensure
that they are still appropriate for TLSv1.3. For further information see:
https://wiki.openssl.org/index.php/TLS1.3
[Matt Caswell]
*) Grand redesign of the OpenSSL random generator
The default RAND method now utilizes an AES-CTR DRBG according to
NIST standard SP 800-90Ar1. The new random generator is essentially
a port of the default random generator from the OpenSSL FIPS 2.0
object module. It is a hybrid deterministic random bit generator
using an AES-CTR bit stream and which seeds and reseeds itself
automatically using trusted system entropy sources.
Some of its new features are:
o Support for multiple DRBG instances with seed chaining.
o The default RAND method makes use of a DRBG.
o There is a public and private DRBG instance.
o The DRBG instances are fork-safe.
o Keep all global DRBG instances on the secure heap if it is enabled.
o The public and private DRBG instance are per thread for lock free
operation
[Paul Dale, Benjamin Kaduk, Kurt Roeckx, Rich Salz, Matthias St. Pierre]
*) Changed Configure so it only says what it does and doesn't dump
so much data. Instead, ./configdata.pm should be used as a script
to display all sorts of configuration data.
[Richard Levitte]
*) Added processing of "make variables" to Configure.
[Richard Levitte]
*) Added SHA512/224 and SHA512/256 algorithm support.
[Paul Dale]
*) The last traces of Netware support, first removed in 1.1.0, have
now been removed.
[Rich Salz]
*) Get rid of Makefile.shared, and in the process, make the processing
of certain files (rc.obj, or the .def/.map/.opt files produced from
the ordinal files) more visible and hopefully easier to trace and
debug (or make silent).
[Richard Levitte]
*) Make it possible to have environment variable assignments as
arguments to config / Configure.
[Richard Levitte]
*) Add multi-prime RSA (RFC 8017) support.
[Paul Yang]
*) Add SM3 implemented according to GB/T 32905-2016
[ Jack Lloyd <jack.lloyd@ribose.com>,
Ronald Tse <ronald.tse@ribose.com>,
Erick Borsboom <erick.borsboom@ribose.com> ]
*) Add 'Maximum Fragment Length' TLS extension negotiation and support
as documented in RFC6066.
Based on a patch from Tomasz Moń
[Filipe Raimundo da Silva]
*) Add SM4 implemented according to GB/T 32907-2016.
[ Jack Lloyd <jack.lloyd@ribose.com>,
Ronald Tse <ronald.tse@ribose.com>,
Erick Borsboom <erick.borsboom@ribose.com> ]
*) Reimplement -newreq-nodes and ERR_error_string_n; the
original author does not agree with the license change.
[Rich Salz]
*) Add ARIA AEAD TLS support.
[Jon Spillett]
*) Some macro definitions to support VS6 have been removed. Visual
Studio 6 has not worked since 1.1.0
[Rich Salz]
*) Add ERR_clear_last_mark(), to allow callers to clear the last mark
without clearing the errors.
[Richard Levitte]
*) Add "atfork" functions. If building on a system that without
pthreads, see doc/man3/OPENSSL_fork_prepare.pod for application
requirements. The RAND facility now uses/requires this.
[Rich Salz]
*) Add SHA3.
[Andy Polyakov]
*) The UI API becomes a permanent and integral part of libcrypto, i.e.
not possible to disable entirely. However, it's still possible to
disable the console reading UI method, UI_OpenSSL() (use UI_null()
as a fallback).
To disable, configure with 'no-ui-console'. 'no-ui' is still
possible to use as an alias. Check at compile time with the
macro OPENSSL_NO_UI_CONSOLE. The macro OPENSSL_NO_UI is still
possible to check and is an alias for OPENSSL_NO_UI_CONSOLE.
[Richard Levitte]
*) Add a STORE module, which implements a uniform and URI based reader of
stores that can contain keys, certificates, CRLs and numerous other
objects. The main API is loosely based on a few stdio functions,
and includes OSSL_STORE_open, OSSL_STORE_load, OSSL_STORE_eof,
OSSL_STORE_error and OSSL_STORE_close.
The implementation uses backends called "loaders" to implement arbitrary
URI schemes. There is one built in "loader" for the 'file' scheme.
[Richard Levitte]
*) Add devcrypto engine. This has been implemented against cryptodev-linux,
then adjusted to work on FreeBSD 8.4 as well.
Enable by configuring with 'enable-devcryptoeng'. This is done by default
on BSD implementations, as cryptodev.h is assumed to exist on all of them.
[Richard Levitte]
*) Module names can prefixed with OSSL_ or OPENSSL_. This affects
util/mkerr.pl, which is adapted to allow those prefixes, leading to
error code calls like this:
OSSL_FOOerr(OSSL_FOO_F_SOMETHING, OSSL_FOO_R_WHATEVER);
With this change, we claim the namespaces OSSL and OPENSSL in a manner
that can be encoded in C. For the foreseeable future, this will only
affect new modules.
[Richard Levitte and Tim Hudson]
*) Removed BSD cryptodev engine.
[Rich Salz]
*) Add a build target 'build_all_generated', to build all generated files
and only that. This can be used to prepare everything that requires
things like perl for a system that lacks perl and then move everything
to that system and do the rest of the build there.
[Richard Levitte]
*) In the UI interface, make it possible to duplicate the user data. This
can be used by engines that need to retain the data for a longer time
than just the call where this user data is passed.
[Richard Levitte]
*) Ignore the '-named_curve auto' value for compatibility of applications
with OpenSSL 1.0.2.
[Tomas Mraz <tmraz@fedoraproject.org>]
*) Fragmented SSL/TLS alerts are no longer accepted. An alert message is 2
bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
alerts across multiple records (some of which could be empty). In practice
it make no sense to send an empty alert record, or to fragment one. TLSv1.3
prohibits this altogether and other libraries (BoringSSL, NSS) do not
support this at all. Supporting it adds significant complexity to the
record layer, and its removal is unlikely to cause interoperability
issues.
[Matt Caswell]
*) Add the ASN.1 types INT32, UINT32, INT64, UINT64 and variants prefixed
with Z. These are meant to replace LONG and ZLONG and to be size safe.
The use of LONG and ZLONG is discouraged and scheduled for deprecation
in OpenSSL 1.2.0.
[Richard Levitte]
*) Add the 'z' and 'j' modifiers to BIO_printf() et al formatting string,
'z' is to be used for [s]size_t, and 'j' - with [u]int64_t.
[Richard Levitte, Andy Polyakov]
*) Add EC_KEY_get0_engine(), which does for EC_KEY what RSA_get0_engine()
does for RSA, etc.
[Richard Levitte]
*) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
platform rather than 'mingw'.
[Richard Levitte]
*) The functions X509_STORE_add_cert and X509_STORE_add_crl return
success if they are asked to add an object which already exists
in the store. This change cascades to other functions which load
certificates and CRLs.
[Paul Dale]
*) x86_64 assembly pack: annotate code with DWARF CFI directives to
facilitate stack unwinding even from assembly subroutines.
[Andy Polyakov]
*) Remove VAX C specific definitions of OPENSSL_EXPORT, OPENSSL_EXTERN.
Also remove OPENSSL_GLOBAL entirely, as it became a no-op.
[Richard Levitte]
*) Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
which is the minimum version we support.
[Richard Levitte]
*) Certificate time validation (X509_cmp_time) enforces stricter
compliance with RFC 5280. Fractional seconds and timezone offsets
are no longer allowed.
[Emilia Käsper]
*) Add support for ARIA
[Paul Dale]
*) s_client will now send the Server Name Indication (SNI) extension by
default unless the new "-noservername" option is used. The server name is
based on the host provided to the "-connect" option unless overridden by
using "-servername".
[Matt Caswell]
*) Add support for SipHash
[Todd Short]
*) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
prevent issues where no progress is being made and the peer continually
sends unrecognised record types, using up resources processing them.
[Matt Caswell]
*) 'openssl passwd' can now produce SHA256 and SHA512 based output,
using the algorithm defined in
https://www.akkadia.org/drepper/SHA-crypt.txt
[Richard Levitte]
*) Heartbeat support has been removed; the ABI is changed for now.
[Richard Levitte, Rich Salz]
*) Support for SSL_OP_NO_ENCRYPT_THEN_MAC in SSL_CONF_cmd.
[Emilia Käsper]
*) The RSA "null" method, which was partially supported to avoid patent
issues, has been replaced to always returns NULL.
[Rich Salz]
Changes between 1.1.0h and 1.1.0i [xx XXX xxxx]
*) Client DoS due to large DH parameter
During key agreement in a TLS handshake using a DH(E) based ciphersuite a
malicious server can send a very large prime value to the client. This will
cause the client to spend an unreasonably long period of time generating a
key for this prime resulting in a hang until the client has finished. This
could be exploited in a Denial Of Service attack.
This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
(CVE-2018-0732)
[Guido Vranken]
*) Cache timing vulnerability in RSA Key Generation
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
a cache timing side channel attack. An attacker with sufficient access to
mount cache timing attacks during the RSA key generation process could
recover the private key.
This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
(CVE-2018-0737)
[Billy Brumley]
*) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
parameter is no longer accepted, as it leads to a corrupt table. NULL
pem_str is reserved for alias entries only.
[Richard Levitte]
*) Revert blinding in ECDSA sign and instead make problematic addition
length-invariant. Switch even to fixed-length Montgomery multiplication.
[Andy Polyakov]
*) Change generating and checking of primes so that the error rate of not
being prime depends on the intended use based on the size of the input.
For larger primes this will result in more rounds of Miller-Rabin.
The maximal error rate for primes with more than 1080 bits is lowered
to 2^-128.
[Kurt Roeckx, Annie Yousar]
*) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
[Kurt Roeckx]
*) Add blinding to ECDSA and DSA signatures to protect against side channel
attacks discovered by Keegan Ryan (NCC Group).
[Matt Caswell]
*) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
now allow empty (zero character) pass phrases.
[Richard Levitte]
*) Certificate time validation (X509_cmp_time) enforces stricter
compliance with RFC 5280. Fractional seconds and timezone offsets
are no longer allowed.
[Emilia Käsper]
*) Fixed a text canonicalisation bug in CMS
Where a CMS detached signature is used with text content the text goes
through a canonicalisation process first prior to signing or verifying a
signature. This process strips trailing space at the end of lines, converts
line terminators to CRLF and removes additional trailing line terminators
at the end of a file. A bug in the canonicalisation process meant that
some characters, such as form-feed, were incorrectly treated as whitespace
and removed. This is contrary to the specification (RFC5485). This fix
could mean that detached text data signed with an earlier version of
OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
signed with a fixed OpenSSL may fail to verify with an earlier version of
OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
and use the "-binary" flag (for the "cms" command line application) or set
the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).
[Matt Caswell]
Changes between 1.1.0g and 1.1.0h [27 Mar 2018]
*) Constructed ASN.1 types with a recursive definition could exceed the stack
Constructed ASN.1 types with a recursive definition (such as can be found
in PKCS7) could eventually exceed the stack given malicious input with
excessive recursion. This could result in a Denial Of Service attack. There
are no such structures used within SSL/TLS that come from untrusted sources
so this is considered safe.
This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
project.
(CVE-2018-0739)
[Matt Caswell]
*) Incorrect CRYPTO_memcmp on HP-UX PA-RISC
Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
effectively reduced to only comparing the least significant bit of each
byte. This allows an attacker to forge messages that would be considered as
authenticated in an amount of tries lower than that guaranteed by the
security claims of the scheme. The module can only be compiled by the
HP-UX assembler, so that only HP-UX PA-RISC targets are affected.
This issue was reported to OpenSSL on 2nd March 2018 by Peter Waltenberg
(IBM).
(CVE-2018-0733)
[Andy Polyakov]
*) Add a build target 'build_all_generated', to build all generated files
and only that. This can be used to prepare everything that requires
things like perl for a system that lacks perl and then move everything
to that system and do the rest of the build there.
[Richard Levitte]
*) Backport SSL_OP_NO_RENGOTIATION
OpenSSL 1.0.2 and below had the ability to disable renegotiation using the
(undocumented) SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag. Due to the opacity
changes this is no longer possible in 1.1.0. Therefore the new
SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to
1.1.0 to provide equivalent functionality.
Note that if an application built against 1.1.0h headers (or above) is run
using an older version of 1.1.0 (prior to 1.1.0h) then the option will be
accepted but nothing will happen, i.e. renegotiation will not be prevented.
[Matt Caswell]
*) Removed the OS390-Unix config target. It relied on a script that doesn't
exist.
[Rich Salz]
*) rsaz_1024_mul_avx2 overflow bug on x86_64
There is an overflow bug in the AVX2 Montgomery multiplication procedure
used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
Analysis suggests that attacks against RSA and DSA as a result of this
defect would be very difficult to perform and are not believed likely.
Attacks against DH1024 are considered just feasible, because most of the
work necessary to deduce information about a private key may be performed
offline. The amount of resources required for such an attack would be
significant. However, for an attack on TLS to be meaningful, the server
would have to share the DH1024 private key among multiple clients, which is
no longer an option since CVE-2016-0701.
This only affects processors that support the AVX2 but not ADX extensions
like Intel Haswell (4th generation).
This issue was reported to OpenSSL by David Benjamin (Google). The issue
was originally found via the OSS-Fuzz project.
(CVE-2017-3738)
[Andy Polyakov]
Changes between 1.1.0f and 1.1.0g [2 Nov 2017]
*) bn_sqrx8x_internal carry bug on x86_64
There is a carry propagating bug in the x86_64 Montgomery squaring
procedure. No EC algorithms are affected. Analysis suggests that attacks
against RSA and DSA as a result of this defect would be very difficult to
perform and are not believed likely. Attacks against DH are considered just
feasible (although very difficult) because most of the work necessary to
deduce information about a private key may be performed offline. The amount
of resources required for such an attack would be very significant and
likely only accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients.
This only affects processors that support the BMI1, BMI2 and ADX extensions
like Intel Broadwell (5th generation) and later or AMD Ryzen.
This issue was reported to OpenSSL by the OSS-Fuzz project.
(CVE-2017-3736)
[Andy Polyakov]
*) Malformed X.509 IPAddressFamily could cause OOB read
If an X.509 certificate has a malformed IPAddressFamily extension,
OpenSSL could do a one-byte buffer overread. The most likely result
would be an erroneous display of the certificate in text format.
This issue was reported to OpenSSL by the OSS-Fuzz project.
(CVE-2017-3735)
[Rich Salz]
Changes between 1.1.0e and 1.1.0f [25 May 2017]
*) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
platform rather than 'mingw'.
[Richard Levitte]
*) Remove the VMS-specific reimplementation of gmtime from crypto/o_times.c.
VMS C's RTL has a fully up to date gmtime() and gmtime_r() since V7.1,
which is the minimum version we support.
[Richard Levitte]
Changes between 1.1.0d and 1.1.0e [16 Feb 2017]
*) Encrypt-Then-Mac renegotiation crash
During a renegotiation handshake if the Encrypt-Then-Mac extension is
negotiated where it was not in the original handshake (or vice-versa) then
this can cause OpenSSL to crash (dependant on ciphersuite). Both clients
and servers are affected.
This issue was reported to OpenSSL by Joe Orton (Red Hat).
(CVE-2017-3733)
[Matt Caswell]
Changes between 1.1.0c and 1.1.0d [26 Jan 2017]
*) Truncated packet could crash via OOB read
If one side of an SSL/TLS path is running on a 32-bit host and a specific
cipher is being used, then a truncated packet can cause that host to
perform an out-of-bounds read, usually resulting in a crash.
This issue was reported to OpenSSL by Robert Święcki of Google.
(CVE-2017-3731)
[Andy Polyakov]
*) Bad (EC)DHE parameters cause a client crash
If a malicious server supplies bad parameters for a DHE or ECDHE key
exchange then this can result in the client attempting to dereference a
NULL pointer leading to a client crash. This could be exploited in a Denial
of Service attack.
This issue was reported to OpenSSL by Guido Vranken.
(CVE-2017-3730)
[Matt Caswell]
*) BN_mod_exp may produce incorrect results on x86_64
There is a carry propagating bug in the x86_64 Montgomery squaring
procedure. No EC algorithms are affected. Analysis suggests that attacks
against RSA and DSA as a result of this defect would be very difficult to
perform and are not believed likely. Attacks against DH are considered just
feasible (although very difficult) because most of the work necessary to
deduce information about a private key may be performed offline. The amount
of resources required for such an attack would be very significant and
likely only accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients. For example this can occur by
default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
similar to CVE-2015-3193 but must be treated as a separate problem.
This issue was reported to OpenSSL by the OSS-Fuzz project.
(CVE-2017-3732)
[Andy Polyakov]
Changes between 1.1.0b and 1.1.0c [10 Nov 2016]
*) ChaCha20/Poly1305 heap-buffer-overflow
TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to
a DoS attack by corrupting larger payloads. This can result in an OpenSSL
crash. This issue is not considered to be exploitable beyond a DoS.
This issue was reported to OpenSSL by Robert Święcki (Google Security Team)
(CVE-2016-7054)
[Richard Levitte]
*) CMS Null dereference
Applications parsing invalid CMS structures can crash with a NULL pointer
dereference. This is caused by a bug in the handling of the ASN.1 CHOICE
type in OpenSSL 1.1.0 which can result in a NULL value being passed to the
structure callback if an attempt is made to free certain invalid encodings.
Only CHOICE structures using a callback which do not handle NULL value are
affected.
This issue was reported to OpenSSL by Tyler Nighswander of ForAllSecure.
(CVE-2016-7053)
[Stephen Henson]
*) Montgomery multiplication may produce incorrect results
There is a carry propagating bug in the Broadwell-specific Montgomery
multiplication procedure that handles input lengths divisible by, but
longer than 256 bits. Analysis suggests that attacks against RSA, DSA
and DH private keys are impossible. This is because the subroutine in
question is not used in operations with the private key itself and an input
of the attacker's direct choice. Otherwise the bug can manifest itself as
transient authentication and key negotiation failures or reproducible
erroneous outcome of public-key operations with specially crafted input.
Among EC algorithms only Brainpool P-512 curves are affected and one
presumably can attack ECDH key negotiation. Impact was not analyzed in
detail, because pre-requisites for attack are considered unlikely. Namely
multiple clients have to choose the curve in question and the server has to
share the private key among them, neither of which is default behaviour.
Even then only clients that chose the curve will be affected.
This issue was publicly reported as transient failures and was not
initially recognized as a security issue. Thanks to Richard Morgan for
providing reproducible case.
(CVE-2016-7055)
[Andy Polyakov]
*) Removed automatic addition of RPATH in shared libraries and executables,
as this was a remainder from OpenSSL 1.0.x and isn't needed any more.
[Richard Levitte]
Changes between 1.1.0a and 1.1.0b [26 Sep 2016]
*) Fix Use After Free for large message sizes
The patch applied to address CVE-2016-6307 resulted in an issue where if a
message larger than approx 16k is received then the underlying buffer to
store the incoming message is reallocated and moved. Unfortunately a
dangling pointer to the old location is left which results in an attempt to
write to the previously freed location. This is likely to result in a
crash, however it could potentially lead to execution of arbitrary code.
This issue only affects OpenSSL 1.1.0a.
This issue was reported to OpenSSL by Robert Święcki.
(CVE-2016-6309)
[Matt Caswell]
Changes between 1.1.0 and 1.1.0a [22 Sep 2016]
*) OCSP Status Request extension unbounded memory growth
A malicious client can send an excessively large OCSP Status Request
extension. If that client continually requests renegotiation, sending a
large OCSP Status Request extension each time, then there will be unbounded
memory growth on the server. This will eventually lead to a Denial Of
Service attack through memory exhaustion. Servers with a default
configuration are vulnerable even if they do not support OCSP. Builds using
the "no-ocsp" build time option are not affected.
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
(CVE-2016-6304)
[Matt Caswell]
*) SSL_peek() hang on empty record
OpenSSL 1.1.0 SSL/TLS will hang during a call to SSL_peek() if the peer
sends an empty record. This could be exploited by a malicious peer in a
Denial Of Service attack.
This issue was reported to OpenSSL by Alex Gaynor.
(CVE-2016-6305)
[Matt Caswell]
*) Excessive allocation of memory in tls_get_message_header() and
dtls1_preprocess_fragment()
A (D)TLS message includes 3 bytes for its length in the header for the
message. This would allow for messages up to 16Mb in length. Messages of
this length are excessive and OpenSSL includes a check to ensure that a
peer is sending reasonably sized messages in order to avoid too much memory
being consumed to service a connection. A flaw in the logic of version
1.1.0 means that memory for the message is allocated too early, prior to
the excessive message length check. Due to way memory is allocated in
OpenSSL this could mean an attacker could force up to 21Mb to be allocated
to service a connection. This could lead to a Denial of Service through
memory exhaustion. However, the excessive message length check still takes
place, and this would cause the connection to immediately fail. Assuming
that the application calls SSL_free() on the failed connection in a timely
manner then the 21Mb of allocated memory will then be immediately freed
again. Therefore the excessive memory allocation will be transitory in
nature. This then means that there is only a security impact if:
1) The application does not call SSL_free() in a timely manner in the event
that the connection fails
or
2) The application is working in a constrained environment where there is
very little free memory
or
3) The attacker initiates multiple connection attempts such that there are
multiple connections in a state where memory has been allocated for the
connection; SSL_free() has not yet been called; and there is insufficient
memory to service the multiple requests.
Except in the instance of (1) above any Denial Of Service is likely to be
transitory because as soon as the connection fails the memory is
subsequently freed again in the SSL_free() call. However there is an
increased risk during this period of application crashes due to the lack of
memory - which would then mean a more serious Denial of Service.
This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
(CVE-2016-6307 and CVE-2016-6308)
[Matt Caswell]
*) solaris-x86-cc, i.e. 32-bit configuration with vendor compiler,
had to be removed. Primary reason is that vendor assembler can't
assemble our modules with -KPIC flag. As result it, assembly
support, was not even available as option. But its lack means
lack of side-channel resistant code, which is incompatible with
security by todays standards. Fortunately gcc is readily available
prepackaged option, which we firmly point at...
[Andy Polyakov]
Changes between 1.0.2h and 1.1.0 [25 Aug 2016]
*) Windows command-line tool supports UTF-8 opt-in option for arguments
and console input. Setting OPENSSL_WIN32_UTF8 environment variable
(to any value) allows Windows user to access PKCS#12 file generated
with Windows CryptoAPI and protected with non-ASCII password, as well
as files generated under UTF-8 locale on Linux also protected with
non-ASCII password.
[Andy Polyakov]
*) To mitigate the SWEET32 attack (CVE-2016-2183), 3DES cipher suites
have been disabled by default and removed from DEFAULT, just like RC4.
See the RC4 item below to re-enable both.
[Rich Salz]
*) The method for finding the storage location for the Windows RAND seed file
has changed. First we check %RANDFILE%. If that is not set then we check
the directories %HOME%, %USERPROFILE% and %SYSTEMROOT% in that order. If
all else fails we fall back to C:\.
[Matt Caswell]
*) The EVP_EncryptUpdate() function has had its return type changed from void
to int. A return of 0 indicates and error while a return of 1 indicates
success.
[Matt Caswell]
*) The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and
DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch
off the constant time implementation for RSA, DSA and DH have been made
no-ops and deprecated.
[Matt Caswell]
*) Windows RAND implementation was simplified to only get entropy by
calling CryptGenRandom(). Various other RAND-related tickets
were also closed.
[Joseph Wylie Yandle, Rich Salz]
*) The stack and lhash API's were renamed to start with OPENSSL_SK_
and OPENSSL_LH_, respectively. The old names are available
with API compatibility. They new names are now completely documented.
[Rich Salz]
*) Unify TYPE_up_ref(obj) methods signature.
SSL_CTX_up_ref(), SSL_up_ref(), X509_up_ref(), EVP_PKEY_up_ref(),
X509_CRL_up_ref(), X509_OBJECT_up_ref_count() methods are now returning an
int (instead of void) like all others TYPE_up_ref() methods.
So now these methods also check the return value of CRYPTO_atomic_add(),
and the validity of object reference counter.
[fdasilvayy@gmail.com]
*) With Windows Visual Studio builds, the .pdb files are installed
alongside the installed libraries and executables. For a static
library installation, ossl_static.pdb is the associate compiler
generated .pdb file to be used when linking programs.
[Richard Levitte]
*) Remove openssl.spec. Packaging files belong with the packagers.
[Richard Levitte]
*) Automatic Darwin/OSX configuration has had a refresh, it will now
recognise x86_64 architectures automatically. You can still decide
to build for a different bitness with the environment variable
KERNEL_BITS (can be 32 or 64), for example:
KERNEL_BITS=32 ./config
[Richard Levitte]
*) Change default algorithms in pkcs8 utility to use PKCS#5 v2.0,
256 bit AES and HMAC with SHA256.
[Steve Henson]
*) Remove support for MIPS o32 ABI on IRIX (and IRIX only).
[Andy Polyakov]
*) Triple-DES ciphers have been moved from HIGH to MEDIUM.
[Rich Salz]
*) To enable users to have their own config files and build file templates,
Configure looks in the directory indicated by the environment variable
OPENSSL_LOCAL_CONFIG_DIR as well as the in-source Configurations/
directory. On VMS, OPENSSL_LOCAL_CONFIG_DIR is expected to be a logical
name and is used as is.
[Richard Levitte]
*) The following datatypes were made opaque: X509_OBJECT, X509_STORE_CTX,
X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD. The unused type
X509_CERT_FILE_CTX was removed.
[Rich Salz]
*) "shared" builds are now the default. To create only static libraries use
the "no-shared" Configure option.
[Matt Caswell]
*) Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options.
All of these option have not worked for some while and are fundamental
algorithms.
[Matt Caswell]
*) Make various cleanup routines no-ops and mark them as deprecated. Most
global cleanup functions are no longer required because they are handled
via auto-deinit (see OPENSSL_init_crypto and OPENSSL_init_ssl man pages).
Explicitly de-initing can cause problems (e.g. where a library that uses
OpenSSL de-inits, but an application is still using it). The affected
functions are CONF_modules_free(), ENGINE_cleanup(), OBJ_cleanup(),
EVP_cleanup(), BIO_sock_cleanup(), CRYPTO_cleanup_all_ex_data(),
RAND_cleanup(), SSL_COMP_free_compression_methods(), ERR_free_strings() and
COMP_zlib_cleanup().
[Matt Caswell]
*) --strict-warnings no longer enables runtime debugging options
such as REF_DEBUG. Instead, debug options are automatically
enabled with '--debug' builds.
[Andy Polyakov, Emilia Käsper]
*) Made DH and DH_METHOD opaque. The structures for managing DH objects
have been moved out of the public header files. New functions for managing
these have been added.
[Matt Caswell]
*) Made RSA and RSA_METHOD opaque. The structures for managing RSA
objects have been moved out of the public header files. New
functions for managing these have been added.
[Richard Levitte]
*) Made DSA and DSA_METHOD opaque. The structures for managing DSA objects
have been moved out of the public header files. New functions for managing
these have been added.
[Matt Caswell]
*) Made BIO and BIO_METHOD opaque. The structures for managing BIOs have been
moved out of the public header files. New functions for managing these
have been added.
[Matt Caswell]
*) Removed no-rijndael as a config option. Rijndael is an old name for AES.
[Matt Caswell]
*) Removed the mk1mf build scripts.
[Richard Levitte]
*) Headers are now wrapped, if necessary, with OPENSSL_NO_xxx, so
it is always safe to #include a header now.
[Rich Salz]
*) Removed the aged BC-32 config and all its supporting scripts
[Richard Levitte]
*) Removed support for Ultrix, Netware, and OS/2.
[Rich Salz]
*) Add support for HKDF.
[Alessandro Ghedini]
*) Add support for blake2b and blake2s
[Bill Cox]
*) Added support for "pipelining". Ciphers that have the
EVP_CIPH_FLAG_PIPELINE flag set have a capability to process multiple
encryptions/decryptions simultaneously. There are currently no built-in
ciphers with this property but the expectation is that engines will be able
to offer it to significantly improve throughput. Support has been extended
into libssl so that multiple records for a single connection can be
processed in one go (for >=TLS 1.1).
[Matt Caswell]
*) Added the AFALG engine. This is an async capable engine which is able to
offload work to the Linux kernel. In this initial version it only supports
AES128-CBC. The kernel must be version 4.1.0 or greater.
[Catriona Lucey]
*) OpenSSL now uses a new threading API. It is no longer necessary to
set locking callbacks to use OpenSSL in a multi-threaded environment. There
are two supported threading models: pthreads and windows threads. It is
also possible to configure OpenSSL at compile time for "no-threads". The
old threading API should no longer be used. The functions have been
replaced with "no-op" compatibility macros.
[Alessandro Ghedini, Matt Caswell]
*) Modify behavior of ALPN to invoke callback after SNI/servername
callback, such that updates to the SSL_CTX affect ALPN.
[Todd Short]
*) Add SSL_CIPHER queries for authentication and key-exchange.
[Todd Short]
*) Changes to the DEFAULT cipherlist:
- Prefer (EC)DHE handshakes over plain RSA.
- Prefer AEAD ciphers over legacy ciphers.
- Prefer ECDSA over RSA when both certificates are available.
- Prefer TLSv1.2 ciphers/PRF.
- Remove DSS, SEED, IDEA, CAMELLIA, and AES-CCM from the
default cipherlist.
[Emilia Käsper]
*) Change the ECC default curve list to be this, in order: x25519,
secp256r1, secp521r1, secp384r1.
[Rich Salz]
*) RC4 based libssl ciphersuites are now classed as "weak" ciphers and are
disabled by default. They can be re-enabled using the
enable-weak-ssl-ciphers option to Configure.
[Matt Caswell]
*) If the server has ALPN configured, but supports no protocols that the
client advertises, send a fatal "no_application_protocol" alert.
This behaviour is SHALL in RFC 7301, though it isn't universally
implemented by other servers.
[Emilia Käsper]
*) Add X25519 support.
Add ASN.1 and EVP_PKEY methods for X25519. This includes support
for public and private key encoding using the format documented in
draft-ietf-curdle-pkix-02. The corresponding EVP_PKEY method supports
key generation and key derivation.
TLS support complies with draft-ietf-tls-rfc4492bis-08 and uses
X25519(29).
[Steve Henson]
*) Deprecate SRP_VBASE_get_by_user.
SRP_VBASE_get_by_user had inconsistent memory management behaviour.
In order to fix an unavoidable memory leak (CVE-2016-0798),
SRP_VBASE_get_by_user was changed to ignore the "fake user" SRP
seed, even if the seed is configured.
Users should use SRP_VBASE_get1_by_user instead. Note that in
SRP_VBASE_get1_by_user, caller must free the returned value. Note
also that even though configuring the SRP seed attempts to hide
invalid usernames by continuing the handshake with fake
credentials, this behaviour is not constant time and no strong
guarantees are made that the handshake is indistinguishable from
that of a valid user.
[Emilia Käsper]
*) Configuration change; it's now possible to build dynamic engines
without having to build shared libraries and vice versa. This
only applies to the engines in engines/, those in crypto/engine/
will always be built into libcrypto (i.e. "static").
Building dynamic engines is enabled by default; to disable, use
the configuration option "disable-dynamic-engine".
The only requirements for building dynamic engines are the
presence of the DSO module and building with position independent
code, so they will also automatically be disabled if configuring
with "disable-dso" or "disable-pic".
The macros OPENSSL_NO_STATIC_ENGINE and OPENSSL_NO_DYNAMIC_ENGINE
are also taken away from openssl/opensslconf.h, as they are
irrelevant.
[Richard Levitte]
*) Configuration change; if there is a known flag to compile
position independent code, it will always be applied on the
libcrypto and libssl object files, and never on the application
object files. This means other libraries that use routines from
libcrypto / libssl can be made into shared libraries regardless
of how OpenSSL was configured.
If this isn't desirable, the configuration options "disable-pic"
or "no-pic" can be used to disable the use of PIC. This will
also disable building shared libraries and dynamic engines.
[Richard Levitte]
*) Removed JPAKE code. It was experimental and has no wide use.
[Rich Salz]
*) The INSTALL_PREFIX Makefile variable has been renamed to
DESTDIR. That makes for less confusion on what this variable
is for. Also, the configuration option --install_prefix is
removed.
[Richard Levitte]
*) Heartbeat for TLS has been removed and is disabled by default
for DTLS; configure with enable-heartbeats. Code that uses the
old #define's might need to be updated.
[Emilia Käsper, Rich Salz]
*) Rename REF_CHECK to REF_DEBUG.
[Rich Salz]
*) New "unified" build system
The "unified" build system is aimed to be a common system for all
platforms we support. With it comes new support for VMS.
This system builds supports building in a different directory tree
than the source tree. It produces one Makefile (for unix family
or lookalikes), or one descrip.mms (for VMS).
The source of information to make the Makefile / descrip.mms is
small files called 'build.info', holding the necessary
information for each directory with source to compile, and a
template in Configurations, like unix-Makefile.tmpl or
descrip.mms.tmpl.
With this change, the library names were also renamed on Windows
and on VMS. They now have names that are closer to the standard
on Unix, and include the major version number, and in certain
cases, the architecture they are built for. See "Notes on shared
libraries" in INSTALL.
We rely heavily on the perl module Text::Template.
[Richard Levitte]
*) Added support for auto-initialisation and de-initialisation of the library.
OpenSSL no longer requires explicit init or deinit routines to be called,
except in certain circumstances. See the OPENSSL_init_crypto() and
OPENSSL_init_ssl() man pages for further information.
[Matt Caswell]
*) The arguments to the DTLSv1_listen function have changed. Specifically the
"peer" argument is now expected to be a BIO_ADDR object.
*) Rewrite of BIO networking library. The BIO library lacked consistent
support of IPv6, and adding it required some more extensive
modifications. This introduces the BIO_ADDR and BIO_ADDRINFO types,
which hold all types of addresses and chains of address information.
It also introduces a new API, with functions like BIO_socket,
BIO_connect, BIO_listen, BIO_lookup and a rewrite of BIO_accept.
The source/sink BIOs BIO_s_connect, BIO_s_accept and BIO_s_datagram
have been adapted accordingly.
[Richard Levitte]
*) RSA_padding_check_PKCS1_type_1 now accepts inputs with and without
the leading 0-byte.
[Emilia Käsper]
*) CRIME protection: disable compression by default, even if OpenSSL is
compiled with zlib enabled. Applications can still enable compression
by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by
using the SSL_CONF library to configure compression.
[Emilia Käsper]
*) The signature of the session callback configured with
SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
was explicitly marked as 'const unsigned char*' instead of
'unsigned char*'.
[Emilia Käsper]
*) Always DPURIFY. Remove the use of uninitialized memory in the
RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.
[Emilia Käsper]
*) Removed many obsolete configuration items, including
DES_PTR, DES_RISC1, DES_RISC2, DES_INT
MD2_CHAR, MD2_INT, MD2_LONG
BF_PTR, BF_PTR2
IDEA_SHORT, IDEA_LONG
RC2_SHORT, RC2_LONG, RC4_LONG, RC4_CHUNK, RC4_INDEX
[Rich Salz, with advice from Andy Polyakov]
*) Many BN internals have been moved to an internal header file.
[Rich Salz with help from Andy Polyakov]
*) Configuration and writing out the results from it has changed.
Files such as Makefile include/openssl/opensslconf.h and are now
produced through general templates, such as Makefile.in and
crypto/opensslconf.h.in and some help from the perl module
Text::Template.
Also, the center of configuration information is no longer
Makefile. Instead, Configure produces a perl module in
configdata.pm which holds most of the config data (in the hash
table %config), the target data that comes from the target
configuration in one of the Configurations/*.conf files (in
%target).
[Richard Levitte]
*) To clarify their intended purposes, the Configure options
--prefix and --openssldir change their semantics, and become more
straightforward and less interdependent.
--prefix shall be used exclusively to give the location INSTALLTOP
where programs, scripts, libraries, include files and manuals are
going to be installed. The default is now /usr/local.
--openssldir shall be used exclusively to give the default
location OPENSSLDIR where certificates, private keys, CRLs are
managed. This is also where the default openssl.cnf gets
installed.
If the directory given with this option is a relative path, the
values of both the --prefix value and the --openssldir value will
be combined to become OPENSSLDIR.
The default for --openssldir is INSTALLTOP/ssl.
Anyone who uses --openssldir to specify where OpenSSL is to be
installed MUST change to use --prefix instead.
[Richard Levitte]
*) The GOST engine was out of date and therefore it has been removed. An up
to date GOST engine is now being maintained in an external repository.
See: https://wiki.openssl.org/index.php/Binaries. Libssl still retains
support for GOST ciphersuites (these are only activated if a GOST engine
is present).
[Matt Caswell]
*) EGD is no longer supported by default; use enable-egd when
configuring.
[Ben Kaduk and Rich Salz]
*) The distribution now has Makefile.in files, which are used to
create Makefile's when Configure is run. *Configure must be run
before trying to build now.*
[Rich Salz]
*) The return value for SSL_CIPHER_description() for error conditions
has changed.
[Rich Salz]
*) Support for RFC6698/RFC7671 DANE TLSA peer authentication.
Obtaining and performing DNSSEC validation of TLSA records is
the application's responsibility. The application provides
the TLSA records of its choice to OpenSSL, and these are then
used to authenticate the peer.
The TLSA records need not even come from DNS. They can, for
example, be used to implement local end-entity certificate or
trust-anchor "pinning", where the "pin" data takes the form
of TLSA records, which can augment or replace verification
based on the usual WebPKI public certification authorities.
[Viktor Dukhovni]
*) Revert default OPENSSL_NO_DEPRECATED setting. Instead OpenSSL
continues to support deprecated interfaces in default builds.
However, applications are strongly advised to compile their
source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
the declarations of all interfaces deprecated in 0.9.8, 1.0.0
or the 1.1.0 releases.
In environments in which all applications have been ported to
not use any deprecated interfaces OpenSSL's Configure script
should be used with the --api=1.1.0 option to entirely remove
support for the deprecated features from the library and
unconditionally disable them in the installed headers.
Essentially the same effect can be achieved with the "no-deprecated"
argument to Configure, except that this will always restrict
the build to just the latest API, rather than a fixed API
version.
As applications are ported to future revisions of the API,
they should update their compile-time OPENSSL_API_COMPAT define
accordingly, but in most cases should be able to continue to
compile with later releases.
The OPENSSL_API_COMPAT versions for 1.0.0, and 0.9.8 are
0x10000000L and 0x00908000L, respectively. However those
versions did not support the OPENSSL_API_COMPAT feature, and
so applications are not typically tested for explicit support
of just the undeprecated features of either release.
[Viktor Dukhovni]
*) Add support for setting the minimum and maximum supported protocol.
It can bet set via the SSL_set_min_proto_version() and
SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and
MaxProtocol. It's recommended to use the new APIs to disable
protocols instead of disabling individual protocols using
SSL_set_options() or SSL_CONF's Protocol. This change also
removes support for disabling TLS 1.2 in the OpenSSL TLS
client at compile time by defining OPENSSL_NO_TLS1_2_CLIENT.
[Kurt Roeckx]
*) Support for ChaCha20 and Poly1305 added to libcrypto and libssl.
[Andy Polyakov]
*) New EC_KEY_METHOD, this replaces the older ECDSA_METHOD and ECDH_METHOD
and integrates ECDSA and ECDH functionality into EC. Implementations can
now redirect key generation and no longer need to convert to or from
ECDSA_SIG format.
Note: the ecdsa.h and ecdh.h headers are now no longer needed and just
include the ec.h header file instead.
[Steve Henson]
*) Remove support for all 40 and 56 bit ciphers. This includes all the export
ciphers who are no longer supported and drops support the ephemeral RSA key
exchange. The LOW ciphers currently doesn't have any ciphers in it.
[Kurt Roeckx]
*) Made EVP_MD_CTX, EVP_MD, EVP_CIPHER_CTX, EVP_CIPHER and HMAC_CTX
opaque. For HMAC_CTX, the following constructors and destructors
were added:
HMAC_CTX *HMAC_CTX_new(void);
void HMAC_CTX_free(HMAC_CTX *ctx);
For EVP_MD and EVP_CIPHER, complete APIs to create, fill and
destroy such methods has been added. See EVP_MD_meth_new(3) and
EVP_CIPHER_meth_new(3) for documentation.
Additional changes:
1) EVP_MD_CTX_cleanup(), EVP_CIPHER_CTX_cleanup() and
HMAC_CTX_cleanup() were removed. HMAC_CTX_reset() and
EVP_MD_CTX_reset() should be called instead to reinitialise
an already created structure.
2) For consistency with the majority of our object creators and
destructors, EVP_MD_CTX_(create|destroy) were renamed to
EVP_MD_CTX_(new|free). The old names are retained as macros
for deprecated builds.
[Richard Levitte]
*) Added ASYNC support. Libcrypto now includes the async sub-library to enable
cryptographic operations to be performed asynchronously as long as an
asynchronous capable engine is used. See the ASYNC_start_job() man page for
further details. Libssl has also had this capability integrated with the
introduction of the new mode SSL_MODE_ASYNC and associated error
SSL_ERROR_WANT_ASYNC. See the SSL_CTX_set_mode() and SSL_get_error() man
pages. This work was developed in partnership with Intel Corp.
[Matt Caswell]
*) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is
always enabled now. If you want to disable the support you should
exclude it using the list of supported ciphers. This also means that the
"-no_ecdhe" option has been removed from s_server.
[Kurt Roeckx]
*) SSL_{CTX}_set_tmp_ecdh() which can set 1 EC curve now internally calls
SSL_{CTX_}set1_curves() which can set a list.
[Kurt Roeckx]
*) Remove support for SSL_{CTX_}set_tmp_ecdh_callback(). You should set the
curve you want to support using SSL_{CTX_}set1_curves().
[Kurt Roeckx]
*) State machine rewrite. The state machine code has been significantly
refactored in order to remove much duplication of code and solve issues
with the old code (see ssl/statem/README for further details). This change
does have some associated API changes. Notably the SSL_state() function
has been removed and replaced by SSL_get_state which now returns an
"OSSL_HANDSHAKE_STATE" instead of an int. SSL_set_state() has been removed
altogether. The previous handshake states defined in ssl.h and ssl3.h have
also been removed.
[Matt Caswell]
*) All instances of the string "ssleay" in the public API were replaced
with OpenSSL (case-matching; e.g., OPENSSL_VERSION for #define's)
Some error codes related to internal RSA_eay API's were renamed.
[Rich Salz]
*) The demo files in crypto/threads were moved to demo/threads.
[Rich Salz]
*) Removed obsolete engines: 4758cca, aep, atalla, cswift, nuron, gmp,
sureware and ubsec.
[Matt Caswell, Rich Salz]
*) New ASN.1 embed macro.
New ASN.1 macro ASN1_EMBED. This is the same as ASN1_SIMPLE except the
structure is not allocated: it is part of the parent. That is instead of
FOO *x;
it must be:
FOO x;
This reduces memory fragmentation and make it impossible to accidentally
set a mandatory field to NULL.
This currently only works for some fields specifically a SEQUENCE, CHOICE,
or ASN1_STRING type which is part of a parent SEQUENCE. Since it is
equivalent to ASN1_SIMPLE it cannot be tagged, OPTIONAL, SET OF or
SEQUENCE OF.
[Steve Henson]
*) Remove EVP_CHECK_DES_KEY, a compile-time option that never compiled.
[Emilia Käsper]
*) Removed DES and RC4 ciphersuites from DEFAULT. Also removed RC2 although
in 1.0.2 EXPORT was already removed and the only RC2 ciphersuite is also
an EXPORT one. COMPLEMENTOFDEFAULT has been updated accordingly to add
DES and RC4 ciphersuites.
[Matt Caswell]
*) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
This changes the decoding behaviour for some invalid messages,
though the change is mostly in the more lenient direction, and
legacy behaviour is preserved as much as possible.
[Emilia Käsper]
*) Fix no-stdio build.
[ David Woodhouse <David.Woodhouse@intel.com> and also
Ivan Nestlerode <ivan.nestlerode@sonos.com> ]
*) New testing framework
The testing framework has been largely rewritten and is now using
perl and the perl modules Test::Harness and an extended variant of
Test::More called OpenSSL::Test to do its work. All test scripts in
test/ have been rewritten into test recipes, and all direct calls to
executables in test/Makefile have become individual recipes using the
simplified testing OpenSSL::Test::Simple.
For documentation on our testing modules, do:
perldoc test/testlib/OpenSSL/Test/Simple.pm
perldoc test/testlib/OpenSSL/Test.pm
[Richard Levitte]
*) Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT
are used; the latter aborts on memory leaks (usually checked on exit).
Some undocumented "set malloc, etc., hooks" functions were removed
and others were changed. All are now documented.
[Rich Salz]
*) In DSA_generate_parameters_ex, if the provided seed is too short,
return an error
[Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]
*) Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites
from RFC4279, RFC4785, RFC5487, RFC5489.
Thanks to Christian J. Dietrich and Giuseppe D'Angelo for the
original RSA_PSK patch.
[Steve Henson]
*) Dropped support for the SSL3_FLAGS_DELAY_CLIENT_FINISHED flag. This SSLeay
era flag was never set throughout the codebase (only read). Also removed
SSL3_FLAGS_POP_BUFFER which was only used if
SSL3_FLAGS_DELAY_CLIENT_FINISHED was also set.
[Matt Caswell]
*) Changed the default name options in the "ca", "crl", "req" and "x509"
to be "oneline" instead of "compat".
[Richard Levitte]
*) Remove SSL_OP_TLS_BLOCK_PADDING_BUG. This is SSLeay legacy, we're
not aware of clients that still exhibit this bug, and the workaround
hasn't been working properly for a while.
[Emilia Käsper]
*) The return type of BIO_number_read() and BIO_number_written() as well as
the corresponding num_read and num_write members in the BIO structure has
changed from unsigned long to uint64_t. On platforms where an unsigned
long is 32 bits (e.g. Windows) these counters could overflow if >4Gb is
transferred.
[Matt Caswell]
*) Given the pervasive nature of TLS extensions it is inadvisable to run
OpenSSL without support for them. It also means that maintaining
the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
not well tested). Therefore the OPENSSL_NO_TLSEXT option has been removed.
[Matt Caswell]
*) Removed support for the two export grade static DH ciphersuites
EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
were newly added (along with a number of other static DH ciphersuites) to
1.0.2. However the two export ones have *never* worked since they were
introduced. It seems strange in any case to be adding new export
ciphersuites, and given "logjam" it also does not seem correct to fix them.
[Matt Caswell]
*) Version negotiation has been rewritten. In particular SSLv23_method(),
SSLv23_client_method() and SSLv23_server_method() have been deprecated,
and turned into macros which simply call the new preferred function names
TLS_method(), TLS_client_method() and TLS_server_method(). All new code
should use the new names instead. Also as part of this change the ssl23.h
header file has been removed.
[Matt Caswell]
*) Support for Kerberos ciphersuites in TLS (RFC2712) has been removed. This
code and the associated standard is no longer considered fit-for-purpose.
[Matt Caswell]
*) RT2547 was closed. When generating a private key, try to make the
output file readable only by the owner. This behavior change might
be noticeable when interacting with other software.
*) Documented all exdata functions. Added CRYPTO_free_ex_index.
Added a test.
[Rich Salz]
*) Added HTTP GET support to the ocsp command.
[Rich Salz]
*) Changed default digest for the dgst and enc commands from MD5 to
sha256
[Rich Salz]
*) RAND_pseudo_bytes has been deprecated. Users should use RAND_bytes instead.
[Matt Caswell]
*) Added support for TLS extended master secret from
draft-ietf-tls-session-hash-03.txt. Thanks for Alfredo Pironti for an
initial patch which was a great help during development.
[Steve Henson]
*) All libssl internal structures have been removed from the public header
files, and the OPENSSL_NO_SSL_INTERN option has been removed (since it is
now redundant). Users should not attempt to access internal structures
directly. Instead they should use the provided API functions.
[Matt Caswell]
*) config has been changed so that by default OPENSSL_NO_DEPRECATED is used.
Access to deprecated functions can be re-enabled by running config with
"enable-deprecated". In addition applications wishing to use deprecated
functions must define OPENSSL_USE_DEPRECATED. Note that this new behaviour
will, by default, disable some transitive includes that previously existed
in the header files (e.g. ec.h will no longer, by default, include bn.h)
[Matt Caswell]
*) Added support for OCB mode. OpenSSL has been granted a patent license
compatible with the OpenSSL license for use of OCB. Details are available
at https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf. Support
for OCB can be removed by calling config with no-ocb.
[Matt Caswell]
*) SSLv2 support has been removed. It still supports receiving a SSLv2
compatible client hello.
[Kurt Roeckx]
*) Increased the minimal RSA keysize from 256 to 512 bits [Rich Salz],
done while fixing the error code for the key-too-small case.
[Annie Yousar <a.yousar@informatik.hu-berlin.de>]
*) CA.sh has been removed; use CA.pl instead.
[Rich Salz]
*) Removed old DES API.
[Rich Salz]
*) Remove various unsupported platforms:
Sony NEWS4
BEOS and BEOS_R5
NeXT
SUNOS
MPE/iX
Sinix/ReliantUNIX RM400
DGUX
NCR
Tandem
Cray
16-bit platforms such as WIN16
[Rich Salz]
*) Clean up OPENSSL_NO_xxx #define's
Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF
Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC
OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP
OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK
OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY
Remove MS_STATIC; it's a relic from platforms <32 bits.
[Rich Salz]
*) Cleaned up dead code
Remove all but one '#ifdef undef' which is to be looked at.
[Rich Salz]
*) Clean up calling of xxx_free routines.
Just like free(), fix most of the xxx_free routines to accept
NULL. Remove the non-null checks from callers. Save much code.
[Rich Salz]
*) Add secure heap for storage of private keys (when possible).
Add BIO_s_secmem(), CBIGNUM, etc.
Contributed by Akamai Technologies under our Corporate CLA.
[Rich Salz]
*) Experimental support for a new, fast, unbiased prime candidate generator,
bn_probable_prime_dh_coprime(). Not currently used by any prime generator.
[Felix Laurie von Massenbach <felix@erbridge.co.uk>]
*) New output format NSS in the sess_id command line tool. This allows
exporting the session id and the master key in NSS keylog format.
[Martin Kaiser <martin@kaiser.cx>]
*) Harmonize version and its documentation. -f flag is used to display
compilation flags.
[mancha <mancha1@zoho.com>]
*) Fix eckey_priv_encode so it immediately returns an error upon a failure
in i2d_ECPrivateKey. Thanks to Ted Unangst for feedback on this issue.
[mancha <mancha1@zoho.com>]
*) Fix some double frees. These are not thought to be exploitable.
[mancha <mancha1@zoho.com>]
*) A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.
Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix (CVE-2014-0160)
[Adam Langley, Bodo Moeller]
*) Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140
Thanks to Yuval Yarom and Naomi Benger for discovering this
flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
[Yuval Yarom and Naomi Benger]
*) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
this fixes a limitation in previous versions of OpenSSL.
[Steve Henson]
*) Experimental encrypt-then-mac support.
Experimental support for encrypt then mac from
draft-gutmann-tls-encrypt-then-mac-02.txt
To enable it set the appropriate extension number (0x42 for the test
server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42
For non-compliant peers (i.e. just about everything) this should have no
effect.
WARNING: EXPERIMENTAL, SUBJECT TO CHANGE.
[Steve Henson]
*) Add EVP support for key wrapping algorithms, to avoid problems with
existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
algorithms and include tests cases.
[Steve Henson]
*) Extend CMS code to support RSA-PSS signatures and RSA-OAEP for
enveloped data.
[Steve Henson]
*) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
MGF1 digest and OAEP label.
[Steve Henson]
*) Make openssl verify return errors.
[Chris Palmer <palmer@google.com> and Ben Laurie]
*) New function ASN1_TIME_diff to calculate the difference between two
ASN1_TIME structures or one structure and the current time.
[Steve Henson]
*) Update fips_test_suite to support multiple command line options. New
test to induce all self test errors in sequence and check expected
failures.
[Steve Henson]
*) Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and
sign or verify all in one operation.
[Steve Henson]
*) Add fips_algvs: a multicall fips utility incorporating all the algorithm
test programs and fips_test_suite. Includes functionality to parse
the minimal script output of fipsalgest.pl directly.
[Steve Henson]
*) Add authorisation parameter to FIPS_module_mode_set().
[Steve Henson]
*) Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves.
[Steve Henson]
*) Use separate DRBG fields for internal and external flags. New function
FIPS_drbg_health_check() to perform on demand health checking. Add
generation tests to fips_test_suite with reduced health check interval to
demonstrate periodic health checking. Add "nodh" option to
fips_test_suite to skip very slow DH test.
[Steve Henson]
*) New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers
based on NID.
[Steve Henson]
*) More extensive health check for DRBG checking many more failure modes.
New function FIPS_selftest_drbg_all() to handle every possible DRBG
combination: call this in fips_test_suite.
[Steve Henson]
*) Add support for canonical generation of DSA parameter 'g'. See
FIPS 186-3 A.2.3.
*) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and
POST to handle HMAC cases.
[Steve Henson]
*) Add functions FIPS_module_version() and FIPS_module_version_text()
to return numerical and string versions of the FIPS module number.
[Steve Henson]
*) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and
FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented
outside the validated module in the FIPS capable OpenSSL.
[Steve Henson]
*) Minor change to DRBG entropy callback semantics. In some cases
there is no multiple of the block length between min_len and
max_len. Allow the callback to return more than max_len bytes
of entropy but discard any extra: it is the callback's responsibility
to ensure that the extra data discarded does not impact the
requested amount of entropy.
[Steve Henson]
*) Add PRNG security strength checks to RSA, DSA and ECDSA using
information in FIPS186-3, SP800-57 and SP800-131A.
[Steve Henson]
*) CCM support via EVP. Interface is very similar to GCM case except we
must supply all data in one chunk (i.e. no update, final) and the
message length must be supplied if AAD is used. Add algorithm test
support.
[Steve Henson]
*) Initial version of POST overhaul. Add POST callback to allow the status
of POST to be monitored and/or failures induced. Modify fips_test_suite
to use callback. Always run all selftests even if one fails.
[Steve Henson]
*) XTS support including algorithm test driver in the fips_gcmtest program.
Note: this does increase the maximum key length from 32 to 64 bytes but
there should be no binary compatibility issues as existing applications
will never use XTS mode.
[Steve Henson]
*) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies
to OpenSSL RAND code and replace with a tiny FIPS RAND API which also
performs algorithm blocking for unapproved PRNG types. Also do not
set PRNG type in FIPS_mode_set(): leave this to the application.
Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with
the standard OpenSSL PRNG: set additional data to a date time vector.
[Steve Henson]
*) Rename old X9.31 PRNG functions of the form FIPS_rand* to FIPS_x931*.
This shouldn't present any incompatibility problems because applications
shouldn't be using these directly and any that are will need to rethink
anyway as the X9.31 PRNG is now deprecated by FIPS 140-2
[Steve Henson]
*) Extensive self tests and health checking required by SP800-90 DRBG.
Remove strength parameter from FIPS_drbg_instantiate and always
instantiate at maximum supported strength.
[Steve Henson]
*) Add ECDH code to fips module and fips_ecdhvs for primitives only testing.
[Steve Henson]
*) New algorithm test program fips_dhvs to handle DH primitives only testing.
[Steve Henson]
*) New function DH_compute_key_padded() to compute a DH key and pad with
leading zeroes if needed: this complies with SP800-56A et al.
[Steve Henson]
*) Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by
anything, incomplete, subject to change and largely untested at present.
[Steve Henson]
*) Modify fipscanisteronly build option to only build the necessary object
files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile.
[Steve Henson]
*) Add experimental option FIPSSYMS to give all symbols in
fipscanister.o and FIPS or fips prefix. This will avoid
conflicts with future versions of OpenSSL. Add perl script
util/fipsas.pl to preprocess assembly language source files
and rename any affected symbols.
[Steve Henson]
*) Add selftest checks and algorithm block of non-fips algorithms in
FIPS mode. Remove DES2 from selftests.
[Steve Henson]
*) Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just
return internal method without any ENGINE dependencies. Add new
tiny fips sign and verify functions.
[Steve Henson]
*) New build option no-ec2m to disable characteristic 2 code.
[Steve Henson]
*) New build option "fipscanisteronly". This only builds fipscanister.o
and (currently) associated fips utilities. Uses the file Makefile.fips
instead of Makefile.org as the prototype.
[Steve Henson]
*) Add some FIPS mode restrictions to GCM. Add internal IV generator.
Update fips_gcmtest to use IV generator.
[Steve Henson]
*) Initial, experimental EVP support for AES-GCM. AAD can be input by
setting output buffer to NULL. The *Final function must be
called although it will not retrieve any additional data. The tag
can be set or retrieved with a ctrl. The IV length is by default 12
bytes (96 bits) but can be set to an alternative value. If the IV
length exceeds the maximum IV length (currently 16 bytes) it cannot be
set before the key.
[Steve Henson]
*) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the
underlying do_cipher function handles all cipher semantics itself
including padding and finalisation. This is useful if (for example)
an ENGINE cipher handles block padding itself. The behaviour of
do_cipher is subtly changed if this flag is set: the return value
is the number of characters written to the output buffer (zero is
no longer an error code) or a negative error code. Also if the
input buffer is NULL and length 0 finalisation should be performed.
[Steve Henson]
*) If a candidate issuer certificate is already part of the constructed
path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case.
[Steve Henson]
*) Improve forward-security support: add functions
void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure))
void SSL_set_not_resumable_session_callback(SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure))
for use by SSL/TLS servers; the callback function will be called whenever a
new session is created, and gets to decide whether the session may be
cached to make it resumable (return 0) or not (return 1). (As by the
SSL/TLS protocol specifications, the session_id sent by the server will be
empty to indicate that the session is not resumable; also, the server will
not generate RFC 4507 (RFC 5077) session tickets.)
A simple reasonable callback implementation is to return is_forward_secure.
This parameter will be set to 1 or 0 depending on the ciphersuite selected
by the SSL/TLS server library, indicating whether it can provide forward
security.
[Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)]
*) New -verify_name option in command line utilities to set verification
parameters by name.
[Steve Henson]
*) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE.
Add CMAC pkey methods.
[Steve Henson]
*) Experimental renegotiation in s_server -www mode. If the client
browses /reneg connection is renegotiated. If /renegcert it is
renegotiated requesting a certificate.
[Steve Henson]
*) Add an "external" session cache for debugging purposes to s_server. This
should help trace issues which normally are only apparent in deployed
multi-process servers.
[Steve Henson]
*) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where
return value is ignored. NB. The functions RAND_add(), RAND_seed(),
BIO_set_cipher() and some obscure PEM functions were changed so they
can now return an error. The RAND changes required a change to the
RAND_METHOD structure.
[Steve Henson]
*) New macro __owur for "OpenSSL Warn Unused Result". This makes use of
a gcc attribute to warn if the result of a function is ignored. This
is enable if DEBUG_UNUSED is set. Add to several functions in evp.h
whose return value is often ignored.
[Steve Henson]
*) New -noct, -requestct, -requirect and -ctlogfile options for s_client.
These allow SCTs (signed certificate timestamps) to be requested and
validated when establishing a connection.
[Rob Percival <robpercival@google.com>]
Changes between 1.0.2g and 1.0.2h [3 May 2016]
*) Prevent padding oracle in AES-NI CBC MAC check
A MITM attacker can use a padding oracle attack to decrypt traffic
when the connection uses an AES CBC cipher and the server support
AES-NI.
This issue was introduced as part of the fix for Lucky 13 padding
attack (CVE-2013-0169). The padding check was rewritten to be in
constant time by making sure that always the same bytes are read and
compared against either the MAC or padding bytes. But it no longer
checked that there was enough data to have both the MAC and padding
bytes.
This issue was reported by Juraj Somorovsky using TLS-Attacker.
(CVE-2016-2107)
[Kurt Roeckx]
*) Fix EVP_EncodeUpdate overflow
An overflow can occur in the EVP_EncodeUpdate() function which is used for
Base64 encoding of binary data. If an attacker is able to supply very large
amounts of input data then a length check can overflow resulting in a heap
corruption.
Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by
the PEM_write_bio* family of functions. These are mainly used within the
OpenSSL command line applications, so any application which processes data
from an untrusted source and outputs it as a PEM file should be considered
vulnerable to this issue. User applications that call these APIs directly
with large amounts of untrusted data may also be vulnerable.
This issue was reported by Guido Vranken.
(CVE-2016-2105)
[Matt Caswell]
*) Fix EVP_EncryptUpdate overflow
An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
is able to supply very large amounts of input data after a previous call to
EVP_EncryptUpdate() with a partial block then a length check can overflow
resulting in a heap corruption. Following an analysis of all OpenSSL
internal usage of the EVP_EncryptUpdate() function all usage is one of two
forms. The first form is where the EVP_EncryptUpdate() call is known to be
the first called function after an EVP_EncryptInit(), and therefore that
specific call must be safe. The second form is where the length passed to
EVP_EncryptUpdate() can be seen from the code to be some small value and
therefore there is no possibility of an overflow. Since all instances are
one of these two forms, it is believed that there can be no overflows in
internal code due to this problem. It should be noted that
EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
of these calls have also been analysed too and it is believed there are no
instances in internal usage where an overflow could occur.
This issue was reported by Guido Vranken.
(CVE-2016-2106)
[Matt Caswell]
*) Prevent ASN.1 BIO excessive memory allocation
When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
a short invalid encoding can cause allocation of large amounts of memory
potentially consuming excessive resources or exhausting memory.
Any application parsing untrusted data through d2i BIO functions is
affected. The memory based functions such as d2i_X509() are *not* affected.
Since the memory based functions are used by the TLS library, TLS
applications are not affected.
This issue was reported by Brian Carpenter.
(CVE-2016-2109)
[Stephen Henson]
*) EBCDIC overread
ASN1 Strings that are over 1024 bytes can cause an overread in applications
using the X509_NAME_oneline() function on EBCDIC systems. This could result
in arbitrary stack data being returned in the buffer.
This issue was reported by Guido Vranken.
(CVE-2016-2176)
[Matt Caswell]
*) Modify behavior of ALPN to invoke callback after SNI/servername
callback, such that updates to the SSL_CTX affect ALPN.
[Todd Short]
*) Remove LOW from the DEFAULT cipher list. This removes singles DES from the
default.
[Kurt Roeckx]
*) Only remove the SSLv2 methods with the no-ssl2-method option. When the
methods are enabled and ssl2 is disabled the methods return NULL.
[Kurt Roeckx]
Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
Builds that are not configured with "enable-weak-ssl-ciphers" will not
provide any "EXPORT" or "LOW" strength ciphers.
[Viktor Dukhovni]
* Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
is by default disabled at build-time. Builds that are not configured with
"enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
will need to explicitly call either of:
SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
or
SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
as appropriate. Even if either of those is used, or the application
explicitly uses the version-specific SSLv2_method() or its client and
server variants, SSLv2 ciphers vulnerable to exhaustive search key
recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
ciphers, and SSLv2 56-bit DES are no longer available.
(CVE-2016-0800)
[Viktor Dukhovni]
*) Fix a double-free in DSA code
A double free bug was discovered when OpenSSL parses malformed DSA private
keys and could lead to a DoS attack or memory corruption for applications
that receive DSA private keys from untrusted sources. This scenario is
considered rare.
This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using
libFuzzer.
(CVE-2016-0705)
[Stephen Henson]
*) Disable SRP fake user seed to address a server memory leak.
Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
SRP_VBASE_get_by_user had inconsistent memory management behaviour.
In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
was changed to ignore the "fake user" SRP seed, even if the seed
is configured.
Users should use SRP_VBASE_get1_by_user instead. Note that in
SRP_VBASE_get1_by_user, caller must free the returned value. Note
also that even though configuring the SRP seed attempts to hide
invalid usernames by continuing the handshake with fake
credentials, this behaviour is not constant time and no strong
guarantees are made that the handshake is indistinguishable from
that of a valid user.
(CVE-2016-0798)
[Emilia Käsper]
*) Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
In the BN_hex2bn function the number of hex digits is calculated using an
int value |i|. Later |bn_expand| is called with a value of |i * 4|. For
large values of |i| this can result in |bn_expand| not allocating any
memory because |i * 4| is negative. This can leave the internal BIGNUM data
field as NULL leading to a subsequent NULL ptr deref. For very large values
of |i|, the calculation |i * 4| could be a positive value smaller than |i|.
In this case memory is allocated to the internal BIGNUM data field, but it
is insufficiently sized leading to heap corruption. A similar issue exists
in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
is ever called by user applications with very large untrusted hex/dec data.
This is anticipated to be a rare occurrence.
All OpenSSL internal usage of these functions use data that is not expected
to be untrusted, e.g. config file data or application command line
arguments. If user developed applications generate config file data based
on untrusted data then it is possible that this could also lead to security
consequences. This is also anticipated to be rare.
This issue was reported to OpenSSL by Guido Vranken.
(CVE-2016-0797)
[Matt Caswell]
*) Fix memory issues in BIO_*printf functions
The internal |fmtstr| function used in processing a "%s" format string in
the BIO_*printf functions could overflow while calculating the length of a
string and cause an OOB read when printing very long strings.
Additionally the internal |doapr_outch| function can attempt to write to an
OOB memory location (at an offset from the NULL pointer) in the event of a
memory allocation failure. In 1.0.2 and below this could be caused where
the size of a buffer to be allocated is greater than INT_MAX. E.g. this
could be in processing a very long "%s" format string. Memory leaks can
also occur.
The first issue may mask the second issue dependent on compiler behaviour.
These problems could enable attacks where large amounts of untrusted data
is passed to the BIO_*printf functions. If applications use these functions
in this way then they could be vulnerable. OpenSSL itself uses these
functions when printing out human-readable dumps of ASN.1 data. Therefore
applications that print this data could be vulnerable if the data is from
untrusted sources. OpenSSL command line applications could also be
vulnerable where they print out ASN.1 data, or if untrusted data is passed
as command line arguments.
Libssl is not considered directly vulnerable. Additionally certificates etc
received via remote connections via libssl are also unlikely to be able to
trigger these issues because of message size limits enforced within libssl.
This issue was reported to OpenSSL Guido Vranken.
(CVE-2016-0799)
[Matt Caswell]
*) Side channel attack on modular exponentiation
A side-channel attack was found which makes use of cache-bank conflicts on
the Intel Sandy-Bridge microarchitecture which could lead to the recovery
of RSA keys. The ability to exploit this issue is limited as it relies on
an attacker who has control of code in a thread running on the same
hyper-threaded core as the victim thread which is performing decryptions.
This issue was reported to OpenSSL by Yuval Yarom, The University of
Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
Nadia Heninger, University of Pennsylvania with more information at
http://cachebleed.info.
(CVE-2016-0702)
[Andy Polyakov]
*) Change the req app to generate a 2048-bit RSA/DSA key by default,
if no keysize is specified with default_bits. This fixes an
omission in an earlier change that changed all RSA/DSA key generation
apps to use 2048 bits by default.
[Emilia Käsper]
Changes between 1.0.2e and 1.0.2f [28 Jan 2016]
*) DH small subgroups
Historically OpenSSL only ever generated DH parameters based on "safe"
primes. More recently (in version 1.0.2) support was provided for
generating X9.42 style parameter files such as those required for RFC 5114
support. The primes used in such files may not be "safe". Where an
application is using DH configured with parameters based on primes that are
not "safe" then an attacker could use this fact to find a peer's private
DH exponent. This attack requires that the attacker complete multiple
handshakes in which the peer uses the same private DH exponent. For example
this could be used to discover a TLS server's private DH exponent if it's
reusing the private DH exponent or it's using a static DH ciphersuite.
OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in
TLS. It is not on by default. If the option is not set then the server
reuses the same private DH exponent for the life of the server process and
would be vulnerable to this attack. It is believed that many popular
applications do set this option and would therefore not be at risk.
The fix for this issue adds an additional check where a "q" parameter is
available (as is the case in X9.42 based parameters). This detects the
only known attack, and is the only possible defense for static DH
ciphersuites. This could have some performance impact.
Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by
default and cannot be disabled. This could have some performance impact.
This issue was reported to OpenSSL by Antonio Sanso (Adobe).
(CVE-2016-0701)
[Matt Caswell]
*) SSLv2 doesn't block disabled ciphers
A malicious client can negotiate SSLv2 ciphers that have been disabled on
the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
been disabled, provided that the SSLv2 protocol was not also disabled via
SSL_OP_NO_SSLv2.
This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
and Sebastian Schinzel.
(CVE-2015-3197)
[Viktor Dukhovni]
Changes between 1.0.2d and 1.0.2e [3 Dec 2015]
*) BN_mod_exp may produce incorrect results on x86_64
There is a carry propagating bug in the x86_64 Montgomery squaring
procedure. No EC algorithms are affected. Analysis suggests that attacks
against RSA and DSA as a result of this defect would be very difficult to
perform and are not believed likely. Attacks against DH are considered just
feasible (although very difficult) because most of the work necessary to
deduce information about a private key may be performed offline. The amount
of resources required for such an attack would be very significant and
likely only accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients. For example this can occur by
default in OpenSSL DHE based SSL/TLS ciphersuites.
This issue was reported to OpenSSL by Hanno Böck.
(CVE-2015-3193)
[Andy Polyakov]
*) Certificate verify crash with missing PSS parameter
The signature verification routines will crash with a NULL pointer
dereference if presented with an ASN.1 signature using the RSA PSS
algorithm and absent mask generation function parameter. Since these
routines are used to verify certificate signature algorithms this can be
used to crash any certificate verification operation and exploited in a
DoS attack. Any application which performs certificate verification is
vulnerable including OpenSSL clients and servers which enable client
authentication.
This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
(CVE-2015-3194)
[Stephen Henson]
*) X509_ATTRIBUTE memory leak
When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
memory. This structure is used by the PKCS#7 and CMS routines so any
application which reads PKCS#7 or CMS data from untrusted sources is
affected. SSL/TLS is not affected.
This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
libFuzzer.
(CVE-2015-3195)
[Stephen Henson]
*) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
This changes the decoding behaviour for some invalid messages,
though the change is mostly in the more lenient direction, and
legacy behaviour is preserved as much as possible.
[Emilia Käsper]
*) In DSA_generate_parameters_ex, if the provided seed is too short,
return an error
[Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]
Changes between 1.0.2c and 1.0.2d [9 Jul 2015]
*) Alternate chains certificate forgery
During certificate verification, OpenSSL will attempt to find an
alternative certificate chain if the first attempt to build such a chain
fails. An error in the implementation of this logic can mean that an
attacker could cause certain checks on untrusted certificates to be
bypassed, such as the CA flag, enabling them to use a valid leaf
certificate to act as a CA and "issue" an invalid certificate.
This issue was reported to OpenSSL by Adam Langley/David Benjamin
(Google/BoringSSL).
[Matt Caswell]
Changes between 1.0.2b and 1.0.2c [12 Jun 2015]
*) Fix HMAC ABI incompatibility. The previous version introduced an ABI
incompatibility in the handling of HMAC. The previous ABI has now been
restored.
[Matt Caswell]
Changes between 1.0.2a and 1.0.2b [11 Jun 2015]
*) Malformed ECParameters causes infinite loop
When processing an ECParameters structure OpenSSL enters an infinite loop
if the curve specified is over a specially malformed binary polynomial
field.
This can be used to perform denial of service against any
system which processes public keys, certificate requests or
certificates. This includes TLS clients and TLS servers with
client authentication enabled.
This issue was reported to OpenSSL by Joseph Barr-Pixton.
(CVE-2015-1788)
[Andy Polyakov]
*) Exploitable out-of-bounds read in X509_cmp_time
X509_cmp_time does not properly check the length of the ASN1_TIME
string and can read a few bytes out of bounds. In addition,
X509_cmp_time accepts an arbitrary number of fractional seconds in the
time string.
An attacker can use this to craft malformed certificates and CRLs of
various sizes and potentially cause a segmentation fault, resulting in
a DoS on applications that verify certificates or CRLs. TLS clients
that verify CRLs are affected. TLS clients and servers with client
authentication enabled may be affected if they use custom verification
callbacks.
This issue was reported to OpenSSL by Robert Swiecki (Google), and
independently by Hanno Böck.
(CVE-2015-1789)
[Emilia Käsper]
*) PKCS7 crash with missing EnvelopedContent
The PKCS#7 parsing code does not handle missing inner EncryptedContent
correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs
with missing content and trigger a NULL pointer dereference on parsing.
Applications that decrypt PKCS#7 data or otherwise parse PKCS#7
structures from untrusted sources are affected. OpenSSL clients and
servers are not affected.
This issue was reported to OpenSSL by Michal Zalewski (Google).
(CVE-2015-1790)
[Emilia Käsper]
*) CMS verify infinite loop with unknown hash function
When verifying a signedData message the CMS code can enter an infinite loop
if presented with an unknown hash function OID. This can be used to perform
denial of service against any system which verifies signedData messages using
the CMS code.
This issue was reported to OpenSSL by Johannes Bauer.
(CVE-2015-1792)
[Stephen Henson]
*) Race condition handling NewSessionTicket
If a NewSessionTicket is received by a multi-threaded client when attempting to
reuse a previous ticket then a race condition can occur potentially leading to
a double free of the ticket data.
(CVE-2015-1791)
[Matt Caswell]
*) Only support 256-bit or stronger elliptic curves with the
'ecdh_auto' setting (server) or by default (client). Of supported
curves, prefer P-256 (both).
[Emilia Kasper]
Changes between 1.0.2 and 1.0.2a [19 Mar 2015]
*) ClientHello sigalgs DoS fix
If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
invalid signature algorithms extension a NULL pointer dereference will
occur. This can be exploited in a DoS attack against the server.
This issue was was reported to OpenSSL by David Ramos of Stanford
University.
(CVE-2015-0291)
[Stephen Henson and Matt Caswell]
*) Multiblock corrupted pointer fix
OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
feature only applies on 64 bit x86 architecture platforms that support AES
NI instructions. A defect in the implementation of "multiblock" can cause
OpenSSL's internal write buffer to become incorrectly set to NULL when
using non-blocking IO. Typically, when the user application is using a
socket BIO for writing, this will only result in a failed connection.
However if some other BIO is used then it is likely that a segmentation
fault will be triggered, thus enabling a potential DoS attack.
This issue was reported to OpenSSL by Daniel Danner and Rainer Mueller.
(CVE-2015-0290)
[Matt Caswell]
*) Segmentation fault in DTLSv1_listen fix
The DTLSv1_listen function is intended to be stateless and processes the
initial ClientHello from many peers. It is common for user code to loop
over the call to DTLSv1_listen until a valid ClientHello is received with
an associated cookie. A defect in the implementation of DTLSv1_listen means
that state is preserved in the SSL object from one invocation to the next
that can lead to a segmentation fault. Errors processing the initial
ClientHello can trigger this scenario. An example of such an error could be
that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
server.
This issue was reported to OpenSSL by Per Allansson.
(CVE-2015-0207)
[Matt Caswell]
*) Segmentation fault in ASN1_TYPE_cmp fix
The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
certificate signature algorithm consistency this can be used to crash any
certificate verification operation and exploited in a DoS attack. Any
application which performs certificate verification is vulnerable including
OpenSSL clients and servers which enable client authentication.
(CVE-2015-0286)
[Stephen Henson]
*) Segmentation fault for invalid PSS parameters fix
The signature verification routines will crash with a NULL pointer
dereference if presented with an ASN.1 signature using the RSA PSS
algorithm and invalid parameters. Since these routines are used to verify
certificate signature algorithms this can be used to crash any
certificate verification operation and exploited in a DoS attack. Any
application which performs certificate verification is vulnerable including
OpenSSL clients and servers which enable client authentication.
This issue was was reported to OpenSSL by Brian Carpenter.
(CVE-2015-0208)
[Stephen Henson]
*) ASN.1 structure reuse memory corruption fix
Reusing a structure in ASN.1 parsing may allow an attacker to cause
memory corruption via an invalid write. Such reuse is and has been
strongly discouraged and is believed to be rare.
Applications that parse structures containing CHOICE or ANY DEFINED BY
components may be affected. Certificate parsing (d2i_X509 and related
functions) are however not affected. OpenSSL clients and servers are
not affected.
(CVE-2015-0287)
[Stephen Henson]
*) PKCS7 NULL pointer dereferences fix
The PKCS#7 parsing code does not handle missing outer ContentInfo
correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
missing content and trigger a NULL pointer dereference on parsing.
Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
otherwise parse PKCS#7 structures from untrusted sources are
affected. OpenSSL clients and servers are not affected.
This issue was reported to OpenSSL by Michal Zalewski (Google).
(CVE-2015-0289)
[Emilia Käsper]
*) DoS via reachable assert in SSLv2 servers fix
A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
servers that both support SSLv2 and enable export cipher suites by sending
a specially crafted SSLv2 CLIENT-MASTER-KEY message.
This issue was discovered by Sean Burford (Google) and Emilia Käsper
(OpenSSL development team).
(CVE-2015-0293)
[Emilia Käsper]
*) Empty CKE with client auth and DHE fix
If client auth is used then a server can seg fault in the event of a DHE
ciphersuite being selected and a zero length ClientKeyExchange message
being sent by the client. This could be exploited in a DoS attack.
(CVE-2015-1787)
[Matt Caswell]
*) Handshake with unseeded PRNG fix
Under certain conditions an OpenSSL 1.0.2 client can complete a handshake
with an unseeded PRNG. The conditions are:
- The client is on a platform where the PRNG has not been seeded
automatically, and the user has not seeded manually
- A protocol specific client method version has been used (i.e. not
SSL_client_methodv23)
- A ciphersuite is used that does not require additional random data from
the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).
If the handshake succeeds then the client random that has been used will
have been generated from a PRNG with insufficient entropy and therefore the
output may be predictable.
For example using the following command with an unseeded openssl will
succeed on an unpatched platform:
openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
(CVE-2015-0285)
[Matt Caswell]
*) Use After Free following d2i_ECPrivatekey error fix
A malformed EC private key file consumed via the d2i_ECPrivateKey function
could cause a use after free condition. This, in turn, could cause a double
free in several private key parsing functions (such as d2i_PrivateKey
or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
for applications that receive EC private keys from untrusted
sources. This scenario is considered rare.
This issue was discovered by the BoringSSL project and fixed in their
commit 517073cd4b.
(CVE-2015-0209)
[Matt Caswell]
*) X509_to_X509_REQ NULL pointer deref fix
The function X509_to_X509_REQ will crash with a NULL pointer dereference if
the certificate key is invalid. This function is rarely used in practice.
This issue was discovered by Brian Carpenter.
(CVE-2015-0288)
[Stephen Henson]
*) Removed the export ciphers from the DEFAULT ciphers
[Kurt Roeckx]
Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
*) Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g.
ARMv5 through ARMv8, as opposite to "locking" it to single one.
So far those who have to target multiple platforms would compromise
and argue that binary targeting say ARMv5 would still execute on
ARMv8. "Universal" build resolves this compromise by providing
near-optimal performance even on newer platforms.
[Andy Polyakov]
*) Accelerated NIST P-256 elliptic curve implementation for x86_64
(other platforms pending).
[Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov]
*) Add support for the SignedCertificateTimestampList certificate and
OCSP response extensions from RFC6962.
[Rob Stradling]
*) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
for corner cases. (Certain input points at infinity could lead to
bogus results, with non-infinity inputs mapped to infinity too.)
[Bodo Moeller]
*) Initial support for PowerISA 2.0.7, first implemented in POWER8.
This covers AES, SHA256/512 and GHASH. "Initial" means that most
common cases are optimized and there still is room for further
improvements. Vector Permutation AES for Altivec is also added.
[Andy Polyakov]
*) Add support for little-endian ppc64 Linux target.
[Marcelo Cerri (IBM)]
*) Initial support for AMRv8 ISA crypto extensions. This covers AES,
SHA1, SHA256 and GHASH. "Initial" means that most common cases
are optimized and there still is room for further improvements.
Both 32- and 64-bit modes are supported.
[Andy Polyakov, Ard Biesheuvel (Linaro)]
*) Improved ARMv7 NEON support.
[Andy Polyakov]
*) Support for SPARC Architecture 2011 crypto extensions, first
implemented in SPARC T4. This covers AES, DES, Camellia, SHA1,
SHA256/512, MD5, GHASH and modular exponentiation.
[Andy Polyakov, David Miller]
*) Accelerated modular exponentiation for Intel processors, a.k.a.
RSAZ.
[Shay Gueron & Vlad Krasnov (Intel Corp)]
*) Support for new and upcoming Intel processors, including AVX2,
BMI and SHA ISA extensions. This includes additional "stitched"
implementations, AESNI-SHA256 and GCM, and multi-buffer support
for TLS encrypt.
This work was sponsored by Intel Corp.
[Andy Polyakov]
*) Support for DTLS 1.2. This adds two sets of DTLS methods: DTLS_*_method()
supports both DTLS 1.2 and 1.0 and should use whatever version the peer
supports and DTLSv1_2_*_method() which supports DTLS 1.2 only.
[Steve Henson]
*) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
this fixes a limitation in previous versions of OpenSSL.
[Steve Henson]
*) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
MGF1 digest and OAEP label.
[Steve Henson]
*) Add EVP support for key wrapping algorithms, to avoid problems with
existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
algorithms and include tests cases.
[Steve Henson]
*) Add functions to allocate and set the fields of an ECDSA_METHOD
structure.
[Douglas E. Engert, Steve Henson]
*) New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the
difference in days and seconds between two tm or ASN1_TIME structures.
[Steve Henson]
*) Add -rev test option to s_server to just reverse order of characters
received by client and send back to server. Also prints an abbreviated
summary of the connection parameters.
[Steve Henson]
*) New option -brief for s_client and s_server to print out a brief summary
of connection parameters.
[Steve Henson]
*) Add callbacks for arbitrary TLS extensions.
[Trevor Perrin <trevp@trevp.net> and Ben Laurie]
*) New option -crl_download in several openssl utilities to download CRLs
from CRLDP extension in certificates.
[Steve Henson]
*) New options -CRL and -CRLform for s_client and s_server for CRLs.
[Steve Henson]
*) New function X509_CRL_diff to generate a delta CRL from the difference
of two full CRLs. Add support to "crl" utility.
[Steve Henson]
*) New functions to set lookup_crls function and to retrieve
X509_STORE from X509_STORE_CTX.
[Steve Henson]
*) Print out deprecated issuer and subject unique ID fields in
certificates.
[Steve Henson]
*) Extend OCSP I/O functions so they can be used for simple general purpose
HTTP as well as OCSP. New wrapper function which can be used to download
CRLs using the OCSP API.
[Steve Henson]
*) Delegate command line handling in s_client/s_server to SSL_CONF APIs.
[Steve Henson]
*) SSL_CONF* functions. These provide a common framework for application
configuration using configuration files or command lines.
[Steve Henson]
*) SSL/TLS tracing code. This parses out SSL/TLS records using the
message callback and prints the results. Needs compile time option
"enable-ssl-trace". New options to s_client and s_server to enable
tracing.
[Steve Henson]
*) New ctrl and macro to retrieve supported points extensions.
Print out extension in s_server and s_client.
[Steve Henson]
*) New functions to retrieve certificate signature and signature
OID NID.
[Steve Henson]
*) Add functions to retrieve and manipulate the raw cipherlist sent by a
client to OpenSSL.
[Steve Henson]
*) New Suite B modes for TLS code. These use and enforce the requirements
of RFC6460: restrict ciphersuites, only permit Suite B algorithms and
only use Suite B curves. The Suite B modes can be set by using the
strings "SUITEB128", "SUITEB192" or "SUITEB128ONLY" for the cipherstring.
[Steve Henson]
*) New chain verification flags for Suite B levels of security. Check
algorithms are acceptable when flags are set in X509_verify_cert.
[Steve Henson]
*) Make tls1_check_chain return a set of flags indicating checks passed
by a certificate chain. Add additional tests to handle client
certificates: checks for matching certificate type and issuer name
comparison.
[Steve Henson]
*) If an attempt is made to use a signature algorithm not in the peer
preference list abort the handshake. If client has no suitable
signature algorithms in response to a certificate request do not
use the certificate.
[Steve Henson]
*) If server EC tmp key is not in client preference list abort handshake.
[Steve Henson]
*) Add support for certificate stores in CERT structure. This makes it
possible to have different stores per SSL structure or one store in
the parent SSL_CTX. Include distinct stores for certificate chain
verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
to build and store a certificate chain in CERT structure: returning
an error if the chain cannot be built: this will allow applications
to test if a chain is correctly configured.
Note: if the CERT based stores are not set then the parent SSL_CTX
store is used to retain compatibility with existing behaviour.
[Steve Henson]
*) New function ssl_set_client_disabled to set a ciphersuite disabled
mask based on the current session, check mask when sending client
hello and checking the requested ciphersuite.
[Steve Henson]
*) New ctrls to retrieve and set certificate types in a certificate
request message. Print out received values in s_client. If certificate
types is not set with custom values set sensible values based on
supported signature algorithms.
[Steve Henson]
*) Support for distinct client and server supported signature algorithms.
[Steve Henson]
*) Add certificate callback. If set this is called whenever a certificate
is required by client or server. An application can decide which
certificate chain to present based on arbitrary criteria: for example
supported signature algorithms. Add very simple example to s_server.
This fixes many of the problems and restrictions of the existing client
certificate callback: for example you can now clear an existing
certificate and specify the whole chain.
[Steve Henson]
*) Add new "valid_flags" field to CERT_PKEY structure which determines what
the certificate can be used for (if anything). Set valid_flags field
in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
to have similar checks in it.
Add new "cert_flags" field to CERT structure and include a "strict mode".
This enforces some TLS certificate requirements (such as only permitting
certificate signature algorithms contained in the supported algorithms
extension) which some implementations ignore: this option should be used
with caution as it could cause interoperability issues.
[Steve Henson]
*) Update and tidy signature algorithm extension processing. Work out
shared signature algorithms based on preferences and peer algorithms
and print them out in s_client and s_server. Abort handshake if no
shared signature algorithms.
[Steve Henson]
*) Add new functions to allow customised supported signature algorithms
for SSL and SSL_CTX structures. Add options to s_client and s_server
to support them.
[Steve Henson]
*) New function SSL_certs_clear() to delete all references to certificates
from an SSL structure. Before this once a certificate had been added
it couldn't be removed.
[Steve Henson]
*) Integrate hostname, email address and IP address checking with certificate
verification. New verify options supporting checking in openssl utility.
[Steve Henson]
*) Fixes and wildcard matching support to hostname and email checking
functions. Add manual page.
[Florian Weimer (Red Hat Product Security Team)]
*) New functions to check a hostname email or IP address against a
certificate. Add options x509 utility to print results of checks against
a certificate.
[Steve Henson]
*) Fix OCSP checking.
[Rob Stradling <rob.stradling@comodo.com> and Ben Laurie]
*) Initial experimental support for explicitly trusted non-root CAs.
OpenSSL still tries to build a complete chain to a root but if an
intermediate CA has a trust setting included that is used. The first
setting is used: whether to trust (e.g., -addtrust option to the x509
utility) or reject.
[Steve Henson]
*) Add -trusted_first option which attempts to find certificates in the
trusted store even if an untrusted chain is also supplied.
[Steve Henson]
*) MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE,
platform support for Linux and Android.
[Andy Polyakov]
*) Support for linux-x32, ILP32 environment in x86_64 framework.
[Andy Polyakov]
*) Experimental multi-implementation support for FIPS capable OpenSSL.
When in FIPS mode the approved implementations are used as normal,
when not in FIPS mode the internal unapproved versions are used instead.
This means that the FIPS capable OpenSSL isn't forced to use the
(often lower performance) FIPS implementations outside FIPS mode.
[Steve Henson]
*) Transparently support X9.42 DH parameters when calling
PEM_read_bio_DHparameters. This means existing applications can handle
the new parameter format automatically.
[Steve Henson]
*) Initial experimental support for X9.42 DH parameter format: mainly
to support use of 'q' parameter for RFC5114 parameters.
[Steve Henson]
*) Add DH parameters from RFC5114 including test data to dhtest.
[Steve Henson]
*) Support for automatic EC temporary key parameter selection. If enabled
the most preferred EC parameters are automatically used instead of
hardcoded fixed parameters. Now a server just has to call:
SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
support ECDH and use the most appropriate parameters.
[Steve Henson]
*) Enhance and tidy EC curve and point format TLS extension code. Use
static structures instead of allocation if default values are used.
New ctrls to set curves we wish to support and to retrieve shared curves.
Print out shared curves in s_server. New options to s_server and s_client
to set list of supported curves.
[Steve Henson]
*) New ctrls to retrieve supported signature algorithms and
supported curve values as an array of NIDs. Extend openssl utility
to print out received values.
[Steve Henson]
*) Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
between NIDs and the more common NIST names such as "P-256". Enhance
ecparam utility and ECC method to recognise the NIST names for curves.
[Steve Henson]
*) Enhance SSL/TLS certificate chain handling to support different
chains for each certificate instead of one chain in the parent SSL_CTX.
[Steve Henson]
*) Support for fixed DH ciphersuite client authentication: where both
server and client use DH certificates with common parameters.
[Steve Henson]
*) Support for fixed DH ciphersuites: those requiring DH server
certificates.
[Steve Henson]
*) New function i2d_re_X509_tbs for re-encoding the TBS portion of
the certificate.
Note: Related 1.0.2-beta specific macros X509_get_cert_info,
X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
X509_CINF_get_signature were reverted post internal team review.
Changes between 1.0.1k and 1.0.1l [15 Jan 2015]
*) Build fixes for the Windows and OpenVMS platforms
[Matt Caswell and Richard Levitte]
Changes between 1.0.1j and 1.0.1k [8 Jan 2015]
*) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
message can cause a segmentation fault in OpenSSL due to a NULL pointer
dereference. This could lead to a Denial Of Service attack. Thanks to
Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
(CVE-2014-3571)
[Steve Henson]
*) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
dtls1_buffer_record function under certain conditions. In particular this
could occur if an attacker sent repeated DTLS records with the same
sequence number but for the next epoch. The memory leak could be exploited
by an attacker in a Denial of Service attack through memory exhaustion.
Thanks to Chris Mueller for reporting this issue.
(CVE-2015-0206)
[Matt Caswell]
*) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
method would be set to NULL which could later result in a NULL pointer
dereference. Thanks to Frank Schmirler for reporting this issue.
(CVE-2014-3569)
[Kurt Roeckx]
*) Abort handshake if server key exchange message is omitted for ephemeral
ECDH ciphersuites.
Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
reporting this issue.
(CVE-2014-3572)
[Steve Henson]
*) Remove non-export ephemeral RSA code on client and server. This code
violated the TLS standard by allowing the use of temporary RSA keys in
non-export ciphersuites and could be used by a server to effectively
downgrade the RSA key length used to a value smaller than the server
certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
INRIA or reporting this issue.
(CVE-2015-0204)
[Steve Henson]
*) Fixed issue where DH client certificates are accepted without verification.
An OpenSSL server will accept a DH certificate for client authentication
without the certificate verify message. This effectively allows a client to
authenticate without the use of a private key. This only affects servers
which trust a client certificate authority which issues certificates
containing DH keys: these are extremely rare and hardly ever encountered.
Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
this issue.
(CVE-2015-0205)
[Steve Henson]
*) Ensure that the session ID context of an SSL is updated when its
SSL_CTX is updated via SSL_set_SSL_CTX.
The session ID context is typically set from the parent SSL_CTX,
and can vary with the CTX.
[Adam Langley]
*) Fix various certificate fingerprint issues.
By using non-DER or invalid encodings outside the signed portion of a
certificate the fingerprint can be changed without breaking the signature.
Although no details of the signed portion of the certificate can be changed
this can cause problems with some applications: e.g. those using the
certificate fingerprint for blacklists.
1. Reject signatures with non zero unused bits.
If the BIT STRING containing the signature has non zero unused bits reject
the signature. All current signature algorithms require zero unused bits.
2. Check certificate algorithm consistency.
Check the AlgorithmIdentifier inside TBS matches the one in the
certificate signature. NB: this will result in signature failure
errors for some broken certificates.
Thanks to Konrad Kraszewski from Google for reporting this issue.
3. Check DSA/ECDSA signatures use DER.
Re-encode DSA/ECDSA signatures and compare with the original received
signature. Return an error if there is a mismatch.
This will reject various cases including garbage after signature
(thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
(negative or with leading zeroes).
Further analysis was conducted and fixes were developed by Stephen Henson
of the OpenSSL core team.
(CVE-2014-8275)
[Steve Henson]
*) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
results on some platforms, including x86_64. This bug occurs at random
with a very low probability, and is not known to be exploitable in any
way, though its exact impact is difficult to determine. Thanks to Pieter
Wuille (Blockstream) who reported this issue and also suggested an initial
fix. Further analysis was conducted by the OpenSSL development team and
Adam Langley of Google. The final fix was developed by Andy Polyakov of
the OpenSSL core team.
(CVE-2014-3570)
[Andy Polyakov]
*) Do not resume sessions on the server if the negotiated protocol
version does not match the session's version. Resuming with a different
version, while not strictly forbidden by the RFC, is of questionable
sanity and breaks all known clients.
[David Benjamin, Emilia Käsper]
*) Tighten handling of the ChangeCipherSpec (CCS) message: reject
early CCS messages during renegotiation. (Note that because
renegotiation is encrypted, this early CCS was not exploitable.)
[Emilia Käsper]
*) Tighten client-side session ticket handling during renegotiation:
ensure that the client only accepts a session ticket if the server sends
the extension anew in the ServerHello. Previously, a TLS client would
reuse the old extension state and thus accept a session ticket if one was
announced in the initial ServerHello.
Similarly, ensure that the client requires a session ticket if one
was advertised in the ServerHello. Previously, a TLS client would
ignore a missing NewSessionTicket message.
[Emilia Käsper]
Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
*) SRTP Memory Leak.
A flaw in the DTLS SRTP extension parsing code allows an attacker, who
sends a carefully crafted handshake message, to cause OpenSSL to fail
to free up to 64k of memory causing a memory leak. This could be
exploited in a Denial Of Service attack. This issue affects OpenSSL
1.0.1 server implementations for both SSL/TLS and DTLS regardless of
whether SRTP is used or configured. Implementations of OpenSSL that
have been compiled with OPENSSL_NO_SRTP defined are not affected.
The fix was developed by the OpenSSL team.
(CVE-2014-3513)
[OpenSSL team]
*) Session Ticket Memory Leak.
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service
attack.
(CVE-2014-3567)
[Steve Henson]
*) Build option no-ssl3 is incomplete.
When OpenSSL is configured with "no-ssl3" as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.
(CVE-2014-3568)
[Akamai and the OpenSSL team]
*) Add support for TLS_FALLBACK_SCSV.
Client applications doing fallback retries should call
SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
(CVE-2014-3566)
[Adam Langley, Bodo Moeller]
*) Add additional DigestInfo checks.
Re-encode DigestInto in DER and check against the original when
verifying RSA signature: this will reject any improperly encoded
DigestInfo structures.
Note: this is a precautionary measure and no attacks are currently known.
[Steve Henson]
Changes between 1.0.1h and 1.0.1i [6 Aug 2014]
*) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
SRP code can be overrun an internal buffer. Add sanity check that
g, A, B < N to SRP code.
Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
Group for discovering this issue.
(CVE-2014-3512)
[Steve Henson]
*) A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
TLS 1.0 instead of higher protocol versions when the ClientHello message
is badly fragmented. This allows a man-in-the-middle attacker to force a
downgrade to TLS 1.0 even if both the server and the client support a
higher protocol version, by modifying the client's TLS records.
Thanks to David Benjamin and Adam Langley (Google) for discovering and
researching this issue.
(CVE-2014-3511)
[David Benjamin]
*) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
to a denial of service attack. A malicious server can crash the client
with a null pointer dereference (read) by specifying an anonymous (EC)DH
ciphersuite and sending carefully crafted handshake messages.
Thanks to Felix Gröbert (Google) for discovering and researching this
issue.
(CVE-2014-3510)
[Emilia Käsper]
*) By sending carefully crafted DTLS packets an attacker could cause openssl
to leak memory. This can be exploited through a Denial of Service attack.
Thanks to Adam Langley for discovering and researching this issue.
(CVE-2014-3507)
[Adam Langley]
*) An attacker can force openssl to consume large amounts of memory whilst
processing DTLS handshake messages. This can be exploited through a
Denial of Service attack.
Thanks to Adam Langley for discovering and researching this issue.
(CVE-2014-3506)
[Adam Langley]
*) An attacker can force an error condition which causes openssl to crash
whilst processing DTLS packets due to memory being freed twice. This
can be exploited through a Denial of Service attack.
Thanks to Adam Langley and Wan-Teh Chang for discovering and researching
this issue.
(CVE-2014-3505)
[Adam Langley]
*) If a multithreaded client connects to a malicious server using a resumed
session and the server sends an ec point format extension it could write
up to 255 bytes to freed memory.
Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this
issue.
(CVE-2014-3509)
[Gabor Tyukasz]
*) A malicious server can crash an OpenSSL client with a null pointer
dereference (read) by specifying an SRP ciphersuite even though it was not
properly negotiated with the client. This can be exploited through a
Denial of Service attack.
Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
discovering and researching this issue.
(CVE-2014-5139)
[Steve Henson]
*) A flaw in OBJ_obj2txt may cause pretty printing functions such as
X509_name_oneline, X509_name_print_ex et al. to leak some information
from the stack. Applications may be affected if they echo pretty printing
output to the attacker.
Thanks to Ivan Fratric (Google) for discovering this issue.
(CVE-2014-3508)
[Emilia Käsper, and Steve Henson]
*) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
for corner cases. (Certain input points at infinity could lead to
bogus results, with non-infinity inputs mapped to infinity too.)
[Bodo Moeller]
Changes between 1.0.1g and 1.0.1h [5 Jun 2014]
*) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
handshake can force the use of weak keying material in OpenSSL
SSL/TLS clients and servers.
Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
researching this issue. (CVE-2014-0224)
[KIKUCHI Masashi, Steve Henson]
*) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
OpenSSL DTLS client the code can be made to recurse eventually crashing
in a DoS attack.
Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
(CVE-2014-0221)
[Imre Rad, Steve Henson]
*) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
client or server. This is potentially exploitable to run arbitrary
code on a vulnerable client or server.
Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
[Jüri Aedla, Steve Henson]
*) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
are subject to a denial of service attack.
Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
this issue. (CVE-2014-3470)
[Felix Gröbert, Ivan Fratric, Steve Henson]
*) Harmonize version and its documentation. -f flag is used to display
compilation flags.
[mancha <mancha1@zoho.com>]
*) Fix eckey_priv_encode so it immediately returns an error upon a failure
in i2d_ECPrivateKey.
[mancha <mancha1@zoho.com>]
*) Fix some double frees. These are not thought to be exploitable.
[mancha <mancha1@zoho.com>]
Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
*) A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.
Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix (CVE-2014-0160)
[Adam Langley, Bodo Moeller]
*) Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140
Thanks to Yuval Yarom and Naomi Benger for discovering this
flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
[Yuval Yarom and Naomi Benger]
*) TLS pad extension: draft-agl-tls-padding-03
Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
TLS client Hello record length value would otherwise be > 255 and
less that 512 pad with a dummy extension containing zeroes so it
is at least 512 bytes long.
[Adam Langley, Steve Henson]
Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
*) Fix for TLS record tampering bug. A carefully crafted invalid
handshake could crash OpenSSL with a NULL pointer exception.
Thanks to Anton Johansson for reporting this issues.
(CVE-2013-4353)
*) Keep original DTLS digest and encryption contexts in retransmission
structures so we can use the previous session parameters if they need
to be resent. (CVE-2013-6450)
[Steve Henson]
*) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which
avoids preferring ECDHE-ECDSA ciphers when the client appears to be
Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for
several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug
is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing
10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer.
[Rob Stradling, Adam Langley]
Changes between 1.0.1d and 1.0.1e [11 Feb 2013]
*) Correct fix for CVE-2013-0169. The original didn't work on AES-NI
supporting platforms or when small records were transferred.
[Andy Polyakov, Steve Henson]
Changes between 1.0.1c and 1.0.1d [5 Feb 2013]
*) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
This addresses the flaw in CBC record processing discovered by
Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
at: http://www.isg.rhul.ac.uk/tls/
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
Security Group at Royal Holloway, University of London
(www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
Emilia Käsper for the initial patch.
(CVE-2013-0169)
[Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
*) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
ciphersuites which can be exploited in a denial of service attack.
Thanks go to and to Adam Langley <agl@chromium.org> for discovering
and detecting this bug and to Wolfgang Ettlinger
<wolfgang.ettlinger@gmail.com> for independently discovering this issue.
(CVE-2012-2686)
[Adam Langley]
*) Return an error when checking OCSP signatures when key is NULL.
This fixes a DoS attack. (CVE-2013-0166)
[Steve Henson]
*) Make openssl verify return errors.
[Chris Palmer <palmer@google.com> and Ben Laurie]
*) Call OCSP Stapling callback after ciphersuite has been chosen, so
the right response is stapled. Also change SSL_get_certificate()
so it returns the certificate actually sent.
See http://rt.openssl.org/Ticket/Display.html?id=2836.
[Rob Stradling <rob.stradling@comodo.com>]
*) Fix possible deadlock when decoding public keys.
[Steve Henson]
*) Don't use TLS 1.0 record version number in initial client hello
if renegotiating.
[Steve Henson]
Changes between 1.0.1b and 1.0.1c [10 May 2012]
*) Sanity check record length before skipping explicit IV in TLS
1.2, 1.1 and DTLS to fix DoS attack.
Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
fuzzing as a service testing platform.
(CVE-2012-2333)
[Steve Henson]
*) Initialise tkeylen properly when encrypting CMS messages.
Thanks to Solar Designer of Openwall for reporting this issue.
[Steve Henson]
*) In FIPS mode don't try to use composite ciphers as they are not
approved.
[Steve Henson]
Changes between 1.0.1a and 1.0.1b [26 Apr 2012]
*) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
mean any application compiled against OpenSSL 1.0.0 headers setting
SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disabling
TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
0x10000000L Any application which was previously compiled against
OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
will need to be recompiled as a result. Letting be results in
inability to disable specifically TLS 1.1 and in client context,
in unlike event, limit maximum offered version to TLS 1.0 [see below].
[Steve Henson]
*) In order to ensure interoperability SSL_OP_NO_protocolX does not
disable just protocol X, but all protocols above X *if* there are
protocols *below* X still enabled. In more practical terms it means
that if application wants to disable TLS1.0 in favor of TLS1.1 and
above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass
SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to
client side.
[Andy Polyakov]
Changes between 1.0.1 and 1.0.1a [19 Apr 2012]
*) Check for potentially exploitable overflows in asn1_d2i_read_bio
BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
in CRYPTO_realloc_clean.
Thanks to Tavis Ormandy, Google Security Team, for discovering this
issue and to Adam Langley <agl@chromium.org> for fixing it.
(CVE-2012-2110)
[Adam Langley (Google), Tavis Ormandy, Google Security Team]
*) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
[Adam Langley]
*) Workarounds for some broken servers that "hang" if a client hello
record length exceeds 255 bytes.
1. Do not use record version number > TLS 1.0 in initial client
hello: some (but not all) hanging servers will now work.
2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
the number of ciphers sent in the client hello. This should be
set to an even number, such as 50, for example by passing:
-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
Most broken servers should now work.
3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
TLS 1.2 client support entirely.
[Steve Henson]
*) Fix SEGV in Vector Permutation AES module observed in OpenSSH.
[Andy Polyakov]
Changes between 1.0.0h and 1.0.1 [14 Mar 2012]
*) Add compatibility with old MDC2 signatures which use an ASN1 OCTET
STRING form instead of a DigestInfo.
[Steve Henson]
*) The format used for MDC2 RSA signatures is inconsistent between EVP
and the RSA_sign/RSA_verify functions. This was made more apparent when
OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular
those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect
the correct format in RSA_verify so both forms transparently work.
[Steve Henson]
*) Some servers which support TLS 1.0 can choke if we initially indicate
support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
encrypted premaster secret. As a workaround use the maximum permitted
client version in client hello, this should keep such servers happy
and still work with previous versions of OpenSSL.
[Steve Henson]
*) Add support for TLS/DTLS heartbeats.
[Robin Seggelmann <seggelmann@fh-muenster.de>]
*) Add support for SCTP.
[Robin Seggelmann <seggelmann@fh-muenster.de>]
*) Improved PRNG seeding for VOS.
[Paul Green <Paul.Green@stratus.com>]
*) Extensive assembler packs updates, most notably:
- x86[_64]: AES-NI, PCLMULQDQ, RDRAND support;
- x86[_64]: SSSE3 support (SHA1, vector-permutation AES);
- x86_64: bit-sliced AES implementation;
- ARM: NEON support, contemporary platforms optimizations;
- s390x: z196 support;
- *: GHASH and GF(2^m) multiplication implementations;
[Andy Polyakov]
*) Make TLS-SRP code conformant with RFC 5054 API cleanup
(removal of unnecessary code)
[Peter Sylvester <peter.sylvester@edelweb.fr>]
*) Add TLS key material exporter from RFC 5705.
[Eric Rescorla]
*) Add DTLS-SRTP negotiation from RFC 5764.
[Eric Rescorla]
*) Add Next Protocol Negotiation,
http://tools.ietf.org/html/draft-agl-tls-nextprotoneg-00. Can be
disabled with a no-npn flag to config or Configure. Code donated
by Google.
[Adam Langley <agl@google.com> and Ben Laurie]
*) Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
NIST-P256, NIST-P521, with constant-time single point multiplication on
typical inputs. Compiler support for the nonstandard type __uint128_t is
required to use this (present in gcc 4.4 and later, for 64-bit builds).
Code made available under Apache License version 2.0.
Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
line to include this in your build of OpenSSL, and run "make depend" (or
"make update"). This enables the following EC_METHODs:
EC_GFp_nistp224_method()
EC_GFp_nistp256_method()
EC_GFp_nistp521_method()
EC_GROUP_new_by_curve_name() will automatically use these (while
EC_GROUP_new_curve_GFp() currently prefers the more flexible
implementations).
[Emilia Käsper, Adam Langley, Bodo Moeller (Google)]
*) Use type ossl_ssize_t instead of ssize_t which isn't available on
all platforms. Move ssize_t definition from e_os.h to the public
header file e_os2.h as it now appears in public header file cms.h
[Steve Henson]
*) New -sigopt option to the ca, req and x509 utilities. Additional
signature parameters can be passed using this option and in
particular PSS.
[Steve Henson]
*) Add RSA PSS signing function. This will generate and set the
appropriate AlgorithmIdentifiers for PSS based on those in the
corresponding EVP_MD_CTX structure. No application support yet.
[Steve Henson]
*) Support for companion algorithm specific ASN1 signing routines.
New function ASN1_item_sign_ctx() signs a pre-initialised
EVP_MD_CTX structure and sets AlgorithmIdentifiers based on
the appropriate parameters.
[Steve Henson]
*) Add new algorithm specific ASN1 verification initialisation function
to EVP_PKEY_ASN1_METHOD: this is not in EVP_PKEY_METHOD since the ASN1
handling will be the same no matter what EVP_PKEY_METHOD is used.
Add a PSS handler to support verification of PSS signatures: checked
against a number of sample certificates.
[Steve Henson]
*) Add signature printing for PSS. Add PSS OIDs.
[Steve Henson, Martin Kaiser <lists@kaiser.cx>]
*) Add algorithm specific signature printing. An individual ASN1 method
can now print out signatures instead of the standard hex dump.
More complex signatures (e.g. PSS) can print out more meaningful
information. Include DSA version that prints out the signature
parameters r, s.
[Steve Henson]
*) Password based recipient info support for CMS library: implementing
RFC3211.
[Steve Henson]
*) Split password based encryption into PBES2 and PBKDF2 functions. This
neatly separates the code into cipher and PBE sections and is required
for some algorithms that split PBES2 into separate pieces (such as
password based CMS).
[Steve Henson]
*) Session-handling fixes:
- Fix handling of connections that are resuming with a session ID,
but also support Session Tickets.
- Fix a bug that suppressed issuing of a new ticket if the client
presented a ticket with an expired session.
- Try to set the ticket lifetime hint to something reasonable.
- Make tickets shorter by excluding irrelevant information.
- On the client side, don't ignore renewed tickets.
[Adam Langley, Bodo Moeller (Google)]
*) Fix PSK session representation.
[Bodo Moeller]
*) Add RC4-MD5 and AESNI-SHA1 "stitched" implementations.
This work was sponsored by Intel.
[Andy Polyakov]
*) Add GCM support to TLS library. Some custom code is needed to split
the IV between the fixed (from PRF) and explicit (from TLS record)
portions. This adds all GCM ciphersuites supported by RFC5288 and
RFC5289. Generalise some AES* cipherstrings to include GCM and
add a special AESGCM string for GCM only.
[Steve Henson]
*) Expand range of ctrls for AES GCM. Permit setting invocation
field on decrypt and retrieval of invocation field only on encrypt.
[Steve Henson]
*) Add HMAC ECC ciphersuites from RFC5289. Include SHA384 PRF support.
As required by RFC5289 these ciphersuites cannot be used if for
versions of TLS earlier than 1.2.
[Steve Henson]
*) For FIPS capable OpenSSL interpret a NULL default public key method
as unset and return the appropriate default but do *not* set the default.
This means we can return the appropriate method in applications that
switch between FIPS and non-FIPS modes.
[Steve Henson]
*) Redirect HMAC and CMAC operations to FIPS module in FIPS mode. If an
ENGINE is used then we cannot handle that in the FIPS module so we
keep original code iff non-FIPS operations are allowed.
[Steve Henson]
*) Add -attime option to openssl utilities.
[Peter Eckersley <pde@eff.org>, Ben Laurie and Steve Henson]
*) Redirect DSA and DH operations to FIPS module in FIPS mode.
[Steve Henson]
*) Redirect ECDSA and ECDH operations to FIPS module in FIPS mode. Also use
FIPS EC methods unconditionally for now.
[Steve Henson]
*) New build option no-ec2m to disable characteristic 2 code.
[Steve Henson]
*) Backport libcrypto audit of return value checking from 1.1.0-dev; not
all cases can be covered as some introduce binary incompatibilities.
[Steve Henson]
*) Redirect RSA operations to FIPS module including keygen,
encrypt, decrypt, sign and verify. Block use of non FIPS RSA methods.
[Steve Henson]
*) Add similar low level API blocking to ciphers.
[Steve Henson]
*) Low level digest APIs are not approved in FIPS mode: any attempt
to use these will cause a fatal error. Applications that *really* want
to use them can use the private_* version instead.
[Steve Henson]
*) Redirect cipher operations to FIPS module for FIPS builds.
[Steve Henson]
*) Redirect digest operations to FIPS module for FIPS builds.
[Steve Henson]
*) Update build system to add "fips" flag which will link in fipscanister.o
for static and shared library builds embedding a signature if needed.
[Steve Henson]
*) Output TLS supported curves in preference order instead of numerical
order. This is currently hardcoded for the highest order curves first.
This should be configurable so applications can judge speed vs strength.
[Steve Henson]
*) Add TLS v1.2 server support for client authentication.
[Steve Henson]
*) Add support for FIPS mode in ssl library: disable SSLv3, non-FIPS ciphers
and enable MD5.
[Steve Henson]
*) Functions FIPS_mode_set() and FIPS_mode() which call the underlying
FIPS modules versions.
[Steve Henson]
*) Add TLS v1.2 client side support for client authentication. Keep cache
of handshake records longer as we don't know the hash algorithm to use
until after the certificate request message is received.
[Steve Henson]
*) Initial TLS v1.2 client support. Add a default signature algorithms
extension including all the algorithms we support. Parse new signature
format in client key exchange. Relax some ECC signing restrictions for
TLS v1.2 as indicated in RFC5246.
[Steve Henson]
*) Add server support for TLS v1.2 signature algorithms extension. Switch
to new signature format when needed using client digest preference.
All server ciphersuites should now work correctly in TLS v1.2. No client
support yet and no support for client certificates.
[Steve Henson]
*) Initial TLS v1.2 support. Add new SHA256 digest to ssl code, switch
to SHA256 for PRF when using TLS v1.2 and later. Add new SHA256 based
ciphersuites. At present only RSA key exchange ciphersuites work with
TLS v1.2. Add new option for TLS v1.2 replacing the old and obsolete
SSL_OP_PKCS1_CHECK flags with SSL_OP_NO_TLSv1_2. New TLSv1.2 methods
and version checking.
[Steve Henson]
*) New option OPENSSL_NO_SSL_INTERN. If an application can be compiled
with this defined it will not be affected by any changes to ssl internal
structures. Add several utility functions to allow openssl application
to work with OPENSSL_NO_SSL_INTERN defined.
[Steve Henson]
*) A long standing patch to add support for SRP from EdelWeb (Peter
Sylvester and Christophe Renou) was integrated.
[Christophe Renou <christophe.renou@edelweb.fr>, Peter Sylvester
<peter.sylvester@edelweb.fr>, Tom Wu <tjw@cs.stanford.edu>, and
Ben Laurie]
*) Add functions to copy EVP_PKEY_METHOD and retrieve flags and id.
[Steve Henson]
*) Permit abbreviated handshakes when renegotiating using the function
SSL_renegotiate_abbreviated().
[Robin Seggelmann <seggelmann@fh-muenster.de>]
*) Add call to ENGINE_register_all_complete() to
ENGINE_load_builtin_engines(), so some implementations get used
automatically instead of needing explicit application support.
[Steve Henson]
*) Add support for TLS key exporter as described in RFC5705.
[Robin Seggelmann <seggelmann@fh-muenster.de>, Steve Henson]
*) Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only
a few changes are required:
Add SSL_OP_NO_TLSv1_1 flag.
Add TLSv1_1 methods.
Update version checking logic to handle version 1.1.
Add explicit IV handling (ported from DTLS code).
Add command line options to s_client/s_server.
[Steve Henson]
Changes between 1.0.0g and 1.0.0h [12 Mar 2012]
*) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
in CMS and PKCS7 code. When RSA decryption fails use a random key for
content decryption and always return the same error. Note: this attack
needs on average 2^20 messages so it only affects automated senders. The
old behaviour can be re-enabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
an MMA defence is not necessary.
Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
this issue. (CVE-2012-0884)
[Steve Henson]
*) Fix CVE-2011-4619: make sure we really are receiving a
client hello before rejecting multiple SGC restarts. Thanks to
Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
[Steve Henson]
Changes between 1.0.0f and 1.0.0g [18 Jan 2012]
*) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
Thanks to Antonio Martin, Enterprise Secure Access Research and
Development, Cisco Systems, Inc. for discovering this bug and
preparing a fix. (CVE-2012-0050)
[Antonio Martin]
Changes between 1.0.0e and 1.0.0f [4 Jan 2012]
*) Nadhem Alfardan and Kenny Paterson have discovered an extension
of the Vaudenay padding oracle attack on CBC mode encryption
which enables an efficient plaintext recovery attack against
the OpenSSL implementation of DTLS. Their attack exploits timing
differences arising during decryption processing. A research
paper describing this attack can be found at:
http://www.isg.rhul.ac.uk/~kp/dtls.pdf
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
Security Group at Royal Holloway, University of London
(www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
<seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
for preparing the fix. (CVE-2011-4108)
[Robin Seggelmann, Michael Tuexen]
*) Clear bytes used for block padding of SSL 3.0 records.
(CVE-2011-4576)
[Adam Langley (Google)]
*) Only allow one SGC handshake restart for SSL/TLS. Thanks to George
Kadianakis <desnacked@gmail.com> for discovering this issue and
Adam Langley for preparing the fix. (CVE-2011-4619)
[Adam Langley (Google)]
*) Check parameters are not NULL in GOST ENGINE. (CVE-2012-0027)
[Andrey Kulikov <amdeich@gmail.com>]
*) Prevent malformed RFC3779 data triggering an assertion failure.
Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577)
[Rob Austein <sra@hactrn.net>]
*) Improved PRNG seeding for VOS.
[Paul Green <Paul.Green@stratus.com>]
*) Fix ssl_ciph.c set-up race.
[Adam Langley (Google)]
*) Fix spurious failures in ecdsatest.c.
[Emilia Käsper (Google)]
*) Fix the BIO_f_buffer() implementation (which was mixing different
interpretations of the '..._len' fields).
[Adam Langley (Google)]
*) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
threads won't reuse the same blinding coefficients.
This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
lock to call BN_BLINDING_invert_ex, and avoids one use of
BN_BLINDING_update for each BN_BLINDING structure (previously,
the last update always remained unused).
[Emilia Käsper (Google)]
*) In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
[Bob Buckholz (Google)]
Changes between 1.0.0d and 1.0.0e [6 Sep 2011]
*) Fix bug where CRLs with nextUpdate in the past are sometimes accepted
by initialising X509_STORE_CTX properly. (CVE-2011-3207)
[Kaspar Brand <ossl@velox.ch>]
*) Fix SSL memory handling for (EC)DH ciphersuites, in particular
for multi-threaded use of ECDH. (CVE-2011-3210)
[Adam Langley (Google)]
*) Fix x509_name_ex_d2i memory leak on bad inputs.
[Bodo Moeller]
*) Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check
signature public key algorithm by using OID xref utilities instead.
Before this you could only use some ECC ciphersuites with SHA1 only.
[Steve Henson]
*) Add protection against ECDSA timing attacks as mentioned in the paper
by Billy Bob Brumley and Nicola Tuveri, see:
http://eprint.iacr.org/2011/232.pdf
[Billy Bob Brumley and Nicola Tuveri]
Changes between 1.0.0c and 1.0.0d [8 Feb 2011]
*) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
[Neel Mehta, Adam Langley, Bodo Moeller (Google)]
*) Fix bug in string printing code: if *any* escaping is enabled we must
escape the escape character (backslash) or the resulting string is
ambiguous.
[Steve Henson]
Changes between 1.0.0b and 1.0.0c [2 Dec 2010]
*) Disable code workaround for ancient and obsolete Netscape browsers
and servers: an attacker can use it in a ciphersuite downgrade attack.
Thanks to Martin Rex for discovering this bug. CVE-2010-4180
[Steve Henson]
*) Fixed J-PAKE implementation error, originally discovered by
Sebastien Martini, further info and confirmation from Stefan
Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
[Ben Laurie]
Changes between 1.0.0a and 1.0.0b [16 Nov 2010]
*) Fix extension code to avoid race conditions which can result in a buffer
overrun vulnerability: resumed sessions must not be modified as they can
be shared by multiple threads. CVE-2010-3864
[Steve Henson]
*) Fix WIN32 build system to correctly link an ENGINE directory into
a DLL.
[Steve Henson]
Changes between 1.0.0 and 1.0.0a [01 Jun 2010]
*) Check return value of int_rsa_verify in pkey_rsa_verifyrecover
(CVE-2010-1633)
[Steve Henson, Peter-Michael Hager <hager@dortmund.net>]
Changes between 0.9.8n and 1.0.0 [29 Mar 2010]
*) Add "missing" function EVP_CIPHER_CTX_copy(). This copies a cipher
context. The operation can be customised via the ctrl mechanism in
case ENGINEs want to include additional functionality.
[Steve Henson]
*) Tolerate yet another broken PKCS#8 key format: private key value negative.
[Steve Henson]
*) Add new -subject_hash_old and -issuer_hash_old options to x509 utility to
output hashes compatible with older versions of OpenSSL.
[Willy Weisz <weisz@vcpc.univie.ac.at>]
*) Fix compression algorithm handling: if resuming a session use the
compression algorithm of the resumed session instead of determining
it from client hello again. Don't allow server to change algorithm.
[Steve Henson]
*) Add load_crls() function to apps tidying load_certs() too. Add option
to verify utility to allow additional CRLs to be included.
[Steve Henson]
*) Update OCSP request code to permit adding custom headers to the request:
some responders need this.
[Steve Henson]
*) The function EVP_PKEY_sign() returns <=0 on error: check return code
correctly.
[Julia Lawall <julia@diku.dk>]
*) Update verify callback code in apps/s_cb.c and apps/verify.c, it
needlessly dereferenced structures, used obsolete functions and
didn't handle all updated verify codes correctly.
[Steve Henson]
*) Disable MD2 in the default configuration.
[Steve Henson]
*) In BIO_pop() and BIO_push() use the ctrl argument (which was NULL) to
indicate the initial BIO being pushed or popped. This makes it possible
to determine whether the BIO is the one explicitly called or as a result
of the ctrl being passed down the chain. Fix BIO_pop() and SSL BIOs so
it handles reference counts correctly and doesn't zero out the I/O bio
when it is not being explicitly popped. WARNING: applications which
included workarounds for the old buggy behaviour will need to be modified
or they could free up already freed BIOs.
[Steve Henson]
*) Extend the uni2asc/asc2uni => OPENSSL_uni2asc/OPENSSL_asc2uni
renaming to all platforms (within the 0.9.8 branch, this was
done conditionally on Netware platforms to avoid a name clash).
[Guenter <lists@gknw.net>]
*) Add ECDHE and PSK support to DTLS.
[Michael Tuexen <tuexen@fh-muenster.de>]
*) Add CHECKED_STACK_OF macro to safestack.h, otherwise safestack can't
be used on C++.
[Steve Henson]
*) Add "missing" function EVP_MD_flags() (without this the only way to
retrieve a digest flags is by accessing the structure directly. Update
EVP_MD_do_all*() and EVP_CIPHER_do_all*() to include the name a digest
or cipher is registered as in the "from" argument. Print out all
registered digests in the dgst usage message instead of manually
attempting to work them out.
[Steve Henson]
*) If no SSLv2 ciphers are used don't use an SSLv2 compatible client hello:
this allows the use of compression and extensions. Change default cipher
string to remove SSLv2 ciphersuites. This effectively avoids ancient SSLv2
by default unless an application cipher string requests it.
[Steve Henson]
*) Alter match criteria in PKCS12_parse(). It used to try to use local
key ids to find matching certificates and keys but some PKCS#12 files
don't follow the (somewhat unwritten) rules and this strategy fails.
Now just gather all certificates together and the first private key
then look for the first certificate that matches the key.
[Steve Henson]
*) Support use of registered digest and cipher names for dgst and cipher
commands instead of having to add each one as a special case. So now
you can do:
openssl sha256 foo
as well as:
openssl dgst -sha256 foo
and this works for ENGINE based algorithms too.
[Steve Henson]
*) Update Gost ENGINE to support parameter files.
[Victor B. Wagner <vitus@cryptocom.ru>]
*) Support GeneralizedTime in ca utility.
[Oliver Martin <oliver@volatilevoid.net>, Steve Henson]
*) Enhance the hash format used for certificate directory links. The new
form uses the canonical encoding (meaning equivalent names will work
even if they aren't identical) and uses SHA1 instead of MD5. This form
is incompatible with the older format and as a result c_rehash should
be used to rebuild symbolic links.
[Steve Henson]
*) Make PKCS#8 the default write format for private keys, replacing the
traditional format. This form is standardised, more secure and doesn't
include an implicit MD5 dependency.
[Steve Henson]
*) Add a $gcc_devteam_warn option to Configure. The idea is that any code
committed to OpenSSL should pass this lot as a minimum.
[Steve Henson]
*) Add session ticket override functionality for use by EAP-FAST.
[Jouni Malinen <j@w1.fi>]
*) Modify HMAC functions to return a value. Since these can be implemented
in an ENGINE errors can occur.
[Steve Henson]
*) Type-checked OBJ_bsearch_ex.
[Ben Laurie]
*) Type-checked OBJ_bsearch. Also some constification necessitated
by type-checking. Still to come: TXT_DB, bsearch(?),
OBJ_bsearch_ex, qsort, CRYPTO_EX_DATA, ASN1_VALUE, ASN1_STRING,
CONF_VALUE.
[Ben Laurie]
*) New function OPENSSL_gmtime_adj() to add a specific number of days and
seconds to a tm structure directly, instead of going through OS
specific date routines. This avoids any issues with OS routines such
as the year 2038 bug. New *_adj() functions for ASN1 time structures
and X509_time_adj_ex() to cover the extended range. The existing
X509_time_adj() is still usable and will no longer have any date issues.
[Steve Henson]
*) Delta CRL support. New use deltas option which will attempt to locate
and search any appropriate delta CRLs available.
This work was sponsored by Google.
[Steve Henson]
*) Support for CRLs partitioned by reason code. Reorganise CRL processing
code and add additional score elements. Validate alternate CRL paths
as part of the CRL checking and indicate a new error "CRL path validation
error" in this case. Applications wanting additional details can use
the verify callback and check the new "parent" field. If this is not
NULL CRL path validation is taking place. Existing applications won't
see this because it requires extended CRL support which is off by
default.
This work was sponsored by Google.
[Steve Henson]
*) Support for freshest CRL extension.
This work was sponsored by Google.
[Steve Henson]
*) Initial indirect CRL support. Currently only supported in the CRLs
passed directly and not via lookup. Process certificate issuer
CRL entry extension and lookup CRL entries by bother issuer name
and serial number. Check and process CRL issuer entry in IDP extension.
This work was sponsored by Google.
[Steve Henson]
*) Add support for distinct certificate and CRL paths. The CRL issuer
certificate is validated separately in this case. Only enabled if
an extended CRL support flag is set: this flag will enable additional
CRL functionality in future.
This work was sponsored by Google.
[Steve Henson]
*) Add support for policy mappings extension.
This work was sponsored by Google.
[Steve Henson]
*) Fixes to pathlength constraint, self issued certificate handling,
policy processing to align with RFC3280 and PKITS tests.
This work was sponsored by Google.
[Steve Henson]
*) Support for name constraints certificate extension. DN, email, DNS
and URI types are currently supported.
This work was sponsored by Google.
[Steve Henson]
*) To cater for systems that provide a pointer-based thread ID rather
than numeric, deprecate the current numeric thread ID mechanism and
replace it with a structure and associated callback type. This
mechanism allows a numeric "hash" to be extracted from a thread ID in
either case, and on platforms where pointers are larger than 'long',
mixing is done to help ensure the numeric 'hash' is usable even if it
can't be guaranteed unique. The default mechanism is to use "&errno"
as a pointer-based thread ID to distinguish between threads.
Applications that want to provide their own thread IDs should now use
CRYPTO_THREADID_set_callback() to register a callback that will call
either CRYPTO_THREADID_set_numeric() or CRYPTO_THREADID_set_pointer().
Note that ERR_remove_state() is now deprecated, because it is tied
to the assumption that thread IDs are numeric. ERR_remove_state(0)
to free the current thread's error state should be replaced by
ERR_remove_thread_state(NULL).
(This new approach replaces the functions CRYPTO_set_idptr_callback(),
CRYPTO_get_idptr_callback(), and CRYPTO_thread_idptr() that existed in
OpenSSL 0.9.9-dev between June 2006 and August 2008. Also, if an
application was previously providing a numeric thread callback that
was inappropriate for distinguishing threads, then uniqueness might
have been obtained with &errno that happened immediately in the
intermediate development versions of OpenSSL; this is no longer the
case, the numeric thread callback will now override the automatic use
of &errno.)
[Geoff Thorpe, with help from Bodo Moeller]
*) Initial support for different CRL issuing certificates. This covers a
simple case where the self issued certificates in the chain exist and
the real CRL issuer is higher in the existing chain.
This work was sponsored by Google.
[Steve Henson]
*) Removed effectively defunct crypto/store from the build.
[Ben Laurie]
*) Revamp of STACK to provide stronger type-checking. Still to come:
TXT_DB, bsearch(?), OBJ_bsearch, qsort, CRYPTO_EX_DATA, ASN1_VALUE,
ASN1_STRING, CONF_VALUE.
[Ben Laurie]
*) Add a new SSL_MODE_RELEASE_BUFFERS mode flag to release unused buffer
RAM on SSL connections. This option can save about 34k per idle SSL.
[Nick Mathewson]
*) Revamp of LHASH to provide stronger type-checking. Still to come:
STACK, TXT_DB, bsearch, qsort.
[Ben Laurie]
*) Initial support for Cryptographic Message Syntax (aka CMS) based
on RFC3850, RFC3851 and RFC3852. New cms directory and cms utility,
support for data, signedData, compressedData, digestedData and
encryptedData, envelopedData types included. Scripts to check against
RFC4134 examples draft and interop and consistency checks of many
content types and variants.
[Steve Henson]
*) Add options to enc utility to support use of zlib compression BIO.
[Steve Henson]
*) Extend mk1mf to support importing of options and assembly language
files from Configure script, currently only included in VC-WIN32.
The assembly language rules can now optionally generate the source
files from the associated perl scripts.
[Steve Henson]
*) Implement remaining functionality needed to support GOST ciphersuites.
Interop testing has been performed using CryptoPro implementations.
[Victor B. Wagner <vitus@cryptocom.ru>]
*) s390x assembler pack.
[Andy Polyakov]
*) ARMv4 assembler pack. ARMv4 refers to v4 and later ISA, not CPU
"family."
[Andy Polyakov]
*) Implement Opaque PRF Input TLS extension as specified in
draft-rescorla-tls-opaque-prf-input-00.txt. Since this is not an
official specification yet and no extension type assignment by
IANA exists, this extension (for now) will have to be explicitly
enabled when building OpenSSL by providing the extension number
to use. For example, specify an option
-DTLSEXT_TYPE_opaque_prf_input=0x9527
to the "config" or "Configure" script to enable the extension,
assuming extension number 0x9527 (which is a completely arbitrary
and unofficial assignment based on the MD5 hash of the Internet
Draft). Note that by doing so, you potentially lose
interoperability with other TLS implementations since these might
be using the same extension number for other purposes.
SSL_set_tlsext_opaque_prf_input(ssl, src, len) is used to set the
opaque PRF input value to use in the handshake. This will create
an internal copy of the length-'len' string at 'src', and will
return non-zero for success.
To get more control and flexibility, provide a callback function
by using
SSL_CTX_set_tlsext_opaque_prf_input_callback(ctx, cb)
SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(ctx, arg)
where
int (*cb)(SSL *, void *peerinput, size_t len, void *arg);
void *arg;
Callback function 'cb' will be called in handshakes, and is
expected to use SSL_set_tlsext_opaque_prf_input() as appropriate.
Argument 'arg' is for application purposes (the value as given to
SSL_CTX_set_tlsext_opaque_prf_input_callback_arg() will directly
be provided to the callback function). The callback function
has to return non-zero to report success: usually 1 to use opaque
PRF input just if possible, or 2 to enforce use of the opaque PRF
input. In the latter case, the library will abort the handshake
if opaque PRF input is not successfully negotiated.
Arguments 'peerinput' and 'len' given to the callback function
will always be NULL and 0 in the case of a client. A server will
see the client's opaque PRF input through these variables if
available (NULL and 0 otherwise). Note that if the server
provides an opaque PRF input, the length must be the same as the
length of the client's opaque PRF input.
Note that the callback function will only be called when creating
a new session (session resumption can resume whatever was
previously negotiated), and will not be called in SSL 2.0
handshakes; thus, SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) or
SSL_set_options(ssl, SSL_OP_NO_SSLv2) is especially recommended
for applications that need to enforce opaque PRF input.
[Bodo Moeller]
*) Update ssl code to support digests other than SHA1+MD5 for handshake
MAC.
[Victor B. Wagner <vitus@cryptocom.ru>]
*) Add RFC4507 support to OpenSSL. This includes the corrections in
RFC4507bis. The encrypted ticket format is an encrypted encoded
SSL_SESSION structure, that way new session features are automatically
supported.
If a client application caches session in an SSL_SESSION structure
support is transparent because tickets are now stored in the encoded
SSL_SESSION.
The SSL_CTX structure automatically generates keys for ticket
protection in servers so again support should be possible
with no application modification.
If a client or server wishes to disable RFC4507 support then the option
SSL_OP_NO_TICKET can be set.
Add a TLS extension debugging callback to allow the contents of any client
or server extensions to be examined.
This work was sponsored by Google.
[Steve Henson]
*) Final changes to avoid use of pointer pointer casts in OpenSSL.
OpenSSL should now compile cleanly on gcc 4.2
[Peter Hartley <pdh@utter.chaos.org.uk>, Steve Henson]
*) Update SSL library to use new EVP_PKEY MAC API. Include generic MAC
support including streaming MAC support: this is required for GOST
ciphersuite support.
[Victor B. Wagner <vitus@cryptocom.ru>, Steve Henson]
*) Add option -stream to use PKCS#7 streaming in smime utility. New
function i2d_PKCS7_bio_stream() and PEM_write_PKCS7_bio_stream()
to output in BER and PEM format.
[Steve Henson]
*) Experimental support for use of HMAC via EVP_PKEY interface. This
allows HMAC to be handled via the EVP_DigestSign*() interface. The
EVP_PKEY "key" in this case is the HMAC key, potentially allowing
ENGINE support for HMAC keys which are unextractable. New -mac and
-macopt options to dgst utility.
[Steve Henson]
*) New option -sigopt to dgst utility. Update dgst to use
EVP_Digest{Sign,Verify}*. These two changes make it possible to use
alternative signing parameters such as X9.31 or PSS in the dgst
utility.
[Steve Henson]
*) Change ssl_cipher_apply_rule(), the internal function that does
the work each time a ciphersuite string requests enabling
("foo+bar"), moving ("+foo+bar"), disabling ("-foo+bar", or
removing ("!foo+bar") a class of ciphersuites: Now it maintains
the order of disabled ciphersuites such that those ciphersuites
that most recently went from enabled to disabled not only stay
in order with respect to each other, but also have higher priority
than other disabled ciphersuites the next time ciphersuites are
enabled again.
This means that you can now say, e.g., "PSK:-PSK:HIGH" to enable
the same ciphersuites as with "HIGH" alone, but in a specific
order where the PSK ciphersuites come first (since they are the
most recently disabled ciphersuites when "HIGH" is parsed).
Also, change ssl_create_cipher_list() (using this new
functionality) such that between otherwise identical
ciphersuites, ephemeral ECDH is preferred over ephemeral DH in
the default order.
[Bodo Moeller]
*) Change ssl_create_cipher_list() so that it automatically
arranges the ciphersuites in reasonable order before starting
to process the rule string. Thus, the definition for "DEFAULT"
(SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but
remains equivalent to "AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH".
This makes it much easier to arrive at a reasonable default order
in applications for which anonymous ciphers are OK (meaning
that you can't actually use DEFAULT).
[Bodo Moeller; suggested by Victor Duchovni]
*) Split the SSL/TLS algorithm mask (as used for ciphersuite string
processing) into multiple integers instead of setting
"SSL_MKEY_MASK" bits, "SSL_AUTH_MASK" bits, "SSL_ENC_MASK",
"SSL_MAC_MASK", and "SSL_SSL_MASK" bits all in a single integer.
(These masks as well as the individual bit definitions are hidden
away into the non-exported interface ssl/ssl_locl.h, so this
change to the definition of the SSL_CIPHER structure shouldn't
affect applications.) This give us more bits for each of these
categories, so there is no longer a need to coagulate AES128 and
AES256 into a single algorithm bit, and to coagulate Camellia128
and Camellia256 into a single algorithm bit, which has led to all
kinds of kludges.
Thus, among other things, the kludge introduced in 0.9.7m and
0.9.8e for masking out AES256 independently of AES128 or masking
out Camellia256 independently of AES256 is not needed here in 0.9.9.
With the change, we also introduce new ciphersuite aliases that
so far were missing: "AES128", "AES256", "CAMELLIA128", and
"CAMELLIA256".
[Bodo Moeller]
*) Add support for dsa-with-SHA224 and dsa-with-SHA256.
Use the leftmost N bytes of the signature input if the input is
larger than the prime q (with N being the size in bytes of q).
[Nils Larsch]
*) Very *very* experimental PKCS#7 streaming encoder support. Nothing uses
it yet and it is largely untested.
[Steve Henson]
*) Add support for the ecdsa-with-SHA224/256/384/512 signature types.
[Nils Larsch]
*) Initial incomplete changes to avoid need for function casts in OpenSSL
some compilers (gcc 4.2 and later) reject their use. Safestack is
reimplemented. Update ASN1 to avoid use of legacy functions.
[Steve Henson]
*) Win32/64 targets are linked with Winsock2.
[Andy Polyakov]
*) Add an X509_CRL_METHOD structure to allow CRL processing to be redirected
to external functions. This can be used to increase CRL handling
efficiency especially when CRLs are very large by (for example) storing
the CRL revoked certificates in a database.
[Steve Henson]
*) Overhaul of by_dir code. Add support for dynamic loading of CRLs so
new CRLs added to a directory can be used. New command line option
-verify_return_error to s_client and s_server. This causes real errors
to be returned by the verify callback instead of carrying on no matter
what. This reflects the way a "real world" verify callback would behave.
[Steve Henson]
*) GOST engine, supporting several GOST algorithms and public key formats.
Kindly donated by Cryptocom.
[Cryptocom]
*) Partial support for Issuing Distribution Point CRL extension. CRLs
partitioned by DP are handled but no indirect CRL or reason partitioning
(yet). Complete overhaul of CRL handling: now the most suitable CRL is
selected via a scoring technique which handles IDP and AKID in CRLs.
[Steve Henson]
*) New X509_STORE_CTX callbacks lookup_crls() and lookup_certs() which
will ultimately be used for all verify operations: this will remove the
X509_STORE dependency on certificate verification and allow alternative
lookup methods. X509_STORE based implementations of these two callbacks.
[Steve Henson]
*) Allow multiple CRLs to exist in an X509_STORE with matching issuer names.
Modify get_crl() to find a valid (unexpired) CRL if possible.
[Steve Henson]
*) New function X509_CRL_match() to check if two CRLs are identical. Normally
this would be called X509_CRL_cmp() but that name is already used by
a function that just compares CRL issuer names. Cache several CRL
extensions in X509_CRL structure and cache CRLDP in X509.
[Steve Henson]
*) Store a "canonical" representation of X509_NAME structure (ASN1 Name)
this maps equivalent X509_NAME structures into a consistent structure.
Name comparison can then be performed rapidly using memcmp().
[Steve Henson]
*) Non-blocking OCSP request processing. Add -timeout option to ocsp
utility.
[Steve Henson]
*) Allow digests to supply their own micalg string for S/MIME type using
the ctrl EVP_MD_CTRL_MICALG.
[Steve Henson]
*) During PKCS7 signing pass the PKCS7 SignerInfo structure to the
EVP_PKEY_METHOD before and after signing via the EVP_PKEY_CTRL_PKCS7_SIGN
ctrl. It can then customise the structure before and/or after signing
if necessary.
[Steve Henson]
*) New function OBJ_add_sigid() to allow application defined signature OIDs
to be added to OpenSSLs internal tables. New function OBJ_sigid_free()
to free up any added signature OIDs.
[Steve Henson]
*) New functions EVP_CIPHER_do_all(), EVP_CIPHER_do_all_sorted(),
EVP_MD_do_all() and EVP_MD_do_all_sorted() to enumerate internal
digest and cipher tables. New options added to openssl utility:
list-message-digest-algorithms and list-cipher-algorithms.
[Steve Henson]
*) Change the array representation of binary polynomials: the list
of degrees of non-zero coefficients is now terminated with -1.
Previously it was terminated with 0, which was also part of the
value; thus, the array representation was not applicable to
polynomials where t^0 has coefficient zero. This change makes
the array representation useful in a more general context.
[Douglas Stebila]
*) Various modifications and fixes to SSL/TLS cipher string
handling. For ECC, the code now distinguishes between fixed ECDH
with RSA certificates on the one hand and with ECDSA certificates
on the other hand, since these are separate ciphersuites. The
unused code for Fortezza ciphersuites has been removed.
For consistency with EDH, ephemeral ECDH is now called "EECDH"
(not "ECDHE"). For consistency with the code for DH
certificates, use of ECDH certificates is now considered ECDH
authentication, not RSA or ECDSA authentication (the latter is
merely the CA's signing algorithm and not actively used in the
protocol).
The temporary ciphersuite alias "ECCdraft" is no longer
available, and ECC ciphersuites are no longer excluded from "ALL"
and "DEFAULT". The following aliases now exist for RFC 4492
ciphersuites, most of these by analogy with the DH case:
kECDHr - ECDH cert, signed with RSA
kECDHe - ECDH cert, signed with ECDSA
kECDH - ECDH cert (signed with either RSA or ECDSA)
kEECDH - ephemeral ECDH
ECDH - ECDH cert or ephemeral ECDH
aECDH - ECDH cert
aECDSA - ECDSA cert
ECDSA - ECDSA cert
AECDH - anonymous ECDH
EECDH - non-anonymous ephemeral ECDH (equivalent to "kEECDH:-AECDH")
[Bodo Moeller]
*) Add additional S/MIME capabilities for AES and GOST ciphers if supported.
Use correct micalg parameters depending on digest(s) in signed message.
[Steve Henson]
*) Add engine support for EVP_PKEY_ASN1_METHOD. Add functions to process
an ENGINE asn1 method. Support ENGINE lookups in the ASN1 code.
[Steve Henson]
*) Initial engine support for EVP_PKEY_METHOD. New functions to permit
an engine to register a method. Add ENGINE lookups for methods and
functional reference processing.
[Steve Henson]
*) New functions EVP_Digest{Sign,Verify)*. These are enhanced versions of
EVP_{Sign,Verify}* which allow an application to customise the signature
process.
[Steve Henson]
*) New -resign option to smime utility. This adds one or more signers
to an existing PKCS#7 signedData structure. Also -md option to use an
alternative message digest algorithm for signing.
[Steve Henson]
*) Tidy up PKCS#7 routines and add new functions to make it easier to
create PKCS7 structures containing multiple signers. Update smime
application to support multiple signers.
[Steve Henson]
*) New -macalg option to pkcs12 utility to allow setting of an alternative
digest MAC.
[Steve Henson]
*) Initial support for PKCS#5 v2.0 PRFs other than default SHA1 HMAC.
Reorganize PBE internals to lookup from a static table using NIDs,
add support for HMAC PBE OID translation. Add a EVP_CIPHER ctrl:
EVP_CTRL_PBE_PRF_NID this allows a cipher to specify an alternative
PRF which will be automatically used with PBES2.
[Steve Henson]
*) Replace the algorithm specific calls to generate keys in "req" with the
new API.
[Steve Henson]
*) Update PKCS#7 enveloped data routines to use new API. This is now
supported by any public key method supporting the encrypt operation. A
ctrl is added to allow the public key algorithm to examine or modify
the PKCS#7 RecipientInfo structure if it needs to: for RSA this is
a no op.
[Steve Henson]
*) Add a ctrl to asn1 method to allow a public key algorithm to express
a default digest type to use. In most cases this will be SHA1 but some
algorithms (such as GOST) need to specify an alternative digest. The
return value indicates how strong the preference is 1 means optional and
2 is mandatory (that is it is the only supported type). Modify
ASN1_item_sign() to accept a NULL digest argument to indicate it should
use the default md. Update openssl utilities to use the default digest
type for signing if it is not explicitly indicated.
[Steve Henson]
*) Use OID cross reference table in ASN1_sign() and ASN1_verify(). New
EVP_MD flag EVP_MD_FLAG_PKEY_METHOD_SIGNATURE. This uses the relevant
signing method from the key type. This effectively removes the link
between digests and public key types.
[Steve Henson]
*) Add an OID cross reference table and utility functions. Its purpose is to
translate between signature OIDs such as SHA1WithrsaEncryption and SHA1,
rsaEncryption. This will allow some of the algorithm specific hackery
needed to use the correct OID to be removed.
[Steve Henson]
*) Remove algorithm specific dependencies when setting PKCS7_SIGNER_INFO
structures for PKCS7_sign(). They are now set up by the relevant public
key ASN1 method.
[Steve Henson]
*) Add provisional EC pkey method with support for ECDSA and ECDH.
[Steve Henson]
*) Add support for key derivation (agreement) in the API, DH method and
pkeyutl.
[Steve Henson]
*) Add DSA pkey method and DH pkey methods, extend DH ASN1 method to support
public and private key formats. As a side effect these add additional
command line functionality not previously available: DSA signatures can be
generated and verified using pkeyutl and DH key support and generation in
pkey, genpkey.
[Steve Henson]
*) BeOS support.
[Oliver Tappe <zooey@hirschkaefer.de>]
*) New make target "install_html_docs" installs HTML renditions of the
manual pages.
[Oliver Tappe <zooey@hirschkaefer.de>]
*) New utility "genpkey" this is analogous to "genrsa" etc except it can
generate keys for any algorithm. Extend and update EVP_PKEY_METHOD to
support key and parameter generation and add initial key generation
functionality for RSA.
[Steve Henson]
*) Add functions for main EVP_PKEY_method operations. The undocumented
functions EVP_PKEY_{encrypt,decrypt} have been renamed to
EVP_PKEY_{encrypt,decrypt}_old.
[Steve Henson]
*) Initial definitions for EVP_PKEY_METHOD. This will be a high level public
key API, doesn't do much yet.
[Steve Henson]
*) New function EVP_PKEY_asn1_get0_info() to retrieve information about
public key algorithms. New option to openssl utility:
"list-public-key-algorithms" to print out info.
[Steve Henson]
*) Implement the Supported Elliptic Curves Extension for
ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
[Douglas Stebila]
*) Don't free up OIDs in OBJ_cleanup() if they are in use by EVP_MD or
EVP_CIPHER structures to avoid later problems in EVP_cleanup().
[Steve Henson]
*) New utilities pkey and pkeyparam. These are similar to algorithm specific
utilities such as rsa, dsa, dsaparam etc except they process any key
type.
[Steve Henson]
*) Transfer public key printing routines to EVP_PKEY_ASN1_METHOD. New
functions EVP_PKEY_print_public(), EVP_PKEY_print_private(),
EVP_PKEY_print_param() to print public key data from an EVP_PKEY
structure.
[Steve Henson]
*) Initial support for pluggable public key ASN1.
De-spaghettify the public key ASN1 handling. Move public and private
key ASN1 handling to a new EVP_PKEY_ASN1_METHOD structure. Relocate
algorithm specific handling to a single module within the relevant
algorithm directory. Add functions to allow (near) opaque processing
of public and private key structures.
[Steve Henson]
*) Implement the Supported Point Formats Extension for
ECC ciphersuites from draft-ietf-tls-ecc-12.txt.
[Douglas Stebila]
*) Add initial support for RFC 4279 PSK TLS ciphersuites. Add members
for the psk identity [hint] and the psk callback functions to the
SSL_SESSION, SSL and SSL_CTX structure.
New ciphersuites:
PSK-RC4-SHA, PSK-3DES-EDE-CBC-SHA, PSK-AES128-CBC-SHA,
PSK-AES256-CBC-SHA
New functions:
SSL_CTX_use_psk_identity_hint
SSL_get_psk_identity_hint
SSL_get_psk_identity
SSL_use_psk_identity_hint
[Mika Kousa and Pasi Eronen of Nokia Corporation]
*) Add RFC 3161 compliant time stamp request creation, response generation
and response verification functionality.
[Zoltán Glózik <zglozik@opentsa.org>, The OpenTSA Project]
*) Add initial support for TLS extensions, specifically for the server_name
extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now
have new members for a host name. The SSL data structure has an
additional member SSL_CTX *initial_ctx so that new sessions can be
stored in that context to allow for session resumption, even after the
SSL has been switched to a new SSL_CTX in reaction to a client's
server_name extension.
New functions (subject to change):
SSL_get_servername()
SSL_get_servername_type()
SSL_set_SSL_CTX()
New CTRL codes and macros (subject to change):
SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
- SSL_CTX_set_tlsext_servername_callback()
SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
- SSL_CTX_set_tlsext_servername_arg()
SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()
openssl s_client has a new '-servername ...' option.
openssl s_server has new options '-servername_host ...', '-cert2 ...',
'-key2 ...', '-servername_fatal' (subject to change). This allows
testing the HostName extension for a specific single host name ('-cert'
and '-key' remain fallbacks for handshakes without HostName
negotiation). If the unrecognized_name alert has to be sent, this by
default is a warning; it becomes fatal with the '-servername_fatal'
option.
[Peter Sylvester, Remy Allais, Christophe Renou]
*) Whirlpool hash implementation is added.
[Andy Polyakov]
*) BIGNUM code on 64-bit SPARCv9 targets is switched from bn(64,64) to
bn(64,32). Because of instruction set limitations it doesn't have
any negative impact on performance. This was done mostly in order
to make it possible to share assembler modules, such as bn_mul_mont
implementations, between 32- and 64-bit builds without hassle.
[Andy Polyakov]
*) Move code previously exiled into file crypto/ec/ec2_smpt.c
to ec2_smpl.c, and no longer require the OPENSSL_EC_BIN_PT_COMP
macro.
[Bodo Moeller]
*) New candidate for BIGNUM assembler implementation, bn_mul_mont,
dedicated Montgomery multiplication procedure, is introduced.
BN_MONT_CTX is modified to allow bn_mul_mont to reach for higher
"64-bit" performance on certain 32-bit targets.
[Andy Polyakov]
*) New option SSL_OP_NO_COMP to disable use of compression selectively
in SSL structures. New SSL ctrl to set maximum send fragment size.
Save memory by setting the I/O buffer sizes dynamically instead of
using the maximum available value.
[Steve Henson]
*) New option -V for 'openssl ciphers'. This prints the ciphersuite code
in addition to the text details.
[Bodo Moeller]
*) Very, very preliminary EXPERIMENTAL support for printing of general
ASN1 structures. This currently produces rather ugly output and doesn't
handle several customised structures at all.
[Steve Henson]
*) Integrated support for PVK file format and some related formats such
as MS PUBLICKEYBLOB and PRIVATEKEYBLOB. Command line switches to support
these in the 'rsa' and 'dsa' utilities.
[Steve Henson]
*) Support for PKCS#1 RSAPublicKey format on rsa utility command line.
[Steve Henson]
*) Remove the ancient ASN1_METHOD code. This was only ever used in one
place for the (very old) "NETSCAPE" format certificates which are now
handled using new ASN1 code equivalents.
[Steve Henson]
*) Let the TLSv1_method() etc. functions return a 'const' SSL_METHOD
pointer and make the SSL_METHOD parameter in SSL_CTX_new,
SSL_CTX_set_ssl_version and SSL_set_ssl_method 'const'.
[Nils Larsch]
*) Modify CRL distribution points extension code to print out previously
unsupported fields. Enhance extension setting code to allow setting of
all fields.
[Steve Henson]
*) Add print and set support for Issuing Distribution Point CRL extension.
[Steve Henson]
*) Change 'Configure' script to enable Camellia by default.
[NTT]
Changes between 0.9.8m and 0.9.8n [24 Mar 2010]
*) When rejecting SSL/TLS records due to an incorrect version number, never
update s->server with a new major version number. As of
- OpenSSL 0.9.8m if 'short' is a 16-bit type,
- OpenSSL 0.9.8f if 'short' is longer than 16 bits,
the previous behavior could result in a read attempt at NULL when
receiving specific incorrect SSL/TLS records once record payload
protection is active. (CVE-2010-0740)
[Bodo Moeller, Adam Langley <agl@chromium.org>]
*) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
could be crashed if the relevant tables were not present (e.g. chrooted).
[Tomas Hoger <thoger@redhat.com>]
Changes between 0.9.8l and 0.9.8m [25 Feb 2010]
*) Always check bn_wexpand() return values for failure. (CVE-2009-3245)
[Martin Olsson, Neel Mehta]
*) Fix X509_STORE locking: Every 'objs' access requires a lock (to
accommodate for stack sorting, always a write lock!).
[Bodo Moeller]
*) On some versions of WIN32 Heap32Next is very slow. This can cause
excessive delays in the RAND_poll(): over a minute. As a workaround
include a time check in the inner Heap32Next loop too.
[Steve Henson]
*) The code that handled flushing of data in SSL/TLS originally used the
BIO_CTRL_INFO ctrl to see if any data was pending first. This caused
the problem outlined in PR#1949. The fix suggested there however can
trigger problems with buggy BIO_CTRL_WPENDING (e.g. some versions
of Apache). So instead simplify the code to flush unconditionally.
This should be fine since flushing with no data to flush is a no op.
[Steve Henson]
*) Handle TLS versions 2.0 and later properly and correctly use the
highest version of TLS/SSL supported. Although TLS >= 2.0 is some way
off ancient servers have a habit of sticking around for a while...
[Steve Henson]
*) Modify compression code so it frees up structures without using the
ex_data callbacks. This works around a problem where some applications
call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when
restarting) then use compression (e.g. SSL with compression) later.
This results in significant per-connection memory leaks and
has caused some security issues including CVE-2008-1678 and
CVE-2009-4355.
[Steve Henson]
*) Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't
change when encrypting or decrypting.
[Bodo Moeller]
*) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to
connect and renegotiate with servers which do not support RI.
Until RI is more widely deployed this option is enabled by default.
[Steve Henson]
*) Add "missing" ssl ctrls to clear options and mode.
[Steve Henson]
*) If client attempts to renegotiate and doesn't support RI respond with
a no_renegotiation alert as required by RFC5746. Some renegotiating
TLS clients will continue a connection gracefully when they receive
the alert. Unfortunately OpenSSL mishandled this alert and would hang
waiting for a server hello which it will never receive. Now we treat a
received no_renegotiation alert as a fatal error. This is because
applications requesting a renegotiation might well expect it to succeed
and would have no code in place to handle the server denying it so the
only safe thing to do is to terminate the connection.
[Steve Henson]
*) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if
peer supports secure renegotiation and 0 otherwise. Print out peer
renegotiation support in s_client/s_server.
[Steve Henson]
*) Replace the highly broken and deprecated SPKAC certification method with
the updated NID creation version. This should correctly handle UTF8.
[Steve Henson]
*) Implement RFC5746. Re-enable renegotiation but require the extension
as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
turns out to be a bad idea. It has been replaced by
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with
SSL_CTX_set_options(). This is really not recommended unless you
know what you are doing.
[Eric Rescorla <ekr@networkresonance.com>, Ben Laurie, Steve Henson]
*) Fixes to stateless session resumption handling. Use initial_ctx when
issuing and attempting to decrypt tickets in case it has changed during
servername handling. Use a non-zero length session ID when attempting
stateless session resumption: this makes it possible to determine if
a resumption has occurred immediately after receiving server hello
(several places in OpenSSL subtly assume this) instead of later in
the handshake.
[Steve Henson]
*) The functions ENGINE_ctrl(), OPENSSL_isservice(),
CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error
fixes for a few places where the return code is not checked
correctly.
[Julia Lawall <julia@diku.dk>]
*) Add --strict-warnings option to Configure script to include devteam
warnings in other configurations.
[Steve Henson]
*) Add support for --libdir option and LIBDIR variable in makefiles. This
makes it possible to install openssl libraries in locations which
have names other than "lib", for example "/usr/lib64" which some
systems need.
[Steve Henson, based on patch from Jeremy Utley]
*) Don't allow the use of leading 0x80 in OIDs. This is a violation of
X690 8.9.12 and can produce some misleading textual output of OIDs.
[Steve Henson, reported by Dan Kaminsky]
*) Delete MD2 from algorithm tables. This follows the recommendation in
several standards that it is not used in new applications due to
several cryptographic weaknesses. For binary compatibility reasons
the MD2 API is still compiled in by default.
[Steve Henson]
*) Add compression id to {d2i,i2d}_SSL_SESSION so it is correctly saved
and restored.
[Steve Henson]
*) Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and
OPENSSL_asc2uni conditionally on Netware platforms to avoid a name
clash.
[Guenter <lists@gknw.net>]
*) Fix the server certificate chain building code to use X509_verify_cert(),
it used to have an ad-hoc builder which was unable to cope with anything
other than a simple chain.
[David Woodhouse <dwmw2@infradead.org>, Steve Henson]
*) Don't check self signed certificate signatures in X509_verify_cert()
by default (a flag can override this): it just wastes time without
adding any security. As a useful side effect self signed root CAs
with non-FIPS digests are now usable in FIPS mode.
[Steve Henson]
*) In dtls1_process_out_of_seq_message() the check if the current message
is already buffered was missing. For every new message was memory
allocated, allowing an attacker to perform an denial of service attack
with sending out of seq handshake messages until there is no memory
left. Additionally every future message was buffered, even if the
sequence number made no sense and would be part of another handshake.
So only messages with sequence numbers less than 10 in advance will be
buffered. (CVE-2009-1378)
[Robin Seggelmann, discovered by Daniel Mentz]
*) Records are buffered if they arrive with a future epoch to be
processed after finishing the corresponding handshake. There is
currently no limitation to this buffer allowing an attacker to perform
a DOS attack with sending records with future epochs until there is no
memory left. This patch adds the pqueue_size() function to determine
the size of a buffer and limits the record buffer to 100 entries.
(CVE-2009-1377)
[Robin Seggelmann, discovered by Daniel Mentz]
*) Keep a copy of frag->msg_header.frag_len so it can be used after the
parent structure is freed. (CVE-2009-1379)
[Daniel Mentz]
*) Handle non-blocking I/O properly in SSL_shutdown() call.
[Darryl Miles <darryl-mailinglists@netbauds.net>]
*) Add 2.5.4.* OIDs
[Ilya O. <vrghost@gmail.com>]
Changes between 0.9.8k and 0.9.8l [5 Nov 2009]
*) Disable renegotiation completely - this fixes a severe security
problem (CVE-2009-3555) at the cost of breaking all
renegotiation. Renegotiation can be re-enabled by setting
SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
run-time. This is really not recommended unless you know what
you're doing.
[Ben Laurie]
Changes between 0.9.8j and 0.9.8k [25 Mar 2009]
*) Don't set val to NULL when freeing up structures, it is freed up by
underlying code. If sizeof(void *) > sizeof(long) this can result in
zeroing past the valid field. (CVE-2009-0789)
[Paolo Ganci <Paolo.Ganci@AdNovum.CH>]
*) Fix bug where return value of CMS_SignerInfo_verify_content() was not
checked correctly. This would allow some invalid signed attributes to
appear to verify correctly. (CVE-2009-0591)
[Ivan Nestlerode <inestlerode@us.ibm.com>]
*) Reject UniversalString and BMPString types with invalid lengths. This
prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
a legal length. (CVE-2009-0590)
[Steve Henson]
*) Set S/MIME signing as the default purpose rather than setting it
unconditionally. This allows applications to override it at the store
level.
[Steve Henson]
*) Permit restricted recursion of ASN1 strings. This is needed in practice
to handle some structures.
[Steve Henson]
*) Improve efficiency of mem_gets: don't search whole buffer each time
for a '\n'
[Jeremy Shapiro <jnshapir@us.ibm.com>]
*) New -hex option for openssl rand.
[Matthieu Herrb]
*) Print out UTF8String and NumericString when parsing ASN1.
[Steve Henson]
*) Support NumericString type for name components.
[Steve Henson]
*) Allow CC in the environment to override the automatically chosen
compiler. Note that nothing is done to ensure flags work with the
chosen compiler.
[Ben Laurie]
Changes between 0.9.8i and 0.9.8j [07 Jan 2009]
*) Properly check EVP_VerifyFinal() and similar return values
(CVE-2008-5077).
[Ben Laurie, Bodo Moeller, Google Security Team]
*) Enable TLS extensions by default.
[Ben Laurie]
*) Allow the CHIL engine to be loaded, whether the application is
multithreaded or not. (This does not release the developer from the
obligation to set up the dynamic locking callbacks.)
[Sander Temme <sander@temme.net>]
*) Use correct exit code if there is an error in dgst command.
[Steve Henson; problem pointed out by Roland Dirlewanger]
*) Tweak Configure so that you need to say "experimental-jpake" to enable
JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
[Bodo Moeller]
*) Add experimental JPAKE support, including demo authentication in
s_client and s_server.
[Ben Laurie]
*) Set the comparison function in v3_addr_canonize().
[Rob Austein <sra@hactrn.net>]
*) Add support for XMPP STARTTLS in s_client.
[Philip Paeps <philip@freebsd.org>]
*) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
to ensure that even with this option, only ciphersuites in the
server's preference list will be accepted. (Note that the option
applies only when resuming a session, so the earlier behavior was
just about the algorithm choice for symmetric cryptography.)
[Bodo Moeller]
Changes between 0.9.8h and 0.9.8i [15 Sep 2008]
*) Fix NULL pointer dereference if a DTLS server received
ChangeCipherSpec as first record (CVE-2009-1386).
[PR #1679]
*) Fix a state transition in s3_srvr.c and d1_srvr.c
(was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
[Nagendra Modadugu]
*) The fix in 0.9.8c that supposedly got rid of unsafe
double-checked locking was incomplete for RSA blinding,
addressing just one layer of what turns out to have been
doubly unsafe triple-checked locking.
So now fix this for real by retiring the MONT_HELPER macro
in crypto/rsa/rsa_eay.c.
[Bodo Moeller; problem pointed out by Marius Schilder]
*) Various precautionary measures:
- Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
- Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
(NB: This would require knowledge of the secret session ticket key
to exploit, in which case you'd be SOL either way.)
- Change bn_nist.c so that it will properly handle input BIGNUMs
outside the expected range.
- Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
builds.
[Neel Mehta, Bodo Moeller]
*) Allow engines to be "soft loaded" - i.e. optionally don't die if
the load fails. Useful for distros.
[Ben Laurie and the FreeBSD team]
*) Add support for Local Machine Keyset attribute in PKCS#12 files.
[Steve Henson]
*) Fix BN_GF2m_mod_arr() top-bit cleanup code.
[Huang Ying]
*) Expand ENGINE to support engine supplied SSL client certificate functions.
This work was sponsored by Logica.
[Steve Henson]
*) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
keystores. Support for SSL/TLS client authentication too.
Not compiled unless enable-capieng specified to Configure.
This work was sponsored by Logica.
[Steve Henson]
*) Fix bug in X509_ATTRIBUTE creation: don't set attribute using
ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain
attribute creation routines such as certificate requests and PKCS#12
files.
[Steve Henson]
Changes between 0.9.8g and 0.9.8h [28 May 2008]
*) Fix flaw if 'Server Key exchange message' is omitted from a TLS
handshake which could lead to a client crash as found using the
Codenomicon TLS test suite (CVE-2008-1672)
[Steve Henson, Mark Cox]
*) Fix double free in TLS server name extensions which could lead to
a remote crash found by Codenomicon TLS test suite (CVE-2008-0891)
[Joe Orton]
*) Clear error queue in SSL_CTX_use_certificate_chain_file()
Clear the error queue to ensure that error entries left from
older function calls do not interfere with the correct operation.
[Lutz Jaenicke, Erik de Castro Lopo]
*) Remove root CA certificates of commercial CAs:
The OpenSSL project does not recommend any specific CA and does not
have any policy with respect to including or excluding any CA.
Therefore it does not make any sense to ship an arbitrary selection
of root CA certificates with the OpenSSL software.
[Lutz Jaenicke]
*) RSA OAEP patches to fix two separate invalid memory reads.
The first one involves inputs when 'lzero' is greater than
'SHA_DIGEST_LENGTH' (it would read about SHA_DIGEST_LENGTH bytes
before the beginning of from). The second one involves inputs where
the 'db' section contains nothing but zeroes (there is a one-byte
invalid read after the end of 'db').
[Ivan Nestlerode <inestlerode@us.ibm.com>]
*) Partial backport from 0.9.9-dev:
Introduce bn_mul_mont (dedicated Montgomery multiplication
procedure) as a candidate for BIGNUM assembler implementation.
While 0.9.9-dev uses assembler for various architectures, only
x86_64 is available by default here in the 0.9.8 branch, and
32-bit x86 is available through a compile-time setting.
To try the 32-bit x86 assembler implementation, use Configure
option "enable-montasm" (which exists only for this backport).
As "enable-montasm" for 32-bit x86 disclaims code stability
anyway, in this constellation we activate additional code
backported from 0.9.9-dev for further performance improvements,
namely BN_from_montgomery_word. (To enable this otherwise,
e.g. x86_64, try "-DMONT_FROM_WORD___NON_DEFAULT_0_9_8_BUILD".)
[Andy Polyakov (backport partially by Bodo Moeller)]
*) Add TLS session ticket callback. This allows an application to set
TLS ticket cipher and HMAC keys rather than relying on hardcoded fixed
values. This is useful for key rollover for example where several key
sets may exist with different names.
[Steve Henson]
*) Reverse ENGINE-internal logic for caching default ENGINE handles.
This was broken until now in 0.9.8 releases, such that the only way
a registered ENGINE could be used (assuming it initialises
successfully on the host) was to explicitly set it as the default
for the relevant algorithms. This is in contradiction with 0.9.7
behaviour and the documentation. With this fix, when an ENGINE is
registered into a given algorithm's table of implementations, the
'uptodate' flag is reset so that auto-discovery will be used next
time a new context for that algorithm attempts to select an
implementation.
[Ian Lister (tweaked by Geoff Thorpe)]
*) Backport of CMS code to OpenSSL 0.9.8. This differs from the 0.9.9
implementation in the following ways:
Lack of EVP_PKEY_ASN1_METHOD means algorithm parameters have to be
hard coded.
Lack of BER streaming support means one pass streaming processing is
only supported if data is detached: setting the streaming flag is
ignored for embedded content.
CMS support is disabled by default and must be explicitly enabled
with the enable-cms configuration option.
[Steve Henson]
*) Update the GMP engine glue to do direct copies between BIGNUM and
mpz_t when openssl and GMP use the same limb size. Otherwise the
existing "conversion via a text string export" trick is still used.
[Paul Sheer <paulsheer@gmail.com>]
*) Zlib compression BIO. This is a filter BIO which compressed and
uncompresses any data passed through it.
[Steve Henson]
*) Add AES_wrap_key() and AES_unwrap_key() functions to implement
RFC3394 compatible AES key wrapping.
[Steve Henson]
*) Add utility functions to handle ASN1 structures. ASN1_STRING_set0():
sets string data without copying. X509_ALGOR_set0() and
X509_ALGOR_get0(): set and retrieve X509_ALGOR (AlgorithmIdentifier)
data. Attribute function X509at_get0_data_by_OBJ(): retrieves data
from an X509_ATTRIBUTE structure optionally checking it occurs only
once. ASN1_TYPE_set1(): set and ASN1_TYPE structure copying supplied
data.
[Steve Henson]
*) Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set()
to get the expected BN_FLG_CONSTTIME behavior.
[Bodo Moeller (Google)]
*) Netware support:
- fixed wrong usage of ioctlsocket() when build for LIBC BSD sockets
- fixed do_tests.pl to run the test suite with CLIB builds too (CLIB_OPT)
- added some more tests to do_tests.pl
- fixed RunningProcess usage so that it works with newer LIBC NDKs too
- removed usage of BN_LLONG for CLIB builds to avoid runtime dependency
- added new Configure targets netware-clib-bsdsock, netware-clib-gcc,
netware-clib-bsdsock-gcc, netware-libc-bsdsock-gcc
- various changes to netware.pl to enable gcc-cross builds on Win32
platform
- changed crypto/bio/b_sock.c to work with macro functions (CLIB BSD)
- various changes to fix missing prototype warnings
- fixed x86nasm.pl to create correct asm files for NASM COFF output
- added AES, WHIRLPOOL and CPUID assembler code to build files
- added missing AES assembler make rules to mk1mf.pl
- fixed order of includes in apps/ocsp.c so that e_os.h settings apply
[Guenter Knauf <eflash@gmx.net>]
*) Implement certificate status request TLS extension defined in RFC3546.
A client can set the appropriate parameters and receive the encoded
OCSP response via a callback. A server can query the supplied parameters
and set the encoded OCSP response in the callback. Add simplified examples
to s_client and s_server.
[Steve Henson]
Changes between 0.9.8f and 0.9.8g [19 Oct 2007]
*) Fix various bugs:
+ Binary incompatibility of ssl_ctx_st structure
+ DTLS interoperation with non-compliant servers
+ Don't call get_session_cb() without proposed session
+ Fix ia64 assembler code
[Andy Polyakov, Steve Henson]
Changes between 0.9.8e and 0.9.8f [11 Oct 2007]
*) DTLS Handshake overhaul. There were longstanding issues with
OpenSSL DTLS implementation, which were making it impossible for
RFC 4347 compliant client to communicate with OpenSSL server.
Unfortunately just fixing these incompatibilities would "cut off"
pre-0.9.8f clients. To allow for hassle free upgrade post-0.9.8e
server keeps tolerating non RFC compliant syntax. The opposite is
not true, 0.9.8f client can not communicate with earlier server.
This update even addresses CVE-2007-4995.
[Andy Polyakov]
*) Changes to avoid need for function casts in OpenSSL: some compilers
(gcc 4.2 and later) reject their use.
[Kurt Roeckx <kurt@roeckx.be>, Peter Hartley <pdh@utter.chaos.org.uk>,
Steve Henson]
*) Add RFC4507 support to OpenSSL. This includes the corrections in
RFC4507bis. The encrypted ticket format is an encrypted encoded
SSL_SESSION structure, that way new session features are automatically
supported.
If a client application caches session in an SSL_SESSION structure
support is transparent because tickets are now stored in the encoded
SSL_SESSION.
The SSL_CTX structure automatically generates keys for ticket
protection in servers so again support should be possible
with no application modification.
If a client or server wishes to disable RFC4507 support then the option
SSL_OP_NO_TICKET can be set.
Add a TLS extension debugging callback to allow the contents of any client
or server extensions to be examined.
This work was sponsored by Google.
[Steve Henson]
*) Add initial support for TLS extensions, specifically for the server_name
extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now
have new members for a host name. The SSL data structure has an
additional member SSL_CTX *initial_ctx so that new sessions can be
stored in that context to allow for session resumption, even after the
SSL has been switched to a new SSL_CTX in reaction to a client's
server_name extension.
New functions (subject to change):
SSL_get_servername()
SSL_get_servername_type()
SSL_set_SSL_CTX()
New CTRL codes and macros (subject to change):
SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
- SSL_CTX_set_tlsext_servername_callback()
SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG
- SSL_CTX_set_tlsext_servername_arg()
SSL_CTRL_SET_TLSEXT_HOSTNAME - SSL_set_tlsext_host_name()
openssl s_client has a new '-servername ...' option.
openssl s_server has new options '-servername_host ...', '-cert2 ...',
'-key2 ...', '-servername_fatal' (subject to change). This allows
testing the HostName extension for a specific single host name ('-cert'
and '-key' remain fallbacks for handshakes without HostName
negotiation). If the unrecognized_name alert has to be sent, this by
default is a warning; it becomes fatal with the '-servername_fatal'
option.
[Peter Sylvester, Remy Allais, Christophe Renou, Steve Henson]
*) Add AES and SSE2 assembly language support to VC++ build.
[Steve Henson]
*) Mitigate attack on final subtraction in Montgomery reduction.
[Andy Polyakov]
*) Fix crypto/ec/ec_mult.c to work properly with scalars of value 0
(which previously caused an internal error).
[Bodo Moeller]
*) Squeeze another 10% out of IGE mode when in != out.
[Ben Laurie]
*) AES IGE mode speedup.
[Dean Gaudet (Google)]
*) Add the Korean symmetric 128-bit cipher SEED (see
http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp) and
add SEED ciphersuites from RFC 4162:
TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA"
TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA"
TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA"
TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA"
To minimize changes between patchlevels in the OpenSSL 0.9.8
series, SEED remains excluded from compilation unless OpenSSL
is configured with 'enable-seed'.
[KISA, Bodo Moeller]
*) Mitigate branch prediction attacks, which can be practical if a
single processor is shared, allowing a spy process to extract
information. For detailed background information, see
http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron,
J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL
and Necessary Software Countermeasures"). The core of the change
are new versions BN_div_no_branch() and
BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(),
respectively, which are slower, but avoid the security-relevant
conditional branches. These are automatically called by BN_div()
and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one
of the input BIGNUMs. Also, BN_is_bit_set() has been changed to
remove a conditional branch.
BN_FLG_CONSTTIME is the new name for the previous
BN_FLG_EXP_CONSTTIME flag, since it now affects more than just
modular exponentiation. (Since OpenSSL 0.9.7h, setting this flag
in the exponent causes BN_mod_exp_mont() to use the alternative
implementation in BN_mod_exp_mont_consttime().) The old name
remains as a deprecated alias.
Similarly, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general
RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses
constant-time implementations for more than just exponentiation.
Here too the old name is kept as a deprecated alias.
BN_BLINDING_new() will now use BN_dup() for the modulus so that
the BN_BLINDING structure gets an independent copy of the
modulus. This means that the previous "BIGNUM *m" argument to
BN_BLINDING_new() and to BN_BLINDING_create_param() now
essentially becomes "const BIGNUM *m", although we can't actually
change this in the header file before 0.9.9. It allows
RSA_setup_blinding() to use BN_with_flags() on the modulus to
enable BN_FLG_CONSTTIME.
[Matthew D Wood (Intel Corp)]
*) In the SSL/TLS server implementation, be strict about session ID
context matching (which matters if an application uses a single
external cache for different purposes). Previously,
out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
set. This did ensure strict client verification, but meant that,
with applications using a single external cache for quite
different requirements, clients could circumvent ciphersuite
restrictions for a given session ID context by starting a session
in a different context.
[Bodo Moeller]
*) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
a ciphersuite string such as "DEFAULT:RSA" cannot enable
authentication-only ciphersuites.
[Bodo Moeller]
*) Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was
not complete and could lead to a possible single byte overflow
(CVE-2007-5135) [Ben Laurie]
Changes between 0.9.8d and 0.9.8e [23 Feb 2007]
*) Since AES128 and AES256 (and similarly Camellia128 and
Camellia256) share a single mask bit in the logic of
ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
kludge to work properly if AES128 is available and AES256 isn't
(or if Camellia128 is available and Camellia256 isn't).
[Victor Duchovni]
*) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c
(within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters):
When a point or a seed is encoded in a BIT STRING, we need to
prevent the removal of trailing zero bits to get the proper DER
encoding. (By default, crypto/asn1/a_bitstr.c assumes the case
of a NamedBitList, for which trailing 0 bits need to be removed.)
[Bodo Moeller]
*) Have SSL/TLS server implementation tolerate "mismatched" record
protocol version while receiving ClientHello even if the
ClientHello is fragmented. (The server can't insist on the
particular protocol version it has chosen before the ServerHello
message has informed the client about his choice.)
[Bodo Moeller]
*) Add RFC 3779 support.
[Rob Austein for ARIN, Ben Laurie]
*) Load error codes if they are not already present instead of using a
static variable. This allows them to be cleanly unloaded and reloaded.
Improve header file function name parsing.
[Steve Henson]
*) extend SMTP and IMAP protocol emulation in s_client to use EHLO
or CAPABILITY handshake as required by RFCs.
[Goetz Babin-Ebell]
Changes between 0.9.8c and 0.9.8d [28 Sep 2006]
*) Introduce limits to prevent malicious keys being able to
cause a denial of service. (CVE-2006-2940)
[Steve Henson, Bodo Moeller]
*) Fix ASN.1 parsing of certain invalid structures that can result
in a denial of service. (CVE-2006-2937) [Steve Henson]
*) Fix buffer overflow in SSL_get_shared_ciphers() function.
(CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]
*) Fix SSL client code which could crash if connecting to a
malicious SSLv2 server. (CVE-2006-4343)
[Tavis Ormandy and Will Drewry, Google Security Team]
*) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites
match only those. Before that, "AES256-SHA" would be interpreted
as a pattern and match "AES128-SHA" too (since AES128-SHA got
the same strength classification in 0.9.7h) as we currently only
have a single AES bit in the ciphersuite description bitmap.
That change, however, also applied to ciphersuite strings such as
"RC4-MD5" that intentionally matched multiple ciphersuites --
namely, SSL 2.0 ciphersuites in addition to the more common ones
from SSL 3.0/TLS 1.0.
So we change the selection algorithm again: Naming an explicit
ciphersuite selects this one ciphersuite, and any other similar
ciphersuite (same bitmap) from *other* protocol versions.
Thus, "RC4-MD5" again will properly select both the SSL 2.0
ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.
Since SSL 2.0 does not have any ciphersuites for which the
128/256 bit distinction would be relevant, this works for now.
The proper fix will be to use different bits for AES128 and
AES256, which would have avoided the problems from the beginning;
however, bits are scarce, so we can only do this in a new release
(not just a patchlevel) when we can change the SSL_CIPHER
definition to split the single 'unsigned long mask' bitmap into
multiple values to extend the available space.
[Bodo Moeller]
Changes between 0.9.8b and 0.9.8c [05 Sep 2006]
*) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
(CVE-2006-4339) [Ben Laurie and Google Security Team]
*) Add AES IGE and biIGE modes.
[Ben Laurie]
*) Change the Unix randomness entropy gathering to use poll() when
possible instead of select(), since the latter has some
undesirable limitations.
[Darryl Miles via Richard Levitte and Bodo Moeller]
*) Disable "ECCdraft" ciphersuites more thoroughly. Now special
treatment in ssl/ssl_ciph.s makes sure that these ciphersuites
cannot be implicitly activated as part of, e.g., the "AES" alias.
However, please upgrade to OpenSSL 0.9.9[-dev] for
non-experimental use of the ECC ciphersuites to get TLS extension
support, which is required for curve and point format negotiation
to avoid potential handshake problems.
[Bodo Moeller]
*) Disable rogue ciphersuites:
- SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
- SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
- SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
The latter two were purportedly from
draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
appear there.
Also deactivate the remaining ciphersuites from
draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
unofficial, and the ID has long expired.
[Bodo Moeller]
*) Fix RSA blinding Heisenbug (problems sometimes occurred on
dual-core machines) and other potential thread-safety issues.
[Bodo Moeller]
*) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
versions), which is now available for royalty-free use
(see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html).
Also, add Camellia TLS ciphersuites from RFC 4132.
To minimize changes between patchlevels in the OpenSSL 0.9.8
series, Camellia remains excluded from compilation unless OpenSSL
is configured with 'enable-camellia'.
[NTT]
*) Disable the padding bug check when compression is in use. The padding
bug check assumes the first packet is of even length, this is not
necessarily true if compression is enabled and can result in false
positives causing handshake failure. The actual bug test is ancient
code so it is hoped that implementations will either have fixed it by
now or any which still have the bug do not support compression.
[Steve Henson]
Changes between 0.9.8a and 0.9.8b [04 May 2006]
*) When applying a cipher rule check to see if string match is an explicit
cipher suite and only match that one cipher suite if it is.
[Steve Henson]
*) Link in manifests for VC++ if needed.
[Austin Ziegler <halostatue@gmail.com>]
*) Update support for ECC-based TLS ciphersuites according to
draft-ietf-tls-ecc-12.txt with proposed changes (but without
TLS extensions, which are supported starting with the 0.9.9
branch, not in the OpenSSL 0.9.8 branch).
[Douglas Stebila]
*) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
opaque EVP_CIPHER_CTX handling.
[Steve Henson]
*) Fixes and enhancements to zlib compression code. We now only use
"zlib1.dll" and use the default __cdecl calling convention on Win32
to conform with the standards mentioned here:
http://www.zlib.net/DLL_FAQ.txt
Static zlib linking now works on Windows and the new --with-zlib-include
--with-zlib-lib options to Configure can be used to supply the location
of the headers and library. Gracefully handle case where zlib library
can't be loaded.
[Steve Henson]
*) Several fixes and enhancements to the OID generation code. The old code
sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
handle numbers larger than ULONG_MAX, truncated printing and had a
non standard OBJ_obj2txt() behaviour.
[Steve Henson]
*) Add support for building of engines under engine/ as shared libraries
under VC++ build system.
[Steve Henson]
*) Corrected the numerous bugs in the Win32 path splitter in DSO.
Hopefully, we will not see any false combination of paths any more.
[Richard Levitte]
Changes between 0.9.8 and 0.9.8a [11 Oct 2005]
*) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
(part of SSL_OP_ALL). This option used to disable the
countermeasure against man-in-the-middle protocol-version
rollback in the SSL 2.0 server implementation, which is a bad
idea. (CVE-2005-2969)
[Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
for Information Security, National Institute of Advanced Industrial
Science and Technology [AIST], Japan)]
*) Add two function to clear and return the verify parameter flags.
[Steve Henson]
*) Keep cipherlists sorted in the source instead of sorting them at
runtime, thus removing the need for a lock.
[Nils Larsch]
*) Avoid some small subgroup attacks in Diffie-Hellman.
[Nick Mathewson and Ben Laurie]
*) Add functions for well-known primes.
[Nick Mathewson]
*) Extended Windows CE support.
[Satoshi Nakamura and Andy Polyakov]
*) Initialize SSL_METHOD structures at compile time instead of during
runtime, thus removing the need for a lock.
[Steve Henson]
*) Make PKCS7_decrypt() work even if no certificate is supplied by
attempting to decrypt each encrypted key in turn. Add support to
smime utility.
[Steve Henson]
Changes between 0.9.7h and 0.9.8 [05 Jul 2005]
[NB: OpenSSL 0.9.7i and later 0.9.7 patch levels were released after
OpenSSL 0.9.8.]
*) Add libcrypto.pc and libssl.pc for those who feel they need them.
[Richard Levitte]
*) Change CA.sh and CA.pl so they don't bundle the CSR and the private
key into the same file any more.
[Richard Levitte]
*) Add initial support for Win64, both IA64 and AMD64/x64 flavors.
[Andy Polyakov]
*) Add -utf8 command line and config file option to 'ca'.
[Stefan <stf@udoma.org]
*) Removed the macro des_crypt(), as it seems to conflict with some
libraries. Use DES_crypt().
[Richard Levitte]
*) Correct naming of the 'chil' and '4758cca' ENGINEs. This
involves renaming the source and generated shared-libs for
both. The engines will accept the corrected or legacy ids
('ncipher' and '4758_cca' respectively) when binding. NB,
this only applies when building 'shared'.
[Corinna Vinschen <vinschen@redhat.com> and Geoff Thorpe]
*) Add attribute functions to EVP_PKEY structure. Modify
PKCS12_create() to recognize a CSP name attribute and
use it. Make -CSP option work again in pkcs12 utility.
[Steve Henson]
*) Add new functionality to the bn blinding code:
- automatic re-creation of the BN_BLINDING parameters after
a fixed number of uses (currently 32)
- add new function for parameter creation
- introduce flags to control the update behaviour of the
BN_BLINDING parameters
- hide BN_BLINDING structure
Add a second BN_BLINDING slot to the RSA structure to improve
performance when a single RSA object is shared among several
threads.
[Nils Larsch]
*) Add support for DTLS.
[Nagendra Modadugu <nagendra@cs.stanford.edu> and Ben Laurie]
*) Add support for DER encoded private keys (SSL_FILETYPE_ASN1)
to SSL_CTX_use_PrivateKey_file() and SSL_use_PrivateKey_file()
[Walter Goulet]
*) Remove buggy and incomplete DH cert support from
ssl/ssl_rsa.c and ssl/s3_both.c
[Nils Larsch]
*) Use SHA-1 instead of MD5 as the default digest algorithm for
the apps/openssl applications.
[Nils Larsch]
*) Compile clean with "-Wall -Wmissing-prototypes
-Wstrict-prototypes -Wmissing-declarations -Werror". Currently
DEBUG_SAFESTACK must also be set.
[Ben Laurie]
*) Change ./Configure so that certain algorithms can be disabled by default.
The new counterpiece to "no-xxx" is "enable-xxx".
The patented RC5 and MDC2 algorithms will now be disabled unless
"enable-rc5" and "enable-mdc2", respectively, are specified.
(IDEA remains enabled despite being patented. This is because IDEA
is frequently required for interoperability, and there is no license
fee for non-commercial use. As before, "no-idea" can be used to
avoid this algorithm.)
[Bodo Moeller]
*) Add processing of proxy certificates (see RFC 3820). This work was
sponsored by KTH (The Royal Institute of Technology in Stockholm) and
EGEE (Enabling Grids for E-science in Europe).
[Richard Levitte]
*) RC4 performance overhaul on modern architectures/implementations, such
as Intel P4, IA-64 and AMD64.
[Andy Polyakov]
*) New utility extract-section.pl. This can be used specify an alternative
section number in a pod file instead of having to treat each file as
a separate case in Makefile. This can be done by adding two lines to the
pod file:
=for comment openssl_section:XXX
The blank line is mandatory.
[Steve Henson]
*) New arguments -certform, -keyform and -pass for s_client and s_server
to allow alternative format key and certificate files and passphrase
sources.
[Steve Henson]
*) New structure X509_VERIFY_PARAM which combines current verify parameters,
update associated structures and add various utility functions.
Add new policy related verify parameters, include policy checking in
standard verify code. Enhance 'smime' application with extra parameters
to support policy checking and print out.
[Steve Henson]
*) Add a new engine to support VIA PadLock ACE extensions in the VIA C3
Nehemiah processors. These extensions support AES encryption in hardware
as well as RNG (though RNG support is currently disabled).
[Michal Ludvig <michal@logix.cz>, with help from Andy Polyakov]
*) Deprecate BN_[get|set]_params() functions (they were ignored internally).
[Geoff Thorpe]
*) New FIPS 180-2 algorithms, SHA-224/-256/-384/-512 are implemented.
[Andy Polyakov and a number of other people]
*) Improved PowerPC platform support. Most notably BIGNUM assembler
implementation contributed by IBM.
[Suresh Chari, Peter Waltenberg, Andy Polyakov]
*) The new 'RSA_generate_key_ex' function now takes a BIGNUM for the public
exponent rather than 'unsigned long'. There is a corresponding change to
the new 'rsa_keygen' element of the RSA_METHOD structure.
[Jelte Jansen, Geoff Thorpe]
*) Functionality for creating the initial serial number file is now
moved from CA.pl to the 'ca' utility with a new option -create_serial.
(Before OpenSSL 0.9.7e, CA.pl used to initialize the serial
number file to 1, which is bound to cause problems. To avoid
the problems while respecting compatibility between different 0.9.7
patchlevels, 0.9.7e employed 'openssl x509 -next_serial' in
CA.pl for serial number initialization. With the new release 0.9.8,
we can fix the problem directly in the 'ca' utility.)
[Steve Henson]
*) Reduced header interdependencies by declaring more opaque objects in
ossl_typ.h. As a consequence, including some headers (eg. engine.h) will
give fewer recursive includes, which could break lazy source code - so
this change is covered by the OPENSSL_NO_DEPRECATED symbol. As always,
developers should define this symbol when building and using openssl to
ensure they track the recommended behaviour, interfaces, [etc], but
backwards-compatible behaviour prevails when this isn't defined.
[Geoff Thorpe]
*) New function X509_POLICY_NODE_print() which prints out policy nodes.
[Steve Henson]
*) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality.
This will generate a random key of the appropriate length based on the
cipher context. The EVP_CIPHER can provide its own random key generation
routine to support keys of a specific form. This is used in the des and
3des routines to generate a key of the correct parity. Update S/MIME
code to use new functions and hence generate correct parity DES keys.
Add EVP_CHECK_DES_KEY #define to return an error if the key is not
valid (weak or incorrect parity).
[Steve Henson]
*) Add a local set of CRLs that can be used by X509_verify_cert() as well
as looking them up. This is useful when the verified structure may contain
CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs
present unless the new PKCS7_NO_CRL flag is asserted.
[Steve Henson]
*) Extend ASN1 oid configuration module. It now additionally accepts the
syntax:
shortName = some long name, 1.2.3.4
[Steve Henson]
*) Reimplemented the BN_CTX implementation. There is now no more static
limitation on the number of variables it can handle nor the depth of the
"stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack
information can now expand as required, and rather than having a single
static array of bignums, BN_CTX now uses a linked-list of such arrays
allowing it to expand on demand whilst maintaining the usefulness of
BN_CTX's "bundling".
[Geoff Thorpe]
*) Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD
to allow all RSA operations to function using a single BN_CTX.
[Geoff Thorpe]
*) Preliminary support for certificate policy evaluation and checking. This
is initially intended to pass the tests outlined in "Conformance Testing
of Relying Party Client Certificate Path Processing Logic" v1.07.
[Steve Henson]
*) bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and
remained unused and not that useful. A variety of other little bignum
tweaks and fixes have also been made continuing on from the audit (see
below).
[Geoff Thorpe]
*) Constify all or almost all d2i, c2i, s2i and r2i functions, along with
associated ASN1, EVP and SSL functions and old ASN1 macros.
[Richard Levitte]
*) BN_zero() only needs to set 'top' and 'neg' to zero for correct results,
and this should never fail. So the return value from the use of
BN_set_word() (which can fail due to needless expansion) is now deprecated;
if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro.
[Geoff Thorpe]
*) BN_CTX_get() should return zero-valued bignums, providing the same
initialised value as BN_new().
[Geoff Thorpe, suggested by Ulf Möller]
*) Support for inhibitAnyPolicy certificate extension.
[Steve Henson]
*) An audit of the BIGNUM code is underway, for which debugging code is
enabled when BN_DEBUG is defined. This makes stricter enforcements on what
is considered valid when processing BIGNUMs, and causes execution to
assert() when a problem is discovered. If BN_DEBUG_RAND is defined,
further steps are taken to deliberately pollute unused data in BIGNUM
structures to try and expose faulty code further on. For now, openssl will
(in its default mode of operation) continue to tolerate the inconsistent
forms that it has tolerated in the past, but authors and packagers should
consider trying openssl and their own applications when compiled with
these debugging symbols defined. It will help highlight potential bugs in
their own code, and will improve the test coverage for OpenSSL itself. At
some point, these tighter rules will become openssl's default to improve
maintainability, though the assert()s and other overheads will remain only
in debugging configurations. See bn.h for more details.
[Geoff Thorpe, Nils Larsch, Ulf Möller]
*) BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure
that can only be obtained through BN_CTX_new() (which implicitly
initialises it). The presence of this function only made it possible
to overwrite an existing structure (and cause memory leaks).
[Geoff Thorpe]
*) Because of the callback-based approach for implementing LHASH as a
template type, lh_insert() adds opaque objects to hash-tables and
lh_doall() or lh_doall_arg() are typically used with a destructor callback
to clean up those corresponding objects before destroying the hash table
(and losing the object pointers). So some over-zealous constifications in
LHASH have been relaxed so that lh_insert() does not take (nor store) the
objects as "const" and the lh_doall[_arg] callback wrappers are not
prototyped to have "const" restrictions on the object pointers they are
given (and so aren't required to cast them away any more).
[Geoff Thorpe]
*) The tmdiff.h API was so ugly and minimal that our own timing utility
(speed) prefers to use its own implementation. The two implementations
haven't been consolidated as yet (volunteers?) but the tmdiff API has had
its object type properly exposed (MS_TM) instead of casting to/from "char
*". This may still change yet if someone realises MS_TM and "ms_time_***"
aren't necessarily the greatest nomenclatures - but this is what was used
internally to the implementation so I've used that for now.
[Geoff Thorpe]
*) Ensure that deprecated functions do not get compiled when
OPENSSL_NO_DEPRECATED is defined. Some "openssl" subcommands and a few of
the self-tests were still using deprecated key-generation functions so
these have been updated also.
[Geoff Thorpe]
*) Reorganise PKCS#7 code to separate the digest location functionality
into PKCS7_find_digest(), digest addition into PKCS7_bio_add_digest().
New function PKCS7_set_digest() to set the digest type for PKCS#7
digestedData type. Add additional code to correctly generate the
digestedData type and add support for this type in PKCS7 initialization
functions.
[Steve Henson]
*) New function PKCS7_set0_type_other() this initializes a PKCS7
structure of type "other".
[Steve Henson]
*) Fix prime generation loop in crypto/bn/bn_prime.pl by making
sure the loop does correctly stop and breaking ("division by zero")
modulus operations are not performed. The (pre-generated) prime
table crypto/bn/bn_prime.h was already correct, but it could not be
re-generated on some platforms because of the "division by zero"
situation in the script.
[Ralf S. Engelschall]
*) Update support for ECC-based TLS ciphersuites according to
draft-ietf-tls-ecc-03.txt: the KDF1 key derivation function with
SHA-1 now is only used for "small" curves (where the
representation of a field element takes up to 24 bytes); for
larger curves, the field element resulting from ECDH is directly
used as premaster secret.
[Douglas Stebila (Sun Microsystems Laboratories)]
*) Add code for kP+lQ timings to crypto/ec/ectest.c, and add SEC2
curve secp160r1 to the tests.
[Douglas Stebila (Sun Microsystems Laboratories)]
*) Add the possibility to load symbols globally with DSO.
[Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte]
*) Add the functions ERR_set_mark() and ERR_pop_to_mark() for better
control of the error stack.
[Richard Levitte]
*) Add support for STORE in ENGINE.
[Richard Levitte]
*) Add the STORE type. The intention is to provide a common interface
to certificate and key stores, be they simple file-based stores, or
HSM-type store, or LDAP stores, or...
NOTE: The code is currently UNTESTED and isn't really used anywhere.
[Richard Levitte]
*) Add a generic structure called OPENSSL_ITEM. This can be used to
pass a list of arguments to any function as well as provide a way
for a function to pass data back to the caller.
[Richard Levitte]
*) Add the functions BUF_strndup() and BUF_memdup(). BUF_strndup()
works like BUF_strdup() but can be used to duplicate a portion of
a string. The copy gets NUL-terminated. BUF_memdup() duplicates
a memory area.
[Richard Levitte]
*) Add the function sk_find_ex() which works like sk_find(), but will
return an index to an element even if an exact match couldn't be
found. The index is guaranteed to point at the element where the
searched-for key would be inserted to preserve sorting order.
[Richard Levitte]
*) Add the function OBJ_bsearch_ex() which works like OBJ_bsearch() but
takes an extra flags argument for optional functionality. Currently,
the following flags are defined:
OBJ_BSEARCH_VALUE_ON_NOMATCH
This one gets OBJ_bsearch_ex() to return a pointer to the first
element where the comparing function returns a negative or zero
number.
OBJ_BSEARCH_FIRST_VALUE_ON_MATCH
This one gets OBJ_bsearch_ex() to return a pointer to the first
element where the comparing function returns zero. This is useful
if there are more than one element where the comparing function
returns zero.
[Richard Levitte]
*) Make it possible to create self-signed certificates with 'openssl ca'
in such a way that the self-signed certificate becomes part of the
CA database and uses the same mechanisms for serial number generation
as all other certificate signing. The new flag '-selfsign' enables
this functionality. Adapt CA.sh and CA.pl.in.
[Richard Levitte]
*) Add functionality to check the public key of a certificate request
against a given private. This is useful to check that a certificate
request can be signed by that key (self-signing).
[Richard Levitte]
*) Make it possible to have multiple active certificates with the same
subject in the CA index file. This is done only if the keyword
'unique_subject' is set to 'no' in the main CA section (default
if 'CA_default') of the configuration file. The value is saved
with the database itself in a separate index attribute file,
named like the index file with '.attr' appended to the name.
[Richard Levitte]
*) Generate multi-valued AVAs using '+' notation in config files for
req and dirName.
[Steve Henson]
*) Support for nameConstraints certificate extension.
[Steve Henson]
*) Support for policyConstraints certificate extension.
[Steve Henson]
*) Support for policyMappings certificate extension.
[Steve Henson]
*) Make sure the default DSA_METHOD implementation only uses its
dsa_mod_exp() and/or bn_mod_exp() handlers if they are non-NULL,
and change its own handlers to be NULL so as to remove unnecessary
indirection. This lets alternative implementations fallback to the
default implementation more easily.
[Geoff Thorpe]
*) Support for directoryName in GeneralName related extensions
in config files.
[Steve Henson]
*) Make it possible to link applications using Makefile.shared.
Make that possible even when linking against static libraries!
[Richard Levitte]
*) Support for single pass processing for S/MIME signing. This now
means that S/MIME signing can be done from a pipe, in addition
cleartext signing (multipart/signed type) is effectively streaming
and the signed data does not need to be all held in memory.
This is done with a new flag PKCS7_STREAM. When this flag is set
PKCS7_sign() only initializes the PKCS7 structure and the actual signing
is done after the data is output (and digests calculated) in
SMIME_write_PKCS7().
[Steve Henson]
*) Add full support for -rpath/-R, both in shared libraries and
applications, at least on the platforms where it's known how
to do it.
[Richard Levitte]
*) In crypto/ec/ec_mult.c, implement fast point multiplication with
precomputation, based on wNAF splitting: EC_GROUP_precompute_mult()
will now compute a table of multiples of the generator that
makes subsequent invocations of EC_POINTs_mul() or EC_POINT_mul()
faster (notably in the case of a single point multiplication,
scalar * generator).
[Nils Larsch, Bodo Moeller]
*) IPv6 support for certificate extensions. The various extensions
which use the IP:a.b.c.d can now take IPv6 addresses using the
formats of RFC1884 2.2 . IPv6 addresses are now also displayed
correctly.
[Steve Henson]
*) Added an ENGINE that implements RSA by performing private key
exponentiations with the GMP library. The conversions to and from
GMP's mpz_t format aren't optimised nor are any montgomery forms
cached, and on x86 it appears OpenSSL's own performance has caught up.
However there are likely to be other architectures where GMP could
provide a boost. This ENGINE is not built in by default, but it can be
specified at Configure time and should be accompanied by the necessary
linker additions, eg;
./config -DOPENSSL_USE_GMP -lgmp
[Geoff Thorpe]
*) "openssl engine" will not display ENGINE/DSO load failure errors when
testing availability of engines with "-t" - the old behaviour is
produced by increasing the feature's verbosity with "-tt".
[Geoff Thorpe]
*) ECDSA routines: under certain error conditions uninitialized BN objects
could be freed. Solution: make sure initialization is performed early
enough. (Reported and fix supplied by Nils Larsch <nla@trustcenter.de>
via PR#459)
[Lutz Jaenicke]
*) Key-generation can now be implemented in RSA_METHOD, DSA_METHOD
and DH_METHOD (eg. by ENGINE implementations) to override the normal
software implementations. For DSA and DH, parameter generation can
also be overridden by providing the appropriate method callbacks.
[Geoff Thorpe]
*) Change the "progress" mechanism used in key-generation and
primality testing to functions that take a new BN_GENCB pointer in
place of callback/argument pairs. The new API functions have "_ex"
postfixes and the older functions are reimplemented as wrappers for
the new ones. The OPENSSL_NO_DEPRECATED symbol can be used to hide
declarations of the old functions to help (graceful) attempts to
migrate to the new functions. Also, the new key-generation API
functions operate on a caller-supplied key-structure and return
success/failure rather than returning a key or NULL - this is to
help make "keygen" another member function of RSA_METHOD etc.
Example for using the new callback interface:
int (*my_callback)(int a, int b, BN_GENCB *cb) = ...;
void *my_arg = ...;
BN_GENCB my_cb;
BN_GENCB_set(&my_cb, my_callback, my_arg);
return BN_is_prime_ex(some_bignum, BN_prime_checks, NULL, &cb);
/* For the meaning of a, b in calls to my_callback(), see the
* documentation of the function that calls the callback.
* cb will point to my_cb; my_arg can be retrieved as cb->arg.
* my_callback should return 1 if it wants BN_is_prime_ex()
* to continue, or 0 to stop.
*/
[Geoff Thorpe]
*) Change the ZLIB compression method to be stateful, and make it
available to TLS with the number defined in
draft-ietf-tls-compression-04.txt.
[Richard Levitte]
*) Add the ASN.1 structures and functions for CertificatePair, which
is defined as follows (according to X.509_4thEditionDraftV6.pdf):
CertificatePair ::= SEQUENCE {
forward [0] Certificate OPTIONAL,
reverse [1] Certificate OPTIONAL,
-- at least one of the pair shall be present -- }
Also implement the PEM functions to read and write certificate
pairs, and defined the PEM tag as "CERTIFICATE PAIR".
This needed to be defined, mostly for the sake of the LDAP
attribute crossCertificatePair, but may prove useful elsewhere as
well.
[Richard Levitte]
*) Make it possible to inhibit symlinking of shared libraries in
Makefile.shared, for Cygwin's sake.
[Richard Levitte]
*) Extend the BIGNUM API by creating a function
void BN_set_negative(BIGNUM *a, int neg);
and a macro that behave like
int BN_is_negative(const BIGNUM *a);
to avoid the need to access 'a->neg' directly in applications.
[Nils Larsch]
*) Implement fast modular reduction for pseudo-Mersenne primes
used in NIST curves (crypto/bn/bn_nist.c, crypto/ec/ecp_nist.c).
EC_GROUP_new_curve_GFp() will now automatically use this
if applicable.
[Nils Larsch <nla@trustcenter.de>]
*) Add new lock type (CRYPTO_LOCK_BN).
[Bodo Moeller]
*) Change the ENGINE framework to automatically load engines
dynamically from specific directories unless they could be
found to already be built in or loaded. Move all the
current engines except for the cryptodev one to a new
directory engines/.
The engines in engines/ are built as shared libraries if
the "shared" options was given to ./Configure or ./config.
Otherwise, they are inserted in libcrypto.a.
/usr/local/ssl/engines is the default directory for dynamic
engines, but that can be overridden at configure time through
the usual use of --prefix and/or --openssldir, and at run
time with the environment variable OPENSSL_ENGINES.
[Geoff Thorpe and Richard Levitte]
*) Add Makefile.shared, a helper makefile to build shared
libraries. Adapt Makefile.org.
[Richard Levitte]
*) Add version info to Win32 DLLs.
[Peter 'Luna' Runestig" <peter@runestig.com>]
*) Add new 'medium level' PKCS#12 API. Certificates and keys
can be added using this API to created arbitrary PKCS#12
files while avoiding the low level API.
New options to PKCS12_create(), key or cert can be NULL and
will then be omitted from the output file. The encryption
algorithm NIDs can be set to -1 for no encryption, the mac
iteration count can be set to 0 to omit the mac.
Enhance pkcs12 utility by making the -nokeys and -nocerts
options work when creating a PKCS#12 file. New option -nomac
to omit the mac, NONE can be set for an encryption algorithm.
New code is modified to use the enhanced PKCS12_create()
instead of the low level API.
[Steve Henson]
*) Extend ASN1 encoder to support indefinite length constructed
encoding. This can output sequences tags and octet strings in
this form. Modify pk7_asn1.c to support indefinite length
encoding. This is experimental and needs additional code to
be useful, such as an ASN1 bio and some enhanced streaming
PKCS#7 code.
Extend template encode functionality so that tagging is passed
down to the template encoder.
[Steve Henson]
*) Let 'openssl req' fail if an argument to '-newkey' is not
recognized instead of using RSA as a default.
[Bodo Moeller]
*) Add support for ECC-based ciphersuites from draft-ietf-tls-ecc-01.txt.
As these are not official, they are not included in "ALL";
the "ECCdraft" ciphersuite group alias can be used to select them.
[Vipul Gupta and Sumit Gupta (Sun Microsystems Laboratories)]
*) Add ECDH engine support.
[Nils Gura and Douglas Stebila (Sun Microsystems Laboratories)]
*) Add ECDH in new directory crypto/ecdh/.
[Douglas Stebila (Sun Microsystems Laboratories)]
*) Let BN_rand_range() abort with an error after 100 iterations
without success (which indicates a broken PRNG).
[Bodo Moeller]
*) Change BN_mod_sqrt() so that it verifies that the input value
is really the square of the return value. (Previously,
BN_mod_sqrt would show GIGO behaviour.)
[Bodo Moeller]
*) Add named elliptic curves over binary fields from X9.62, SECG,
and WAP/WTLS; add OIDs that were still missing.
[Sheueling Chang Shantz and Douglas Stebila
(Sun Microsystems Laboratories)]
*) Extend the EC library for elliptic curves over binary fields
(new files ec2_smpl.c, ec2_smpt.c, ec2_mult.c in crypto/ec/).
New EC_METHOD:
EC_GF2m_simple_method
New API functions:
EC_GROUP_new_curve_GF2m
EC_GROUP_set_curve_GF2m
EC_GROUP_get_curve_GF2m
EC_POINT_set_affine_coordinates_GF2m
EC_POINT_get_affine_coordinates_GF2m
EC_POINT_set_compressed_coordinates_GF2m
Point compression for binary fields is disabled by default for
patent reasons (compile with OPENSSL_EC_BIN_PT_COMP defined to
enable it).
As binary polynomials are represented as BIGNUMs, various members
of the EC_GROUP and EC_POINT data structures can be shared
between the implementations for prime fields and binary fields;
the above ..._GF2m functions (except for EX_GROUP_new_curve_GF2m)
are essentially identical to their ..._GFp counterparts.
(For simplicity, the '..._GFp' prefix has been dropped from
various internal method names.)
An internal 'field_div' method (similar to 'field_mul' and
'field_sqr') has been added; this is used only for binary fields.
[Sheueling Chang Shantz and Douglas Stebila
(Sun Microsystems Laboratories)]
*) Optionally dispatch EC_POINT_mul(), EC_POINT_precompute_mult()
through methods ('mul', 'precompute_mult').
The generic implementations (now internally called 'ec_wNAF_mul'
and 'ec_wNAF_precomputed_mult') remain the default if these
methods are undefined.
[Sheueling Chang Shantz and Douglas Stebila
(Sun Microsystems Laboratories)]
*) New function EC_GROUP_get_degree, which is defined through
EC_METHOD. For curves over prime fields, this returns the bit
length of the modulus.
[Sheueling Chang Shantz and Douglas Stebila
(Sun Microsystems Laboratories)]
*) New functions EC_GROUP_dup, EC_POINT_dup.
(These simply call ..._new and ..._copy).
[Sheueling Chang Shantz and Douglas Stebila
(Sun Microsystems Laboratories)]
*) Add binary polynomial arithmetic software in crypto/bn/bn_gf2m.c.
Polynomials are represented as BIGNUMs (where the sign bit is not
used) in the following functions [macros]:
BN_GF2m_add
BN_GF2m_sub [= BN_GF2m_add]
BN_GF2m_mod [wrapper for BN_GF2m_mod_arr]
BN_GF2m_mod_mul [wrapper for BN_GF2m_mod_mul_arr]
BN_GF2m_mod_sqr [wrapper for BN_GF2m_mod_sqr_arr]
BN_GF2m_mod_inv
BN_GF2m_mod_exp [wrapper for BN_GF2m_mod_exp_arr]
BN_GF2m_mod_sqrt [wrapper for BN_GF2m_mod_sqrt_arr]
BN_GF2m_mod_solve_quad [wrapper for BN_GF2m_mod_solve_quad_arr]
BN_GF2m_cmp [= BN_ucmp]
(Note that only the 'mod' functions are actually for fields GF(2^m).
BN_GF2m_add() is misnomer, but this is for the sake of consistency.)
For some functions, an the irreducible polynomial defining a
field can be given as an 'unsigned int[]' with strictly
decreasing elements giving the indices of those bits that are set;
i.e., p[] represents the polynomial
f(t) = t^p[0] + t^p[1] + ... + t^p[k]
where
p[0] > p[1] > ... > p[k] = 0.
This applies to the following functions:
BN_GF2m_mod_arr
BN_GF2m_mod_mul_arr
BN_GF2m_mod_sqr_arr
BN_GF2m_mod_inv_arr [wrapper for BN_GF2m_mod_inv]
BN_GF2m_mod_div_arr [wrapper for BN_GF2m_mod_div]
BN_GF2m_mod_exp_arr
BN_GF2m_mod_sqrt_arr
BN_GF2m_mod_solve_quad_arr
BN_GF2m_poly2arr
BN_GF2m_arr2poly
Conversion can be performed by the following functions:
BN_GF2m_poly2arr
BN_GF2m_arr2poly
bntest.c has additional tests for binary polynomial arithmetic.
Two implementations for BN_GF2m_mod_div() are available.
The default algorithm simply uses BN_GF2m_mod_inv() and
BN_GF2m_mod_mul(). The alternative algorithm is compiled in only
if OPENSSL_SUN_GF2M_DIV is defined (patent pending; read the
copyright notice in crypto/bn/bn_gf2m.c before enabling it).
[Sheueling Chang Shantz and Douglas Stebila
(Sun Microsystems Laboratories)]
*) Add new error code 'ERR_R_DISABLED' that can be used when some
functionality is disabled at compile-time.
[Douglas Stebila <douglas.stebila@sun.com>]
*) Change default behaviour of 'openssl asn1parse' so that more
information is visible when viewing, e.g., a certificate:
Modify asn1_parse2 (crypto/asn1/asn1_par.c) so that in non-'dump'
mode the content of non-printable OCTET STRINGs is output in a
style similar to INTEGERs, but with '[HEX DUMP]' prepended to
avoid the appearance of a printable string.
[Nils Larsch <nla@trustcenter.de>]
*) Add 'asn1_flag' and 'asn1_form' member to EC_GROUP with access
functions
EC_GROUP_set_asn1_flag()
EC_GROUP_get_asn1_flag()
EC_GROUP_set_point_conversion_form()
EC_GROUP_get_point_conversion_form()
These control ASN1 encoding details:
- Curves (i.e., groups) are encoded explicitly unless asn1_flag
has been set to OPENSSL_EC_NAMED_CURVE.
- Points are encoded in uncompressed form by default; options for
asn1_for are as for point2oct, namely
POINT_CONVERSION_COMPRESSED
POINT_CONVERSION_UNCOMPRESSED
POINT_CONVERSION_HYBRID
Also add 'seed' and 'seed_len' members to EC_GROUP with access
functions
EC_GROUP_set_seed()
EC_GROUP_get0_seed()
EC_GROUP_get_seed_len()
This is used only for ASN1 purposes (so far).
[Nils Larsch <nla@trustcenter.de>]
*) Add 'field_type' member to EC_METHOD, which holds the NID
of the appropriate field type OID. The new function
EC_METHOD_get_field_type() returns this value.
[Nils Larsch <nla@trustcenter.de>]
*) Add functions
EC_POINT_point2bn()
EC_POINT_bn2point()
EC_POINT_point2hex()
EC_POINT_hex2point()
providing useful interfaces to EC_POINT_point2oct() and
EC_POINT_oct2point().
[Nils Larsch <nla@trustcenter.de>]
*) Change internals of the EC library so that the functions
EC_GROUP_set_generator()
EC_GROUP_get_generator()
EC_GROUP_get_order()
EC_GROUP_get_cofactor()
are implemented directly in crypto/ec/ec_lib.c and not dispatched
to methods, which would lead to unnecessary code duplication when
adding different types of curves.
[Nils Larsch <nla@trustcenter.de> with input by Bodo Moeller]
*) Implement compute_wNAF (crypto/ec/ec_mult.c) without BIGNUM
arithmetic, and such that modified wNAFs are generated
(which avoid length expansion in many cases).
[Bodo Moeller]
*) Add a function EC_GROUP_check_discriminant() (defined via
EC_METHOD) that verifies that the curve discriminant is non-zero.
Add a function EC_GROUP_check() that makes some sanity tests
on a EC_GROUP, its generator and order. This includes
EC_GROUP_check_discriminant().
[Nils Larsch <nla@trustcenter.de>]
*) Add ECDSA in new directory crypto/ecdsa/.
Add applications 'openssl ecparam' and 'openssl ecdsa'
(these are based on 'openssl dsaparam' and 'openssl dsa').
ECDSA support is also included in various other files across the
library. Most notably,
- 'openssl req' now has a '-newkey ecdsa:file' option;
- EVP_PKCS82PKEY (crypto/evp/evp_pkey.c) now can handle ECDSA;
- X509_PUBKEY_get (crypto/asn1/x_pubkey.c) and
d2i_PublicKey (crypto/asn1/d2i_pu.c) have been modified to make
them suitable for ECDSA where domain parameters must be
extracted before the specific public key;
- ECDSA engine support has been added.
[Nils Larsch <nla@trustcenter.de>]
*) Include some named elliptic curves, and add OIDs from X9.62,
SECG, and WAP/WTLS. Each curve can be obtained from the new
function
EC_GROUP_new_by_curve_name(),
and the list of available named curves can be obtained with
EC_get_builtin_curves().
Also add a 'curve_name' member to EC_GROUP objects, which can be
accessed via
EC_GROUP_set_curve_name()
EC_GROUP_get_curve_name()
[Nils Larsch <larsch@trustcenter.de, Bodo Moeller]
*) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
was actually never needed) and in BN_mul(). The removal in BN_mul()
required a small change in bn_mul_part_recursive() and the addition
of the functions bn_cmp_part_words(), bn_sub_part_words() and
bn_add_part_words(), which do the same thing as bn_cmp_words(),
bn_sub_words() and bn_add_words() except they take arrays with
differing sizes.
[Richard Levitte]
Changes between 0.9.7l and 0.9.7m [23 Feb 2007]
*) Cleanse PEM buffers before freeing them since they may contain
sensitive data.
[Benjamin Bennett <ben@psc.edu>]
*) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that
a ciphersuite string such as "DEFAULT:RSA" cannot enable
authentication-only ciphersuites.
[Bodo Moeller]
*) Since AES128 and AES256 share a single mask bit in the logic of
ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a
kludge to work properly if AES128 is available and AES256 isn't.
[Victor Duchovni]
*) Expand security boundary to match 1.1.1 module.
[Steve Henson]
*) Remove redundant features: hash file source, editing of test vectors
modify fipsld to use external fips_premain.c signature.
[Steve Henson]
*) New perl script mkfipsscr.pl to create shell scripts or batch files to
run algorithm test programs.
[Steve Henson]
*) Make algorithm test programs more tolerant of whitespace.
[Steve Henson]
*) Have SSL/TLS server implementation tolerate "mismatched" record
protocol version while receiving ClientHello even if the
ClientHello is fragmented. (The server can't insist on the
particular protocol version it has chosen before the ServerHello
message has informed the client about his choice.)
[Bodo Moeller]
*) Load error codes if they are not already present instead of using a
static variable. This allows them to be cleanly unloaded and reloaded.
[Steve Henson]
Changes between 0.9.7k and 0.9.7l [28 Sep 2006]
*) Introduce limits to prevent malicious keys being able to
cause a denial of service. (CVE-2006-2940)
[Steve Henson, Bodo Moeller]
*) Fix ASN.1 parsing of certain invalid structures that can result
in a denial of service. (CVE-2006-2937) [Steve Henson]
*) Fix buffer overflow in SSL_get_shared_ciphers() function.
(CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]
*) Fix SSL client code which could crash if connecting to a
malicious SSLv2 server. (CVE-2006-4343)
[Tavis Ormandy and Will Drewry, Google Security Team]
*) Change ciphersuite string processing so that an explicit
ciphersuite selects this one ciphersuite (so that "AES256-SHA"
will no longer include "AES128-SHA"), and any other similar
ciphersuite (same bitmap) from *other* protocol versions (so that
"RC4-MD5" will still include both the SSL 2.0 ciphersuite and the
SSL 3.0/TLS 1.0 ciphersuite). This is a backport combining
changes from 0.9.8b and 0.9.8d.
[Bodo Moeller]
Changes between 0.9.7j and 0.9.7k [05 Sep 2006]
*) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
(CVE-2006-4339) [Ben Laurie and Google Security Team]
*) Change the Unix randomness entropy gathering to use poll() when
possible instead of select(), since the latter has some
undesirable limitations.
[Darryl Miles via Richard Levitte and Bodo Moeller]
*) Disable rogue ciphersuites:
- SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
- SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
- SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
The latter two were purportedly from
draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
appear there.
Also deactivate the remaining ciphersuites from
draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
unofficial, and the ID has long expired.
[Bodo Moeller]
*) Fix RSA blinding Heisenbug (problems sometimes occurred on
dual-core machines) and other potential thread-safety issues.
[Bodo Moeller]
Changes between 0.9.7i and 0.9.7j [04 May 2006]
*) Adapt fipsld and the build system to link against the validated FIPS
module in FIPS mode.
[Steve Henson]
*) Fixes for VC++ 2005 build under Windows.
[Steve Henson]
*) Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make
from a Windows bash shell such as MSYS. It is autodetected from the
"config" script when run from a VC++ environment. Modify standard VC++
build to use fipscanister.o from the GNU make build.
[Steve Henson]
Changes between 0.9.7h and 0.9.7i [14 Oct 2005]
*) Wrapped the definition of EVP_MAX_MD_SIZE in a #ifdef OPENSSL_FIPS.
The value now differs depending on if you build for FIPS or not.
BEWARE! A program linked with a shared FIPSed libcrypto can't be
safely run with a non-FIPSed libcrypto, as it may crash because of
the difference induced by this change.
[Andy Polyakov]
Changes between 0.9.7g and 0.9.7h [11 Oct 2005]
*) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
(part of SSL_OP_ALL). This option used to disable the
countermeasure against man-in-the-middle protocol-version
rollback in the SSL 2.0 server implementation, which is a bad
idea. (CVE-2005-2969)
[Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
for Information Security, National Institute of Advanced Industrial
Science and Technology [AIST], Japan)]
*) Minimal support for X9.31 signatures and PSS padding modes. This is
mainly for FIPS compliance and not fully integrated at this stage.
[Steve Henson]
*) For DSA signing, unless DSA_FLAG_NO_EXP_CONSTTIME is set, perform
the exponentiation using a fixed-length exponent. (Otherwise,
the information leaked through timing could expose the secret key
after many signatures; cf. Bleichenbacher's attack on DSA with
biased k.)
[Bodo Moeller]
*) Make a new fixed-window mod_exp implementation the default for
RSA, DSA, and DH private-key operations so that the sequence of
squares and multiplies and the memory access pattern are
independent of the particular secret key. This will mitigate
cache-timing and potential related attacks.
BN_mod_exp_mont_consttime() is the new exponentiation implementation,
and this is automatically used by BN_mod_exp_mont() if the new flag
BN_FLG_EXP_CONSTTIME is set for the exponent. RSA, DSA, and DH
will use this BN flag for private exponents unless the flag
RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or
DH_FLAG_NO_EXP_CONSTTIME, respectively, is set.
[Matthew D Wood (Intel Corp), with some changes by Bodo Moeller]
*) Change the client implementation for SSLv23_method() and
SSLv23_client_method() so that is uses the SSL 3.0/TLS 1.0
Client Hello message format if the SSL_OP_NO_SSLv2 option is set.
(Previously, the SSL 2.0 backwards compatible Client Hello
message format would be used even with SSL_OP_NO_SSLv2.)
[Bodo Moeller]
*) Add support for smime-type MIME parameter in S/MIME messages which some
clients need.
[Steve Henson]
*) New function BN_MONT_CTX_set_locked() to set montgomery parameters in
a threadsafe manner. Modify rsa code to use new function and add calls
to dsa and dh code (which had race conditions before).
[Steve Henson]
*) Include the fixed error library code in the C error file definitions
instead of fixing them up at runtime. This keeps the error code
structures constant.
[Steve Henson]
Changes between 0.9.7f and 0.9.7g [11 Apr 2005]
[NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after
OpenSSL 0.9.8.]
*) Fixes for newer kerberos headers. NB: the casts are needed because
the 'length' field is signed on one version and unsigned on another
with no (?) obvious way to tell the difference, without these VC++
complains. Also the "definition" of FAR (blank) is no longer included
nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up
some needed definitions.
[Steve Henson]
*) Undo Cygwin change.
[Ulf Möller]
*) Added support for proxy certificates according to RFC 3820.
Because they may be a security thread to unaware applications,
they must be explicitly allowed in run-time. See
docs/HOWTO/proxy_certificates.txt for further information.
[Richard Levitte]
Changes between 0.9.7e and 0.9.7f [22 Mar 2005]
*) Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating
server and client random values. Previously
(SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in
less random data when sizeof(time_t) > 4 (some 64 bit platforms).
This change has negligible security impact because:
1. Server and client random values still have 24 bytes of pseudo random
data.
2. Server and client random values are sent in the clear in the initial
handshake.
3. The master secret is derived using the premaster secret (48 bytes in
size for static RSA ciphersuites) as well as client server and random
values.
The OpenSSL team would like to thank the UK NISCC for bringing this issue
to our attention.
[Stephen Henson, reported by UK NISCC]
*) Use Windows randomness collection on Cygwin.
[Ulf Möller]
*) Fix hang in EGD/PRNGD query when communication socket is closed
prematurely by EGD/PRNGD.
[Darren Tucker <dtucker@zip.com.au> via Lutz Jänicke, resolves #1014]
*) Prompt for pass phrases when appropriate for PKCS12 input format.
[Steve Henson]
*) Back-port of selected performance improvements from development
branch, as well as improved support for PowerPC platforms.
[Andy Polyakov]
*) Add lots of checks for memory allocation failure, error codes to indicate
failure and freeing up memory if a failure occurs.
[Nauticus Networks SSL Team <openssl@nauticusnet.com>, Steve Henson]
*) Add new -passin argument to dgst.
[Steve Henson]
*) Perform some character comparisons of different types in X509_NAME_cmp:
this is needed for some certificates that re-encode DNs into UTF8Strings
(in violation of RFC3280) and can't or won't issue name rollover
certificates.
[Steve Henson]
*) Make an explicit check during certificate validation to see that
the CA setting in each certificate on the chain is correct. As a
side effect always do the following basic checks on extensions,
not just when there's an associated purpose to the check:
- if there is an unhandled critical extension (unless the user
has chosen to ignore this fault)
- if the path length has been exceeded (if one is set at all)
- that certain extensions fit the associated purpose (if one has
been given)
[Richard Levitte]
Changes between 0.9.7d and 0.9.7e [25 Oct 2004]
*) Avoid a race condition when CRLs are checked in a multi threaded
environment. This would happen due to the reordering of the revoked
entries during signature checking and serial number lookup. Now the
encoding is cached and the serial number sort performed under a lock.
Add new STACK function sk_is_sorted().
[Steve Henson]
*) Add Delta CRL to the extension code.
[Steve Henson]
*) Various fixes to s3_pkt.c so alerts are sent properly.
[David Holmes <d.holmes@f5.com>]
*) Reduce the chances of duplicate issuer name and serial numbers (in
violation of RFC3280) using the OpenSSL certificate creation utilities.
This is done by creating a random 64 bit value for the initial serial
number when a serial number file is created or when a self signed
certificate is created using 'openssl req -x509'. The initial serial
number file is created using 'openssl x509 -next_serial' in CA.pl
rather than being initialized to 1.
[Steve Henson]
Changes between 0.9.7c and 0.9.7d [17 Mar 2004]
*) Fix null-pointer assignment in do_change_cipher_spec() revealed
by using the Codenomicon TLS Test Tool (CVE-2004-0079)
[Joe Orton, Steve Henson]
*) Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites
(CVE-2004-0112)
[Joe Orton, Steve Henson]
*) Make it possible to have multiple active certificates with the same
subject in the CA index file. This is done only if the keyword
'unique_subject' is set to 'no' in the main CA section (default
if 'CA_default') of the configuration file. The value is saved
with the database itself in a separate index attribute file,
named like the index file with '.attr' appended to the name.
[Richard Levitte]
*) X509 verify fixes. Disable broken certificate workarounds when
X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if
keyUsage extension present. Don't accept CRLs with unhandled critical
extensions: since verify currently doesn't process CRL extensions this
rejects a CRL with *any* critical extensions. Add new verify error codes
for these cases.
[Steve Henson]
*) When creating an OCSP nonce use an OCTET STRING inside the extnValue.
A clarification of RFC2560 will require the use of OCTET STRINGs and
some implementations cannot handle the current raw format. Since OpenSSL
copies and compares OCSP nonces as opaque blobs without any attempt at
parsing them this should not create any compatibility issues.
[Steve Henson]
*) New md flag EVP_MD_CTX_FLAG_REUSE this allows md_data to be reused when
calling EVP_MD_CTX_copy_ex() to avoid calling OPENSSL_malloc(). Without
this HMAC (and other) operations are several times slower than OpenSSL
< 0.9.7.
[Steve Henson]
*) Print out GeneralizedTime and UTCTime in ASN1_STRING_print_ex().
[Peter Sylvester <Peter.Sylvester@EdelWeb.fr>]
*) Use the correct content when signing type "other".
[Steve Henson]
Changes between 0.9.7b and 0.9.7c [30 Sep 2003]
*) Fix various bugs revealed by running the NISCC test suite:
Stop out of bounds reads in the ASN1 code when presented with
invalid tags (CVE-2003-0543 and CVE-2003-0544).
Free up ASN1_TYPE correctly if ANY type is invalid (CVE-2003-0545).
If verify callback ignores invalid public key errors don't try to check
certificate signature with the NULL public key.
[Steve Henson]
*) New -ignore_err option in ocsp application to stop the server
exiting on the first error in a request.
[Steve Henson]
*) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
if the server requested one: as stated in TLS 1.0 and SSL 3.0
specifications.
[Steve Henson]
*) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
extra data after the compression methods not only for TLS 1.0
but also for SSL 3.0 (as required by the specification).
[Bodo Moeller; problem pointed out by Matthias Loepfe]
*) Change X509_certificate_type() to mark the key as exported/exportable
when it's 512 *bits* long, not 512 bytes.
[Richard Levitte]
*) Change AES_cbc_encrypt() so it outputs exact multiple of
blocks during encryption.
[Richard Levitte]
*) Various fixes to base64 BIO and non blocking I/O. On write
flushes were not handled properly if the BIO retried. On read
data was not being buffered properly and had various logic bugs.
This also affects blocking I/O when the data being decoded is a
certain size.
[Steve Henson]
*) Various S/MIME bugfixes and compatibility changes:
output correct application/pkcs7 MIME type if
PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures.
Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening
of files as .eml work). Correctly handle very long lines in MIME
parser.
[Steve Henson]
Changes between 0.9.7a and 0.9.7b [10 Apr 2003]
*) Countermeasure against the Klima-Pokorny-Rosa extension of
Bleichbacher's attack on PKCS #1 v1.5 padding: treat
a protocol version number mismatch like a decryption error
in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
[Bodo Moeller]
*) Turn on RSA blinding by default in the default implementation
to avoid a timing attack. Applications that don't want it can call
RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
They would be ill-advised to do so in most cases.
[Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]
*) Change RSA blinding code so that it works when the PRNG is not
seeded (in this case, the secret RSA exponent is abused as
an unpredictable seed -- if it is not unpredictable, there
is no point in blinding anyway). Make RSA blinding thread-safe
by remembering the creator's thread ID in rsa->blinding and
having all other threads use local one-time blinding factors
(this requires more computation than sharing rsa->blinding, but
avoids excessive locking; and if an RSA object is not shared
between threads, blinding will still be very fast).
[Bodo Moeller]
*) Fixed a typo bug that would cause ENGINE_set_default() to set an
ENGINE as defaults for all supported algorithms irrespective of
the 'flags' parameter. 'flags' is now honoured, so applications
should make sure they are passing it correctly.
[Geoff Thorpe]
*) Target "mingw" now allows native Windows code to be generated in
the Cygwin environment as well as with the MinGW compiler.
[Ulf Moeller]
Changes between 0.9.7 and 0.9.7a [19 Feb 2003]
*) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
via timing by performing a MAC computation even if incorrect
block cipher padding has been found. This is a countermeasure
against active attacks where the attacker has to distinguish
between bad padding and a MAC verification error. (CVE-2003-0078)
[Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
Martin Vuagnoux (EPFL, Ilion)]
*) Make the no-err option work as intended. The intention with no-err
is not to have the whole error stack handling routines removed from
libcrypto, it's only intended to remove all the function name and
reason texts, thereby removing some of the footprint that may not
be interesting if those errors aren't displayed anyway.
NOTE: it's still possible for any application or module to have its
own set of error texts inserted. The routines are there, just not
used by default when no-err is given.
[Richard Levitte]
*) Add support for FreeBSD on IA64.
[dirk.meyer@dinoex.sub.org via Richard Levitte, resolves #454]
*) Adjust DES_cbc_cksum() so it returns the same value as the MIT
Kerberos function mit_des_cbc_cksum(). Before this change,
the value returned by DES_cbc_cksum() was like the one from
mit_des_cbc_cksum(), except the bytes were swapped.
[Kevin Greaney <Kevin.Greaney@hp.com> and Richard Levitte]
*) Allow an application to disable the automatic SSL chain building.
Before this a rather primitive chain build was always performed in
ssl3_output_cert_chain(): an application had no way to send the
correct chain if the automatic operation produced an incorrect result.
Now the chain builder is disabled if either:
1. Extra certificates are added via SSL_CTX_add_extra_chain_cert().
2. The mode flag SSL_MODE_NO_AUTO_CHAIN is set.
The reasoning behind this is that an application would not want the
auto chain building to take place if extra chain certificates are
present and it might also want a means of sending no additional
certificates (for example the chain has two certificates and the
root is omitted).
[Steve Henson]
*) Add the possibility to build without the ENGINE framework.
[Steven Reddie <smr@essemer.com.au> via Richard Levitte]
*) Under Win32 gmtime() can return NULL: check return value in
OPENSSL_gmtime(). Add error code for case where gmtime() fails.
[Steve Henson]
*) DSA routines: under certain error conditions uninitialized BN objects
could be freed. Solution: make sure initialization is performed early
enough. (Reported and fix supplied by Ivan D Nestlerode <nestler@MIT.EDU>,
Nils Larsch <nla@trustcenter.de> via PR#459)
[Lutz Jaenicke]
*) Another fix for SSLv2 session ID handling: the session ID was incorrectly
checked on reconnect on the client side, therefore session resumption
could still fail with a "ssl session id is different" error. This
behaviour is masked when SSL_OP_ALL is used due to
SSL_OP_MICROSOFT_SESS_ID_BUG being set.
Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as
followup to PR #377.
[Lutz Jaenicke]
*) IA-32 assembler support enhancements: unified ELF targets, support
for SCO/Caldera platforms, fix for Cygwin shared build.
[Andy Polyakov]
*) Add support for FreeBSD on sparc64. As a consequence, support for
FreeBSD on non-x86 processors is separate from x86 processors on
the config script, much like the NetBSD support.
[Richard Levitte & Kris Kennaway <kris@obsecurity.org>]
Changes between 0.9.6h and 0.9.7 [31 Dec 2002]
[NB: OpenSSL 0.9.6i and later 0.9.6 patch levels were released after
OpenSSL 0.9.7.]
*) Fix session ID handling in SSLv2 client code: the SERVER FINISHED
code (06) was taken as the first octet of the session ID and the last
octet was ignored consequently. As a result SSLv2 client side session
caching could not have worked due to the session ID mismatch between
client and server.
Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as
PR #377.
[Lutz Jaenicke]
*) Change the declaration of needed Kerberos libraries to use EX_LIBS
instead of the special (and badly supported) LIBKRB5. LIBKRB5 is
removed entirely.
[Richard Levitte]
*) The hw_ncipher.c engine requires dynamic locks. Unfortunately, it
seems that in spite of existing for more than a year, many application
author have done nothing to provide the necessary callbacks, which
means that this particular engine will not work properly anywhere.
This is a very unfortunate situation which forces us, in the name
of usability, to give the hw_ncipher.c a static lock, which is part
of libcrypto.
NOTE: This is for the 0.9.7 series ONLY. This hack will never
appear in 0.9.8 or later. We EXPECT application authors to have
dealt properly with this when 0.9.8 is released (unless we actually
make such changes in the libcrypto locking code that changes will
have to be made anyway).
[Richard Levitte]
*) In asn1_d2i_read_bio() repeatedly call BIO_read() until all content
octets have been read, EOF or an error occurs. Without this change
some truncated ASN1 structures will not produce an error.
[Steve Henson]
*) Disable Heimdal support, since it hasn't been fully implemented.
Still give the possibility to force the use of Heimdal, but with
warnings and a request that patches get sent to openssl-dev.
[Richard Levitte]
*) Add the VC-CE target, introduce the WINCE sysname, and add
INSTALL.WCE and appropriate conditionals to make it build.
[Steven Reddie <smr@essemer.com.au> via Richard Levitte]
*) Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and
cygssl-x.y.z.dll, where x, y and z are the major, minor and
edit numbers of the version.
[Corinna Vinschen <vinschen@redhat.com> and Richard Levitte]
*) Introduce safe string copy and catenation functions
(BUF_strlcpy() and BUF_strlcat()).
[Ben Laurie (CHATS) and Richard Levitte]
*) Avoid using fixed-size buffers for one-line DNs.
[Ben Laurie (CHATS)]
*) Add BUF_MEM_grow_clean() to avoid information leakage when
resizing buffers containing secrets, and use where appropriate.
[Ben Laurie (CHATS)]
*) Avoid using fixed size buffers for configuration file location.
[Ben Laurie (CHATS)]
*) Avoid filename truncation for various CA files.
[Ben Laurie (CHATS)]
*) Use sizeof in preference to magic numbers.
[Ben Laurie (CHATS)]
*) Avoid filename truncation in cert requests.
[Ben Laurie (CHATS)]
*) Add assertions to check for (supposedly impossible) buffer
overflows.
[Ben Laurie (CHATS)]
*) Don't cache truncated DNS entries in the local cache (this could
potentially lead to a spoofing attack).
[Ben Laurie (CHATS)]
*) Fix various buffers to be large enough for hex/decimal
representations in a platform independent manner.
[Ben Laurie (CHATS)]
*) Add CRYPTO_realloc_clean() to avoid information leakage when
resizing buffers containing secrets, and use where appropriate.
[Ben Laurie (CHATS)]
*) Add BIO_indent() to avoid much slightly worrying code to do
indents.
[Ben Laurie (CHATS)]
*) Convert sprintf()/BIO_puts() to BIO_printf().
[Ben Laurie (CHATS)]
*) buffer_gets() could terminate with the buffer only half
full. Fixed.
[Ben Laurie (CHATS)]
*) Add assertions to prevent user-supplied crypto functions from
overflowing internal buffers by having large block sizes, etc.
[Ben Laurie (CHATS)]
*) New OPENSSL_assert() macro (similar to assert(), but enabled
unconditionally).
[Ben Laurie (CHATS)]
*) Eliminate unused copy of key in RC4.
[Ben Laurie (CHATS)]
*) Eliminate unused and incorrectly sized buffers for IV in pem.h.
[Ben Laurie (CHATS)]
*) Fix off-by-one error in EGD path.
[Ben Laurie (CHATS)]
*) If RANDFILE path is too long, ignore instead of truncating.
[Ben Laurie (CHATS)]
*) Eliminate unused and incorrectly sized X.509 structure
CBCParameter.
[Ben Laurie (CHATS)]
*) Eliminate unused and dangerous function knumber().
[Ben Laurie (CHATS)]
*) Eliminate unused and dangerous structure, KSSL_ERR.
[Ben Laurie (CHATS)]
*) Protect against overlong session ID context length in an encoded
session object. Since these are local, this does not appear to be
exploitable.
[Ben Laurie (CHATS)]
*) Change from security patch (see 0.9.6e below) that did not affect
the 0.9.6 release series:
Remote buffer overflow in SSL3 protocol - an attacker could
supply an oversized master key in Kerberos-enabled versions.
(CVE-2002-0657)
[Ben Laurie (CHATS)]
*) Change the SSL kerb5 codes to match RFC 2712.
[Richard Levitte]
*) Make -nameopt work fully for req and add -reqopt switch.
[Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson]
*) The "block size" for block ciphers in CFB and OFB mode should be 1.
[Steve Henson, reported by Yngve Nysaeter Pettersen <yngve@opera.com>]
*) Make sure tests can be performed even if the corresponding algorithms
have been removed entirely. This was also the last step to make
OpenSSL compilable with DJGPP under all reasonable conditions.
[Richard Levitte, Doug Kaufman <dkaufman@rahul.net>]
*) Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT
to allow version independent disabling of normally unselected ciphers,
which may be activated as a side-effect of selecting a single cipher.
(E.g., cipher list string "RSA" enables ciphersuites that are left
out of "ALL" because they do not provide symmetric encryption.
"RSA:!COMPLEMEMENTOFALL" avoids these unsafe ciphersuites.)
[Lutz Jaenicke, Bodo Moeller]
*) Add appropriate support for separate platform-dependent build
directories. The recommended way to make a platform-dependent
build directory is the following (tested on Linux), maybe with
some local tweaks:
# Place yourself outside of the OpenSSL source tree. In
# this example, the environment variable OPENSSL_SOURCE
# is assumed to contain the absolute OpenSSL source directory.
mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
cd objtree/"`uname -s`-`uname -r`-`uname -m`"
(cd $OPENSSL_SOURCE; find . -type f) | while read F; do
mkdir -p `dirname $F`
ln -s $OPENSSL_SOURCE/$F $F
done
To be absolutely sure not to disturb the source tree, a "make clean"
is a good thing. If it isn't successful, don't worry about it,
it probably means the source directory is very clean.
[Richard Levitte]
*) Make sure any ENGINE control commands make local copies of string
pointers passed to them whenever necessary. Otherwise it is possible
the caller may have overwritten (or deallocated) the original string
data when a later ENGINE operation tries to use the stored values.
[Götz Babin-Ebell <babinebell@trustcenter.de>]
*) Improve diagnostics in file reading and command-line digests.
[Ben Laurie aided and abetted by Solar Designer <solar@openwall.com>]
*) Add AES modes CFB and OFB to the object database. Correct an
error in AES-CFB decryption.
[Richard Levitte]
*) Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c, this
allows existing EVP_CIPHER_CTX structures to be reused after
calling EVP_*Final(). This behaviour is used by encryption
BIOs and some applications. This has the side effect that
applications must explicitly clean up cipher contexts with
EVP_CIPHER_CTX_cleanup() or they will leak memory.
[Steve Henson]
*) Check the values of dna and dnb in bn_mul_recursive before calling
bn_mul_comba (a non zero value means the a or b arrays do not contain
n2 elements) and fallback to bn_mul_normal if either is not zero.
[Steve Henson]
*) Fix escaping of non-ASCII characters when using the -subj option
of the "openssl req" command line tool. (Robert Joop <joop@fokus.gmd.de>)
[Lutz Jaenicke]
*) Make object definitions compliant to LDAP (RFC2256): SN is the short
form for "surname", serialNumber has no short form.
Use "mail" as the short name for "rfc822Mailbox" according to RFC2798;
therefore remove "mail" short name for "internet 7".
The OID for unique identifiers in X509 certificates is
x500UniqueIdentifier, not uniqueIdentifier.
Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>)
[Lutz Jaenicke]
*) Add an "init" command to the ENGINE config module and auto initialize
ENGINEs. Without any "init" command the ENGINE will be initialized
after all ctrl commands have been executed on it. If init=1 the
ENGINE is initialized at that point (ctrls before that point are run
on the uninitialized ENGINE and after on the initialized one). If
init=0 then the ENGINE will not be initialized at all.
[Steve Henson]
*) Fix the 'app_verify_callback' interface so that the user-defined
argument is actually passed to the callback: In the
SSL_CTX_set_cert_verify_callback() prototype, the callback
declaration has been changed from
int (*cb)()
into
int (*cb)(X509_STORE_CTX *,void *);
in ssl_verify_cert_chain (ssl/ssl_cert.c), the call
i=s->ctx->app_verify_callback(&ctx)
has been changed into
i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg).
To update applications using SSL_CTX_set_cert_verify_callback(),
a dummy argument can be added to their callback functions.
[D. K. Smetters <smetters@parc.xerox.com>]
*) Added the '4758cca' ENGINE to support IBM 4758 cards.
[Maurice Gittens <maurice@gittens.nl>, touchups by Geoff Thorpe]
*) Add and OPENSSL_LOAD_CONF define which will cause
OpenSSL_add_all_algorithms() to load the openssl.cnf config file.
This allows older applications to transparently support certain
OpenSSL features: such as crypto acceleration and dynamic ENGINE loading.
Two new functions OPENSSL_add_all_algorithms_noconf() which will never
load the config file and OPENSSL_add_all_algorithms_conf() which will
always load it have also been added.
[Steve Henson]
*) Add the OFB, CFB and CTR (all with 128 bit feedback) to AES.
Adjust NIDs and EVP layer.
[Stephen Sprunk <stephen@sprunk.org> and Richard Levitte]
*) Config modules support in openssl utility.
Most commands now load modules from the config file,
though in a few (such as version) this isn't done
because it couldn't be used for anything.
In the case of ca and req the config file used is
the same as the utility itself: that is the -config
command line option can be used to specify an
alternative file.
[Steve Henson]
*) Move default behaviour from OPENSSL_config(). If appname is NULL
use "openssl_conf" if filename is NULL use default openssl config file.
[Steve Henson]
*) Add an argument to OPENSSL_config() to allow the use of an alternative
config section name. Add a new flag to tolerate a missing config file
and move code to CONF_modules_load_file().
[Steve Henson]
*) Support for crypto accelerator cards from Accelerated Encryption
Processing, www.aep.ie. (Use engine 'aep')
The support was copied from 0.9.6c [engine] and adapted/corrected
to work with the new engine framework.
[AEP Inc. and Richard Levitte]
*) Support for SureWare crypto accelerator cards from Baltimore
Technologies. (Use engine 'sureware')
The support was copied from 0.9.6c [engine] and adapted
to work with the new engine framework.
[Richard Levitte]
*) Have the CHIL engine fork-safe (as defined by nCipher) and actually
make the newer ENGINE framework commands for the CHIL engine work.
[Toomas Kiisk <vix@cyber.ee> and Richard Levitte]
*) Make it possible to produce shared libraries on ReliantUNIX.
[Robert Dahlem <Robert.Dahlem@ffm2.siemens.de> via Richard Levitte]
*) Add the configuration target debug-linux-ppro.
Make 'openssl rsa' use the general key loading routines
implemented in apps.c, and make those routines able to
handle the key format FORMAT_NETSCAPE and the variant
FORMAT_IISSGC.
[Toomas Kiisk <vix@cyber.ee> via Richard Levitte]
*) Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
[Toomas Kiisk <vix@cyber.ee> via Richard Levitte]
*) Add -keyform to rsautl, and document -engine.
[Richard Levitte, inspired by Toomas Kiisk <vix@cyber.ee>]
*) Change BIO_new_file (crypto/bio/bss_file.c) to use new
BIO_R_NO_SUCH_FILE error code rather than the generic
ERR_R_SYS_LIB error code if fopen() fails with ENOENT.
[Ben Laurie]
*) Add new functions
ERR_peek_last_error
ERR_peek_last_error_line
ERR_peek_last_error_line_data.
These are similar to
ERR_peek_error
ERR_peek_error_line
ERR_peek_error_line_data,
but report on the latest error recorded rather than the first one
still in the error queue.
[Ben Laurie, Bodo Moeller]
*) default_algorithms option in ENGINE config module. This allows things
like:
default_algorithms = ALL
default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS
[Steve Henson]
*) Preliminary ENGINE config module.
[Steve Henson]
*) New experimental application configuration code.
[Steve Henson]
*) Change the AES code to follow the same name structure as all other
symmetric ciphers, and behave the same way. Move everything to
the directory crypto/aes, thereby obsoleting crypto/rijndael.
[Stephen Sprunk <stephen@sprunk.org> and Richard Levitte]
*) SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c.
[Ben Laurie and Theo de Raadt]
*) Add option to output public keys in req command.
[Massimiliano Pala madwolf@openca.org]
*) Use wNAFs in EC_POINTs_mul() for improved efficiency
(up to about 10% better than before for P-192 and P-224).
[Bodo Moeller]
*) New functions/macros
SSL_CTX_set_msg_callback(ctx, cb)
SSL_CTX_set_msg_callback_arg(ctx, arg)
SSL_set_msg_callback(ssl, cb)
SSL_set_msg_callback_arg(ssl, arg)
to request calling a callback function
void cb(int write_p, int version, int content_type,
const void *buf, size_t len, SSL *ssl, void *arg)
whenever a protocol message has been completely received
(write_p == 0) or sent (write_p == 1). Here 'version' is the
protocol version according to which the SSL library interprets
the current protocol message (SSL2_VERSION, SSL3_VERSION, or
TLS1_VERSION). 'content_type' is 0 in the case of SSL 2.0, or
the content type as defined in the SSL 3.0/TLS 1.0 protocol
specification (change_cipher_spec(20), alert(21), handshake(22)).
'buf' and 'len' point to the actual message, 'ssl' to the
SSL object, and 'arg' is the application-defined value set by
SSL[_CTX]_set_msg_callback_arg().
'openssl s_client' and 'openssl s_server' have new '-msg' options
to enable a callback that displays all protocol messages.
[Bodo Moeller]
*) Change the shared library support so shared libraries are built as
soon as the corresponding static library is finished, and thereby get
openssl and the test programs linked against the shared library.
This still only happens when the keyword "shard" has been given to
the configuration scripts.
NOTE: shared library support is still an experimental thing, and
backward binary compatibility is still not guaranteed.
["Maciej W. Rozycki" <macro@ds2.pg.gda.pl> and Richard Levitte]
*) Add support for Subject Information Access extension.
[Peter Sylvester <Peter.Sylvester@EdelWeb.fr>]
*) Make BUF_MEM_grow() behaviour more consistent: Initialise to zero
additional bytes when new memory had to be allocated, not just
when reusing an existing buffer.
[Bodo Moeller]
*) New command line and configuration option 'utf8' for the req command.
This allows field values to be specified as UTF8 strings.
[Steve Henson]
*) Add -multi and -mr options to "openssl speed" - giving multiple parallel
runs for the former and machine-readable output for the latter.
[Ben Laurie]
*) Add '-noemailDN' option to 'openssl ca'. This prevents inclusion
of the e-mail address in the DN (i.e., it will go into a certificate
extension only). The new configuration file option 'email_in_dn = no'
has the same effect.
[Massimiliano Pala madwolf@openca.org]
*) Change all functions with names starting with des_ to be starting
with DES_ instead. Add wrappers that are compatible with libdes,
but are named _ossl_old_des_*. Finally, add macros that map the
des_* symbols to the corresponding _ossl_old_des_* if libdes
compatibility is desired. If OpenSSL 0.9.6c compatibility is
desired, the des_* symbols will be mapped to DES_*, with one
exception.
Since we provide two compatibility mappings, the user needs to
define the macro OPENSSL_DES_LIBDES_COMPATIBILITY if libdes
compatibility is desired. The default (i.e., when that macro
isn't defined) is OpenSSL 0.9.6c compatibility.
There are also macros that enable and disable the support of old
des functions altogether. Those are OPENSSL_ENABLE_OLD_DES_SUPPORT
and OPENSSL_DISABLE_OLD_DES_SUPPORT. If none or both of those
are defined, the default will apply: to support the old des routines.
In either case, one must include openssl/des.h to get the correct
definitions. Do not try to just include openssl/des_old.h, that
won't work.
NOTE: This is a major break of an old API into a new one. Software
authors are encouraged to switch to the DES_ style functions. Some
time in the future, des_old.h and the libdes compatibility functions
will be disable (i.e. OPENSSL_DISABLE_OLD_DES_SUPPORT will be the
default), and then completely removed.
[Richard Levitte]
*) Test for certificates which contain unsupported critical extensions.
If such a certificate is found during a verify operation it is
rejected by default: this behaviour can be overridden by either
handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or
by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function
X509_supported_extension() has also been added which returns 1 if a
particular extension is supported.
[Steve Henson]
*) Modify the behaviour of EVP cipher functions in similar way to digests
to retain compatibility with existing code.
[Steve Henson]
*) Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain
compatibility with existing code. In particular the 'ctx' parameter does
not have to be to be initialized before the call to EVP_DigestInit() and
it is tidied up after a call to EVP_DigestFinal(). New function
EVP_DigestFinal_ex() which does not tidy up the ctx. Similarly function
EVP_MD_CTX_copy() changed to not require the destination to be
initialized valid and new function EVP_MD_CTX_copy_ex() added which
requires the destination to be valid.
Modify all the OpenSSL digest calls to use EVP_DigestInit_ex(),
EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex().
[Steve Henson]
*) Change ssl3_get_message (ssl/s3_both.c) and the functions using it
so that complete 'Handshake' protocol structures are kept in memory
instead of overwriting 'msg_type' and 'length' with 'body' data.
[Bodo Moeller]
*) Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32.
[Massimo Santin via Richard Levitte]
*) Major restructuring to the underlying ENGINE code. This includes
reduction of linker bloat, separation of pure "ENGINE" manipulation
(initialisation, etc) from functionality dealing with implementations
of specific crypto interfaces. This change also introduces integrated
support for symmetric ciphers and digest implementations - so ENGINEs
can now accelerate these by providing EVP_CIPHER and EVP_MD
implementations of their own. This is detailed in crypto/engine/README
as it couldn't be adequately described here. However, there are a few
API changes worth noting - some RSA, DSA, DH, and RAND functions that
were changed in the original introduction of ENGINE code have now
reverted back - the hooking from this code to ENGINE is now a good
deal more passive and at run-time, operations deal directly with
RSA_METHODs, DSA_METHODs (etc) as they did before, rather than
dereferencing through an ENGINE pointer any more. Also, the ENGINE
functions dealing with BN_MOD_EXP[_CRT] handlers have been removed -
they were not being used by the framework as there is no concept of a
BIGNUM_METHOD and they could not be generalised to the new
'ENGINE_TABLE' mechanism that underlies the new code. Similarly,
ENGINE_cpy() has been removed as it cannot be consistently defined in
the new code.
[Geoff Thorpe]
*) Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds.
[Steve Henson]
*) Change mkdef.pl to sort symbols that get the same entry number,
and make sure the automatically generated functions ERR_load_*
become part of libeay.num as well.
[Richard Levitte]
*) New function SSL_renegotiate_pending(). This returns true once
renegotiation has been requested (either SSL_renegotiate() call
or HelloRequest/ClientHello received from the peer) and becomes
false once a handshake has been completed.
(For servers, SSL_renegotiate() followed by SSL_do_handshake()
sends a HelloRequest, but does not ensure that a handshake takes
place. SSL_renegotiate_pending() is useful for checking if the
client has followed the request.)
[Bodo Moeller]
*) New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.
By default, clients may request session resumption even during
renegotiation (if session ID contexts permit); with this option,
session resumption is possible only in the first handshake.
SSL_OP_ALL is now 0x00000FFFL instead of 0x000FFFFFL. This makes
more bits available for options that should not be part of
SSL_OP_ALL (such as SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION).
[Bodo Moeller]
*) Add some demos for certificate and certificate request creation.
[Steve Henson]
*) Make maximum certificate chain size accepted from the peer application
settable (SSL*_get/set_max_cert_list()), as proposed by
"Douglas E. Engert" <deengert@anl.gov>.
[Lutz Jaenicke]
*) Add support for shared libraries for Unixware-7
(Boyd Lynn Gerber <gerberb@zenez.com>).
[Lutz Jaenicke]
*) Add a "destroy" handler to ENGINEs that allows structural cleanup to
be done prior to destruction. Use this to unload error strings from
ENGINEs that load their own error strings. NB: This adds two new API
functions to "get" and "set" this destroy handler in an ENGINE.
[Geoff Thorpe]
*) Alter all existing ENGINE implementations (except "openssl" and
"openbsd") to dynamically instantiate their own error strings. This
makes them more flexible to be built both as statically-linked ENGINEs
and self-contained shared-libraries loadable via the "dynamic" ENGINE.
Also, add stub code to each that makes building them as self-contained
shared-libraries easier (see README.ENGINE).
[Geoff Thorpe]
*) Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE
implementations into applications that are completely implemented in
self-contained shared-libraries. The "dynamic" ENGINE exposes control
commands that can be used to configure what shared-library to load and
to control aspects of the way it is handled. Also, made an update to
the README.ENGINE file that brings its information up-to-date and
provides some information and instructions on the "dynamic" ENGINE
(ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
[Geoff Thorpe]
*) Make it possible to unload ranges of ERR strings with a new
"ERR_unload_strings" function.
[Geoff Thorpe]
*) Add a copy() function to EVP_MD.
[Ben Laurie]
*) Make EVP_MD routines take a context pointer instead of just the
md_data void pointer.
[Ben Laurie]
*) Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates
that the digest can only process a single chunk of data
(typically because it is provided by a piece of
hardware). EVP_MD_CTX_FLAG_ONESHOT indicates that the application
is only going to provide a single chunk of data, and hence the
framework needn't accumulate the data for oneshot drivers.
[Ben Laurie]
*) As with "ERR", make it possible to replace the underlying "ex_data"
functions. This change also alters the storage and management of global
ex_data state - it's now all inside ex_data.c and all "class" code (eg.
RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
index counters. The API functions that use this state have been changed
to take a "class_index" rather than pointers to the class's local STACK
and counter, and there is now an API function to dynamically create new
classes. This centralisation allows us to (a) plug a lot of the
thread-safety problems that existed, and (b) makes it possible to clean
up all allocated state using "CRYPTO_cleanup_all_ex_data()". W.r.t. (b)
such data would previously have always leaked in application code and
workarounds were in place to make the memory debugging turn a blind eye
to it. Application code that doesn't use this new function will still
leak as before, but their memory debugging output will announce it now
rather than letting it slide.
Besides the addition of CRYPTO_cleanup_all_ex_data(), another API change
induced by the "ex_data" overhaul is that X509_STORE_CTX_init() now
has a return value to indicate success or failure.
[Geoff Thorpe]
*) Make it possible to replace the underlying "ERR" functions such that the
global state (2 LHASH tables and 2 locks) is only used by the "default"
implementation. This change also adds two functions to "get" and "set"
the implementation prior to it being automatically set the first time
any other ERR function takes place. Ie. an application can call "get",
pass the return value to a module it has just loaded, and that module
can call its own "set" function using that value. This means the
module's "ERR" operations will use (and modify) the error state in the
application and not in its own statically linked copy of OpenSSL code.
[Geoff Thorpe]
*) Give DH, DSA, and RSA types their own "**_up_ref()" function to increment
reference counts. This performs normal REF_PRINT/REF_CHECK macros on
the operation, and provides a more encapsulated way for external code
(crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code
to use these functions rather than manually incrementing the counts.
Also rename "DSO_up()" function to more descriptive "DSO_up_ref()".
[Geoff Thorpe]
*) Add EVP test program.
[Ben Laurie]
*) Add symmetric cipher support to ENGINE. Expect the API to change!
[Ben Laurie]
*) New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name()
X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(),
X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate().
These allow a CRL to be built without having to access X509_CRL fields
directly. Modify 'ca' application to use new functions.
[Steve Henson]
*) Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended
bug workarounds. Rollback attack detection is a security feature.
The problem will only arise on OpenSSL servers when TLSv1 is not
available (sslv3_server_method() or SSL_OP_NO_TLSv1).
Software authors not wanting to support TLSv1 will have special reasons
for their choice and can explicitly enable this option.
[Bodo Moeller, Lutz Jaenicke]
*) Rationalise EVP so it can be extended: don't include a union of
cipher/digest structures, add init/cleanup functions for EVP_MD_CTX
(similar to those existing for EVP_CIPHER_CTX).
Usage example:
EVP_MD_CTX md;
EVP_MD_CTX_init(&md); /* new function call */
EVP_DigestInit(&md, EVP_sha1());
EVP_DigestUpdate(&md, in, len);
EVP_DigestFinal(&md, out, NULL);
EVP_MD_CTX_cleanup(&md); /* new function call */
[Ben Laurie]
*) Make DES key schedule conform to the usual scheme, as well as
correcting its structure. This means that calls to DES functions
now have to pass a pointer to a des_key_schedule instead of a
plain des_key_schedule (which was actually always a pointer
anyway): E.g.,
des_key_schedule ks;
des_set_key_checked(..., &ks);
des_ncbc_encrypt(..., &ks, ...);
(Note that a later change renames 'des_...' into 'DES_...'.)
[Ben Laurie]
*) Initial reduction of linker bloat: the use of some functions, such as
PEM causes large amounts of unused functions to be linked in due to
poor organisation. For example pem_all.c contains every PEM function
which has a knock on effect of linking in large amounts of (unused)
ASN1 code. Grouping together similar functions and splitting unrelated
functions prevents this.
[Steve Henson]
*) Cleanup of EVP macros.
[Ben Laurie]
*) Change historical references to {NID,SN,LN}_des_ede and ede3 to add the
correct _ecb suffix.
[Ben Laurie]
*) Add initial OCSP responder support to ocsp application. The
revocation information is handled using the text based index
use by the ca application. The responder can either handle
requests generated internally, supplied in files (for example
via a CGI script) or using an internal minimal server.
[Steve Henson]
*) Add configuration choices to get zlib compression for TLS.
[Richard Levitte]
*) Changes to Kerberos SSL for RFC 2712 compliance:
1. Implemented real KerberosWrapper, instead of just using
KRB5 AP_REQ message. [Thanks to Simon Wilkinson <sxw@sxw.org.uk>]
2. Implemented optional authenticator field of KerberosWrapper.
Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
and authenticator structs; see crypto/krb5/.
Generalized Kerberos calls to support multiple Kerberos libraries.
[Vern Staats <staatsvr@asc.hpc.mil>,
Jeffrey Altman <jaltman@columbia.edu>
via Richard Levitte]
*) Cause 'openssl speed' to use fully hard-coded DSA keys as it
already does with RSA. testdsa.h now has 'priv_key/pub_key'
values for each of the key sizes rather than having just
parameters (and 'speed' generating keys each time).
[Geoff Thorpe]
*) Speed up EVP routines.
Before:
encrypt
type 8 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
des-cbc 4408.85k 5560.51k 5778.46k 5862.20k 5825.16k
des-cbc 4389.55k 5571.17k 5792.23k 5846.91k 5832.11k
des-cbc 4394.32k 5575.92k 5807.44k 5848.37k 5841.30k
decrypt
des-cbc 3482.66k 5069.49k 5496.39k 5614.16k 5639.28k
des-cbc 3480.74k 5068.76k 5510.34k 5609.87k 5635.52k
des-cbc 3483.72k 5067.62k 5504.60k 5708.01k 5724.80k
After:
encrypt
des-cbc 4660.16k 5650.19k 5807.19k 5827.13k 5783.32k
decrypt
des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
[Ben Laurie]
*) Added the OS2-EMX target.
["Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte]
*) Rewrite apps to use NCONF routines instead of the old CONF. New functions
to support NCONF routines in extension code. New function CONF_set_nconf()
to allow functions which take an NCONF to also handle the old LHASH
structure: this means that the old CONF compatible routines can be
retained (in particular wrt extensions) without having to duplicate the
code. New function X509V3_add_ext_nconf_sk to add extensions to a stack.
[Steve Henson]
*) Enhance the general user interface with mechanisms for inner control
and with possibilities to have yes/no kind of prompts.
[Richard Levitte]
*) Change all calls to low level digest routines in the library and
applications to use EVP. Add missing calls to HMAC_cleanup() and
don't assume HMAC_CTX can be copied using memcpy().
[Verdon Walker <VWalker@novell.com>, Steve Henson]
*) Add the possibility to control engines through control names but with
arbitrary arguments instead of just a string.
Change the key loaders to take a UI_METHOD instead of a callback
function pointer. NOTE: this breaks binary compatibility with earlier
versions of OpenSSL [engine].
Adapt the nCipher code for these new conditions and add a card insertion
callback.
[Richard Levitte]
*) Enhance the general user interface with mechanisms to better support
dialog box interfaces, application-defined prompts, the possibility
to use defaults (for example default passwords from somewhere else)
and interrupts/cancellations.
[Richard Levitte]
*) Tidy up PKCS#12 attribute handling. Add support for the CSP name
attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
[Steve Henson]
*) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also
tidy up some unnecessarily weird code in 'sk_new()').
[Geoff, reported by Diego Tartara <dtartara@novamens.com>]
*) Change the key loading routines for ENGINEs to use the same kind
callback (pem_password_cb) as all other routines that need this
kind of callback.
[Richard Levitte]
*) Increase ENTROPY_NEEDED to 32 bytes, as Rijndael can operate with
256 bit (=32 byte) keys. Of course seeding with more entropy bytes
than this minimum value is recommended.
[Lutz Jaenicke]
*) New random seeder for OpenVMS, using the system process statistics
that are easily reachable.
[Richard Levitte]
*) Windows apparently can't transparently handle global
variables defined in DLLs. Initialisations such as:
const ASN1_ITEM *it = &ASN1_INTEGER_it;
won't compile. This is used by the any applications that need to
declare their own ASN1 modules. This was fixed by adding the option
EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly
needed for static libraries under Win32.
[Steve Henson]
*) New functions X509_PURPOSE_set() and X509_TRUST_set() to handle
setting of purpose and trust fields. New X509_STORE trust and
purpose functions and tidy up setting in other SSL functions.
[Steve Henson]
*) Add copies of X509_STORE_CTX fields and callbacks to X509_STORE
structure. These are inherited by X509_STORE_CTX when it is
initialised. This allows various defaults to be set in the
X509_STORE structure (such as flags for CRL checking and custom
purpose or trust settings) for functions which only use X509_STORE_CTX
internally such as S/MIME.
Modify X509_STORE_CTX_purpose_inherit() so it only sets purposes and
trust settings if they are not set in X509_STORE. This allows X509_STORE
purposes and trust (in S/MIME for example) to override any set by default.
Add command line options for CRL checking to smime, s_client and s_server
applications.
[Steve Henson]
*) Initial CRL based revocation checking. If the CRL checking flag(s)
are set then the CRL is looked up in the X509_STORE structure and
its validity and signature checked, then if the certificate is found
in the CRL the verify fails with a revoked error.
Various new CRL related callbacks added to X509_STORE_CTX structure.
Command line options added to 'verify' application to support this.
This needs some additional work, such as being able to handle multiple
CRLs with different times, extension based lookup (rather than just
by subject name) and ultimately more complete V2 CRL extension
handling.
[Steve Henson]
*) Add a general user interface API (crypto/ui/). This is designed
to replace things like des_read_password and friends (backward
compatibility functions using this new API are provided).
The purpose is to remove prompting functions from the DES code
section as well as provide for prompting through dialog boxes in
a window system and the like.
[Richard Levitte]
*) Add "ex_data" support to ENGINE so implementations can add state at a
per-structure level rather than having to store it globally.
[Geoff]
*) Make it possible for ENGINE structures to be copied when retrieved by
ENGINE_by_id() if the ENGINE specifies a new flag: ENGINE_FLAGS_BY_ID_COPY.
This causes the "original" ENGINE structure to act like a template,
analogous to the RSA vs. RSA_METHOD type of separation. Because of this
operational state can be localised to each ENGINE structure, despite the
fact they all share the same "methods". New ENGINE structures returned in
this case have no functional references and the return value is the single
structural reference. This matches the single structural reference returned
by ENGINE_by_id() normally, when it is incremented on the pre-existing
ENGINE structure.
[Geoff]
*) Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this
needs to match any other type at all we need to manually clear the
tag cache.
[Steve Henson]
*) Changes to the "openssl engine" utility to include;
- verbosity levels ('-v', '-vv', and '-vvv') that provide information
about an ENGINE's available control commands.
- executing control commands from command line arguments using the
'-pre' and '-post' switches. '-post' is only used if '-t' is
specified and the ENGINE is successfully initialised. The syntax for
the individual commands are colon-separated, for example;
openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so
[Geoff]
*) New dynamic control command support for ENGINEs. ENGINEs can now
declare their own commands (numbers), names (strings), descriptions,
and input types for run-time discovery by calling applications. A
subset of these commands are implicitly classed as "executable"
depending on their input type, and only these can be invoked through
the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this
can be based on user input, config files, etc). The distinction is
that "executable" commands cannot return anything other than a boolean
result and can only support numeric or string input, whereas some
discoverable commands may only be for direct use through
ENGINE_ctrl(), eg. supporting the exchange of binary data, function
pointers, or other custom uses. The "executable" commands are to
support parameterisations of ENGINE behaviour that can be
unambiguously defined by ENGINEs and used consistently across any
OpenSSL-based application. Commands have been added to all the
existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow
control over shared-library paths without source code alterations.
[Geoff]
*) Changed all ENGINE implementations to dynamically allocate their
ENGINEs rather than declaring them statically. Apart from this being
necessary with the removal of the ENGINE_FLAGS_MALLOCED distinction,
this also allows the implementations to compile without using the
internal engine_int.h header.
[Geoff]
*) Minor adjustment to "rand" code. RAND_get_rand_method() now returns a
'const' value. Any code that should be able to modify a RAND_METHOD
should already have non-const pointers to it (ie. they should only
modify their own ones).
[Geoff]
*) Made a variety of little tweaks to the ENGINE code.
- "atalla" and "ubsec" string definitions were moved from header files
to C code. "nuron" string definitions were placed in variables
rather than hard-coded - allowing parameterisation of these values
later on via ctrl() commands.
- Removed unused "#if 0"'d code.
- Fixed engine list iteration code so it uses ENGINE_free() to release
structural references.
- Constified the RAND_METHOD element of ENGINE structures.
- Constified various get/set functions as appropriate and added
missing functions (including a catch-all ENGINE_cpy that duplicates
all ENGINE values onto a new ENGINE except reference counts/state).
- Removed NULL parameter checks in get/set functions. Setting a method
or function to NULL is a way of cancelling out a previously set
value. Passing a NULL ENGINE parameter is just plain stupid anyway
and doesn't justify the extra error symbols and code.
- Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
flags from engine_int.h to engine.h.
- Changed prototypes for ENGINE handler functions (init(), finish(),
ctrl(), key-load functions, etc) to take an (ENGINE*) parameter.
[Geoff]
*) Implement binary inversion algorithm for BN_mod_inverse in addition
to the algorithm using long division. The binary algorithm can be
used only if the modulus is odd. On 32-bit systems, it is faster
only for relatively small moduli (roughly 20-30% for 128-bit moduli,
roughly 5-15% for 256-bit moduli), so we use it only for moduli
up to 450 bits. In 64-bit environments, the binary algorithm
appears to be advantageous for much longer moduli; here we use it
for moduli up to 2048 bits.
[Bodo Moeller]
*) Rewrite CHOICE field setting in ASN1_item_ex_d2i(). The old code
could not support the combine flag in choice fields.
[Steve Henson]
*) Add a 'copy_extensions' option to the 'ca' utility. This copies
extensions from a certificate request to the certificate.
[Steve Henson]
*) Allow multiple 'certopt' and 'nameopt' options to be separated
by commas. Add 'namopt' and 'certopt' options to the 'ca' config
file: this allows the display of the certificate about to be
signed to be customised, to allow certain fields to be included
or excluded and extension details. The old system didn't display
multicharacter strings properly, omitted fields not in the policy
and couldn't display additional details such as extensions.
[Steve Henson]
*) Function EC_POINTs_mul for multiple scalar multiplication
of an arbitrary number of elliptic curve points
\sum scalars[i]*points[i],
optionally including the generator defined for the EC_GROUP:
scalar*generator + \sum scalars[i]*points[i].
EC_POINT_mul is a simple wrapper function for the typical case
that the point list has just one item (besides the optional
generator).
[Bodo Moeller]
*) First EC_METHODs for curves over GF(p):
EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr
operations and provides various method functions that can also
operate with faster implementations of modular arithmetic.
EC_GFp_mont_method() reuses most functions that are part of
EC_GFp_simple_method, but uses Montgomery arithmetic.
[Bodo Moeller; point addition and point doubling
implementation directly derived from source code provided by
Lenka Fibikova <fibikova@exp-math.uni-essen.de>]
*) Framework for elliptic curves (crypto/ec/ec.h, crypto/ec/ec_lcl.h,
crypto/ec/ec_lib.c):
Curves are EC_GROUP objects (with an optional group generator)
based on EC_METHODs that are built into the library.
Points are EC_POINT objects based on EC_GROUP objects.
Most of the framework would be able to handle curves over arbitrary
finite fields, but as there are no obvious types for fields other
than GF(p), some functions are limited to that for now.
[Bodo Moeller]
*) Add the -HTTP option to s_server. It is similar to -WWW, but requires
that the file contains a complete HTTP response.
[Richard Levitte]
*) Add the ec directory to mkdef.pl and mkfiles.pl. In mkdef.pl
change the def and num file printf format specifier from "%-40sXXX"
to "%-39s XXX". The latter will always guarantee a space after the
field while the former will cause them to run together if the field
is 40 of more characters long.
[Steve Henson]
*) Constify the cipher and digest 'method' functions and structures
and modify related functions to take constant EVP_MD and EVP_CIPHER
pointers.
[Steve Henson]
*) Hide BN_CTX structure details in bn_lcl.h instead of publishing them
in <openssl/bn.h>. Also further increase BN_CTX_NUM to 32.
[Bodo Moeller]
*) Modify EVP_Digest*() routines so they now return values. Although the
internal software routines can never fail additional hardware versions
might.
[Steve Henson]
*) Clean up crypto/err/err.h and change some error codes to avoid conflicts:
Previously ERR_R_FATAL was too small and coincided with ERR_LIB_PKCS7
(= ERR_R_PKCS7_LIB); it is now 64 instead of 32.
ASN1 error codes
ERR_R_NESTED_ASN1_ERROR
...
ERR_R_MISSING_ASN1_EOS
were 4 .. 9, conflicting with
ERR_LIB_RSA (= ERR_R_RSA_LIB)
...
ERR_LIB_PEM (= ERR_R_PEM_LIB).
They are now 58 .. 63 (i.e., just below ERR_R_FATAL).
Add new error code 'ERR_R_INTERNAL_ERROR'.
[Bodo Moeller]
*) Don't overuse locks in crypto/err/err.c: For data retrieval, CRYPTO_r_lock
suffices.
[Bodo Moeller]
*) New option '-subj arg' for 'openssl req' and 'openssl ca'. This
sets the subject name for a new request or supersedes the
subject name in a given request. Formats that can be parsed are
'CN=Some Name, OU=myOU, C=IT'
and
'CN=Some Name/OU=myOU/C=IT'.
Add options '-batch' and '-verbose' to 'openssl req'.
[Massimiliano Pala <madwolf@hackmasters.net>]
*) Introduce the possibility to access global variables through
functions on platform were that's the best way to handle exporting
global variables in shared libraries. To enable this functionality,
one must configure with "EXPORT_VAR_AS_FN" or defined the C macro
"OPENSSL_EXPORT_VAR_AS_FUNCTION" in crypto/opensslconf.h (the latter
is normally done by Configure or something similar).
To implement a global variable, use the macro OPENSSL_IMPLEMENT_GLOBAL
in the source file (foo.c) like this:
OPENSSL_IMPLEMENT_GLOBAL(int,foo)=1;
OPENSSL_IMPLEMENT_GLOBAL(double,bar);
To declare a global variable, use the macros OPENSSL_DECLARE_GLOBAL
and OPENSSL_GLOBAL_REF in the header file (foo.h) like this:
OPENSSL_DECLARE_GLOBAL(int,foo);
#define foo OPENSSL_GLOBAL_REF(foo)
OPENSSL_DECLARE_GLOBAL(double,bar);
#define bar OPENSSL_GLOBAL_REF(bar)
The #defines are very important, and therefore so is including the
header file everywhere where the defined globals are used.
The macro OPENSSL_EXPORT_VAR_AS_FUNCTION also affects the definition
of ASN.1 items, but that structure is a bit different.
The largest change is in util/mkdef.pl which has been enhanced with
better and easier to understand logic to choose which symbols should
go into the Windows .def files as well as a number of fixes and code
cleanup (among others, algorithm keywords are now sorted
lexicographically to avoid constant rewrites).
[Richard Levitte]
*) In BN_div() keep a copy of the sign of 'num' before writing the
result to 'rm' because if rm==num the value will be overwritten
and produce the wrong result if 'num' is negative: this caused
problems with BN_mod() and BN_nnmod().
[Steve Henson]
*) Function OCSP_request_verify(). This checks the signature on an
OCSP request and verifies the signer certificate. The signer
certificate is just checked for a generic purpose and OCSP request
trust settings.
[Steve Henson]
*) Add OCSP_check_validity() function to check the validity of OCSP
responses. OCSP responses are prepared in real time and may only
be a few seconds old. Simply checking that the current time lies
between thisUpdate and nextUpdate max reject otherwise valid responses
caused by either OCSP responder or client clock inaccuracy. Instead
we allow thisUpdate and nextUpdate to fall within a certain period of
the current time. The age of the response can also optionally be
checked. Two new options -validity_period and -status_age added to
ocsp utility.
[Steve Henson]
*) If signature or public key algorithm is unrecognized print out its
OID rather that just UNKNOWN.
[Steve Henson]
*) Change OCSP_cert_to_id() to tolerate a NULL subject certificate and
OCSP_cert_id_new() a NULL serialNumber. This allows a partial certificate
ID to be generated from the issuer certificate alone which can then be
passed to OCSP_id_issuer_cmp().
[Steve Henson]
*) New compilation option ASN1_ITEM_FUNCTIONS. This causes the new
ASN1 modules to export functions returning ASN1_ITEM pointers
instead of the ASN1_ITEM structures themselves. This adds several
new macros which allow the underlying ASN1 function/structure to
be accessed transparently. As a result code should not use ASN1_ITEM
references directly (such as &X509_it) but instead use the relevant
macros (such as ASN1_ITEM_rptr(X509)). This option is to allow
use of the new ASN1 code on platforms where exporting structures
is problematical (for example in shared libraries) but exporting
functions returning pointers to structures is not.
[Steve Henson]
*) Add support for overriding the generation of SSL/TLS session IDs.
These callbacks can be registered either in an SSL_CTX or per SSL.
The purpose of this is to allow applications to control, if they wish,
the arbitrary values chosen for use as session IDs, particularly as it
can be useful for session caching in multiple-server environments. A
command-line switch for testing this (and any client code that wishes
to use such a feature) has been added to "s_server".
[Geoff Thorpe, Lutz Jaenicke]
*) Modify mkdef.pl to recognise and parse preprocessor conditionals
of the form '#if defined(...) || defined(...) || ...' and
'#if !defined(...) && !defined(...) && ...'. This also avoids
the growing number of special cases it was previously handling.
[Richard Levitte]
*) Make all configuration macros available for application by making
sure they are available in opensslconf.h, by giving them names starting
with "OPENSSL_" to avoid conflicts with other packages and by making
sure e_os2.h will cover all platform-specific cases together with
opensslconf.h.
Additionally, it is now possible to define configuration/platform-
specific names (called "system identities"). In the C code, these
are prefixed with "OPENSSL_SYSNAME_". e_os2.h will create another
macro with the name beginning with "OPENSSL_SYS_", which is determined
from "OPENSSL_SYSNAME_*" or compiler-specific macros depending on
what is available.
[Richard Levitte]
*) New option -set_serial to 'req' and 'x509' this allows the serial
number to use to be specified on the command line. Previously self
signed certificates were hard coded with serial number 0 and the
CA options of 'x509' had to use a serial number in a file which was
auto incremented.
[Steve Henson]
*) New options to 'ca' utility to support V2 CRL entry extensions.
Currently CRL reason, invalidity date and hold instruction are
supported. Add new CRL extensions to V3 code and some new objects.
[Steve Henson]
*) New function EVP_CIPHER_CTX_set_padding() this is used to
disable standard block padding (aka PKCS#5 padding) in the EVP
API, which was previously mandatory. This means that the data is
not padded in any way and so the total length much be a multiple
of the block size, otherwise an error occurs.
[Steve Henson]
*) Initial (incomplete) OCSP SSL support.
[Steve Henson]
*) New function OCSP_parse_url(). This splits up a URL into its host,
port and path components: primarily to parse OCSP URLs. New -url
option to ocsp utility.
[Steve Henson]
*) New nonce behavior. The return value of OCSP_check_nonce() now
reflects the various checks performed. Applications can decide
whether to tolerate certain situations such as an absent nonce
in a response when one was present in a request: the ocsp application
just prints out a warning. New function OCSP_add1_basic_nonce()
this is to allow responders to include a nonce in a response even if
the request is nonce-less.
[Steve Henson]
*) Disable stdin buffering in load_cert (apps/apps.c) so that no certs are
skipped when using openssl x509 multiple times on a single input file,
e.g. "(openssl x509 -out cert1; openssl x509 -out cert2) <certs".
[Bodo Moeller]
*) Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string()
set string type: to handle setting ASN1_TIME structures. Fix ca
utility to correctly initialize revocation date of CRLs.
[Steve Henson]
*) New option SSL_OP_CIPHER_SERVER_PREFERENCE allows the server to override
the clients preferred ciphersuites and rather use its own preferences.
Should help to work around M$ SGC (Server Gated Cryptography) bug in
Internet Explorer by ensuring unchanged hash method during stepup.
(Also replaces the broken/deactivated SSL_OP_NON_EXPORT_FIRST option.)
[Lutz Jaenicke]
*) Make mkdef.pl recognise all DECLARE_ASN1 macros, change rijndael
to aes and add a new 'exist' option to print out symbols that don't
appear to exist.
[Steve Henson]
*) Additional options to ocsp utility to allow flags to be set and
additional certificates supplied.
[Steve Henson]
*) Add the option -VAfile to 'openssl ocsp', so the user can give the
OCSP client a number of certificate to only verify the response
signature against.
[Richard Levitte]
*) Update Rijndael code to version 3.0 and change EVP AES ciphers to
handle the new API. Currently only ECB, CBC modes supported. Add new
AES OIDs.
Add TLS AES ciphersuites as described in RFC3268, "Advanced
Encryption Standard (AES) Ciphersuites for Transport Layer
Security (TLS)". (In beta versions of OpenSSL 0.9.7, these were
not enabled by default and were not part of the "ALL" ciphersuite
alias because they were not yet official; they could be
explicitly requested by specifying the "AESdraft" ciphersuite
group alias. In the final release of OpenSSL 0.9.7, the group
alias is called "AES" and is part of "ALL".)
[Ben Laurie, Steve Henson, Bodo Moeller]
*) New function OCSP_copy_nonce() to copy nonce value (if present) from
request to response.
[Steve Henson]
*) Functions for OCSP responders. OCSP_request_onereq_count(),
OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info()
extract information from a certificate request. OCSP_response_create()
creates a response and optionally adds a basic response structure.
OCSP_basic_add1_status() adds a complete single response to a basic
response and returns the OCSP_SINGLERESP structure just added (to allow
extensions to be included for example). OCSP_basic_add1_cert() adds a
certificate to a basic response and OCSP_basic_sign() signs a basic
response with various flags. New helper functions ASN1_TIME_check()
(checks validity of ASN1_TIME structure) and ASN1_TIME_to_generalizedtime()
(converts ASN1_TIME to GeneralizedTime).
[Steve Henson]
*) Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}()
in a single operation. X509_get0_pubkey_bitstr() extracts the public_key
structure from a certificate. X509_pubkey_digest() digests the public_key
contents: this is used in various key identifiers.
[Steve Henson]
*) Make sk_sort() tolerate a NULL argument.
[Steve Henson reported by Massimiliano Pala <madwolf@comune.modena.it>]
*) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates
passed by the function are trusted implicitly. If any of them signed the
response then it is assumed to be valid and is not verified.
[Steve Henson]
*) In PKCS7_set_type() initialise content_type in PKCS7_ENC_CONTENT
to data. This was previously part of the PKCS7 ASN1 code. This
was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures.
[Steve Henson, reported by Kenneth R. Robinette
<support@securenetterm.com>]
*) Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1
routines: without these tracing memory leaks is very painful.
Fix leaks in PKCS12 and PKCS7 routines.
[Steve Henson]
*) Make X509_time_adj() cope with the new behaviour of ASN1_TIME_new().
Previously it initialised the 'type' argument to V_ASN1_UTCTIME which
effectively meant GeneralizedTime would never be used. Now it
is initialised to -1 but X509_time_adj() now has to check the value
and use ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or
V_ASN1_GENERALIZEDTIME, without this it always uses GeneralizedTime.
[Steve Henson, reported by Kenneth R. Robinette
<support@securenetterm.com>]
*) Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously
result in a zero length in the ASN1_INTEGER structure which was
not consistent with the structure when d2i_ASN1_INTEGER() was used
and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER()
to cope with hex and negative integers. Fix bug in i2a_ASN1_INTEGER()
where it did not print out a minus for negative ASN1_INTEGER.
[Steve Henson]
*) Add summary printout to ocsp utility. The various functions which
convert status values to strings have been renamed to:
OCSP_response_status_str(), OCSP_cert_status_str() and
OCSP_crl_reason_str() and are no longer static. New options
to verify nonce values and to disable verification. OCSP response
printout format cleaned up.
[Steve Henson]
*) Add additional OCSP certificate checks. These are those specified
in RFC2560. This consists of two separate checks: the CA of the
certificate being checked must either be the OCSP signer certificate
or the issuer of the OCSP signer certificate. In the latter case the
OCSP signer certificate must contain the OCSP signing extended key
usage. This check is performed by attempting to match the OCSP
signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash
in the OCSP_CERTID structures of the response.
[Steve Henson]
*) Initial OCSP certificate verification added to OCSP_basic_verify()
and related routines. This uses the standard OpenSSL certificate
verify routines to perform initial checks (just CA validity) and
to obtain the certificate chain. Then additional checks will be
performed on the chain. Currently the root CA is checked to see
if it is explicitly trusted for OCSP signing. This is used to set
a root CA as a global signing root: that is any certificate that
chains to that CA is an acceptable OCSP signing certificate.
[Steve Henson]
*) New '-extfile ...' option to 'openssl ca' for reading X.509v3
extensions from a separate configuration file.
As when reading extensions from the main configuration file,
the '-extensions ...' option may be used for specifying the
section to use.
[Massimiliano Pala <madwolf@comune.modena.it>]
*) New OCSP utility. Allows OCSP requests to be generated or
read. The request can be sent to a responder and the output
parsed, outputted or printed in text form. Not complete yet:
still needs to check the OCSP response validity.
[Steve Henson]
*) New subcommands for 'openssl ca':
'openssl ca -status <serial>' prints the status of the cert with
the given serial number (according to the index file).
'openssl ca -updatedb' updates the expiry status of certificates
in the index file.
[Massimiliano Pala <madwolf@comune.modena.it>]
*) New '-newreq-nodes' command option to CA.pl. This is like
'-newreq', but calls 'openssl req' with the '-nodes' option
so that the resulting key is not encrypted.
[Damien Miller <djm@mindrot.org>]
*) New configuration for the GNU Hurd.
[Jonathan Bartlett <johnnyb@wolfram.com> via Richard Levitte]
*) Initial code to implement OCSP basic response verify. This
is currently incomplete. Currently just finds the signer's
certificate and verifies the signature on the response.
[Steve Henson]
*) New SSLeay_version code SSLEAY_DIR to determine the compiled-in
value of OPENSSLDIR. This is available via the new '-d' option
to 'openssl version', and is also included in 'openssl version -a'.
[Bodo Moeller]
*) Allowing defining memory allocation callbacks that will be given
file name and line number information in additional arguments
(a const char* and an int). The basic functionality remains, as
well as the original possibility to just replace malloc(),
realloc() and free() by functions that do not know about these
additional arguments. To register and find out the current
settings for extended allocation functions, the following
functions are provided:
CRYPTO_set_mem_ex_functions
CRYPTO_set_locked_mem_ex_functions
CRYPTO_get_mem_ex_functions
CRYPTO_get_locked_mem_ex_functions
These work the same way as CRYPTO_set_mem_functions and friends.
CRYPTO_get_[locked_]mem_functions now writes 0 where such an
extended allocation function is enabled.
Similarly, CRYPTO_get_[locked_]mem_ex_functions writes 0 where
a conventional allocation function is enabled.
[Richard Levitte, Bodo Moeller]
*) Finish off removing the remaining LHASH function pointer casts.
There should no longer be any prototype-casting required when using
the LHASH abstraction, and any casts that remain are "bugs". See
the callback types and macros at the head of lhash.h for details
(and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example).
[Geoff Thorpe]
*) Add automatic query of EGD sockets in RAND_poll() for the unix variant.
If /dev/[u]random devices are not available or do not return enough
entropy, EGD style sockets (served by EGD or PRNGD) will automatically
be queried.
The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and
/etc/entropy will be queried once each in this sequence, querying stops
when enough entropy was collected without querying more sockets.
[Lutz Jaenicke]
*) Change the Unix RAND_poll() variant to be able to poll several
random devices, as specified by DEVRANDOM, until a sufficient amount
of data has been collected. We spend at most 10 ms on each file
(select timeout) and read in non-blocking mode. DEVRANDOM now
defaults to the list "/dev/urandom", "/dev/random", "/dev/srandom"
(previously it was just the string "/dev/urandom"), so on typical
platforms the 10 ms delay will never occur.
Also separate out the Unix variant to its own file, rand_unix.c.
For VMS, there's a currently-empty rand_vms.c.
[Richard Levitte]
*) Move OCSP client related routines to ocsp_cl.c. These
provide utility functions which an application needing
to issue a request to an OCSP responder and analyse the
response will typically need: as opposed to those which an
OCSP responder itself would need which will be added later.
OCSP_request_sign() signs an OCSP request with an API similar
to PKCS7_sign(). OCSP_response_status() returns status of OCSP
response. OCSP_response_get1_basic() extracts basic response
from response. OCSP_resp_find_status(): finds and extracts status
information from an OCSP_CERTID structure (which will be created
when the request structure is built). These are built from lower
level functions which work on OCSP_SINGLERESP structures but
won't normally be used unless the application wishes to examine
extensions in the OCSP response for example.
Replace nonce routines with a pair of functions.
OCSP_request_add1_nonce() adds a nonce value and optionally
generates a random value. OCSP_check_nonce() checks the
validity of the nonce in an OCSP response.
[Steve Henson]
*) Change function OCSP_request_add() to OCSP_request_add0_id().
This doesn't copy the supplied OCSP_CERTID and avoids the
need to free up the newly created id. Change return type
to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure.
This can then be used to add extensions to the request.
Deleted OCSP_request_new(), since most of its functionality
is now in OCSP_REQUEST_new() (and the case insensitive name
clash) apart from the ability to set the request name which
will be added elsewhere.
[Steve Henson]
*) Update OCSP API. Remove obsolete extensions argument from
various functions. Extensions are now handled using the new
OCSP extension code. New simple OCSP HTTP function which
can be used to send requests and parse the response.
[Steve Henson]
*) Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new
ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN
uses the special reorder version of SET OF to sort the attributes
and reorder them to match the encoded order. This resolves a long
standing problem: a verify on a PKCS7 structure just after signing
it used to fail because the attribute order did not match the
encoded order. PKCS7_ATTR_VERIFY does not reorder the attributes:
it uses the received order. This is necessary to tolerate some broken
software that does not order SET OF. This is handled by encoding
as a SEQUENCE OF but using implicit tagging (with UNIVERSAL class)
to produce the required SET OF.
[Steve Henson]
*) Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and
OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header
files to get correct declarations of the ASN.1 item variables.
[Richard Levitte]
*) Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many
PKCS#12 macros with real functions. Fix two unrelated ASN1 bugs:
asn1_check_tlen() would sometimes attempt to use 'ctx' when it was
NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i().
New ASN1 macro: DECLARE_ASN1_ITEM() which just declares the relevant
ASN1_ITEM and no wrapper functions.
[Steve Henson]
*) New functions or ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These
replace the old function pointer based I/O routines. Change most of
the *_d2i_bio() and *_d2i_fp() functions to use these.
[Steve Henson]
*) Enhance mkdef.pl to be more accepting about spacing in C preprocessor
lines, recognize more "algorithms" that can be deselected, and make
it complain about algorithm deselection that isn't recognised.
[Richard Levitte]
*) New ASN1 functions to handle dup, sign, verify, digest, pack and
unpack operations in terms of ASN1_ITEM. Modify existing wrappers
to use new functions. Add NO_ASN1_OLD which can be set to remove
some old style ASN1 functions: this can be used to determine if old
code will still work when these eventually go away.
[Steve Henson]
*) New extension functions for OCSP structures, these follow the
same conventions as certificates and CRLs.
[Steve Henson]
*) New function X509V3_add1_i2d(). This automatically encodes and
adds an extension. Its behaviour can be customised with various
flags to append, replace or delete. Various wrappers added for
certificates and CRLs.
[Steve Henson]
*) Fix to avoid calling the underlying ASN1 print routine when
an extension cannot be parsed. Correct a typo in the
OCSP_SERVICELOC extension. Tidy up print OCSP format.
[Steve Henson]
*) Make mkdef.pl parse some of the ASN1 macros and add appropriate
entries for variables.
[Steve Henson]
*) Add functionality to apps/openssl.c for detecting locking
problems: As the program is single-threaded, all we have
to do is register a locking callback using an array for
storing which locks are currently held by the program.
[Bodo Moeller]
*) Use a lock around the call to CRYPTO_get_ex_new_index() in
SSL_get_ex_data_X509_STORE_idx(), which is used in
ssl_verify_cert_chain() and thus can be called at any time
during TLS/SSL handshakes so that thread-safety is essential.
Unfortunately, the ex_data design is not at all suited
for multi-threaded use, so it probably should be abolished.
[Bodo Moeller]
*) Added Broadcom "ubsec" ENGINE to OpenSSL.
[Broadcom, tweaked and integrated by Geoff Thorpe]
*) Move common extension printing code to new function
X509V3_print_extensions(). Reorganise OCSP print routines and
implement some needed OCSP ASN1 functions. Add OCSP extensions.
[Steve Henson]
*) New function X509_signature_print() to remove duplication in some
print routines.
[Steve Henson]
*) Add a special meaning when SET OF and SEQUENCE OF flags are both
set (this was treated exactly the same as SET OF previously). This
is used to reorder the STACK representing the structure to match the
encoding. This will be used to get round a problem where a PKCS7
structure which was signed could not be verified because the STACK
order did not reflect the encoded order.
[Steve Henson]
*) Reimplement the OCSP ASN1 module using the new code.
[Steve Henson]
*) Update the X509V3 code to permit the use of an ASN1_ITEM structure
for its ASN1 operations. The old style function pointers still exist
for now but they will eventually go away.
[Steve Henson]
*) Merge in replacement ASN1 code from the ASN1 branch. This almost
completely replaces the old ASN1 functionality with a table driven
encoder and decoder which interprets an ASN1_ITEM structure describing
the ASN1 module. Compatibility with the existing ASN1 API (i2d,d2i) is
largely maintained. Almost all of the old asn1_mac.h macro based ASN1
has also been converted to the new form.
[Steve Henson]
*) Change BN_mod_exp_recp so that negative moduli are tolerated
(the sign is ignored). Similarly, ignore the sign in BN_MONT_CTX_set
so that BN_mod_exp_mont and BN_mod_exp_mont_word work
for negative moduli.
[Bodo Moeller]
*) Fix BN_uadd and BN_usub: Always return non-negative results instead
of not touching the result's sign bit.
[Bodo Moeller]
*) BN_div bugfix: If the result is 0, the sign (res->neg) must not be
set.
[Bodo Moeller]
*) Changed the LHASH code to use prototypes for callbacks, and created
macros to declare and implement thin (optionally static) functions
that provide type-safety and avoid function pointer casting for the
type-specific callbacks.
[Geoff Thorpe]
*) Added Kerberos Cipher Suites to be used with TLS, as written in
RFC 2712.
[Veers Staats <staatsvr@asc.hpc.mil>,
Jeffrey Altman <jaltman@columbia.edu>, via Richard Levitte]
*) Reformat the FAQ so the different questions and answers can be divided
in sections depending on the subject.
[Richard Levitte]
*) Have the zlib compression code load ZLIB.DLL dynamically under
Windows.
[Richard Levitte]
*) New function BN_mod_sqrt for computing square roots modulo a prime
(using the probabilistic Tonelli-Shanks algorithm unless
p == 3 (mod 4) or p == 5 (mod 8), which are cases that can
be handled deterministically).
[Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]
*) Make BN_mod_inverse faster by explicitly handling small quotients
in the Euclid loop. (Speed gain about 20% for small moduli [256 or
512 bits], about 30% for larger ones [1024 or 2048 bits].)
[Bodo Moeller]
*) New function BN_kronecker.
[Bodo Moeller]
*) Fix BN_gcd so that it works on negative inputs; the result is
positive unless both parameters are zero.
Previously something reasonably close to an infinite loop was
possible because numbers could be growing instead of shrinking
in the implementation of Euclid's algorithm.
[Bodo Moeller]
*) Fix BN_is_word() and BN_is_one() macros to take into account the
sign of the number in question.
Fix BN_is_word(a,w) to work correctly for w == 0.
The old BN_is_word(a,w) macro is now called BN_abs_is_word(a,w)
because its test if the absolute value of 'a' equals 'w'.
Note that BN_abs_is_word does *not* handle w == 0 reliably;
it exists mostly for use in the implementations of BN_is_zero(),
BN_is_one(), and BN_is_word().
[Bodo Moeller]
*) New function BN_swap.
[Bodo Moeller]
*) Use BN_nnmod instead of BN_mod in crypto/bn/bn_exp.c so that
the exponentiation functions are more likely to produce reasonable
results on negative inputs.
[Bodo Moeller]
*) Change BN_mod_mul so that the result is always non-negative.
Previously, it could be negative if one of the factors was negative;
I don't think anyone really wanted that behaviour.
[Bodo Moeller]
*) Move BN_mod_... functions into new file crypto/bn/bn_mod.c
(except for exponentiation, which stays in crypto/bn/bn_exp.c,
and BN_mod_mul_reciprocal, which stays in crypto/bn/bn_recp.c)
and add new functions:
BN_nnmod
BN_mod_sqr
BN_mod_add
BN_mod_add_quick
BN_mod_sub
BN_mod_sub_quick
BN_mod_lshift1
BN_mod_lshift1_quick
BN_mod_lshift
BN_mod_lshift_quick
These functions always generate non-negative results.
BN_nnmod otherwise is like BN_mod (if BN_mod computes a remainder r
such that |m| < r < 0, BN_nnmod will output rem + |m| instead).
BN_mod_XXX_quick(r, a, [b,] m) generates the same result as
BN_mod_XXX(r, a, [b,] m, ctx), but requires that a [and b]
be reduced modulo m.
[Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]
#if 0
The following entry accidentally appeared in the CHANGES file
distributed with OpenSSL 0.9.7. The modifications described in
it do *not* apply to OpenSSL 0.9.7.
*) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
was actually never needed) and in BN_mul(). The removal in BN_mul()
required a small change in bn_mul_part_recursive() and the addition
of the functions bn_cmp_part_words(), bn_sub_part_words() and
bn_add_part_words(), which do the same thing as bn_cmp_words(),
bn_sub_words() and bn_add_words() except they take arrays with
differing sizes.
[Richard Levitte]
#endif
*) In 'openssl passwd', verify passwords read from the terminal
unless the '-salt' option is used (which usually means that
verification would just waste user's time since the resulting
hash is going to be compared with some given password hash)
or the new '-noverify' option is used.
This is an incompatible change, but it does not affect
non-interactive use of 'openssl passwd' (passwords on the command
line, '-stdin' option, '-in ...' option) and thus should not
cause any problems.
[Bodo Moeller]
*) Remove all references to RSAref, since there's no more need for it.
[Richard Levitte]
*) Make DSO load along a path given through an environment variable
(SHLIB_PATH) with shl_load().
[Richard Levitte]
*) Constify the ENGINE code as a result of BIGNUM constification.
Also constify the RSA code and most things related to it. In a
few places, most notable in the depth of the ASN.1 code, ugly
casts back to non-const were required (to be solved at a later
time)
[Richard Levitte]
*) Make it so the openssl application has all engines loaded by default.
[Richard Levitte]
*) Constify the BIGNUM routines a little more.
[Richard Levitte]
*) Add the following functions:
ENGINE_load_cswift()
ENGINE_load_chil()
ENGINE_load_atalla()
ENGINE_load_nuron()
ENGINE_load_builtin_engines()
That way, an application can itself choose if external engines that
are built-in in OpenSSL shall ever be used or not. The benefit is
that applications won't have to be linked with libdl or other dso
libraries unless it's really needed.
Changed 'openssl engine' to load all engines on demand.
Changed the engine header files to avoid the duplication of some
declarations (they differed!).
[Richard Levitte]
*) 'openssl engine' can now list capabilities.
[Richard Levitte]
*) Better error reporting in 'openssl engine'.
[Richard Levitte]
*) Never call load_dh_param(NULL) in s_server.
[Bodo Moeller]
*) Add engine application. It can currently list engines by name and
identity, and test if they are actually available.
[Richard Levitte]
*) Improve RPM specification file by forcing symbolic linking and making
sure the installed documentation is also owned by root.root.
[Damien Miller <djm@mindrot.org>]
*) Give the OpenSSL applications more possibilities to make use of
keys (public as well as private) handled by engines.
[Richard Levitte]
*) Add OCSP code that comes from CertCo.
[Richard Levitte]
*) Add VMS support for the Rijndael code.
[Richard Levitte]
*) Added untested support for Nuron crypto accelerator.
[Ben Laurie]
*) Add support for external cryptographic devices. This code was
previously distributed separately as the "engine" branch.
[Geoff Thorpe, Richard Levitte]
*) Rework the filename-translation in the DSO code. It is now possible to
have far greater control over how a "name" is turned into a filename
depending on the operating environment and any oddities about the
different shared library filenames on each system.
[Geoff Thorpe]
*) Support threads on FreeBSD-elf in Configure.
[Richard Levitte]
*) Fix for SHA1 assembly problem with MASM: it produces
warnings about corrupt line number information when assembling
with debugging information. This is caused by the overlapping
of two sections.
[Bernd Matthes <mainbug@celocom.de>, Steve Henson]
*) NCONF changes.
NCONF_get_number() has no error checking at all. As a replacement,
NCONF_get_number_e() is defined (_e for "error checking") and is
promoted strongly. The old NCONF_get_number is kept around for
binary backward compatibility.
Make it possible for methods to load from something other than a BIO,
by providing a function pointer that is given a name instead of a BIO.
For example, this could be used to load configuration data from an
LDAP server.
[Richard Levitte]
*) Fix for non blocking accept BIOs. Added new I/O special reason
BIO_RR_ACCEPT to cover this case. Previously use of accept BIOs
with non blocking I/O was not possible because no retry code was
implemented. Also added new SSL code SSL_WANT_ACCEPT to cover
this case.
[Steve Henson]
*) Added the beginnings of Rijndael support.
[Ben Laurie]
*) Fix for bug in DirectoryString mask setting. Add support for
X509_NAME_print_ex() in 'req' and X509_print_ex() function
to allow certificate printing to more controllable, additional
'certopt' option to 'x509' to allow new printing options to be
set.
[Steve Henson]
*) Clean old EAY MD5 hack from e_os.h.
[Richard Levitte]
Changes between 0.9.6l and 0.9.6m [17 Mar 2004]
*) Fix null-pointer assignment in do_change_cipher_spec() revealed
by using the Codenomicon TLS Test Tool (CVE-2004-0079)
[Joe Orton, Steve Henson]
Changes between 0.9.6k and 0.9.6l [04 Nov 2003]
*) Fix additional bug revealed by the NISCC test suite:
Stop bug triggering large recursion when presented with
certain ASN.1 tags (CVE-2003-0851)
[Steve Henson]
Changes between 0.9.6j and 0.9.6k [30 Sep 2003]
*) Fix various bugs revealed by running the NISCC test suite:
Stop out of bounds reads in the ASN1 code when presented with
invalid tags (CVE-2003-0543 and CVE-2003-0544).
If verify callback ignores invalid public key errors don't try to check
certificate signature with the NULL public key.
[Steve Henson]
*) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
if the server requested one: as stated in TLS 1.0 and SSL 3.0
specifications.
[Steve Henson]
*) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
extra data after the compression methods not only for TLS 1.0
but also for SSL 3.0 (as required by the specification).
[Bodo Moeller; problem pointed out by Matthias Loepfe]
*) Change X509_certificate_type() to mark the key as exported/exportable
when it's 512 *bits* long, not 512 bytes.
[Richard Levitte]
Changes between 0.9.6i and 0.9.6j [10 Apr 2003]
*) Countermeasure against the Klima-Pokorny-Rosa extension of
Bleichbacher's attack on PKCS #1 v1.5 padding: treat
a protocol version number mismatch like a decryption error
in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
[Bodo Moeller]
*) Turn on RSA blinding by default in the default implementation
to avoid a timing attack. Applications that don't want it can call
RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
They would be ill-advised to do so in most cases.
[Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]
*) Change RSA blinding code so that it works when the PRNG is not
seeded (in this case, the secret RSA exponent is abused as
an unpredictable seed -- if it is not unpredictable, there
is no point in blinding anyway). Make RSA blinding thread-safe
by remembering the creator's thread ID in rsa->blinding and
having all other threads use local one-time blinding factors
(this requires more computation than sharing rsa->blinding, but
avoids excessive locking; and if an RSA object is not shared
between threads, blinding will still be very fast).
[Bodo Moeller]
Changes between 0.9.6h and 0.9.6i [19 Feb 2003]
*) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
via timing by performing a MAC computation even if incorrect
block cipher padding has been found. This is a countermeasure
against active attacks where the attacker has to distinguish
between bad padding and a MAC verification error. (CVE-2003-0078)
[Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
Martin Vuagnoux (EPFL, Ilion)]
Changes between 0.9.6g and 0.9.6h [5 Dec 2002]
*) New function OPENSSL_cleanse(), which is used to cleanse a section of
memory from its contents. This is done with a counter that will
place alternating values in each byte. This can be used to solve
two issues: 1) the removal of calls to memset() by highly optimizing
compilers, and 2) cleansing with other values than 0, since those can
be read through on certain media, for example a swap space on disk.
[Geoff Thorpe]
*) Bugfix: client side session caching did not work with external caching,
because the session->cipher setting was not restored when reloading
from the external cache. This problem was masked, when
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set.
(Found by Steve Haslam <steve@araqnid.ddts.net>.)
[Lutz Jaenicke]
*) Fix client_certificate (ssl/s2_clnt.c): The permissible total
length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
[Zeev Lieber <zeev-l@yahoo.com>]
*) Undo an undocumented change introduced in 0.9.6e which caused
repeated calls to OpenSSL_add_all_ciphers() and
OpenSSL_add_all_digests() to be ignored, even after calling
EVP_cleanup().
[Richard Levitte]
*) Change the default configuration reader to deal with last line not
being properly terminated.
[Richard Levitte]
*) Change X509_NAME_cmp() so it applies the special rules on handling
DN values that are of type PrintableString, as well as RDNs of type
emailAddress where the value has the type ia5String.
[stefank@valicert.com via Richard Levitte]
*) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently
doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
the bitwise-OR of the two for use by the majority of applications
wanting this behaviour, and update the docs. The documented
behaviour and actual behaviour were inconsistent and had been
changing anyway, so this is more a bug-fix than a behavioural
change.
[Geoff Thorpe, diagnosed by Nadav Har'El]
*) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
(the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
[Bodo Moeller]
*) Fix initialization code race conditions in
SSLv23_method(), SSLv23_client_method(), SSLv23_server_method(),
SSLv2_method(), SSLv2_client_method(), SSLv2_server_method(),
SSLv3_method(), SSLv3_client_method(), SSLv3_server_method(),
TLSv1_method(), TLSv1_client_method(), TLSv1_server_method(),
ssl2_get_cipher_by_char(),
ssl3_get_cipher_by_char().
[Patrick McCormick <patrick@tellme.com>, Bodo Moeller]
*) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after
the cached sessions are flushed, as the remove_cb() might use ex_data
contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
(see [openssl.org #212]).
[Geoff Thorpe, Lutz Jaenicke]
*) Fix typo in OBJ_txt2obj which incorrectly passed the content
length, instead of the encoding length to d2i_ASN1_OBJECT.
[Steve Henson]
Changes between 0.9.6f and 0.9.6g [9 Aug 2002]
*) [In 0.9.6g-engine release:]
Fix crypto/engine/vendor_defns/cswift.h for WIN32 (use '_stdcall').
[Lynn Gazis <lgazis@rainbow.com>]
Changes between 0.9.6e and 0.9.6f [8 Aug 2002]
*) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX
and get fix the header length calculation.
[Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
Alon Kantor <alonk@checkpoint.com> (and others),
Steve Henson]
*) Use proper error handling instead of 'assertions' in buffer
overflow checks added in 0.9.6e. This prevents DoS (the
assertions could call abort()).
[Arne Ansper <arne@ats.cyber.ee>, Bodo Moeller]
Changes between 0.9.6d and 0.9.6e [30 Jul 2002]
*) Add various sanity checks to asn1_get_length() to reject
the ASN1 length bytes if they exceed sizeof(long), will appear
negative or the content length exceeds the length of the
supplied buffer.
[Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
*) Fix cipher selection routines: ciphers without encryption had no flags
for the cipher strength set and where therefore not handled correctly
by the selection routines (PR #130).
[Lutz Jaenicke]
*) Fix EVP_dsa_sha macro.
[Nils Larsch]
*) New option
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure
that was added in OpenSSL 0.9.6d.
As the countermeasure turned out to be incompatible with some
broken SSL implementations, the new option is part of SSL_OP_ALL.
SSL_OP_ALL is usually employed when compatibility with weird SSL
implementations is desired (e.g. '-bugs' option to 's_client' and
's_server'), so the new option is automatically set in many
applications.
[Bodo Moeller]
*) Changes in security patch:
Changes marked "(CHATS)" were sponsored by the Defense Advanced
Research Projects Agency (DARPA) and Air Force Research Laboratory,
Air Force Materiel Command, USAF, under agreement number
F30602-01-2-0537.
*) Add various sanity checks to asn1_get_length() to reject
the ASN1 length bytes if they exceed sizeof(long), will appear
negative or the content length exceeds the length of the
supplied buffer. (CVE-2002-0659)
[Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
*) Assertions for various potential buffer overflows, not known to
happen in practice.
[Ben Laurie (CHATS)]
*) Various temporary buffers to hold ASCII versions of integers were
too small for 64 bit platforms. (CVE-2002-0655)
[Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>
*) Remote buffer overflow in SSL3 protocol - an attacker could
supply an oversized session ID to a client. (CVE-2002-0656)
[Ben Laurie (CHATS)]
*) Remote buffer overflow in SSL2 protocol - an attacker could
supply an oversized client master key. (CVE-2002-0656)
[Ben Laurie (CHATS)]
Changes between 0.9.6c and 0.9.6d [9 May 2002]
*) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not
encoded as NULL) with id-dsa-with-sha1.
[Nils Larsch <nla@trustcenter.de>; problem pointed out by Bodo Moeller]
*) Check various X509_...() return values in apps/req.c.
[Nils Larsch <nla@trustcenter.de>]
*) Fix BASE64 decode (EVP_DecodeUpdate) for data with CR/LF ended lines:
an end-of-file condition would erroneously be flagged, when the CRLF
was just at the end of a processed block. The bug was discovered when
processing data through a buffering memory BIO handing the data to a
BASE64-decoding BIO. Bug fund and patch submitted by Pavel Tsekov
<ptsekov@syntrex.com> and Nedelcho Stanev.
[Lutz Jaenicke]
*) Implement a countermeasure against a vulnerability recently found
in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment
before application data chunks to avoid the use of known IVs
with data potentially chosen by the attacker.
[Bodo Moeller]
*) Fix length checks in ssl3_get_client_hello().
[Bodo Moeller]
*) TLS/SSL library bugfix: use s->s3->in_read_app_data differently
to prevent ssl3_read_internal() from incorrectly assuming that
ssl3_read_bytes() found application data while handshake
processing was enabled when in fact s->s3->in_read_app_data was
merely automatically cleared during the initial handshake.
[Bodo Moeller; problem pointed out by Arne Ansper <arne@ats.cyber.ee>]
*) Fix object definitions for Private and Enterprise: they were not
recognized in their shortname (=lowercase) representation. Extend
obj_dat.pl to issue an error when using undefined keywords instead
of silently ignoring the problem (Svenning Sorensen
<sss@sss.dnsalias.net>).
[Lutz Jaenicke]
*) Fix DH_generate_parameters() so that it works for 'non-standard'
generators, i.e. generators other than 2 and 5. (Previously, the
code did not properly initialise the 'add' and 'rem' values to
BN_generate_prime().)
In the new general case, we do not insist that 'generator' is
actually a primitive root: This requirement is rather pointless;
a generator of the order-q subgroup is just as good, if not
better.
[Bodo Moeller]
*) Map new X509 verification errors to alerts. Discovered and submitted by
Tom Wu <tom@arcot.com>.
[Lutz Jaenicke]
*) Fix ssl3_pending() (ssl/s3_lib.c) to prevent SSL_pending() from
returning non-zero before the data has been completely received
when using non-blocking I/O.
[Bodo Moeller; problem pointed out by John Hughes]
*) Some of the ciphers missed the strength entry (SSL_LOW etc).
[Ben Laurie, Lutz Jaenicke]
*) Fix bug in SSL_clear(): bad sessions were not removed (found by
Yoram Zahavi <YoramZ@gilian.com>).
[Lutz Jaenicke]
*) Add information about CygWin 1.3 and on, and preserve proper
configuration for the versions before that.
[Corinna Vinschen <vinschen@redhat.com> and Richard Levitte]
*) Make removal from session cache (SSL_CTX_remove_session()) more robust:
check whether we deal with a copy of a session and do not delete from
the cache in this case. Problem reported by "Izhar Shoshani Levi"
<izhar@checkpoint.com>.
[Lutz Jaenicke]
*) Do not store session data into the internal session cache, if it
is never intended to be looked up (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
flag is set). Proposed by Aslam <aslam@funk.com>.
[Lutz Jaenicke]
*) Have ASN1_BIT_STRING_set_bit() really clear a bit when the requested
value is 0.
[Richard Levitte]
*) [In 0.9.6d-engine release:]
Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
[Toomas Kiisk <vix@cyber.ee> via Richard Levitte]
*) Add the configuration target linux-s390x.
[Neale Ferguson <Neale.Ferguson@SoftwareAG-USA.com> via Richard Levitte]
*) The earlier bugfix for the SSL3_ST_SW_HELLO_REQ_C case of
ssl3_accept (ssl/s3_srvr.c) incorrectly used a local flag
variable as an indication that a ClientHello message has been
received. As the flag value will be lost between multiple
invocations of ssl3_accept when using non-blocking I/O, the
function may not be aware that a handshake has actually taken
place, thus preventing a new session from being added to the
session cache.
To avoid this problem, we now set s->new_session to 2 instead of
using a local variable.
[Lutz Jaenicke, Bodo Moeller]
*) Bugfix: Return -1 from ssl3_get_server_done (ssl3/s3_clnt.c)
if the SSL_R_LENGTH_MISMATCH error is detected.
[Geoff Thorpe, Bodo Moeller]
*) New 'shared_ldflag' column in Configure platform table.
[Richard Levitte]
*) Fix EVP_CIPHER_mode macro.
["Dan S. Camper" <dan@bti.net>]
*) Fix ssl3_read_bytes (ssl/s3_pkt.c): To ignore messages of unknown
type, we must throw them away by setting rr->length to 0.
[D P Chang <dpc@qualys.com>]
Changes between 0.9.6b and 0.9.6c [21 dec 2001]
*) Fix BN_rand_range bug pointed out by Dominikus Scherkl
<Dominikus.Scherkl@biodata.com>. (The previous implementation
worked incorrectly for those cases where range = 10..._2 and
3*range is two bits longer than range.)
[Bodo Moeller]
*) Only add signing time to PKCS7 structures if it is not already
present.
[Steve Henson]
*) Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
OBJ_ld_ce should be OBJ_id_ce.
Also some ip-pda OIDs in crypto/objects/objects.txt were
incorrect (cf. RFC 3039).
[Matt Cooper, Frederic Giudicelli, Bodo Moeller]
*) Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid()
returns early because it has nothing to do.
[Andy Schneider <andy.schneider@bjss.co.uk>]
*) [In 0.9.6c-engine release:]
Fix mutex callback return values in crypto/engine/hw_ncipher.c.
[Andy Schneider <andy.schneider@bjss.co.uk>]
*) [In 0.9.6c-engine release:]
Add support for Cryptographic Appliance's keyserver technology.
(Use engine 'keyclient')
[Cryptographic Appliances and Geoff Thorpe]
*) Add a configuration entry for OS/390 Unix. The C compiler 'c89'
is called via tools/c89.sh because arguments have to be
rearranged (all '-L' options must appear before the first object
modules).
[Richard Shapiro <rshapiro@abinitio.com>]
*) [In 0.9.6c-engine release:]
Add support for Broadcom crypto accelerator cards, backported
from 0.9.7.
[Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox]
*) [In 0.9.6c-engine release:]
Add support for SureWare crypto accelerator cards from
Baltimore Technologies. (Use engine 'sureware')
[Baltimore Technologies and Mark Cox]
*) [In 0.9.6c-engine release:]
Add support for crypto accelerator cards from Accelerated
Encryption Processing, www.aep.ie. (Use engine 'aep')
[AEP Inc. and Mark Cox]
*) Add a configuration entry for gcc on UnixWare.
[Gary Benson <gbenson@redhat.com>]
*) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake
messages are stored in a single piece (fixed-length part and
variable-length part combined) and fix various bugs found on the way.
[Bodo Moeller]
*) Disable caching in BIO_gethostbyname(), directly use gethostbyname()
instead. BIO_gethostbyname() does not know what timeouts are
appropriate, so entries would stay in cache even when they have
become invalid.
[Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>
*) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when
faced with a pathologically small ClientHello fragment that does
not contain client_version: Instead of aborting with an error,
simply choose the highest available protocol version (i.e.,
TLS 1.0 unless it is disabled). In practice, ClientHello
messages are never sent like this, but this change gives us
strictly correct behaviour at least for TLS.
[Bodo Moeller]
*) Fix SSL handshake functions and SSL_clear() such that SSL_clear()
never resets s->method to s->ctx->method when called from within
one of the SSL handshake functions.
[Bodo Moeller; problem pointed out by Niko Baric]
*) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
(sent using the client's version number) if client_version is
smaller than the protocol version in use. Also change
ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if
the client demanded SSL 3.0 but only TLS 1.0 is enabled; then
the client will at least see that alert.
[Bodo Moeller]
*) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation
correctly.
[Bodo Moeller]
*) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
client receives HelloRequest while in a handshake.
[Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>]
*) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
should end in 'break', not 'goto end' which circumvents various
cleanups done in state SSL_ST_OK. But session related stuff
must be disabled for SSL_ST_OK in the case that we just sent a
HelloRequest.
Also avoid some overhead by not calling ssl_init_wbio_buffer()
before just sending a HelloRequest.
[Bodo Moeller, Eric Rescorla <ekr@rtfm.com>]
*) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
reveal whether illegal block cipher padding was found or a MAC
verification error occurred. (Neither SSLerr() codes nor alerts
are directly visible to potential attackers, but the information
may leak via logfiles.)
Similar changes are not required for the SSL 2.0 implementation
because the number of padding bytes is sent in clear for SSL 2.0,
and the extra bytes are just ignored. However ssl/s2_pkt.c
failed to verify that the purported number of padding bytes is in
the legal range.
[Bodo Moeller]
*) Add OpenUNIX-8 support including shared libraries
(Boyd Lynn Gerber <gerberb@zenez.com>).
[Lutz Jaenicke]
*) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
'wristwatch attack' using huge encoding parameters (cf.
James H. Manger's CRYPTO 2001 paper). Note that the
RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
encoding parameters and hence was not vulnerable.
[Bodo Moeller]
*) BN_sqr() bug fix.
[Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>]
*) Rabin-Miller test analyses assume uniformly distributed witnesses,
so use BN_pseudo_rand_range() instead of using BN_pseudo_rand()
followed by modular reduction.
[Bodo Moeller; pointed out by Adam Young <AYoung1@NCSUS.JNJ.COM>]
*) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range()
equivalent based on BN_pseudo_rand() instead of BN_rand().
[Bodo Moeller]
*) s3_srvr.c: allow sending of large client certificate lists (> 16 kB).
This function was broken, as the check for a new client hello message
to handle SGC did not allow these large messages.
(Tracked down by "Douglas E. Engert" <deengert@anl.gov>.)
[Lutz Jaenicke]
*) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long]().
[Lutz Jaenicke]
*) Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl()
for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" <shinton@netopia.com>).
[Lutz Jaenicke]
*) Rework the configuration and shared library support for Tru64 Unix.
The configuration part makes use of modern compiler features and
still retains old compiler behavior for those that run older versions
of the OS. The shared library support part includes a variant that
uses the RPATH feature, and is available through the special
configuration target "alpha-cc-rpath", which will never be selected
automatically.
[Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu> via Richard Levitte]
*) In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message()
with the same message size as in ssl3_get_certificate_request().
Otherwise, if no ServerKeyExchange message occurs, CertificateRequest
messages might inadvertently be reject as too long.
[Petr Lampa <lampa@fee.vutbr.cz>]
*) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
[Andy Polyakov]
*) Modified SSL library such that the verify_callback that has been set
specifically for an SSL object with SSL_set_verify() is actually being
used. Before the change, a verify_callback set with this function was
ignored and the verify_callback() set in the SSL_CTX at the time of
the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
to allow the necessary settings.
[Lutz Jaenicke]
*) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c
explicitly to NULL, as at least on Solaris 8 this seems not always to be
done automatically (in contradiction to the requirements of the C
standard). This made problems when used from OpenSSH.
[Lutz Jaenicke]
*) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored
dh->length and always used
BN_rand_range(priv_key, dh->p).
BN_rand_range() is not necessary for Diffie-Hellman, and this
specific range makes Diffie-Hellman unnecessarily inefficient if
dh->length (recommended exponent length) is much smaller than the
length of dh->p. We could use BN_rand_range() if the order of
the subgroup was stored in the DH structure, but we only have
dh->length.
So switch back to
BN_rand(priv_key, l, ...)
where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
otherwise.
[Bodo Moeller]
*) In
RSA_eay_public_encrypt
RSA_eay_private_decrypt
RSA_eay_private_encrypt (signing)
RSA_eay_public_decrypt (signature verification)
(default implementations for RSA_public_encrypt,
RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt),
always reject numbers >= n.
[Bodo Moeller]
*) In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
to synchronize access to 'locking_thread'. This is necessary on
systems where access to 'locking_thread' (an 'unsigned long'
variable) is not atomic.
[Bodo Moeller]
*) In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID
*before* setting the 'crypto_lock_rand' flag. The previous code had
a race condition if 0 is a valid thread ID.
[Travis Vitek <vitek@roguewave.com>]
*) Add support for shared libraries under Irix.
[Albert Chin-A-Young <china@thewrittenword.com>]
*) Add configuration option to build on Linux on both big-endian and
little-endian MIPS.
[Ralf Baechle <ralf@uni-koblenz.de>]
*) Add the possibility to create shared libraries on HP-UX.
[Richard Levitte]
Changes between 0.9.6a and 0.9.6b [9 Jul 2001]
*) Change ssleay_rand_bytes (crypto/rand/md_rand.c)
to avoid a SSLeay/OpenSSL PRNG weakness pointed out by
Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
PRNG state recovery was possible based on the output of
one PRNG request appropriately sized to gain knowledge on
'md' followed by enough consecutive 1-byte PRNG requests
to traverse all of 'state'.
1. When updating 'md_local' (the current thread's copy of 'md')
during PRNG output generation, hash all of the previous
'md_local' value, not just the half used for PRNG output.
2. Make the number of bytes from 'state' included into the hash
independent from the number of PRNG bytes requested.
The first measure alone would be sufficient to avoid
Markku-Juhani's attack. (Actually it had never occurred
to me that the half of 'md_local' used for chaining was the
half from which PRNG output bytes were taken -- I had always
assumed that the secret half would be used.) The second
measure makes sure that additional data from 'state' is never
mixed into 'md_local' in small portions; this heuristically
further strengthens the PRNG.
[Bodo Moeller]
*) Fix crypto/bn/asm/mips3.s.
[Andy Polyakov]
*) When only the key is given to "enc", the IV is undefined. Print out
an error message in this case.
[Lutz Jaenicke]
*) Handle special case when X509_NAME is empty in X509 printing routines.
[Steve Henson]
*) In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
positive and less than q.
[Bodo Moeller]
*) Don't change *pointer in CRYPTO_add_lock() is add_lock_callback is
used: it isn't thread safe and the add_lock_callback should handle
that itself.
[Paul Rose <Paul.Rose@bridge.com>]
*) Verify that incoming data obeys the block size in
ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).
[Bodo Moeller]
*) Fix OAEP check.
[Ulf Möller, Bodo Möller]
*) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
when fixing the server behaviour for backwards-compatible 'client
hello' messages. (Note that the attack is impractical against
SSL 3.0 and TLS 1.0 anyway because length and version checking
means that the probability of guessing a valid ciphertext is
around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
paper.)
Before 0.9.5, the countermeasure (hide the error by generating a
random 'decryption result') did not work properly because
ERR_clear_error() was missing, meaning that SSL_get_error() would
detect the supposedly ignored error.
Both problems are now fixed.
[Bodo Moeller]
*) In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096
(previously it was 1024).
[Bodo Moeller]
*) Fix for compatibility mode trust settings: ignore trust settings
unless some valid trust or reject settings are present.
[Steve Henson]
*) Fix for blowfish EVP: its a variable length cipher.
[Steve Henson]
*) Fix various bugs related to DSA S/MIME verification. Handle missing
parameters in DSA public key structures and return an error in the
DSA routines if parameters are absent.
[Steve Henson]
*) In versions up to 0.9.6, RAND_file_name() resorted to file ".rnd"
in the current directory if neither $RANDFILE nor $HOME was set.
RAND_file_name() in 0.9.6a returned NULL in this case. This has
caused some confusion to Windows users who haven't defined $HOME.
Thus RAND_file_name() is changed again: e_os.h can define a
DEFAULT_HOME, which will be used if $HOME is not set.
For Windows, we use "C:"; on other platforms, we still require
environment variables.
*) Move 'if (!initialized) RAND_poll()' into regions protected by
CRYPTO_LOCK_RAND. This is not strictly necessary, but avoids
having multiple threads call RAND_poll() concurrently.
[Bodo Moeller]
*) In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a
combination of a flag and a thread ID variable.
Otherwise while one thread is in ssleay_rand_bytes (which sets the
flag), *other* threads can enter ssleay_add_bytes without obeying
the CRYPTO_LOCK_RAND lock (and may even illegally release the lock
that they do not hold after the first thread unsets add_do_not_lock).
[Bodo Moeller]
*) Change bctest again: '-x' expressions are not available in all
versions of 'test'.
[Bodo Moeller]
Changes between 0.9.6 and 0.9.6a [5 Apr 2001]
*) Fix a couple of memory leaks in PKCS7_dataDecode()
[Steve Henson, reported by Heyun Zheng <hzheng@atdsprint.com>]
*) Change Configure and Makefiles to provide EXE_EXT, which will contain
the default extension for executables, if any. Also, make the perl
scripts that use symlink() to test if it really exists and use "cp"
if it doesn't. All this made OpenSSL compilable and installable in
CygWin.
[Richard Levitte]
*) Fix for asn1_GetSequence() for indefinite length constructed data.
If SEQUENCE is length is indefinite just set c->slen to the total
amount of data available.
[Steve Henson, reported by shige@FreeBSD.org]
[This change does not apply to 0.9.7.]
*) Change bctest to avoid here-documents inside command substitution
(workaround for FreeBSD /bin/sh bug).
For compatibility with Ultrix, avoid shell functions (introduced
in the bctest version that searches along $PATH).
[Bodo Moeller]
*) Rename 'des_encrypt' to 'des_encrypt1'. This avoids the clashes
with des_encrypt() defined on some operating systems, like Solaris
and UnixWare.
[Richard Levitte]
*) Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton:
On the Importance of Eliminating Errors in Cryptographic
Computations, J. Cryptology 14 (2001) 2, 101-119,
http://theory.stanford.edu/~dabo/papers/faults.ps.gz).
[Ulf Moeller]
*) MIPS assembler BIGNUM division bug fix.
[Andy Polyakov]
*) Disabled incorrect Alpha assembler code.
[Richard Levitte]
*) Fix PKCS#7 decode routines so they correctly update the length
after reading an EOC for the EXPLICIT tag.
[Steve Henson]
[This change does not apply to 0.9.7.]
*) Fix bug in PKCS#12 key generation routines. This was triggered
if a 3DES key was generated with a 0 initial byte. Include
PKCS12_BROKEN_KEYGEN compilation option to retain the old
(but broken) behaviour.
[Steve Henson]
*) Enhance bctest to search for a working bc along $PATH and print
it when found.
[Tim Rice <tim@multitalents.net> via Richard Levitte]
*) Fix memory leaks in err.c: free err_data string if necessary;
don't write to the wrong index in ERR_set_error_data.
[Bodo Moeller]
*) Implement ssl23_peek (analogous to ssl23_read), which previously
did not exist.
[Bodo Moeller]
*) Replace rdtsc with _emit statements for VC++ version 5.
[Jeremy Cooper <jeremy@baymoo.org>]
*) Make it possible to reuse SSLv2 sessions.
[Richard Levitte]
*) In copy_email() check for >= 0 as a return value for
X509_NAME_get_index_by_NID() since 0 is a valid index.
[Steve Henson reported by Massimiliano Pala <madwolf@opensca.org>]
*) Avoid coredump with unsupported or invalid public keys by checking if
X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when
PKCS7_verify() fails with non detached data.
[Steve Henson]
*) Don't use getenv in library functions when run as setuid/setgid.
New function OPENSSL_issetugid().
[Ulf Moeller]
*) Avoid false positives in memory leak detection code (crypto/mem_dbg.c)
due to incorrect handling of multi-threading:
1. Fix timing glitch in the MemCheck_off() portion of CRYPTO_mem_ctrl().
2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on().
3. Count how many times MemCheck_off() has been called so that
nested use can be treated correctly. This also avoids
inband-signalling in the previous code (which relied on the
assumption that thread ID 0 is impossible).
[Bodo Moeller]
*) Add "-rand" option also to s_client and s_server.
[Lutz Jaenicke]
*) Fix CPU detection on Irix 6.x.
[Kurt Hockenbury <khockenb@stevens-tech.edu> and
"Bruce W. Forsberg" <bruce.forsberg@baesystems.com>]
*) Fix X509_NAME bug which produced incorrect encoding if X509_NAME
was empty.
[Steve Henson]
[This change does not apply to 0.9.7.]
*) Use the cached encoding of an X509_NAME structure rather than
copying it. This is apparently the reason for the libsafe "errors"
but the code is actually correct.
[Steve Henson]
*) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
Bleichenbacher's DSA attack.
Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits
to be set and top=0 forces the highest bit to be set; top=-1 is new
and leaves the highest bit random.
[Ulf Moeller, Bodo Moeller]
*) In the NCONF_...-based implementations for CONF_... queries
(crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using
a temporary CONF structure with the data component set to NULL
(which gives segmentation faults in lh_retrieve).
Instead, use NULL for the CONF pointer in CONF_get_string and
CONF_get_number (which may use environment variables) and directly
return NULL from CONF_get_section.
[Bodo Moeller]
*) Fix potential buffer overrun for EBCDIC.
[Ulf Moeller]
*) Tolerate nonRepudiation as being valid for S/MIME signing and certSign
keyUsage if basicConstraints absent for a CA.
[Steve Henson]
*) Make SMIME_write_PKCS7() write mail header values with a format that
is more generally accepted (no spaces before the semicolon), since
some programs can't parse those values properly otherwise. Also make
sure BIO's that break lines after each write do not create invalid
headers.
[Richard Levitte]
*) Make the CRL encoding routines work with empty SEQUENCE OF. The
macros previously used would not encode an empty SEQUENCE OF
and break the signature.
[Steve Henson]
[This change does not apply to 0.9.7.]
*) Zero the premaster secret after deriving the master secret in
DH ciphersuites.
[Steve Henson]
*) Add some EVP_add_digest_alias registrations (as found in
OpenSSL_add_all_digests()) to SSL_library_init()
aka OpenSSL_add_ssl_algorithms(). This provides improved
compatibility with peers using X.509 certificates
with unconventional AlgorithmIdentifier OIDs.
[Bodo Moeller]
*) Fix for Irix with NO_ASM.
["Bruce W. Forsberg" <bruce.forsberg@baesystems.com>]
*) ./config script fixes.
[Ulf Moeller, Richard Levitte]
*) Fix 'openssl passwd -1'.
[Bodo Moeller]
*) Change PKCS12_key_gen_asc() so it can cope with non null
terminated strings whose length is passed in the passlen
parameter, for example from PEM callbacks. This was done
by adding an extra length parameter to asc2uni().
[Steve Henson, reported by <oddissey@samsung.co.kr>]
*) Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn
call failed, free the DSA structure.
[Bodo Moeller]
*) Fix to uni2asc() to cope with zero length Unicode strings.
These are present in some PKCS#12 files.
[Steve Henson]
*) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c).
Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits
when writing a 32767 byte record.
[Bodo Moeller; problem reported by Eric Day <eday@concentric.net>]
*) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c),
obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}.
(RSA objects have a reference count access to which is protected
by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c],
so they are meant to be shared between threads.)
[Bodo Moeller, Geoff Thorpe; original patch submitted by
"Reddie, Steven" <Steven.Reddie@ca.com>]
*) Fix a deadlock in CRYPTO_mem_leaks().
[Bodo Moeller]
*) Use better test patterns in bntest.
[Ulf Möller]
*) rand_win.c fix for Borland C.
[Ulf Möller]
*) BN_rshift bugfix for n == 0.
[Bodo Moeller]
*) Add a 'bctest' script that checks for some known 'bc' bugs
so that 'make test' does not abort just because 'bc' is broken.
[Bodo Moeller]
*) Store verify_result within SSL_SESSION also for client side to
avoid potential security hole. (Re-used sessions on the client side
always resulted in verify_result==X509_V_OK, not using the original
result of the server certificate verification.)
[Lutz Jaenicke]
*) Fix ssl3_pending: If the record in s->s3->rrec is not of type
SSL3_RT_APPLICATION_DATA, return 0.
Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true.
[Bodo Moeller]
*) Fix SSL_peek:
Both ssl2_peek and ssl3_peek, which were totally broken in earlier
releases, have been re-implemented by renaming the previous
implementations of ssl2_read and ssl3_read to ssl2_read_internal
and ssl3_read_internal, respectively, and adding 'peek' parameters
to them. The new ssl[23]_{read,peek} functions are calls to
ssl[23]_read_internal with the 'peek' flag set appropriately.
A 'peek' parameter has also been added to ssl3_read_bytes, which
does the actual work for ssl3_read_internal.
[Bodo Moeller]
*) Initialise "ex_data" member of RSA/DSA/DH structures prior to calling
the method-specific "init()" handler. Also clean up ex_data after
calling the method-specific "finish()" handler. Previously, this was
happening the other way round.
[Geoff Thorpe]
*) Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16.
The previous value, 12, was not always sufficient for BN_mod_exp().
[Bodo Moeller]
*) Make sure that shared libraries get the internal name engine with
the full version number and not just 0. This should mark the
shared libraries as not backward compatible. Of course, this should
be changed again when we can guarantee backward binary compatibility.
[Richard Levitte]
*) Fix typo in get_cert_by_subject() in by_dir.c
[Jean-Marc Desperrier <jean-marc.desperrier@certplus.com>]
*) Rework the system to generate shared libraries:
- Make note of the expected extension for the shared libraries and
if there is a need for symbolic links from for example libcrypto.so.0
to libcrypto.so.0.9.7. There is extended info in Configure for
that.
- Make as few rebuilds of the shared libraries as possible.
- Still avoid linking the OpenSSL programs with the shared libraries.
- When installing, install the shared libraries separately from the
static ones.
[Richard Levitte]
*) Fix SSL_CTX_set_read_ahead macro to actually use its argument.
Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new
and not in SSL_clear because the latter is also used by the
accept/connect functions; previously, the settings made by
SSL_set_read_ahead would be lost during the handshake.
[Bodo Moeller; problems reported by Anders Gertz <gertz@epact.se>]
*) Correct util/mkdef.pl to be selective about disabled algorithms.
Previously, it would create entries for disabled algorithms no
matter what.
[Richard Levitte]
*) Added several new manual pages for SSL_* function.
[Lutz Jaenicke]
Changes between 0.9.5a and 0.9.6 [24 Sep 2000]
*) In ssl23_get_client_hello, generate an error message when faced
with an initial SSL 3.0/TLS record that is too small to contain the
first two bytes of the ClientHello message, i.e. client_version.
(Note that this is a pathologic case that probably has never happened
in real life.) The previous approach was to use the version number
from the record header as a substitute; but our protocol choice
should not depend on that one because it is not authenticated
by the Finished messages.
[Bodo Moeller]
*) More robust randomness gathering functions for Windows.
[Jeffrey Altman <jaltman@columbia.edu>]
*) For compatibility reasons if the flag X509_V_FLAG_ISSUER_CHECK is
not set then we don't setup the error code for issuer check errors
to avoid possibly overwriting other errors which the callback does
handle. If an application does set the flag then we assume it knows
what it is doing and can handle the new informational codes
appropriately.
[Steve Henson]
*) Fix for a nasty bug in ASN1_TYPE handling. ASN1_TYPE is used for
a general "ANY" type, as such it should be able to decode anything
including tagged types. However it didn't check the class so it would
wrongly interpret tagged types in the same way as their universal
counterpart and unknown types were just rejected. Changed so that the
tagged and unknown types are handled in the same way as a SEQUENCE:
that is the encoding is stored intact. There is also a new type
"V_ASN1_OTHER" which is used when the class is not universal, in this
case we have no idea what the actual type is so we just lump them all
together.
[Steve Henson]
*) On VMS, stdout may very well lead to a file that is written to
in a record-oriented fashion. That means that every write() will
write a separate record, which will be read separately by the
programs trying to read from it. This can be very confusing.
The solution is to put a BIO filter in the way that will buffer
text until a linefeed is reached, and then write everything a
line at a time, so every record written will be an actual line,
not chunks of lines and not (usually doesn't happen, but I've
seen it once) several lines in one record. BIO_f_linebuffer() is
the answer.
Currently, it's a VMS-only method, because that's where it has
been tested well enough.
[Richard Levitte]
*) Remove 'optimized' squaring variant in BN_mod_mul_montgomery,
it can return incorrect results.
(Note: The buggy variant was not enabled in OpenSSL 0.9.5a,
but it was in 0.9.6-beta[12].)
[Bodo Moeller]
*) Disable the check for content being present when verifying detached
signatures in pk7_smime.c. Some versions of Netscape (wrongly)
include zero length content when signing messages.
[Steve Henson]
*) New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR
BIO_ctrl (for BIO pairs).
[Bodo Möller]
*) Add DSO method for VMS.
[Richard Levitte]
*) Bug fix: Montgomery multiplication could produce results with the
wrong sign.
[Ulf Möller]
*) Add RPM specification openssl.spec and modify it to build three
packages. The default package contains applications, application
documentation and run-time libraries. The devel package contains
include files, static libraries and function documentation. The
doc package contains the contents of the doc directory. The original
openssl.spec was provided by Damien Miller <djm@mindrot.org>.
[Richard Levitte]
*) Add a large number of documentation files for many SSL routines.
[Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>]
*) Add a configuration entry for Sony News 4.
[NAKAJI Hiroyuki <nakaji@tutrp.tut.ac.jp>]
*) Don't set the two most significant bits to one when generating a
random number < q in the DSA library.
[Ulf Möller]
*) New SSL API mode 'SSL_MODE_AUTO_RETRY'. This disables the default
behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if
the underlying transport is blocking) if a handshake took place.
(The default behaviour is needed by applications such as s_client
and s_server that use select() to determine when to use SSL_read;
but for applications that know in advance when to expect data, it
just makes things more complicated.)
[Bodo Moeller]
*) Add RAND_egd_bytes(), which gives control over the number of bytes read
from EGD.
[Ben Laurie]
*) Add a few more EBCDIC conditionals that make `req' and `x509'
work better on such systems.
[Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>]
*) Add two demo programs for PKCS12_parse() and PKCS12_create().
Update PKCS12_parse() so it copies the friendlyName and the
keyid to the certificates aux info.
[Steve Henson]
*) Fix bug in PKCS7_verify() which caused an infinite loop
if there was more than one signature.
[Sven Uszpelkat <su@celocom.de>]
*) Major change in util/mkdef.pl to include extra information
about each symbol, as well as presenting variables as well
as functions. This change means that there's n more need
to rebuild the .num files when some algorithms are excluded.
[Richard Levitte]
*) Allow the verify time to be set by an application,
rather than always using the current time.
[Steve Henson]
*) Phase 2 verify code reorganisation. The certificate
verify code now looks up an issuer certificate by a
number of criteria: subject name, authority key id
and key usage. It also verifies self signed certificates
by the same criteria. The main comparison function is
X509_check_issued() which performs these checks.
Lot of changes were necessary in order to support this
without completely rewriting the lookup code.
Authority and subject key identifier are now cached.
The LHASH 'certs' is X509_STORE has now been replaced
by a STACK_OF(X509_OBJECT). This is mainly because an
LHASH can't store or retrieve multiple objects with
the same hash value.
As a result various functions (which were all internal
use only) have changed to handle the new X509_STORE
structure. This will break anything that messed round
with X509_STORE internally.
The functions X509_STORE_add_cert() now checks for an
exact match, rather than just subject name.
The X509_STORE API doesn't directly support the retrieval
of multiple certificates matching a given criteria, however
this can be worked round by performing a lookup first
(which will fill the cache with candidate certificates)
and then examining the cache for matches. This is probably
the best we can do without throwing out X509_LOOKUP
entirely (maybe later...).
The X509_VERIFY_CTX structure has been enhanced considerably.
All certificate lookup operations now go via a get_issuer()
callback. Although this currently uses an X509_STORE it
can be replaced by custom lookups. This is a simple way
to bypass the X509_STORE hackery necessary to make this
work and makes it possible to use more efficient techniques
in future. A very simple version which uses a simple
STACK for its trusted certificate store is also provided
using X509_STORE_CTX_trusted_stack().
The verify_cb() and verify() callbacks now have equivalents
in the X509_STORE_CTX structure.
X509_STORE_CTX also has a 'flags' field which can be used
to customise the verify behaviour.
[Steve Henson]
*) Add new PKCS#7 signing option PKCS7_NOSMIMECAP which
excludes S/MIME capabilities.
[Steve Henson]
*) When a certificate request is read in keep a copy of the
original encoding of the signed data and use it when outputting
again. Signatures then use the original encoding rather than
a decoded, encoded version which may cause problems if the
request is improperly encoded.
[Steve Henson]
*) For consistency with other BIO_puts implementations, call
buffer_write(b, ...) directly in buffer_puts instead of calling
BIO_write(b, ...).
In BIO_puts, increment b->num_write as in BIO_write.
[Peter.Sylvester@EdelWeb.fr]
*) Fix BN_mul_word for the case where the word is 0. (We have to use
BN_zero, we may not return a BIGNUM with an array consisting of
words set to zero.)
[Bodo Moeller]
*) Avoid calling abort() from within the library when problems are
detected, except if preprocessor symbols have been defined
(such as REF_CHECK, BN_DEBUG etc.).
[Bodo Moeller]
*) New openssl application 'rsautl'. This utility can be
used for low level RSA operations. DER public key
BIO/fp routines also added.
[Steve Henson]
*) New Configure entry and patches for compiling on QNX 4.
[Andreas Schneider <andreas@ds3.etech.fh-hamburg.de>]
*) A demo state-machine implementation was sponsored by
Nuron (http://www.nuron.com/) and is now available in
demos/state_machine.
[Ben Laurie]
*) New options added to the 'dgst' utility for signature
generation and verification.
[Steve Henson]
*) Unrecognized PKCS#7 content types are now handled via a
catch all ASN1_TYPE structure. This allows unsupported
types to be stored as a "blob" and an application can
encode and decode it manually.
[Steve Henson]
*) Fix various signed/unsigned issues to make a_strex.c
compile under VC++.
[Oscar Jacobsson <oscar.jacobsson@celocom.com>]
*) ASN1 fixes. i2d_ASN1_OBJECT was not returning the correct
length if passed a buffer. ASN1_INTEGER_to_BN failed
if passed a NULL BN and its argument was negative.
[Steve Henson, pointed out by Sven Heiberg <sven@tartu.cyber.ee>]
*) Modification to PKCS#7 encoding routines to output definite
length encoding. Since currently the whole structures are in
memory there's not real point in using indefinite length
constructed encoding. However if OpenSSL is compiled with
the flag PKCS7_INDEFINITE_ENCODING the old form is used.
[Steve Henson]
*) Added BIO_vprintf() and BIO_vsnprintf().
[Richard Levitte]
*) Added more prefixes to parse for in the strings written
through a logging bio, to cover all the levels that are available
through syslog. The prefixes are now:
PANIC, EMERG, EMR => LOG_EMERG
ALERT, ALR => LOG_ALERT
CRIT, CRI => LOG_CRIT
ERROR, ERR => LOG_ERR
WARNING, WARN, WAR => LOG_WARNING
NOTICE, NOTE, NOT => LOG_NOTICE
INFO, INF => LOG_INFO
DEBUG, DBG => LOG_DEBUG
and as before, if none of those prefixes are present at the
beginning of the string, LOG_ERR is chosen.
On Win32, the LOG_* levels are mapped according to this:
LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR => EVENTLOG_ERROR_TYPE
LOG_WARNING => EVENTLOG_WARNING_TYPE
LOG_NOTICE, LOG_INFO, LOG_DEBUG => EVENTLOG_INFORMATION_TYPE
[Richard Levitte]
*) Made it possible to reconfigure with just the configuration
argument "reconf" or "reconfigure". The command line arguments
are stored in Makefile.ssl in the variable CONFIGURE_ARGS,
and are retrieved from there when reconfiguring.
[Richard Levitte]
*) MD4 implemented.
[Assar Westerlund <assar@sics.se>, Richard Levitte]
*) Add the arguments -CAfile and -CApath to the pkcs12 utility.
[Richard Levitte]
*) The obj_dat.pl script was messing up the sorting of object
names. The reason was that it compared the quoted version
of strings as a result "OCSP" > "OCSP Signing" because
" > SPACE. Changed script to store unquoted versions of
names and add quotes on output. It was also omitting some
names from the lookup table if they were given a default
value (that is if SN is missing it is given the same
value as LN and vice versa), these are now added on the
grounds that if an object has a name we should be able to
look it up. Finally added warning output when duplicate
short or long names are found.
[Steve Henson]
*) Changes needed for Tandem NSK.
[Scott Uroff <scott@xypro.com>]
*) Fix SSL 2.0 rollback checking: Due to an off-by-one error in
RSA_padding_check_SSLv23(), special padding was never detected
and thus the SSL 3.0/TLS 1.0 countermeasure against protocol
version rollback attacks was not effective.
In s23_clnt.c, don't use special rollback-attack detection padding
(RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the
client; similarly, in s23_srvr.c, don't do the rollback check if
SSL 2.0 is the only protocol enabled in the server.
[Bodo Moeller]
*) Make it possible to get hexdumps of unprintable data with 'openssl
asn1parse'. By implication, the functions ASN1_parse_dump() and
BIO_dump_indent() are added.
[Richard Levitte]
*) New functions ASN1_STRING_print_ex() and X509_NAME_print_ex()
these print out strings and name structures based on various
flags including RFC2253 support and proper handling of
multibyte characters. Added options to the 'x509' utility
to allow the various flags to be set.
[Steve Henson]
*) Various fixes to use ASN1_TIME instead of ASN1_UTCTIME.
Also change the functions X509_cmp_current_time() and
X509_gmtime_adj() work with an ASN1_TIME structure,
this will enable certificates using GeneralizedTime in validity
dates to be checked.
[Steve Henson]
*) Make the NEG_PUBKEY_BUG code (which tolerates invalid
negative public key encodings) on by default,
NO_NEG_PUBKEY_BUG can be set to disable it.
[Steve Henson]
*) New function c2i_ASN1_OBJECT() which acts on ASN1_OBJECT
content octets. An i2c_ASN1_OBJECT is unnecessary because
the encoding can be trivially obtained from the structure.
[Steve Henson]
*) crypto/err.c locking bugfix: Use write locks (CRYPTO_w_[un]lock),
not read locks (CRYPTO_r_[un]lock).
[Bodo Moeller]
*) A first attempt at creating official support for shared
libraries through configuration. I've kept it so the
default is static libraries only, and the OpenSSL programs
are always statically linked for now, but there are
preparations for dynamic linking in place.
This has been tested on Linux and Tru64.
[Richard Levitte]
*) Randomness polling function for Win9x, as described in:
Peter Gutmann, Software Generation of Practically Strong
Random Numbers.
[Ulf Möller]
*) Fix so PRNG is seeded in req if using an already existing
DSA key.
[Steve Henson]
*) New options to smime application. -inform and -outform
allow alternative formats for the S/MIME message including
PEM and DER. The -content option allows the content to be
specified separately. This should allow things like Netscape
form signing output easier to verify.
[Steve Henson]
*) Fix the ASN1 encoding of tags using the 'long form'.
[Steve Henson]
*) New ASN1 functions, i2c_* and c2i_* for INTEGER and BIT
STRING types. These convert content octets to and from the
underlying type. The actual tag and length octets are
already assumed to have been read in and checked. These
are needed because all other string types have virtually
identical handling apart from the tag. By having versions
of the ASN1 functions that just operate on content octets
IMPLICIT tagging can be handled properly. It also allows
the ASN1_ENUMERATED code to be cut down because ASN1_ENUMERATED
and ASN1_INTEGER are identical apart from the tag.
[Steve Henson]
*) Change the handling of OID objects as follows:
- New object identifiers are inserted in objects.txt, following
the syntax given in objects.README.
- objects.pl is used to process obj_mac.num and create a new
obj_mac.h.
- obj_dat.pl is used to create a new obj_dat.h, using the data in
obj_mac.h.
This is currently kind of a hack, and the perl code in objects.pl
isn't very elegant, but it works as I intended. The simplest way
to check that it worked correctly is to look in obj_dat.h and
check the array nid_objs and make sure the objects haven't moved
around (this is important!). Additions are OK, as well as
consistent name changes.
[Richard Levitte]
*) Add BSD-style MD5-based passwords to 'openssl passwd' (option '-1').
[Bodo Moeller]
*) Addition of the command line parameter '-rand file' to 'openssl req'.
The given file adds to whatever has already been seeded into the
random pool through the RANDFILE configuration file option or
environment variable, or the default random state file.
[Richard Levitte]
*) mkstack.pl now sorts each macro group into lexical order.
Previously the output order depended on the order the files
appeared in the directory, resulting in needless rewriting
of safestack.h .
[Steve Henson]
*) Patches to make OpenSSL compile under Win32 again. Mostly
work arounds for the VC++ problem that it treats func() as
func(void). Also stripped out the parts of mkdef.pl that
added extra typesafe functions: these no longer exist.
[Steve Henson]
*) Reorganisation of the stack code. The macros are now all
collected in safestack.h . Each macro is defined in terms of
a "stack macro" of the form SKM_<name>(type, a, b). The
DEBUG_SAFESTACK is now handled in terms of function casts,
this has the advantage of retaining type safety without the
use of additional functions. If DEBUG_SAFESTACK is not defined
then the non typesafe macros are used instead. Also modified the
mkstack.pl script to handle the new form. Needs testing to see
if which (if any) compilers it chokes and maybe make DEBUG_SAFESTACK
the default if no major problems. Similar behaviour for ASN1_SET_OF
and PKCS12_STACK_OF.
[Steve Henson]
*) When some versions of IIS use the 'NET' form of private key the
key derivation algorithm is different. Normally MD5(password) is
used as a 128 bit RC4 key. In the modified case
MD5(MD5(password) + "SGCKEYSALT") is used instead. Added some
new functions i2d_RSA_NET(), d2i_RSA_NET() etc which are the same
as the old Netscape_RSA functions except they have an additional
'sgckey' parameter which uses the modified algorithm. Also added
an -sgckey command line option to the rsa utility. Thanks to
Adrian Peck <bertie@ncipher.com> for posting details of the modified
algorithm to openssl-dev.
[Steve Henson]
*) The evp_local.h macros were using 'c.##kname' which resulted in
invalid expansion on some systems (SCO 5.0.5 for example).
Corrected to 'c.kname'.
[Phillip Porch <root@theporch.com>]
*) New X509_get1_email() and X509_REQ_get1_email() functions that return
a STACK of email addresses from a certificate or request, these look
in the subject name and the subject alternative name extensions and
omit any duplicate addresses.
[Steve Henson]
*) Re-implement BN_mod_exp2_mont using independent (and larger) windows.
This makes DSA verification about 2 % faster.
[Bodo Moeller]
*) Increase maximum window size in BN_mod_exp_... to 6 bits instead of 5
(meaning that now 2^5 values will be precomputed, which is only 4 KB
plus overhead for 1024 bit moduli).
This makes exponentiations about 0.5 % faster for 1024 bit
exponents (as measured by "openssl speed rsa2048").
[Bodo Moeller]
*) Rename memory handling macros to avoid conflicts with other
software:
Malloc => OPENSSL_malloc
Malloc_locked => OPENSSL_malloc_locked
Realloc => OPENSSL_realloc
Free => OPENSSL_free
[Richard Levitte]
*) New function BN_mod_exp_mont_word for small bases (roughly 15%
faster than BN_mod_exp_mont, i.e. 7% for a full DH exchange).
[Bodo Moeller]
*) CygWin32 support.
[John Jarvie <jjarvie@newsguy.com>]
*) The type-safe stack code has been rejigged. It is now only compiled
in when OpenSSL is configured with the DEBUG_SAFESTACK option and
by default all type-specific stack functions are "#define"d back to
standard stack functions. This results in more streamlined output
but retains the type-safety checking possibilities of the original
approach.
[Geoff Thorpe]
*) The STACK code has been cleaned up, and certain type declarations
that didn't make a lot of sense have been brought in line. This has
also involved a cleanup of sorts in safestack.h to more correctly
map type-safe stack functions onto their plain stack counterparts.
This work has also resulted in a variety of "const"ifications of
lots of the code, especially "_cmp" operations which should normally
be prototyped with "const" parameters anyway.
[Geoff Thorpe]
*) When generating bytes for the first time in md_rand.c, 'stir the pool'
by seeding with STATE_SIZE dummy bytes (with zero entropy count).
(The PRNG state consists of two parts, the large pool 'state' and 'md',
where all of 'md' is used each time the PRNG is used, but 'state'
is used only indexed by a cyclic counter. As entropy may not be
well distributed from the beginning, 'md' is important as a
chaining variable. However, the output function chains only half
of 'md', i.e. 80 bits. ssleay_rand_add, on the other hand, chains
all of 'md', and seeding with STATE_SIZE dummy bytes will result
in all of 'state' being rewritten, with the new values depending
on virtually all of 'md'. This overcomes the 80 bit limitation.)
[Bodo Moeller]
*) In ssl/s2_clnt.c and ssl/s3_clnt.c, call ERR_clear_error() when
the handshake is continued after ssl_verify_cert_chain();
otherwise, if SSL_VERIFY_NONE is set, remaining error codes
can lead to 'unexplainable' connection aborts later.
[Bodo Moeller; problem tracked down by Lutz Jaenicke]
*) Major EVP API cipher revision.
Add hooks for extra EVP features. This allows various cipher
parameters to be set in the EVP interface. Support added for variable
key length ciphers via the EVP_CIPHER_CTX_set_key_length() function and
setting of RC2 and RC5 parameters.
Modify EVP_OpenInit() and EVP_SealInit() to cope with variable key length
ciphers.
Remove lots of duplicated code from the EVP library. For example *every*
cipher init() function handles the 'iv' in the same way according to the
cipher mode. They also all do nothing if the 'key' parameter is NULL and
for CFB and OFB modes they zero ctx->num.
New functionality allows removal of S/MIME code RC2 hack.
Most of the routines have the same form and so can be declared in terms
of macros.
By shifting this to the top level EVP_CipherInit() it can be removed from
all individual ciphers. If the cipher wants to handle IVs or keys
differently it can set the EVP_CIPH_CUSTOM_IV or EVP_CIPH_ALWAYS_CALL_INIT
flags.
Change lots of functions like EVP_EncryptUpdate() to now return a
value: although software versions of the algorithms cannot fail
any installed hardware versions can.
[Steve Henson]
*) Implement SSL_OP_TLS_ROLLBACK_BUG: In ssl3_get_client_key_exchange, if
this option is set, tolerate broken clients that send the negotiated
protocol version number instead of the requested protocol version
number.
[Bodo Moeller]
*) Call dh_tmp_cb (set by ..._TMP_DH_CB) with correct 'is_export' flag;
i.e. non-zero for export ciphersuites, zero otherwise.
Previous versions had this flag inverted, inconsistent with
rsa_tmp_cb (..._TMP_RSA_CB).
[Bodo Moeller; problem reported by Amit Chopra]
*) Add missing DSA library text string. Work around for some IIS
key files with invalid SEQUENCE encoding.
[Steve Henson]
*) Add a document (doc/standards.txt) that list all kinds of standards
and so on that are implemented in OpenSSL.
[Richard Levitte]
*) Enhance c_rehash script. Old version would mishandle certificates
with the same subject name hash and wouldn't handle CRLs at all.
Added -fingerprint option to crl utility, to support new c_rehash
features.
[Steve Henson]
*) Eliminate non-ANSI declarations in crypto.h and stack.h.
[Ulf Möller]
*) Fix for SSL server purpose checking. Server checking was
rejecting certificates which had extended key usage present
but no ssl client purpose.
[Steve Henson, reported by Rene Grosser <grosser@hisolutions.com>]
*) Make PKCS#12 code work with no password. The PKCS#12 spec
is a little unclear about how a blank password is handled.
Since the password in encoded as a BMPString with terminating
double NULL a zero length password would end up as just the
double NULL. However no password at all is different and is
handled differently in the PKCS#12 key generation code. NS
treats a blank password as zero length. MSIE treats it as no
password on export: but it will try both on import. We now do
the same: PKCS12_parse() tries zero length and no password if
the password is set to "" or NULL (NULL is now a valid password:
it wasn't before) as does the pkcs12 application.
[Steve Henson]
*) Bugfixes in apps/x509.c: Avoid a memory leak; and don't use
perror when PEM_read_bio_X509_REQ fails, the error message must
be obtained from the error queue.
[Bodo Moeller]
*) Avoid 'thread_hash' memory leak in crypto/err/err.c by freeing
it in ERR_remove_state if appropriate, and change ERR_get_state
accordingly to avoid race conditions (this is necessary because
thread_hash is no longer constant once set).
[Bodo Moeller]
*) Bugfix for linux-elf makefile.one.
[Ulf Möller]
*) RSA_get_default_method() will now cause a default
RSA_METHOD to be chosen if one doesn't exist already.
Previously this was only set during a call to RSA_new()
or RSA_new_method(NULL) meaning it was possible for
RSA_get_default_method() to return NULL.
[Geoff Thorpe]
*) Added native name translation to the existing DSO code
that will convert (if the flag to do so is set) filenames
that are sufficiently small and have no path information
into a canonical native form. Eg. "blah" converted to
"libblah.so" or "blah.dll" etc.
[Geoff Thorpe]
*) New function ERR_error_string_n(e, buf, len) which is like
ERR_error_string(e, buf), but writes at most 'len' bytes
including the 0 terminator. For ERR_error_string_n, 'buf'
may not be NULL.
[Damien Miller <djm@mindrot.org>, Bodo Moeller]
*) CONF library reworked to become more general. A new CONF
configuration file reader "class" is implemented as well as a
new functions (NCONF_*, for "New CONF") to handle it. The now
old CONF_* functions are still there, but are reimplemented to
work in terms of the new functions. Also, a set of functions
to handle the internal storage of the configuration data is
provided to make it easier to write new configuration file
reader "classes" (I can definitely see something reading a
configuration file in XML format, for example), called _CONF_*,
or "the configuration storage API"...
The new configuration file reading functions are:
NCONF_new, NCONF_free, NCONF_load, NCONF_load_fp, NCONF_load_bio,
NCONF_get_section, NCONF_get_string, NCONF_get_numbre
NCONF_default, NCONF_WIN32
NCONF_dump_fp, NCONF_dump_bio
NCONF_default and NCONF_WIN32 are method (or "class") choosers,
NCONF_new creates a new CONF object. This works in the same way
as other interfaces in OpenSSL, like the BIO interface.
NCONF_dump_* dump the internal storage of the configuration file,
which is useful for debugging. All other functions take the same
arguments as the old CONF_* functions with the exception of the
first that must be a `CONF *' instead of a `LHASH *'.
To make it easier to use the new classes with the old CONF_* functions,
the function CONF_set_default_method is provided.
[Richard Levitte]
*) Add '-tls1' option to 'openssl ciphers', which was already
mentioned in the documentation but had not been implemented.
(This option is not yet really useful because even the additional
experimental TLS 1.0 ciphers are currently treated as SSL 3.0 ciphers.)
[Bodo Moeller]
*) Initial DSO code added into libcrypto for letting OpenSSL (and
OpenSSL-based applications) load shared libraries and bind to
them in a portable way.
[Geoff Thorpe, with contributions from Richard Levitte]
Changes between 0.9.5 and 0.9.5a [1 Apr 2000]
*) Make sure _lrotl and _lrotr are only used with MSVC.
*) Use lock CRYPTO_LOCK_RAND correctly in ssleay_rand_status
(the default implementation of RAND_status).
*) Rename openssl x509 option '-crlext', which was added in 0.9.5,
to '-clrext' (= clear extensions), as intended and documented.
[Bodo Moeller; inconsistency pointed out by Michael Attili
<attili@amaxo.com>]
*) Fix for HMAC. It wasn't zeroing the rest of the block if the key length
was larger than the MD block size.
[Steve Henson, pointed out by Yost William <YostW@tce.com>]
*) Modernise PKCS12_parse() so it uses STACK_OF(X509) for its ca argument
fix a leak when the ca argument was passed as NULL. Stop X509_PUBKEY_set()
using the passed key: if the passed key was a private key the result
of X509_print(), for example, would be to print out all the private key
components.
[Steve Henson]
*) des_quad_cksum() byte order bug fix.
[Ulf Möller, using the problem description in krb4-0.9.7, where
the solution is attributed to Derrick J Brashear <shadow@DEMENTIA.ORG>]
*) Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly
discouraged.
[Steve Henson, pointed out by Brian Korver <briank@cs.stanford.edu>]
*) For easily testing in shell scripts whether some command
'openssl XXX' exists, the new pseudo-command 'openssl no-XXX'
returns with exit code 0 iff no command of the given name is available.
'no-XXX' is printed in this case, 'XXX' otherwise. In both cases,
the output goes to stdout and nothing is printed to stderr.
Additional arguments are always ignored.
Since for each cipher there is a command of the same name,
the 'no-cipher' compilation switches can be tested this way.
('openssl no-XXX' is not able to detect pseudo-commands such
as 'quit', 'list-XXX-commands', or 'no-XXX' itself.)
[Bodo Moeller]
*) Update test suite so that 'make test' succeeds in 'no-rsa' configuration.
[Bodo Moeller]
*) For SSL_[CTX_]set_tmp_dh, don't create a DH key if SSL_OP_SINGLE_DH_USE
is set; it will be thrown away anyway because each handshake creates
its own key.
ssl_cert_dup, which is used by SSL_new, now copies DH keys in addition
to parameters -- in previous versions (since OpenSSL 0.9.3) the
'default key' from SSL_CTX_set_tmp_dh would always be lost, meaning
you effectively got SSL_OP_SINGLE_DH_USE when using this macro.
[Bodo Moeller]
*) New s_client option -ign_eof: EOF at stdin is ignored, and
'Q' and 'R' lose their special meanings (quit/renegotiate).
This is part of what -quiet does; unlike -quiet, -ign_eof
does not suppress any output.
[Richard Levitte]
*) Add compatibility options to the purpose and trust code. The
purpose X509_PURPOSE_ANY is "any purpose" which automatically
accepts a certificate or CA, this was the previous behaviour,
with all the associated security issues.
X509_TRUST_COMPAT is the old trust behaviour: only and
automatically trust self signed roots in certificate store. A
new trust setting X509_TRUST_DEFAULT is used to specify that
a purpose has no associated trust setting and it should instead
use the value in the default purpose.
[Steve Henson]
*) Fix the PKCS#8 DSA private key code so it decodes keys again
and fix a memory leak.
[Steve Henson]
*) In util/mkerr.pl (which implements 'make errors'), preserve
reason strings from the previous version of the .c file, as
the default to have only downcase letters (and digits) in
automatically generated reasons codes is not always appropriate.
[Bodo Moeller]
*) In ERR_load_ERR_strings(), build an ERR_LIB_SYS error reason table
using strerror. Previously, ERR_reason_error_string() returned
library names as reason strings for SYSerr; but SYSerr is a special
case where small numbers are errno values, not library numbers.
[Bodo Moeller]
*) Add '-dsaparam' option to 'openssl dhparam' application. This
converts DSA parameters into DH parameters. (When creating parameters,
DSA_generate_parameters is used.)
[Bodo Moeller]
*) Include 'length' (recommended exponent length) in C code generated
by 'openssl dhparam -C'.
[Bodo Moeller]
*) The second argument to set_label in perlasm was already being used
so couldn't be used as a "file scope" flag. Moved to third argument
which was free.
[Steve Henson]
*) In PEM_ASN1_write_bio and some other functions, use RAND_pseudo_bytes
instead of RAND_bytes for encryption IVs and salts.
[Bodo Moeller]
*) Include RAND_status() into RAND_METHOD instead of implementing
it only for md_rand.c Otherwise replacing the PRNG by calling
RAND_set_rand_method would be impossible.
[Bodo Moeller]
*) Don't let DSA_generate_key() enter an infinite loop if the random
number generation fails.
[Bodo Moeller]
*) New 'rand' application for creating pseudo-random output.
[Bodo Moeller]
*) Added configuration support for Linux/IA64
[Rolf Haberrecker <rolf@suse.de>]
*) Assembler module support for Mingw32.
[Ulf Möller]
*) Shared library support for HPUX (in shlib/).
[Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous]
*) Shared library support for Solaris gcc.
[Lutz Behnke <behnke@trustcenter.de>]
Changes between 0.9.4 and 0.9.5 [28 Feb 2000]
*) PKCS7_encrypt() was adding text MIME headers twice because they
were added manually and by SMIME_crlf_copy().
[Steve Henson]
*) In bntest.c don't call BN_rand with zero bits argument.
[Steve Henson, pointed out by Andrew W. Gray <agray@iconsinc.com>]
*) BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n]
case was implemented. This caused BN_div_recp() to fail occasionally.
[Ulf Möller]
*) Add an optional second argument to the set_label() in the perl
assembly language builder. If this argument exists and is set
to 1 it signals that the assembler should use a symbol whose
scope is the entire file, not just the current function. This
is needed with MASM which uses the format label:: for this scope.
[Steve Henson, pointed out by Peter Runestig <peter@runestig.com>]
*) Change the ASN1 types so they are typedefs by default. Before
almost all types were #define'd to ASN1_STRING which was causing
STACK_OF() problems: you couldn't declare STACK_OF(ASN1_UTF8STRING)
for example.
[Steve Henson]
*) Change names of new functions to the new get1/get0 naming
convention: After 'get1', the caller owns a reference count
and has to call ..._free; 'get0' returns a pointer to some
data structure without incrementing reference counters.
(Some of the existing 'get' functions increment a reference
counter, some don't.)
Similarly, 'set1' and 'add1' functions increase reference
counters or duplicate objects.
[Steve Henson]
*) Allow for the possibility of temp RSA key generation failure:
the code used to assume it always worked and crashed on failure.
[Steve Henson]
*) Fix potential buffer overrun problem in BIO_printf().
[Ulf Möller, using public domain code by Patrick Powell; problem
pointed out by David Sacerdote <das33@cornell.edu>]
*) Support EGD <http://www.lothar.com/tech/crypto/>. New functions
RAND_egd() and RAND_status(). In the command line application,
the EGD socket can be specified like a seed file using RANDFILE
or -rand.
[Ulf Möller]
*) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures.
Some CAs (e.g. Verisign) distribute certificates in this form.
[Steve Henson]
*) Remove the SSL_ALLOW_ADH compile option and set the default cipher
list to exclude them. This means that no special compilation option
is needed to use anonymous DH: it just needs to be included in the
cipher list.
[Steve Henson]
*) Change the EVP_MD_CTX_type macro so its meaning consistent with
EVP_MD_type. The old functionality is available in a new macro called
EVP_MD_md(). Change code that uses it and update docs.
[Steve Henson]
*) ..._ctrl functions now have corresponding ..._callback_ctrl functions
where the 'void *' argument is replaced by a function pointer argument.
Previously 'void *' was abused to point to functions, which works on
many platforms, but is not correct. As these functions are usually
called by macros defined in OpenSSL header files, most source code
should work without changes.
[Richard Levitte]
*) <openssl/opensslconf.h> (which is created by Configure) now contains
sections with information on -D... compiler switches used for
compiling the library so that applications can see them. To enable
one of these sections, a pre-processor symbol OPENSSL_..._DEFINES
must be defined. E.g.,
#define OPENSSL_ALGORITHM_DEFINES
#include <openssl/opensslconf.h>
defines all pertinent NO_<algo> symbols, such as NO_IDEA, NO_RSA, etc.
[Richard Levitte, Ulf and Bodo Möller]
*) Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS
record layer.
[Bodo Moeller]
*) Change the 'other' type in certificate aux info to a STACK_OF
X509_ALGOR. Although not an AlgorithmIdentifier as such it has
the required ASN1 format: arbitrary types determined by an OID.
[Steve Henson]
*) Add some PEM_write_X509_REQ_NEW() functions and a command line
argument to 'req'. This is not because the function is newer or
better than others it just uses the work 'NEW' in the certificate
request header lines. Some software needs this.
[Steve Henson]
*) Reorganise password command line arguments: now passwords can be
obtained from various sources. Delete the PEM_cb function and make
it the default behaviour: i.e. if the callback is NULL and the
usrdata argument is not NULL interpret it as a null terminated pass
phrase. If usrdata and the callback are NULL then the pass phrase
is prompted for as usual.
[Steve Henson]
*) Add support for the Compaq Atalla crypto accelerator. If it is installed,
the support is automatically enabled. The resulting binaries will
autodetect the card and use it if present.
[Ben Laurie and Compaq Inc.]
*) Work around for Netscape hang bug. This sends certificate request
and server done in one record. Since this is perfectly legal in the
SSL/TLS protocol it isn't a "bug" option and is on by default. See
the bugs/SSLv3 entry for more info.
[Steve Henson]
*) HP-UX tune-up: new unified configs, HP C compiler bug workaround.
[Andy Polyakov]
*) Add -rand argument to smime and pkcs12 applications and read/write
of seed file.
[Steve Henson]
*) New 'passwd' tool for crypt(3) and apr1 password hashes.
[Bodo Moeller]
*) Add command line password options to the remaining applications.
[Steve Henson]
*) Bug fix for BN_div_recp() for numerators with an even number of
bits.
[Ulf Möller]
*) More tests in bntest.c, and changed test_bn output.
[Ulf Möller]
*) ./config recognizes MacOS X now.
[Andy Polyakov]
*) Bug fix for BN_div() when the first words of num and divisor are
equal (it gave wrong results if (rem=(n1-q*d0)&BN_MASK2) < d0).
[Ulf Möller]
*) Add support for various broken PKCS#8 formats, and command line
options to produce them.
[Steve Henson]
*) New functions BN_CTX_start(), BN_CTX_get() and BT_CTX_end() to
get temporary BIGNUMs from a BN_CTX.
[Ulf Möller]
*) Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont()
for p == 0.
[Ulf Möller]
*) Change the SSLeay_add_all_*() functions to OpenSSL_add_all_*() and
include a #define from the old name to the new. The original intent
was that statically linked binaries could for example just call
SSLeay_add_all_ciphers() to just add ciphers to the table and not
link with digests. This never worked because SSLeay_add_all_digests()
and SSLeay_add_all_ciphers() were in the same source file so calling
one would link with the other. They are now in separate source files.
[Steve Henson]
*) Add a new -notext option to 'ca' and a -pubkey option to 'spkac'.
[Steve Henson]
*) Use a less unusual form of the Miller-Rabin primality test (it used
a binary algorithm for exponentiation integrated into the Miller-Rabin
loop, our standard modexp algorithms are faster).
[Bodo Moeller]
*) Support for the EBCDIC character set completed.
[Martin Kraemer <Martin.Kraemer@Mch.SNI.De>]
*) Source code cleanups: use const where appropriate, eliminate casts,
use void * instead of char * in lhash.
[Ulf Möller]
*) Bugfix: ssl3_send_server_key_exchange was not restartable
(the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of
this the server could overwrite ephemeral keys that the client
has already seen).
[Bodo Moeller]
*) Turn DSA_is_prime into a macro that calls BN_is_prime,
using 50 iterations of the Rabin-Miller test.
DSA_generate_parameters now uses BN_is_prime_fasttest (with 50
iterations of the Rabin-Miller test as required by the appendix
to FIPS PUB 186[-1]) instead of DSA_is_prime.
As BN_is_prime_fasttest includes trial division, DSA parameter
generation becomes much faster.
This implies a change for the callback functions in DSA_is_prime
and DSA_generate_parameters: The callback function is called once
for each positive witness in the Rabin-Miller test, not just
occasionally in the inner loop; and the parameters to the
callback function now provide an iteration count for the outer
loop rather than for the current invocation of the inner loop.
DSA_generate_parameters additionally can call the callback
function with an 'iteration count' of -1, meaning that a
candidate has passed the trial division test (when q is generated
from an application-provided seed, trial division is skipped).
[Bodo Moeller]
*) New function BN_is_prime_fasttest that optionally does trial
division before starting the Rabin-Miller test and has
an additional BN_CTX * argument (whereas BN_is_prime always
has to allocate at least one BN_CTX).
'callback(1, -1, cb_arg)' is called when a number has passed the
trial division stage.
[Bodo Moeller]
*) Fix for bug in CRL encoding. The validity dates weren't being handled
as ASN1_TIME.
[Steve Henson]
*) New -pkcs12 option to CA.pl script to write out a PKCS#12 file.
[Steve Henson]
*) New function BN_pseudo_rand().
[Ulf Möller]
*) Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable)
bignum version of BN_from_montgomery() with the working code from
SSLeay 0.9.0 (the word based version is faster anyway), and clean up
the comments.
[Ulf Möller]
*) Avoid a race condition in s2_clnt.c (function get_server_hello) that
made it impossible to use the same SSL_SESSION data structure in
SSL2 clients in multiple threads.
[Bodo Moeller]
*) The return value of RAND_load_file() no longer counts bytes obtained
by stat(). RAND_load_file(..., -1) is new and uses the complete file
to seed the PRNG (previously an explicit byte count was required).
[Ulf Möller, Bodo Möller]
*) Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes
used (char *) instead of (void *) and had casts all over the place.
[Steve Henson]
*) Make BN_generate_prime() return NULL on error if ret!=NULL.
[Ulf Möller]
*) Retain source code compatibility for BN_prime_checks macro:
BN_is_prime(..., BN_prime_checks, ...) now uses
BN_prime_checks_for_size to determine the appropriate number of
Rabin-Miller iterations.
[Ulf Möller]
*) Diffie-Hellman uses "safe" primes: DH_check() return code renamed to
DH_CHECK_P_NOT_SAFE_PRIME.
(Check if this is true? OpenPGP calls them "strong".)
[Ulf Möller]
*) Merge the functionality of "dh" and "gendh" programs into a new program
"dhparam". The old programs are retained for now but will handle DH keys
(instead of parameters) in future.
[Steve Henson]
*) Make the ciphers, s_server and s_client programs check the return values
when a new cipher list is set.
[Steve Henson]
*) Enhance the SSL/TLS cipher mechanism to correctly handle the TLS 56bit
ciphers. Before when the 56bit ciphers were enabled the sorting was
wrong.
The syntax for the cipher sorting has been extended to support sorting by
cipher-strength (using the strength_bits hard coded in the tables).
The new command is "@STRENGTH" (see also doc/apps/ciphers.pod).
Fix a bug in the cipher-command parser: when supplying a cipher command
string with an "undefined" symbol (neither command nor alphanumeric
[A-Za-z0-9], ssl_set_cipher_list used to hang in an endless loop. Now
an error is flagged.
Due to the strength-sorting extension, the code of the
ssl_create_cipher_list() function was completely rearranged. I hope that
the readability was also increased :-)
[Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>]
*) Minor change to 'x509' utility. The -CAcreateserial option now uses 1
for the first serial number and places 2 in the serial number file. This
avoids problems when the root CA is created with serial number zero and
the first user certificate has the same issuer name and serial number
as the root CA.
[Steve Henson]
*) Fixes to X509_ATTRIBUTE utilities, change the 'req' program so it uses
the new code. Add documentation for this stuff.
[Steve Henson]
*) Changes to X509_ATTRIBUTE utilities. These have been renamed from
X509_*() to X509at_*() on the grounds that they don't handle X509
structures and behave in an analogous way to the X509v3 functions:
they shouldn't be called directly but wrapper functions should be used
instead.
So we also now have some wrapper functions that call the X509at functions
when passed certificate requests. (TO DO: similar things can be done with
PKCS#7 signed and unsigned attributes, PKCS#12 attributes and a few other
things. Some of these need some d2i or i2d and print functionality
because they handle more complex structures.)
[Steve Henson]
*) Add missing #ifndefs that caused missing symbols when building libssl
as a shared library without RSA. Use #ifndef NO_SSL2 instead of
NO_RSA in ssl/s2*.c.
[Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf Möller]
*) Precautions against using the PRNG uninitialized: RAND_bytes() now
has a return value which indicates the quality of the random data
(1 = ok, 0 = not seeded). Also an error is recorded on the thread's
error queue. New function RAND_pseudo_bytes() generates output that is
guaranteed to be unique but not unpredictable. RAND_add is like
RAND_seed, but takes an extra argument for an entropy estimate
(RAND_seed always assumes full entropy).
[Ulf Möller]
*) Do more iterations of Rabin-Miller probable prime test (specifically,
3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
instead of only 2 for all lengths; see BN_prime_checks_for_size definition
in crypto/bn/bn_prime.c for the complete table). This guarantees a
false-positive rate of at most 2^-80 for random input.
[Bodo Moeller]
*) Rewrite ssl3_read_n (ssl/s3_pkt.c) avoiding a couple of bugs.
[Bodo Moeller]
*) New function X509_CTX_rget_chain() (renamed to X509_CTX_get1_chain
in the 0.9.5 release), this returns the chain
from an X509_CTX structure with a dup of the stack and all
the X509 reference counts upped: so the stack will exist
after X509_CTX_cleanup() has been called. Modify pkcs12.c
to use this.
Also make SSL_SESSION_print() print out the verify return
code.
[Steve Henson]
*) Add manpage for the pkcs12 command. Also change the default
behaviour so MAC iteration counts are used unless the new
-nomaciter option is used. This improves file security and
only older versions of MSIE (4.0 for example) need it.
[Steve Henson]
*) Honor the no-xxx Configure options when creating .DEF files.
[Ulf Möller]
*) Add PKCS#10 attributes to field table: challengePassword,
unstructuredName and unstructuredAddress. These are taken from
draft PKCS#9 v2.0 but are compatible with v1.2 provided no
international characters are used.
More changes to X509_ATTRIBUTE code: allow the setting of types
based on strings. Remove the 'loc' parameter when adding
attributes because these will be a SET OF encoding which is sorted
in ASN1 order.
[Steve Henson]
*) Initial changes to the 'req' utility to allow request generation
automation. This will allow an application to just generate a template
file containing all the field values and have req construct the
request.
Initial support for X509_ATTRIBUTE handling. Stacks of these are
used all over the place including certificate requests and PKCS#7
structures. They are currently handled manually where necessary with
some primitive wrappers for PKCS#7. The new functions behave in a
manner analogous to the X509 extension functions: they allow
attributes to be looked up by NID and added.
Later something similar to the X509V3 code would be desirable to
automatically handle the encoding, decoding and printing of the
more complex types. The string types like challengePassword can
be handled by the string table functions.
Also modified the multi byte string table handling. Now there is
a 'global mask' which masks out certain types. The table itself
can use the flag STABLE_NO_MASK to ignore the mask setting: this
is useful when for example there is only one permissible type
(as in countryName) and using the mask might result in no valid
types at all.
[Steve Henson]
*) Clean up 'Finished' handling, and add functions SSL_get_finished and
SSL_get_peer_finished to allow applications to obtain the latest
Finished messages sent to the peer or expected from the peer,
respectively. (SSL_get_peer_finished is usually the Finished message
actually received from the peer, otherwise the protocol will be aborted.)
As the Finished message are message digests of the complete handshake
(with a total of 192 bits for TLS 1.0 and more for SSL 3.0), they can
be used for external authentication procedures when the authentication
provided by SSL/TLS is not desired or is not enough.
[Bodo Moeller]
*) Enhanced support for Alpha Linux is added. Now ./config checks if
the host supports BWX extension and if Compaq C is present on the
$PATH. Just exploiting of the BWX extension results in 20-30%
performance kick for some algorithms, e.g. DES and RC4 to mention
a couple. Compaq C in turn generates ~20% faster code for MD5 and
SHA1.
[Andy Polyakov]
*) Add support for MS "fast SGC". This is arguably a violation of the
SSL3/TLS protocol. Netscape SGC does two handshakes: the first with
weak crypto and after checking the certificate is SGC a second one
with strong crypto. MS SGC stops the first handshake after receiving
the server certificate message and sends a second client hello. Since
a server will typically do all the time consuming operations before
expecting any further messages from the client (server key exchange
is the most expensive) there is little difference between the two.
To get OpenSSL to support MS SGC we have to permit a second client
hello message after we have sent server done. In addition we have to
reset the MAC if we do get this second client hello.
[Steve Henson]
*) Add a function 'd2i_AutoPrivateKey()' this will automatically decide
if a DER encoded private key is RSA or DSA traditional format. Changed
d2i_PrivateKey_bio() to use it. This is only needed for the "traditional"
format DER encoded private key. Newer code should use PKCS#8 format which
has the key type encoded in the ASN1 structure. Added DER private key
support to pkcs8 application.
[Steve Henson]
*) SSL 3/TLS 1 servers now don't request certificates when an anonymous
ciphersuites has been selected (as required by the SSL 3/TLS 1
specifications). Exception: When SSL_VERIFY_FAIL_IF_NO_PEER_CERT
is set, we interpret this as a request to violate the specification
(the worst that can happen is a handshake failure, and 'correct'
behaviour would result in a handshake failure anyway).
[Bodo Moeller]
*) In SSL_CTX_add_session, take into account that there might be multiple
SSL_SESSION structures with the same session ID (e.g. when two threads
concurrently obtain them from an external cache).
The internal cache can handle only one SSL_SESSION with a given ID,
so if there's a conflict, we now throw out the old one to achieve
consistency.
[Bodo Moeller]
*) Add OIDs for idea and blowfish in CBC mode. This will allow both
to be used in PKCS#5 v2.0 and S/MIME. Also add checking to
some routines that use cipher OIDs: some ciphers do not have OIDs
defined and so they cannot be used for S/MIME and PKCS#5 v2.0 for
example.
[Steve Henson]
*) Simplify the trust setting structure and code. Now we just have
two sequences of OIDs for trusted and rejected settings. These will
typically have values the same as the extended key usage extension
and any application specific purposes.
The trust checking code now has a default behaviour: it will just
check for an object with the same NID as the passed id. Functions can
be provided to override either the default behaviour or the behaviour
for a given id. SSL client, server and email already have functions
in place for compatibility: they check the NID and also return "trusted"
if the certificate is self signed.
[Steve Henson]
*) Add d2i,i2d bio/fp functions for PrivateKey: these convert the
traditional format into an EVP_PKEY structure.
[Steve Henson]
*) Add a password callback function PEM_cb() which either prompts for
a password if usr_data is NULL or otherwise assumes it is a null
terminated password. Allow passwords to be passed on command line
environment or config files in a few more utilities.
[Steve Henson]
*) Add a bunch of DER and PEM functions to handle PKCS#8 format private
keys. Add some short names for PKCS#8 PBE algorithms and allow them
to be specified on the command line for the pkcs8 and pkcs12 utilities.
Update documentation.
[Steve Henson]
*) Support for ASN1 "NULL" type. This could be handled before by using
ASN1_TYPE but there wasn't any function that would try to read a NULL
and produce an error if it couldn't. For compatibility we also have
ASN1_NULL_new() and ASN1_NULL_free() functions but these are faked and
don't allocate anything because they don't need to.
[Steve Henson]
*) Initial support for MacOS is now provided. Examine INSTALL.MacOS
for details.
[Andy Polyakov, Roy Woods <roy@centicsystems.ca>]
*) Rebuild of the memory allocation routines used by OpenSSL code and
possibly others as well. The purpose is to make an interface that
provide hooks so anyone can build a separate set of allocation and
deallocation routines to be used by OpenSSL, for example memory
pool implementations, or something else, which was previously hard
since Malloc(), Realloc() and Free() were defined as macros having
the values malloc, realloc and free, respectively (except for Win32
compilations). The same is provided for memory debugging code.
OpenSSL already comes with functionality to find memory leaks, but
this gives people a chance to debug other memory problems.
With these changes, a new set of functions and macros have appeared:
CRYPTO_set_mem_debug_functions() [F]
CRYPTO_get_mem_debug_functions() [F]
CRYPTO_dbg_set_options() [F]
CRYPTO_dbg_get_options() [F]
CRYPTO_malloc_debug_init() [M]
The memory debug functions are NULL by default, unless the library
is compiled with CRYPTO_MDEBUG or friends is defined. If someone
wants to debug memory anyway, CRYPTO_malloc_debug_init() (which
gives the standard debugging functions that come with OpenSSL) or
CRYPTO_set_mem_debug_functions() (tells OpenSSL to use functions
provided by the library user) must be used. When the standard
debugging functions are used, CRYPTO_dbg_set_options can be used to
request additional information:
CRYPTO_dbg_set_options(V_CYRPTO_MDEBUG_xxx) corresponds to setting
the CRYPTO_MDEBUG_xxx macro when compiling the library.
Also, things like CRYPTO_set_mem_functions will always give the
expected result (the new set of functions is used for allocation
and deallocation) at all times, regardless of platform and compiler
options.
To finish it up, some functions that were never use in any other
way than through macros have a new API and new semantic:
CRYPTO_dbg_malloc()
CRYPTO_dbg_realloc()
CRYPTO_dbg_free()
All macros of value have retained their old syntax.
[Richard Levitte and Bodo Moeller]
*) Some S/MIME fixes. The OID for SMIMECapabilities was wrong, the
ordering of SMIMECapabilities wasn't in "strength order" and there
was a missing NULL in the AlgorithmIdentifier for the SHA1 signature
algorithm.
[Steve Henson]
*) Some ASN1 types with illegal zero length encoding (INTEGER,
ENUMERATED and OBJECT IDENTIFIER) choked the ASN1 routines.
[Frans Heymans <fheymans@isaserver.be>, modified by Steve Henson]
*) Merge in my S/MIME library for OpenSSL. This provides a simple
S/MIME API on top of the PKCS#7 code, a MIME parser (with enough
functionality to handle multipart/signed properly) and a utility
called 'smime' to call all this stuff. This is based on code I
originally wrote for Celo who have kindly allowed it to be
included in OpenSSL.
[Steve Henson]
*) Add variants des_set_key_checked and des_set_key_unchecked of
des_set_key (aka des_key_sched). Global variable des_check_key
decides which of these is called by des_set_key; this way
des_check_key behaves as it always did, but applications and
the library itself, which was buggy for des_check_key == 1,
have a cleaner way to pick the version they need.
[Bodo Moeller]
*) New function PKCS12_newpass() which changes the password of a
PKCS12 structure.
[Steve Henson]
*) Modify X509_TRUST and X509_PURPOSE so it also uses a static and
dynamic mix. In both cases the ids can be used as an index into the
table. Also modified the X509_TRUST_add() and X509_PURPOSE_add()
functions so they accept a list of the field values and the
application doesn't need to directly manipulate the X509_TRUST
structure.
[Steve Henson]
*) Modify the ASN1_STRING_TABLE stuff so it also uses bsearch and doesn't
need initialising.
[Steve Henson]
*) Modify the way the V3 extension code looks up extensions. This now
works in a similar way to the object code: we have some "standard"
extensions in a static table which is searched with OBJ_bsearch()
and the application can add dynamic ones if needed. The file
crypto/x509v3/ext_dat.h now has the info: this file needs to be
updated whenever a new extension is added to the core code and kept
in ext_nid order. There is a simple program 'tabtest.c' which checks
this. New extensions are not added too often so this file can readily
be maintained manually.
There are two big advantages in doing things this way. The extensions
can be looked up immediately and no longer need to be "added" using
X509V3_add_standard_extensions(): this function now does nothing.
[Side note: I get *lots* of email saying the extension code doesn't
work because people forget to call this function]
Also no dynamic allocation is done unless new extensions are added:
so if we don't add custom extensions there is no need to call
X509V3_EXT_cleanup().
[Steve Henson]
*) Modify enc utility's salting as follows: make salting the default. Add a
magic header, so unsalted files fail gracefully instead of just decrypting
to garbage. This is because not salting is a big security hole, so people
should be discouraged from doing it.
[Ben Laurie]
*) Fixes and enhancements to the 'x509' utility. It allowed a message
digest to be passed on the command line but it only used this
parameter when signing a certificate. Modified so all relevant
operations are affected by the digest parameter including the
-fingerprint and -x509toreq options. Also -x509toreq choked if a
DSA key was used because it didn't fix the digest.
[Steve Henson]
*) Initial certificate chain verify code. Currently tests the untrusted
certificates for consistency with the verify purpose (which is set
when the X509_STORE_CTX structure is set up) and checks the pathlength.
There is a NO_CHAIN_VERIFY compilation option to keep the old behaviour:
this is because it will reject chains with invalid extensions whereas
every previous version of OpenSSL and SSLeay made no checks at all.
Trust code: checks the root CA for the relevant trust settings. Trust
settings have an initial value consistent with the verify purpose: e.g.
if the verify purpose is for SSL client use it expects the CA to be
trusted for SSL client use. However the default value can be changed to
permit custom trust settings: one example of this would be to only trust
certificates from a specific "secure" set of CAs.
Also added X509_STORE_CTX_new() and X509_STORE_CTX_free() functions
which should be used for version portability: especially since the
verify structure is likely to change more often now.
SSL integration. Add purpose and trust to SSL_CTX and SSL and functions
to set them. If not set then assume SSL clients will verify SSL servers
and vice versa.
Two new options to the verify program: -untrusted allows a set of
untrusted certificates to be passed in and -purpose which sets the
intended purpose of the certificate. If a purpose is set then the
new chain verify code is used to check extension consistency.
[Steve Henson]
*) Support for the authority information access extension.
[Steve Henson]
*) Modify RSA and DSA PEM read routines to transparently handle
PKCS#8 format private keys. New *_PUBKEY_* functions that handle
public keys in a format compatible with certificate
SubjectPublicKeyInfo structures. Unfortunately there were already
functions called *_PublicKey_* which used various odd formats so
these are retained for compatibility: however the DSA variants were
never in a public release so they have been deleted. Changed dsa/rsa
utilities to handle the new format: note no releases ever handled public
keys so we should be OK.
The primary motivation for this change is to avoid the same fiasco
that dogs private keys: there are several incompatible private key
formats some of which are standard and some OpenSSL specific and
require various evil hacks to allow partial transparent handling and
even then it doesn't work with DER formats. Given the option anything
other than PKCS#8 should be dumped: but the other formats have to
stay in the name of compatibility.
With public keys and the benefit of hindsight one standard format
is used which works with EVP_PKEY, RSA or DSA structures: though
it clearly returns an error if you try to read the wrong kind of key.
Added a -pubkey option to the 'x509' utility to output the public key.
Also rename the EVP_PKEY_get_*() to EVP_PKEY_rget_*()
(renamed to EVP_PKEY_get1_*() in the OpenSSL 0.9.5 release) and add
EVP_PKEY_rset_*() functions (renamed to EVP_PKEY_set1_*())
that do the same as the EVP_PKEY_assign_*() except they up the
reference count of the added key (they don't "swallow" the
supplied key).
[Steve Henson]
*) Fixes to crypto/x509/by_file.c the code to read in certificates and
CRLs would fail if the file contained no certificates or no CRLs:
added a new function to read in both types and return the number
read: this means that if none are read it will be an error. The
DER versions of the certificate and CRL reader would always fail
because it isn't possible to mix certificates and CRLs in DER format
without choking one or the other routine. Changed this to just read
a certificate: this is the best we can do. Also modified the code
in apps/verify.c to take notice of return codes: it was previously
attempting to read in certificates from NULL pointers and ignoring
any errors: this is one reason why the cert and CRL reader seemed
to work. It doesn't check return codes from the default certificate
routines: these may well fail if the certificates aren't installed.
[Steve Henson]
*) Code to support otherName option in GeneralName.
[Steve Henson]
*) First update to verify code. Change the verify utility
so it warns if it is passed a self signed certificate:
for consistency with the normal behaviour. X509_verify
has been modified to it will now verify a self signed
certificate if *exactly* the same certificate appears
in the store: it was previously impossible to trust a
single self signed certificate. This means that:
openssl verify ss.pem
now gives a warning about a self signed certificate but
openssl verify -CAfile ss.pem ss.pem
is OK.
[Steve Henson]
*) For servers, store verify_result in SSL_SESSION data structure
(and add it to external session representation).
This is needed when client certificate verifications fails,
but an application-provided verification callback (set by
SSL_CTX_set_cert_verify_callback) allows accepting the session
anyway (i.e. leaves x509_store_ctx->error != X509_V_OK
but returns 1): When the session is reused, we have to set
ssl->verify_result to the appropriate error code to avoid
security holes.
[Bodo Moeller, problem pointed out by Lutz Jaenicke]
*) Fix a bug in the new PKCS#7 code: it didn't consider the
case in PKCS7_dataInit() where the signed PKCS7 structure
didn't contain any existing data because it was being created.
[Po-Cheng Chen <pocheng@nst.com.tw>, slightly modified by Steve Henson]
*) Add a salt to the key derivation routines in enc.c. This
forms the first 8 bytes of the encrypted file. Also add a
-S option to allow a salt to be input on the command line.
[Steve Henson]
*) New function X509_cmp(). Oddly enough there wasn't a function
to compare two certificates. We do this by working out the SHA1
hash and comparing that. X509_cmp() will be needed by the trust
code.
[Steve Henson]
*) SSL_get1_session() is like SSL_get_session(), but increments
the reference count in the SSL_SESSION returned.
[Geoff Thorpe <geoff@eu.c2.net>]
*) Fix for 'req': it was adding a null to request attributes.
Also change the X509_LOOKUP and X509_INFO code to handle
certificate auxiliary information.
[Steve Henson]
*) Add support for 40 and 64 bit RC2 and RC4 algorithms: document
the 'enc' command.
[Steve Henson]
*) Add the possibility to add extra information to the memory leak
detecting output, to form tracebacks, showing from where each
allocation was originated: CRYPTO_push_info("constant string") adds
the string plus current file name and line number to a per-thread
stack, CRYPTO_pop_info() does the obvious, CRYPTO_remove_all_info()
is like calling CYRPTO_pop_info() until the stack is empty.
Also updated memory leak detection code to be multi-thread-safe.
[Richard Levitte]
*) Add options -text and -noout to pkcs7 utility and delete the
encryption options which never did anything. Update docs.
[Steve Henson]
*) Add options to some of the utilities to allow the pass phrase
to be included on either the command line (not recommended on
OSes like Unix) or read from the environment. Update the
manpages and fix a few bugs.
[Steve Henson]
*) Add a few manpages for some of the openssl commands.
[Steve Henson]
*) Fix the -revoke option in ca. It was freeing up memory twice,
leaking and not finding already revoked certificates.
[Steve Henson]
*) Extensive changes to support certificate auxiliary information.
This involves the use of X509_CERT_AUX structure and X509_AUX
functions. An X509_AUX function such as PEM_read_X509_AUX()
can still read in a certificate file in the usual way but it
will also read in any additional "auxiliary information". By
doing things this way a fair degree of compatibility can be
retained: existing certificates can have this information added
using the new 'x509' options.
Current auxiliary information includes an "alias" and some trust
settings. The trust settings will ultimately be used in enhanced
certificate chain verification routines: currently a certificate
can only be trusted if it is self signed and then it is trusted
for all purposes.
[Steve Henson]
*) Fix assembler for Alpha (tested only on DEC OSF not Linux or *BSD).
The problem was that one of the replacement routines had not been working
since SSLeay releases. For now the offending routine has been replaced
with non-optimised assembler. Even so, this now gives around 95%
performance improvement for 1024 bit RSA signs.
[Mark Cox]
*) Hack to fix PKCS#7 decryption when used with some unorthodox RC2
handling. Most clients have the effective key size in bits equal to
the key length in bits: so a 40 bit RC2 key uses a 40 bit (5 byte) key.
A few however don't do this and instead use the size of the decrypted key
to determine the RC2 key length and the AlgorithmIdentifier to determine
the effective key length. In this case the effective key length can still
be 40 bits but the key length can be 168 bits for example. This is fixed
by manually forcing an RC2 key into the EVP_PKEY structure because the
EVP code can't currently handle unusual RC2 key sizes: it always assumes
the key length and effective key length are equal.
[Steve Henson]
*) Add a bunch of functions that should simplify the creation of
X509_NAME structures. Now you should be able to do:
X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, "Steve", -1, -1, 0);
and have it automatically work out the correct field type and fill in
the structures. The more adventurous can try:
X509_NAME_add_entry_by_txt(nm, field, MBSTRING_UTF8, str, -1, -1, 0);
and it will (hopefully) work out the correct multibyte encoding.
[Steve Henson]
*) Change the 'req' utility to use the new field handling and multibyte
copy routines. Before the DN field creation was handled in an ad hoc
way in req, ca, and x509 which was rather broken and didn't support
BMPStrings or UTF8Strings. Since some software doesn't implement
BMPStrings or UTF8Strings yet, they can be enabled using the config file
using the dirstring_type option. See the new comment in the default
openssl.cnf for more info.
[Steve Henson]
*) Make crypto/rand/md_rand.c more robust:
- Assure unique random numbers after fork().
- Make sure that concurrent threads access the global counter and
md serializably so that we never lose entropy in them
or use exactly the same state in multiple threads.
Access to the large state is not always serializable because
the additional locking could be a performance killer, and
md should be large enough anyway.
[Bodo Moeller]
*) New file apps/app_rand.c with commonly needed functionality
for handling the random seed file.
Use the random seed file in some applications that previously did not:
ca,
dsaparam -genkey (which also ignored its '-rand' option),
s_client,
s_server,
x509 (when signing).
Except on systems with /dev/urandom, it is crucial to have a random
seed file at least for key creation, DSA signing, and for DH exchanges;
for RSA signatures we could do without one.
gendh and gendsa (unlike genrsa) used to read only the first byte
of each file listed in the '-rand' option. The function as previously
found in genrsa is now in app_rand.c and is used by all programs
that support '-rand'.
[Bodo Moeller]
*) In RAND_write_file, use mode 0600 for creating files;
don't just chmod when it may be too late.
[Bodo Moeller]
*) Report an error from X509_STORE_load_locations
when X509_LOOKUP_load_file or X509_LOOKUP_add_dir failed.
[Bill Perry]
*) New function ASN1_mbstring_copy() this copies a string in either
ASCII, Unicode, Universal (4 bytes per character) or UTF8 format
into an ASN1_STRING type. A mask of permissible types is passed
and it chooses the "minimal" type to use or an error if not type
is suitable.
[Steve Henson]
*) Add function equivalents to the various macros in asn1.h. The old
macros are retained with an M_ prefix. Code inside the library can
use the M_ macros. External code (including the openssl utility)
should *NOT* in order to be "shared library friendly".
[Steve Henson]
*) Add various functions that can check a certificate's extensions
to see if it usable for various purposes such as SSL client,
server or S/MIME and CAs of these types. This is currently
VERY EXPERIMENTAL but will ultimately be used for certificate chain
verification. Also added a -purpose flag to x509 utility to
print out all the purposes.
[Steve Henson]
*) Add a CRYPTO_EX_DATA to X509 certificate structure and associated
functions.
[Steve Henson]
*) New X509V3_{X509,CRL,REVOKED}_get_d2i() functions. These will search
for, obtain and decode and extension and obtain its critical flag.
This allows all the necessary extension code to be handled in a
single function call.
[Steve Henson]
*) RC4 tune-up featuring 30-40% performance improvement on most RISC
platforms. See crypto/rc4/rc4_enc.c for further details.
[Andy Polyakov]
*) New -noout option to asn1parse. This causes no output to be produced
its main use is when combined with -strparse and -out to extract data
from a file (which may not be in ASN.1 format).
[Steve Henson]
*) Fix for pkcs12 program. It was hashing an invalid certificate pointer
when producing the local key id.
[Richard Levitte <levitte@stacken.kth.se>]
*) New option -dhparam in s_server. This allows a DH parameter file to be
stated explicitly. If it is not stated then it tries the first server
certificate file. The previous behaviour hard coded the filename
"server.pem".
[Steve Henson]
*) Add -pubin and -pubout options to the rsa and dsa commands. These allow
a public key to be input or output. For example:
openssl rsa -in key.pem -pubout -out pubkey.pem
Also added necessary DSA public key functions to handle this.
[Steve Henson]
*) Fix so PKCS7_dataVerify() doesn't crash if no certificates are contained
in the message. This was handled by allowing
X509_find_by_issuer_and_serial() to tolerate a NULL passed to it.
[Steve Henson, reported by Sampo Kellomaki <sampo@mail.neuronio.pt>]
*) Fix for bug in d2i_ASN1_bytes(): other ASN1 functions add an extra null
to the end of the strings whereas this didn't. This would cause problems
if strings read with d2i_ASN1_bytes() were later modified.
[Steve Henson, reported by Arne Ansper <arne@ats.cyber.ee>]
*) Fix for base64 decode bug. When a base64 bio reads only one line of
data and it contains EOF it will end up returning an error. This is
caused by input 46 bytes long. The cause is due to the way base64
BIOs find the start of base64 encoded data. They do this by trying a
trial decode on each line until they find one that works. When they
do a flag is set and it starts again knowing it can pass all the
data directly through the decoder. Unfortunately it doesn't reset
the context it uses. This means that if EOF is reached an attempt
is made to pass two EOFs through the context and this causes the
resulting error. This can also cause other problems as well. As is
usual with these problems it takes *ages* to find and the fix is
trivial: move one line.
[Steve Henson, reported by ian@uns.ns.ac.yu (Ivan Nejgebauer) ]
*) Ugly workaround to get s_client and s_server working under Windows. The
old code wouldn't work because it needed to select() on sockets and the
tty (for keypresses and to see if data could be written). Win32 only
supports select() on sockets so we select() with a 1s timeout on the
sockets and then see if any characters are waiting to be read, if none
are present then we retry, we also assume we can always write data to
the tty. This isn't nice because the code then blocks until we've
received a complete line of data and it is effectively polling the
keyboard at 1s intervals: however it's quite a bit better than not
working at all :-) A dedicated Windows application might handle this
with an event loop for example.
[Steve Henson]
*) Enhance RSA_METHOD structure. Now there are two extra methods, rsa_sign
and rsa_verify. When the RSA_FLAGS_SIGN_VER option is set these functions
will be called when RSA_sign() and RSA_verify() are used. This is useful
if rsa_pub_dec() and rsa_priv_enc() equivalents are not available.
For this to work properly RSA_public_decrypt() and RSA_private_encrypt()
should *not* be used: RSA_sign() and RSA_verify() must be used instead.
This necessitated the support of an extra signature type NID_md5_sha1
for SSL signatures and modifications to the SSL library to use it instead
of calling RSA_public_decrypt() and RSA_private_encrypt().
[Steve Henson]
*) Add new -verify -CAfile and -CApath options to the crl program, these
will lookup a CRL issuers certificate and verify the signature in a
similar way to the verify program. Tidy up the crl program so it
no longer accesses structures directly. Make the ASN1 CRL parsing a bit
less strict. It will now permit CRL extensions even if it is not
a V2 CRL: this will allow it to tolerate some broken CRLs.
[Steve Henson]
*) Initialize all non-automatic variables each time one of the openssl
sub-programs is started (this is necessary as they may be started
multiple times from the "OpenSSL>" prompt).
[Lennart Bang, Bodo Moeller]
*) Preliminary compilation option RSA_NULL which disables RSA crypto without
removing all other RSA functionality (this is what NO_RSA does). This
is so (for example) those in the US can disable those operations covered
by the RSA patent while allowing storage and parsing of RSA keys and RSA
key generation.
[Steve Henson]
*) Non-copying interface to BIO pairs.
(still largely untested)
[Bodo Moeller]
*) New function ANS1_tag2str() to convert an ASN1 tag to a descriptive
ASCII string. This was handled independently in various places before.
[Steve Henson]
*) New functions UTF8_getc() and UTF8_putc() that parse and generate
UTF8 strings a character at a time.
[Steve Henson]
*) Use client_version from client hello to select the protocol
(s23_srvr.c) and for RSA client key exchange verification
(s3_srvr.c), as required by the SSL 3.0/TLS 1.0 specifications.
[Bodo Moeller]
*) Add various utility functions to handle SPKACs, these were previously
handled by poking round in the structure internals. Added new function
NETSCAPE_SPKI_print() to print out SPKAC and a new utility 'spkac' to
print, verify and generate SPKACs. Based on an original idea from
Massimiliano Pala <madwolf@comune.modena.it> but extensively modified.
[Steve Henson]
*) RIPEMD160 is operational on all platforms and is back in 'make test'.
[Andy Polyakov]
*) Allow the config file extension section to be overwritten on the
command line. Based on an original idea from Massimiliano Pala
<madwolf@comune.modena.it>. The new option is called -extensions
and can be applied to ca, req and x509. Also -reqexts to override
the request extensions in req and -crlexts to override the crl extensions
in ca.
[Steve Henson]
*) Add new feature to the SPKAC handling in ca. Now you can include
the same field multiple times by preceding it by "XXXX." for example:
1.OU="Unit name 1"
2.OU="Unit name 2"
this is the same syntax as used in the req config file.
[Steve Henson]
*) Allow certificate extensions to be added to certificate requests. These
are specified in a 'req_extensions' option of the req section of the
config file. They can be printed out with the -text option to req but
are otherwise ignored at present.
[Steve Henson]
*) Fix a horrible bug in enc_read() in crypto/evp/bio_enc.c: if the first
data read consists of only the final block it would not decrypted because
EVP_CipherUpdate() would correctly report zero bytes had been decrypted.
A misplaced 'break' also meant the decrypted final block might not be
copied until the next read.
[Steve Henson]
*) Initial support for DH_METHOD. Again based on RSA_METHOD. Also added
a few extra parameters to the DH structure: these will be useful if
for example we want the value of 'q' or implement X9.42 DH.
[Steve Henson]
*) Initial support for DSA_METHOD. This is based on the RSA_METHOD and
provides hooks that allow the default DSA functions or functions on a
"per key" basis to be replaced. This allows hardware acceleration and
hardware key storage to be handled without major modification to the
library. Also added low level modexp hooks and CRYPTO_EX structure and
associated functions.
[Steve Henson]
*) Add a new flag to memory BIOs, BIO_FLAG_MEM_RDONLY. This marks the BIO
as "read only": it can't be written to and the buffer it points to will
not be freed. Reading from a read only BIO is much more efficient than
a normal memory BIO. This was added because there are several times when
an area of memory needs to be read from a BIO. The previous method was
to create a memory BIO and write the data to it, this results in two
copies of the data and an O(n^2) reading algorithm. There is a new
function BIO_new_mem_buf() which creates a read only memory BIO from
an area of memory. Also modified the PKCS#7 routines to use read only
memory BIOs.
[Steve Henson]
*) Bugfix: ssl23_get_client_hello did not work properly when called in
state SSL23_ST_SR_CLNT_HELLO_B, i.e. when the first 7 bytes of
a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
but a retry condition occurred while trying to read the rest.
[Bodo Moeller]
*) The PKCS7_ENC_CONTENT_new() function was setting the content type as
NID_pkcs7_encrypted by default: this was wrong since this should almost
always be NID_pkcs7_data. Also modified the PKCS7_set_type() to handle
the encrypted data type: this is a more sensible place to put it and it
allows the PKCS#12 code to be tidied up that duplicated this
functionality.
[Steve Henson]
*) Changed obj_dat.pl script so it takes its input and output files on
the command line. This should avoid shell escape redirection problems
under Win32.
[Steve Henson]
*) Initial support for certificate extension requests, these are included
in things like Xenroll certificate requests. Included functions to allow
extensions to be obtained and added.
[Steve Henson]
*) -crlf option to s_client and s_server for sending newlines as
CRLF (as required by many protocols).
[Bodo Moeller]
Changes between 0.9.3a and 0.9.4 [09 Aug 1999]
*) Install libRSAglue.a when OpenSSL is built with RSAref.
[Ralf S. Engelschall]
*) A few more ``#ifndef NO_FP_API / #endif'' pairs for consistency.
[Andrija Antonijevic <TheAntony2@bigfoot.com>]
*) Fix -startdate and -enddate (which was missing) arguments to 'ca'
program.
[Steve Henson]
*) New function DSA_dup_DH, which duplicates DSA parameters/keys as
DH parameters/keys (q is lost during that conversion, but the resulting
DH parameters contain its length).
For 1024-bit p, DSA_generate_parameters followed by DSA_dup_DH is
much faster than DH_generate_parameters (which creates parameters
where p = 2*q + 1), and also the smaller q makes DH computations
much more efficient (160-bit exponentiation instead of 1024-bit
exponentiation); so this provides a convenient way to support DHE
ciphersuites in SSL/TLS servers (see ssl/ssltest.c). It is of
utter importance to use
SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
or
SSL_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
when such DH parameters are used, because otherwise small subgroup
attacks may become possible!
[Bodo Moeller]
*) Avoid memory leak in i2d_DHparams.
[Bodo Moeller]
*) Allow the -k option to be used more than once in the enc program:
this allows the same encrypted message to be read by multiple recipients.
[Steve Henson]
*) New function OBJ_obj2txt(buf, buf_len, a, no_name), this converts
an ASN1_OBJECT to a text string. If the "no_name" parameter is set then
it will always use the numerical form of the OID, even if it has a short
or long name.
[Steve Henson]
*) Added an extra RSA flag: RSA_FLAG_EXT_PKEY. Previously the rsa_mod_exp
method only got called if p,q,dmp1,dmq1,iqmp components were present,
otherwise bn_mod_exp was called. In the case of hardware keys for example
no private key components need be present and it might store extra data
in the RSA structure, which cannot be accessed from bn_mod_exp.
By setting RSA_FLAG_EXT_PKEY rsa_mod_exp will always be called for
private key operations.
[Steve Henson]
*) Added support for SPARC Linux.
[Andy Polyakov]
*) pem_password_cb function type incompatibly changed from
typedef int pem_password_cb(char *buf, int size, int rwflag);
to
....(char *buf, int size, int rwflag, void *userdata);
so that applications can pass data to their callbacks:
The PEM[_ASN1]_{read,write}... functions and macros now take an
additional void * argument, which is just handed through whenever
the password callback is called.
[Damien Miller <dmiller@ilogic.com.au>; tiny changes by Bodo Moeller]
New function SSL_CTX_set_default_passwd_cb_userdata.
Compatibility note: As many C implementations push function arguments
onto the stack in reverse order, the new library version is likely to
interoperate with programs that have been compiled with the old
pem_password_cb definition (PEM_whatever takes some data that
happens to be on the stack as its last argument, and the callback
just ignores this garbage); but there is no guarantee whatsoever that
this will work.
*) The -DPLATFORM="\"$(PLATFORM)\"" definition and the similar -DCFLAGS=...
(both in crypto/Makefile.ssl for use by crypto/cversion.c) caused
problems not only on Windows, but also on some Unix platforms.
To avoid problematic command lines, these definitions are now in an
auto-generated file crypto/buildinf.h (created by crypto/Makefile.ssl
for standard "make" builds, by util/mk1mf.pl for "mk1mf" builds).
[Bodo Moeller]
*) MIPS III/IV assembler module is reimplemented.
[Andy Polyakov]
*) More DES library cleanups: remove references to srand/rand and
delete an unused file.
[Ulf Möller]
*) Add support for the free Netwide assembler (NASM) under Win32,
since not many people have MASM (ml) and it can be hard to obtain.
This is currently experimental but it seems to work OK and pass all
the tests. Check out INSTALL.W32 for info.
[Steve Henson]
*) Fix memory leaks in s3_clnt.c: All non-anonymous SSL3/TLS1 connections
without temporary keys kept an extra copy of the server key,
and connections with temporary keys did not free everything in case
of an error.
[Bodo Moeller]
*) New function RSA_check_key and new openssl rsa option -check
for verifying the consistency of RSA keys.
[Ulf Moeller, Bodo Moeller]
*) Various changes to make Win32 compile work:
1. Casts to avoid "loss of data" warnings in p5_crpt2.c
2. Change unsigned int to int in b_dump.c to avoid "signed/unsigned
comparison" warnings.
3. Add sk_<TYPE>_sort to DEF file generator and do make update.
[Steve Henson]
*) Add a debugging option to PKCS#5 v2 key generation function: when
you #define DEBUG_PKCS5V2 passwords, salts, iteration counts and
derived keys are printed to stderr.
[Steve Henson]
*) Copy the flags in ASN1_STRING_dup().
[Roman E. Pavlov <pre@mo.msk.ru>]
*) The x509 application mishandled signing requests containing DSA
keys when the signing key was also DSA and the parameters didn't match.
It was supposed to omit the parameters when they matched the signing key:
the verifying software was then supposed to automatically use the CA's
parameters if they were absent from the end user certificate.
Omitting parameters is no longer recommended. The test was also
the wrong way round! This was probably due to unusual behaviour in
EVP_cmp_parameters() which returns 1 if the parameters match.
This meant that parameters were omitted when they *didn't* match and
the certificate was useless. Certificates signed with 'ca' didn't have
this bug.
[Steve Henson, reported by Doug Erickson <Doug.Erickson@Part.NET>]
*) Memory leak checking (-DCRYPTO_MDEBUG) had some problems.
The interface is as follows:
Applications can use
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON) aka MemCheck_start(),
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF) aka MemCheck_stop();
"off" is now the default.
The library internally uses
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE) aka MemCheck_off(),
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ENABLE) aka MemCheck_on()
to disable memory-checking temporarily.
Some inconsistent states that previously were possible (and were
even the default) are now avoided.
-DCRYPTO_MDEBUG_TIME is new and additionally stores the current time
with each memory chunk allocated; this is occasionally more helpful
than just having a counter.
-DCRYPTO_MDEBUG_THREAD is also new and adds the thread ID.
-DCRYPTO_MDEBUG_ALL enables all of the above, plus any future
extensions.
[Bodo Moeller]
*) Introduce "mode" for SSL structures (with defaults in SSL_CTX),
which largely parallels "options", but is for changing API behaviour,
whereas "options" are about protocol behaviour.
Initial "mode" flags are:
SSL_MODE_ENABLE_PARTIAL_WRITE Allow SSL_write to report success when
a single record has been written.
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER Don't insist that SSL_write
retries use the same buffer location.
(But all of the contents must be
copied!)
[Bodo Moeller]
*) Bugfix: SSL_set_options ignored its parameter, only SSL_CTX_set_options
worked.
*) Fix problems with no-hmac etc.
[Ulf Möller, pointed out by Brian Wellington <bwelling@tislabs.com>]
*) New functions RSA_get_default_method(), RSA_set_method() and
RSA_get_method(). These allows replacement of RSA_METHODs without having
to mess around with the internals of an RSA structure.
[Steve Henson]
*) Fix memory leaks in DSA_do_sign and DSA_is_prime.
Also really enable memory leak checks in openssl.c and in some
test programs.
[Chad C. Mulligan, Bodo Moeller]
*) Fix a bug in d2i_ASN1_INTEGER() and i2d_ASN1_INTEGER() which can mess
up the length of negative integers. This has now been simplified to just
store the length when it is first determined and use it later, rather
than trying to keep track of where data is copied and updating it to
point to the end.
[Steve Henson, reported by Brien Wheeler
<bwheeler@authentica-security.com>]
*) Add a new function PKCS7_signatureVerify. This allows the verification
of a PKCS#7 signature but with the signing certificate passed to the
function itself. This contrasts with PKCS7_dataVerify which assumes the
certificate is present in the PKCS#7 structure. This isn't always the
case: certificates can be omitted from a PKCS#7 structure and be
distributed by "out of band" means (such as a certificate database).
[Steve Henson]
*) Complete the PEM_* macros with DECLARE_PEM versions to replace the
function prototypes in pem.h, also change util/mkdef.pl to add the
necessary function names.
[Steve Henson]
*) mk1mf.pl (used by Windows builds) did not properly read the
options set by Configure in the top level Makefile, and Configure
was not even able to write more than one option correctly.
Fixed, now "no-idea no-rc5 -DCRYPTO_MDEBUG" etc. works as intended.
[Bodo Moeller]
*) New functions CONF_load_bio() and CONF_load_fp() to allow a config
file to be loaded from a BIO or FILE pointer. The BIO version will
for example allow memory BIOs to contain config info.
[Steve Henson]
*) New function "CRYPTO_num_locks" that returns CRYPTO_NUM_LOCKS.
Whoever hopes to achieve shared-library compatibility across versions
must use this, not the compile-time macro.
(Exercise 0.9.4: Which is the minimum library version required by
such programs?)
Note: All this applies only to multi-threaded programs, others don't
need locks.
[Bodo Moeller]
*) Add missing case to s3_clnt.c state machine -- one of the new SSL tests
through a BIO pair triggered the default case, i.e.
SSLerr(...,SSL_R_UNKNOWN_STATE).
[Bodo Moeller]
*) New "BIO pair" concept (crypto/bio/bss_bio.c) so that applications
can use the SSL library even if none of the specific BIOs is
appropriate.
[Bodo Moeller]
*) Fix a bug in i2d_DSAPublicKey() which meant it returned the wrong value
for the encoded length.
[Jeon KyoungHo <khjeon@sds.samsung.co.kr>]
*) Add initial documentation of the X509V3 functions.
[Steve Henson]
*) Add a new pair of functions PEM_write_PKCS8PrivateKey() and
PEM_write_bio_PKCS8PrivateKey() that are equivalent to
PEM_write_PrivateKey() and PEM_write_bio_PrivateKey() but use the more
secure PKCS#8 private key format with a high iteration count.
[Steve Henson]
*) Fix determination of Perl interpreter: A perl or perl5
_directory_ in $PATH was also accepted as the interpreter.
[Ralf S. Engelschall]
*) Fix demos/sign/sign.c: well there wasn't anything strictly speaking
wrong with it but it was very old and did things like calling
PEM_ASN1_read() directly and used MD5 for the hash not to mention some
unusual formatting.
[Steve Henson]
*) Fix demos/selfsign.c: it used obsolete and deleted functions, changed
to use the new extension code.
[Steve Henson]
*) Implement the PEM_read/PEM_write functions in crypto/pem/pem_all.c
with macros. This should make it easier to change their form, add extra
arguments etc. Fix a few PEM prototypes which didn't have cipher as a
constant.
[Steve Henson]
*) Add to configuration table a new entry that can specify an alternative
name for unistd.h (for pre-POSIX systems); we need this for NeXTstep,
according to Mark Crispin <MRC@Panda.COM>.
[Bodo Moeller]
#if 0
*) DES CBC did not update the IV. Weird.
[Ben Laurie]
#else
des_cbc_encrypt does not update the IV, but des_ncbc_encrypt does.
Changing the behaviour of the former might break existing programs --
where IV updating is needed, des_ncbc_encrypt can be used.
#endif
*) When bntest is run from "make test" it drives bc to check its
calculations, as well as internally checking them. If an internal check
fails, it needs to cause bc to give a non-zero result or make test carries
on without noticing the failure. Fixed.
[Ben Laurie]
*) DES library cleanups.
[Ulf Möller]
*) Add support for PKCS#5 v2.0 PBE algorithms. This will permit PKCS#8 to be
used with any cipher unlike PKCS#5 v1.5 which can at most handle 64 bit
ciphers. NOTE: although the key derivation function has been verified
against some published test vectors it has not been extensively tested
yet. Added a -v2 "cipher" option to pkcs8 application to allow the use
of v2.0.
[Steve Henson]
*) Instead of "mkdir -p", which is not fully portable, use new
Perl script "util/mkdir-p.pl".
[Bodo Moeller]
*) Rewrite the way password based encryption (PBE) is handled. It used to
assume that the ASN1 AlgorithmIdentifier parameter was a PBEParameter
structure. This was true for the PKCS#5 v1.5 and PKCS#12 PBE algorithms
but doesn't apply to PKCS#5 v2.0 where it can be something else. Now
the 'parameter' field of the AlgorithmIdentifier is passed to the
underlying key generation function so it must do its own ASN1 parsing.
This has also changed the EVP_PBE_CipherInit() function which now has a
'parameter' argument instead of literal salt and iteration count values
and the function EVP_PBE_ALGOR_CipherInit() has been deleted.
[Steve Henson]
*) Support for PKCS#5 v1.5 compatible password based encryption algorithms
and PKCS#8 functionality. New 'pkcs8' application linked to openssl.
Needed to change the PEM_STRING_EVP_PKEY value which was just "PRIVATE
KEY" because this clashed with PKCS#8 unencrypted string. Since this
value was just used as a "magic string" and not used directly its
value doesn't matter.
[Steve Henson]
*) Introduce some semblance of const correctness to BN. Shame C doesn't
support mutable.
[Ben Laurie]
*) "linux-sparc64" configuration (ultrapenguin).
[Ray Miller <ray.miller@oucs.ox.ac.uk>]
"linux-sparc" configuration.
[Christian Forster <fo@hawo.stw.uni-erlangen.de>]
*) config now generates no-xxx options for missing ciphers.
[Ulf Möller]
*) Support the EBCDIC character set (work in progress).
File ebcdic.c not yet included because it has a different license.
[Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>]
*) Support BS2000/OSD-POSIX.
[Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>]
*) Make callbacks for key generation use void * instead of char *.
[Ben Laurie]
*) Make S/MIME samples compile (not yet tested).
[Ben Laurie]
*) Additional typesafe stacks.
[Ben Laurie]
*) New configuration variants "bsdi-elf-gcc" (BSD/OS 4.x).
[Bodo Moeller]
Changes between 0.9.3 and 0.9.3a [29 May 1999]
*) New configuration variant "sco5-gcc".
*) Updated some demos.
[Sean O Riordain, Wade Scholine]
*) Add missing BIO_free at exit of pkcs12 application.
[Wu Zhigang]
*) Fix memory leak in conf.c.
[Steve Henson]
*) Updates for Win32 to assembler version of MD5.
[Steve Henson]
*) Set #! path to perl in apps/der_chop to where we found it
instead of using a fixed path.
[Bodo Moeller]
*) SHA library changes for irix64-mips4-cc.
[Andy Polyakov]
*) Improvements for VMS support.
[Richard Levitte]
Changes between 0.9.2b and 0.9.3 [24 May 1999]
*) Bignum library bug fix. IRIX 6 passes "make test" now!
This also avoids the problems with SC4.2 and unpatched SC5.
[Andy Polyakov <appro@fy.chalmers.se>]
*) New functions sk_num, sk_value and sk_set to replace the previous macros.
These are required because of the typesafe stack would otherwise break
existing code. If old code used a structure member which used to be STACK
and is now STACK_OF (for example cert in a PKCS7_SIGNED structure) with
sk_num or sk_value it would produce an error because the num, data members
are not present in STACK_OF. Now it just produces a warning. sk_set
replaces the old method of assigning a value to sk_value
(e.g. sk_value(x, i) = y) which the library used in a few cases. Any code
that does this will no longer work (and should use sk_set instead) but
this could be regarded as a "questionable" behaviour anyway.
[Steve Henson]
*) Fix most of the other PKCS#7 bugs. The "experimental" code can now
correctly handle encrypted S/MIME data.
[Steve Henson]
*) Change type of various DES function arguments from des_cblock
(which means, in function argument declarations, pointer to char)
to des_cblock * (meaning pointer to array with 8 char elements),
which allows the compiler to do more typechecking; it was like
that back in SSLeay, but with lots of ugly casts.
Introduce new type const_des_cblock.
[Bodo Moeller]
*) Reorganise the PKCS#7 library and get rid of some of the more obvious
problems: find RecipientInfo structure that matches recipient certificate
and initialise the ASN1 structures properly based on passed cipher.
[Steve Henson]
*) Belatedly make the BN tests actually check the results.
[Ben Laurie]
*) Fix the encoding and decoding of negative ASN1 INTEGERS and conversion
to and from BNs: it was completely broken. New compilation option
NEG_PUBKEY_BUG to allow for some broken certificates that encode public
key elements as negative integers.
[Steve Henson]
*) Reorganize and speed up MD5.
[Andy Polyakov <appro@fy.chalmers.se>]
*) VMS support.
[Richard Levitte <richard@levitte.org>]
*) New option -out to asn1parse to allow the parsed structure to be
output to a file. This is most useful when combined with the -strparse
option to examine the output of things like OCTET STRINGS.
[Steve Henson]
*) Make SSL library a little more fool-proof by not requiring any longer
that SSL_set_{accept,connect}_state be called before
SSL_{accept,connect} may be used (SSL_set_..._state is omitted
in many applications because usually everything *appeared* to work as
intended anyway -- now it really works as intended).
[Bodo Moeller]
*) Move openssl.cnf out of lib/.
[Ulf Möller]
*) Fix various things to let OpenSSL even pass ``egcc -pipe -O2 -Wall
-Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
-Wmissing-declarations -Wnested-externs -Winline'' with EGCS 1.1.2+
[Ralf S. Engelschall]
*) Various fixes to the EVP and PKCS#7 code. It may now be able to
handle PKCS#7 enveloped data properly.
[Sebastian Akerman <sak@parallelconsulting.com>, modified by Steve]
*) Create a duplicate of the SSL_CTX's CERT in SSL_new instead of
copying pointers. The cert_st handling is changed by this in
various ways (and thus what used to be known as ctx->default_cert
is now called ctx->cert, since we don't resort to s->ctx->[default_]cert
any longer when s->cert does not give us what we need).
ssl_cert_instantiate becomes obsolete by this change.
As soon as we've got the new code right (possibly it already is?),
we have solved a couple of bugs of the earlier code where s->cert
was used as if it could not have been shared with other SSL structures.
Note that using the SSL API in certain dirty ways now will result
in different behaviour than observed with earlier library versions:
Changing settings for an SSL_CTX *ctx after having done s = SSL_new(ctx)
does not influence s as it used to.
In order to clean up things more thoroughly, inside SSL_SESSION
we don't use CERT any longer, but a new structure SESS_CERT
that holds per-session data (if available); currently, this is
the peer's certificate chain and, for clients, the server's certificate
and temporary key. CERT holds only those values that can have
meaningful defaults in an SSL_CTX.
[Bodo Moeller]
*) New function X509V3_EXT_i2d() to create an X509_EXTENSION structure
from the internal representation. Various PKCS#7 fixes: remove some
evil casts and set the enc_dig_alg field properly based on the signing
key type.
[Steve Henson]
*) Allow PKCS#12 password to be set from the command line or the
environment. Let 'ca' get its config file name from the environment
variables "OPENSSL_CONF" or "SSLEAY_CONF" (for consistency with 'req'
and 'x509').
[Steve Henson]
*) Allow certificate policies extension to use an IA5STRING for the
organization field. This is contrary to the PKIX definition but
VeriSign uses it and IE5 only recognises this form. Document 'x509'
extension option.
[Steve Henson]
*) Add PEDANTIC compiler flag to allow compilation with gcc -pedantic,
without disallowing inline assembler and the like for non-pedantic builds.
[Ben Laurie]
*) Support Borland C++ builder.
[Janez Jere <jj@void.si>, modified by Ulf Möller]
*) Support Mingw32.
[Ulf Möller]
*) SHA-1 cleanups and performance enhancements.
[Andy Polyakov <appro@fy.chalmers.se>]
*) Sparc v8plus assembler for the bignum library.
[Andy Polyakov <appro@fy.chalmers.se>]
*) Accept any -xxx and +xxx compiler options in Configure.
[Ulf Möller]
*) Update HPUX configuration.
[Anonymous]
*) Add missing sk_<type>_unshift() function to safestack.h
[Ralf S. Engelschall]
*) New function SSL_CTX_use_certificate_chain_file that sets the
"extra_cert"s in addition to the certificate. (This makes sense
only for "PEM" format files, as chains as a whole are not
DER-encoded.)
[Bodo Moeller]
*) Support verify_depth from the SSL API.
x509_vfy.c had what can be considered an off-by-one-error:
Its depth (which was not part of the external interface)
was actually counting the number of certificates in a chain;
now it really counts the depth.
[Bodo Moeller]
*) Bugfix in crypto/x509/x509_cmp.c: The SSLerr macro was used
instead of X509err, which often resulted in confusing error
messages since the error codes are not globally unique
(e.g. an alleged error in ssl3_accept when a certificate
didn't match the private key).
*) New function SSL_CTX_set_session_id_context that allows to set a default
value (so that you don't need SSL_set_session_id_context for each
connection using the SSL_CTX).
[Bodo Moeller]
*) OAEP decoding bug fix.
[Ulf Möller]
*) Support INSTALL_PREFIX for package builders, as proposed by
David Harris.
[Bodo Moeller]
*) New Configure options "threads" and "no-threads". For systems
where the proper compiler options are known (currently Solaris
and Linux), "threads" is the default.
[Bodo Moeller]
*) New script util/mklink.pl as a faster substitute for util/mklink.sh.
[Bodo Moeller]
*) Install various scripts to $(OPENSSLDIR)/misc, not to
$(INSTALLTOP)/bin -- they shouldn't clutter directories
such as /usr/local/bin.
[Bodo Moeller]
*) "make linux-shared" to build shared libraries.
[Niels Poppe <niels@netbox.org>]
*) New Configure option no-<cipher> (rsa, idea, rc5, ...).
[Ulf Möller]
*) Add the PKCS#12 API documentation to openssl.txt. Preliminary support for
extension adding in x509 utility.
[Steve Henson]
*) Remove NOPROTO sections and error code comments.
[Ulf Möller]
*) Partial rewrite of the DEF file generator to now parse the ANSI
prototypes.
[Steve Henson]
*) New Configure options --prefix=DIR and --openssldir=DIR.
[Ulf Möller]
*) Complete rewrite of the error code script(s). It is all now handled
by one script at the top level which handles error code gathering,
header rewriting and C source file generation. It should be much better
than the old method: it now uses a modified version of Ulf's parser to
read the ANSI prototypes in all header files (thus the old K&R definitions
aren't needed for error creation any more) and do a better job of
translating function codes into names. The old 'ASN1 error code embedded
in a comment' is no longer necessary and it doesn't use .err files which
have now been deleted. Also the error code call doesn't have to appear all
on one line (which resulted in some large lines...).
[Steve Henson]
*) Change #include filenames from <foo.h> to <openssl/foo.h>.
[Bodo Moeller]
*) Change behaviour of ssl2_read when facing length-0 packets: Don't return
0 (which usually indicates a closed connection), but continue reading.
[Bodo Moeller]
*) Fix some race conditions.
[Bodo Moeller]
*) Add support for CRL distribution points extension. Add Certificate
Policies and CRL distribution points documentation.
[Steve Henson]
*) Move the autogenerated header file parts to crypto/opensslconf.h.
[Ulf Möller]
*) Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of
8 of keying material. Merlin has also confirmed interop with this fix
between OpenSSL and Baltimore C/SSL 2.0 and J/SSL 2.0.
[Merlin Hughes <merlin@baltimore.ie>]
*) Fix lots of warnings.
[Richard Levitte <levitte@stacken.kth.se>]
*) In add_cert_dir() in crypto/x509/by_dir.c, break out of the loop if
the directory spec didn't end with a LIST_SEPARATOR_CHAR.
[Richard Levitte <levitte@stacken.kth.se>]
*) Fix problems with sizeof(long) == 8.
[Andy Polyakov <appro@fy.chalmers.se>]
*) Change functions to ANSI C.
[Ulf Möller]
*) Fix typos in error codes.
[Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>, Ulf Möller]
*) Remove defunct assembler files from Configure.
[Ulf Möller]
*) SPARC v8 assembler BIGNUM implementation.
[Andy Polyakov <appro@fy.chalmers.se>]
*) Support for Certificate Policies extension: both print and set.
Various additions to support the r2i method this uses.
[Steve Henson]
*) A lot of constification, and fix a bug in X509_NAME_oneline() that could
return a const string when you are expecting an allocated buffer.
[Ben Laurie]
*) Add support for ASN1 types UTF8String and VISIBLESTRING, also the CHOICE
types DirectoryString and DisplayText.
[Steve Henson]
*) Add code to allow r2i extensions to access the configuration database,
add an LHASH database driver and add several ctx helper functions.
[Steve Henson]
*) Fix an evil bug in bn_expand2() which caused various BN functions to
fail when they extended the size of a BIGNUM.
[Steve Henson]
*) Various utility functions to handle SXNet extension. Modify mkdef.pl to
support typesafe stack.
[Steve Henson]
*) Fix typo in SSL_[gs]et_options().
[Nils Frostberg <nils@medcom.se>]
*) Delete various functions and files that belonged to the (now obsolete)
old X509V3 handling code.
[Steve Henson]
*) New Configure option "rsaref".
[Ulf Möller]
*) Don't auto-generate pem.h.
[Bodo Moeller]
*) Introduce type-safe ASN.1 SETs.
[Ben Laurie]
*) Convert various additional casted stacks to type-safe STACK_OF() variants.
[Ben Laurie, Ralf S. Engelschall, Steve Henson]
*) Introduce type-safe STACKs. This will almost certainly break lots of code
that links with OpenSSL (well at least cause lots of warnings), but fear
not: the conversion is trivial, and it eliminates loads of evil casts. A
few STACKed things have been converted already. Feel free to convert more.
In the fullness of time, I'll do away with the STACK type altogether.
[Ben Laurie]
*) Add `openssl ca -revoke <certfile>' facility which revokes a certificate
specified in <certfile> by updating the entry in the index.txt file.
This way one no longer has to edit the index.txt file manually for
revoking a certificate. The -revoke option does the gory details now.
[Massimiliano Pala <madwolf@openca.org>, Ralf S. Engelschall]
*) Fix `openssl crl -noout -text' combination where `-noout' killed the
`-text' option at all and this way the `-noout -text' combination was
inconsistent in `openssl crl' with the friends in `openssl x509|rsa|dsa'.
[Ralf S. Engelschall]
*) Make sure a corresponding plain text error message exists for the
X509_V_ERR_CERT_REVOKED/23 error number which can occur when a
verify callback function determined that a certificate was revoked.
[Ralf S. Engelschall]
*) Bugfix: In test/testenc, don't test "openssl <cipher>" for
ciphers that were excluded, e.g. by -DNO_IDEA. Also, test
all available ciphers including rc5, which was forgotten until now.
In order to let the testing shell script know which algorithms
are available, a new (up to now undocumented) command
"openssl list-cipher-commands" is used.
[Bodo Moeller]
*) Bugfix: s_client occasionally would sleep in select() when
it should have checked SSL_pending() first.
[Bodo Moeller]
*) New functions DSA_do_sign and DSA_do_verify to provide access to
the raw DSA values prior to ASN.1 encoding.
[Ulf Möller]
*) Tweaks to Configure
[Niels Poppe <niels@netbox.org>]
*) Add support for PKCS#5 v2.0 ASN1 PBES2 structures. No other support,
yet...
[Steve Henson]
*) New variables $(RANLIB) and $(PERL) in the Makefiles.
[Ulf Möller]
*) New config option to avoid instructions that are illegal on the 80386.
The default code is faster, but requires at least a 486.
[Ulf Möller]
*) Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and
SSL2_SERVER_VERSION (not used at all) macros, which are now the
same as SSL2_VERSION anyway.
[Bodo Moeller]
*) New "-showcerts" option for s_client.
[Bodo Moeller]
*) Still more PKCS#12 integration. Add pkcs12 application to openssl
application. Various cleanups and fixes.
[Steve Henson]
*) More PKCS#12 integration. Add new pkcs12 directory with Makefile.ssl and
modify error routines to work internally. Add error codes and PBE init
to library startup routines.
[Steve Henson]
*) Further PKCS#12 integration. Added password based encryption, PKCS#8 and
packing functions to asn1 and evp. Changed function names and error
codes along the way.
[Steve Henson]
*) PKCS12 integration: and so it begins... First of several patches to
slowly integrate PKCS#12 functionality into OpenSSL. Add PKCS#12
objects to objects.h
[Steve Henson]
*) Add a new 'indent' option to some X509V3 extension code. Initial ASN1
and display support for Thawte strong extranet extension.
[Steve Henson]
*) Add LinuxPPC support.
[Jeff Dubrule <igor@pobox.org>]
*) Get rid of redundant BN file bn_mulw.c, and rename bn_div64 to
bn_div_words in alpha.s.
[Hannes Reinecke <H.Reinecke@hw.ac.uk> and Ben Laurie]
*) Make sure the RSA OAEP test is skipped under -DRSAref because
OAEP isn't supported when OpenSSL is built with RSAref.
[Ulf Moeller <ulf@fitug.de>]
*) Move definitions of IS_SET/IS_SEQUENCE inside crypto/asn1/asn1.h
so they no longer are missing under -DNOPROTO.
[Soren S. Jorvang <soren@t.dk>]
Changes between 0.9.1c and 0.9.2b [22 Mar 1999]
*) Make SSL_get_peer_cert_chain() work in servers. Unfortunately, it still
doesn't work when the session is reused. Coming soon!
[Ben Laurie]
*) Fix a security hole, that allows sessions to be reused in the wrong
context thus bypassing client cert protection! All software that uses
client certs and session caches in multiple contexts NEEDS PATCHING to
allow session reuse! A fuller solution is in the works.
[Ben Laurie, problem pointed out by Holger Reif, Bodo Moeller (and ???)]
*) Some more source tree cleanups (removed obsolete files
crypto/bf/asm/bf586.pl, test/test.txt and crypto/sha/asm/f.s; changed
permission on "config" script to be executable) and a fix for the INSTALL
document.
[Ulf Moeller <ulf@fitug.de>]
*) Remove some legacy and erroneous uses of malloc, free instead of
Malloc, Free.
[Lennart Bang <lob@netstream.se>, with minor changes by Steve]
*) Make rsa_oaep_test return non-zero on error.
[Ulf Moeller <ulf@fitug.de>]
*) Add support for native Solaris shared libraries. Configure
solaris-sparc-sc4-pic, make, then run shlib/solaris-sc4.sh. It'd be nice
if someone would make that last step automatic.
[Matthias Loepfe <Matthias.Loepfe@AdNovum.CH>]
*) ctx_size was not built with the right compiler during "make links". Fixed.
[Ben Laurie]
*) Change the meaning of 'ALL' in the cipher list. It now means "everything
except NULL ciphers". This means the default cipher list will no longer
enable NULL ciphers. They need to be specifically enabled e.g. with
the string "DEFAULT:eNULL".
[Steve Henson]
*) Fix to RSA private encryption routines: if p < q then it would
occasionally produce an invalid result. This will only happen with
externally generated keys because OpenSSL (and SSLeay) ensure p > q.
[Steve Henson]
*) Be less restrictive and allow also `perl util/perlpath.pl
/path/to/bin/perl' in addition to `perl util/perlpath.pl /path/to/bin',
because this way one can also use an interpreter named `perl5' (which is
usually the name of Perl 5.xxx on platforms where an Perl 4.x is still
installed as `perl').
[Matthias Loepfe <Matthias.Loepfe@adnovum.ch>]
*) Let util/clean-depend.pl work also with older Perl 5.00x versions.
[Matthias Loepfe <Matthias.Loepfe@adnovum.ch>]
*) Fix Makefile.org so CC,CFLAG etc are passed to 'make links' add
advapi32.lib to Win32 build and change the pem test comparison
to fc.exe (thanks to Ulrich Kroener <kroneru@yahoo.com> for the
suggestion). Fix misplaced ASNI prototypes and declarations in evp.h
and crypto/des/ede_cbcm_enc.c.
[Steve Henson]
*) DES quad checksum was broken on big-endian architectures. Fixed.
[Ben Laurie]
*) Comment out two functions in bio.h that aren't implemented. Fix up the
Win32 test batch file so it (might) work again. The Win32 test batch file
is horrible: I feel ill....
[Steve Henson]
*) Move various #ifdefs around so NO_SYSLOG, NO_DIRENT etc are now selected
in e_os.h. Audit of header files to check ANSI and non ANSI
sections: 10 functions were absent from non ANSI section and not exported
from Windows DLLs. Fixed up libeay.num for new functions.
[Steve Henson]
*) Make `openssl version' output lines consistent.
[Ralf S. Engelschall]
*) Fix Win32 symbol export lists for BIO functions: Added
BIO_get_ex_new_index, BIO_get_ex_num, BIO_get_ex_data and BIO_set_ex_data
to ms/libeay{16,32}.def.
[Ralf S. Engelschall]
*) Second round of fixing the OpenSSL perl/ stuff. It now at least compiled
fine under Unix and passes some trivial tests I've now added. But the
whole stuff is horribly incomplete, so a README.1ST with a disclaimer was
added to make sure no one expects that this stuff really works in the
OpenSSL 0.9.2 release. Additionally I've started to clean the XS sources
up and fixed a few little bugs and inconsistencies in OpenSSL.{pm,xs} and
openssl_bio.xs.
[Ralf S. Engelschall]
*) Fix the generation of two part addresses in perl.
[Kenji Miyake <kenji@miyake.org>, integrated by Ben Laurie]
*) Add config entry for Linux on MIPS.
[John Tobey <jtobey@channel1.com>]
*) Make links whenever Configure is run, unless we are on Windoze.
[Ben Laurie]
*) Permit extensions to be added to CRLs using crl_section in openssl.cnf.
Currently only issuerAltName and AuthorityKeyIdentifier make any sense
in CRLs.
[Steve Henson]
*) Add a useful kludge to allow package maintainers to specify compiler and
other platforms details on the command line without having to patch the
Configure script every time: One now can use ``perl Configure
<id>:<details>'', i.e. platform ids are allowed to have details appended
to them (separated by colons). This is treated as there would be a static
pre-configured entry in Configure's %table under key <id> with value
<details> and ``perl Configure <id>'' is called. So, when you want to
perform a quick test-compile under FreeBSD 3.1 with pgcc and without
assembler stuff you can use ``perl Configure "FreeBSD-elf:pgcc:-O6:::"''
now, which overrides the FreeBSD-elf entry on-the-fly.
[Ralf S. Engelschall]
*) Disable new TLS1 ciphersuites by default: they aren't official yet.
[Ben Laurie]
*) Allow DSO flags like -fpic, -fPIC, -KPIC etc. to be specified
on the `perl Configure ...' command line. This way one can compile
OpenSSL libraries with Position Independent Code (PIC) which is needed
for linking it into DSOs.
[Ralf S. Engelschall]
*) Remarkably, export ciphers were totally broken and no-one had noticed!
Fixed.
[Ben Laurie]
*) Cleaned up the LICENSE document: The official contact for any license
questions now is the OpenSSL core team under openssl-core@openssl.org.
And add a paragraph about the dual-license situation to make sure people
recognize that _BOTH_ the OpenSSL license _AND_ the SSLeay license apply
to the OpenSSL toolkit.
[Ralf S. Engelschall]
*) General source tree makefile cleanups: Made `making xxx in yyy...'
display consistent in the source tree and replaced `/bin/rm' by `rm'.
Additionally cleaned up the `make links' target: Remove unnecessary
semicolons, subsequent redundant removes, inline point.sh into mklink.sh
to speed processing and no longer clutter the display with confusing
stuff. Instead only the actually done links are displayed.
[Ralf S. Engelschall]
*) Permit null encryption ciphersuites, used for authentication only. It used
to be necessary to set the preprocessor define SSL_ALLOW_ENULL to do this.
It is now necessary to set SSL_FORBID_ENULL to prevent the use of null
encryption.
[Ben Laurie]
*) Add a bunch of fixes to the PKCS#7 stuff. It used to sometimes reorder
signed attributes when verifying signatures (this would break them),
the detached data encoding was wrong and public keys obtained using
X509_get_pubkey() weren't freed.
[Steve Henson]
*) Add text documentation for the BUFFER functions. Also added a work around
to a Win95 console bug. This was triggered by the password read stuff: the
last character typed gets carried over to the next fread(). If you were
generating a new cert request using 'req' for example then the last
character of the passphrase would be CR which would then enter the first
field as blank.
[Steve Henson]
*) Added the new `Includes OpenSSL Cryptography Software' button as
doc/openssl_button.{gif,html} which is similar in style to the old SSLeay
button and can be used by applications based on OpenSSL to show the
relationship to the OpenSSL project.
[Ralf S. Engelschall]
*) Remove confusing variables in function signatures in files
ssl/ssl_lib.c and ssl/ssl.h.
[Lennart Bong <lob@kulthea.stacken.kth.se>]
*) Don't install bss_file.c under PREFIX/include/
[Lennart Bong <lob@kulthea.stacken.kth.se>]
*) Get the Win32 compile working again. Modify mkdef.pl so it can handle
functions that return function pointers and has support for NT specific
stuff. Fix mk1mf.pl and VC-32.pl to support NT differences also. Various
#ifdef WIN32 and WINNTs sprinkled about the place and some changes from
unsigned to signed types: this was killing the Win32 compile.
[Steve Henson]
*) Add new certificate file to stack functions,
SSL_add_dir_cert_subjects_to_stack() and
SSL_add_file_cert_subjects_to_stack(). These largely supplant
SSL_load_client_CA_file(), and can be used to add multiple certs easily
to a stack (usually this is then handed to SSL_CTX_set_client_CA_list()).
This means that Apache-SSL and similar packages don't have to mess around
to add as many CAs as they want to the preferred list.
[Ben Laurie]
*) Experiment with doxygen documentation. Currently only partially applied to
ssl/ssl_lib.c.
See http://www.stack.nl/~dimitri/doxygen/index.html, and run doxygen with
openssl.doxy as the configuration file.
[Ben Laurie]
*) Get rid of remaining C++-style comments which strict C compilers hate.
[Ralf S. Engelschall, pointed out by Carlos Amengual]
*) Changed BN_RECURSION in bn_mont.c to BN_RECURSION_MONT so it is not
compiled in by default: it has problems with large keys.
[Steve Henson]
*) Add a bunch of SSL_xxx() functions for configuring the temporary RSA and
DH private keys and/or callback functions which directly correspond to
their SSL_CTX_xxx() counterparts but work on a per-connection basis. This
is needed for applications which have to configure certificates on a
per-connection basis (e.g. Apache+mod_ssl) instead of a per-context basis
(e.g. s_server).
For the RSA certificate situation is makes no difference, but
for the DSA certificate situation this fixes the "no shared cipher"
problem where the OpenSSL cipher selection procedure failed because the
temporary keys were not overtaken from the context and the API provided
no way to reconfigure them.
The new functions now let applications reconfigure the stuff and they
are in detail: SSL_need_tmp_RSA, SSL_set_tmp_rsa, SSL_set_tmp_dh,
SSL_set_tmp_rsa_callback and SSL_set_tmp_dh_callback. Additionally a new
non-public-API function ssl_cert_instantiate() is used as a helper
function and also to reduce code redundancy inside ssl_rsa.c.
[Ralf S. Engelschall]
*) Move s_server -dcert and -dkey options out of the undocumented feature
area because they are useful for the DSA situation and should be
recognized by the users.
[Ralf S. Engelschall]
*) Fix the cipher decision scheme for export ciphers: the export bits are
*not* within SSL_MKEY_MASK or SSL_AUTH_MASK, they are within
SSL_EXP_MASK. So, the original variable has to be used instead of the
already masked variable.
[Richard Levitte <levitte@stacken.kth.se>]
*) Fix 'port' variable from `int' to `unsigned int' in crypto/bio/b_sock.c
[Richard Levitte <levitte@stacken.kth.se>]
*) Change type of another md_len variable in pk7_doit.c:PKCS7_dataFinal()
from `int' to `unsigned int' because it's a length and initialized by
EVP_DigestFinal() which expects an `unsigned int *'.
[Richard Levitte <levitte@stacken.kth.se>]
*) Don't hard-code path to Perl interpreter on shebang line of Configure
script. Instead use the usual Shell->Perl transition trick.
[Ralf S. Engelschall]
*) Make `openssl x509 -noout -modulus' functional also for DSA certificates
(in addition to RSA certificates) to match the behaviour of `openssl dsa
-noout -modulus' as it's already the case for `openssl rsa -noout
-modulus'. For RSA the -modulus is the real "modulus" while for DSA
currently the public key is printed (a decision which was already done by
`openssl dsa -modulus' in the past) which serves a similar purpose.
Additionally the NO_RSA no longer completely removes the whole -modulus
option; it now only avoids using the RSA stuff. Same applies to NO_DSA
now, too.
[Ralf S. Engelschall]
*) Add Arne Ansper's reliable BIO - this is an encrypted, block-digested
BIO. See the source (crypto/evp/bio_ok.c) for more info.
[Arne Ansper <arne@ats.cyber.ee>]
*) Dump the old yucky req code that tried (and failed) to allow raw OIDs
to be added. Now both 'req' and 'ca' can use new objects defined in the
config file.
[Steve Henson]
*) Add cool BIO that does syslog (or event log on NT).
[Arne Ansper <arne@ats.cyber.ee>, integrated by Ben Laurie]
*) Add support for new TLS ciphersuites, TLS_RSA_EXPORT56_WITH_RC4_56_MD5,
TLS_RSA_EXPORT56_WITH_RC2_CBC_56_MD5 and
TLS_RSA_EXPORT56_WITH_DES_CBC_SHA, as specified in "56-bit Export Cipher
Suites For TLS", draft-ietf-tls-56-bit-ciphersuites-00.txt.
[Ben Laurie]
*) Add preliminary config info for new extension code.
[Steve Henson]
*) Make RSA_NO_PADDING really use no padding.
[Ulf Moeller <ulf@fitug.de>]
*) Generate errors when private/public key check is done.
[Ben Laurie]
*) Overhaul for 'crl' utility. New function X509_CRL_print. Partial support
for some CRL extensions and new objects added.
[Steve Henson]
*) Really fix the ASN1 IMPLICIT bug this time... Partial support for private
key usage extension and fuller support for authority key id.
[Steve Henson]
*) Add OAEP encryption for the OpenSSL crypto library. OAEP is the improved
padding method for RSA, which is recommended for new applications in PKCS
#1 v2.0 (RFC 2437, October 1998).
OAEP (Optimal Asymmetric Encryption Padding) has better theoretical
foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure
against Bleichbacher's attack on RSA.
[Ulf Moeller <ulf@fitug.de>, reformatted, corrected and integrated by
Ben Laurie]
*) Updates to the new SSL compression code
[Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]
*) Fix so that the version number in the master secret, when passed
via RSA, checks that if TLS was proposed, but we roll back to SSLv3
(because the server will not accept higher), that the version number
is 0x03,0x01, not 0x03,0x00
[Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]
*) Run extensive memory leak checks on SSL apps. Fixed *lots* of memory
leaks in ssl/ relating to new X509_get_pubkey() behaviour. Also fixes
in apps/ and an unrelated leak in crypto/dsa/dsa_vrf.c
[Steve Henson]
*) Support for RAW extensions where an arbitrary extension can be
created by including its DER encoding. See apps/openssl.cnf for
an example.
[Steve Henson]
*) Make sure latest Perl versions don't interpret some generated C array
code as Perl array code in the crypto/err/err_genc.pl script.
[Lars Weber <3weber@informatik.uni-hamburg.de>]
*) Modify ms/do_ms.bat to not generate assembly language makefiles since
not many people have the assembler. Various Win32 compilation fixes and
update to the INSTALL.W32 file with (hopefully) more accurate Win32
build instructions.
[Steve Henson]
*) Modify configure script 'Configure' to automatically create crypto/date.h
file under Win32 and also build pem.h from pem.org. New script
util/mkfiles.pl to create the MINFO file on environments that can't do a
'make files': perl util/mkfiles.pl >MINFO should work.
[Steve Henson]
*) Major rework of DES function declarations, in the pursuit of correctness
and purity. As a result, many evil casts evaporated, and some weirdness,
too. You may find this causes warnings in your code. Zapping your evil
casts will probably fix them. Mostly.
[Ben Laurie]
*) Fix for a typo in asn1.h. Bug fix to object creation script
obj_dat.pl. It considered a zero in an object definition to mean
"end of object": none of the objects in objects.h have any zeros
so it wasn't spotted.
[Steve Henson, reported by Erwann ABALEA <eabalea@certplus.com>]
*) Add support for Triple DES Cipher Block Chaining with Output Feedback
Masking (CBCM). In the absence of test vectors, the best I have been able
to do is check that the decrypt undoes the encrypt, so far. Send me test
vectors if you have them.
[Ben Laurie]
*) Correct calculation of key length for export ciphers (too much space was
allocated for null ciphers). This has not been tested!
[Ben Laurie]
*) Modifications to the mkdef.pl for Win32 DEF file creation. The usage
message is now correct (it understands "crypto" and "ssl" on its
command line). There is also now an "update" option. This will update
the util/ssleay.num and util/libeay.num files with any new functions.
If you do a:
perl util/mkdef.pl crypto ssl update
it will update them.
[Steve Henson]
*) Overhauled the Perl interface (perl/*):
- ported BN stuff to OpenSSL's different BN library
- made the perl/ source tree CVS-aware
- renamed the package from SSLeay to OpenSSL (the files still contain
their history because I've copied them in the repository)
- removed obsolete files (the test scripts will be replaced
by better Test::Harness variants in the future)
[Ralf S. Engelschall]
*) First cut for a very conservative source tree cleanup:
1. merge various obsolete readme texts into doc/ssleay.txt
where we collect the old documents and readme texts.
2. remove the first part of files where I'm already sure that we no
longer need them because of three reasons: either they are just temporary
files which were left by Eric or they are preserved original files where
I've verified that the diff is also available in the CVS via "cvs diff
-rSSLeay_0_8_1b" or they were renamed (as it was definitely the case for
the crypto/md/ stuff).
[Ralf S. Engelschall]
*) More extension code. Incomplete support for subject and issuer alt
name, issuer and authority key id. Change the i2v function parameters
and add an extra 'crl' parameter in the X509V3_CTX structure: guess
what that's for :-) Fix to ASN1 macro which messed up
IMPLICIT tag and add f_enum.c which adds a2i, i2a for ENUMERATED.
[Steve Henson]
*) Preliminary support for ENUMERATED type. This is largely copied from the
INTEGER code.
[Steve Henson]
*) Add new function, EVP_MD_CTX_copy() to replace frequent use of memcpy.
[Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]
*) Make sure `make rehash' target really finds the `openssl' program.
[Ralf S. Engelschall, Matthias Loepfe <Matthias.Loepfe@adnovum.ch>]
*) Squeeze another 7% of speed out of MD5 assembler, at least on a P2. I'd
like to hear about it if this slows down other processors.
[Ben Laurie]
*) Add CygWin32 platform information to Configure script.
[Alan Batie <batie@aahz.jf.intel.com>]
*) Fixed ms/32all.bat script: `no_asm' -> `no-asm'
[Rainer W. Gerling <gerling@mpg-gv.mpg.de>]
*) New program nseq to manipulate netscape certificate sequences
[Steve Henson]
*) Modify crl2pkcs7 so it supports multiple -certfile arguments. Fix a
few typos.
[Steve Henson]
*) Fixes to BN code. Previously the default was to define BN_RECURSION
but the BN code had some problems that would cause failures when
doing certificate verification and some other functions.
[Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)]
*) Add ASN1 and PEM code to support netscape certificate sequences.
[Steve Henson]
*) Add ASN1 and PEM code to support netscape certificate sequences.
[Steve Henson]
*) Add several PKIX and private extended key usage OIDs.
[Steve Henson]
*) Modify the 'ca' program to handle the new extension code. Modify
openssl.cnf for new extension format, add comments.
[Steve Henson]
*) More X509 V3 changes. Fix typo in v3_bitstr.c. Add support to 'req'
and add a sample to openssl.cnf so req -x509 now adds appropriate
CA extensions.
[Steve Henson]
*) Continued X509 V3 changes. Add to other makefiles, integrate with the
error code, add initial support to X509_print() and x509 application.
[Steve Henson]
*) Takes a deep breath and start adding X509 V3 extension support code. Add
files in crypto/x509v3. Move original stuff to crypto/x509v3/old. All this
stuff is currently isolated and isn't even compiled yet.
[Steve Henson]
*) Continuing patches for GeneralizedTime. Fix up certificate and CRL
ASN1 to use ASN1_TIME and modify print routines to use ASN1_TIME_print.
Removed the versions check from X509 routines when loading extensions:
this allows certain broken certificates that don't set the version
properly to be processed.
[Steve Henson]
*) Deal with irritating shit to do with dependencies, in YAAHW (Yet Another
Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which
can still be regenerated with "make depend".
[Ben Laurie]
*) Spelling mistake in C version of CAST-128.
[Ben Laurie, reported by Jeremy Hylton <jeremy@cnri.reston.va.us>]
*) Changes to the error generation code. The perl script err-code.pl
now reads in the old error codes and retains the old numbers, only
adding new ones if necessary. It also only changes the .err files if new
codes are added. The makefiles have been modified to only insert errors
when needed (to avoid needlessly modifying header files). This is done
by only inserting errors if the .err file is newer than the auto generated
C file. To rebuild all the error codes from scratch (the old behaviour)
either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl
or delete all the .err files.
[Steve Henson]
*) CAST-128 was incorrectly implemented for short keys. The C version has
been fixed, but is untested. The assembler versions are also fixed, but
new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing
to regenerate it if needed.
[Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun
Hagino <itojun@kame.net>]
*) File was opened incorrectly in randfile.c.
[Ulf Möller <ulf@fitug.de>]
*) Beginning of support for GeneralizedTime. d2i, i2d, check and print
functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or
GeneralizedTime. ASN1_TIME is the proper type used in certificates et
al: it's just almost always a UTCTime. Note this patch adds new error
codes so do a "make errors" if there are problems.
[Steve Henson]
*) Correct Linux 1 recognition in config.
[Ulf Möller <ulf@fitug.de>]
*) Remove pointless MD5 hash when using DSA keys in ca.
[Anonymous <nobody@replay.com>]
*) Generate an error if given an empty string as a cert directory. Also
generate an error if handed NULL (previously returned 0 to indicate an
error, but didn't set one).
[Ben Laurie, reported by Anonymous <nobody@replay.com>]
*) Add prototypes to SSL methods. Make SSL_write's buffer const, at last.
[Ben Laurie]
*) Fix the dummy function BN_ref_mod_exp() in rsaref.c to have the correct
parameters. This was causing a warning which killed off the Win32 compile.
[Steve Henson]
*) Remove C++ style comments from crypto/bn/bn_local.h.
[Neil Costigan <neil.costigan@celocom.com>]
*) The function OBJ_txt2nid was broken. It was supposed to return a nid
based on a text string, looking up short and long names and finally
"dot" format. The "dot" format stuff didn't work. Added new function
OBJ_txt2obj to do the same but return an ASN1_OBJECT and rewrote
OBJ_txt2nid to use it. OBJ_txt2obj can also return objects even if the
OID is not part of the table.
[Steve Henson]
*) Add prototypes to X509 lookup/verify methods, fixing a bug in
X509_LOOKUP_by_alias().
[Ben Laurie]
*) Sort openssl functions by name.
[Ben Laurie]
*) Get the gendsa program working (hopefully) and add it to app list. Remove
encryption from sample DSA keys (in case anyone is interested the password
was "1234").
[Steve Henson]
*) Make _all_ *_free functions accept a NULL pointer.
[Frans Heymans <fheymans@isaserver.be>]
*) If a DH key is generated in s3_srvr.c, don't blow it by trying to use
NULL pointers.
[Anonymous <nobody@replay.com>]
*) s_server should send the CAfile as acceptable CAs, not its own cert.
[Bodo Moeller <3moeller@informatik.uni-hamburg.de>]
*) Don't blow it for numeric -newkey arguments to apps/req.
[Bodo Moeller <3moeller@informatik.uni-hamburg.de>]
*) Temp key "for export" tests were wrong in s3_srvr.c.
[Anonymous <nobody@replay.com>]
*) Add prototype for temp key callback functions
SSL_CTX_set_tmp_{rsa,dh}_callback().
[Ben Laurie]
*) Make DH_free() tolerate being passed a NULL pointer (like RSA_free() and
DSA_free()). Make X509_PUBKEY_set() check for errors in d2i_PublicKey().
[Steve Henson]
*) X509_name_add_entry() freed the wrong thing after an error.
[Arne Ansper <arne@ats.cyber.ee>]
*) rsa_eay.c would attempt to free a NULL context.
[Arne Ansper <arne@ats.cyber.ee>]
*) BIO_s_socket() had a broken should_retry() on Windoze.
[Arne Ansper <arne@ats.cyber.ee>]
*) BIO_f_buffer() didn't pass on BIO_CTRL_FLUSH.
[Arne Ansper <arne@ats.cyber.ee>]
*) Make sure the already existing X509_STORE->depth variable is initialized
in X509_STORE_new(), but document the fact that this variable is still
unused in the certificate verification process.
[Ralf S. Engelschall]
*) Fix the various library and apps files to free up pkeys obtained from
X509_PUBKEY_get() et al. Also allow x509.c to handle netscape extensions.
[Steve Henson]
*) Fix reference counting in X509_PUBKEY_get(). This makes
demos/maurice/example2.c work, amongst others, probably.
[Steve Henson and Ben Laurie]
*) First cut of a cleanup for apps/. First the `ssleay' program is now named
`openssl' and second, the shortcut symlinks for the `openssl <command>'
are no longer created. This way we have a single and consistent command
line interface `openssl <command>', similar to `cvs <command>'.
[Ralf S. Engelschall, Paul Sutton and Ben Laurie]
*) ca.c: move test for DSA keys inside #ifndef NO_DSA. Make pubkey
BIT STRING wrapper always have zero unused bits.
[Steve Henson]
*) Add CA.pl, perl version of CA.sh, add extended key usage OID.
[Steve Henson]
*) Make the top-level INSTALL documentation easier to understand.
[Paul Sutton]
*) Makefiles updated to exit if an error occurs in a sub-directory
make (including if user presses ^C) [Paul Sutton]
*) Make Montgomery context stuff explicit in RSA data structure.
[Ben Laurie]
*) Fix build order of pem and err to allow for generated pem.h.
[Ben Laurie]
*) Fix renumbering bug in X509_NAME_delete_entry().
[Ben Laurie]
*) Enhanced the err-ins.pl script so it makes the error library number
global and can add a library name. This is needed for external ASN1 and
other error libraries.
[Steve Henson]
*) Fixed sk_insert which never worked properly.
[Steve Henson]
*) Fix ASN1 macros so they can handle indefinite length constructed
EXPLICIT tags. Some non standard certificates use these: they can now
be read in.
[Steve Henson]
*) Merged the various old/obsolete SSLeay documentation files (doc/xxx.doc)
into a single doc/ssleay.txt bundle. This way the information is still
preserved but no longer messes up this directory. Now it's new room for
the new set of documentation files.
[Ralf S. Engelschall]
*) SETs were incorrectly DER encoded. This was a major pain, because they
shared code with SEQUENCEs, which aren't coded the same. This means that
almost everything to do with SETs or SEQUENCEs has either changed name or
number of arguments.
[Ben Laurie, based on a partial fix by GP Jayan <gp@nsj.co.jp>]
*) Fix test data to work with the above.
[Ben Laurie]
*) Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but
was already fixed by Eric for 0.9.1 it seems.
[Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>]
*) Autodetect FreeBSD3.
[Ben Laurie]
*) Fix various bugs in Configure. This affects the following platforms:
nextstep
ncr-scde
unixware-2.0
unixware-2.0-pentium
sco5-cc.
[Ben Laurie]
*) Eliminate generated files from CVS. Reorder tests to regenerate files
before they are needed.
[Ben Laurie]
*) Generate Makefile.ssl from Makefile.org (to keep CVS happy).
[Ben Laurie]
Changes between 0.9.1b and 0.9.1c [23-Dec-1998]
*) Added OPENSSL_VERSION_NUMBER to crypto/crypto.h and
changed SSLeay to OpenSSL in version strings.
[Ralf S. Engelschall]
*) Some fixups to the top-level documents.
[Paul Sutton]
*) Fixed the nasty bug where rsaref.h was not found under compile-time
because the symlink to include/ was missing.
[Ralf S. Engelschall]
*) Incorporated the popular no-RSA/DSA-only patches
which allow to compile a RSA-free SSLeay.
[Andrew Cooke / Interrader Ldt., Ralf S. Engelschall]
*) Fixed nasty rehash problem under `make -f Makefile.ssl links'
when "ssleay" is still not found.
[Ralf S. Engelschall]
*) Added more platforms to Configure: Cray T3E, HPUX 11,
[Ralf S. Engelschall, Beckmann <beckman@acl.lanl.gov>]
*) Updated the README file.
[Ralf S. Engelschall]
*) Added various .cvsignore files in the CVS repository subdirs
to make a "cvs update" really silent.
[Ralf S. Engelschall]
*) Recompiled the error-definition header files and added
missing symbols to the Win32 linker tables.
[Ralf S. Engelschall]
*) Cleaned up the top-level documents;
o new files: CHANGES and LICENSE
o merged VERSION, HISTORY* and README* files a CHANGES.SSLeay
o merged COPYRIGHT into LICENSE
o removed obsolete TODO file
o renamed MICROSOFT to INSTALL.W32
[Ralf S. Engelschall]
*) Removed dummy files from the 0.9.1b source tree:
crypto/asn1/x crypto/bio/cd crypto/bio/fg crypto/bio/grep crypto/bio/vi
crypto/bn/asm/......add.c crypto/bn/asm/a.out crypto/dsa/f crypto/md5/f
crypto/pem/gmon.out crypto/perlasm/f crypto/pkcs7/build crypto/rsa/f
crypto/sha/asm/f crypto/threads/f ms/zzz ssl/f ssl/f.mak test/f
util/f.mak util/pl/f util/pl/f.mak crypto/bf/bf_locl.old apps/f
[Ralf S. Engelschall]
*) Added various platform portability fixes.
[Mark J. Cox]
*) The Genesis of the OpenSSL rpject:
We start with the latest (unreleased) SSLeay version 0.9.1b which Eric A.
Young and Tim J. Hudson created while they were working for C2Net until
summer 1998.
[The OpenSSL Project]
Changes between 0.9.0b and 0.9.1b [not released]
*) Updated a few CA certificates under certs/
[Eric A. Young]
*) Changed some BIGNUM api stuff.
[Eric A. Young]
*) Various platform ports: OpenBSD, Ultrix, IRIX 64bit, NetBSD,
DGUX x86, Linux Alpha, etc.
[Eric A. Young]
*) New COMP library [crypto/comp/] for SSL Record Layer Compression:
RLE (dummy implemented) and ZLIB (really implemented when ZLIB is
available).
[Eric A. Young]
*) Add -strparse option to asn1pars program which parses nested
binary structures
[Dr Stephen Henson <shenson@bigfoot.com>]
*) Added "oid_file" to ssleay.cnf for "ca" and "req" programs.
[Eric A. Young]
*) DSA fix for "ca" program.
[Eric A. Young]
*) Added "-genkey" option to "dsaparam" program.
[Eric A. Young]
*) Added RIPE MD160 (rmd160) message digest.
[Eric A. Young]
*) Added -a (all) option to "ssleay version" command.
[Eric A. Young]
*) Added PLATFORM define which is the id given to Configure.
[Eric A. Young]
*) Added MemCheck_XXXX functions to crypto/mem.c for memory checking.
[Eric A. Young]
*) Extended the ASN.1 parser routines.
[Eric A. Young]
*) Extended BIO routines to support REUSEADDR, seek, tell, etc.
[Eric A. Young]
*) Added a BN_CTX to the BN library.
[Eric A. Young]
*) Fixed the weak key values in DES library
[Eric A. Young]
*) Changed API in EVP library for cipher aliases.
[Eric A. Young]
*) Added support for RC2/64bit cipher.
[Eric A. Young]
*) Converted the lhash library to the crypto/mem.c functions.
[Eric A. Young]
*) Added more recognized ASN.1 object ids.
[Eric A. Young]
*) Added more RSA padding checks for SSL/TLS.
[Eric A. Young]
*) Added BIO proxy/filter functionality.
[Eric A. Young]
*) Added extra_certs to SSL_CTX which can be used
send extra CA certificates to the client in the CA cert chain sending
process. It can be configured with SSL_CTX_add_extra_chain_cert().
[Eric A. Young]
*) Now Fortezza is denied in the authentication phase because
this is key exchange mechanism is not supported by SSLeay at all.
[Eric A. Young]
*) Additional PKCS1 checks.
[Eric A. Young]
*) Support the string "TLSv1" for all TLS v1 ciphers.
[Eric A. Young]
*) Added function SSL_get_ex_data_X509_STORE_CTX_idx() which gives the
ex_data index of the SSL context in the X509_STORE_CTX ex_data.
[Eric A. Young]
*) Fixed a few memory leaks.
[Eric A. Young]
*) Fixed various code and comment typos.
[Eric A. Young]
*) A minor bug in ssl/s3_clnt.c where there would always be 4 0
bytes sent in the client random.
[Edward Bishop <ebishop@spyglass.com>]
diff --git a/crypto/openssl/Configure b/crypto/openssl/Configure
index c1e2591b660a..92e59b9ce7a6 100755
--- a/crypto/openssl/Configure
+++ b/crypto/openssl/Configure
@@ -1,3644 +1,3644 @@
#! /usr/bin/env perl
# -*- mode: perl; -*-
# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
## Configure -- OpenSSL source tree configuration script
use 5.10.0;
use strict;
use Config;
use FindBin;
use lib "$FindBin::Bin/util/perl";
use File::Basename;
use File::Spec::Functions qw/:DEFAULT abs2rel rel2abs/;
use File::Path qw/mkpath/;
use OpenSSL::Glob;
# see INSTALL for instructions.
my $orig_death_handler = $SIG{__DIE__};
$SIG{__DIE__} = \&death_handler;
my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
# Options:
#
# --config add the given configuration file, which will be read after
# any "Configurations*" files that are found in the same
# directory as this script.
# --prefix prefix for the OpenSSL installation, which includes the
# directories bin, lib, include, share/man, share/doc/openssl
# This becomes the value of INSTALLTOP in Makefile
# (Default: /usr/local)
# --openssldir OpenSSL data area, such as openssl.cnf, certificates and keys.
# If it's a relative directory, it will be added on the directory
# given with --prefix.
# This becomes the value of OPENSSLDIR in Makefile and in C.
# (Default: PREFIX/ssl)
#
# --cross-compile-prefix Add specified prefix to binutils components.
#
# --api One of 0.9.8, 1.0.0 or 1.1.0. Do not compile support for
# interfaces deprecated as of the specified OpenSSL version.
#
# no-hw-xxx do not compile support for specific crypto hardware.
# Generic OpenSSL-style methods relating to this support
# are always compiled but return NULL if the hardware
# support isn't compiled.
# no-hw do not compile support for any crypto hardware.
# [no-]threads [don't] try to create a library that is suitable for
# multithreaded applications (default is "threads" if we
# know how to do it)
# [no-]shared [don't] try to create shared libraries when supported.
# [no-]pic [don't] try to build position independent code when supported.
# If disabled, it also disables shared and dynamic-engine.
# no-asm do not use assembler
# no-egd do not compile support for the entropy-gathering daemon APIs
# [no-]zlib [don't] compile support for zlib compression.
# zlib-dynamic Like "zlib", but the zlib library is expected to be a shared
# library and will be loaded in run-time by the OpenSSL library.
# sctp include SCTP support
# enable-weak-ssl-ciphers
# Enable weak ciphers that are disabled by default.
# 386 generate 80386 code in assembly modules
# no-sse2 disables IA-32 SSE2 code in assembly modules, the above
# mentioned '386' option implies this one
# no-<cipher> build without specified algorithm (rsa, idea, rc5, ...)
# -<xxx> +<xxx> All options which are unknown to the 'Configure' script are
# /<xxx> passed through to the compiler. Unix-style options beginning
# with a '-' or '+' are recognized, as well as Windows-style
# options beginning with a '/'. If the option contains arguments
# separated by spaces, then the URL-style notation %20 can be
# used for the space character in order to avoid having to quote
# the option. For example, -opt%20arg gets expanded to -opt arg.
# In fact, any ASCII character can be encoded as %xx using its
# hexadecimal encoding.
# -static while -static is also a pass-through compiler option (and
# as such is limited to environments where it's actually
# meaningful), it triggers a number configuration options,
# namely no-pic, no-shared and no-threads. It is
# argued that the only reason to produce statically linked
# binaries (and in context it means executables linked with
# -static flag, and not just executables linked with static
# libcrypto.a) is to eliminate dependency on specific run-time,
# a.k.a. libc version. The mentioned config options are meant
# to achieve just that. Unfortunately on Linux it's impossible
# to eliminate the dependency completely for openssl executable
# because of getaddrinfo and gethostbyname calls, which can
# invoke dynamically loadable library facility anyway to meet
# the lookup requests. For this reason on Linux statically
# linked openssl executable has rather debugging value than
# production quality.
#
# BN_LLONG use the type 'long long' in crypto/bn/bn.h
# RC4_CHAR use 'char' instead of 'int' for RC4_INT in crypto/rc4/rc4.h
# Following are set automatically by this script
#
# MD5_ASM use some extra md5 assembler,
# SHA1_ASM use some extra sha1 assembler, must define L_ENDIAN for x86
# RMD160_ASM use some extra ripemd160 assembler,
# SHA256_ASM sha256_block is implemented in assembler
# SHA512_ASM sha512_block is implemented in assembler
# AES_ASM AES_[en|de]crypt is implemented in assembler
# Minimum warning options... any contributions to OpenSSL should at least
# get past these. Note that we only use these with C compilers, not with
# C++ compilers.
# DEBUG_UNUSED enables __owur (warn unused result) checks.
# -DPEDANTIC complements -pedantic and is meant to mask code that
# is not strictly standard-compliant and/or implementation-specific,
# e.g. inline assembly, disregards to alignment requirements, such
# that -pedantic would complain about. Incidentally -DPEDANTIC has
# to be used even in sanitized builds, because sanitizer too is
# supposed to and does take notice of non-standard behaviour. Then
# -pedantic with pre-C9x compiler would also complain about 'long
# long' not being supported. As 64-bit algorithms are common now,
# it grew impossible to resolve this without sizeable additional
# code, so we just tell compiler to be pedantic about everything
# but 'long long' type.
my @gcc_devteam_warn = qw(
-DDEBUG_UNUSED
-DPEDANTIC -pedantic -Wno-long-long
-Wall
-Wextra
-Wno-unused-parameter
-Wno-missing-field-initializers
-Wswitch
-Wsign-compare
-Wshadow
-Wformat
-Wtype-limits
-Wundef
-Werror
-Wmissing-prototypes
-Wstrict-prototypes
);
# These are used in addition to $gcc_devteam_warn when the compiler is clang.
# TODO(openssl-team): fix problems and investigate if (at least) the
# following warnings can also be enabled:
# -Wcast-align
# -Wunreachable-code -- no, too ugly/compiler-specific
# -Wlanguage-extension-token -- no, we use asm()
# -Wunused-macros -- no, too tricky for BN and _XOPEN_SOURCE etc
# -Wextended-offsetof -- no, needed in CMS ASN1 code
my @clang_devteam_warn = qw(
-Wno-unknown-warning-option
-Wswitch-default
-Wno-parentheses-equality
-Wno-language-extension-token
-Wno-extended-offsetof
-Wconditional-uninitialized
-Wincompatible-pointer-types-discards-qualifiers
-Wmissing-variable-declarations
);
my @cl_devteam_warn = qw(
/WX
);
# This adds backtrace information to the memory leak info. Is only used
# when crypto-mdebug-backtrace is enabled.
my $memleak_devteam_backtrace = "-rdynamic";
my $strict_warnings = 0;
# As for $BSDthreads. Idea is to maintain "collective" set of flags,
# which would cover all BSD flavors. -pthread applies to them all,
# but is treated differently. OpenBSD expands is as -D_POSIX_THREAD
# -lc_r, which is sufficient. FreeBSD 4.x expands it as -lc_r,
# which has to be accompanied by explicit -D_THREAD_SAFE and
# sometimes -D_REENTRANT. FreeBSD 5.x expands it as -lc_r, which
# seems to be sufficient?
our $BSDthreads="-pthread -D_THREAD_SAFE -D_REENTRANT";
#
# API compatibility name to version number mapping.
#
my $maxapi = "1.1.0"; # API for "no-deprecated" builds
my $apitable = {
"1.1.0" => "0x10100000L",
"1.0.0" => "0x10000000L",
"0.9.8" => "0x00908000L",
};
our %table = ();
our %config = ();
our %withargs = ();
our $now_printing; # set to current entry's name in print_table_entry
# (todo: right thing would be to encapsulate name
# into %target [class] and make print_table_entry
# a method)
# Forward declarations ###############################################
# read_config(filename)
#
# Reads a configuration file and populates %table with the contents
# (which the configuration file places in %targets).
sub read_config;
# resolve_config(target)
#
# Resolves all the late evaluations, inheritances and so on for the
# chosen target and any target it inherits from.
sub resolve_config;
# Information collection #############################################
# Unified build supports separate build dir
my $srcdir = catdir(absolutedir(dirname($0))); # catdir ensures local syntax
my $blddir = catdir(absolutedir(".")); # catdir ensures local syntax
# File::Spec::Unix doesn't detect case insensitivity, so we make sure to
# check if the source and build directory are really the same, and make
# them so. This avoids all kinds of confusion later on.
# We must check @File::Spec::ISA rather than using File::Spec->isa() to
# know if File::Spec ended up loading File::Spec::Unix.
$srcdir = $blddir
if (grep(/::Unix$/, @File::Spec::ISA)
&& samedir($srcdir, $blddir));
my $dofile = abs2rel(catfile($srcdir, "util/dofile.pl"));
my $local_config_envname = 'OPENSSL_LOCAL_CONFIG_DIR';
$config{sourcedir} = abs2rel($srcdir, $blddir);
$config{builddir} = abs2rel($blddir, $blddir);
# Collect reconfiguration information if needed
my @argvcopy=@ARGV;
if (grep /^reconf(igure)?$/, @argvcopy) {
die "reconfiguring with other arguments present isn't supported"
if scalar @argvcopy > 1;
if (-f "./configdata.pm") {
my $file = "./configdata.pm";
unless (my $return = do $file) {
die "couldn't parse $file: $@" if $@;
die "couldn't do $file: $!" unless defined $return;
die "couldn't run $file" unless $return;
}
@argvcopy = defined($configdata::config{perlargv}) ?
@{$configdata::config{perlargv}} : ();
die "Incorrect data to reconfigure, please do a normal configuration\n"
if (grep(/^reconf/,@argvcopy));
$config{perlenv} = $configdata::config{perlenv} // {};
} else {
die "Insufficient data to reconfigure, please do a normal configuration\n";
}
}
$config{perlargv} = [ @argvcopy ];
# Collect version numbers
$config{version} = "unknown";
$config{version_num} = "unknown";
$config{shlib_version_number} = "unknown";
$config{shlib_version_history} = "unknown";
collect_information(
collect_from_file(catfile($srcdir,'include/openssl/opensslv.h')),
qr/OPENSSL.VERSION.TEXT.*OpenSSL (\S+) / => sub { $config{version} = $1; },
qr/OPENSSL.VERSION.NUMBER.*(0x\S+)/ => sub { $config{version_num}=$1 },
qr/SHLIB_VERSION_NUMBER *"([^"]+)"/ => sub { $config{shlib_version_number}=$1 },
qr/SHLIB_VERSION_HISTORY *"([^"]*)"/ => sub { $config{shlib_version_history}=$1 }
);
if ($config{shlib_version_history} ne "") { $config{shlib_version_history} .= ":"; }
($config{major}, $config{minor})
= ($config{version} =~ /^([0-9]+)\.([0-9\.]+)/);
($config{shlib_major}, $config{shlib_minor})
= ($config{shlib_version_number} =~ /^([0-9]+)\.([0-9\.]+)/);
die "erroneous version information in opensslv.h: ",
"$config{major}, $config{minor}, $config{shlib_major}, $config{shlib_minor}\n"
if ($config{major} eq "" || $config{minor} eq ""
|| $config{shlib_major} eq "" || $config{shlib_minor} eq "");
# Collect target configurations
my $pattern = catfile(dirname($0), "Configurations", "*.conf");
foreach (sort glob($pattern)) {
&read_config($_);
}
if (defined env($local_config_envname)) {
if ($^O eq 'VMS') {
# VMS environment variables are logical names,
# which can be used as is
$pattern = $local_config_envname . ':' . '*.conf';
} else {
$pattern = catfile(env($local_config_envname), '*.conf');
}
foreach (sort glob($pattern)) {
&read_config($_);
}
}
# Save away perl command information
$config{perl_cmd} = $^X;
$config{perl_version} = $Config{version};
$config{perl_archname} = $Config{archname};
$config{prefix}="";
$config{openssldir}="";
$config{processor}="";
$config{libdir}="";
my $auto_threads=1; # enable threads automatically? true by default
my $default_ranlib;
# Top level directories to build
$config{dirs} = [ "crypto", "ssl", "engines", "apps", "test", "util", "tools", "fuzz" ];
# crypto/ subdirectories to build
$config{sdirs} = [
"objects",
"md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", "siphash", "sm3",
"des", "aes", "rc2", "rc4", "rc5", "idea", "aria", "bf", "cast", "camellia", "seed", "sm4", "chacha", "modes",
"bn", "ec", "rsa", "dsa", "dh", "sm2", "dso", "engine",
"buffer", "bio", "stack", "lhash", "rand", "err",
"evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui",
"cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store"
];
# test/ subdirectories to build
$config{tdirs} = [ "ossl_shim" ];
# Known TLS and DTLS protocols
my @tls = qw(ssl3 tls1 tls1_1 tls1_2 tls1_3);
my @dtls = qw(dtls1 dtls1_2);
# Explicitly known options that are possible to disable. They can
# be regexps, and will be used like this: /^no-${option}$/
# For developers: keep it sorted alphabetically
my @disablables = (
"afalgeng",
"aria",
"asan",
"asm",
"async",
"autoalginit",
"autoerrinit",
"autoload-config",
"bf",
"blake2",
"buildtest-c\\+\\+",
"camellia",
"capieng",
"cast",
"chacha",
"cmac",
"cms",
"comp",
"crypto-mdebug",
"crypto-mdebug-backtrace",
"ct",
"deprecated",
"des",
"devcryptoeng",
"dgram",
"dh",
"dsa",
"dso",
"dtls",
"dynamic-engine",
"ec",
"ec2m",
"ecdh",
"ecdsa",
"ec_nistp_64_gcc_128",
"egd",
"engine",
"err",
"external-tests",
"filenames",
"fuzz-libfuzzer",
"fuzz-afl",
"gost",
"heartbeats",
"hw(-.+)?",
"idea",
"ktls",
"makedepend",
"md2",
"md4",
"mdc2",
"msan",
"multiblock",
"nextprotoneg",
"pinshared",
"ocb",
"ocsp",
"pic",
"poly1305",
"posix-io",
"psk",
"rc2",
"rc4",
"rc5",
"rdrand",
"rfc3779",
"rmd160",
"scrypt",
"sctp",
"seed",
"shared",
"siphash",
"sm2",
"sm3",
"sm4",
"sock",
"srp",
"srtp",
"sse2",
"ssl",
"ssl-trace",
"static-engine",
"stdio",
"tests",
"threads",
"tls",
"ts",
"ubsan",
"ui-console",
"unit-test",
"whirlpool",
"weak-ssl-ciphers",
"zlib",
"zlib-dynamic",
);
foreach my $proto ((@tls, @dtls))
{
push(@disablables, $proto);
push(@disablables, "$proto-method") unless $proto eq "tls1_3";
}
my %deprecated_disablables = (
"ssl2" => undef,
"buf-freelists" => undef,
"ripemd" => "rmd160",
"ui" => "ui-console",
);
# All of the following are disabled by default:
our %disabled = ( # "what" => "comment"
"asan" => "default",
"buildtest-c++" => "default",
"crypto-mdebug" => "default",
"crypto-mdebug-backtrace" => "default",
"devcryptoeng" => "default",
"ec_nistp_64_gcc_128" => "default",
"egd" => "default",
"external-tests" => "default",
"fuzz-libfuzzer" => "default",
"fuzz-afl" => "default",
"heartbeats" => "default",
"md2" => "default",
"msan" => "default",
"rc5" => "default",
"sctp" => "default",
"ssl-trace" => "default",
"ssl3" => "default",
"ssl3-method" => "default",
"ubsan" => "default",
"unit-test" => "default",
"weak-ssl-ciphers" => "default",
"zlib" => "default",
"zlib-dynamic" => "default",
"ktls" => "default",
);
# Note: => pair form used for aesthetics, not to truly make a hash table
my @disable_cascades = (
# "what" => [ "cascade", ... ]
sub { $config{processor} eq "386" }
=> [ "sse2" ],
"ssl" => [ "ssl3" ],
"ssl3-method" => [ "ssl3" ],
"zlib" => [ "zlib-dynamic" ],
"des" => [ "mdc2" ],
"ec" => [ "ecdsa", "ecdh" ],
"dgram" => [ "dtls", "sctp" ],
"sock" => [ "dgram" ],
"dtls" => [ @dtls ],
sub { 0 == scalar grep { !$disabled{$_} } @dtls }
=> [ "dtls" ],
"tls" => [ @tls ],
sub { 0 == scalar grep { !$disabled{$_} } @tls }
=> [ "tls" ],
"crypto-mdebug" => [ "crypto-mdebug-backtrace" ],
# Without position independent code, there can be no shared libraries or DSOs
"pic" => [ "shared" ],
"shared" => [ "dynamic-engine" ],
"dso" => [ "dynamic-engine" ],
"engine" => [ "afalgeng", "devcryptoeng" ],
# no-autoalginit is only useful when building non-shared
"autoalginit" => [ "shared", "apps" ],
"stdio" => [ "apps", "capieng", "egd" ],
"apps" => [ "tests" ],
"tests" => [ "external-tests" ],
"comp" => [ "zlib" ],
"ec" => [ "tls1_3", "sm2" ],
"sm3" => [ "sm2" ],
sub { !$disabled{"unit-test"} } => [ "heartbeats" ],
sub { !$disabled{"msan"} } => [ "asm" ],
);
# Avoid protocol support holes. Also disable all versions below N, if version
# N is disabled while N+1 is enabled.
#
my @list = (reverse @tls);
while ((my $first, my $second) = (shift @list, shift @list)) {
last unless @list;
push @disable_cascades, ( sub { !$disabled{$first} && $disabled{$second} }
=> [ @list ] );
unshift @list, $second;
}
my @list = (reverse @dtls);
while ((my $first, my $second) = (shift @list, shift @list)) {
last unless @list;
push @disable_cascades, ( sub { !$disabled{$first} && $disabled{$second} }
=> [ @list ] );
unshift @list, $second;
}
# Explicit "no-..." options will be collected in %disabled along with the defaults.
# To remove something from %disabled, use "enable-foo".
# For symmetry, "disable-foo" is a synonym for "no-foo".
&usage if ($#ARGV < 0);
# For the "make variables" CPPINCLUDES and CPPDEFINES, we support lists with
# platform specific list separators. Users from those platforms should
# recognise those separators from how you set up the PATH to find executables.
# The default is the Unix like separator, :, but as an exception, we also
# support the space as separator.
my $list_separator_re =
{ VMS => qr/(?<!\^),/,
MSWin32 => qr/(?<!\\);/ } -> {$^O} // qr/(?<!\\)[:\s]/;
# All the "make variables" we support
# Some get pre-populated for the sake of backward compatibility
# (we supported those before the change to "make variable" support.
my %user = (
AR => env('AR'),
ARFLAGS => [],
AS => undef,
ASFLAGS => [],
CC => env('CC'),
CFLAGS => [ env('CFLAGS') || () ],
CXX => env('CXX'),
CXXFLAGS => [ env('CXXFLAGS') || () ],
CPP => undef,
CPPFLAGS => [ env('CPPFLAGS') || () ], # -D, -I, -Wp,
CPPDEFINES => [], # Alternative for -D
CPPINCLUDES => [], # Alternative for -I
CROSS_COMPILE => env('CROSS_COMPILE'),
HASHBANGPERL=> env('HASHBANGPERL') || env('PERL'),
LD => undef,
LDFLAGS => [ env('LDFLAGS') || () ], # -L, -Wl,
LDLIBS => [ env('LDLIBS') || () ], # -l
MT => undef,
MTFLAGS => [],
PERL => env('PERL') || ($^O ne "VMS" ? $^X : "perl"),
RANLIB => env('RANLIB'),
RC => env('RC') || env('WINDRES'),
RCFLAGS => [ env('RCFLAGS') || () ],
RM => undef,
);
# Info about what "make variables" may be prefixed with the cross compiler
# prefix. This should NEVER mention any such variable with a list for value.
my @user_crossable = qw ( AR AS CC CXX CPP LD MT RANLIB RC );
# The same but for flags given as Configure options. These are *additional*
# input, as opposed to the VAR=string option that override the corresponding
# config target attributes
my %useradd = (
CPPDEFINES => [],
CPPINCLUDES => [],
CPPFLAGS => [],
CFLAGS => [],
CXXFLAGS => [],
LDFLAGS => [],
LDLIBS => [],
RCFLAGS => [],
);
my %user_synonyms = (
HASHBANGPERL=> 'PERL',
RC => 'WINDRES',
);
# Some target attributes have been renamed, this is the translation table
my %target_attr_translate =(
ar => 'AR',
as => 'AS',
cc => 'CC',
cxx => 'CXX',
cpp => 'CPP',
hashbangperl => 'HASHBANGPERL',
ld => 'LD',
mt => 'MT',
ranlib => 'RANLIB',
rc => 'RC',
rm => 'RM',
);
# Initialisers coming from 'config' scripts
$config{defines} = [ split(/$list_separator_re/, env('__CNF_CPPDEFINES')) ];
$config{includes} = [ split(/$list_separator_re/, env('__CNF_CPPINCLUDES')) ];
$config{cppflags} = [ env('__CNF_CPPFLAGS') || () ];
$config{cflags} = [ env('__CNF_CFLAGS') || () ];
$config{cxxflags} = [ env('__CNF_CXXFLAGS') || () ];
$config{lflags} = [ env('__CNF_LDFLAGS') || () ];
$config{ex_libs} = [ env('__CNF_LDLIBS') || () ];
$config{openssl_api_defines}=[];
$config{openssl_algorithm_defines}=[];
$config{openssl_thread_defines}=[];
$config{openssl_sys_defines}=[];
$config{openssl_other_defines}=[];
$config{options}="";
$config{build_type} = "release";
my $target="";
my %cmdvars = (); # Stores FOO='blah' type arguments
my %unsupported_options = ();
my %deprecated_options = ();
# If you change this, update apps/version.c
my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom);
my @seed_sources = ();
while (@argvcopy)
{
$_ = shift @argvcopy;
# Support env variable assignments among the options
if (m|^(\w+)=(.+)?$|)
{
$cmdvars{$1} = $2;
# Every time a variable is given as a configuration argument,
# it acts as a reset if the variable.
if (exists $user{$1})
{
$user{$1} = ref $user{$1} eq "ARRAY" ? [] : undef;
}
#if (exists $useradd{$1})
# {
# $useradd{$1} = [];
# }
next;
}
# VMS is a case insensitive environment, and depending on settings
# out of our control, we may receive options uppercased. Let's
# downcase at least the part before any equal sign.
if ($^O eq "VMS")
{
s/^([^=]*)/lc($1)/e;
}
# some people just can't read the instructions, clang people have to...
s/^-no-(?!integrated-as)/no-/;
# rewrite some options in "enable-..." form
s /^-?-?shared$/enable-shared/;
s /^sctp$/enable-sctp/;
s /^threads$/enable-threads/;
s /^zlib$/enable-zlib/;
s /^zlib-dynamic$/enable-zlib-dynamic/;
if (/^(no|disable|enable)-(.+)$/)
{
my $word = $2;
if (!exists $deprecated_disablables{$word}
&& !grep { $word =~ /^${_}$/ } @disablables)
{
$unsupported_options{$_} = 1;
next;
}
}
if (/^no-(.+)$/ || /^disable-(.+)$/)
{
foreach my $proto ((@tls, @dtls))
{
if ($1 eq "$proto-method")
{
$disabled{"$proto"} = "option($proto-method)";
last;
}
}
if ($1 eq "dtls")
{
foreach my $proto (@dtls)
{
$disabled{$proto} = "option(dtls)";
}
$disabled{"dtls"} = "option(dtls)";
}
elsif ($1 eq "ssl")
{
# Last one of its kind
$disabled{"ssl3"} = "option(ssl)";
}
elsif ($1 eq "tls")
{
# XXX: Tests will fail if all SSL/TLS
# protocols are disabled.
foreach my $proto (@tls)
{
$disabled{$proto} = "option(tls)";
}
}
elsif ($1 eq "static-engine")
{
delete $disabled{"dynamic-engine"};
}
elsif ($1 eq "dynamic-engine")
{
$disabled{"dynamic-engine"} = "option";
}
elsif (exists $deprecated_disablables{$1})
{
if ($deprecated_disablables{$1} ne "")
{
$deprecated_options{$_} = 1;
if (defined $deprecated_disablables{$1})
{
$disabled{$deprecated_disablables{$1}} = "option";
}
}
}
else
{
$disabled{$1} = "option";
}
# No longer an automatic choice
$auto_threads = 0 if ($1 eq "threads");
}
elsif (/^enable-(.+)$/)
{
if ($1 eq "static-engine")
{
$disabled{"dynamic-engine"} = "option";
}
elsif ($1 eq "dynamic-engine")
{
delete $disabled{"dynamic-engine"};
}
elsif ($1 eq "zlib-dynamic")
{
delete $disabled{"zlib"};
}
my $algo = $1;
delete $disabled{$algo};
# No longer an automatic choice
$auto_threads = 0 if ($1 eq "threads");
}
elsif (/^--strict-warnings$/)
{
# Pretend that our strict flags is a C flag, and replace it
# with the proper flags later on
push @{$useradd{CFLAGS}}, '--ossl-strict-warnings';
$strict_warnings=1;
}
elsif (/^--debug$/)
{
$config{build_type} = "debug";
}
elsif (/^--release$/)
{
$config{build_type} = "release";
}
elsif (/^386$/)
{ $config{processor}=386; }
elsif (/^fips$/)
{
die "FIPS mode not supported\n";
}
elsif (/^rsaref$/)
{
# No RSAref support any more since it's not needed.
# The check for the option is there so scripts aren't
# broken
}
elsif (/^nofipscanistercheck$/)
{
die "FIPS mode not supported\n";
}
elsif (m|^[-+/]|)
{
if (/^--prefix=(.*)$/)
{
$config{prefix}=$1;
die "Directory given with --prefix MUST be absolute\n"
unless file_name_is_absolute($config{prefix});
}
elsif (/^--api=(.*)$/)
{
$config{api}=$1;
}
elsif (/^--libdir=(.*)$/)
{
$config{libdir}=$1;
}
elsif (/^--openssldir=(.*)$/)
{
$config{openssldir}=$1;
}
elsif (/^--with-zlib-lib=(.*)$/)
{
$withargs{zlib_lib}=$1;
}
elsif (/^--with-zlib-include=(.*)$/)
{
$withargs{zlib_include}=$1;
}
elsif (/^--with-fuzzer-lib=(.*)$/)
{
$withargs{fuzzer_lib}=$1;
}
elsif (/^--with-fuzzer-include=(.*)$/)
{
$withargs{fuzzer_include}=$1;
}
elsif (/^--with-rand-seed=(.*)$/)
{
foreach my $x (split(m|,|, $1))
{
die "Unknown --with-rand-seed choice $x\n"
if ! grep { $x eq $_ } @known_seed_sources;
push @seed_sources, $x;
}
}
elsif (/^--cross-compile-prefix=(.*)$/)
{
$user{CROSS_COMPILE}=$1;
}
elsif (/^--config=(.*)$/)
{
read_config $1;
}
elsif (/^-l(.*)$/)
{
push @{$useradd{LDLIBS}}, $_;
}
elsif (/^-framework$/)
{
push @{$useradd{LDLIBS}}, $_, shift(@argvcopy);
}
elsif (/^-L(.*)$/ or /^-Wl,/)
{
push @{$useradd{LDFLAGS}}, $_;
}
elsif (/^-rpath$/ or /^-R$/)
# -rpath is the OSF1 rpath flag
# -R is the old Solaris rpath flag
{
my $rpath = shift(@argvcopy) || "";
$rpath .= " " if $rpath ne "";
push @{$useradd{LDFLAGS}}, $_, $rpath;
}
elsif (/^-static$/)
{
push @{$useradd{LDFLAGS}}, $_;
}
elsif (m|^[-/]D(.*)$|)
{
push @{$useradd{CPPDEFINES}}, $1;
}
elsif (m|^[-/]I(.*)$|)
{
push @{$useradd{CPPINCLUDES}}, $1;
}
elsif (/^-Wp,$/)
{
push @{$useradd{CPPFLAGS}}, $1;
}
else # common if (/^[-+]/), just pass down...
{
# Treat %xx as an ASCII code (e.g. replace %20 by a space character).
# This provides a simple way to pass options with arguments separated
# by spaces without quoting (e.g. -opt%20arg translates to -opt arg).
$_ =~ s/%([0-9a-f]{1,2})/chr(hex($1))/gei;
push @{$useradd{CFLAGS}}, $_;
push @{$useradd{CXXFLAGS}}, $_;
}
}
elsif (m|^/|)
{
# Treat %xx as an ASCII code (e.g. replace %20 by a space character).
# This provides a simple way to pass options with arguments separated
# by spaces without quoting (e.g. /opt%20arg translates to /opt arg).
$_ =~ s/%([0-9a-f]{1,2})/chr(hex($1))/gei;
push @{$useradd{CFLAGS}}, $_;
push @{$useradd{CXXFLAGS}}, $_;
}
else
{
die "target already defined - $target (offending arg: $_)\n" if ($target ne "");
$target=$_;
}
unless ($_ eq $target || /^no-/ || /^disable-/)
{
# "no-..." follows later after implied deactivations
# have been derived. (Don't take this too seriously,
# we really only write OPTIONS to the Makefile out of
# nostalgia.)
if ($config{options} eq "")
{ $config{options} = $_; }
else
{ $config{options} .= " ".$_; }
}
}
if (defined($config{api}) && !exists $apitable->{$config{api}}) {
die "***** Unsupported api compatibility level: $config{api}\n",
}
if (keys %deprecated_options)
{
warn "***** Deprecated options: ",
join(", ", keys %deprecated_options), "\n";
}
if (keys %unsupported_options)
{
die "***** Unsupported options: ",
join(", ", keys %unsupported_options), "\n";
}
# If any %useradd entry has been set, we must check that the "make
# variables" haven't been set. We start by checking of any %useradd entry
# is set.
if (grep { scalar @$_ > 0 } values %useradd) {
# Hash of env / make variables names. The possible values are:
# 1 - "make vars"
# 2 - %useradd entry set
# 3 - both set
my %detected_vars =
map { my $v = 0;
$v += 1 if $cmdvars{$_};
$v += 2 if @{$useradd{$_}};
$_ => $v }
keys %useradd;
# If any of the corresponding "make variables" is set, we error
if (grep { $_ & 1 } values %detected_vars) {
my $names = join(', ', grep { $detected_vars{$_} > 0 }
sort keys %detected_vars);
die <<"_____";
***** Mixing make variables and additional compiler/linker flags as
***** configure command line option is not permitted.
***** Affected make variables: $names
_____
}
}
# Check through all supported command line variables to see if any of them
# were set, and canonicalise the values we got. If no compiler or linker
# flag or anything else that affects %useradd was set, we also check the
# environment for values.
my $anyuseradd =
grep { defined $_ && (ref $_ ne 'ARRAY' || @$_) } values %useradd;
foreach (keys %user) {
my $value = $cmdvars{$_};
$value //= env($_) unless $anyuseradd;
$value //=
defined $user_synonyms{$_} ? $cmdvars{$user_synonyms{$_}} : undef;
$value //= defined $user_synonyms{$_} ? env($user_synonyms{$_}) : undef
unless $anyuseradd;
if (defined $value) {
if (ref $user{$_} eq 'ARRAY') {
if ($_ eq 'CPPDEFINES' || $_ eq 'CPPINCLUDES') {
$user{$_} = [ split /$list_separator_re/, $value ];
} else {
$user{$_} = [ $value ];
}
} elsif (!defined $user{$_}) {
$user{$_} = $value;
}
}
}
if (grep { /-rpath\b/ } ($user{LDFLAGS} ? @{$user{LDFLAGS}} : ())
&& !$disabled{shared}
&& !($disabled{asan} && $disabled{msan} && $disabled{ubsan})) {
die "***** Cannot simultaneously use -rpath, shared libraries, and\n",
"***** any of asan, msan or ubsan\n";
}
sub disable {
my $disable_type = shift;
for (@_) {
$disabled{$_} = $disable_type;
}
my @tocheckfor = (@_ ? @_ : keys %disabled);
while (@tocheckfor) {
my %new_tocheckfor = ();
my @cascade_copy = (@disable_cascades);
while (@cascade_copy) {
my ($test, $descendents) =
(shift @cascade_copy, shift @cascade_copy);
if (ref($test) eq "CODE" ? $test->() : defined($disabled{$test})) {
foreach (grep { !defined($disabled{$_}) } @$descendents) {
$new_tocheckfor{$_} = 1; $disabled{$_} = "cascade";
}
}
}
@tocheckfor = (keys %new_tocheckfor);
}
}
disable(); # First cascade run
our $die = sub { die @_; };
if ($target eq "TABLE") {
local $die = sub { warn @_; };
foreach (sort keys %table) {
print_table_entry($_, "TABLE");
}
exit 0;
}
if ($target eq "LIST") {
foreach (sort keys %table) {
print $_,"\n" unless $table{$_}->{template};
}
exit 0;
}
if ($target eq "HASH") {
local $die = sub { warn @_; };
print "%table = (\n";
foreach (sort keys %table) {
print_table_entry($_, "HASH");
}
exit 0;
}
print "Configuring OpenSSL version $config{version} ($config{version_num}) ";
print "for $target\n";
if (scalar(@seed_sources) == 0) {
print "Using os-specific seed configuration\n";
push @seed_sources, 'os';
}
if (scalar(grep { $_ eq 'egd' } @seed_sources) > 0) {
delete $disabled{'egd'};
}
if (scalar(grep { $_ eq 'none' } @seed_sources) > 0) {
die "Cannot seed with none and anything else" if scalar(@seed_sources) > 1;
warn <<_____ if scalar(@seed_sources) == 1;
============================== WARNING ===============================
You have selected the --with-rand-seed=none option, which effectively
disables automatic reseeding of the OpenSSL random generator.
All operations depending on the random generator such as creating keys
will not work unless the random generator is seeded manually by the
application.
Please read the 'Note on random number generation' section in the
INSTALL instructions and the RAND_DRBG(7) manual page for more details.
============================== WARNING ===============================
_____
}
push @{$config{openssl_other_defines}},
map { (my $x = $_) =~ tr|[\-a-z]|[_A-Z]|; "OPENSSL_RAND_SEED_$x" }
@seed_sources;
# Backward compatibility?
if ($target =~ m/^CygWin32(-.*)$/) {
$target = "Cygwin".$1;
}
# Support for legacy targets having a name starting with 'debug-'
my ($d, $t) = $target =~ m/^(debug-)?(.*)$/;
if ($d) {
$config{build_type} = "debug";
# If we do not find debug-foo in the table, the target is set to foo.
if (!$table{$target}) {
$target = $t;
}
}
&usage if !$table{$target} || $table{$target}->{template};
$config{target} = $target;
my %target = resolve_config($target);
foreach (keys %target_attr_translate) {
$target{$target_attr_translate{$_}} = $target{$_}
if $target{$_};
delete $target{$_};
}
%target = ( %{$table{DEFAULTS}}, %target );
my %conf_files = map { $_ => 1 } (@{$target{_conf_fname_int}});
$config{conf_files} = [ sort keys %conf_files ];
# Using sub disable within these loops may prove fragile, so we run
# a cascade afterwards
foreach my $feature (@{$target{disable}}) {
if (exists $deprecated_disablables{$feature}) {
warn "***** config $target disables deprecated feature $feature\n";
} elsif (!grep { $feature eq $_ } @disablables) {
die "***** config $target disables unknown feature $feature\n";
}
$disabled{$feature} = 'config';
}
foreach my $feature (@{$target{enable}}) {
if ("default" eq ($disabled{$feature} // "")) {
if (exists $deprecated_disablables{$feature}) {
warn "***** config $target enables deprecated feature $feature\n";
} elsif (!grep { $feature eq $_ } @disablables) {
die "***** config $target enables unknown feature $feature\n";
}
delete $disabled{$feature};
}
}
disable(); # Run a cascade now
$target{CXXFLAGS}//=$target{CFLAGS} if $target{CXX};
$target{cxxflags}//=$target{cflags} if $target{CXX};
$target{exe_extension}="";
$target{exe_extension}=".exe" if ($config{target} eq "DJGPP"
|| $config{target} =~ /^(?:Cygwin|mingw)/);
$target{exe_extension}=".pm" if ($config{target} =~ /vos/);
($target{shared_extension_simple}=$target{shared_extension})
=~ s|\.\$\(SHLIB_VERSION_NUMBER\)||
unless defined($target{shared_extension_simple});
$target{dso_extension}//=$target{shared_extension_simple};
($target{shared_import_extension}=$target{shared_extension_simple}.".a")
if ($config{target} =~ /^(?:Cygwin|mingw)/);
# Fill %config with values from %user, and in case those are undefined or
# empty, use values from %target (acting as a default).
foreach (keys %user) {
my $ref_type = ref $user{$_};
# Temporary function. Takes an intended ref type (empty string or "ARRAY")
# and a value that's to be coerced into that type.
my $mkvalue = sub {
my $type = shift;
my $value = shift;
my $undef_p = shift;
die "Too many arguments for \$mkvalue" if @_;
while (ref $value eq 'CODE') {
$value = $value->();
}
if ($type eq 'ARRAY') {
return undef unless defined $value;
return undef if ref $value ne 'ARRAY' && !$value;
return undef if ref $value eq 'ARRAY' && !@$value;
return [ $value ] unless ref $value eq 'ARRAY';
}
return undef unless $value;
return $value;
};
$config{$_} =
$mkvalue->($ref_type, $user{$_})
|| $mkvalue->($ref_type, $target{$_});
delete $config{$_} unless defined $config{$_};
}
# Finish up %config by appending things the user gave us on the command line
# apart from "make variables"
foreach (keys %useradd) {
# The must all be lists, so we assert that here
die "internal error: \$useradd{$_} isn't an ARRAY\n"
unless ref $useradd{$_} eq 'ARRAY';
if (defined $config{$_}) {
push @{$config{$_}}, @{$useradd{$_}};
} else {
$config{$_} = [ @{$useradd{$_}} ];
}
}
# At this point, we can forget everything about %user and %useradd,
# because it's now all been merged into the corresponding $config entry
if (grep { $_ eq '-static' } @{$config{LDFLAGS}}) {
disable('static', 'pic', 'threads');
}
# Allow overriding the build file name
$config{build_file} = env('BUILDFILE') || $target{build_file} || "Makefile";
# Make sure build_scheme is consistent.
$target{build_scheme} = [ $target{build_scheme} ]
if ref($target{build_scheme}) ne "ARRAY";
my ($builder, $builder_platform, @builder_opts) =
@{$target{build_scheme}};
foreach my $checker (($builder_platform."-".$target{build_file}."-checker.pm",
$builder_platform."-checker.pm")) {
my $checker_path = catfile($srcdir, "Configurations", $checker);
if (-f $checker_path) {
my $fn = $ENV{CONFIGURE_CHECKER_WARN}
? sub { warn $@; } : sub { die $@; };
if (! do $checker_path) {
if ($@) {
$fn->($@);
} elsif ($!) {
$fn->($!);
} else {
$fn->("The detected tools didn't match the platform\n");
}
}
last;
}
}
push @{$config{defines}}, "NDEBUG" if $config{build_type} eq "release";
if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
{
push @{$config{cflags}}, "-mno-cygwin";
push @{$config{cxxflags}}, "-mno-cygwin" if $config{CXX};
push @{$config{shared_ldflag}}, "-mno-cygwin";
}
if ($target =~ /linux.*-mips/ && !$disabled{asm}
&& !grep { $_ !~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
# minimally required architecture flags for assembly modules
my $value;
$value = '-mips2' if ($target =~ /mips32/);
$value = '-mips3' if ($target =~ /mips64/);
unshift @{$config{cflags}}, $value;
unshift @{$config{cxxflags}}, $value if $config{CXX};
}
# If threads aren't disabled, check how possible they are
unless ($disabled{threads}) {
if ($auto_threads) {
# Enabled by default, disable it forcibly if unavailable
if ($target{thread_scheme} eq "(unknown)") {
disable("unavailable", 'threads');
}
} else {
# The user chose to enable threads explicitly, let's see
# if there's a chance that's possible
if ($target{thread_scheme} eq "(unknown)") {
# If the user asked for "threads" and we don't have internal
# knowledge how to do it, [s]he is expected to provide any
# system-dependent compiler options that are necessary. We
# can't truly check that the given options are correct, but
# we expect the user to know what [s]He is doing.
if (!@{$config{CFLAGS}} && !@{$config{CPPDEFINES}}) {
die "You asked for multi-threading support, but didn't\n"
,"provide any system-specific compiler options\n";
}
}
}
}
# If threads still aren't disabled, add a C macro to ensure the source
# code knows about it. Any other flag is taken care of by the configs.
unless($disabled{threads}) {
push @{$config{openssl_thread_defines}}, "OPENSSL_THREADS";
}
# With "deprecated" disable all deprecated features.
if (defined($disabled{"deprecated"})) {
$config{api} = $maxapi;
}
my $no_shared_warn=0;
if ($target{shared_target} eq "")
{
$no_shared_warn = 1
if (!$disabled{shared} || !$disabled{"dynamic-engine"});
disable('no-shared-target', 'pic');
}
if ($disabled{"dynamic-engine"}) {
$config{dynamic_engines} = 0;
} else {
$config{dynamic_engines} = 1;
}
unless ($disabled{asan}) {
push @{$config{cflags}}, "-fsanitize=address";
push @{$config{cxxflags}}, "-fsanitize=address" if $config{CXX};
}
unless ($disabled{ubsan}) {
# -DPEDANTIC or -fnosanitize=alignment may also be required on some
# platforms.
push @{$config{cflags}}, "-fsanitize=undefined", "-fno-sanitize-recover=all";
push @{$config{cxxflags}}, "-fsanitize=undefined", "-fno-sanitize-recover=all" if $config{CXX};
}
unless ($disabled{msan}) {
push @{$config{cflags}}, "-fsanitize=memory";
push @{$config{cxxflags}}, "-fsanitize=memory" if $config{CXX};
}
unless ($disabled{"fuzz-libfuzzer"} && $disabled{"fuzz-afl"}
&& $disabled{asan} && $disabled{ubsan} && $disabled{msan}) {
push @{$config{cflags}}, "-fno-omit-frame-pointer", "-g";
push @{$config{cxxflags}}, "-fno-omit-frame-pointer", "-g" if $config{CXX};
}
#
# Platform fix-ups
#
# This saves the build files from having to check
if ($disabled{pic})
{
foreach (qw(shared_cflag shared_cxxflag shared_cppflag
shared_defines shared_includes shared_ldflag
module_cflags module_cxxflags module_cppflags
module_defines module_includes module_lflags))
{
delete $config{$_};
$target{$_} = "";
}
}
else
{
push @{$config{lib_defines}}, "OPENSSL_PIC";
}
if ($target{sys_id} ne "")
{
push @{$config{openssl_sys_defines}}, "OPENSSL_SYS_$target{sys_id}";
}
unless ($disabled{asm}) {
$target{cpuid_asm_src}=$table{DEFAULTS}->{cpuid_asm_src} if ($config{processor} eq "386");
push @{$config{lib_defines}}, "OPENSSL_CPUID_OBJ" if ($target{cpuid_asm_src} ne "mem_clr.c");
$target{bn_asm_src} =~ s/\w+-gf2m.c// if (defined($disabled{ec2m}));
# bn-586 is the only one implementing bn_*_part_words
push @{$config{lib_defines}}, "OPENSSL_BN_ASM_PART_WORDS" if ($target{bn_asm_src} =~ /bn-586/);
push @{$config{lib_defines}}, "OPENSSL_IA32_SSE2" if (!$disabled{sse2} && $target{bn_asm_src} =~ /86/);
push @{$config{lib_defines}}, "OPENSSL_BN_ASM_MONT" if ($target{bn_asm_src} =~ /-mont/);
push @{$config{lib_defines}}, "OPENSSL_BN_ASM_MONT5" if ($target{bn_asm_src} =~ /-mont5/);
push @{$config{lib_defines}}, "OPENSSL_BN_ASM_GF2m" if ($target{bn_asm_src} =~ /-gf2m/);
push @{$config{lib_defines}}, "BN_DIV3W" if ($target{bn_asm_src} =~ /-div3w/);
if ($target{sha1_asm_src}) {
push @{$config{lib_defines}}, "SHA1_ASM" if ($target{sha1_asm_src} =~ /sx86/ || $target{sha1_asm_src} =~ /sha1/);
push @{$config{lib_defines}}, "SHA256_ASM" if ($target{sha1_asm_src} =~ /sha256/);
push @{$config{lib_defines}}, "SHA512_ASM" if ($target{sha1_asm_src} =~ /sha512/);
}
if ($target{keccak1600_asm_src} ne $table{DEFAULTS}->{keccak1600_asm_src}) {
push @{$config{lib_defines}}, "KECCAK1600_ASM";
}
if ($target{rc4_asm_src} ne $table{DEFAULTS}->{rc4_asm_src}) {
push @{$config{lib_defines}}, "RC4_ASM";
}
if ($target{md5_asm_src}) {
push @{$config{lib_defines}}, "MD5_ASM";
}
$target{cast_asm_src}=$table{DEFAULTS}->{cast_asm_src} unless $disabled{pic}; # CAST assembler is not PIC
if ($target{rmd160_asm_src}) {
push @{$config{lib_defines}}, "RMD160_ASM";
}
if ($target{aes_asm_src}) {
push @{$config{lib_defines}}, "AES_ASM" if ($target{aes_asm_src} =~ m/\baes-/);;
push @{$config{lib_defines}}, "AESNI_ASM" if ($target{aes_asm_src} =~ m/\baesni-/);;
# aes-ctr.fake is not a real file, only indication that assembler
# module implements AES_ctr32_encrypt...
push @{$config{lib_defines}}, "AES_CTR_ASM" if ($target{aes_asm_src} =~ s/\s*aes-ctr\.fake//);
# aes-xts.fake indicates presence of AES_xts_[en|de]crypt...
push @{$config{lib_defines}}, "AES_XTS_ASM" if ($target{aes_asm_src} =~ s/\s*aes-xts\.fake//);
$target{aes_asm_src} =~ s/\s*(vpaes|aesni)-x86\.s//g if ($disabled{sse2});
push @{$config{lib_defines}}, "VPAES_ASM" if ($target{aes_asm_src} =~ m/vpaes/);
push @{$config{lib_defines}}, "BSAES_ASM" if ($target{aes_asm_src} =~ m/bsaes/);
}
if ($target{wp_asm_src} =~ /mmx/) {
if ($config{processor} eq "386") {
$target{wp_asm_src}=$table{DEFAULTS}->{wp_asm_src};
} elsif (!$disabled{"whirlpool"}) {
push @{$config{lib_defines}}, "WHIRLPOOL_ASM";
}
}
if ($target{modes_asm_src} =~ /ghash-/) {
push @{$config{lib_defines}}, "GHASH_ASM";
}
if ($target{ec_asm_src} =~ /ecp_nistz256/) {
push @{$config{lib_defines}}, "ECP_NISTZ256_ASM";
}
if ($target{ec_asm_src} =~ /x25519/) {
push @{$config{lib_defines}}, "X25519_ASM";
}
if ($target{padlock_asm_src} ne $table{DEFAULTS}->{padlock_asm_src}) {
push @{$config{dso_defines}}, "PADLOCK_ASM";
}
if ($target{poly1305_asm_src} ne "") {
push @{$config{lib_defines}}, "POLY1305_ASM";
}
}
my %predefined_C = compiler_predefined($config{CROSS_COMPILE}.$config{CC});
my %predefined_CXX = $config{CXX}
? compiler_predefined($config{CROSS_COMPILE}.$config{CXX})
: ();
# Check for makedepend capabilities.
if (!$disabled{makedepend}) {
if ($config{target} =~ /^(VC|vms)-/) {
# For VC- and vms- targets, there's nothing more to do here. The
# functionality is hard coded in the corresponding build files for
# cl (Windows) and CC/DECC (VMS).
} elsif (($predefined_C{__GNUC__} // -1) >= 3
&& !($predefined_C{__APPLE_CC__} && !$predefined_C{__clang__})) {
# We know that GNU C version 3 and up as well as all clang
# versions support dependency generation, but Xcode did not
# handle $cc -M before clang support (but claims __GNUC__ = 3)
$config{makedepprog} = "\$(CROSS_COMPILE)$config{CC}";
} else {
# In all other cases, we look for 'makedepend', and disable the
# capability if not found.
$config{makedepprog} = which('makedepend');
disable('unavailable', 'makedepend') unless $config{makedepprog};
}
}
if (!$disabled{asm} && !$predefined_C{__MACH__} && $^O ne 'VMS') {
# probe for -Wa,--noexecstack option...
if ($predefined_C{__clang__}) {
# clang has builtin assembler, which doesn't recognize --help,
# but it apparently recognizes the option in question on all
# supported platforms even when it's meaningless. In other words
# probe would fail, but probed option always accepted...
push @{$config{cflags}}, "-Wa,--noexecstack", "-Qunused-arguments";
} else {
my $cc = $config{CROSS_COMPILE}.$config{CC};
open(PIPE, "$cc -Wa,--help -c -o null.$$.o -x assembler /dev/null 2>&1 |");
while(<PIPE>) {
if (m/--noexecstack/) {
push @{$config{cflags}}, "-Wa,--noexecstack";
last;
}
}
close(PIPE);
unlink("null.$$.o");
}
}
# Deal with bn_ops ###################################################
$config{bn_ll} =0;
$config{export_var_as_fn} =0;
my $def_int="unsigned int";
$config{rc4_int} =$def_int;
($config{b64l},$config{b64},$config{b32})=(0,0,1);
my $count = 0;
foreach (sort split(/\s+/,$target{bn_ops})) {
$count++ if /SIXTY_FOUR_BIT|SIXTY_FOUR_BIT_LONG|THIRTY_TWO_BIT/;
$config{export_var_as_fn}=1 if $_ eq 'EXPORT_VAR_AS_FN';
$config{bn_ll}=1 if $_ eq 'BN_LLONG';
$config{rc4_int}="unsigned char" if $_ eq 'RC4_CHAR';
($config{b64l},$config{b64},$config{b32})
=(0,1,0) if $_ eq 'SIXTY_FOUR_BIT';
($config{b64l},$config{b64},$config{b32})
=(1,0,0) if $_ eq 'SIXTY_FOUR_BIT_LONG';
($config{b64l},$config{b64},$config{b32})
=(0,0,1) if $_ eq 'THIRTY_TWO_BIT';
}
die "Exactly one of SIXTY_FOUR_BIT|SIXTY_FOUR_BIT_LONG|THIRTY_TWO_BIT can be set in bn_ops\n"
if $count > 1;
# Hack cflags for better warnings (dev option) #######################
# "Stringify" the C and C++ flags string. This permits it to be made part of
# a string and works as well on command lines.
$config{cflags} = [ map { (my $x = $_) =~ s/([\\\"])/\\$1/g; $x }
@{$config{cflags}} ];
$config{cxxflags} = [ map { (my $x = $_) =~ s/([\\\"])/\\$1/g; $x }
@{$config{cxxflags}} ] if $config{CXX};
if (defined($config{api})) {
$config{openssl_api_defines} = [ "OPENSSL_MIN_API=".$apitable->{$config{api}} ];
my $apiflag = sprintf("OPENSSL_API_COMPAT=%s", $apitable->{$config{api}});
push @{$config{defines}}, $apiflag;
}
my @strict_warnings_collection=();
if ($strict_warnings)
{
my $wopt;
my $gccver = $predefined_C{__GNUC__} // -1;
if ($gccver >= 4)
{
push @strict_warnings_collection, @gcc_devteam_warn;
push @strict_warnings_collection, @clang_devteam_warn
if (defined($predefined_C{__clang__}));
}
elsif ($config{target} =~ /^VC-/)
{
push @strict_warnings_collection, @cl_devteam_warn;
}
else
{
warn "WARNING --strict-warnings requires gcc[>=4] or gcc-alike, or MSVC"
}
}
$config{CFLAGS} = [ map { $_ eq '--ossl-strict-warnings'
? @strict_warnings_collection
: ( $_ ) }
@{$config{CFLAGS}} ];
unless ($disabled{"crypto-mdebug-backtrace"})
{
foreach my $wopt (split /\s+/, $memleak_devteam_backtrace)
{
push @{$config{cflags}}, $wopt
unless grep { $_ eq $wopt } @{$config{cflags}};
}
if ($target =~ /^BSD-/)
{
push @{$config{ex_libs}}, "-lexecinfo";
}
}
unless ($disabled{afalgeng}) {
$config{afalgeng}="";
if (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
my $minver = 4*10000 + 1*100 + 0;
if ($config{CROSS_COMPILE} eq "") {
my $verstr = `uname -r`;
my ($ma, $mi1, $mi2) = split("\\.", $verstr);
($mi2) = $mi2 =~ /(\d+)/;
my $ver = $ma*10000 + $mi1*100 + $mi2;
if ($ver < $minver) {
disable('too-old-kernel', 'afalgeng');
} else {
push @{$config{engdirs}}, "afalg";
}
} else {
disable('cross-compiling', 'afalgeng');
}
} else {
disable('not-linux', 'afalgeng');
}
}
unless ($disabled{devcryptoeng}) {
if ($target =~ m/^BSD/) {
my $maxver = 5*100 + 7;
my $sysstr = `uname -s`;
my $verstr = `uname -r`;
$sysstr =~ s|\R$||;
$verstr =~ s|\R$||;
my ($ma, $mi, @rest) = split m|\.|, $verstr;
my $ver = $ma*100 + $mi;
if ($sysstr eq 'OpenBSD' && $ver >= $maxver) {
disable('too-new-kernel', 'devcryptoeng');
}
}
}
unless ($disabled{ktls}) {
$config{ktls}="";
if ($target =~ m/^linux/) {
my $usr = "/usr/$config{cross_compile_prefix}";
chop($usr);
if ($config{cross_compile_prefix} eq "") {
$usr = "/usr";
}
my $minver = (4 << 16) + (13 << 8) + 0;
my @verstr = split(" ",`cat $usr/include/linux/version.h | grep LINUX_VERSION_CODE`);
if ($verstr[2] < $minver) {
disable('too-old-kernel', 'ktls');
}
} elsif ($target =~ m/^BSD/) {
my $cc = $config{CROSS_COMPILE}.$config{CC};
system("printf '#include <sys/types.h>\n#include <sys/ktls.h>' | $cc -E - >/dev/null 2>&1");
if ($? != 0) {
disable('too-old-freebsd', 'ktls');
}
} else {
disable('not-linux-or-freebsd', 'ktls');
}
}
push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls});
# Get the extra flags used when building shared libraries and modules. We
# do this late because some of them depend on %disabled.
# Make the flags to build DSOs the same as for shared libraries unless they
# are already defined
$target{module_cflags} = $target{shared_cflag} unless defined $target{module_cflags};
$target{module_cxxflags} = $target{shared_cxxflag} unless defined $target{module_cxxflags};
$target{module_ldflags} = $target{shared_ldflag} unless defined $target{module_ldflags};
{
my $shared_info_pl =
catfile(dirname($0), "Configurations", "shared-info.pl");
my %shared_info = read_eval_file($shared_info_pl);
push @{$target{_conf_fname_int}}, $shared_info_pl;
my $si = $target{shared_target};
while (ref $si ne "HASH") {
last if ! defined $si;
if (ref $si eq "CODE") {
$si = $si->();
} else {
$si = $shared_info{$si};
}
}
# Some of the 'shared_target' values don't have any entries in
# %shared_info. That's perfectly fine, AS LONG AS the build file
# template knows how to handle this. That is currently the case for
# Windows and VMS.
if (defined $si) {
# Just as above, copy certain shared_* attributes to the corresponding
# module_ attribute unless the latter is already defined
$si->{module_cflags} = $si->{shared_cflag} unless defined $si->{module_cflags};
$si->{module_cxxflags} = $si->{shared_cxxflag} unless defined $si->{module_cxxflags};
$si->{module_ldflags} = $si->{shared_ldflag} unless defined $si->{module_ldflags};
foreach (sort keys %$si) {
$target{$_} = defined $target{$_}
? add($si->{$_})->($target{$_})
: $si->{$_};
}
}
}
# ALL MODIFICATIONS TO %disabled, %config and %target MUST BE DONE FROM HERE ON
my %disabled_info = (); # For configdata.pm
foreach my $what (sort keys %disabled) {
$config{options} .= " no-$what";
if (!grep { $what eq $_ } ( 'buildtest-c++', 'threads', 'shared', 'pic',
'dynamic-engine', 'makedepend',
'zlib-dynamic', 'zlib', 'sse2' )) {
(my $WHAT = uc $what) =~ s|-|_|g;
# Fix up C macro end names
$WHAT = "RMD160" if $what eq "ripemd";
# fix-up crypto/directory name(s)
$what = "ripemd" if $what eq "rmd160";
$what = "whrlpool" if $what eq "whirlpool";
my $macro = $disabled_info{$what}->{macro} = "OPENSSL_NO_$WHAT";
if ((grep { $what eq $_ } @{$config{sdirs}})
&& $what ne 'async' && $what ne 'err' && $what ne 'dso') {
@{$config{sdirs}} = grep { $what ne $_} @{$config{sdirs}};
$disabled_info{$what}->{skipped} = [ catdir('crypto', $what) ];
if ($what ne 'engine') {
push @{$config{openssl_algorithm_defines}}, $macro;
} else {
@{$config{dirs}} = grep !/^engines$/, @{$config{dirs}};
push @{$disabled_info{engine}->{skipped}}, catdir('engines');
push @{$config{openssl_other_defines}}, $macro;
}
} else {
push @{$config{openssl_other_defines}}, $macro;
}
}
}
if ($disabled{"dynamic-engine"}) {
push @{$config{openssl_other_defines}}, "OPENSSL_NO_DYNAMIC_ENGINE";
} else {
push @{$config{openssl_other_defines}}, "OPENSSL_NO_STATIC_ENGINE";
}
# If we use the unified build, collect information from build.info files
my %unified_info = ();
my $buildinfo_debug = defined($ENV{CONFIGURE_DEBUG_BUILDINFO});
if ($builder eq "unified") {
use with_fallback qw(Text::Template);
sub cleandir {
my $base = shift;
my $dir = shift;
my $relativeto = shift || ".";
$dir = catdir($base,$dir) unless isabsolute($dir);
# Make sure the directories we're building in exists
mkpath($dir);
my $res = abs2rel(absolutedir($dir), rel2abs($relativeto));
#print STDERR "DEBUG[cleandir]: $dir , $base => $res\n";
return $res;
}
sub cleanfile {
my $base = shift;
my $file = shift;
my $relativeto = shift || ".";
$file = catfile($base,$file) unless isabsolute($file);
my $d = dirname($file);
my $f = basename($file);
# Make sure the directories we're building in exists
mkpath($d);
my $res = abs2rel(catfile(absolutedir($d), $f), rel2abs($relativeto));
#print STDERR "DEBUG[cleanfile]: $d , $f => $res\n";
return $res;
}
# Store the name of the template file we will build the build file from
# in %config. This may be useful for the build file itself.
my @build_file_template_names =
( $builder_platform."-".$target{build_file}.".tmpl",
$target{build_file}.".tmpl" );
my @build_file_templates = ();
# First, look in the user provided directory, if given
if (defined env($local_config_envname)) {
@build_file_templates =
map {
if ($^O eq 'VMS') {
# VMS environment variables are logical names,
# which can be used as is
$local_config_envname . ':' . $_;
} else {
catfile(env($local_config_envname), $_);
}
}
@build_file_template_names;
}
# Then, look in our standard directory
push @build_file_templates,
( map { cleanfile($srcdir, catfile("Configurations", $_), $blddir) }
@build_file_template_names );
my $build_file_template;
for $_ (@build_file_templates) {
$build_file_template = $_;
last if -f $build_file_template;
$build_file_template = undef;
}
if (!defined $build_file_template) {
die "*** Couldn't find any of:\n", join("\n", @build_file_templates), "\n";
}
$config{build_file_templates}
= [ cleanfile($srcdir, catfile("Configurations", "common0.tmpl"),
$blddir),
$build_file_template,
cleanfile($srcdir, catfile("Configurations", "common.tmpl"),
$blddir) ];
my @build_infos = ( [ ".", "build.info" ] );
foreach (@{$config{dirs}}) {
push @build_infos, [ $_, "build.info" ]
if (-f catfile($srcdir, $_, "build.info"));
}
foreach (@{$config{sdirs}}) {
push @build_infos, [ catdir("crypto", $_), "build.info" ]
if (-f catfile($srcdir, "crypto", $_, "build.info"));
}
foreach (@{$config{engdirs}}) {
push @build_infos, [ catdir("engines", $_), "build.info" ]
if (-f catfile($srcdir, "engines", $_, "build.info"));
}
foreach (@{$config{tdirs}}) {
push @build_infos, [ catdir("test", $_), "build.info" ]
if (-f catfile($srcdir, "test", $_, "build.info"));
}
$config{build_infos} = [ ];
my %ordinals = ();
foreach (@build_infos) {
my $sourced = catdir($srcdir, $_->[0]);
my $buildd = catdir($blddir, $_->[0]);
mkpath($buildd);
my $f = $_->[1];
# The basic things we're trying to build
my @programs = ();
my @programs_install = ();
my @libraries = ();
my @libraries_install = ();
my @engines = ();
my @engines_install = ();
my @scripts = ();
my @scripts_install = ();
my @extra = ();
my @overrides = ();
my @intermediates = ();
my @rawlines = ();
my %sources = ();
my %shared_sources = ();
my %includes = ();
my %depends = ();
my %renames = ();
my %sharednames = ();
my %generate = ();
# We want to detect configdata.pm in the source tree, so we
# don't use it if the build tree is different.
my $src_configdata = cleanfile($srcdir, "configdata.pm", $blddir);
push @{$config{build_infos}}, catfile(abs2rel($sourced, $blddir), $f);
my $template =
Text::Template->new(TYPE => 'FILE',
SOURCE => catfile($sourced, $f),
PREPEND => qq{use lib "$FindBin::Bin/util/perl";});
die "Something went wrong with $sourced/$f: $!\n" unless $template;
my @text =
split /^/m,
$template->fill_in(HASH => { config => \%config,
target => \%target,
disabled => \%disabled,
withargs => \%withargs,
builddir => abs2rel($buildd, $blddir),
sourcedir => abs2rel($sourced, $blddir),
buildtop => abs2rel($blddir, $blddir),
sourcetop => abs2rel($srcdir, $blddir) },
DELIMITERS => [ "{-", "-}" ]);
# The top item of this stack has the following values
# -2 positive already run and we found ELSE (following ELSIF should fail)
# -1 positive already run (skip until ENDIF)
# 0 negatives so far (if we're at a condition, check it)
# 1 last was positive (don't skip lines until next ELSE, ELSIF or ENDIF)
# 2 positive ELSE (following ELSIF should fail)
my @skip = ();
collect_information(
collect_from_array([ @text ],
qr/\\$/ => sub { my $l1 = shift; my $l2 = shift;
$l1 =~ s/\\$//; $l1.$l2 }),
# Info we're looking for
qr/^\s*IF\[((?:\\.|[^\\\]])*)\]\s*$/
=> sub {
if (! @skip || $skip[$#skip] > 0) {
push @skip, !! $1;
} else {
push @skip, -1;
}
},
qr/^\s*ELSIF\[((?:\\.|[^\\\]])*)\]\s*$/
=> sub { die "ELSIF out of scope" if ! @skip;
die "ELSIF following ELSE" if abs($skip[$#skip]) == 2;
$skip[$#skip] = -1 if $skip[$#skip] != 0;
$skip[$#skip] = !! $1
if $skip[$#skip] == 0; },
qr/^\s*ELSE\s*$/
=> sub { die "ELSE out of scope" if ! @skip;
$skip[$#skip] = -2 if $skip[$#skip] != 0;
$skip[$#skip] = 2 if $skip[$#skip] == 0; },
qr/^\s*ENDIF\s*$/
=> sub { die "ENDIF out of scope" if ! @skip;
pop @skip; },
qr/^\s*PROGRAMS(_NO_INST)?\s*=\s*(.*)\s*$/
=> sub {
if (!@skip || $skip[$#skip] > 0) {
my $install = $1;
my @x = tokenize($2);
push @programs, @x;
push @programs_install, @x unless $install;
}
},
qr/^\s*LIBS(_NO_INST)?\s*=\s*(.*)\s*$/
=> sub {
if (!@skip || $skip[$#skip] > 0) {
my $install = $1;
my @x = tokenize($2);
push @libraries, @x;
push @libraries_install, @x unless $install;
}
},
qr/^\s*ENGINES(_NO_INST)?\s*=\s*(.*)\s*$/
=> sub {
if (!@skip || $skip[$#skip] > 0) {
my $install = $1;
my @x = tokenize($2);
push @engines, @x;
push @engines_install, @x unless $install;
}
},
qr/^\s*SCRIPTS(_NO_INST)?\s*=\s*(.*)\s*$/
=> sub {
if (!@skip || $skip[$#skip] > 0) {
my $install = $1;
my @x = tokenize($2);
push @scripts, @x;
push @scripts_install, @x unless $install;
}
},
qr/^\s*EXTRA\s*=\s*(.*)\s*$/
=> sub { push @extra, tokenize($1)
if !@skip || $skip[$#skip] > 0 },
qr/^\s*OVERRIDES\s*=\s*(.*)\s*$/
=> sub { push @overrides, tokenize($1)
if !@skip || $skip[$#skip] > 0 },
qr/^\s*ORDINALS\[((?:\\.|[^\\\]])+)\]\s*=\s*(.*)\s*$/,
=> sub { push @{$ordinals{$1}}, tokenize($2)
if !@skip || $skip[$#skip] > 0 },
qr/^\s*SOURCE\[((?:\\.|[^\\\]])+)\]\s*=\s*(.*)\s*$/
=> sub { push @{$sources{$1}}, tokenize($2)
if !@skip || $skip[$#skip] > 0 },
qr/^\s*SHARED_SOURCE\[((?:\\.|[^\\\]])+)\]\s*=\s*(.*)\s*$/
=> sub { push @{$shared_sources{$1}}, tokenize($2)
if !@skip || $skip[$#skip] > 0 },
qr/^\s*INCLUDE\[((?:\\.|[^\\\]])+)\]\s*=\s*(.*)\s*$/
=> sub { push @{$includes{$1}}, tokenize($2)
if !@skip || $skip[$#skip] > 0 },
qr/^\s*DEPEND\[((?:\\.|[^\\\]])*)\]\s*=\s*(.*)\s*$/
=> sub { push @{$depends{$1}}, tokenize($2)
if !@skip || $skip[$#skip] > 0 },
qr/^\s*GENERATE\[((?:\\.|[^\\\]])+)\]\s*=\s*(.*)\s*$/
=> sub { push @{$generate{$1}}, $2
if !@skip || $skip[$#skip] > 0 },
qr/^\s*RENAME\[((?:\\.|[^\\\]])+)\]\s*=\s*(.*)\s*$/
=> sub { push @{$renames{$1}}, tokenize($2)
if !@skip || $skip[$#skip] > 0 },
qr/^\s*SHARED_NAME\[((?:\\.|[^\\\]])+)\]\s*=\s*(.*)\s*$/
=> sub { push @{$sharednames{$1}}, tokenize($2)
if !@skip || $skip[$#skip] > 0 },
qr/^\s*BEGINRAW\[((?:\\.|[^\\\]])+)\]\s*$/
=> sub {
my $lineiterator = shift;
my $target_kind = $1;
while (defined $lineiterator->()) {
s|\R$||;
if (/^\s*ENDRAW\[((?:\\.|[^\\\]])+)\]\s*$/) {
die "ENDRAW doesn't match BEGINRAW"
if $1 ne $target_kind;
last;
}
next if @skip && $skip[$#skip] <= 0;
push @rawlines, $_
if ($target_kind eq $target{build_file}
|| $target_kind eq $target{build_file}."(".$builder_platform.")");
}
},
qr/^\s*(?:#.*)?$/ => sub { },
"OTHERWISE" => sub { die "Something wrong with this line:\n$_\nat $sourced/$f" },
"BEFORE" => sub {
if ($buildinfo_debug) {
print STDERR "DEBUG: Parsing ",join(" ", @_),"\n";
print STDERR "DEBUG: ... before parsing, skip stack is ",join(" ", map { int($_) } @skip),"\n";
}
},
"AFTER" => sub {
if ($buildinfo_debug) {
print STDERR "DEBUG: .... after parsing, skip stack is ",join(" ", map { int($_) } @skip),"\n";
}
},
);
die "runaway IF?" if (@skip);
foreach (keys %renames) {
die "$_ renamed to more than one thing: "
,join(" ", @{$renames{$_}}),"\n"
if scalar @{$renames{$_}} > 1;
my $dest = cleanfile($buildd, $_, $blddir);
my $to = cleanfile($buildd, $renames{$_}->[0], $blddir);
die "$dest renamed to more than one thing: "
,$unified_info{rename}->{$dest}, $to
unless !defined($unified_info{rename}->{$dest})
or $unified_info{rename}->{$dest} eq $to;
$unified_info{rename}->{$dest} = $to;
}
foreach (@programs) {
my $program = cleanfile($buildd, $_, $blddir);
if ($unified_info{rename}->{$program}) {
$program = $unified_info{rename}->{$program};
}
$unified_info{programs}->{$program} = 1;
}
foreach (@programs_install) {
my $program = cleanfile($buildd, $_, $blddir);
if ($unified_info{rename}->{$program}) {
$program = $unified_info{rename}->{$program};
}
$unified_info{install}->{programs}->{$program} = 1;
}
foreach (@libraries) {
my $library = cleanfile($buildd, $_, $blddir);
if ($unified_info{rename}->{$library}) {
$library = $unified_info{rename}->{$library};
}
$unified_info{libraries}->{$library} = 1;
}
foreach (@libraries_install) {
my $library = cleanfile($buildd, $_, $blddir);
if ($unified_info{rename}->{$library}) {
$library = $unified_info{rename}->{$library};
}
$unified_info{install}->{libraries}->{$library} = 1;
}
die <<"EOF" if scalar @engines and !$config{dynamic_engines};
ENGINES can only be used if configured with 'dynamic-engine'.
This is usually a fault in a build.info file.
EOF
foreach (@engines) {
my $library = cleanfile($buildd, $_, $blddir);
if ($unified_info{rename}->{$library}) {
$library = $unified_info{rename}->{$library};
}
$unified_info{engines}->{$library} = 1;
}
foreach (@engines_install) {
my $library = cleanfile($buildd, $_, $blddir);
if ($unified_info{rename}->{$library}) {
$library = $unified_info{rename}->{$library};
}
$unified_info{install}->{engines}->{$library} = 1;
}
foreach (@scripts) {
my $script = cleanfile($buildd, $_, $blddir);
if ($unified_info{rename}->{$script}) {
$script = $unified_info{rename}->{$script};
}
$unified_info{scripts}->{$script} = 1;
}
foreach (@scripts_install) {
my $script = cleanfile($buildd, $_, $blddir);
if ($unified_info{rename}->{$script}) {
$script = $unified_info{rename}->{$script};
}
$unified_info{install}->{scripts}->{$script} = 1;
}
foreach (@extra) {
my $extra = cleanfile($buildd, $_, $blddir);
$unified_info{extra}->{$extra} = 1;
}
foreach (@overrides) {
my $override = cleanfile($buildd, $_, $blddir);
$unified_info{overrides}->{$override} = 1;
}
push @{$unified_info{rawlines}}, @rawlines;
unless ($disabled{shared}) {
# Check sharednames.
foreach (keys %sharednames) {
my $dest = cleanfile($buildd, $_, $blddir);
if ($unified_info{rename}->{$dest}) {
$dest = $unified_info{rename}->{$dest};
}
die "shared_name for $dest with multiple values: "
,join(" ", @{$sharednames{$_}}),"\n"
if scalar @{$sharednames{$_}} > 1;
my $to = cleanfile($buildd, $sharednames{$_}->[0], $blddir);
die "shared_name found for a library $dest that isn't defined\n"
unless $unified_info{libraries}->{$dest};
die "shared_name for $dest with multiple values: "
,$unified_info{sharednames}->{$dest}, ", ", $to
unless !defined($unified_info{sharednames}->{$dest})
or $unified_info{sharednames}->{$dest} eq $to;
$unified_info{sharednames}->{$dest} = $to;
}
# Additionally, we set up sharednames for libraries that don't
# have any, as themselves. Only for libraries that aren't
# explicitly static.
foreach (grep !/\.a$/, keys %{$unified_info{libraries}}) {
if (!defined $unified_info{sharednames}->{$_}) {
$unified_info{sharednames}->{$_} = $_
}
}
# Check that we haven't defined any library as both shared and
# explicitly static. That is forbidden.
my @doubles = ();
foreach (grep /\.a$/, keys %{$unified_info{libraries}}) {
(my $l = $_) =~ s/\.a$//;
push @doubles, $l if defined $unified_info{sharednames}->{$l};
}
die "these libraries are both explicitly static and shared:\n ",
join(" ", @doubles), "\n"
if @doubles;
}
foreach (keys %sources) {
my $dest = $_;
my $ddest = cleanfile($buildd, $_, $blddir);
if ($unified_info{rename}->{$ddest}) {
$ddest = $unified_info{rename}->{$ddest};
}
foreach (@{$sources{$dest}}) {
my $s = cleanfile($sourced, $_, $blddir);
# If it isn't in the source tree, we assume it's generated
# in the build tree
if ($s eq $src_configdata || ! -f $s || $generate{$_}) {
$s = cleanfile($buildd, $_, $blddir);
}
# We recognise C++, C and asm files
if ($s =~ /\.(cc|cpp|c|s|S)$/) {
my $o = $_;
$o =~ s/\.[csS]$/.o/; # C and assembler
$o =~ s/\.(cc|cpp)$/_cc.o/; # C++
$o = cleanfile($buildd, $o, $blddir);
$unified_info{sources}->{$ddest}->{$o} = 1;
$unified_info{sources}->{$o}->{$s} = 1;
} elsif ($s =~ /\.rc$/) {
# We also recognise resource files
my $o = $_;
$o =~ s/\.rc$/.res/; # Resource configuration
my $o = cleanfile($buildd, $o, $blddir);
$unified_info{sources}->{$ddest}->{$o} = 1;
$unified_info{sources}->{$o}->{$s} = 1;
} else {
$unified_info{sources}->{$ddest}->{$s} = 1;
}
}
}
foreach (keys %shared_sources) {
my $dest = $_;
my $ddest = cleanfile($buildd, $_, $blddir);
if ($unified_info{rename}->{$ddest}) {
$ddest = $unified_info{rename}->{$ddest};
}
foreach (@{$shared_sources{$dest}}) {
my $s = cleanfile($sourced, $_, $blddir);
# If it isn't in the source tree, we assume it's generated
# in the build tree
if ($s eq $src_configdata || ! -f $s || $generate{$_}) {
$s = cleanfile($buildd, $_, $blddir);
}
if ($s =~ /\.(cc|cpp|c|s|S)$/) {
# We recognise C++, C and asm files
my $o = $_;
$o =~ s/\.[csS]$/.o/; # C and assembler
$o =~ s/\.(cc|cpp)$/_cc.o/; # C++
$o = cleanfile($buildd, $o, $blddir);
$unified_info{shared_sources}->{$ddest}->{$o} = 1;
$unified_info{sources}->{$o}->{$s} = 1;
} elsif ($s =~ /\.rc$/) {
# We also recognise resource files
my $o = $_;
$o =~ s/\.rc$/.res/; # Resource configuration
my $o = cleanfile($buildd, $o, $blddir);
$unified_info{shared_sources}->{$ddest}->{$o} = 1;
$unified_info{sources}->{$o}->{$s} = 1;
} elsif ($s =~ /\.(def|map|opt)$/) {
# We also recognise .def / .map / .opt files
# We know they are generated files
my $def = cleanfile($buildd, $s, $blddir);
$unified_info{shared_sources}->{$ddest}->{$def} = 1;
} else {
die "unrecognised source file type for shared library: $s\n";
}
}
}
foreach (keys %generate) {
my $dest = $_;
my $ddest = cleanfile($buildd, $_, $blddir);
if ($unified_info{rename}->{$ddest}) {
$ddest = $unified_info{rename}->{$ddest};
}
die "more than one generator for $dest: "
,join(" ", @{$generate{$_}}),"\n"
if scalar @{$generate{$_}} > 1;
my @generator = split /\s+/, $generate{$dest}->[0];
$generator[0] = cleanfile($sourced, $generator[0], $blddir),
$unified_info{generate}->{$ddest} = [ @generator ];
}
foreach (keys %depends) {
my $dest = $_;
my $ddest = $dest eq "" ? "" : cleanfile($sourced, $_, $blddir);
# If the destination doesn't exist in source, it can only be
# a generated file in the build tree.
if ($ddest ne "" && ($ddest eq $src_configdata || ! -f $ddest)) {
$ddest = cleanfile($buildd, $_, $blddir);
if ($unified_info{rename}->{$ddest}) {
$ddest = $unified_info{rename}->{$ddest};
}
}
foreach (@{$depends{$dest}}) {
my $d = cleanfile($sourced, $_, $blddir);
# If we know it's generated, or assume it is because we can't
# find it in the source tree, we set file we depend on to be
# in the build tree rather than the source tree, and assume
# and that there are lines to build it in a BEGINRAW..ENDRAW
# section or in the Makefile template.
if ($d eq $src_configdata
|| ! -f $d
|| (grep { $d eq $_ }
map { cleanfile($srcdir, $_, $blddir) }
grep { /\.h$/ } keys %{$unified_info{generate}})) {
$d = cleanfile($buildd, $_, $blddir);
}
# Take note if the file to depend on is being renamed
# Take extra care with files ending with .a, they should
# be treated without that extension, and the extension
# should be added back after treatment.
$d =~ /(\.a)?$/;
my $e = $1 // "";
$d = $`;
if ($unified_info{rename}->{$d}) {
$d = $unified_info{rename}->{$d};
}
$d .= $e;
$unified_info{depends}->{$ddest}->{$d} = 1;
}
}
foreach (keys %includes) {
my $dest = $_;
my $ddest = cleanfile($sourced, $_, $blddir);
# If the destination doesn't exist in source, it can only be
# a generated file in the build tree.
if ($ddest eq $src_configdata || ! -f $ddest) {
$ddest = cleanfile($buildd, $_, $blddir);
if ($unified_info{rename}->{$ddest}) {
$ddest = $unified_info{rename}->{$ddest};
}
}
foreach (@{$includes{$dest}}) {
my $is = cleandir($sourced, $_, $blddir);
my $ib = cleandir($buildd, $_, $blddir);
push @{$unified_info{includes}->{$ddest}->{source}}, $is
unless grep { $_ eq $is } @{$unified_info{includes}->{$ddest}->{source}};
push @{$unified_info{includes}->{$ddest}->{build}}, $ib
unless grep { $_ eq $ib } @{$unified_info{includes}->{$ddest}->{build}};
}
}
}
my $ordinals_text = join(', ', sort keys %ordinals);
warn <<"EOF" if $ordinals_text;
WARNING: ORDINALS were specified for $ordinals_text
They are ignored and should be replaced with a combination of GENERATE,
DEPEND and SHARED_SOURCE.
EOF
# Massage the result
# If the user configured no-shared, we allow no shared sources
if ($disabled{shared}) {
foreach (keys %{$unified_info{shared_sources}}) {
foreach (keys %{$unified_info{shared_sources}->{$_}}) {
delete $unified_info{sources}->{$_};
}
}
$unified_info{shared_sources} = {};
}
# If we depend on a header file or a perl module, add an inclusion of
# its directory to allow smoothe inclusion
foreach my $dest (keys %{$unified_info{depends}}) {
next if $dest eq "";
foreach my $d (keys %{$unified_info{depends}->{$dest}}) {
next unless $d =~ /\.(h|pm)$/;
my $i = dirname($d);
my $spot =
$d eq "configdata.pm" || defined($unified_info{generate}->{$d})
? 'build' : 'source';
push @{$unified_info{includes}->{$dest}->{$spot}}, $i
unless grep { $_ eq $i } @{$unified_info{includes}->{$dest}->{$spot}};
}
}
# Trickle down includes placed on libraries, engines and programs to
# their sources (i.e. object files)
foreach my $dest (keys %{$unified_info{engines}},
keys %{$unified_info{libraries}},
keys %{$unified_info{programs}}) {
foreach my $k (("source", "build")) {
next unless defined($unified_info{includes}->{$dest}->{$k});
my @incs = reverse @{$unified_info{includes}->{$dest}->{$k}};
foreach my $obj (grep /\.o$/,
(keys %{$unified_info{sources}->{$dest} // {}},
keys %{$unified_info{shared_sources}->{$dest} // {}})) {
foreach my $inc (@incs) {
unshift @{$unified_info{includes}->{$obj}->{$k}}, $inc
unless grep { $_ eq $inc } @{$unified_info{includes}->{$obj}->{$k}};
}
}
}
delete $unified_info{includes}->{$dest};
}
### Make unified_info a bit more efficient
# One level structures
foreach (("programs", "libraries", "engines", "scripts", "extra", "overrides")) {
$unified_info{$_} = [ sort keys %{$unified_info{$_}} ];
}
# Two level structures
foreach my $l1 (("install", "sources", "shared_sources", "ldadd", "depends")) {
foreach my $l2 (sort keys %{$unified_info{$l1}}) {
$unified_info{$l1}->{$l2} =
[ sort keys %{$unified_info{$l1}->{$l2}} ];
}
}
# Includes
foreach my $dest (sort keys %{$unified_info{includes}}) {
if (defined($unified_info{includes}->{$dest}->{build})) {
my @source_includes = ();
@source_includes = ( @{$unified_info{includes}->{$dest}->{source}} )
if defined($unified_info{includes}->{$dest}->{source});
$unified_info{includes}->{$dest} =
[ @{$unified_info{includes}->{$dest}->{build}} ];
foreach my $inc (@source_includes) {
push @{$unified_info{includes}->{$dest}}, $inc
unless grep { $_ eq $inc } @{$unified_info{includes}->{$dest}};
}
} else {
$unified_info{includes}->{$dest} =
[ @{$unified_info{includes}->{$dest}->{source}} ];
}
}
# For convenience collect information regarding directories where
# files are generated, those generated files and the end product
# they end up in where applicable. Then, add build rules for those
# directories
my %loopinfo = ( "lib" => [ @{$unified_info{libraries}} ],
"dso" => [ @{$unified_info{engines}} ],
"bin" => [ @{$unified_info{programs}} ],
"script" => [ @{$unified_info{scripts}} ] );
foreach my $type (keys %loopinfo) {
foreach my $product (@{$loopinfo{$type}}) {
my %dirs = ();
my $pd = dirname($product);
foreach (@{$unified_info{sources}->{$product} // []},
@{$unified_info{shared_sources}->{$product} // []}) {
my $d = dirname($_);
# We don't want to create targets for source directories
# when building out of source
next if ($config{sourcedir} ne $config{builddir}
&& $d =~ m|^\Q$config{sourcedir}\E|);
# We already have a "test" target, and the current directory
# is just silly to make a target for
next if $d eq "test" || $d eq ".";
$dirs{$d} = 1;
push @{$unified_info{dirinfo}->{$d}->{deps}}, $_
if $d ne $pd;
}
foreach (keys %dirs) {
push @{$unified_info{dirinfo}->{$_}->{products}->{$type}},
$product;
}
}
}
}
# For the schemes that need it, we provide the old *_obj configs
# from the *_asm_obj ones
foreach (grep /_(asm|aux)_src$/, keys %target) {
my $src = $_;
(my $obj = $_) =~ s/_(asm|aux)_src$/_obj/;
$target{$obj} = $target{$src};
$target{$obj} =~ s/\.[csS]\b/.o/g; # C and assembler
$target{$obj} =~ s/\.(cc|cpp)\b/_cc.o/g; # C++
}
# Write down our configuration where it fits #########################
print "Creating configdata.pm\n";
open(OUT,">configdata.pm") || die "unable to create configdata.pm: $!\n";
print OUT <<"EOF";
#! $config{HASHBANGPERL}
package configdata;
use strict;
use warnings;
use Exporter;
#use vars qw(\@ISA \@EXPORT);
our \@ISA = qw(Exporter);
our \@EXPORT = qw(\%config \%target \%disabled \%withargs \%unified_info \@disablables);
EOF
print OUT "our %config = (\n";
foreach (sort keys %config) {
if (ref($config{$_}) eq "ARRAY") {
print OUT " ", $_, " => [ ", join(", ",
map { quotify("perl", $_) }
@{$config{$_}}), " ],\n";
} elsif (ref($config{$_}) eq "HASH") {
print OUT " ", $_, " => {";
if (scalar keys %{$config{$_}} > 0) {
print OUT "\n";
foreach my $key (sort keys %{$config{$_}}) {
print OUT " ",
join(" => ",
quotify("perl", $key),
defined $config{$_}->{$key}
? quotify("perl", $config{$_}->{$key})
: "undef");
print OUT ",\n";
}
print OUT " ";
}
print OUT "},\n";
} else {
print OUT " ", $_, " => ", quotify("perl", $config{$_}), ",\n"
}
}
print OUT <<"EOF";
);
EOF
print OUT "our %target = (\n";
foreach (sort keys %target) {
if (ref($target{$_}) eq "ARRAY") {
print OUT " ", $_, " => [ ", join(", ",
map { quotify("perl", $_) }
@{$target{$_}}), " ],\n";
} else {
print OUT " ", $_, " => ", quotify("perl", $target{$_}), ",\n"
}
}
print OUT <<"EOF";
);
EOF
print OUT "our \%available_protocols = (\n";
print OUT " tls => [ ", join(", ", map { quotify("perl", $_) } @tls), " ],\n";
print OUT " dtls => [ ", join(", ", map { quotify("perl", $_) } @dtls), " ],\n";
print OUT <<"EOF";
);
EOF
print OUT "our \@disablables = (\n";
foreach (@disablables) {
print OUT " ", quotify("perl", $_), ",\n";
}
print OUT <<"EOF";
);
EOF
print OUT "our \%disabled = (\n";
foreach (sort keys %disabled) {
print OUT " ", quotify("perl", $_), " => ", quotify("perl", $disabled{$_}), ",\n";
}
print OUT <<"EOF";
);
EOF
print OUT "our %withargs = (\n";
foreach (sort keys %withargs) {
if (ref($withargs{$_}) eq "ARRAY") {
print OUT " ", $_, " => [ ", join(", ",
map { quotify("perl", $_) }
@{$withargs{$_}}), " ],\n";
} else {
print OUT " ", $_, " => ", quotify("perl", $withargs{$_}), ",\n"
}
}
print OUT <<"EOF";
);
EOF
if ($builder eq "unified") {
my $recurse;
$recurse = sub {
my $indent = shift;
foreach (@_) {
if (ref $_ eq "ARRAY") {
print OUT " "x$indent, "[\n";
foreach (@$_) {
$recurse->($indent + 4, $_);
}
print OUT " "x$indent, "],\n";
} elsif (ref $_ eq "HASH") {
my %h = %$_;
print OUT " "x$indent, "{\n";
foreach (sort keys %h) {
if (ref $h{$_} eq "") {
print OUT " "x($indent + 4), quotify("perl", $_), " => ", quotify("perl", $h{$_}), ",\n";
} else {
print OUT " "x($indent + 4), quotify("perl", $_), " =>\n";
$recurse->($indent + 8, $h{$_});
}
}
print OUT " "x$indent, "},\n";
} else {
print OUT " "x$indent, quotify("perl", $_), ",\n";
}
}
};
print OUT "our %unified_info = (\n";
foreach (sort keys %unified_info) {
if (ref $unified_info{$_} eq "") {
print OUT " "x4, quotify("perl", $_), " => ", quotify("perl", $unified_info{$_}), ",\n";
} else {
print OUT " "x4, quotify("perl", $_), " =>\n";
$recurse->(8, $unified_info{$_});
}
}
print OUT <<"EOF";
);
EOF
}
print OUT
"# The following data is only used when this files is use as a script\n";
print OUT "my \@makevars = (\n";
foreach (sort keys %user) {
print OUT " '",$_,"',\n";
}
print OUT ");\n";
print OUT "my \%disabled_info = (\n";
foreach my $what (sort keys %disabled_info) {
print OUT " '$what' => {\n";
foreach my $info (sort keys %{$disabled_info{$what}}) {
if (ref $disabled_info{$what}->{$info} eq 'ARRAY') {
print OUT " $info => [ ",
join(', ', map { "'$_'" } @{$disabled_info{$what}->{$info}}),
" ],\n";
} else {
print OUT " $info => '", $disabled_info{$what}->{$info},
"',\n";
}
}
print OUT " },\n";
}
print OUT ");\n";
print OUT 'my @user_crossable = qw( ', join (' ', @user_crossable), " );\n";
print OUT << 'EOF';
# If run directly, we can give some answers, and even reconfigure
unless (caller) {
use Getopt::Long;
use File::Spec::Functions;
use File::Basename;
use Pod::Usage;
my $here = dirname($0);
my $dump = undef;
my $cmdline = undef;
my $options = undef;
my $target = undef;
my $envvars = undef;
my $makevars = undef;
my $buildparams = undef;
my $reconf = undef;
my $verbose = undef;
my $help = undef;
my $man = undef;
GetOptions('dump|d' => \$dump,
'command-line|c' => \$cmdline,
'options|o' => \$options,
'target|t' => \$target,
'environment|e' => \$envvars,
'make-variables|m' => \$makevars,
'build-parameters|b' => \$buildparams,
'reconfigure|reconf|r' => \$reconf,
'verbose|v' => \$verbose,
'help' => \$help,
'man' => \$man)
or die "Errors in command line arguments\n";
unless ($dump || $cmdline || $options || $target || $envvars || $makevars
|| $buildparams || $reconf || $verbose || $help || $man) {
print STDERR <<"_____";
You must give at least one option.
For more information, do '$0 --help'
_____
exit(2);
}
if ($help) {
pod2usage(-exitval => 0,
-verbose => 1);
}
if ($man) {
pod2usage(-exitval => 0,
-verbose => 2);
}
if ($dump || $cmdline) {
print "\nCommand line (with current working directory = $here):\n\n";
print ' ',join(' ',
$config{PERL},
catfile($config{sourcedir}, 'Configure'),
@{$config{perlargv}}), "\n";
print "\nPerl information:\n\n";
print ' ',$config{perl_cmd},"\n";
print ' ',$config{perl_version},' for ',$config{perl_archname},"\n";
}
if ($dump || $options) {
my $longest = 0;
my $longest2 = 0;
foreach my $what (@disablables) {
$longest = length($what) if $longest < length($what);
$longest2 = length($disabled{$what})
if $disabled{$what} && $longest2 < length($disabled{$what});
}
print "\nEnabled features:\n\n";
foreach my $what (@disablables) {
print " $what\n"
unless grep { $_ =~ /^${what}$/ } keys %disabled;
}
print "\nDisabled features:\n\n";
foreach my $what (@disablables) {
my @what2 = grep { $_ =~ /^${what}$/ } keys %disabled;
my $what3 = $what2[0];
if ($what3) {
print " $what3", ' ' x ($longest - length($what3) + 1),
"[$disabled{$what3}]", ' ' x ($longest2 - length($disabled{$what3}) + 1);
print $disabled_info{$what3}->{macro}
if $disabled_info{$what3}->{macro};
print ' (skip ',
join(', ', @{$disabled_info{$what3}->{skipped}}),
')'
if $disabled_info{$what3}->{skipped};
print "\n";
}
}
}
if ($dump || $target) {
print "\nConfig target attributes:\n\n";
foreach (sort keys %target) {
next if $_ =~ m|^_| || $_ eq 'template';
my $quotify = sub {
map { (my $x = $_) =~ s|([\\\$\@"])|\\$1|g; "\"$x\""} @_;
};
print ' ', $_, ' => ';
if (ref($target{$_}) eq "ARRAY") {
print '[ ', join(', ', $quotify->(@{$target{$_}})), " ],\n";
} else {
print $quotify->($target{$_}), ",\n"
}
}
}
if ($dump || $envvars) {
print "\nRecorded environment:\n\n";
foreach (sort keys %{$config{perlenv}}) {
print ' ',$_,' = ',($config{perlenv}->{$_} || ''),"\n";
}
}
if ($dump || $makevars) {
print "\nMakevars:\n\n";
foreach my $var (@makevars) {
my $prefix = '';
$prefix = $config{CROSS_COMPILE}
if grep { $var eq $_ } @user_crossable;
$prefix //= '';
print ' ',$var,' ' x (16 - length $var),'= ',
(ref $config{$var} eq 'ARRAY'
? join(' ', @{$config{$var}})
: $prefix.$config{$var}),
"\n"
if defined $config{$var};
}
my @buildfile = ($config{builddir}, $config{build_file});
unshift @buildfile, $here
unless file_name_is_absolute($config{builddir});
my $buildfile = canonpath(catdir(@buildfile));
print <<"_____";
NOTE: These variables only represent the configuration view. The build file
template may have processed these variables further, please have a look at the
build file for more exact data:
$buildfile
_____
}
if ($dump || $buildparams) {
my @buildfile = ($config{builddir}, $config{build_file});
unshift @buildfile, $here
unless file_name_is_absolute($config{builddir});
print "\nbuild file:\n\n";
print " ", canonpath(catfile(@buildfile)),"\n";
print "\nbuild file templates:\n\n";
foreach (@{$config{build_file_templates}}) {
my @tmpl = ($_);
unshift @tmpl, $here
unless file_name_is_absolute($config{sourcedir});
print ' ',canonpath(catfile(@tmpl)),"\n";
}
}
if ($reconf) {
if ($verbose) {
print 'Reconfiguring with: ', join(' ',@{$config{perlargv}}), "\n";
foreach (sort keys %{$config{perlenv}}) {
print ' ',$_,' = ',($config{perlenv}->{$_} || ""),"\n";
}
}
chdir $here;
exec $^X,catfile($config{sourcedir}, 'Configure'),'reconf';
}
}
1;
__END__
=head1 NAME
configdata.pm - configuration data for OpenSSL builds
=head1 SYNOPSIS
Interactive:
perl configdata.pm [options]
As data bank module:
use configdata;
=head1 DESCRIPTION
This module can be used in two modes, interactively and as a module containing
all the data recorded by OpenSSL's Configure script.
When used interactively, simply run it as any perl script, with at least one
option, and you will get the information you ask for. See L</OPTIONS> below.
When loaded as a module, you get a few databanks with useful information to
perform build related tasks. The databanks are:
%config Configured things.
%target The OpenSSL config target with all inheritances
resolved.
%disabled The features that are disabled.
@disablables The list of features that can be disabled.
%withargs All data given through --with-THING options.
%unified_info All information that was computed from the build.info
files.
=head1 OPTIONS
=over 4
=item B<--help>
Print a brief help message and exit.
=item B<--man>
Print the manual page and exit.
=item B<--dump> | B<-d>
Print all relevant configuration data. This is equivalent to B<--command-line>
B<--options> B<--target> B<--environment> B<--make-variables>
B<--build-parameters>.
=item B<--command-line> | B<-c>
Print the current configuration command line.
=item B<--options> | B<-o>
Print the features, both enabled and disabled, and display defined macro and
skipped directories where applicable.
=item B<--target> | B<-t>
Print the config attributes for this config target.
=item B<--environment> | B<-e>
Print the environment variables and their values at the time of configuration.
=item B<--make-variables> | B<-m>
Print the main make variables generated in the current configuration
=item B<--build-parameters> | B<-b>
Print the build parameters, i.e. build file and build file templates.
=item B<--reconfigure> | B<--reconf> | B<-r>
Redo the configuration.
=item B<--verbose> | B<-v>
Verbose output.
=back
=cut
EOF
close(OUT);
if ($builder_platform eq 'unix') {
my $mode = (0755 & ~umask);
chmod $mode, 'configdata.pm'
or warn sprintf("WARNING: Couldn't change mode for 'configdata.pm' to 0%03o: %s\n",$mode,$!);
}
my %builders = (
unified => sub {
print 'Creating ',$target{build_file},"\n";
run_dofile(catfile($blddir, $target{build_file}),
@{$config{build_file_templates}});
},
);
$builders{$builder}->($builder_platform, @builder_opts);
$SIG{__DIE__} = $orig_death_handler;
print <<"EOF" if ($disabled{threads} eq "unavailable");
The library could not be configured for supporting multi-threaded
applications as the compiler options required on this system are not known.
See file INSTALL for details if you need multi-threading.
EOF
print <<"EOF" if ($no_shared_warn);
The options 'shared', 'pic' and 'dynamic-engine' aren't supported on this
platform, so we will pretend you gave the option 'no-pic', which also disables
'shared' and 'dynamic-engine'. If you know how to implement shared libraries
or position independent code, please let us know (but please first make sure
you have tried with a current version of OpenSSL).
EOF
print <<"EOF";
**********************************************************************
*** ***
*** OpenSSL has been successfully configured ***
*** ***
*** If you encounter a problem while building, please open an ***
*** issue on GitHub <https://github.com/openssl/openssl/issues> ***
*** and include the output from the following command: ***
*** ***
*** perl configdata.pm --dump ***
*** ***
*** (If you are new to OpenSSL, you might want to consult the ***
*** 'Troubleshooting' section in the INSTALL file first) ***
*** ***
**********************************************************************
EOF
exit(0);
######################################################################
#
# Helpers and utility functions
#
# Death handler, to print a helpful message in case of failure #######
#
sub death_handler {
die @_ if $^S; # To prevent the added message in eval blocks
my $build_file = $target{build_file} // "build file";
my @message = ( <<"_____", @_ );
Failure! $build_file wasn't produced.
Please read INSTALL and associated NOTES files. You may also have to look over
your available compiler tool chain or change your configuration.
_____
# Dying is terminal, so it's ok to reset the signal handler here.
$SIG{__DIE__} = $orig_death_handler;
die @message;
}
# Configuration file reading #########################################
# Note: All of the helper functions are for lazy evaluation. They all
# return a CODE ref, which will return the intended value when evaluated.
# Thus, whenever there's mention of a returned value, it's about that
# intended value.
# Helper function to implement conditional inheritance depending on the
# value of $disabled{asm}. Used in inherit_from values as follows:
#
# inherit_from => [ "template", asm("asm_tmpl") ]
#
sub asm {
my @x = @_;
sub {
$disabled{asm} ? () : @x;
}
}
# Helper function to implement conditional value variants, with a default
# plus additional values based on the value of $config{build_type}.
# Arguments are given in hash table form:
#
# picker(default => "Basic string: ",
# debug => "debug",
# release => "release")
#
# When configuring with --debug, the resulting string will be
# "Basic string: debug", and when not, it will be "Basic string: release"
#
# This can be used to create variants of sets of flags according to the
# build type:
#
# cflags => picker(default => "-Wall",
# debug => "-g -O0",
# release => "-O3")
#
sub picker {
my %opts = @_;
return sub { add($opts{default} || (),
$opts{$config{build_type}} || ())->(); }
}
# Helper function to combine several values of different types into one.
# This is useful if you want to combine a string with the result of a
# lazy function, such as:
#
# cflags => combine("-Wall", sub { $disabled{zlib} ? () : "-DZLIB" })
#
sub combine {
my @stuff = @_;
return sub { add(@stuff)->(); }
}
# Helper function to implement conditional values depending on the value
# of $disabled{threads}. Can be used as follows:
#
# cflags => combine("-Wall", threads("-pthread"))
#
sub threads {
my @flags = @_;
return sub { add($disabled{threads} ? () : @flags)->(); }
}
sub shared {
my @flags = @_;
return sub { add($disabled{shared} ? () : @flags)->(); }
}
our $add_called = 0;
# Helper function to implement adding values to already existing configuration
# values. It handles elements that are ARRAYs, CODEs and scalars
sub _add {
my $separator = shift;
# If there's any ARRAY in the collection of values OR the separator
# is undef, we will return an ARRAY of combined values, otherwise a
# string of joined values with $separator as the separator.
my $found_array = !defined($separator);
my @values =
map {
my $res = $_;
while (ref($res) eq "CODE") {
$res = $res->();
}
if (defined($res)) {
if (ref($res) eq "ARRAY") {
$found_array = 1;
@$res;
} else {
$res;
}
} else {
();
}
} (@_);
$add_called = 1;
if ($found_array) {
[ @values ];
} else {
join($separator, grep { defined($_) && $_ ne "" } @values);
}
}
sub add_before {
my $separator = " ";
if (ref($_[$#_]) eq "HASH") {
my $opts = pop;
$separator = $opts->{separator};
}
my @x = @_;
sub { _add($separator, @x, @_) };
}
sub add {
my $separator = " ";
if (ref($_[$#_]) eq "HASH") {
my $opts = pop;
$separator = $opts->{separator};
}
my @x = @_;
sub { _add($separator, @_, @x) };
}
sub read_eval_file {
my $fname = shift;
my $content;
my @result;
open F, "< $fname" or die "Can't open '$fname': $!\n";
{
undef local $/;
$content = <F>;
}
close F;
{
local $@;
@result = ( eval $content );
warn $@ if $@;
}
return wantarray ? @result : $result[0];
}
# configuration reader, evaluates the input file as a perl script and expects
# it to fill %targets with target configurations. Those are then added to
# %table.
sub read_config {
my $fname = shift;
my %targets;
{
# Protect certain tables from tampering
local %table = ();
%targets = read_eval_file($fname);
}
my %preexisting = ();
foreach (sort keys %targets) {
$preexisting{$_} = 1 if $table{$_};
}
die <<"EOF",
The following config targets from $fname
shadow pre-existing config targets with the same name:
EOF
map { " $_\n" } sort keys %preexisting
if %preexisting;
# For each target, check that it's configured with a hash table.
foreach (keys %targets) {
if (ref($targets{$_}) ne "HASH") {
if (ref($targets{$_}) eq "") {
warn "Deprecated target configuration for $_, ignoring...\n";
} else {
warn "Misconfigured target configuration for $_ (should be a hash table), ignoring...\n";
}
delete $targets{$_};
} else {
$targets{$_}->{_conf_fname_int} = add([ $fname ]);
}
}
%table = (%table, %targets);
}
# configuration resolver. Will only resolve all the lazy evaluation
# codeblocks for the chosen target and all those it inherits from,
# recursively
sub resolve_config {
my $target = shift;
my @breadcrumbs = @_;
# my $extra_checks = defined($ENV{CONFIGURE_EXTRA_CHECKS});
if (grep { $_ eq $target } @breadcrumbs) {
die "inherit_from loop! target backtrace:\n "
,$target,"\n ",join("\n ", @breadcrumbs),"\n";
}
if (!defined($table{$target})) {
warn "Warning! target $target doesn't exist!\n";
return ();
}
# Recurse through all inheritances. They will be resolved on the
# fly, so when this operation is done, they will all just be a
# bunch of attributes with string values.
# What we get here, though, are keys with references to lists of
# the combined values of them all. We will deal with lists after
# this stage is done.
my %combined_inheritance = ();
if ($table{$target}->{inherit_from}) {
my @inherit_from =
map { ref($_) eq "CODE" ? $_->() : $_ } @{$table{$target}->{inherit_from}};
foreach (@inherit_from) {
my %inherited_config = resolve_config($_, $target, @breadcrumbs);
# 'template' is a marker that's considered private to
# the config that had it.
delete $inherited_config{template};
foreach (keys %inherited_config) {
if (!$combined_inheritance{$_}) {
$combined_inheritance{$_} = [];
}
push @{$combined_inheritance{$_}}, $inherited_config{$_};
}
}
}
# We won't need inherit_from in this target any more, since we've
# resolved all the inheritances that lead to this
delete $table{$target}->{inherit_from};
# Now is the time to deal with those lists. Here's the place to
# decide what shall be done with those lists, all based on the
# values of the target we're currently dealing with.
# - If a value is a coderef, it will be executed with the list of
# inherited values as arguments.
# - If the corresponding key doesn't have a value at all or is the
# empty string, the inherited value list will be run through the
# default combiner (below), and the result becomes this target's
# value.
# - Otherwise, this target's value is assumed to be a string that
# will simply override the inherited list of values.
my $default_combiner = add();
my %all_keys =
map { $_ => 1 } (keys %combined_inheritance,
keys %{$table{$target}});
sub process_values {
my $object = shift;
my $inherited = shift; # Always a [ list ]
my $target = shift;
my $entry = shift;
$add_called = 0;
while(ref($object) eq "CODE") {
$object = $object->(@$inherited);
}
if (!defined($object)) {
return ();
}
elsif (ref($object) eq "ARRAY") {
local $add_called; # To make sure recursive calls don't affect it
return [ map { process_values($_, $inherited, $target, $entry) }
@$object ];
} elsif (ref($object) eq "") {
return $object;
} else {
die "cannot handle reference type ",ref($object)
," found in target ",$target," -> ",$entry,"\n";
}
}
- foreach (sort keys %all_keys) {
- my $previous = $combined_inheritance{$_};
+ foreach my $key (sort keys %all_keys) {
+ my $previous = $combined_inheritance{$key};
# Current target doesn't have a value for the current key?
# Assign it the default combiner, the rest of this loop body
# will handle it just like any other coderef.
- if (!exists $table{$target}->{$_}) {
- $table{$target}->{$_} = $default_combiner;
+ if (!exists $table{$target}->{$key}) {
+ $table{$target}->{$key} = $default_combiner;
}
- $table{$target}->{$_} = process_values($table{$target}->{$_},
- $combined_inheritance{$_},
- $target, $_);
- unless(defined($table{$target}->{$_})) {
- delete $table{$target}->{$_};
+ $table{$target}->{$key} = process_values($table{$target}->{$key},
+ $combined_inheritance{$key},
+ $target, $key);
+ unless(defined($table{$target}->{$key})) {
+ delete $table{$target}->{$key};
}
# if ($extra_checks &&
-# $previous && !($add_called || $previous ~~ $table{$target}->{$_})) {
-# warn "$_ got replaced in $target\n";
+# $previous && !($add_called || $previous ~~ $table{$target}->{$key})) {
+# warn "$key got replaced in $target\n";
# }
}
# Finally done, return the result.
return %{$table{$target}};
}
sub usage
{
print STDERR $usage;
print STDERR "\npick os/compiler from:\n";
my $j=0;
my $i;
my $k=0;
foreach $i (sort keys %table)
{
next if $table{$i}->{template};
next if $i =~ /^debug/;
$k += length($i) + 1;
if ($k > 78)
{
print STDERR "\n";
$k=length($i);
}
print STDERR $i . " ";
}
foreach $i (sort keys %table)
{
next if $table{$i}->{template};
next if $i !~ /^debug/;
$k += length($i) + 1;
if ($k > 78)
{
print STDERR "\n";
$k=length($i);
}
print STDERR $i . " ";
}
print STDERR "\n\nNOTE: If in doubt, on Unix-ish systems use './config'.\n";
exit(1);
}
sub run_dofile
{
my $out = shift;
my @templates = @_;
unlink $out || warn "Can't remove $out, $!"
if -f $out;
foreach (@templates) {
die "Can't open $_, $!" unless -f $_;
}
my $perlcmd = (quotify("maybeshell", $config{PERL}))[0];
my $cmd = "$perlcmd \"-I.\" \"-Mconfigdata\" \"$dofile\" -o\"Configure\" \"".join("\" \"",@templates)."\" > \"$out.new\"";
#print STDERR "DEBUG[run_dofile]: \$cmd = $cmd\n";
system($cmd);
exit 1 if $? != 0;
rename("$out.new", $out) || die "Can't rename $out.new, $!";
}
sub compiler_predefined {
state %predefined;
my $cc = shift;
return () if $^O eq 'VMS';
die 'compiler_predefined called without a compiler command'
unless $cc;
if (! $predefined{$cc}) {
$predefined{$cc} = {};
# collect compiler pre-defines from gcc or gcc-alike...
open(PIPE, "$cc -dM -E -x c /dev/null 2>&1 |");
while (my $l = <PIPE>) {
$l =~ m/^#define\s+(\w+(?:\(\w+\))?)(?:\s+(.+))?/ or last;
$predefined{$cc}->{$1} = $2 // '';
}
close(PIPE);
}
return %{$predefined{$cc}};
}
sub which
{
my ($name)=@_;
if (eval { require IPC::Cmd; 1; }) {
IPC::Cmd->import();
return scalar IPC::Cmd::can_run($name);
} else {
# if there is $directories component in splitpath,
# then it's not something to test with $PATH...
return $name if (File::Spec->splitpath($name))[1];
foreach (File::Spec->path()) {
my $fullpath = catfile($_, "$name$target{exe_extension}");
if (-f $fullpath and -x $fullpath) {
return $fullpath;
}
}
}
}
sub env
{
my $name = shift;
my %opts = @_;
unless ($opts{cacheonly}) {
# Note that if $ENV{$name} doesn't exist or is undefined,
# $config{perlenv}->{$name} will be created with the value
# undef. This is intentional.
$config{perlenv}->{$name} = $ENV{$name}
if ! exists $config{perlenv}->{$name};
}
return $config{perlenv}->{$name};
}
# Configuration printer ##############################################
sub print_table_entry
{
local $now_printing = shift;
my %target = resolve_config($now_printing);
my $type = shift;
# Don't print the templates
return if $target{template};
my @sequence = (
"sys_id",
"cpp",
"cppflags",
"defines",
"includes",
"cc",
"cflags",
"unistd",
"ld",
"lflags",
"loutflag",
"ex_libs",
"bn_ops",
"apps_aux_src",
"cpuid_asm_src",
"uplink_aux_src",
"bn_asm_src",
"ec_asm_src",
"des_asm_src",
"aes_asm_src",
"bf_asm_src",
"md5_asm_src",
"cast_asm_src",
"sha1_asm_src",
"rc4_asm_src",
"rmd160_asm_src",
"rc5_asm_src",
"wp_asm_src",
"cmll_asm_src",
"modes_asm_src",
"padlock_asm_src",
"chacha_asm_src",
"poly1035_asm_src",
"thread_scheme",
"perlasm_scheme",
"dso_scheme",
"shared_target",
"shared_cflag",
"shared_defines",
"shared_ldflag",
"shared_rcflag",
"shared_extension",
"dso_extension",
"obj_extension",
"exe_extension",
"ranlib",
"ar",
"arflags",
"aroutflag",
"rc",
"rcflags",
"rcoutflag",
"mt",
"mtflags",
"mtinflag",
"mtoutflag",
"multilib",
"build_scheme",
);
if ($type eq "TABLE") {
print "\n";
print "*** $now_printing\n";
foreach (@sequence) {
if (ref($target{$_}) eq "ARRAY") {
printf "\$%-12s = %s\n", $_, join(" ", @{$target{$_}});
} else {
printf "\$%-12s = %s\n", $_, $target{$_};
}
}
} elsif ($type eq "HASH") {
my $largest =
length((sort { length($a) <=> length($b) } @sequence)[-1]);
print " '$now_printing' => {\n";
foreach (@sequence) {
if ($target{$_}) {
if (ref($target{$_}) eq "ARRAY") {
print " '",$_,"'"," " x ($largest - length($_))," => [ ",join(", ", map { "'$_'" } @{$target{$_}})," ],\n";
} else {
print " '",$_,"'"," " x ($largest - length($_))," => '",$target{$_},"',\n";
}
}
}
print " },\n";
}
}
# Utility routines ###################################################
# On VMS, if the given file is a logical name, File::Spec::Functions
# will consider it an absolute path. There are cases when we want a
# purely syntactic check without checking the environment.
sub isabsolute {
my $file = shift;
# On non-platforms, we just use file_name_is_absolute().
return file_name_is_absolute($file) unless $^O eq "VMS";
# If the file spec includes a device or a directory spec,
# file_name_is_absolute() is perfectly safe.
return file_name_is_absolute($file) if $file =~ m|[:\[]|;
# Here, we know the given file spec isn't absolute
return 0;
}
# Makes a directory absolute and cleans out /../ in paths like foo/../bar
# On some platforms, this uses rel2abs(), while on others, realpath() is used.
# realpath() requires that at least all path components except the last is an
# existing directory. On VMS, the last component of the directory spec must
# exist.
sub absolutedir {
my $dir = shift;
# realpath() is quite buggy on VMS. It uses LIB$FID_TO_NAME, which
# will return the volume name for the device, no matter what. Also,
# it will return an incorrect directory spec if the argument is a
# directory that doesn't exist.
if ($^O eq "VMS") {
return rel2abs($dir);
}
# We use realpath() on Unix, since no other will properly clean out
# a directory spec.
use Cwd qw/realpath/;
return realpath($dir);
}
# Check if all paths are one and the same, using stat. They must both exist
# We need this for the cases when File::Spec doesn't detect case insensitivity
# (File::Spec::Unix assumes case sensitivity)
sub samedir {
die "samedir expects two arguments\n" unless scalar @_ == 2;
my @stat0 = stat($_[0]); # First argument
my @stat1 = stat($_[1]); # Second argument
die "Couldn't stat $_[0]" unless @stat0;
die "Couldn't stat $_[1]" unless @stat1;
# Compare device number
return 0 unless ($stat0[0] == $stat1[0]);
# Compare "inode". The perl manual recommends comparing as
# string rather than as number.
return 0 unless ($stat0[1] eq $stat1[1]);
return 1; # All the same
}
sub quotify {
my %processors = (
perl => sub { my $x = shift;
$x =~ s/([\\\$\@"])/\\$1/g;
return '"'.$x.'"'; },
maybeshell => sub { my $x = shift;
(my $y = $x) =~ s/([\\\"])/\\$1/g;
if ($x ne $y || $x =~ m|\s|) {
return '"'.$y.'"';
} else {
return $x;
}
},
);
my $for = shift;
my $processor =
defined($processors{$for}) ? $processors{$for} : sub { shift; };
return map { $processor->($_); } @_;
}
# collect_from_file($filename, $line_concat_cond_re, $line_concat)
# $filename is a file name to read from
# $line_concat_cond_re is a regexp detecting a line continuation ending
# $line_concat is a CODEref that takes care of concatenating two lines
sub collect_from_file {
my $filename = shift;
my $line_concat_cond_re = shift;
my $line_concat = shift;
open my $fh, $filename || die "unable to read $filename: $!\n";
return sub {
my $saved_line = "";
$_ = "";
while (<$fh>) {
s|\R$||;
if (defined $line_concat) {
$_ = $line_concat->($saved_line, $_);
$saved_line = "";
}
if (defined $line_concat_cond_re && /$line_concat_cond_re/) {
$saved_line = $_;
next;
}
return $_;
}
die "$filename ending with continuation line\n" if $_;
close $fh;
return undef;
}
}
# collect_from_array($array, $line_concat_cond_re, $line_concat)
# $array is an ARRAYref of lines
# $line_concat_cond_re is a regexp detecting a line continuation ending
# $line_concat is a CODEref that takes care of concatenating two lines
sub collect_from_array {
my $array = shift;
my $line_concat_cond_re = shift;
my $line_concat = shift;
my @array = (@$array);
return sub {
my $saved_line = "";
$_ = "";
while (defined($_ = shift @array)) {
s|\R$||;
if (defined $line_concat) {
$_ = $line_concat->($saved_line, $_);
$saved_line = "";
}
if (defined $line_concat_cond_re && /$line_concat_cond_re/) {
$saved_line = $_;
next;
}
return $_;
}
die "input text ending with continuation line\n" if $_;
return undef;
}
}
# collect_information($lineiterator, $line_continue, $regexp => $CODEref, ...)
# $lineiterator is a CODEref that delivers one line at a time.
# All following arguments are regex/CODEref pairs, where the regexp detects a
# line and the CODEref does something with the result of the regexp.
sub collect_information {
my $lineiterator = shift;
my %collectors = @_;
while(defined($_ = $lineiterator->())) {
s|\R$||;
my $found = 0;
if ($collectors{"BEFORE"}) {
$collectors{"BEFORE"}->($_);
}
foreach my $re (keys %collectors) {
if ($re !~ /^OTHERWISE|BEFORE|AFTER$/ && /$re/) {
$collectors{$re}->($lineiterator);
$found = 1;
};
}
if ($collectors{"OTHERWISE"}) {
$collectors{"OTHERWISE"}->($lineiterator, $_)
unless $found || !defined $collectors{"OTHERWISE"};
}
if ($collectors{"AFTER"}) {
$collectors{"AFTER"}->($_);
}
}
}
# tokenize($line)
# $line is a line of text to split up into tokens
# returns a list of tokens
#
# Tokens are divided by spaces. If the tokens include spaces, they
# have to be quoted with single or double quotes. Double quotes
# inside a double quoted token must be escaped. Escaping is done
# with backslash.
# Basically, the same quoting rules apply for " and ' as in any
# Unix shell.
sub tokenize {
my $line = my $debug_line = shift;
my @result = ();
while ($line =~ s|^\s+||, $line ne "") {
my $token = "";
while ($line ne "" && $line !~ m|^\s|) {
if ($line =~ m/^"((?:[^"\\]+|\\.)*)"/) {
$token .= $1;
$line = $';
} elsif ($line =~ m/^'([^']*)'/) {
$token .= $1;
$line = $';
} elsif ($line =~ m/^(\S+)/) {
$token .= $1;
$line = $';
}
}
push @result, $token;
}
if ($ENV{CONFIGURE_DEBUG_TOKENIZE}) {
print STDERR "DEBUG[tokenize]: Parsed '$debug_line' into:\n";
print STDERR "DEBUG[tokenize]: ('", join("', '", @result), "')\n";
}
return @result;
}
diff --git a/crypto/openssl/NEWS b/crypto/openssl/NEWS
index 0769464fefa2..f4ac262888ad 100644
--- a/crypto/openssl/NEWS
+++ b/crypto/openssl/NEWS
@@ -1,1007 +1,1012 @@
NEWS
====
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [15 Mar 2022]
+
+ o Fixed a bug in the BN_mod_sqrt() function that can cause it to loop
+ forever for non-prime moduli ([CVE-2022-0778])
+
Major changes between OpenSSL 1.1.1l and OpenSSL 1.1.1m [14 Dec 2021]
o None
Major changes between OpenSSL 1.1.1k and OpenSSL 1.1.1l [24 Aug 2021]
o Fixed an SM2 Decryption Buffer Overflow (CVE-2021-3711)
o Fixed various read buffer overruns processing ASN.1 strings (CVE-2021-3712)
Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [25 Mar 2021]
o Fixed a problem with verifying a certificate chain when using the
X509_V_FLAG_X509_STRICT flag (CVE-2021-3450)
o Fixed an issue where an OpenSSL TLS server may crash if sent a
maliciously crafted renegotiation ClientHello message from a client
(CVE-2021-3449)
Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021]
o Fixed a NULL pointer deref in the X509_issuer_and_serial_hash()
function (CVE-2021-23841)
o Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
padding mode to correctly check for rollback attacks
o Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and
EVP_DecryptUpdate functions (CVE-2021-23840)
o Fixed SRP_Calc_client_key so that it runs in constant time
Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020]
o Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971)
Major changes between OpenSSL 1.1.1g and OpenSSL 1.1.1h [22 Sep 2020]
o Disallow explicit curve parameters in verifications chains when
X509_V_FLAG_X509_STRICT is used
o Enable 'MinProtocol' and 'MaxProtocol' to configure both TLS and DTLS
contexts
o Oracle Developer Studio will start reporting deprecation warnings
Major changes between OpenSSL 1.1.1f and OpenSSL 1.1.1g [21 Apr 2020]
o Fixed segmentation fault in SSL_check_chain() (CVE-2020-1967)
Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [31 Mar 2020]
o Revert the unexpected EOF reporting via SSL_ERROR_SSL
Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020]
o Fixed an overflow bug in the x64_64 Montgomery squaring procedure
used in exponentiation with 512-bit moduli (CVE-2019-1551)
o Properly detect unexpected EOF while reading in libssl and report
it via SSL_ERROR_SSL
Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [10 Sep 2019]
o Fixed a fork protection issue (CVE-2019-1549)
o Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
(CVE-2019-1563)
o For built-in EC curves, ensure an EC_GROUP built from the curve name is
used even when parsing explicit parameters
o Compute ECC cofactors if not provided during EC_GROUP construction
(CVE-2019-1547)
o Early start up entropy quality from the DEVRANDOM seed source has been
improved for older Linux systems
o Correct the extended master secret constant on EBCDIC systems
o Use Windows installation paths in the mingw builds (CVE-2019-1552)
o Changed DH_check to accept parameters with order q and 2q subgroups
o Significantly reduce secure memory usage by the randomness pools
o Revert the DEVRANDOM_WAIT feature for Linux systems
Major changes between OpenSSL 1.1.1b and OpenSSL 1.1.1c [28 May 2019]
o Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543)
Major changes between OpenSSL 1.1.1a and OpenSSL 1.1.1b [26 Feb 2019]
o Change the info callback signals for the start and end of a post-handshake
message exchange in TLSv1.3.
o Fix a bug in DTLS over SCTP. This breaks interoperability with older versions
of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2.
Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018]
o Timing vulnerability in DSA signature generation (CVE-2018-0734)
o Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.1 [11 Sep 2018]
o Support for TLSv1.3 added (see https://wiki.openssl.org/index.php/TLS1.3
for further important information). The TLSv1.3 implementation includes:
o Fully compliant implementation of RFC8446 (TLSv1.3) on by default
o Early data (0-RTT)
o Post-handshake authentication and key update
o Middlebox Compatibility Mode
o TLSv1.3 PSKs
o Support for all five RFC8446 ciphersuites
o RSA-PSS signature algorithms (backported to TLSv1.2)
o Configurable session ticket support
o Stateless server support
o Rewrite of the packet construction code for "safer" packet handling
o Rewrite of the extension handling code
o Complete rewrite of the OpenSSL random number generator to introduce the
following capabilities
o The default RAND method now utilizes an AES-CTR DRBG according to
NIST standard SP 800-90Ar1.
o Support for multiple DRBG instances with seed chaining.
o There is a public and private DRBG instance.
o The DRBG instances are fork-safe.
o Keep all global DRBG instances on the secure heap if it is enabled.
o The public and private DRBG instance are per thread for lock free
operation
o Support for various new cryptographic algorithms including:
o SHA3
o SHA512/224 and SHA512/256
o EdDSA (both Ed25519 and Ed448) including X509 and TLS support
o X448 (adding to the existing X25519 support in 1.1.0)
o Multi-prime RSA
o SM2
o SM3
o SM4
o SipHash
o ARIA (including TLS support)
o Significant Side-Channel attack security improvements
o Add a new ClientHello callback to provide the ability to adjust the SSL
object at an early stage.
o Add 'Maximum Fragment Length' TLS extension negotiation and support
o A new STORE module, which implements a uniform and URI based reader of
stores that can contain keys, certificates, CRLs and numerous other
objects.
o Move the display of configuration data to configdata.pm.
o Allow GNU style "make variables" to be used with Configure.
o Claim the namespaces OSSL and OPENSSL, represented as symbol prefixes
o Rewrite of devcrypto engine
Major changes between OpenSSL 1.1.0h and OpenSSL 1.1.0i [under development]
o Client DoS due to large DH parameter (CVE-2018-0732)
o Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
Major changes between OpenSSL 1.1.0g and OpenSSL 1.1.0h [under development]
o Constructed ASN.1 types with a recursive definition could exceed the
stack (CVE-2018-0739)
o Incorrect CRYPTO_memcmp on HP-UX PA-RISC (CVE-2018-0733)
o rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
Major changes between OpenSSL 1.1.0f and OpenSSL 1.1.0g [2 Nov 2017]
o bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
o Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)
Major changes between OpenSSL 1.1.0e and OpenSSL 1.1.0f [25 May 2017]
o config now recognises 64-bit mingw and chooses mingw64 instead of mingw
Major changes between OpenSSL 1.1.0d and OpenSSL 1.1.0e [16 Feb 2017]
o Encrypt-Then-Mac renegotiation crash (CVE-2017-3733)
Major changes between OpenSSL 1.1.0c and OpenSSL 1.1.0d [26 Jan 2017]
o Truncated packet could crash via OOB read (CVE-2017-3731)
o Bad (EC)DHE parameters cause a client crash (CVE-2017-3730)
o BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
Major changes between OpenSSL 1.1.0b and OpenSSL 1.1.0c [10 Nov 2016]
o ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054)
o CMS Null dereference (CVE-2016-7053)
o Montgomery multiplication may produce incorrect results (CVE-2016-7055)
Major changes between OpenSSL 1.1.0a and OpenSSL 1.1.0b [26 Sep 2016]
o Fix Use After Free for large message sizes (CVE-2016-6309)
Major changes between OpenSSL 1.1.0 and OpenSSL 1.1.0a [22 Sep 2016]
o OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
o SSL_peek() hang on empty record (CVE-2016-6305)
o Excessive allocation of memory in tls_get_message_header()
(CVE-2016-6307)
o Excessive allocation of memory in dtls1_preprocess_fragment()
(CVE-2016-6308)
Major changes between OpenSSL 1.0.2h and OpenSSL 1.1.0 [25 Aug 2016]
o Copyright text was shrunk to a boilerplate that points to the license
o "shared" builds are now the default when possible
o Added support for "pipelining"
o Added the AFALG engine
o New threading API implemented
o Support for ChaCha20 and Poly1305 added to libcrypto and libssl
o Support for extended master secret
o CCM ciphersuites
o Reworked test suite, now based on perl, Test::Harness and Test::More
o *Most* libcrypto and libssl public structures were made opaque,
including:
BIGNUM and associated types, EC_KEY and EC_KEY_METHOD,
DH and DH_METHOD, DSA and DSA_METHOD, RSA and RSA_METHOD,
BIO and BIO_METHOD, EVP_MD_CTX, EVP_MD, EVP_CIPHER_CTX,
EVP_CIPHER, EVP_PKEY and associated types, HMAC_CTX,
X509, X509_CRL, X509_OBJECT, X509_STORE_CTX, X509_STORE,
X509_LOOKUP, X509_LOOKUP_METHOD
o libssl internal structures made opaque
o SSLv2 support removed
o Kerberos ciphersuite support removed
o RC4 removed from DEFAULT ciphersuites in libssl
o 40 and 56 bit cipher support removed from libssl
o All public header files moved to include/openssl, no more symlinking
o SSL/TLS state machine, version negotiation and record layer rewritten
o EC revision: now operations use new EC_KEY_METHOD.
o Support for OCB mode added to libcrypto
o Support for asynchronous crypto operations added to libcrypto and libssl
o Deprecated interfaces can now be disabled at build time either
relative to the latest release via the "no-deprecated" Configure
argument, or via the "--api=1.1.0|1.0.0|0.9.8" option.
o Application software can be compiled with -DOPENSSL_API_COMPAT=version
to ensure that features deprecated in that version are not exposed.
o Support for RFC6698/RFC7671 DANE TLSA peer authentication
o Change of Configure to use --prefix as the main installation
directory location rather than --openssldir. The latter becomes
the directory for certs, private key and openssl.cnf exclusively.
o Reworked BIO networking library, with full support for IPv6.
o New "unified" build system
o New security levels
o Support for scrypt algorithm
o Support for X25519
o Extended SSL_CONF support using configuration files
o KDF algorithm support. Implement TLS PRF as a KDF.
o Support for Certificate Transparency
o HKDF support.
Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016]
o Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
o Fix EVP_EncodeUpdate overflow (CVE-2016-2105)
o Fix EVP_EncryptUpdate overflow (CVE-2016-2106)
o Prevent ASN.1 BIO excessive memory allocation (CVE-2016-2109)
o EBCDIC overread (CVE-2016-2176)
o Modify behavior of ALPN to invoke callback after SNI/servername
callback, such that updates to the SSL_CTX affect ALPN.
o Remove LOW from the DEFAULT cipher list. This removes singles DES from
the default.
o Only remove the SSLv2 methods with the no-ssl2-method option.
Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016]
o Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
o Disable SSLv2 default build, default negotiation and weak ciphers
(CVE-2016-0800)
o Fix a double-free in DSA code (CVE-2016-0705)
o Disable SRP fake user seed to address a server memory leak
(CVE-2016-0798)
o Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
(CVE-2016-0797)
o Fix memory issues in BIO_*printf functions (CVE-2016-0799)
o Fix side channel attack on modular exponentiation (CVE-2016-0702)
Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016]
o DH small subgroups (CVE-2016-0701)
o SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015]
o BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
o Certificate verify crash with missing PSS parameter (CVE-2015-3194)
o X509_ATTRIBUTE memory leak (CVE-2015-3195)
o Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs
o In DSA_generate_parameters_ex, if the provided seed is too short,
return an error
Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [9 Jul 2015]
o Alternate chains certificate forgery (CVE-2015-1793)
o Race condition handling PSK identify hint (CVE-2015-3196)
Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015]
o Fix HMAC ABI incompatibility
Major changes between OpenSSL 1.0.2a and OpenSSL 1.0.2b [11 Jun 2015]
o Malformed ECParameters causes infinite loop (CVE-2015-1788)
o Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
o PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
o CMS verify infinite loop with unknown hash function (CVE-2015-1792)
o Race condition handling NewSessionTicket (CVE-2015-1791)
Major changes between OpenSSL 1.0.2 and OpenSSL 1.0.2a [19 Mar 2015]
o OpenSSL 1.0.2 ClientHello sigalgs DoS fix (CVE-2015-0291)
o Multiblock corrupted pointer fix (CVE-2015-0290)
o Segmentation fault in DTLSv1_listen fix (CVE-2015-0207)
o Segmentation fault in ASN1_TYPE_cmp fix (CVE-2015-0286)
o Segmentation fault for invalid PSS parameters fix (CVE-2015-0208)
o ASN.1 structure reuse memory corruption fix (CVE-2015-0287)
o PKCS7 NULL pointer dereferences fix (CVE-2015-0289)
o DoS via reachable assert in SSLv2 servers fix (CVE-2015-0293)
o Empty CKE with client auth and DHE fix (CVE-2015-1787)
o Handshake with unseeded PRNG fix (CVE-2015-0285)
o Use After Free following d2i_ECPrivatekey error fix (CVE-2015-0209)
o X509_to_X509_REQ NULL pointer deref fix (CVE-2015-0288)
o Removed the export ciphers from the DEFAULT ciphers
Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.2 [22 Jan 2015]:
o Suite B support for TLS 1.2 and DTLS 1.2
o Support for DTLS 1.2
o TLS automatic EC curve selection.
o API to set TLS supported signature algorithms and curves
o SSL_CONF configuration API.
o TLS Brainpool support.
o ALPN support.
o CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.
Major changes between OpenSSL 1.0.1k and OpenSSL 1.0.1l [15 Jan 2015]
o Build fixes for the Windows and OpenVMS platforms
Major changes between OpenSSL 1.0.1j and OpenSSL 1.0.1k [8 Jan 2015]
o Fix for CVE-2014-3571
o Fix for CVE-2015-0206
o Fix for CVE-2014-3569
o Fix for CVE-2014-3572
o Fix for CVE-2015-0204
o Fix for CVE-2015-0205
o Fix for CVE-2014-8275
o Fix for CVE-2014-3570
Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014]
o Fix for CVE-2014-3513
o Fix for CVE-2014-3567
o Mitigation for CVE-2014-3566 (SSL protocol vulnerability)
o Fix for CVE-2014-3568
Major changes between OpenSSL 1.0.1h and OpenSSL 1.0.1i [6 Aug 2014]
o Fix for CVE-2014-3512
o Fix for CVE-2014-3511
o Fix for CVE-2014-3510
o Fix for CVE-2014-3507
o Fix for CVE-2014-3506
o Fix for CVE-2014-3505
o Fix for CVE-2014-3509
o Fix for CVE-2014-5139
o Fix for CVE-2014-3508
Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014]
o Fix for CVE-2014-0224
o Fix for CVE-2014-0221
o Fix for CVE-2014-0198
o Fix for CVE-2014-0195
o Fix for CVE-2014-3470
o Fix for CVE-2010-5298
Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014]
o Fix for CVE-2014-0160
o Add TLS padding extension workaround for broken servers.
o Fix for CVE-2014-0076
Major changes between OpenSSL 1.0.1e and OpenSSL 1.0.1f [6 Jan 2014]
o Don't include gmt_unix_time in TLS server and client random values
o Fix for TLS record tampering bug CVE-2013-4353
o Fix for TLS version checking bug CVE-2013-6449
o Fix for DTLS retransmission bug CVE-2013-6450
Major changes between OpenSSL 1.0.1d and OpenSSL 1.0.1e [11 Feb 2013]:
o Corrected fix for CVE-2013-0169
Major changes between OpenSSL 1.0.1c and OpenSSL 1.0.1d [4 Feb 2013]:
o Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version.
o Include the fips configuration module.
o Fix OCSP bad key DoS attack CVE-2013-0166
o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
o Fix for TLS AESNI record handling flaw CVE-2012-2686
Major changes between OpenSSL 1.0.1b and OpenSSL 1.0.1c [10 May 2012]:
o Fix TLS/DTLS record length checking bug CVE-2012-2333
o Don't attempt to use non-FIPS composite ciphers in FIPS mode.
Major changes between OpenSSL 1.0.1a and OpenSSL 1.0.1b [26 Apr 2012]:
o Fix compilation error on non-x86 platforms.
o Make FIPS capable OpenSSL ciphers work in non-FIPS mode.
o Fix SSL_OP_NO_TLSv1_1 clash with SSL_OP_ALL in OpenSSL 1.0.0
Major changes between OpenSSL 1.0.1 and OpenSSL 1.0.1a [19 Apr 2012]:
o Fix for ASN1 overflow bug CVE-2012-2110
o Workarounds for some servers that hang on long client hellos.
o Fix SEGV in AES code.
Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]:
o TLS/DTLS heartbeat support.
o SCTP support.
o RFC 5705 TLS key material exporter.
o RFC 5764 DTLS-SRTP negotiation.
o Next Protocol Negotiation.
o PSS signatures in certificates, requests and CRLs.
o Support for password based recipient info for CMS.
o Support TLS v1.2 and TLS v1.1.
o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
o SRP support.
Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h [12 Mar 2012]:
o Fix for CMS/PKCS#7 MMA CVE-2012-0884
o Corrected fix for CVE-2011-4619
o Various DTLS fixes.
Major changes between OpenSSL 1.0.0f and OpenSSL 1.0.0g [18 Jan 2012]:
o Fix for DTLS DoS issue CVE-2012-0050
Major changes between OpenSSL 1.0.0e and OpenSSL 1.0.0f [4 Jan 2012]:
o Fix for DTLS plaintext recovery attack CVE-2011-4108
o Clear block padding bytes of SSL 3.0 records CVE-2011-4576
o Only allow one SGC handshake restart for SSL/TLS CVE-2011-4619
o Check parameters are not NULL in GOST ENGINE CVE-2012-0027
o Check for malformed RFC3779 data CVE-2011-4577
Major changes between OpenSSL 1.0.0d and OpenSSL 1.0.0e [6 Sep 2011]:
o Fix for CRL vulnerability issue CVE-2011-3207
o Fix for ECDH crashes CVE-2011-3210
o Protection against EC timing attacks.
o Support ECDH ciphersuites for certificates using SHA2 algorithms.
o Various DTLS fixes.
Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d [8 Feb 2011]:
o Fix for security issue CVE-2011-0014
Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c [2 Dec 2010]:
o Fix for security issue CVE-2010-4180
o Fix for CVE-2010-4252
o Fix mishandling of absent EC point format extension.
o Fix various platform compilation issues.
o Corrected fix for security issue CVE-2010-3864.
Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b [16 Nov 2010]:
o Fix for security issue CVE-2010-3864.
o Fix for CVE-2010-2939
o Fix WIN32 build system for GOST ENGINE.
Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a [1 Jun 2010]:
o Fix for security issue CVE-2010-1633.
o GOST MAC and CFB fixes.
Major changes between OpenSSL 0.9.8n and OpenSSL 1.0.0 [29 Mar 2010]:
o RFC3280 path validation: sufficient to process PKITS tests.
o Integrated support for PVK files and keyblobs.
o Change default private key format to PKCS#8.
o CMS support: able to process all examples in RFC4134
o Streaming ASN1 encode support for PKCS#7 and CMS.
o Multiple signer and signer add support for PKCS#7 and CMS.
o ASN1 printing support.
o Whirlpool hash algorithm added.
o RFC3161 time stamp support.
o New generalised public key API supporting ENGINE based algorithms.
o New generalised public key API utilities.
o New ENGINE supporting GOST algorithms.
o SSL/TLS GOST ciphersuite support.
o PKCS#7 and CMS GOST support.
o RFC4279 PSK ciphersuite support.
o Supported points format extension for ECC ciphersuites.
o ecdsa-with-SHA224/256/384/512 signature types.
o dsa-with-SHA224 and dsa-with-SHA256 signature types.
o Opaque PRF Input TLS extension support.
o Updated time routines to avoid OS limitations.
Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n [24 Mar 2010]:
o CFB cipher definition fixes.
o Fix security issues CVE-2010-0740 and CVE-2010-0433.
Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m [25 Feb 2010]:
o Cipher definition fixes.
o Workaround for slow RAND_poll() on some WIN32 versions.
o Remove MD2 from algorithm tables.
o SPKAC handling fixes.
o Support for RFC5746 TLS renegotiation extension.
o Compression memory leak fixed.
o Compression session resumption fixed.
o Ticket and SNI coexistence fixes.
o Many fixes to DTLS handling.
Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l [5 Nov 2009]:
o Temporary work around for CVE-2009-3555: disable renegotiation.
Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k [25 Mar 2009]:
o Fix various build issues.
o Fix security issues (CVE-2009-0590, CVE-2009-0591, CVE-2009-0789)
Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j [7 Jan 2009]:
o Fix security issue (CVE-2008-5077)
o Merge FIPS 140-2 branch code.
Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h [28 May 2008]:
o CryptoAPI ENGINE support.
o Various precautionary measures.
o Fix for bugs affecting certificate request creation.
o Support for local machine keyset attribute in PKCS#12 files.
Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g [19 Oct 2007]:
o Backport of CMS functionality to 0.9.8.
o Fixes for bugs introduced with 0.9.8f.
Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f [11 Oct 2007]:
o Add gcc 4.2 support.
o Add support for AES and SSE2 assembly language optimization
for VC++ build.
o Support for RFC4507bis and server name extensions if explicitly
selected at compile time.
o DTLS improvements.
o RFC4507bis support.
o TLS Extensions support.
Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e [23 Feb 2007]:
o Various ciphersuite selection fixes.
o RFC3779 support.
Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d [28 Sep 2006]:
o Introduce limits to prevent malicious key DoS (CVE-2006-2940)
o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343)
o Changes to ciphersuite selection algorithm
Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c [5 Sep 2006]:
o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339
o New cipher Camellia
Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b [4 May 2006]:
o Cipher string fixes.
o Fixes for VC++ 2005.
o Updated ECC cipher suite support.
o New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free().
o Zlib compression usage fixes.
o Built in dynamic engine compilation support on Win32.
o Fixes auto dynamic engine loading in Win32.
Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a [11 Oct 2005]:
o Fix potential SSL 2.0 rollback, CVE-2005-2969
o Extended Windows CE support
Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8 [5 Jul 2005]:
o Major work on the BIGNUM library for higher efficiency and to
make operations more streamlined and less contradictory. This
is the result of a major audit of the BIGNUM library.
o Addition of BIGNUM functions for fields GF(2^m) and NIST
curves, to support the Elliptic Crypto functions.
o Major work on Elliptic Crypto; ECDH and ECDSA added, including
the use through EVP, X509 and ENGINE.
o New ASN.1 mini-compiler that's usable through the OpenSSL
configuration file.
o Added support for ASN.1 indefinite length constructed encoding.
o New PKCS#12 'medium level' API to manipulate PKCS#12 files.
o Complete rework of shared library construction and linking
programs with shared or static libraries, through a separate
Makefile.shared.
o Rework of the passing of parameters from one Makefile to another.
o Changed ENGINE framework to load dynamic engine modules
automatically from specifically given directories.
o New structure and ASN.1 functions for CertificatePair.
o Changed the ZLIB compression method to be stateful.
o Changed the key-generation and primality testing "progress"
mechanism to take a structure that contains the ticker
function and an argument.
o New engine module: GMP (performs private key exponentiation).
o New engine module: VIA PadLOck ACE extension in VIA C3
Nehemiah processors.
o Added support for IPv6 addresses in certificate extensions.
See RFC 1884, section 2.2.
o Added support for certificate policy mappings, policy
constraints and name constraints.
o Added support for multi-valued AVAs in the OpenSSL
configuration file.
o Added support for multiple certificates with the same subject
in the 'openssl ca' index file.
o Make it possible to create self-signed certificates using
'openssl ca -selfsign'.
o Make it possible to generate a serial number file with
'openssl ca -create_serial'.
o New binary search functions with extended functionality.
o New BUF functions.
o New STORE structure and library to provide an interface to all
sorts of data repositories. Supports storage of public and
private keys, certificates, CRLs, numbers and arbitrary blobs.
This library is unfortunately unfinished and unused within
OpenSSL.
o New control functions for the error stack.
o Changed the PKCS#7 library to support one-pass S/MIME
processing.
o Added the possibility to compile without old deprecated
functionality with the OPENSSL_NO_DEPRECATED macro or the
'no-deprecated' argument to the config and Configure scripts.
o Constification of all ASN.1 conversion functions, and other
affected functions.
o Improved platform support for PowerPC.
o New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512).
o New X509_VERIFY_PARAM structure to support parameterisation
of X.509 path validation.
o Major overhaul of RC4 performance on Intel P4, IA-64 and
AMD64.
o Changed the Configure script to have some algorithms disabled
by default. Those can be explicitly enabled with the new
argument form 'enable-xxx'.
o Change the default digest in 'openssl' commands from MD5 to
SHA-1.
o Added support for DTLS.
o New BIGNUM blinding.
o Added support for the RSA-PSS encryption scheme
o Added support for the RSA X.931 padding.
o Added support for BSD sockets on NetWare.
o Added support for files larger than 2GB.
o Added initial support for Win64.
o Added alternate pkg-config files.
Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m [23 Feb 2007]:
o FIPS 1.1.1 module linking.
o Various ciphersuite selection fixes.
Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l [28 Sep 2006]:
o Introduce limits to prevent malicious key DoS (CVE-2006-2940)
o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343)
Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k [5 Sep 2006]:
o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339
Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j [4 May 2006]:
o Visual C++ 2005 fixes.
o Update Windows build system for FIPS.
Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i [14 Oct 2005]:
o Give EVP_MAX_MD_SIZE its old value, except for a FIPS build.
Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h [11 Oct 2005]:
o Fix SSL 2.0 Rollback, CVE-2005-2969
o Allow use of fixed-length exponent on DSA signing
o Default fixed-window RSA, DSA, DH private-key operations
Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g [11 Apr 2005]:
o More compilation issues fixed.
o Adaptation to more modern Kerberos API.
o Enhanced or corrected configuration for Solaris64, Mingw and Cygwin.
o Enhanced x86_64 assembler BIGNUM module.
o More constification.
o Added processing of proxy certificates (RFC 3820).
Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f [22 Mar 2005]:
o Several compilation issues fixed.
o Many memory allocation failure checks added.
o Improved comparison of X509 Name type.
o Mandatory basic checks on certificates.
o Performance improvements.
Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e [25 Oct 2004]:
o Fix race condition in CRL checking code.
o Fixes to PKCS#7 (S/MIME) code.
Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d [17 Mar 2004]:
o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug
o Security: Fix null-pointer assignment in do_change_cipher_spec()
o Allow multiple active certificates with same subject in CA index
o Multiple X509 verification fixes
o Speed up HMAC and other operations
Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c [30 Sep 2003]:
o Security: fix various ASN1 parsing bugs.
o New -ignore_err option to OCSP utility.
o Various interop and bug fixes in S/MIME code.
o SSL/TLS protocol fix for unrequested client certificates.
Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b [10 Apr 2003]:
o Security: counter the Klima-Pokorny-Rosa extension of
Bleichbacher's attack
o Security: make RSA blinding default.
o Configuration: Irix fixes, AIX fixes, better mingw support.
o Support for new platforms: linux-ia64-ecc.
o Build: shared library support fixes.
o ASN.1: treat domainComponent correctly.
o Documentation: fixes and additions.
Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a [19 Feb 2003]:
o Security: Important security related bugfixes.
o Enhanced compatibility with MIT Kerberos.
o Can be built without the ENGINE framework.
o IA32 assembler enhancements.
o Support for new platforms: FreeBSD/IA64 and FreeBSD/Sparc64.
o Configuration: the no-err option now works properly.
o SSL/TLS: now handles manual certificate chain building.
o SSL/TLS: certain session ID malfunctions corrected.
Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7 [30 Dec 2002]:
o New library section OCSP.
o Complete rewrite of ASN1 code.
o CRL checking in verify code and openssl utility.
o Extension copying in 'ca' utility.
o Flexible display options in 'ca' utility.
o Provisional support for international characters with UTF8.
o Support for external crypto devices ('engine') is no longer
a separate distribution.
o New elliptic curve library section.
o New AES (Rijndael) library section.
o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit,
Linux x86_64, Linux 64-bit on Sparc v9
o Extended support for some platforms: VxWorks
o Enhanced support for shared libraries.
o Now only builds PIC code when shared library support is requested.
o Support for pkg-config.
o Lots of new manuals.
o Makes symbolic links to or copies of manuals to cover all described
functions.
o Change DES API to clean up the namespace (some applications link also
against libdes providing similar functions having the same name).
Provide macros for backward compatibility (will be removed in the
future).
o Unify handling of cryptographic algorithms (software and engine)
to be available via EVP routines for asymmetric and symmetric ciphers.
o NCONF: new configuration handling routines.
o Change API to use more 'const' modifiers to improve error checking
and help optimizers.
o Finally remove references to RSAref.
o Reworked parts of the BIGNUM code.
o Support for new engines: Broadcom ubsec, Accelerated Encryption
Processing, IBM 4758.
o A few new engines added in the demos area.
o Extended and corrected OID (object identifier) table.
o PRNG: query at more locations for a random device, automatic query for
EGD style random sources at several locations.
o SSL/TLS: allow optional cipher choice according to server's preference.
o SSL/TLS: allow server to explicitly set new session ids.
o SSL/TLS: support Kerberos cipher suites (RFC2712).
Only supports MIT Kerberos for now.
o SSL/TLS: allow more precise control of renegotiations and sessions.
o SSL/TLS: add callback to retrieve SSL/TLS messages.
o SSL/TLS: support AES cipher suites (RFC3268).
Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k [30 Sep 2003]:
o Security: fix various ASN1 parsing bugs.
o SSL/TLS protocol fix for unrequested client certificates.
Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j [10 Apr 2003]:
o Security: counter the Klima-Pokorny-Rosa extension of
Bleichbacher's attack
o Security: make RSA blinding default.
o Build: shared library support fixes.
Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i [19 Feb 2003]:
o Important security related bugfixes.
Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h [5 Dec 2002]:
o New configuration targets for Tandem OSS and A/UX.
o New OIDs for Microsoft attributes.
o Better handling of SSL session caching.
o Better comparison of distinguished names.
o Better handling of shared libraries in a mixed GNU/non-GNU environment.
o Support assembler code with Borland C.
o Fixes for length problems.
o Fixes for uninitialised variables.
o Fixes for memory leaks, some unusual crashes and some race conditions.
o Fixes for smaller building problems.
o Updates of manuals, FAQ and other instructive documents.
Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g [9 Aug 2002]:
o Important building fixes on Unix.
Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f [8 Aug 2002]:
o Various important bugfixes.
Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e [30 Jul 2002]:
o Important security related bugfixes.
o Various SSL/TLS library bugfixes.
Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d [9 May 2002]:
o Various SSL/TLS library bugfixes.
o Fix DH parameter generation for 'non-standard' generators.
Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c [21 Dec 2001]:
o Various SSL/TLS library bugfixes.
o BIGNUM library fixes.
o RSA OAEP and random number generation fixes.
o Object identifiers corrected and added.
o Add assembler BN routines for IA64.
o Add support for OS/390 Unix, UnixWare with gcc, OpenUNIX 8,
MIPS Linux; shared library support for Irix, HP-UX.
o Add crypto accelerator support for AEP, Baltimore SureWare,
Broadcom and Cryptographic Appliance's keyserver
[in 0.9.6c-engine release].
Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b [9 Jul 2001]:
o Security fix: PRNG improvements.
o Security fix: RSA OAEP check.
o Security fix: Reinsert and fix countermeasure to Bleichbacher's
attack.
o MIPS bug fix in BIGNUM.
o Bug fix in "openssl enc".
o Bug fix in X.509 printing routine.
o Bug fix in DSA verification routine and DSA S/MIME verification.
o Bug fix to make PRNG thread-safe.
o Bug fix in RAND_file_name().
o Bug fix in compatibility mode trust settings.
o Bug fix in blowfish EVP.
o Increase default size for BIO buffering filter.
o Compatibility fixes in some scripts.
Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a [5 Apr 2001]:
o Security fix: change behavior of OpenSSL to avoid using
environment variables when running as root.
o Security fix: check the result of RSA-CRT to reduce the
possibility of deducing the private key from an incorrectly
calculated signature.
o Security fix: prevent Bleichenbacher's DSA attack.
o Security fix: Zero the premaster secret after deriving the
master secret in DH ciphersuites.
o Reimplement SSL_peek(), which had various problems.
o Compatibility fix: the function des_encrypt() renamed to
des_encrypt1() to avoid clashes with some Unixen libc.
o Bug fixes for Win32, HP/UX and Irix.
o Bug fixes in BIGNUM, SSL, PKCS#7, PKCS#12, X.509, CONF and
memory checking routines.
o Bug fixes for RSA operations in threaded environments.
o Bug fixes in misc. openssl applications.
o Remove a few potential memory leaks.
o Add tighter checks of BIGNUM routines.
o Shared library support has been reworked for generality.
o More documentation.
o New function BN_rand_range().
o Add "-rand" option to openssl s_client and s_server.
Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6 [10 Oct 2000]:
o Some documentation for BIO and SSL libraries.
o Enhanced chain verification using key identifiers.
o New sign and verify options to 'dgst' application.
o Support for DER and PEM encoded messages in 'smime' application.
o New 'rsautl' application, low level RSA utility.
o MD4 now included.
o Bugfix for SSL rollback padding check.
o Support for external crypto devices [1].
o Enhanced EVP interface.
[1] The support for external crypto devices is currently a separate
distribution. See the file README.ENGINE.
Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a [1 Apr 2000]:
o Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8
o Shared library support for HPUX and Solaris-gcc
o Support of Linux/IA64
o Assembler support for Mingw32
o New 'rand' application
o New way to check for existence of algorithms from scripts
Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5 [25 May 2000]:
o S/MIME support in new 'smime' command
o Documentation for the OpenSSL command line application
o Automation of 'req' application
o Fixes to make s_client, s_server work under Windows
o Support for multiple fieldnames in SPKACs
o New SPKAC command line utility and associated library functions
o Options to allow passwords to be obtained from various sources
o New public key PEM format and options to handle it
o Many other fixes and enhancements to command line utilities
o Usable certificate chain verification
o Certificate purpose checking
o Certificate trust settings
o Support of authority information access extension
o Extensions in certificate requests
o Simplified X509 name and attribute routines
o Initial (incomplete) support for international character sets
o New DH_METHOD, DSA_METHOD and enhanced RSA_METHOD
o Read only memory BIOs and simplified creation function
o TLS/SSL protocol bugfixes: Accept TLS 'client hello' in SSL 3.0
record; allow fragmentation and interleaving of handshake and other
data
o TLS/SSL code now "tolerates" MS SGC
o Work around for Netscape client certificate hang bug
o RSA_NULL option that removes RSA patent code but keeps other
RSA functionality
o Memory leak detection now allows applications to add extra information
via a per-thread stack
o PRNG robustness improved
o EGD support
o BIGNUM library bug fixes
o Faster DSA parameter generation
o Enhanced support for Alpha Linux
o Experimental MacOS support
Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4 [9 Aug 1999]:
o Transparent support for PKCS#8 format private keys: these are used
by several software packages and are more secure than the standard
form
o PKCS#5 v2.0 implementation
o Password callbacks have a new void * argument for application data
o Avoid various memory leaks
o New pipe-like BIO that allows using the SSL library when actual I/O
must be handled by the application (BIO pair)
Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3 [24 May 1999]:
o Lots of enhancements and cleanups to the Configuration mechanism
o RSA OEAP related fixes
o Added `openssl ca -revoke' option for revoking a certificate
o Source cleanups: const correctness, type-safe stacks and ASN.1 SETs
o Source tree cleanups: removed lots of obsolete files
o Thawte SXNet, certificate policies and CRL distribution points
extension support
o Preliminary (experimental) S/MIME support
o Support for ASN.1 UTF8String and VisibleString
o Full integration of PKCS#12 code
o Sparc assembler bignum implementation, optimized hash functions
o Option to disable selected ciphers
Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b [22 Mar 1999]:
o Fixed a security hole related to session resumption
o Fixed RSA encryption routines for the p < q case
o "ALL" in cipher lists now means "everything except NULL ciphers"
o Support for Triple-DES CBCM cipher
o Support of Optimal Asymmetric Encryption Padding (OAEP) for RSA
o First support for new TLSv1 ciphers
o Added a few new BIOs (syslog BIO, reliable BIO)
o Extended support for DSA certificate/keys.
o Extended support for Certificate Signing Requests (CSR)
o Initial support for X.509v3 extensions
o Extended support for compression inside the SSL record layer
o Overhauled Win32 builds
o Cleanups and fixes to the Big Number (BN) library
o Support for ASN.1 GeneralizedTime
o Splitted ASN.1 SETs from SEQUENCEs
o ASN1 and PEM support for Netscape Certificate Sequences
o Overhauled Perl interface
o Lots of source tree cleanups.
o Lots of memory leak fixes.
o Lots of bug fixes.
Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c [23 Dec 1998]:
o Integration of the popular NO_RSA/NO_DSA patches
o Initial support for compression inside the SSL record layer
o Added BIO proxy and filtering functionality
o Extended Big Number (BN) library
o Added RIPE MD160 message digest
o Added support for RC2/64bit cipher
o Extended ASN.1 parser routines
o Adjustments of the source tree for CVS
o Support for various new platforms
diff --git a/crypto/openssl/README b/crypto/openssl/README
index 50345c3c28eb..3e100933f388 100644
--- a/crypto/openssl/README
+++ b/crypto/openssl/README
@@ -1,93 +1,93 @@
- OpenSSL 1.1.1m 14 Dec 2021
+ OpenSSL 1.1.1n 15 Mar 2022
Copyright (c) 1998-2021 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.
DESCRIPTION
-----------
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, fully featured, and Open Source toolkit implementing the
Transport Layer Security (TLS) protocols (including SSLv3) as well as a
full-strength general purpose cryptographic library.
OpenSSL is descended from the SSLeay library developed by Eric A. Young
and Tim J. Hudson. The OpenSSL toolkit is licensed under a dual-license (the
OpenSSL license plus the SSLeay license), which means that you are free to
get and use it for commercial and non-commercial purposes as long as you
fulfill the conditions of both licenses.
OVERVIEW
--------
The OpenSSL toolkit includes:
libssl (with platform specific naming):
Provides the client and server-side implementations for SSLv3 and TLS.
libcrypto (with platform specific naming):
Provides general cryptographic and X.509 support needed by SSL/TLS but
not logically part of it.
openssl:
A command line tool that can be used for:
Creation of key parameters
Creation of X.509 certificates, CSRs and CRLs
Calculation of message digests
Encryption and decryption
SSL/TLS client and server tests
Handling of S/MIME signed or encrypted mail
And more...
INSTALLATION
------------
See the appropriate file:
INSTALL Linux, Unix, Windows, OpenVMS, ...
NOTES.* INSTALL addendums for different platforms
SUPPORT
-------
See the OpenSSL website www.openssl.org for details on how to obtain
commercial technical support. Free community support is available through the
openssl-users email list (see
https://www.openssl.org/community/mailinglists.html for further details).
If you have any problems with OpenSSL then please take the following steps
first:
- Download the latest version from the repository
to see if the problem has already been addressed
- Configure with no-asm
- Remove compiler optimization flags
If you wish to report a bug then please include the following information
and create an issue on GitHub:
- OpenSSL version: output of 'openssl version -a'
- Configuration data: output of 'perl configdata.pm --dump'
- OS Name, Version, Hardware platform
- Compiler Details (name, version)
- Application Details (name, version)
- Problem Description (steps that will reproduce the problem, if known)
- Stack Traceback (if the application dumps core)
Just because something doesn't work the way you expect does not mean it
is necessarily a bug in OpenSSL. Use the openssl-users email list for this type
of query.
HOW TO CONTRIBUTE TO OpenSSL
----------------------------
See CONTRIBUTING
LEGALITIES
----------
A number of nations restrict the use or export of cryptography. If you
are potentially subject to such restrictions you should seek competent
professional legal advice before attempting to develop or distribute
cryptographic code.
diff --git a/crypto/openssl/apps/apps.c b/crypto/openssl/apps/apps.c
index c06241abb975..1a92271595f1 100644
--- a/crypto/openssl/apps/apps.c
+++ b/crypto/openssl/apps/apps.c
@@ -1,2779 +1,2783 @@
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)
/*
* On VMS, you need to define this to get the declaration of fileno(). The
* value 2 is to make sure no function defined in POSIX-2 is left undefined.
*/
# define _POSIX_C_SOURCE 2
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#ifndef OPENSSL_NO_POSIX_IO
# include <sys/stat.h>
# include <fcntl.h>
#endif
#include <ctype.h>
#include <errno.h>
#include <openssl/err.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/pem.h>
#include <openssl/pkcs12.h>
#include <openssl/ui.h>
#include <openssl/safestack.h>
#ifndef OPENSSL_NO_ENGINE
# include <openssl/engine.h>
#endif
#ifndef OPENSSL_NO_RSA
# include <openssl/rsa.h>
#endif
#include <openssl/bn.h>
#include <openssl/ssl.h>
#include "apps.h"
#ifdef _WIN32
static int WIN32_rename(const char *from, const char *to);
# define rename(from,to) WIN32_rename((from),(to))
#endif
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
# include <conio.h>
#endif
#if defined(OPENSSL_SYS_MSDOS) && !defined(_WIN32)
# define _kbhit kbhit
#endif
typedef struct {
const char *name;
unsigned long flag;
unsigned long mask;
} NAME_EX_TBL;
static UI_METHOD *ui_method = NULL;
static const UI_METHOD *ui_fallback_method = NULL;
static int set_table_opts(unsigned long *flags, const char *arg,
const NAME_EX_TBL * in_tbl);
static int set_multi_opts(unsigned long *flags, const char *arg,
const NAME_EX_TBL * in_tbl);
int app_init(long mesgwin);
int chopup_args(ARGS *arg, char *buf)
{
int quoted;
char c = '\0', *p = NULL;
arg->argc = 0;
if (arg->size == 0) {
arg->size = 20;
arg->argv = app_malloc(sizeof(*arg->argv) * arg->size, "argv space");
}
for (p = buf;;) {
/* Skip whitespace. */
while (*p && isspace(_UC(*p)))
p++;
if (!*p)
break;
/* The start of something good :-) */
if (arg->argc >= arg->size) {
char **tmp;
arg->size += 20;
tmp = OPENSSL_realloc(arg->argv, sizeof(*arg->argv) * arg->size);
if (tmp == NULL)
return 0;
arg->argv = tmp;
}
quoted = *p == '\'' || *p == '"';
if (quoted)
c = *p++;
arg->argv[arg->argc++] = p;
/* now look for the end of this */
if (quoted) {
while (*p && *p != c)
p++;
*p++ = '\0';
} else {
while (*p && !isspace(_UC(*p)))
p++;
if (*p)
*p++ = '\0';
}
}
arg->argv[arg->argc] = NULL;
return 1;
}
#ifndef APP_INIT
int app_init(long mesgwin)
{
return 1;
}
#endif
int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
const char *CApath, int noCAfile, int noCApath)
{
if (CAfile == NULL && CApath == NULL) {
if (!noCAfile && SSL_CTX_set_default_verify_file(ctx) <= 0)
return 0;
if (!noCApath && SSL_CTX_set_default_verify_dir(ctx) <= 0)
return 0;
return 1;
}
return SSL_CTX_load_verify_locations(ctx, CAfile, CApath);
}
#ifndef OPENSSL_NO_CT
int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path)
{
if (path == NULL)
return SSL_CTX_set_default_ctlog_list_file(ctx);
return SSL_CTX_set_ctlog_list_file(ctx, path);
}
#endif
static unsigned long nmflag = 0;
static char nmflag_set = 0;
int set_nameopt(const char *arg)
{
int ret = set_name_ex(&nmflag, arg);
if (ret)
nmflag_set = 1;
return ret;
}
unsigned long get_nameopt(void)
{
return (nmflag_set) ? nmflag : XN_FLAG_ONELINE;
}
int dump_cert_text(BIO *out, X509 *x)
{
print_name(out, "subject=", X509_get_subject_name(x), get_nameopt());
BIO_puts(out, "\n");
print_name(out, "issuer=", X509_get_issuer_name(x), get_nameopt());
BIO_puts(out, "\n");
return 0;
}
static int ui_open(UI *ui)
{
int (*opener)(UI *ui) = UI_method_get_opener(ui_fallback_method);
if (opener)
return opener(ui);
return 1;
}
static int ui_read(UI *ui, UI_STRING *uis)
{
int (*reader)(UI *ui, UI_STRING *uis) = NULL;
if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD
&& UI_get0_user_data(ui)) {
switch (UI_get_string_type(uis)) {
case UIT_PROMPT:
case UIT_VERIFY:
{
const char *password =
((PW_CB_DATA *)UI_get0_user_data(ui))->password;
if (password && password[0] != '\0') {
UI_set_result(ui, uis, password);
return 1;
}
}
break;
case UIT_NONE:
case UIT_BOOLEAN:
case UIT_INFO:
case UIT_ERROR:
break;
}
}
reader = UI_method_get_reader(ui_fallback_method);
if (reader)
return reader(ui, uis);
return 1;
}
static int ui_write(UI *ui, UI_STRING *uis)
{
int (*writer)(UI *ui, UI_STRING *uis) = NULL;
if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD
&& UI_get0_user_data(ui)) {
switch (UI_get_string_type(uis)) {
case UIT_PROMPT:
case UIT_VERIFY:
{
const char *password =
((PW_CB_DATA *)UI_get0_user_data(ui))->password;
if (password && password[0] != '\0')
return 1;
}
break;
case UIT_NONE:
case UIT_BOOLEAN:
case UIT_INFO:
case UIT_ERROR:
break;
}
}
writer = UI_method_get_writer(ui_fallback_method);
if (writer)
return writer(ui, uis);
return 1;
}
static int ui_close(UI *ui)
{
int (*closer)(UI *ui) = UI_method_get_closer(ui_fallback_method);
if (closer)
return closer(ui);
return 1;
}
int setup_ui_method(void)
{
ui_fallback_method = UI_null();
#ifndef OPENSSL_NO_UI_CONSOLE
ui_fallback_method = UI_OpenSSL();
#endif
ui_method = UI_create_method("OpenSSL application user interface");
UI_method_set_opener(ui_method, ui_open);
UI_method_set_reader(ui_method, ui_read);
UI_method_set_writer(ui_method, ui_write);
UI_method_set_closer(ui_method, ui_close);
return 0;
}
void destroy_ui_method(void)
{
if (ui_method) {
UI_destroy_method(ui_method);
ui_method = NULL;
}
}
const UI_METHOD *get_ui_method(void)
{
return ui_method;
}
int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
{
int res = 0;
UI *ui = NULL;
PW_CB_DATA *cb_data = (PW_CB_DATA *)cb_tmp;
ui = UI_new_method(ui_method);
if (ui) {
int ok = 0;
char *buff = NULL;
int ui_flags = 0;
const char *prompt_info = NULL;
char *prompt;
+ int pw_min_len = PW_MIN_LENGTH;
if (cb_data != NULL && cb_data->prompt_info != NULL)
prompt_info = cb_data->prompt_info;
+ if (cb_data != NULL && cb_data->password != NULL
+ && *(const char*)cb_data->password != '\0')
+ pw_min_len = 1;
prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
if (!prompt) {
BIO_printf(bio_err, "Out of memory\n");
UI_free(ui);
return 0;
}
ui_flags |= UI_INPUT_FLAG_DEFAULT_PWD;
UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);
/* We know that there is no previous user data to return to us */
(void)UI_add_user_data(ui, cb_data);
ok = UI_add_input_string(ui, prompt, ui_flags, buf,
- PW_MIN_LENGTH, bufsiz - 1);
+ pw_min_len, bufsiz - 1);
if (ok >= 0 && verify) {
buff = app_malloc(bufsiz, "password buffer");
ok = UI_add_verify_string(ui, prompt, ui_flags, buff,
- PW_MIN_LENGTH, bufsiz - 1, buf);
+ pw_min_len, bufsiz - 1, buf);
}
if (ok >= 0)
do {
ok = UI_process(ui);
} while (ok < 0 && UI_ctrl(ui, UI_CTRL_IS_REDOABLE, 0, 0, 0));
OPENSSL_clear_free(buff, (unsigned int)bufsiz);
if (ok >= 0)
res = strlen(buf);
if (ok == -1) {
BIO_printf(bio_err, "User interface error\n");
ERR_print_errors(bio_err);
OPENSSL_cleanse(buf, (unsigned int)bufsiz);
res = 0;
}
if (ok == -2) {
BIO_printf(bio_err, "aborted!\n");
OPENSSL_cleanse(buf, (unsigned int)bufsiz);
res = 0;
}
UI_free(ui);
OPENSSL_free(prompt);
}
return res;
}
static char *app_get_pass(const char *arg, int keepbio);
int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2)
{
int same;
if (arg2 == NULL || arg1 == NULL || strcmp(arg1, arg2))
same = 0;
else
same = 1;
if (arg1 != NULL) {
*pass1 = app_get_pass(arg1, same);
if (*pass1 == NULL)
return 0;
} else if (pass1 != NULL) {
*pass1 = NULL;
}
if (arg2 != NULL) {
*pass2 = app_get_pass(arg2, same ? 2 : 0);
if (*pass2 == NULL)
return 0;
} else if (pass2 != NULL) {
*pass2 = NULL;
}
return 1;
}
static char *app_get_pass(const char *arg, int keepbio)
{
char *tmp, tpass[APP_PASS_LEN];
static BIO *pwdbio = NULL;
int i;
if (strncmp(arg, "pass:", 5) == 0)
return OPENSSL_strdup(arg + 5);
if (strncmp(arg, "env:", 4) == 0) {
tmp = getenv(arg + 4);
if (tmp == NULL) {
BIO_printf(bio_err, "Can't read environment variable %s\n", arg + 4);
return NULL;
}
return OPENSSL_strdup(tmp);
}
if (!keepbio || pwdbio == NULL) {
if (strncmp(arg, "file:", 5) == 0) {
pwdbio = BIO_new_file(arg + 5, "r");
if (pwdbio == NULL) {
BIO_printf(bio_err, "Can't open file %s\n", arg + 5);
return NULL;
}
#if !defined(_WIN32)
/*
* Under _WIN32, which covers even Win64 and CE, file
* descriptors referenced by BIO_s_fd are not inherited
* by child process and therefore below is not an option.
* It could have been an option if bss_fd.c was operating
* on real Windows descriptors, such as those obtained
* with CreateFile.
*/
} else if (strncmp(arg, "fd:", 3) == 0) {
BIO *btmp;
i = atoi(arg + 3);
if (i >= 0)
pwdbio = BIO_new_fd(i, BIO_NOCLOSE);
if ((i < 0) || !pwdbio) {
BIO_printf(bio_err, "Can't access file descriptor %s\n", arg + 3);
return NULL;
}
/*
* Can't do BIO_gets on an fd BIO so add a buffering BIO
*/
btmp = BIO_new(BIO_f_buffer());
pwdbio = BIO_push(btmp, pwdbio);
#endif
} else if (strcmp(arg, "stdin") == 0) {
pwdbio = dup_bio_in(FORMAT_TEXT);
if (!pwdbio) {
BIO_printf(bio_err, "Can't open BIO for stdin\n");
return NULL;
}
} else {
BIO_printf(bio_err, "Invalid password argument \"%s\"\n", arg);
return NULL;
}
}
i = BIO_gets(pwdbio, tpass, APP_PASS_LEN);
if (keepbio != 1) {
BIO_free_all(pwdbio);
pwdbio = NULL;
}
if (i <= 0) {
BIO_printf(bio_err, "Error reading password from BIO\n");
return NULL;
}
tmp = strchr(tpass, '\n');
if (tmp != NULL)
*tmp = 0;
return OPENSSL_strdup(tpass);
}
CONF *app_load_config_bio(BIO *in, const char *filename)
{
long errorline = -1;
CONF *conf;
int i;
conf = NCONF_new(NULL);
i = NCONF_load_bio(conf, in, &errorline);
if (i > 0)
return conf;
if (errorline <= 0) {
BIO_printf(bio_err, "%s: Can't load ", opt_getprog());
} else {
BIO_printf(bio_err, "%s: Error on line %ld of ", opt_getprog(),
errorline);
}
if (filename != NULL)
BIO_printf(bio_err, "config file \"%s\"\n", filename);
else
BIO_printf(bio_err, "config input");
NCONF_free(conf);
return NULL;
}
CONF *app_load_config(const char *filename)
{
BIO *in;
CONF *conf;
in = bio_open_default(filename, 'r', FORMAT_TEXT);
if (in == NULL)
return NULL;
conf = app_load_config_bio(in, filename);
BIO_free(in);
return conf;
}
CONF *app_load_config_quiet(const char *filename)
{
BIO *in;
CONF *conf;
in = bio_open_default_quiet(filename, 'r', FORMAT_TEXT);
if (in == NULL)
return NULL;
conf = app_load_config_bio(in, filename);
BIO_free(in);
return conf;
}
int app_load_modules(const CONF *config)
{
CONF *to_free = NULL;
if (config == NULL)
config = to_free = app_load_config_quiet(default_config_file);
if (config == NULL)
return 1;
if (CONF_modules_load(config, NULL, 0) <= 0) {
BIO_printf(bio_err, "Error configuring OpenSSL modules\n");
ERR_print_errors(bio_err);
NCONF_free(to_free);
return 0;
}
NCONF_free(to_free);
return 1;
}
int add_oid_section(CONF *conf)
{
char *p;
STACK_OF(CONF_VALUE) *sktmp;
CONF_VALUE *cnf;
int i;
if ((p = NCONF_get_string(conf, NULL, "oid_section")) == NULL) {
ERR_clear_error();
return 1;
}
if ((sktmp = NCONF_get_section(conf, p)) == NULL) {
BIO_printf(bio_err, "problem loading oid section %s\n", p);
return 0;
}
for (i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {
cnf = sk_CONF_VALUE_value(sktmp, i);
if (OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {
BIO_printf(bio_err, "problem creating object %s=%s\n",
cnf->name, cnf->value);
return 0;
}
}
return 1;
}
static int load_pkcs12(BIO *in, const char *desc,
pem_password_cb *pem_cb, void *cb_data,
EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
{
const char *pass;
char tpass[PEM_BUFSIZE];
int len, ret = 0;
PKCS12 *p12;
p12 = d2i_PKCS12_bio(in, NULL);
if (p12 == NULL) {
BIO_printf(bio_err, "Error loading PKCS12 file for %s\n", desc);
goto die;
}
/* See if an empty password will do */
if (PKCS12_verify_mac(p12, "", 0) || PKCS12_verify_mac(p12, NULL, 0)) {
pass = "";
} else {
if (!pem_cb)
pem_cb = (pem_password_cb *)password_callback;
len = pem_cb(tpass, PEM_BUFSIZE, 0, cb_data);
if (len < 0) {
BIO_printf(bio_err, "Passphrase callback error for %s\n", desc);
goto die;
}
if (len < PEM_BUFSIZE)
tpass[len] = 0;
if (!PKCS12_verify_mac(p12, tpass, len)) {
BIO_printf(bio_err,
"Mac verify error (wrong password?) in PKCS12 file for %s\n",
desc);
goto die;
}
pass = tpass;
}
ret = PKCS12_parse(p12, pass, pkey, cert, ca);
die:
PKCS12_free(p12);
return ret;
}
#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK)
static int load_cert_crl_http(const char *url, X509 **pcert, X509_CRL **pcrl)
{
char *host = NULL, *port = NULL, *path = NULL;
BIO *bio = NULL;
OCSP_REQ_CTX *rctx = NULL;
int use_ssl, rv = 0;
if (!OCSP_parse_url(url, &host, &port, &path, &use_ssl))
goto err;
if (use_ssl) {
BIO_puts(bio_err, "https not supported\n");
goto err;
}
bio = BIO_new_connect(host);
if (!bio || !BIO_set_conn_port(bio, port))
goto err;
rctx = OCSP_REQ_CTX_new(bio, 1024);
if (rctx == NULL)
goto err;
if (!OCSP_REQ_CTX_http(rctx, "GET", path))
goto err;
if (!OCSP_REQ_CTX_add1_header(rctx, "Host", host))
goto err;
if (pcert) {
do {
rv = X509_http_nbio(rctx, pcert);
} while (rv == -1);
} else {
do {
rv = X509_CRL_http_nbio(rctx, pcrl);
} while (rv == -1);
}
err:
OPENSSL_free(host);
OPENSSL_free(path);
OPENSSL_free(port);
BIO_free_all(bio);
OCSP_REQ_CTX_free(rctx);
if (rv != 1) {
BIO_printf(bio_err, "Error loading %s from %s\n",
pcert ? "certificate" : "CRL", url);
ERR_print_errors(bio_err);
}
return rv;
}
#endif
X509 *load_cert(const char *file, int format, const char *cert_descrip)
{
X509 *x = NULL;
BIO *cert;
if (format == FORMAT_HTTP) {
#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK)
load_cert_crl_http(file, &x, NULL);
#endif
return x;
}
if (file == NULL) {
unbuffer(stdin);
cert = dup_bio_in(format);
} else {
cert = bio_open_default(file, 'r', format);
}
if (cert == NULL)
goto end;
if (format == FORMAT_ASN1) {
x = d2i_X509_bio(cert, NULL);
} else if (format == FORMAT_PEM) {
x = PEM_read_bio_X509_AUX(cert, NULL,
(pem_password_cb *)password_callback, NULL);
} else if (format == FORMAT_PKCS12) {
if (!load_pkcs12(cert, cert_descrip, NULL, NULL, NULL, &x, NULL))
goto end;
} else {
BIO_printf(bio_err, "bad input format specified for %s\n", cert_descrip);
goto end;
}
end:
if (x == NULL) {
BIO_printf(bio_err, "unable to load certificate\n");
ERR_print_errors(bio_err);
}
BIO_free(cert);
return x;
}
X509_CRL *load_crl(const char *infile, int format)
{
X509_CRL *x = NULL;
BIO *in = NULL;
if (format == FORMAT_HTTP) {
#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK)
load_cert_crl_http(infile, NULL, &x);
#endif
return x;
}
in = bio_open_default(infile, 'r', format);
if (in == NULL)
goto end;
if (format == FORMAT_ASN1) {
x = d2i_X509_CRL_bio(in, NULL);
} else if (format == FORMAT_PEM) {
x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
} else {
BIO_printf(bio_err, "bad input format specified for input crl\n");
goto end;
}
if (x == NULL) {
BIO_printf(bio_err, "unable to load CRL\n");
ERR_print_errors(bio_err);
goto end;
}
end:
BIO_free(in);
return x;
}
EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
const char *pass, ENGINE *e, const char *key_descrip)
{
BIO *key = NULL;
EVP_PKEY *pkey = NULL;
PW_CB_DATA cb_data;
cb_data.password = pass;
cb_data.prompt_info = file;
if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) {
BIO_printf(bio_err, "no keyfile specified\n");
goto end;
}
if (format == FORMAT_ENGINE) {
if (e == NULL) {
BIO_printf(bio_err, "no engine specified\n");
} else {
#ifndef OPENSSL_NO_ENGINE
if (ENGINE_init(e)) {
pkey = ENGINE_load_private_key(e, file, ui_method, &cb_data);
ENGINE_finish(e);
}
if (pkey == NULL) {
BIO_printf(bio_err, "cannot load %s from engine\n", key_descrip);
ERR_print_errors(bio_err);
}
#else
BIO_printf(bio_err, "engines not supported\n");
#endif
}
goto end;
}
if (file == NULL && maybe_stdin) {
unbuffer(stdin);
key = dup_bio_in(format);
} else {
key = bio_open_default(file, 'r', format);
}
if (key == NULL)
goto end;
if (format == FORMAT_ASN1) {
pkey = d2i_PrivateKey_bio(key, NULL);
} else if (format == FORMAT_PEM) {
pkey = PEM_read_bio_PrivateKey(key, NULL,
(pem_password_cb *)password_callback,
&cb_data);
} else if (format == FORMAT_PKCS12) {
if (!load_pkcs12(key, key_descrip,
(pem_password_cb *)password_callback, &cb_data,
&pkey, NULL, NULL))
goto end;
#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4)
} else if (format == FORMAT_MSBLOB) {
pkey = b2i_PrivateKey_bio(key);
} else if (format == FORMAT_PVK) {
pkey = b2i_PVK_bio(key, (pem_password_cb *)password_callback,
&cb_data);
#endif
} else {
BIO_printf(bio_err, "bad input format specified for key file\n");
goto end;
}
end:
BIO_free(key);
if (pkey == NULL) {
BIO_printf(bio_err, "unable to load %s\n", key_descrip);
ERR_print_errors(bio_err);
}
return pkey;
}
EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
const char *pass, ENGINE *e, const char *key_descrip)
{
BIO *key = NULL;
EVP_PKEY *pkey = NULL;
PW_CB_DATA cb_data;
cb_data.password = pass;
cb_data.prompt_info = file;
if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) {
BIO_printf(bio_err, "no keyfile specified\n");
goto end;
}
if (format == FORMAT_ENGINE) {
if (e == NULL) {
BIO_printf(bio_err, "no engine specified\n");
} else {
#ifndef OPENSSL_NO_ENGINE
pkey = ENGINE_load_public_key(e, file, ui_method, &cb_data);
if (pkey == NULL) {
BIO_printf(bio_err, "cannot load %s from engine\n", key_descrip);
ERR_print_errors(bio_err);
}
#else
BIO_printf(bio_err, "engines not supported\n");
#endif
}
goto end;
}
if (file == NULL && maybe_stdin) {
unbuffer(stdin);
key = dup_bio_in(format);
} else {
key = bio_open_default(file, 'r', format);
}
if (key == NULL)
goto end;
if (format == FORMAT_ASN1) {
pkey = d2i_PUBKEY_bio(key, NULL);
} else if (format == FORMAT_ASN1RSA) {
#ifndef OPENSSL_NO_RSA
RSA *rsa;
rsa = d2i_RSAPublicKey_bio(key, NULL);
if (rsa) {
pkey = EVP_PKEY_new();
if (pkey != NULL)
EVP_PKEY_set1_RSA(pkey, rsa);
RSA_free(rsa);
} else
#else
BIO_printf(bio_err, "RSA keys not supported\n");
#endif
pkey = NULL;
} else if (format == FORMAT_PEMRSA) {
#ifndef OPENSSL_NO_RSA
RSA *rsa;
rsa = PEM_read_bio_RSAPublicKey(key, NULL,
(pem_password_cb *)password_callback,
&cb_data);
if (rsa != NULL) {
pkey = EVP_PKEY_new();
if (pkey != NULL)
EVP_PKEY_set1_RSA(pkey, rsa);
RSA_free(rsa);
} else
#else
BIO_printf(bio_err, "RSA keys not supported\n");
#endif
pkey = NULL;
} else if (format == FORMAT_PEM) {
pkey = PEM_read_bio_PUBKEY(key, NULL,
(pem_password_cb *)password_callback,
&cb_data);
#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
} else if (format == FORMAT_MSBLOB) {
pkey = b2i_PublicKey_bio(key);
#endif
}
end:
BIO_free(key);
if (pkey == NULL)
BIO_printf(bio_err, "unable to load %s\n", key_descrip);
return pkey;
}
static int load_certs_crls(const char *file, int format,
const char *pass, const char *desc,
STACK_OF(X509) **pcerts,
STACK_OF(X509_CRL) **pcrls)
{
int i;
BIO *bio;
STACK_OF(X509_INFO) *xis = NULL;
X509_INFO *xi;
PW_CB_DATA cb_data;
int rv = 0;
cb_data.password = pass;
cb_data.prompt_info = file;
if (format != FORMAT_PEM) {
BIO_printf(bio_err, "bad input format specified for %s\n", desc);
return 0;
}
bio = bio_open_default(file, 'r', FORMAT_PEM);
if (bio == NULL)
return 0;
xis = PEM_X509_INFO_read_bio(bio, NULL,
(pem_password_cb *)password_callback,
&cb_data);
BIO_free(bio);
if (pcerts != NULL && *pcerts == NULL) {
*pcerts = sk_X509_new_null();
if (*pcerts == NULL)
goto end;
}
if (pcrls != NULL && *pcrls == NULL) {
*pcrls = sk_X509_CRL_new_null();
if (*pcrls == NULL)
goto end;
}
for (i = 0; i < sk_X509_INFO_num(xis); i++) {
xi = sk_X509_INFO_value(xis, i);
if (xi->x509 != NULL && pcerts != NULL) {
if (!sk_X509_push(*pcerts, xi->x509))
goto end;
xi->x509 = NULL;
}
if (xi->crl != NULL && pcrls != NULL) {
if (!sk_X509_CRL_push(*pcrls, xi->crl))
goto end;
xi->crl = NULL;
}
}
if (pcerts != NULL && sk_X509_num(*pcerts) > 0)
rv = 1;
if (pcrls != NULL && sk_X509_CRL_num(*pcrls) > 0)
rv = 1;
end:
sk_X509_INFO_pop_free(xis, X509_INFO_free);
if (rv == 0) {
if (pcerts != NULL) {
sk_X509_pop_free(*pcerts, X509_free);
*pcerts = NULL;
}
if (pcrls != NULL) {
sk_X509_CRL_pop_free(*pcrls, X509_CRL_free);
*pcrls = NULL;
}
BIO_printf(bio_err, "unable to load %s\n",
pcerts ? "certificates" : "CRLs");
ERR_print_errors(bio_err);
}
return rv;
}
void* app_malloc(int sz, const char *what)
{
void *vp = OPENSSL_malloc(sz);
if (vp == NULL) {
BIO_printf(bio_err, "%s: Could not allocate %d bytes for %s\n",
opt_getprog(), sz, what);
ERR_print_errors(bio_err);
exit(1);
}
return vp;
}
/*
* Initialize or extend, if *certs != NULL, a certificate stack.
*/
int load_certs(const char *file, STACK_OF(X509) **certs, int format,
const char *pass, const char *desc)
{
return load_certs_crls(file, format, pass, desc, certs, NULL);
}
/*
* Initialize or extend, if *crls != NULL, a certificate stack.
*/
int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format,
const char *pass, const char *desc)
{
return load_certs_crls(file, format, pass, desc, NULL, crls);
}
#define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
/* Return error for unknown extensions */
#define X509V3_EXT_DEFAULT 0
/* Print error for unknown extensions */
#define X509V3_EXT_ERROR_UNKNOWN (1L << 16)
/* ASN1 parse unknown extensions */
#define X509V3_EXT_PARSE_UNKNOWN (2L << 16)
/* BIO_dump unknown extensions */
#define X509V3_EXT_DUMP_UNKNOWN (3L << 16)
#define X509_FLAG_CA (X509_FLAG_NO_ISSUER | X509_FLAG_NO_PUBKEY | \
X509_FLAG_NO_HEADER | X509_FLAG_NO_VERSION)
int set_cert_ex(unsigned long *flags, const char *arg)
{
static const NAME_EX_TBL cert_tbl[] = {
{"compatible", X509_FLAG_COMPAT, 0xffffffffl},
{"ca_default", X509_FLAG_CA, 0xffffffffl},
{"no_header", X509_FLAG_NO_HEADER, 0},
{"no_version", X509_FLAG_NO_VERSION, 0},
{"no_serial", X509_FLAG_NO_SERIAL, 0},
{"no_signame", X509_FLAG_NO_SIGNAME, 0},
{"no_validity", X509_FLAG_NO_VALIDITY, 0},
{"no_subject", X509_FLAG_NO_SUBJECT, 0},
{"no_issuer", X509_FLAG_NO_ISSUER, 0},
{"no_pubkey", X509_FLAG_NO_PUBKEY, 0},
{"no_extensions", X509_FLAG_NO_EXTENSIONS, 0},
{"no_sigdump", X509_FLAG_NO_SIGDUMP, 0},
{"no_aux", X509_FLAG_NO_AUX, 0},
{"no_attributes", X509_FLAG_NO_ATTRIBUTES, 0},
{"ext_default", X509V3_EXT_DEFAULT, X509V3_EXT_UNKNOWN_MASK},
{"ext_error", X509V3_EXT_ERROR_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
{"ext_parse", X509V3_EXT_PARSE_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
{"ext_dump", X509V3_EXT_DUMP_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
{NULL, 0, 0}
};
return set_multi_opts(flags, arg, cert_tbl);
}
int set_name_ex(unsigned long *flags, const char *arg)
{
static const NAME_EX_TBL ex_tbl[] = {
{"esc_2253", ASN1_STRFLGS_ESC_2253, 0},
{"esc_2254", ASN1_STRFLGS_ESC_2254, 0},
{"esc_ctrl", ASN1_STRFLGS_ESC_CTRL, 0},
{"esc_msb", ASN1_STRFLGS_ESC_MSB, 0},
{"use_quote", ASN1_STRFLGS_ESC_QUOTE, 0},
{"utf8", ASN1_STRFLGS_UTF8_CONVERT, 0},
{"ignore_type", ASN1_STRFLGS_IGNORE_TYPE, 0},
{"show_type", ASN1_STRFLGS_SHOW_TYPE, 0},
{"dump_all", ASN1_STRFLGS_DUMP_ALL, 0},
{"dump_nostr", ASN1_STRFLGS_DUMP_UNKNOWN, 0},
{"dump_der", ASN1_STRFLGS_DUMP_DER, 0},
{"compat", XN_FLAG_COMPAT, 0xffffffffL},
{"sep_comma_plus", XN_FLAG_SEP_COMMA_PLUS, XN_FLAG_SEP_MASK},
{"sep_comma_plus_space", XN_FLAG_SEP_CPLUS_SPC, XN_FLAG_SEP_MASK},
{"sep_semi_plus_space", XN_FLAG_SEP_SPLUS_SPC, XN_FLAG_SEP_MASK},
{"sep_multiline", XN_FLAG_SEP_MULTILINE, XN_FLAG_SEP_MASK},
{"dn_rev", XN_FLAG_DN_REV, 0},
{"nofname", XN_FLAG_FN_NONE, XN_FLAG_FN_MASK},
{"sname", XN_FLAG_FN_SN, XN_FLAG_FN_MASK},
{"lname", XN_FLAG_FN_LN, XN_FLAG_FN_MASK},
{"align", XN_FLAG_FN_ALIGN, 0},
{"oid", XN_FLAG_FN_OID, XN_FLAG_FN_MASK},
{"space_eq", XN_FLAG_SPC_EQ, 0},
{"dump_unknown", XN_FLAG_DUMP_UNKNOWN_FIELDS, 0},
{"RFC2253", XN_FLAG_RFC2253, 0xffffffffL},
{"oneline", XN_FLAG_ONELINE, 0xffffffffL},
{"multiline", XN_FLAG_MULTILINE, 0xffffffffL},
{"ca_default", XN_FLAG_MULTILINE, 0xffffffffL},
{NULL, 0, 0}
};
if (set_multi_opts(flags, arg, ex_tbl) == 0)
return 0;
if (*flags != XN_FLAG_COMPAT
&& (*flags & XN_FLAG_SEP_MASK) == 0)
*flags |= XN_FLAG_SEP_CPLUS_SPC;
return 1;
}
int set_ext_copy(int *copy_type, const char *arg)
{
if (strcasecmp(arg, "none") == 0)
*copy_type = EXT_COPY_NONE;
else if (strcasecmp(arg, "copy") == 0)
*copy_type = EXT_COPY_ADD;
else if (strcasecmp(arg, "copyall") == 0)
*copy_type = EXT_COPY_ALL;
else
return 0;
return 1;
}
int copy_extensions(X509 *x, X509_REQ *req, int copy_type)
{
STACK_OF(X509_EXTENSION) *exts = NULL;
X509_EXTENSION *ext, *tmpext;
ASN1_OBJECT *obj;
int i, idx, ret = 0;
if (!x || !req || (copy_type == EXT_COPY_NONE))
return 1;
exts = X509_REQ_get_extensions(req);
for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
ext = sk_X509_EXTENSION_value(exts, i);
obj = X509_EXTENSION_get_object(ext);
idx = X509_get_ext_by_OBJ(x, obj, -1);
/* Does extension exist? */
if (idx != -1) {
/* If normal copy don't override existing extension */
if (copy_type == EXT_COPY_ADD)
continue;
/* Delete all extensions of same type */
do {
tmpext = X509_get_ext(x, idx);
X509_delete_ext(x, idx);
X509_EXTENSION_free(tmpext);
idx = X509_get_ext_by_OBJ(x, obj, -1);
} while (idx != -1);
}
if (!X509_add_ext(x, ext, -1))
goto end;
}
ret = 1;
end:
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
return ret;
}
static int set_multi_opts(unsigned long *flags, const char *arg,
const NAME_EX_TBL * in_tbl)
{
STACK_OF(CONF_VALUE) *vals;
CONF_VALUE *val;
int i, ret = 1;
if (!arg)
return 0;
vals = X509V3_parse_list(arg);
for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
val = sk_CONF_VALUE_value(vals, i);
if (!set_table_opts(flags, val->name, in_tbl))
ret = 0;
}
sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
return ret;
}
static int set_table_opts(unsigned long *flags, const char *arg,
const NAME_EX_TBL * in_tbl)
{
char c;
const NAME_EX_TBL *ptbl;
c = arg[0];
if (c == '-') {
c = 0;
arg++;
} else if (c == '+') {
c = 1;
arg++;
} else {
c = 1;
}
for (ptbl = in_tbl; ptbl->name; ptbl++) {
if (strcasecmp(arg, ptbl->name) == 0) {
*flags &= ~ptbl->mask;
if (c)
*flags |= ptbl->flag;
else
*flags &= ~ptbl->flag;
return 1;
}
}
return 0;
}
void print_name(BIO *out, const char *title, X509_NAME *nm,
unsigned long lflags)
{
char *buf;
char mline = 0;
int indent = 0;
if (title)
BIO_puts(out, title);
if ((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
mline = 1;
indent = 4;
}
if (lflags == XN_FLAG_COMPAT) {
buf = X509_NAME_oneline(nm, 0, 0);
BIO_puts(out, buf);
BIO_puts(out, "\n");
OPENSSL_free(buf);
} else {
if (mline)
BIO_puts(out, "\n");
X509_NAME_print_ex(out, nm, indent, lflags);
BIO_puts(out, "\n");
}
}
void print_bignum_var(BIO *out, const BIGNUM *in, const char *var,
int len, unsigned char *buffer)
{
BIO_printf(out, " static unsigned char %s_%d[] = {", var, len);
if (BN_is_zero(in)) {
BIO_printf(out, "\n 0x00");
} else {
int i, l;
l = BN_bn2bin(in, buffer);
for (i = 0; i < l; i++) {
BIO_printf(out, (i % 10) == 0 ? "\n " : " ");
if (i < l - 1)
BIO_printf(out, "0x%02X,", buffer[i]);
else
BIO_printf(out, "0x%02X", buffer[i]);
}
}
BIO_printf(out, "\n };\n");
}
void print_array(BIO *out, const char* title, int len, const unsigned char* d)
{
int i;
BIO_printf(out, "unsigned char %s[%d] = {", title, len);
for (i = 0; i < len; i++) {
if ((i % 10) == 0)
BIO_printf(out, "\n ");
if (i < len - 1)
BIO_printf(out, "0x%02X, ", d[i]);
else
BIO_printf(out, "0x%02X", d[i]);
}
BIO_printf(out, "\n};\n");
}
X509_STORE *setup_verify(const char *CAfile, const char *CApath, int noCAfile, int noCApath)
{
X509_STORE *store = X509_STORE_new();
X509_LOOKUP *lookup;
if (store == NULL)
goto end;
if (CAfile != NULL || !noCAfile) {
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
if (lookup == NULL)
goto end;
if (CAfile) {
if (!X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM)) {
BIO_printf(bio_err, "Error loading file %s\n", CAfile);
goto end;
}
} else {
X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
}
}
if (CApath != NULL || !noCApath) {
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
if (lookup == NULL)
goto end;
if (CApath) {
if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
BIO_printf(bio_err, "Error loading directory %s\n", CApath);
goto end;
}
} else {
X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
}
}
ERR_clear_error();
return store;
end:
X509_STORE_free(store);
return NULL;
}
#ifndef OPENSSL_NO_ENGINE
/* Try to load an engine in a shareable library */
static ENGINE *try_load_engine(const char *engine)
{
ENGINE *e = ENGINE_by_id("dynamic");
if (e) {
if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0)
|| !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) {
ENGINE_free(e);
e = NULL;
}
}
return e;
}
#endif
ENGINE *setup_engine(const char *engine, int debug)
{
ENGINE *e = NULL;
#ifndef OPENSSL_NO_ENGINE
if (engine != NULL) {
if (strcmp(engine, "auto") == 0) {
BIO_printf(bio_err, "enabling auto ENGINE support\n");
ENGINE_register_all_complete();
return NULL;
}
if ((e = ENGINE_by_id(engine)) == NULL
&& (e = try_load_engine(engine)) == NULL) {
BIO_printf(bio_err, "invalid engine \"%s\"\n", engine);
ERR_print_errors(bio_err);
return NULL;
}
if (debug) {
ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM, 0, bio_err, 0);
}
ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0, ui_method, 0, 1);
if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
BIO_printf(bio_err, "can't use that engine\n");
ERR_print_errors(bio_err);
ENGINE_free(e);
return NULL;
}
BIO_printf(bio_err, "engine \"%s\" set.\n", ENGINE_get_id(e));
}
#endif
return e;
}
void release_engine(ENGINE *e)
{
#ifndef OPENSSL_NO_ENGINE
if (e != NULL)
/* Free our "structural" reference. */
ENGINE_free(e);
#endif
}
static unsigned long index_serial_hash(const OPENSSL_CSTRING *a)
{
const char *n;
n = a[DB_serial];
while (*n == '0')
n++;
return OPENSSL_LH_strhash(n);
}
static int index_serial_cmp(const OPENSSL_CSTRING *a,
const OPENSSL_CSTRING *b)
{
const char *aa, *bb;
for (aa = a[DB_serial]; *aa == '0'; aa++) ;
for (bb = b[DB_serial]; *bb == '0'; bb++) ;
return strcmp(aa, bb);
}
static int index_name_qual(char **a)
{
return (a[0][0] == 'V');
}
static unsigned long index_name_hash(const OPENSSL_CSTRING *a)
{
return OPENSSL_LH_strhash(a[DB_name]);
}
int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b)
{
return strcmp(a[DB_name], b[DB_name]);
}
static IMPLEMENT_LHASH_HASH_FN(index_serial, OPENSSL_CSTRING)
static IMPLEMENT_LHASH_COMP_FN(index_serial, OPENSSL_CSTRING)
static IMPLEMENT_LHASH_HASH_FN(index_name, OPENSSL_CSTRING)
static IMPLEMENT_LHASH_COMP_FN(index_name, OPENSSL_CSTRING)
#undef BSIZE
#define BSIZE 256
BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai)
{
BIO *in = NULL;
BIGNUM *ret = NULL;
char buf[1024];
ASN1_INTEGER *ai = NULL;
ai = ASN1_INTEGER_new();
if (ai == NULL)
goto err;
in = BIO_new_file(serialfile, "r");
if (in == NULL) {
if (!create) {
perror(serialfile);
goto err;
}
ERR_clear_error();
ret = BN_new();
if (ret == NULL || !rand_serial(ret, ai))
BIO_printf(bio_err, "Out of memory\n");
} else {
if (!a2i_ASN1_INTEGER(in, ai, buf, 1024)) {
BIO_printf(bio_err, "unable to load number from %s\n",
serialfile);
goto err;
}
ret = ASN1_INTEGER_to_BN(ai, NULL);
if (ret == NULL) {
BIO_printf(bio_err,
"error converting number from bin to BIGNUM\n");
goto err;
}
}
if (ret && retai) {
*retai = ai;
ai = NULL;
}
err:
BIO_free(in);
ASN1_INTEGER_free(ai);
return ret;
}
int save_serial(const char *serialfile, const char *suffix, const BIGNUM *serial,
ASN1_INTEGER **retai)
{
char buf[1][BSIZE];
BIO *out = NULL;
int ret = 0;
ASN1_INTEGER *ai = NULL;
int j;
if (suffix == NULL)
j = strlen(serialfile);
else
j = strlen(serialfile) + strlen(suffix) + 1;
if (j >= BSIZE) {
BIO_printf(bio_err, "file name too long\n");
goto err;
}
if (suffix == NULL)
OPENSSL_strlcpy(buf[0], serialfile, BSIZE);
else {
#ifndef OPENSSL_SYS_VMS
j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s.%s", serialfile, suffix);
#else
j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s-%s", serialfile, suffix);
#endif
}
out = BIO_new_file(buf[0], "w");
if (out == NULL) {
ERR_print_errors(bio_err);
goto err;
}
if ((ai = BN_to_ASN1_INTEGER(serial, NULL)) == NULL) {
BIO_printf(bio_err, "error converting serial to ASN.1 format\n");
goto err;
}
i2a_ASN1_INTEGER(out, ai);
BIO_puts(out, "\n");
ret = 1;
if (retai) {
*retai = ai;
ai = NULL;
}
err:
BIO_free_all(out);
ASN1_INTEGER_free(ai);
return ret;
}
int rotate_serial(const char *serialfile, const char *new_suffix,
const char *old_suffix)
{
char buf[2][BSIZE];
int i, j;
i = strlen(serialfile) + strlen(old_suffix);
j = strlen(serialfile) + strlen(new_suffix);
if (i > j)
j = i;
if (j + 1 >= BSIZE) {
BIO_printf(bio_err, "file name too long\n");
goto err;
}
#ifndef OPENSSL_SYS_VMS
j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s.%s", serialfile, new_suffix);
j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s.%s", serialfile, old_suffix);
#else
j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s-%s", serialfile, new_suffix);
j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s-%s", serialfile, old_suffix);
#endif
if (rename(serialfile, buf[1]) < 0 && errno != ENOENT
#ifdef ENOTDIR
&& errno != ENOTDIR
#endif
) {
BIO_printf(bio_err,
"unable to rename %s to %s\n", serialfile, buf[1]);
perror("reason");
goto err;
}
if (rename(buf[0], serialfile) < 0) {
BIO_printf(bio_err,
"unable to rename %s to %s\n", buf[0], serialfile);
perror("reason");
rename(buf[1], serialfile);
goto err;
}
return 1;
err:
return 0;
}
int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
{
BIGNUM *btmp;
int ret = 0;
btmp = b == NULL ? BN_new() : b;
if (btmp == NULL)
return 0;
if (!BN_rand(btmp, SERIAL_RAND_BITS, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY))
goto error;
if (ai && !BN_to_ASN1_INTEGER(btmp, ai))
goto error;
ret = 1;
error:
if (btmp != b)
BN_free(btmp);
return ret;
}
CA_DB *load_index(const char *dbfile, DB_ATTR *db_attr)
{
CA_DB *retdb = NULL;
TXT_DB *tmpdb = NULL;
BIO *in;
CONF *dbattr_conf = NULL;
char buf[BSIZE];
#ifndef OPENSSL_NO_POSIX_IO
FILE *dbfp;
struct stat dbst;
#endif
in = BIO_new_file(dbfile, "r");
if (in == NULL) {
ERR_print_errors(bio_err);
goto err;
}
#ifndef OPENSSL_NO_POSIX_IO
BIO_get_fp(in, &dbfp);
if (fstat(fileno(dbfp), &dbst) == -1) {
SYSerr(SYS_F_FSTAT, errno);
ERR_add_error_data(3, "fstat('", dbfile, "')");
ERR_print_errors(bio_err);
goto err;
}
#endif
if ((tmpdb = TXT_DB_read(in, DB_NUMBER)) == NULL)
goto err;
#ifndef OPENSSL_SYS_VMS
BIO_snprintf(buf, sizeof(buf), "%s.attr", dbfile);
#else
BIO_snprintf(buf, sizeof(buf), "%s-attr", dbfile);
#endif
dbattr_conf = app_load_config_quiet(buf);
retdb = app_malloc(sizeof(*retdb), "new DB");
retdb->db = tmpdb;
tmpdb = NULL;
if (db_attr)
retdb->attributes = *db_attr;
else {
retdb->attributes.unique_subject = 1;
}
if (dbattr_conf) {
char *p = NCONF_get_string(dbattr_conf, NULL, "unique_subject");
if (p) {
retdb->attributes.unique_subject = parse_yesno(p, 1);
}
}
retdb->dbfname = OPENSSL_strdup(dbfile);
#ifndef OPENSSL_NO_POSIX_IO
retdb->dbst = dbst;
#endif
err:
NCONF_free(dbattr_conf);
TXT_DB_free(tmpdb);
BIO_free_all(in);
return retdb;
}
/*
* Returns > 0 on success, <= 0 on error
*/
int index_index(CA_DB *db)
{
if (!TXT_DB_create_index(db->db, DB_serial, NULL,
LHASH_HASH_FN(index_serial),
LHASH_COMP_FN(index_serial))) {
BIO_printf(bio_err,
"error creating serial number index:(%ld,%ld,%ld)\n",
db->db->error, db->db->arg1, db->db->arg2);
return 0;
}
if (db->attributes.unique_subject
&& !TXT_DB_create_index(db->db, DB_name, index_name_qual,
LHASH_HASH_FN(index_name),
LHASH_COMP_FN(index_name))) {
BIO_printf(bio_err, "error creating name index:(%ld,%ld,%ld)\n",
db->db->error, db->db->arg1, db->db->arg2);
return 0;
}
return 1;
}
int save_index(const char *dbfile, const char *suffix, CA_DB *db)
{
char buf[3][BSIZE];
BIO *out;
int j;
j = strlen(dbfile) + strlen(suffix);
if (j + 6 >= BSIZE) {
BIO_printf(bio_err, "file name too long\n");
goto err;
}
#ifndef OPENSSL_SYS_VMS
j = BIO_snprintf(buf[2], sizeof(buf[2]), "%s.attr", dbfile);
j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s.attr.%s", dbfile, suffix);
j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s.%s", dbfile, suffix);
#else
j = BIO_snprintf(buf[2], sizeof(buf[2]), "%s-attr", dbfile);
j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s-attr-%s", dbfile, suffix);
j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s-%s", dbfile, suffix);
#endif
out = BIO_new_file(buf[0], "w");
if (out == NULL) {
perror(dbfile);
BIO_printf(bio_err, "unable to open '%s'\n", dbfile);
goto err;
}
j = TXT_DB_write(out, db->db);
BIO_free(out);
if (j <= 0)
goto err;
out = BIO_new_file(buf[1], "w");
if (out == NULL) {
perror(buf[2]);
BIO_printf(bio_err, "unable to open '%s'\n", buf[2]);
goto err;
}
BIO_printf(out, "unique_subject = %s\n",
db->attributes.unique_subject ? "yes" : "no");
BIO_free(out);
return 1;
err:
return 0;
}
int rotate_index(const char *dbfile, const char *new_suffix,
const char *old_suffix)
{
char buf[5][BSIZE];
int i, j;
i = strlen(dbfile) + strlen(old_suffix);
j = strlen(dbfile) + strlen(new_suffix);
if (i > j)
j = i;
if (j + 6 >= BSIZE) {
BIO_printf(bio_err, "file name too long\n");
goto err;
}
#ifndef OPENSSL_SYS_VMS
j = BIO_snprintf(buf[4], sizeof(buf[4]), "%s.attr", dbfile);
j = BIO_snprintf(buf[3], sizeof(buf[3]), "%s.attr.%s", dbfile, old_suffix);
j = BIO_snprintf(buf[2], sizeof(buf[2]), "%s.attr.%s", dbfile, new_suffix);
j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s.%s", dbfile, old_suffix);
j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s.%s", dbfile, new_suffix);
#else
j = BIO_snprintf(buf[4], sizeof(buf[4]), "%s-attr", dbfile);
j = BIO_snprintf(buf[3], sizeof(buf[3]), "%s-attr-%s", dbfile, old_suffix);
j = BIO_snprintf(buf[2], sizeof(buf[2]), "%s-attr-%s", dbfile, new_suffix);
j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s-%s", dbfile, old_suffix);
j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s-%s", dbfile, new_suffix);
#endif
if (rename(dbfile, buf[1]) < 0 && errno != ENOENT
#ifdef ENOTDIR
&& errno != ENOTDIR
#endif
) {
BIO_printf(bio_err, "unable to rename %s to %s\n", dbfile, buf[1]);
perror("reason");
goto err;
}
if (rename(buf[0], dbfile) < 0) {
BIO_printf(bio_err, "unable to rename %s to %s\n", buf[0], dbfile);
perror("reason");
rename(buf[1], dbfile);
goto err;
}
if (rename(buf[4], buf[3]) < 0 && errno != ENOENT
#ifdef ENOTDIR
&& errno != ENOTDIR
#endif
) {
BIO_printf(bio_err, "unable to rename %s to %s\n", buf[4], buf[3]);
perror("reason");
rename(dbfile, buf[0]);
rename(buf[1], dbfile);
goto err;
}
if (rename(buf[2], buf[4]) < 0) {
BIO_printf(bio_err, "unable to rename %s to %s\n", buf[2], buf[4]);
perror("reason");
rename(buf[3], buf[4]);
rename(dbfile, buf[0]);
rename(buf[1], dbfile);
goto err;
}
return 1;
err:
return 0;
}
void free_index(CA_DB *db)
{
if (db) {
TXT_DB_free(db->db);
OPENSSL_free(db->dbfname);
OPENSSL_free(db);
}
}
int parse_yesno(const char *str, int def)
{
if (str) {
switch (*str) {
case 'f': /* false */
case 'F': /* FALSE */
case 'n': /* no */
case 'N': /* NO */
case '0': /* 0 */
return 0;
case 't': /* true */
case 'T': /* TRUE */
case 'y': /* yes */
case 'Y': /* YES */
case '1': /* 1 */
return 1;
}
}
return def;
}
/*
* name is expected to be in the format /type0=value0/type1=value1/type2=...
* where characters may be escaped by \
*/
X509_NAME *parse_name(const char *cp, long chtype, int canmulti)
{
int nextismulti = 0;
char *work;
X509_NAME *n;
if (*cp++ != '/') {
BIO_printf(bio_err,
"name is expected to be in the format "
"/type0=value0/type1=value1/type2=... where characters may "
"be escaped by \\. This name is not in that format: '%s'\n",
--cp);
return NULL;
}
n = X509_NAME_new();
if (n == NULL)
return NULL;
work = OPENSSL_strdup(cp);
if (work == NULL)
goto err;
while (*cp) {
char *bp = work;
char *typestr = bp;
unsigned char *valstr;
int nid;
int ismulti = nextismulti;
nextismulti = 0;
/* Collect the type */
while (*cp && *cp != '=')
*bp++ = *cp++;
if (*cp == '\0') {
BIO_printf(bio_err,
"%s: Hit end of string before finding the equals.\n",
opt_getprog());
goto err;
}
*bp++ = '\0';
++cp;
/* Collect the value. */
valstr = (unsigned char *)bp;
for (; *cp && *cp != '/'; *bp++ = *cp++) {
if (canmulti && *cp == '+') {
nextismulti = 1;
break;
}
if (*cp == '\\' && *++cp == '\0') {
BIO_printf(bio_err,
"%s: escape character at end of string\n",
opt_getprog());
goto err;
}
}
*bp++ = '\0';
/* If not at EOS (must be + or /), move forward. */
if (*cp)
++cp;
/* Parse */
nid = OBJ_txt2nid(typestr);
if (nid == NID_undef) {
BIO_printf(bio_err, "%s: Skipping unknown attribute \"%s\"\n",
opt_getprog(), typestr);
continue;
}
if (*valstr == '\0') {
BIO_printf(bio_err,
"%s: No value provided for Subject Attribute %s, skipped\n",
opt_getprog(), typestr);
continue;
}
if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
valstr, strlen((char *)valstr),
-1, ismulti ? -1 : 0))
goto err;
}
OPENSSL_free(work);
return n;
err:
X509_NAME_free(n);
OPENSSL_free(work);
return NULL;
}
/*
* Read whole contents of a BIO into an allocated memory buffer and return
* it.
*/
int bio_to_mem(unsigned char **out, int maxlen, BIO *in)
{
BIO *mem;
int len, ret;
unsigned char tbuf[1024];
mem = BIO_new(BIO_s_mem());
if (mem == NULL)
return -1;
for (;;) {
if ((maxlen != -1) && maxlen < 1024)
len = maxlen;
else
len = 1024;
len = BIO_read(in, tbuf, len);
if (len < 0) {
BIO_free(mem);
return -1;
}
if (len == 0)
break;
if (BIO_write(mem, tbuf, len) != len) {
BIO_free(mem);
return -1;
}
maxlen -= len;
if (maxlen == 0)
break;
}
ret = BIO_get_mem_data(mem, (char **)out);
BIO_set_flags(mem, BIO_FLAGS_MEM_RDONLY);
BIO_free(mem);
return ret;
}
int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value)
{
int rv;
char *stmp, *vtmp = NULL;
stmp = OPENSSL_strdup(value);
if (!stmp)
return -1;
vtmp = strchr(stmp, ':');
if (vtmp) {
*vtmp = 0;
vtmp++;
}
rv = EVP_PKEY_CTX_ctrl_str(ctx, stmp, vtmp);
OPENSSL_free(stmp);
return rv;
}
static void nodes_print(const char *name, STACK_OF(X509_POLICY_NODE) *nodes)
{
X509_POLICY_NODE *node;
int i;
BIO_printf(bio_err, "%s Policies:", name);
if (nodes) {
BIO_puts(bio_err, "\n");
for (i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++) {
node = sk_X509_POLICY_NODE_value(nodes, i);
X509_POLICY_NODE_print(bio_err, node, 2);
}
} else {
BIO_puts(bio_err, " <empty>\n");
}
}
void policies_print(X509_STORE_CTX *ctx)
{
X509_POLICY_TREE *tree;
int explicit_policy;
tree = X509_STORE_CTX_get0_policy_tree(ctx);
explicit_policy = X509_STORE_CTX_get_explicit_policy(ctx);
BIO_printf(bio_err, "Require explicit Policy: %s\n",
explicit_policy ? "True" : "False");
nodes_print("Authority", X509_policy_tree_get0_policies(tree));
nodes_print("User", X509_policy_tree_get0_user_policies(tree));
}
/*-
* next_protos_parse parses a comma separated list of strings into a string
* in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
* outlen: (output) set to the length of the resulting buffer on success.
* err: (maybe NULL) on failure, an error message line is written to this BIO.
* in: a NUL terminated string like "abc,def,ghi"
*
* returns: a malloc'd buffer or NULL on failure.
*/
unsigned char *next_protos_parse(size_t *outlen, const char *in)
{
size_t len;
unsigned char *out;
size_t i, start = 0;
size_t skipped = 0;
len = strlen(in);
if (len == 0 || len >= 65535)
return NULL;
out = app_malloc(len + 1, "NPN buffer");
for (i = 0; i <= len; ++i) {
if (i == len || in[i] == ',') {
/*
* Zero-length ALPN elements are invalid on the wire, we could be
* strict and reject the entire string, but just ignoring extra
* commas seems harmless and more friendly.
*
* Every comma we skip in this way puts the input buffer another
* byte ahead of the output buffer, so all stores into the output
* buffer need to be decremented by the number commas skipped.
*/
if (i == start) {
++start;
++skipped;
continue;
}
if (i - start > 255) {
OPENSSL_free(out);
return NULL;
}
out[start-skipped] = (unsigned char)(i - start);
start = i + 1;
} else {
out[i + 1 - skipped] = in[i];
}
}
if (len <= skipped) {
OPENSSL_free(out);
return NULL;
}
*outlen = len + 1 - skipped;
return out;
}
void print_cert_checks(BIO *bio, X509 *x,
const char *checkhost,
const char *checkemail, const char *checkip)
{
if (x == NULL)
return;
if (checkhost) {
BIO_printf(bio, "Hostname %s does%s match certificate\n",
checkhost,
X509_check_host(x, checkhost, 0, 0, NULL) == 1
? "" : " NOT");
}
if (checkemail) {
BIO_printf(bio, "Email %s does%s match certificate\n",
checkemail, X509_check_email(x, checkemail, 0, 0)
? "" : " NOT");
}
if (checkip) {
BIO_printf(bio, "IP %s does%s match certificate\n",
checkip, X509_check_ip_asc(x, checkip, 0) ? "" : " NOT");
}
}
/* Get first http URL from a DIST_POINT structure */
static const char *get_dp_url(DIST_POINT *dp)
{
GENERAL_NAMES *gens;
GENERAL_NAME *gen;
int i, gtype;
ASN1_STRING *uri;
if (!dp->distpoint || dp->distpoint->type != 0)
return NULL;
gens = dp->distpoint->name.fullname;
for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
gen = sk_GENERAL_NAME_value(gens, i);
uri = GENERAL_NAME_get0_value(gen, &gtype);
if (gtype == GEN_URI && ASN1_STRING_length(uri) > 6) {
const char *uptr = (const char *)ASN1_STRING_get0_data(uri);
if (strncmp(uptr, "http://", 7) == 0)
return uptr;
}
}
return NULL;
}
/*
* Look through a CRLDP structure and attempt to find an http URL to
* downloads a CRL from.
*/
static X509_CRL *load_crl_crldp(STACK_OF(DIST_POINT) *crldp)
{
int i;
const char *urlptr = NULL;
for (i = 0; i < sk_DIST_POINT_num(crldp); i++) {
DIST_POINT *dp = sk_DIST_POINT_value(crldp, i);
urlptr = get_dp_url(dp);
if (urlptr)
return load_crl(urlptr, FORMAT_HTTP);
}
return NULL;
}
/*
* Example of downloading CRLs from CRLDP: not usable for real world as it
* always downloads, doesn't support non-blocking I/O and doesn't cache
* anything.
*/
static STACK_OF(X509_CRL) *crls_http_cb(X509_STORE_CTX *ctx, X509_NAME *nm)
{
X509 *x;
STACK_OF(X509_CRL) *crls = NULL;
X509_CRL *crl;
STACK_OF(DIST_POINT) *crldp;
crls = sk_X509_CRL_new_null();
if (!crls)
return NULL;
x = X509_STORE_CTX_get_current_cert(ctx);
crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
crl = load_crl_crldp(crldp);
sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);
if (!crl) {
sk_X509_CRL_free(crls);
return NULL;
}
sk_X509_CRL_push(crls, crl);
/* Try to download delta CRL */
crldp = X509_get_ext_d2i(x, NID_freshest_crl, NULL, NULL);
crl = load_crl_crldp(crldp);
sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);
if (crl)
sk_X509_CRL_push(crls, crl);
return crls;
}
void store_setup_crl_download(X509_STORE *st)
{
X509_STORE_set_lookup_crls_cb(st, crls_http_cb);
}
/*
* Platform-specific sections
*/
#if defined(_WIN32)
# ifdef fileno
# undef fileno
# define fileno(a) (int)_fileno(a)
# endif
# include <windows.h>
# include <tchar.h>
static int WIN32_rename(const char *from, const char *to)
{
TCHAR *tfrom = NULL, *tto;
DWORD err;
int ret = 0;
if (sizeof(TCHAR) == 1) {
tfrom = (TCHAR *)from;
tto = (TCHAR *)to;
} else { /* UNICODE path */
size_t i, flen = strlen(from) + 1, tlen = strlen(to) + 1;
tfrom = malloc(sizeof(*tfrom) * (flen + tlen));
if (tfrom == NULL)
goto err;
tto = tfrom + flen;
# if !defined(_WIN32_WCE) || _WIN32_WCE>=101
if (!MultiByteToWideChar(CP_ACP, 0, from, flen, (WCHAR *)tfrom, flen))
# endif
for (i = 0; i < flen; i++)
tfrom[i] = (TCHAR)from[i];
# if !defined(_WIN32_WCE) || _WIN32_WCE>=101
if (!MultiByteToWideChar(CP_ACP, 0, to, tlen, (WCHAR *)tto, tlen))
# endif
for (i = 0; i < tlen; i++)
tto[i] = (TCHAR)to[i];
}
if (MoveFile(tfrom, tto))
goto ok;
err = GetLastError();
if (err == ERROR_ALREADY_EXISTS || err == ERROR_FILE_EXISTS) {
if (DeleteFile(tto) && MoveFile(tfrom, tto))
goto ok;
err = GetLastError();
}
if (err == ERROR_FILE_NOT_FOUND || err == ERROR_PATH_NOT_FOUND)
errno = ENOENT;
else if (err == ERROR_ACCESS_DENIED)
errno = EACCES;
else
errno = EINVAL; /* we could map more codes... */
err:
ret = -1;
ok:
if (tfrom != NULL && tfrom != (TCHAR *)from)
free(tfrom);
return ret;
}
#endif
/* app_tminterval section */
#if defined(_WIN32)
double app_tminterval(int stop, int usertime)
{
FILETIME now;
double ret = 0;
static ULARGE_INTEGER tmstart;
static int warning = 1;
# ifdef _WIN32_WINNT
static HANDLE proc = NULL;
if (proc == NULL) {
if (check_winnt())
proc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE,
GetCurrentProcessId());
if (proc == NULL)
proc = (HANDLE) - 1;
}
if (usertime && proc != (HANDLE) - 1) {
FILETIME junk;
GetProcessTimes(proc, &junk, &junk, &junk, &now);
} else
# endif
{
SYSTEMTIME systime;
if (usertime && warning) {
BIO_printf(bio_err, "To get meaningful results, run "
"this program on idle system.\n");
warning = 0;
}
GetSystemTime(&systime);
SystemTimeToFileTime(&systime, &now);
}
if (stop == TM_START) {
tmstart.u.LowPart = now.dwLowDateTime;
tmstart.u.HighPart = now.dwHighDateTime;
} else {
ULARGE_INTEGER tmstop;
tmstop.u.LowPart = now.dwLowDateTime;
tmstop.u.HighPart = now.dwHighDateTime;
ret = (__int64)(tmstop.QuadPart - tmstart.QuadPart) * 1e-7;
}
return ret;
}
#elif defined(OPENSSL_SYS_VXWORKS)
# include <time.h>
double app_tminterval(int stop, int usertime)
{
double ret = 0;
# ifdef CLOCK_REALTIME
static struct timespec tmstart;
struct timespec now;
# else
static unsigned long tmstart;
unsigned long now;
# endif
static int warning = 1;
if (usertime && warning) {
BIO_printf(bio_err, "To get meaningful results, run "
"this program on idle system.\n");
warning = 0;
}
# ifdef CLOCK_REALTIME
clock_gettime(CLOCK_REALTIME, &now);
if (stop == TM_START)
tmstart = now;
else
ret = ((now.tv_sec + now.tv_nsec * 1e-9)
- (tmstart.tv_sec + tmstart.tv_nsec * 1e-9));
# else
now = tickGet();
if (stop == TM_START)
tmstart = now;
else
ret = (now - tmstart) / (double)sysClkRateGet();
# endif
return ret;
}
#elif defined(OPENSSL_SYSTEM_VMS)
# include <time.h>
# include <times.h>
double app_tminterval(int stop, int usertime)
{
static clock_t tmstart;
double ret = 0;
clock_t now;
# ifdef __TMS
struct tms rus;
now = times(&rus);
if (usertime)
now = rus.tms_utime;
# else
if (usertime)
now = clock(); /* sum of user and kernel times */
else {
struct timeval tv;
gettimeofday(&tv, NULL);
now = (clock_t)((unsigned long long)tv.tv_sec * CLK_TCK +
(unsigned long long)tv.tv_usec * (1000000 / CLK_TCK)
);
}
# endif
if (stop == TM_START)
tmstart = now;
else
ret = (now - tmstart) / (double)(CLK_TCK);
return ret;
}
#elif defined(_SC_CLK_TCK) /* by means of unistd.h */
# include <sys/times.h>
double app_tminterval(int stop, int usertime)
{
double ret = 0;
struct tms rus;
clock_t now = times(&rus);
static clock_t tmstart;
if (usertime)
now = rus.tms_utime;
if (stop == TM_START) {
tmstart = now;
} else {
long int tck = sysconf(_SC_CLK_TCK);
ret = (now - tmstart) / (double)tck;
}
return ret;
}
#else
# include <sys/time.h>
# include <sys/resource.h>
double app_tminterval(int stop, int usertime)
{
double ret = 0;
struct rusage rus;
struct timeval now;
static struct timeval tmstart;
if (usertime)
getrusage(RUSAGE_SELF, &rus), now = rus.ru_utime;
else
gettimeofday(&now, NULL);
if (stop == TM_START)
tmstart = now;
else
ret = ((now.tv_sec + now.tv_usec * 1e-6)
- (tmstart.tv_sec + tmstart.tv_usec * 1e-6));
return ret;
}
#endif
int app_access(const char* name, int flag)
{
#ifdef _WIN32
return _access(name, flag);
#else
return access(name, flag);
#endif
}
/* app_isdir section */
#ifdef _WIN32
int app_isdir(const char *name)
{
DWORD attr;
# if defined(UNICODE) || defined(_UNICODE)
size_t i, len_0 = strlen(name) + 1;
WCHAR tempname[MAX_PATH];
if (len_0 > MAX_PATH)
return -1;
# if !defined(_WIN32_WCE) || _WIN32_WCE>=101
if (!MultiByteToWideChar(CP_ACP, 0, name, len_0, tempname, MAX_PATH))
# endif
for (i = 0; i < len_0; i++)
tempname[i] = (WCHAR)name[i];
attr = GetFileAttributes(tempname);
# else
attr = GetFileAttributes(name);
# endif
if (attr == INVALID_FILE_ATTRIBUTES)
return -1;
return ((attr & FILE_ATTRIBUTE_DIRECTORY) != 0);
}
#else
# include <sys/stat.h>
# ifndef S_ISDIR
# if defined(_S_IFMT) && defined(_S_IFDIR)
# define S_ISDIR(a) (((a) & _S_IFMT) == _S_IFDIR)
# else
# define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR)
# endif
# endif
int app_isdir(const char *name)
{
# if defined(S_ISDIR)
struct stat st;
if (stat(name, &st) == 0)
return S_ISDIR(st.st_mode);
else
return -1;
# else
return -1;
# endif
}
#endif
/* raw_read|write section */
#if defined(__VMS)
# include "vms_term_sock.h"
static int stdin_sock = -1;
static void close_stdin_sock(void)
{
TerminalSocket (TERM_SOCK_DELETE, &stdin_sock);
}
int fileno_stdin(void)
{
if (stdin_sock == -1) {
TerminalSocket(TERM_SOCK_CREATE, &stdin_sock);
atexit(close_stdin_sock);
}
return stdin_sock;
}
#else
int fileno_stdin(void)
{
return fileno(stdin);
}
#endif
int fileno_stdout(void)
{
return fileno(stdout);
}
#if defined(_WIN32) && defined(STD_INPUT_HANDLE)
int raw_read_stdin(void *buf, int siz)
{
DWORD n;
if (ReadFile(GetStdHandle(STD_INPUT_HANDLE), buf, siz, &n, NULL))
return n;
else
return -1;
}
#elif defined(__VMS)
# include <sys/socket.h>
int raw_read_stdin(void *buf, int siz)
{
return recv(fileno_stdin(), buf, siz, 0);
}
#else
int raw_read_stdin(void *buf, int siz)
{
return read(fileno_stdin(), buf, siz);
}
#endif
#if defined(_WIN32) && defined(STD_OUTPUT_HANDLE)
int raw_write_stdout(const void *buf, int siz)
{
DWORD n;
if (WriteFile(GetStdHandle(STD_OUTPUT_HANDLE), buf, siz, &n, NULL))
return n;
else
return -1;
}
#else
int raw_write_stdout(const void *buf, int siz)
{
return write(fileno_stdout(), buf, siz);
}
#endif
/*
* Centralized handling if input and output files with format specification
* The format is meant to show what the input and output is supposed to be,
* and is therefore a show of intent more than anything else. However, it
* does impact behavior on some platform, such as differentiating between
* text and binary input/output on non-Unix platforms
*/
static int istext(int format)
{
return (format & B_FORMAT_TEXT) == B_FORMAT_TEXT;
}
BIO *dup_bio_in(int format)
{
return BIO_new_fp(stdin,
BIO_NOCLOSE | (istext(format) ? BIO_FP_TEXT : 0));
}
static BIO_METHOD *prefix_method = NULL;
BIO *dup_bio_out(int format)
{
BIO *b = BIO_new_fp(stdout,
BIO_NOCLOSE | (istext(format) ? BIO_FP_TEXT : 0));
void *prefix = NULL;
#ifdef OPENSSL_SYS_VMS
if (istext(format))
b = BIO_push(BIO_new(BIO_f_linebuffer()), b);
#endif
if (istext(format) && (prefix = getenv("HARNESS_OSSL_PREFIX")) != NULL) {
if (prefix_method == NULL)
prefix_method = apps_bf_prefix();
b = BIO_push(BIO_new(prefix_method), b);
BIO_ctrl(b, PREFIX_CTRL_SET_PREFIX, 0, prefix);
}
return b;
}
BIO *dup_bio_err(int format)
{
BIO *b = BIO_new_fp(stderr,
BIO_NOCLOSE | (istext(format) ? BIO_FP_TEXT : 0));
#ifdef OPENSSL_SYS_VMS
if (istext(format))
b = BIO_push(BIO_new(BIO_f_linebuffer()), b);
#endif
return b;
}
void destroy_prefix_method(void)
{
BIO_meth_free(prefix_method);
prefix_method = NULL;
}
void unbuffer(FILE *fp)
{
/*
* On VMS, setbuf() will only take 32-bit pointers, and a compilation
* with /POINTER_SIZE=64 will give off a MAYLOSEDATA2 warning here.
* However, we trust that the C RTL will never give us a FILE pointer
* above the first 4 GB of memory, so we simply turn off the warning
* temporarily.
*/
#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
# pragma environment save
# pragma message disable maylosedata2
#endif
setbuf(fp, NULL);
#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
# pragma environment restore
#endif
}
static const char *modestr(char mode, int format)
{
OPENSSL_assert(mode == 'a' || mode == 'r' || mode == 'w');
switch (mode) {
case 'a':
return istext(format) ? "a" : "ab";
case 'r':
return istext(format) ? "r" : "rb";
case 'w':
return istext(format) ? "w" : "wb";
}
/* The assert above should make sure we never reach this point */
return NULL;
}
static const char *modeverb(char mode)
{
switch (mode) {
case 'a':
return "appending";
case 'r':
return "reading";
case 'w':
return "writing";
}
return "(doing something)";
}
/*
* Open a file for writing, owner-read-only.
*/
BIO *bio_open_owner(const char *filename, int format, int private)
{
FILE *fp = NULL;
BIO *b = NULL;
int fd = -1, bflags, mode, textmode;
if (!private || filename == NULL || strcmp(filename, "-") == 0)
return bio_open_default(filename, 'w', format);
mode = O_WRONLY;
#ifdef O_CREAT
mode |= O_CREAT;
#endif
#ifdef O_TRUNC
mode |= O_TRUNC;
#endif
textmode = istext(format);
if (!textmode) {
#ifdef O_BINARY
mode |= O_BINARY;
#elif defined(_O_BINARY)
mode |= _O_BINARY;
#endif
}
#ifdef OPENSSL_SYS_VMS
/* VMS doesn't have O_BINARY, it just doesn't make sense. But,
* it still needs to know that we're going binary, or fdopen()
* will fail with "invalid argument"... so we tell VMS what the
* context is.
*/
if (!textmode)
fd = open(filename, mode, 0600, "ctx=bin");
else
#endif
fd = open(filename, mode, 0600);
if (fd < 0)
goto err;
fp = fdopen(fd, modestr('w', format));
if (fp == NULL)
goto err;
bflags = BIO_CLOSE;
if (textmode)
bflags |= BIO_FP_TEXT;
b = BIO_new_fp(fp, bflags);
if (b)
return b;
err:
BIO_printf(bio_err, "%s: Can't open \"%s\" for writing, %s\n",
opt_getprog(), filename, strerror(errno));
ERR_print_errors(bio_err);
/* If we have fp, then fdopen took over fd, so don't close both. */
if (fp)
fclose(fp);
else if (fd >= 0)
close(fd);
return NULL;
}
static BIO *bio_open_default_(const char *filename, char mode, int format,
int quiet)
{
BIO *ret;
if (filename == NULL || strcmp(filename, "-") == 0) {
ret = mode == 'r' ? dup_bio_in(format) : dup_bio_out(format);
if (quiet) {
ERR_clear_error();
return ret;
}
if (ret != NULL)
return ret;
BIO_printf(bio_err,
"Can't open %s, %s\n",
mode == 'r' ? "stdin" : "stdout", strerror(errno));
} else {
ret = BIO_new_file(filename, modestr(mode, format));
if (quiet) {
ERR_clear_error();
return ret;
}
if (ret != NULL)
return ret;
BIO_printf(bio_err,
"Can't open %s for %s, %s\n",
filename, modeverb(mode), strerror(errno));
}
ERR_print_errors(bio_err);
return NULL;
}
BIO *bio_open_default(const char *filename, char mode, int format)
{
return bio_open_default_(filename, mode, format, 0);
}
BIO *bio_open_default_quiet(const char *filename, char mode, int format)
{
return bio_open_default_(filename, mode, format, 1);
}
void wait_for_async(SSL *s)
{
/* On Windows select only works for sockets, so we simply don't wait */
#ifndef OPENSSL_SYS_WINDOWS
int width = 0;
fd_set asyncfds;
OSSL_ASYNC_FD *fds;
size_t numfds;
size_t i;
if (!SSL_get_all_async_fds(s, NULL, &numfds))
return;
if (numfds == 0)
return;
fds = app_malloc(sizeof(OSSL_ASYNC_FD) * numfds, "allocate async fds");
if (!SSL_get_all_async_fds(s, fds, &numfds)) {
OPENSSL_free(fds);
return;
}
FD_ZERO(&asyncfds);
for (i = 0; i < numfds; i++) {
if (width <= (int)fds[i])
width = (int)fds[i] + 1;
openssl_fdset((int)fds[i], &asyncfds);
}
select(width, (void *)&asyncfds, NULL, NULL, NULL);
OPENSSL_free(fds);
#endif
}
/* if OPENSSL_SYS_WINDOWS is defined then so is OPENSSL_SYS_MSDOS */
#if defined(OPENSSL_SYS_MSDOS)
int has_stdin_waiting(void)
{
# if defined(OPENSSL_SYS_WINDOWS)
HANDLE inhand = GetStdHandle(STD_INPUT_HANDLE);
DWORD events = 0;
INPUT_RECORD inputrec;
DWORD insize = 1;
BOOL peeked;
if (inhand == INVALID_HANDLE_VALUE) {
return 0;
}
peeked = PeekConsoleInput(inhand, &inputrec, insize, &events);
if (!peeked) {
/* Probably redirected input? _kbhit() does not work in this case */
if (!feof(stdin)) {
return 1;
}
return 0;
}
# endif
return _kbhit();
}
#endif
/* Corrupt a signature by modifying final byte */
void corrupt_signature(const ASN1_STRING *signature)
{
unsigned char *s = signature->data;
s[signature->length - 1] ^= 0x1;
}
int set_cert_times(X509 *x, const char *startdate, const char *enddate,
int days)
{
if (startdate == NULL || strcmp(startdate, "today") == 0) {
if (X509_gmtime_adj(X509_getm_notBefore(x), 0) == NULL)
return 0;
} else {
if (!ASN1_TIME_set_string_X509(X509_getm_notBefore(x), startdate))
return 0;
}
if (enddate == NULL) {
if (X509_time_adj_ex(X509_getm_notAfter(x), days, 0, NULL)
== NULL)
return 0;
} else if (!ASN1_TIME_set_string_X509(X509_getm_notAfter(x), enddate)) {
return 0;
}
return 1;
}
void make_uppercase(char *string)
{
int i;
for (i = 0; string[i] != '\0'; i++)
string[i] = toupper((unsigned char)string[i]);
}
diff --git a/crypto/openssl/apps/openssl.c b/crypto/openssl/apps/openssl.c
index ff7b759a40b1..f35d57f2648c 100644
--- a/crypto/openssl/apps/openssl.c
+++ b/crypto/openssl/apps/openssl.c
@@ -1,832 +1,830 @@
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <internal/cryptlib.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <openssl/bio.h>
#include <openssl/crypto.h>
#include <openssl/lhash.h>
#include <openssl/conf.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
#ifndef OPENSSL_NO_ENGINE
# include <openssl/engine.h>
#endif
#include <openssl/err.h>
/* Needed to get the other O_xxx flags. */
#ifdef OPENSSL_SYS_VMS
# include <unixio.h>
#endif
#include "apps.h"
#define INCLUDE_FUNCTION_TABLE
#include "progs.h"
/* Structure to hold the number of columns to be displayed and the
* field width used to display them.
*/
typedef struct {
int columns;
int width;
} DISPLAY_COLUMNS;
/* Special sentinel to exit the program. */
#define EXIT_THE_PROGRAM (-1)
/*
* The LHASH callbacks ("hash" & "cmp") have been replaced by functions with
* the base prototypes (we cast each variable inside the function to the
* required type of "FUNCTION*"). This removes the necessity for
* macro-generated wrapper functions.
*/
static LHASH_OF(FUNCTION) *prog_init(void);
static int do_cmd(LHASH_OF(FUNCTION) *prog, int argc, char *argv[]);
static void list_pkey(void);
static void list_pkey_meth(void);
static void list_type(FUNC_TYPE ft, int one);
static void list_disabled(void);
char *default_config_file = NULL;
BIO *bio_in = NULL;
BIO *bio_out = NULL;
BIO *bio_err = NULL;
static void calculate_columns(DISPLAY_COLUMNS *dc)
{
FUNCTION *f;
int len, maxlen = 0;
for (f = functions; f->name != NULL; ++f)
if (f->type == FT_general || f->type == FT_md || f->type == FT_cipher)
if ((len = strlen(f->name)) > maxlen)
maxlen = len;
dc->width = maxlen + 2;
dc->columns = (80 - 1) / dc->width;
}
static int apps_startup(void)
{
#ifdef SIGPIPE
signal(SIGPIPE, SIG_IGN);
#endif
/* Set non-default library initialisation settings */
if (!OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN
| OPENSSL_INIT_LOAD_CONFIG, NULL))
return 0;
setup_ui_method();
return 1;
}
static void apps_shutdown(void)
{
destroy_ui_method();
destroy_prefix_method();
}
static char *make_config_name(void)
{
const char *t;
size_t len;
char *p;
if ((t = getenv("OPENSSL_CONF")) != NULL)
return OPENSSL_strdup(t);
t = X509_get_default_cert_area();
len = strlen(t) + 1 + strlen(OPENSSL_CONF) + 1;
p = app_malloc(len, "config filename buffer");
strcpy(p, t);
#ifndef OPENSSL_SYS_VMS
strcat(p, "/");
#endif
strcat(p, OPENSSL_CONF);
return p;
}
int main(int argc, char *argv[])
{
FUNCTION f, *fp;
LHASH_OF(FUNCTION) *prog = NULL;
- char **copied_argv = NULL;
char *p, *pname;
char buf[1024];
const char *prompt;
ARGS arg;
int first, n, i, ret = 0;
arg.argv = NULL;
arg.size = 0;
/* Set up some of the environment. */
default_config_file = make_config_name();
bio_in = dup_bio_in(FORMAT_TEXT);
bio_out = dup_bio_out(FORMAT_TEXT);
bio_err = dup_bio_err(FORMAT_TEXT);
#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
- copied_argv = argv = copy_argv(&argc, argv);
+ argv = copy_argv(&argc, argv);
#elif defined(_WIN32)
/*
* Replace argv[] with UTF-8 encoded strings.
*/
win32_utf8argv(&argc, &argv);
#endif
p = getenv("OPENSSL_DEBUG_MEMORY");
if (p != NULL && strcmp(p, "on") == 0)
CRYPTO_set_mem_debug(1);
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
if (getenv("OPENSSL_FIPS")) {
BIO_printf(bio_err, "FIPS mode not supported.\n");
return 1;
}
if (!apps_startup()) {
BIO_printf(bio_err,
"FATAL: Startup failure (dev note: apps_startup() failed)\n");
ERR_print_errors(bio_err);
ret = 1;
goto end;
}
prog = prog_init();
if (prog == NULL) {
BIO_printf(bio_err,
"FATAL: Startup failure (dev note: prog_init() failed)\n");
ERR_print_errors(bio_err);
ret = 1;
goto end;
}
pname = opt_progname(argv[0]);
/* first check the program name */
f.name = pname;
fp = lh_FUNCTION_retrieve(prog, &f);
if (fp != NULL) {
argv[0] = pname;
ret = fp->func(argc, argv);
goto end;
}
/* If there is stuff on the command line, run with that. */
if (argc != 1) {
argc--;
argv++;
ret = do_cmd(prog, argc, argv);
if (ret < 0)
ret = 0;
goto end;
}
/* ok, lets enter interactive mode */
for (;;) {
ret = 0;
/* Read a line, continue reading if line ends with \ */
for (p = buf, n = sizeof(buf), i = 0, first = 1; n > 0; first = 0) {
prompt = first ? "OpenSSL> " : "> ";
p[0] = '\0';
#ifndef READLINE
fputs(prompt, stdout);
fflush(stdout);
if (!fgets(p, n, stdin))
goto end;
if (p[0] == '\0')
goto end;
i = strlen(p);
if (i <= 1)
break;
if (p[i - 2] != '\\')
break;
i -= 2;
p += i;
n -= i;
#else
{
extern char *readline(const char *);
extern void add_history(const char *cp);
char *text;
text = readline(prompt);
if (text == NULL)
goto end;
i = strlen(text);
if (i == 0 || i > n)
break;
if (text[i - 1] != '\\') {
p += strlen(strcpy(p, text));
free(text);
add_history(buf);
break;
}
text[i - 1] = '\0';
p += strlen(strcpy(p, text));
free(text);
n -= i;
}
#endif
}
if (!chopup_args(&arg, buf)) {
BIO_printf(bio_err, "Can't parse (no memory?)\n");
break;
}
ret = do_cmd(prog, arg.argc, arg.argv);
if (ret == EXIT_THE_PROGRAM) {
ret = 0;
goto end;
}
if (ret != 0)
BIO_printf(bio_err, "error in %s\n", arg.argv[0]);
(void)BIO_flush(bio_out);
(void)BIO_flush(bio_err);
}
ret = 1;
end:
- OPENSSL_free(copied_argv);
OPENSSL_free(default_config_file);
lh_FUNCTION_free(prog);
OPENSSL_free(arg.argv);
app_RAND_write();
BIO_free(bio_in);
BIO_free_all(bio_out);
apps_shutdown();
#ifndef OPENSSL_NO_CRYPTO_MDEBUG
if (CRYPTO_mem_leaks(bio_err) <= 0)
ret = 1;
#endif
BIO_free(bio_err);
EXIT(ret);
}
static void list_cipher_fn(const EVP_CIPHER *c,
const char *from, const char *to, void *arg)
{
if (c != NULL) {
BIO_printf(arg, "%s\n", EVP_CIPHER_name(c));
} else {
if (from == NULL)
from = "<undefined>";
if (to == NULL)
to = "<undefined>";
BIO_printf(arg, "%s => %s\n", from, to);
}
}
static void list_md_fn(const EVP_MD *m,
const char *from, const char *to, void *arg)
{
if (m != NULL) {
BIO_printf(arg, "%s\n", EVP_MD_name(m));
} else {
if (from == NULL)
from = "<undefined>";
if (to == NULL)
to = "<undefined>";
BIO_printf((BIO *)arg, "%s => %s\n", from, to);
}
}
static void list_missing_help(void)
{
const FUNCTION *fp;
const OPTIONS *o;
for (fp = functions; fp->name != NULL; fp++) {
if ((o = fp->help) != NULL) {
/* If there is help, list what flags are not documented. */
for ( ; o->name != NULL; o++) {
if (o->helpstr == NULL)
BIO_printf(bio_out, "%s %s\n", fp->name, o->name);
}
} else if (fp->func != dgst_main) {
/* If not aliased to the dgst command, */
BIO_printf(bio_out, "%s *\n", fp->name);
}
}
}
static void list_options_for_command(const char *command)
{
const FUNCTION *fp;
const OPTIONS *o;
for (fp = functions; fp->name != NULL; fp++)
if (strcmp(fp->name, command) == 0)
break;
if (fp->name == NULL) {
BIO_printf(bio_err, "Invalid command '%s'; type \"help\" for a list.\n",
command);
return;
}
if ((o = fp->help) == NULL)
return;
for ( ; o->name != NULL; o++) {
if (o->name == OPT_HELP_STR
|| o->name == OPT_MORE_STR
|| o->name[0] == '\0')
continue;
BIO_printf(bio_out, "%s %c\n", o->name, o->valtype);
}
}
/* Unified enum for help and list commands. */
typedef enum HELPLIST_CHOICE {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_ONE,
OPT_COMMANDS, OPT_DIGEST_COMMANDS, OPT_OPTIONS,
OPT_DIGEST_ALGORITHMS, OPT_CIPHER_COMMANDS, OPT_CIPHER_ALGORITHMS,
OPT_PK_ALGORITHMS, OPT_PK_METHOD, OPT_DISABLED, OPT_MISSING_HELP
} HELPLIST_CHOICE;
const OPTIONS list_options[] = {
{"help", OPT_HELP, '-', "Display this summary"},
{"1", OPT_ONE, '-', "List in one column"},
{"commands", OPT_COMMANDS, '-', "List of standard commands"},
{"digest-commands", OPT_DIGEST_COMMANDS, '-',
"List of message digest commands"},
{"digest-algorithms", OPT_DIGEST_ALGORITHMS, '-',
"List of message digest algorithms"},
{"cipher-commands", OPT_CIPHER_COMMANDS, '-', "List of cipher commands"},
{"cipher-algorithms", OPT_CIPHER_ALGORITHMS, '-',
"List of cipher algorithms"},
{"public-key-algorithms", OPT_PK_ALGORITHMS, '-',
"List of public key algorithms"},
{"public-key-methods", OPT_PK_METHOD, '-',
"List of public key methods"},
{"disabled", OPT_DISABLED, '-',
"List of disabled features"},
{"missing-help", OPT_MISSING_HELP, '-',
"List missing detailed help strings"},
{"options", OPT_OPTIONS, 's',
"List options for specified command"},
{NULL}
};
int list_main(int argc, char **argv)
{
char *prog;
HELPLIST_CHOICE o;
int one = 0, done = 0;
prog = opt_init(argc, argv, list_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
case OPT_EOF: /* Never hit, but suppresses warning */
case OPT_ERR:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
return 1;
case OPT_HELP:
opt_help(list_options);
break;
case OPT_ONE:
one = 1;
break;
case OPT_COMMANDS:
list_type(FT_general, one);
break;
case OPT_DIGEST_COMMANDS:
list_type(FT_md, one);
break;
case OPT_DIGEST_ALGORITHMS:
EVP_MD_do_all_sorted(list_md_fn, bio_out);
break;
case OPT_CIPHER_COMMANDS:
list_type(FT_cipher, one);
break;
case OPT_CIPHER_ALGORITHMS:
EVP_CIPHER_do_all_sorted(list_cipher_fn, bio_out);
break;
case OPT_PK_ALGORITHMS:
list_pkey();
break;
case OPT_PK_METHOD:
list_pkey_meth();
break;
case OPT_DISABLED:
list_disabled();
break;
case OPT_MISSING_HELP:
list_missing_help();
break;
case OPT_OPTIONS:
list_options_for_command(opt_arg());
break;
}
done = 1;
}
if (opt_num_rest() != 0) {
BIO_printf(bio_err, "Extra arguments given.\n");
goto opthelp;
}
if (!done)
goto opthelp;
return 0;
}
typedef enum HELP_CHOICE {
OPT_hERR = -1, OPT_hEOF = 0, OPT_hHELP
} HELP_CHOICE;
const OPTIONS help_options[] = {
{OPT_HELP_STR, 1, '-', "Usage: help [options]\n"},
{OPT_HELP_STR, 1, '-', " help [command]\n"},
{"help", OPT_hHELP, '-', "Display this summary"},
{NULL}
};
int help_main(int argc, char **argv)
{
FUNCTION *fp;
int i, nl;
FUNC_TYPE tp;
char *prog;
HELP_CHOICE o;
DISPLAY_COLUMNS dc;
prog = opt_init(argc, argv, help_options);
while ((o = opt_next()) != OPT_hEOF) {
switch (o) {
case OPT_hERR:
case OPT_hEOF:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
return 1;
case OPT_hHELP:
opt_help(help_options);
return 0;
}
}
if (opt_num_rest() == 1) {
char *new_argv[3];
new_argv[0] = opt_rest()[0];
new_argv[1] = "--help";
new_argv[2] = NULL;
return do_cmd(prog_init(), 2, new_argv);
}
if (opt_num_rest() != 0) {
BIO_printf(bio_err, "Usage: %s\n", prog);
return 1;
}
calculate_columns(&dc);
BIO_printf(bio_err, "Standard commands");
i = 0;
tp = FT_none;
for (fp = functions; fp->name != NULL; fp++) {
nl = 0;
if (i++ % dc.columns == 0) {
BIO_printf(bio_err, "\n");
nl = 1;
}
if (fp->type != tp) {
tp = fp->type;
if (!nl)
BIO_printf(bio_err, "\n");
if (tp == FT_md) {
i = 1;
BIO_printf(bio_err,
"\nMessage Digest commands (see the `dgst' command for more details)\n");
} else if (tp == FT_cipher) {
i = 1;
BIO_printf(bio_err,
"\nCipher commands (see the `enc' command for more details)\n");
}
}
BIO_printf(bio_err, "%-*s", dc.width, fp->name);
}
BIO_printf(bio_err, "\n\n");
return 0;
}
static void list_type(FUNC_TYPE ft, int one)
{
FUNCTION *fp;
int i = 0;
DISPLAY_COLUMNS dc = {0};
if (!one)
calculate_columns(&dc);
for (fp = functions; fp->name != NULL; fp++) {
if (fp->type != ft)
continue;
if (one) {
BIO_printf(bio_out, "%s\n", fp->name);
} else {
if (i % dc.columns == 0 && i > 0)
BIO_printf(bio_out, "\n");
BIO_printf(bio_out, "%-*s", dc.width, fp->name);
i++;
}
}
if (!one)
BIO_printf(bio_out, "\n\n");
}
static int do_cmd(LHASH_OF(FUNCTION) *prog, int argc, char *argv[])
{
FUNCTION f, *fp;
if (argc <= 0 || argv[0] == NULL)
return 0;
f.name = argv[0];
fp = lh_FUNCTION_retrieve(prog, &f);
if (fp == NULL) {
if (EVP_get_digestbyname(argv[0])) {
f.type = FT_md;
f.func = dgst_main;
fp = &f;
} else if (EVP_get_cipherbyname(argv[0])) {
f.type = FT_cipher;
f.func = enc_main;
fp = &f;
}
}
if (fp != NULL) {
return fp->func(argc, argv);
}
if ((strncmp(argv[0], "no-", 3)) == 0) {
/*
* User is asking if foo is unsupported, by trying to "run" the
* no-foo command. Strange.
*/
f.name = argv[0] + 3;
if (lh_FUNCTION_retrieve(prog, &f) == NULL) {
BIO_printf(bio_out, "%s\n", argv[0]);
return 0;
}
BIO_printf(bio_out, "%s\n", argv[0] + 3);
return 1;
}
if (strcmp(argv[0], "quit") == 0 || strcmp(argv[0], "q") == 0 ||
strcmp(argv[0], "exit") == 0 || strcmp(argv[0], "bye") == 0)
/* Special value to mean "exit the program. */
return EXIT_THE_PROGRAM;
BIO_printf(bio_err, "Invalid command '%s'; type \"help\" for a list.\n",
argv[0]);
return 1;
}
static void list_pkey(void)
{
int i;
for (i = 0; i < EVP_PKEY_asn1_get_count(); i++) {
const EVP_PKEY_ASN1_METHOD *ameth;
int pkey_id, pkey_base_id, pkey_flags;
const char *pinfo, *pem_str;
ameth = EVP_PKEY_asn1_get0(i);
EVP_PKEY_asn1_get0_info(&pkey_id, &pkey_base_id, &pkey_flags,
&pinfo, &pem_str, ameth);
if (pkey_flags & ASN1_PKEY_ALIAS) {
BIO_printf(bio_out, "Name: %s\n", OBJ_nid2ln(pkey_id));
BIO_printf(bio_out, "\tAlias for: %s\n",
OBJ_nid2ln(pkey_base_id));
} else {
BIO_printf(bio_out, "Name: %s\n", pinfo);
BIO_printf(bio_out, "\tType: %s Algorithm\n",
pkey_flags & ASN1_PKEY_DYNAMIC ?
"External" : "Builtin");
BIO_printf(bio_out, "\tOID: %s\n", OBJ_nid2ln(pkey_id));
if (pem_str == NULL)
pem_str = "(none)";
BIO_printf(bio_out, "\tPEM string: %s\n", pem_str);
}
}
}
static void list_pkey_meth(void)
{
size_t i;
size_t meth_count = EVP_PKEY_meth_get_count();
for (i = 0; i < meth_count; i++) {
const EVP_PKEY_METHOD *pmeth = EVP_PKEY_meth_get0(i);
int pkey_id, pkey_flags;
EVP_PKEY_meth_get0_info(&pkey_id, &pkey_flags, pmeth);
BIO_printf(bio_out, "%s\n", OBJ_nid2ln(pkey_id));
BIO_printf(bio_out, "\tType: %s Algorithm\n",
pkey_flags & ASN1_PKEY_DYNAMIC ? "External" : "Builtin");
}
}
static int function_cmp(const FUNCTION * a, const FUNCTION * b)
{
return strncmp(a->name, b->name, 8);
}
static unsigned long function_hash(const FUNCTION * a)
{
return OPENSSL_LH_strhash(a->name);
}
static int SortFnByName(const void *_f1, const void *_f2)
{
const FUNCTION *f1 = _f1;
const FUNCTION *f2 = _f2;
if (f1->type != f2->type)
return f1->type - f2->type;
return strcmp(f1->name, f2->name);
}
static void list_disabled(void)
{
BIO_puts(bio_out, "Disabled algorithms:\n");
#ifdef OPENSSL_NO_ARIA
BIO_puts(bio_out, "ARIA\n");
#endif
#ifdef OPENSSL_NO_BF
BIO_puts(bio_out, "BF\n");
#endif
#ifdef OPENSSL_NO_BLAKE2
BIO_puts(bio_out, "BLAKE2\n");
#endif
#ifdef OPENSSL_NO_CAMELLIA
BIO_puts(bio_out, "CAMELLIA\n");
#endif
#ifdef OPENSSL_NO_CAST
BIO_puts(bio_out, "CAST\n");
#endif
#ifdef OPENSSL_NO_CMAC
BIO_puts(bio_out, "CMAC\n");
#endif
#ifdef OPENSSL_NO_CMS
BIO_puts(bio_out, "CMS\n");
#endif
#ifdef OPENSSL_NO_COMP
BIO_puts(bio_out, "COMP\n");
#endif
#ifdef OPENSSL_NO_DES
BIO_puts(bio_out, "DES\n");
#endif
#ifdef OPENSSL_NO_DGRAM
BIO_puts(bio_out, "DGRAM\n");
#endif
#ifdef OPENSSL_NO_DH
BIO_puts(bio_out, "DH\n");
#endif
#ifdef OPENSSL_NO_DSA
BIO_puts(bio_out, "DSA\n");
#endif
#if defined(OPENSSL_NO_DTLS)
BIO_puts(bio_out, "DTLS\n");
#endif
#if defined(OPENSSL_NO_DTLS1)
BIO_puts(bio_out, "DTLS1\n");
#endif
#if defined(OPENSSL_NO_DTLS1_2)
BIO_puts(bio_out, "DTLS1_2\n");
#endif
#ifdef OPENSSL_NO_EC
BIO_puts(bio_out, "EC\n");
#endif
#ifdef OPENSSL_NO_EC2M
BIO_puts(bio_out, "EC2M\n");
#endif
#ifdef OPENSSL_NO_ENGINE
BIO_puts(bio_out, "ENGINE\n");
#endif
#ifdef OPENSSL_NO_GOST
BIO_puts(bio_out, "GOST\n");
#endif
#ifdef OPENSSL_NO_HEARTBEATS
BIO_puts(bio_out, "HEARTBEATS\n");
#endif
#ifdef OPENSSL_NO_IDEA
BIO_puts(bio_out, "IDEA\n");
#endif
#ifdef OPENSSL_NO_MD2
BIO_puts(bio_out, "MD2\n");
#endif
#ifdef OPENSSL_NO_MD4
BIO_puts(bio_out, "MD4\n");
#endif
#ifdef OPENSSL_NO_MD5
BIO_puts(bio_out, "MD5\n");
#endif
#ifdef OPENSSL_NO_MDC2
BIO_puts(bio_out, "MDC2\n");
#endif
#ifdef OPENSSL_NO_OCB
BIO_puts(bio_out, "OCB\n");
#endif
#ifdef OPENSSL_NO_OCSP
BIO_puts(bio_out, "OCSP\n");
#endif
#ifdef OPENSSL_NO_PSK
BIO_puts(bio_out, "PSK\n");
#endif
#ifdef OPENSSL_NO_RC2
BIO_puts(bio_out, "RC2\n");
#endif
#ifdef OPENSSL_NO_RC4
BIO_puts(bio_out, "RC4\n");
#endif
#ifdef OPENSSL_NO_RC5
BIO_puts(bio_out, "RC5\n");
#endif
#ifdef OPENSSL_NO_RMD160
BIO_puts(bio_out, "RMD160\n");
#endif
#ifdef OPENSSL_NO_RSA
BIO_puts(bio_out, "RSA\n");
#endif
#ifdef OPENSSL_NO_SCRYPT
BIO_puts(bio_out, "SCRYPT\n");
#endif
#ifdef OPENSSL_NO_SCTP
BIO_puts(bio_out, "SCTP\n");
#endif
#ifdef OPENSSL_NO_SEED
BIO_puts(bio_out, "SEED\n");
#endif
#ifdef OPENSSL_NO_SM2
BIO_puts(bio_out, "SM2\n");
#endif
#ifdef OPENSSL_NO_SM3
BIO_puts(bio_out, "SM3\n");
#endif
#ifdef OPENSSL_NO_SM4
BIO_puts(bio_out, "SM4\n");
#endif
#ifdef OPENSSL_NO_SOCK
BIO_puts(bio_out, "SOCK\n");
#endif
#ifdef OPENSSL_NO_SRP
BIO_puts(bio_out, "SRP\n");
#endif
#ifdef OPENSSL_NO_SRTP
BIO_puts(bio_out, "SRTP\n");
#endif
#ifdef OPENSSL_NO_SSL3
BIO_puts(bio_out, "SSL3\n");
#endif
#ifdef OPENSSL_NO_TLS1
BIO_puts(bio_out, "TLS1\n");
#endif
#ifdef OPENSSL_NO_TLS1_1
BIO_puts(bio_out, "TLS1_1\n");
#endif
#ifdef OPENSSL_NO_TLS1_2
BIO_puts(bio_out, "TLS1_2\n");
#endif
#ifdef OPENSSL_NO_WHIRLPOOL
BIO_puts(bio_out, "WHIRLPOOL\n");
#endif
#ifndef ZLIB
BIO_puts(bio_out, "ZLIB\n");
#endif
}
static LHASH_OF(FUNCTION) *prog_init(void)
{
static LHASH_OF(FUNCTION) *ret = NULL;
static int prog_inited = 0;
FUNCTION *f;
size_t i;
if (prog_inited)
return ret;
prog_inited = 1;
/* Sort alphabetically within category. For nicer help displays. */
for (i = 0, f = functions; f->name != NULL; ++f, ++i)
;
qsort(functions, i, sizeof(*functions), SortFnByName);
if ((ret = lh_FUNCTION_new(function_hash, function_cmp)) == NULL)
return NULL;
for (f = functions; f->name != NULL; f++)
(void)lh_FUNCTION_insert(ret, f);
return ret;
}
diff --git a/crypto/openssl/apps/passwd.c b/crypto/openssl/apps/passwd.c
index d741d05335f8..af08ccd4ac0f 100644
--- a/crypto/openssl/apps/passwd.c
+++ b/crypto/openssl/apps/passwd.c
@@ -1,853 +1,853 @@
/*
- * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <string.h>
#include "apps.h"
#include "progs.h"
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/rand.h>
#ifndef OPENSSL_NO_DES
# include <openssl/des.h>
#endif
#include <openssl/md5.h>
#include <openssl/sha.h>
static unsigned const char cov_2char[64] = {
/* from crypto/des/fcrypt.c */
0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35,
0x36, 0x37, 0x38, 0x39, 0x41, 0x42, 0x43, 0x44,
0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54,
0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, 0x61, 0x62,
0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A,
0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, 0x71, 0x72,
0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7A
};
static const char ascii_dollar[] = { 0x24, 0x00 };
typedef enum {
passwd_unset = 0,
passwd_crypt,
passwd_md5,
passwd_apr1,
passwd_sha256,
passwd_sha512,
passwd_aixmd5
} passwd_modes;
static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
char *passwd, BIO *out, int quiet, int table,
int reverse, size_t pw_maxlen, passwd_modes mode);
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_IN,
OPT_NOVERIFY, OPT_QUIET, OPT_TABLE, OPT_REVERSE, OPT_APR1,
OPT_1, OPT_5, OPT_6, OPT_CRYPT, OPT_AIXMD5, OPT_SALT, OPT_STDIN,
OPT_R_ENUM
} OPTION_CHOICE;
const OPTIONS passwd_options[] = {
{"help", OPT_HELP, '-', "Display this summary"},
{"in", OPT_IN, '<', "Read passwords from file"},
{"noverify", OPT_NOVERIFY, '-',
"Never verify when reading password from terminal"},
{"quiet", OPT_QUIET, '-', "No warnings"},
{"table", OPT_TABLE, '-', "Format output as table"},
{"reverse", OPT_REVERSE, '-', "Switch table columns"},
{"salt", OPT_SALT, 's', "Use provided salt"},
{"stdin", OPT_STDIN, '-', "Read passwords from stdin"},
{"6", OPT_6, '-', "SHA512-based password algorithm"},
{"5", OPT_5, '-', "SHA256-based password algorithm"},
{"apr1", OPT_APR1, '-', "MD5-based password algorithm, Apache variant"},
{"1", OPT_1, '-', "MD5-based password algorithm"},
{"aixmd5", OPT_AIXMD5, '-', "AIX MD5-based password algorithm"},
#ifndef OPENSSL_NO_DES
{"crypt", OPT_CRYPT, '-', "Standard Unix password algorithm (default)"},
#endif
OPT_R_OPTIONS,
{NULL}
};
int passwd_main(int argc, char **argv)
{
BIO *in = NULL;
char *infile = NULL, *salt = NULL, *passwd = NULL, **passwds = NULL;
char *salt_malloc = NULL, *passwd_malloc = NULL, *prog;
OPTION_CHOICE o;
int in_stdin = 0, pw_source_defined = 0;
#ifndef OPENSSL_NO_UI_CONSOLE
int in_noverify = 0;
#endif
int passed_salt = 0, quiet = 0, table = 0, reverse = 0;
int ret = 1;
passwd_modes mode = passwd_unset;
size_t passwd_malloc_size = 0;
size_t pw_maxlen = 256; /* arbitrary limit, should be enough for most
* passwords */
prog = opt_init(argc, argv, passwd_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
opt_help(passwd_options);
ret = 0;
goto end;
case OPT_IN:
if (pw_source_defined)
goto opthelp;
infile = opt_arg();
pw_source_defined = 1;
break;
case OPT_NOVERIFY:
#ifndef OPENSSL_NO_UI_CONSOLE
in_noverify = 1;
#endif
break;
case OPT_QUIET:
quiet = 1;
break;
case OPT_TABLE:
table = 1;
break;
case OPT_REVERSE:
reverse = 1;
break;
case OPT_1:
if (mode != passwd_unset)
goto opthelp;
mode = passwd_md5;
break;
case OPT_5:
if (mode != passwd_unset)
goto opthelp;
mode = passwd_sha256;
break;
case OPT_6:
if (mode != passwd_unset)
goto opthelp;
mode = passwd_sha512;
break;
case OPT_APR1:
if (mode != passwd_unset)
goto opthelp;
mode = passwd_apr1;
break;
case OPT_AIXMD5:
if (mode != passwd_unset)
goto opthelp;
mode = passwd_aixmd5;
break;
case OPT_CRYPT:
#ifndef OPENSSL_NO_DES
if (mode != passwd_unset)
goto opthelp;
mode = passwd_crypt;
#endif
break;
case OPT_SALT:
passed_salt = 1;
salt = opt_arg();
break;
case OPT_STDIN:
if (pw_source_defined)
goto opthelp;
in_stdin = 1;
pw_source_defined = 1;
break;
case OPT_R_CASES:
if (!opt_rand(o))
goto end;
break;
}
}
argc = opt_num_rest();
argv = opt_rest();
if (*argv != NULL) {
if (pw_source_defined)
goto opthelp;
pw_source_defined = 1;
passwds = argv;
}
if (mode == passwd_unset) {
/* use default */
mode = passwd_crypt;
}
#ifdef OPENSSL_NO_DES
if (mode == passwd_crypt)
goto opthelp;
#endif
if (infile != NULL && in_stdin) {
BIO_printf(bio_err, "%s: Can't combine -in and -stdin\n", prog);
goto end;
}
if (infile != NULL || in_stdin) {
/*
* If in_stdin is true, we know that infile is NULL, and that
* bio_open_default() will give us back an alias for stdin.
*/
in = bio_open_default(infile, 'r', FORMAT_TEXT);
if (in == NULL)
goto end;
}
if (mode == passwd_crypt)
pw_maxlen = 8;
if (passwds == NULL) {
/* no passwords on the command line */
passwd_malloc_size = pw_maxlen + 2;
/* longer than necessary so that we can warn about truncation */
passwd = passwd_malloc =
app_malloc(passwd_malloc_size, "password buffer");
}
if ((in == NULL) && (passwds == NULL)) {
/*
* we use the following method to make sure what
* in the 'else' section is always compiled, to
* avoid rot of not-frequently-used code.
*/
if (1) {
#ifndef OPENSSL_NO_UI_CONSOLE
/* build a null-terminated list */
static char *passwds_static[2] = { NULL, NULL };
passwds = passwds_static;
if (in == NULL) {
if (EVP_read_pw_string
(passwd_malloc, passwd_malloc_size, "Password: ",
!(passed_salt || in_noverify)) != 0)
goto end;
}
passwds[0] = passwd_malloc;
} else {
#endif
BIO_printf(bio_err, "password required\n");
goto end;
}
}
if (in == NULL) {
assert(passwds != NULL);
assert(*passwds != NULL);
do { /* loop over list of passwords */
passwd = *passwds++;
if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, bio_out,
quiet, table, reverse, pw_maxlen, mode))
goto end;
} while (*passwds != NULL);
} else {
/* in != NULL */
int done;
assert(passwd != NULL);
do {
int r = BIO_gets(in, passwd, pw_maxlen + 1);
if (r > 0) {
char *c = (strchr(passwd, '\n'));
if (c != NULL) {
*c = 0; /* truncate at newline */
} else {
/* ignore rest of line */
char trash[BUFSIZ];
do
r = BIO_gets(in, trash, sizeof(trash));
while ((r > 0) && (!strchr(trash, '\n')));
}
if (!do_passwd
(passed_salt, &salt, &salt_malloc, passwd, bio_out, quiet,
table, reverse, pw_maxlen, mode))
goto end;
}
done = (r <= 0);
} while (!done);
}
ret = 0;
end:
#if 0
ERR_print_errors(bio_err);
#endif
OPENSSL_free(salt_malloc);
OPENSSL_free(passwd_malloc);
BIO_free(in);
return ret;
}
/*
* MD5-based password algorithm (should probably be available as a library
* function; then the static buffer would not be acceptable). For magic
* string "1", this should be compatible to the MD5-based BSD password
* algorithm. For 'magic' string "apr1", this is compatible to the MD5-based
* Apache password algorithm. (Apparently, the Apache password algorithm is
* identical except that the 'magic' string was changed -- the laziest
* application of the NIH principle I've ever encountered.)
*/
static char *md5crypt(const char *passwd, const char *magic, const char *salt)
{
/* "$apr1$..salt..$.......md5hash..........\0" */
static char out_buf[6 + 9 + 24 + 2];
unsigned char buf[MD5_DIGEST_LENGTH];
char ascii_magic[5]; /* "apr1" plus '\0' */
char ascii_salt[9]; /* Max 8 chars plus '\0' */
char *ascii_passwd = NULL;
char *salt_out;
int n;
unsigned int i;
EVP_MD_CTX *md = NULL, *md2 = NULL;
size_t passwd_len, salt_len, magic_len;
passwd_len = strlen(passwd);
out_buf[0] = 0;
magic_len = strlen(magic);
OPENSSL_strlcpy(ascii_magic, magic, sizeof(ascii_magic));
#ifdef CHARSET_EBCDIC
if ((magic[0] & 0x80) != 0) /* High bit is 1 in EBCDIC alnums */
ebcdic2ascii(ascii_magic, ascii_magic, magic_len);
#endif
/* The salt gets truncated to 8 chars */
OPENSSL_strlcpy(ascii_salt, salt, sizeof(ascii_salt));
salt_len = strlen(ascii_salt);
#ifdef CHARSET_EBCDIC
ebcdic2ascii(ascii_salt, ascii_salt, salt_len);
#endif
#ifdef CHARSET_EBCDIC
ascii_passwd = OPENSSL_strdup(passwd);
if (ascii_passwd == NULL)
return NULL;
ebcdic2ascii(ascii_passwd, ascii_passwd, passwd_len);
passwd = ascii_passwd;
#endif
if (magic_len > 0) {
OPENSSL_strlcat(out_buf, ascii_dollar, sizeof(out_buf));
if (magic_len > 4) /* assert it's "1" or "apr1" */
goto err;
OPENSSL_strlcat(out_buf, ascii_magic, sizeof(out_buf));
OPENSSL_strlcat(out_buf, ascii_dollar, sizeof(out_buf));
}
OPENSSL_strlcat(out_buf, ascii_salt, sizeof(out_buf));
if (strlen(out_buf) > 6 + 8) /* assert "$apr1$..salt.." */
goto err;
salt_out = out_buf;
if (magic_len > 0)
salt_out += 2 + magic_len;
if (salt_len > 8)
goto err;
md = EVP_MD_CTX_new();
if (md == NULL
|| !EVP_DigestInit_ex(md, EVP_md5(), NULL)
|| !EVP_DigestUpdate(md, passwd, passwd_len))
goto err;
if (magic_len > 0)
if (!EVP_DigestUpdate(md, ascii_dollar, 1)
|| !EVP_DigestUpdate(md, ascii_magic, magic_len)
|| !EVP_DigestUpdate(md, ascii_dollar, 1))
goto err;
if (!EVP_DigestUpdate(md, ascii_salt, salt_len))
goto err;
md2 = EVP_MD_CTX_new();
if (md2 == NULL
|| !EVP_DigestInit_ex(md2, EVP_md5(), NULL)
|| !EVP_DigestUpdate(md2, passwd, passwd_len)
|| !EVP_DigestUpdate(md2, ascii_salt, salt_len)
|| !EVP_DigestUpdate(md2, passwd, passwd_len)
|| !EVP_DigestFinal_ex(md2, buf, NULL))
goto err;
for (i = passwd_len; i > sizeof(buf); i -= sizeof(buf)) {
if (!EVP_DigestUpdate(md, buf, sizeof(buf)))
goto err;
}
if (!EVP_DigestUpdate(md, buf, i))
goto err;
n = passwd_len;
while (n) {
if (!EVP_DigestUpdate(md, (n & 1) ? "\0" : passwd, 1))
goto err;
n >>= 1;
}
if (!EVP_DigestFinal_ex(md, buf, NULL))
- return NULL;
+ goto err;
for (i = 0; i < 1000; i++) {
if (!EVP_DigestInit_ex(md2, EVP_md5(), NULL))
goto err;
if (!EVP_DigestUpdate(md2,
(i & 1) ? (unsigned const char *)passwd : buf,
(i & 1) ? passwd_len : sizeof(buf)))
goto err;
if (i % 3) {
if (!EVP_DigestUpdate(md2, ascii_salt, salt_len))
goto err;
}
if (i % 7) {
if (!EVP_DigestUpdate(md2, passwd, passwd_len))
goto err;
}
if (!EVP_DigestUpdate(md2,
(i & 1) ? buf : (unsigned const char *)passwd,
(i & 1) ? sizeof(buf) : passwd_len))
goto err;
if (!EVP_DigestFinal_ex(md2, buf, NULL))
goto err;
}
EVP_MD_CTX_free(md2);
EVP_MD_CTX_free(md);
md2 = NULL;
md = NULL;
{
/* transform buf into output string */
unsigned char buf_perm[sizeof(buf)];
int dest, source;
char *output;
/* silly output permutation */
for (dest = 0, source = 0; dest < 14;
dest++, source = (source + 6) % 17)
buf_perm[dest] = buf[source];
buf_perm[14] = buf[5];
buf_perm[15] = buf[11];
# ifndef PEDANTIC /* Unfortunately, this generates a "no
* effect" warning */
assert(16 == sizeof(buf_perm));
# endif
output = salt_out + salt_len;
assert(output == out_buf + strlen(out_buf));
*output++ = ascii_dollar[0];
for (i = 0; i < 15; i += 3) {
*output++ = cov_2char[buf_perm[i + 2] & 0x3f];
*output++ = cov_2char[((buf_perm[i + 1] & 0xf) << 2) |
(buf_perm[i + 2] >> 6)];
*output++ = cov_2char[((buf_perm[i] & 3) << 4) |
(buf_perm[i + 1] >> 4)];
*output++ = cov_2char[buf_perm[i] >> 2];
}
assert(i == 15);
*output++ = cov_2char[buf_perm[i] & 0x3f];
*output++ = cov_2char[buf_perm[i] >> 6];
*output = 0;
assert(strlen(out_buf) < sizeof(out_buf));
#ifdef CHARSET_EBCDIC
ascii2ebcdic(out_buf, out_buf, strlen(out_buf));
#endif
}
return out_buf;
err:
OPENSSL_free(ascii_passwd);
EVP_MD_CTX_free(md2);
EVP_MD_CTX_free(md);
return NULL;
}
/*
* SHA based password algorithm, describe by Ulrich Drepper here:
* https://www.akkadia.org/drepper/SHA-crypt.txt
* (note that it's in the public domain)
*/
static char *shacrypt(const char *passwd, const char *magic, const char *salt)
{
/* Prefix for optional rounds specification. */
static const char rounds_prefix[] = "rounds=";
/* Maximum salt string length. */
# define SALT_LEN_MAX 16
/* Default number of rounds if not explicitly specified. */
# define ROUNDS_DEFAULT 5000
/* Minimum number of rounds. */
# define ROUNDS_MIN 1000
/* Maximum number of rounds. */
# define ROUNDS_MAX 999999999
/* "$6$rounds=<N>$......salt......$...shahash(up to 86 chars)...\0" */
static char out_buf[3 + 17 + 17 + 86 + 1];
unsigned char buf[SHA512_DIGEST_LENGTH];
unsigned char temp_buf[SHA512_DIGEST_LENGTH];
size_t buf_size = 0;
char ascii_magic[2];
char ascii_salt[17]; /* Max 16 chars plus '\0' */
char *ascii_passwd = NULL;
size_t n;
EVP_MD_CTX *md = NULL, *md2 = NULL;
const EVP_MD *sha = NULL;
size_t passwd_len, salt_len, magic_len;
unsigned int rounds = 5000; /* Default */
char rounds_custom = 0;
char *p_bytes = NULL;
char *s_bytes = NULL;
char *cp = NULL;
passwd_len = strlen(passwd);
magic_len = strlen(magic);
/* assert it's "5" or "6" */
if (magic_len != 1)
return NULL;
switch (magic[0]) {
case '5':
sha = EVP_sha256();
buf_size = 32;
break;
case '6':
sha = EVP_sha512();
buf_size = 64;
break;
default:
return NULL;
}
if (strncmp(salt, rounds_prefix, sizeof(rounds_prefix) - 1) == 0) {
const char *num = salt + sizeof(rounds_prefix) - 1;
char *endp;
unsigned long int srounds = strtoul (num, &endp, 10);
if (*endp == '$') {
salt = endp + 1;
if (srounds > ROUNDS_MAX)
rounds = ROUNDS_MAX;
else if (srounds < ROUNDS_MIN)
rounds = ROUNDS_MIN;
else
rounds = (unsigned int)srounds;
rounds_custom = 1;
} else {
return NULL;
}
}
OPENSSL_strlcpy(ascii_magic, magic, sizeof(ascii_magic));
#ifdef CHARSET_EBCDIC
if ((magic[0] & 0x80) != 0) /* High bit is 1 in EBCDIC alnums */
ebcdic2ascii(ascii_magic, ascii_magic, magic_len);
#endif
/* The salt gets truncated to 16 chars */
OPENSSL_strlcpy(ascii_salt, salt, sizeof(ascii_salt));
salt_len = strlen(ascii_salt);
#ifdef CHARSET_EBCDIC
ebcdic2ascii(ascii_salt, ascii_salt, salt_len);
#endif
#ifdef CHARSET_EBCDIC
ascii_passwd = OPENSSL_strdup(passwd);
if (ascii_passwd == NULL)
return NULL;
ebcdic2ascii(ascii_passwd, ascii_passwd, passwd_len);
passwd = ascii_passwd;
#endif
out_buf[0] = 0;
OPENSSL_strlcat(out_buf, ascii_dollar, sizeof(out_buf));
OPENSSL_strlcat(out_buf, ascii_magic, sizeof(out_buf));
OPENSSL_strlcat(out_buf, ascii_dollar, sizeof(out_buf));
if (rounds_custom) {
char tmp_buf[80]; /* "rounds=999999999" */
sprintf(tmp_buf, "rounds=%u", rounds);
#ifdef CHARSET_EBCDIC
/* In case we're really on a ASCII based platform and just pretend */
if (tmp_buf[0] != 0x72) /* ASCII 'r' */
ebcdic2ascii(tmp_buf, tmp_buf, strlen(tmp_buf));
#endif
OPENSSL_strlcat(out_buf, tmp_buf, sizeof(out_buf));
OPENSSL_strlcat(out_buf, ascii_dollar, sizeof(out_buf));
}
OPENSSL_strlcat(out_buf, ascii_salt, sizeof(out_buf));
/* assert "$5$rounds=999999999$......salt......" */
if (strlen(out_buf) > 3 + 17 * rounds_custom + salt_len )
goto err;
md = EVP_MD_CTX_new();
if (md == NULL
|| !EVP_DigestInit_ex(md, sha, NULL)
|| !EVP_DigestUpdate(md, passwd, passwd_len)
|| !EVP_DigestUpdate(md, ascii_salt, salt_len))
goto err;
md2 = EVP_MD_CTX_new();
if (md2 == NULL
|| !EVP_DigestInit_ex(md2, sha, NULL)
|| !EVP_DigestUpdate(md2, passwd, passwd_len)
|| !EVP_DigestUpdate(md2, ascii_salt, salt_len)
|| !EVP_DigestUpdate(md2, passwd, passwd_len)
|| !EVP_DigestFinal_ex(md2, buf, NULL))
goto err;
for (n = passwd_len; n > buf_size; n -= buf_size) {
if (!EVP_DigestUpdate(md, buf, buf_size))
goto err;
}
if (!EVP_DigestUpdate(md, buf, n))
goto err;
n = passwd_len;
while (n) {
if (!EVP_DigestUpdate(md,
(n & 1) ? buf : (unsigned const char *)passwd,
(n & 1) ? buf_size : passwd_len))
goto err;
n >>= 1;
}
if (!EVP_DigestFinal_ex(md, buf, NULL))
- return NULL;
+ goto err;
/* P sequence */
if (!EVP_DigestInit_ex(md2, sha, NULL))
goto err;
for (n = passwd_len; n > 0; n--)
if (!EVP_DigestUpdate(md2, passwd, passwd_len))
goto err;
if (!EVP_DigestFinal_ex(md2, temp_buf, NULL))
- return NULL;
+ goto err;
if ((p_bytes = OPENSSL_zalloc(passwd_len)) == NULL)
goto err;
for (cp = p_bytes, n = passwd_len; n > buf_size; n -= buf_size, cp += buf_size)
memcpy(cp, temp_buf, buf_size);
memcpy(cp, temp_buf, n);
/* S sequence */
if (!EVP_DigestInit_ex(md2, sha, NULL))
goto err;
for (n = 16 + buf[0]; n > 0; n--)
if (!EVP_DigestUpdate(md2, ascii_salt, salt_len))
goto err;
if (!EVP_DigestFinal_ex(md2, temp_buf, NULL))
- return NULL;
+ goto err;
if ((s_bytes = OPENSSL_zalloc(salt_len)) == NULL)
goto err;
for (cp = s_bytes, n = salt_len; n > buf_size; n -= buf_size, cp += buf_size)
memcpy(cp, temp_buf, buf_size);
memcpy(cp, temp_buf, n);
for (n = 0; n < rounds; n++) {
if (!EVP_DigestInit_ex(md2, sha, NULL))
goto err;
if (!EVP_DigestUpdate(md2,
(n & 1) ? (unsigned const char *)p_bytes : buf,
(n & 1) ? passwd_len : buf_size))
goto err;
if (n % 3) {
if (!EVP_DigestUpdate(md2, s_bytes, salt_len))
goto err;
}
if (n % 7) {
if (!EVP_DigestUpdate(md2, p_bytes, passwd_len))
goto err;
}
if (!EVP_DigestUpdate(md2,
(n & 1) ? buf : (unsigned const char *)p_bytes,
(n & 1) ? buf_size : passwd_len))
goto err;
if (!EVP_DigestFinal_ex(md2, buf, NULL))
goto err;
}
EVP_MD_CTX_free(md2);
EVP_MD_CTX_free(md);
md2 = NULL;
md = NULL;
OPENSSL_free(p_bytes);
OPENSSL_free(s_bytes);
p_bytes = NULL;
s_bytes = NULL;
cp = out_buf + strlen(out_buf);
*cp++ = ascii_dollar[0];
# define b64_from_24bit(B2, B1, B0, N) \
do { \
unsigned int w = ((B2) << 16) | ((B1) << 8) | (B0); \
int i = (N); \
while (i-- > 0) \
{ \
*cp++ = cov_2char[w & 0x3f]; \
w >>= 6; \
} \
} while (0)
switch (magic[0]) {
case '5':
b64_from_24bit (buf[0], buf[10], buf[20], 4);
b64_from_24bit (buf[21], buf[1], buf[11], 4);
b64_from_24bit (buf[12], buf[22], buf[2], 4);
b64_from_24bit (buf[3], buf[13], buf[23], 4);
b64_from_24bit (buf[24], buf[4], buf[14], 4);
b64_from_24bit (buf[15], buf[25], buf[5], 4);
b64_from_24bit (buf[6], buf[16], buf[26], 4);
b64_from_24bit (buf[27], buf[7], buf[17], 4);
b64_from_24bit (buf[18], buf[28], buf[8], 4);
b64_from_24bit (buf[9], buf[19], buf[29], 4);
b64_from_24bit (0, buf[31], buf[30], 3);
break;
case '6':
b64_from_24bit (buf[0], buf[21], buf[42], 4);
b64_from_24bit (buf[22], buf[43], buf[1], 4);
b64_from_24bit (buf[44], buf[2], buf[23], 4);
b64_from_24bit (buf[3], buf[24], buf[45], 4);
b64_from_24bit (buf[25], buf[46], buf[4], 4);
b64_from_24bit (buf[47], buf[5], buf[26], 4);
b64_from_24bit (buf[6], buf[27], buf[48], 4);
b64_from_24bit (buf[28], buf[49], buf[7], 4);
b64_from_24bit (buf[50], buf[8], buf[29], 4);
b64_from_24bit (buf[9], buf[30], buf[51], 4);
b64_from_24bit (buf[31], buf[52], buf[10], 4);
b64_from_24bit (buf[53], buf[11], buf[32], 4);
b64_from_24bit (buf[12], buf[33], buf[54], 4);
b64_from_24bit (buf[34], buf[55], buf[13], 4);
b64_from_24bit (buf[56], buf[14], buf[35], 4);
b64_from_24bit (buf[15], buf[36], buf[57], 4);
b64_from_24bit (buf[37], buf[58], buf[16], 4);
b64_from_24bit (buf[59], buf[17], buf[38], 4);
b64_from_24bit (buf[18], buf[39], buf[60], 4);
b64_from_24bit (buf[40], buf[61], buf[19], 4);
b64_from_24bit (buf[62], buf[20], buf[41], 4);
b64_from_24bit (0, 0, buf[63], 2);
break;
default:
goto err;
}
*cp = '\0';
#ifdef CHARSET_EBCDIC
ascii2ebcdic(out_buf, out_buf, strlen(out_buf));
#endif
return out_buf;
err:
EVP_MD_CTX_free(md2);
EVP_MD_CTX_free(md);
OPENSSL_free(p_bytes);
OPENSSL_free(s_bytes);
OPENSSL_free(ascii_passwd);
return NULL;
}
static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
char *passwd, BIO *out, int quiet, int table,
int reverse, size_t pw_maxlen, passwd_modes mode)
{
char *hash = NULL;
assert(salt_p != NULL);
assert(salt_malloc_p != NULL);
/* first make sure we have a salt */
if (!passed_salt) {
size_t saltlen = 0;
size_t i;
#ifndef OPENSSL_NO_DES
if (mode == passwd_crypt)
saltlen = 2;
#endif /* !OPENSSL_NO_DES */
if (mode == passwd_md5 || mode == passwd_apr1 || mode == passwd_aixmd5)
saltlen = 8;
if (mode == passwd_sha256 || mode == passwd_sha512)
saltlen = 16;
assert(saltlen != 0);
if (*salt_malloc_p == NULL)
*salt_p = *salt_malloc_p = app_malloc(saltlen + 1, "salt buffer");
if (RAND_bytes((unsigned char *)*salt_p, saltlen) <= 0)
goto end;
for (i = 0; i < saltlen; i++)
(*salt_p)[i] = cov_2char[(*salt_p)[i] & 0x3f]; /* 6 bits */
(*salt_p)[i] = 0;
# ifdef CHARSET_EBCDIC
/* The password encryption function will convert back to ASCII */
ascii2ebcdic(*salt_p, *salt_p, saltlen);
# endif
}
assert(*salt_p != NULL);
/* truncate password if necessary */
if ((strlen(passwd) > pw_maxlen)) {
if (!quiet)
/*
* XXX: really we should know how to print a size_t, not cast it
*/
BIO_printf(bio_err,
"Warning: truncating password to %u characters\n",
(unsigned)pw_maxlen);
passwd[pw_maxlen] = 0;
}
assert(strlen(passwd) <= pw_maxlen);
/* now compute password hash */
#ifndef OPENSSL_NO_DES
if (mode == passwd_crypt)
hash = DES_crypt(passwd, *salt_p);
#endif
if (mode == passwd_md5 || mode == passwd_apr1)
hash = md5crypt(passwd, (mode == passwd_md5 ? "1" : "apr1"), *salt_p);
if (mode == passwd_aixmd5)
hash = md5crypt(passwd, "", *salt_p);
if (mode == passwd_sha256 || mode == passwd_sha512)
hash = shacrypt(passwd, (mode == passwd_sha256 ? "5" : "6"), *salt_p);
assert(hash != NULL);
if (table && !reverse)
BIO_printf(out, "%s\t%s\n", passwd, hash);
else if (table && reverse)
BIO_printf(out, "%s\t%s\n", hash, passwd);
else
BIO_printf(out, "%s\n", hash);
return 1;
end:
return 0;
}
diff --git a/crypto/openssl/apps/s_client.c b/crypto/openssl/apps/s_client.c
index aa5841cd08e2..5664e7e04ec6 100644
--- a/crypto/openssl/apps/s_client.c
+++ b/crypto/openssl/apps/s_client.c
@@ -1,3572 +1,3583 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005 Nokia. All rights reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include "e_os.h"
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <openssl/e_os2.h>
#ifndef OPENSSL_NO_SOCK
/*
* With IPv6, it looks like Digital has mixed up the proper order of
* recursive header file inclusion, resulting in the compiler complaining
* that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which is
* needed to have fileno() declared correctly... So let's define u_int
*/
#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
# define __U_INT
typedef unsigned int u_int;
#endif
#include "apps.h"
#include "progs.h"
#include <openssl/x509.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/rand.h>
#include <openssl/ocsp.h>
#include <openssl/bn.h>
#include <openssl/async.h>
#ifndef OPENSSL_NO_SRP
# include <openssl/srp.h>
#endif
#ifndef OPENSSL_NO_CT
# include <openssl/ct.h>
#endif
#include "s_apps.h"
#include "timeouts.h"
#include "internal/sockets.h"
#if defined(__has_feature)
# if __has_feature(memory_sanitizer)
# include <sanitizer/msan_interface.h>
# endif
#endif
#undef BUFSIZZ
#define BUFSIZZ 1024*8
#define S_CLIENT_IRC_READ_TIMEOUT 8
static char *prog;
static int c_debug = 0;
static int c_showcerts = 0;
static char *keymatexportlabel = NULL;
static int keymatexportlen = 20;
static BIO *bio_c_out = NULL;
static int c_quiet = 0;
static char *sess_out = NULL;
static SSL_SESSION *psksess = NULL;
static void print_stuff(BIO *berr, SSL *con, int full);
#ifndef OPENSSL_NO_OCSP
static int ocsp_resp_cb(SSL *s, void *arg);
#endif
static int ldap_ExtendedResponse_parse(const char *buf, long rem);
static int is_dNS_name(const char *host);
static int saved_errno;
static void save_errno(void)
{
saved_errno = errno;
errno = 0;
}
static int restore_errno(void)
{
int ret = errno;
errno = saved_errno;
return ret;
}
static void do_ssl_shutdown(SSL *ssl)
{
int ret;
do {
/* We only do unidirectional shutdown */
ret = SSL_shutdown(ssl);
if (ret < 0) {
switch (SSL_get_error(ssl, ret)) {
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
case SSL_ERROR_WANT_ASYNC:
case SSL_ERROR_WANT_ASYNC_JOB:
/* We just do busy waiting. Nothing clever */
continue;
}
ret = 0;
}
} while (ret < 0);
}
/* Default PSK identity and key */
static char *psk_identity = "Client_identity";
#ifndef OPENSSL_NO_PSK
static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
unsigned int max_identity_len,
unsigned char *psk,
unsigned int max_psk_len)
{
int ret;
long key_len;
unsigned char *key;
if (c_debug)
BIO_printf(bio_c_out, "psk_client_cb\n");
if (!hint) {
/* no ServerKeyExchange message */
if (c_debug)
BIO_printf(bio_c_out,
"NULL received PSK identity hint, continuing anyway\n");
} else if (c_debug) {
BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
}
/*
* lookup PSK identity and PSK key based on the given identity hint here
*/
ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
if (ret < 0 || (unsigned int)ret > max_identity_len)
goto out_err;
if (c_debug)
BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity,
ret);
/* convert the PSK key to binary */
key = OPENSSL_hexstr2buf(psk_key, &key_len);
if (key == NULL) {
BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
psk_key);
return 0;
}
if (max_psk_len > INT_MAX || key_len > (long)max_psk_len) {
BIO_printf(bio_err,
"psk buffer of callback is too small (%d) for key (%ld)\n",
max_psk_len, key_len);
OPENSSL_free(key);
return 0;
}
memcpy(psk, key, key_len);
OPENSSL_free(key);
if (c_debug)
BIO_printf(bio_c_out, "created PSK len=%ld\n", key_len);
return key_len;
out_err:
if (c_debug)
BIO_printf(bio_err, "Error in PSK client callback\n");
return 0;
}
#endif
const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
const unsigned char tls13_aes256gcmsha384_id[] = { 0x13, 0x02 };
static int psk_use_session_cb(SSL *s, const EVP_MD *md,
const unsigned char **id, size_t *idlen,
SSL_SESSION **sess)
{
SSL_SESSION *usesess = NULL;
const SSL_CIPHER *cipher = NULL;
if (psksess != NULL) {
SSL_SESSION_up_ref(psksess);
usesess = psksess;
} else {
long key_len;
unsigned char *key = OPENSSL_hexstr2buf(psk_key, &key_len);
if (key == NULL) {
BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
psk_key);
return 0;
}
/* We default to SHA-256 */
cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
if (cipher == NULL) {
BIO_printf(bio_err, "Error finding suitable ciphersuite\n");
OPENSSL_free(key);
return 0;
}
usesess = SSL_SESSION_new();
if (usesess == NULL
|| !SSL_SESSION_set1_master_key(usesess, key, key_len)
|| !SSL_SESSION_set_cipher(usesess, cipher)
|| !SSL_SESSION_set_protocol_version(usesess, TLS1_3_VERSION)) {
OPENSSL_free(key);
goto err;
}
OPENSSL_free(key);
}
cipher = SSL_SESSION_get0_cipher(usesess);
if (cipher == NULL)
goto err;
if (md != NULL && SSL_CIPHER_get_handshake_digest(cipher) != md) {
/* PSK not usable, ignore it */
*id = NULL;
*idlen = 0;
*sess = NULL;
SSL_SESSION_free(usesess);
} else {
*sess = usesess;
*id = (unsigned char *)psk_identity;
*idlen = strlen(psk_identity);
}
return 1;
err:
SSL_SESSION_free(usesess);
return 0;
}
/* This is a context that we pass to callbacks */
typedef struct tlsextctx_st {
BIO *biodebug;
int ack;
} tlsextctx;
static int ssl_servername_cb(SSL *s, int *ad, void *arg)
{
tlsextctx *p = (tlsextctx *) arg;
const char *hn = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
if (SSL_get_servername_type(s) != -1)
p->ack = !SSL_session_reused(s) && hn != NULL;
else
BIO_printf(bio_err, "Can't use SSL_get_servername\n");
return SSL_TLSEXT_ERR_OK;
}
#ifndef OPENSSL_NO_SRP
/* This is a context that we pass to all callbacks */
typedef struct srp_arg_st {
char *srppassin;
char *srplogin;
int msg; /* copy from c_msg */
int debug; /* copy from c_debug */
int amp; /* allow more groups */
int strength; /* minimal size for N */
} SRP_ARG;
# define SRP_NUMBER_ITERATIONS_FOR_PRIME 64
static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g)
{
BN_CTX *bn_ctx = BN_CTX_new();
BIGNUM *p = BN_new();
BIGNUM *r = BN_new();
int ret =
g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) &&
BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) == 1 &&
p != NULL && BN_rshift1(p, N) &&
/* p = (N-1)/2 */
BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) == 1 &&
r != NULL &&
/* verify g^((N-1)/2) == -1 (mod N) */
BN_mod_exp(r, g, p, N, bn_ctx) &&
BN_add_word(r, 1) && BN_cmp(r, N) == 0;
BN_free(r);
BN_free(p);
BN_CTX_free(bn_ctx);
return ret;
}
/*-
* This callback is used here for two purposes:
* - extended debugging
* - making some primality tests for unknown groups
* The callback is only called for a non default group.
*
* An application does not need the call back at all if
* only the standard groups are used. In real life situations,
* client and server already share well known groups,
* thus there is no need to verify them.
* Furthermore, in case that a server actually proposes a group that
* is not one of those defined in RFC 5054, it is more appropriate
* to add the group to a static list and then compare since
* primality tests are rather cpu consuming.
*/
static int ssl_srp_verify_param_cb(SSL *s, void *arg)
{
SRP_ARG *srp_arg = (SRP_ARG *)arg;
BIGNUM *N = NULL, *g = NULL;
if (((N = SSL_get_srp_N(s)) == NULL) || ((g = SSL_get_srp_g(s)) == NULL))
return 0;
if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1) {
BIO_printf(bio_err, "SRP parameters:\n");
BIO_printf(bio_err, "\tN=");
BN_print(bio_err, N);
BIO_printf(bio_err, "\n\tg=");
BN_print(bio_err, g);
BIO_printf(bio_err, "\n");
}
if (SRP_check_known_gN_param(g, N))
return 1;
if (srp_arg->amp == 1) {
if (srp_arg->debug)
BIO_printf(bio_err,
"SRP param N and g are not known params, going to check deeper.\n");
/*
* The srp_moregroups is a real debugging feature. Implementors
* should rather add the value to the known ones. The minimal size
* has already been tested.
*/
if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N, g))
return 1;
}
BIO_printf(bio_err, "SRP param N and g rejected.\n");
return 0;
}
# define PWD_STRLEN 1024
static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
{
SRP_ARG *srp_arg = (SRP_ARG *)arg;
char *pass = app_malloc(PWD_STRLEN + 1, "SRP password buffer");
PW_CB_DATA cb_tmp;
int l;
cb_tmp.password = (char *)srp_arg->srppassin;
cb_tmp.prompt_info = "SRP user";
if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp)) < 0) {
BIO_printf(bio_err, "Can't read Password\n");
OPENSSL_free(pass);
return NULL;
}
*(pass + l) = '\0';
return pass;
}
#endif
#ifndef OPENSSL_NO_NEXTPROTONEG
/* This the context that we pass to next_proto_cb */
typedef struct tlsextnextprotoctx_st {
unsigned char *data;
size_t len;
int status;
} tlsextnextprotoctx;
static tlsextnextprotoctx next_proto;
static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen,
const unsigned char *in, unsigned int inlen,
void *arg)
{
tlsextnextprotoctx *ctx = arg;
if (!c_quiet) {
/* We can assume that |in| is syntactically valid. */
unsigned i;
BIO_printf(bio_c_out, "Protocols advertised by server: ");
for (i = 0; i < inlen;) {
if (i)
BIO_write(bio_c_out, ", ", 2);
BIO_write(bio_c_out, &in[i + 1], in[i]);
i += in[i] + 1;
}
BIO_write(bio_c_out, "\n", 1);
}
ctx->status =
SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
return SSL_TLSEXT_ERR_OK;
}
#endif /* ndef OPENSSL_NO_NEXTPROTONEG */
static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type,
const unsigned char *in, size_t inlen,
int *al, void *arg)
{
char pem_name[100];
unsigned char ext_buf[4 + 65536];
/* Reconstruct the type/len fields prior to extension data */
inlen &= 0xffff; /* for formal memcmpy correctness */
ext_buf[0] = (unsigned char)(ext_type >> 8);
ext_buf[1] = (unsigned char)(ext_type);
ext_buf[2] = (unsigned char)(inlen >> 8);
ext_buf[3] = (unsigned char)(inlen);
memcpy(ext_buf + 4, in, inlen);
BIO_snprintf(pem_name, sizeof(pem_name), "SERVERINFO FOR EXTENSION %d",
ext_type);
PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen);
return 1;
}
/*
* Hex decoder that tolerates optional whitespace. Returns number of bytes
* produced, advances inptr to end of input string.
*/
static ossl_ssize_t hexdecode(const char **inptr, void *result)
{
unsigned char **out = (unsigned char **)result;
const char *in = *inptr;
unsigned char *ret = app_malloc(strlen(in) / 2, "hexdecode");
unsigned char *cp = ret;
uint8_t byte;
int nibble = 0;
if (ret == NULL)
return -1;
for (byte = 0; *in; ++in) {
int x;
if (isspace(_UC(*in)))
continue;
x = OPENSSL_hexchar2int(*in);
if (x < 0) {
OPENSSL_free(ret);
return 0;
}
byte |= (char)x;
if ((nibble ^= 1) == 0) {
*cp++ = byte;
byte = 0;
} else {
byte <<= 4;
}
}
if (nibble != 0) {
OPENSSL_free(ret);
return 0;
}
*inptr = in;
return cp - (*out = ret);
}
/*
* Decode unsigned 0..255, returns 1 on success, <= 0 on failure. Advances
* inptr to next field skipping leading whitespace.
*/
static ossl_ssize_t checked_uint8(const char **inptr, void *out)
{
uint8_t *result = (uint8_t *)out;
const char *in = *inptr;
char *endp;
long v;
int e;
save_errno();
v = strtol(in, &endp, 10);
e = restore_errno();
if (((v == LONG_MIN || v == LONG_MAX) && e == ERANGE) ||
endp == in || !isspace(_UC(*endp)) ||
v != (*result = (uint8_t) v)) {
return -1;
}
for (in = endp; isspace(_UC(*in)); ++in)
continue;
*inptr = in;
return 1;
}
struct tlsa_field {
void *var;
const char *name;
ossl_ssize_t (*parser)(const char **, void *);
};
static int tlsa_import_rr(SSL *con, const char *rrdata)
{
/* Not necessary to re-init these values; the "parsers" do that. */
static uint8_t usage;
static uint8_t selector;
static uint8_t mtype;
static unsigned char *data;
static struct tlsa_field tlsa_fields[] = {
{ &usage, "usage", checked_uint8 },
{ &selector, "selector", checked_uint8 },
{ &mtype, "mtype", checked_uint8 },
{ &data, "data", hexdecode },
{ NULL, }
};
struct tlsa_field *f;
int ret;
const char *cp = rrdata;
ossl_ssize_t len = 0;
for (f = tlsa_fields; f->var; ++f) {
/* Returns number of bytes produced, advances cp to next field */
if ((len = f->parser(&cp, f->var)) <= 0) {
BIO_printf(bio_err, "%s: warning: bad TLSA %s field in: %s\n",
prog, f->name, rrdata);
return 0;
}
}
/* The data field is last, so len is its length */
ret = SSL_dane_tlsa_add(con, usage, selector, mtype, data, len);
OPENSSL_free(data);
if (ret == 0) {
ERR_print_errors(bio_err);
BIO_printf(bio_err, "%s: warning: unusable TLSA rrdata: %s\n",
prog, rrdata);
return 0;
}
if (ret < 0) {
ERR_print_errors(bio_err);
BIO_printf(bio_err, "%s: warning: error loading TLSA rrdata: %s\n",
prog, rrdata);
return 0;
}
return ret;
}
static int tlsa_import_rrset(SSL *con, STACK_OF(OPENSSL_STRING) *rrset)
{
int num = sk_OPENSSL_STRING_num(rrset);
int count = 0;
int i;
for (i = 0; i < num; ++i) {
char *rrdata = sk_OPENSSL_STRING_value(rrset, i);
if (tlsa_import_rr(con, rrdata) > 0)
++count;
}
return count > 0;
}
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_4, OPT_6, OPT_HOST, OPT_PORT, OPT_CONNECT, OPT_BIND, OPT_UNIX,
OPT_XMPPHOST, OPT_VERIFY, OPT_NAMEOPT,
OPT_CERT, OPT_CRL, OPT_CRL_DOWNLOAD, OPT_SESS_OUT, OPT_SESS_IN,
OPT_CERTFORM, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET,
OPT_BRIEF, OPT_PREXIT, OPT_CRLF, OPT_QUIET, OPT_NBIO,
OPT_SSL_CLIENT_ENGINE, OPT_IGN_EOF, OPT_NO_IGN_EOF,
OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_WDEBUG,
OPT_MSG, OPT_MSGFILE, OPT_ENGINE, OPT_TRACE, OPT_SECURITY_DEBUG,
OPT_SECURITY_DEBUG_VERBOSE, OPT_SHOWCERTS, OPT_NBIO_TEST, OPT_STATE,
OPT_PSK_IDENTITY, OPT_PSK, OPT_PSK_SESS,
#ifndef OPENSSL_NO_SRP
OPT_SRPUSER, OPT_SRPPASS, OPT_SRP_STRENGTH, OPT_SRP_LATEUSER,
OPT_SRP_MOREGROUPS,
#endif
OPT_SSL3, OPT_SSL_CONFIG,
OPT_TLS1_3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
OPT_DTLS1_2, OPT_SCTP, OPT_TIMEOUT, OPT_MTU, OPT_KEYFORM, OPT_PASS,
OPT_CERT_CHAIN, OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH,
OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN, OPT_CAFILE, OPT_NOCAFILE,
OPT_CHAINCAFILE, OPT_VERIFYCAFILE, OPT_NEXTPROTONEG, OPT_ALPN,
OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME, OPT_NOSERVERNAME, OPT_ASYNC,
OPT_USE_SRTP, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_PROTOHOST,
OPT_MAXFRAGLEN, OPT_MAX_SEND_FRAG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES,
OPT_READ_BUF, OPT_KEYLOG_FILE, OPT_EARLY_DATA, OPT_REQCAFILE,
OPT_V_ENUM,
OPT_X_ENUM,
OPT_S_ENUM,
OPT_FALLBACKSCSV, OPT_NOCMDS, OPT_PROXY, OPT_DANE_TLSA_DOMAIN,
#ifndef OPENSSL_NO_CT
OPT_CT, OPT_NOCT, OPT_CTLOG_FILE,
#endif
OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME,
OPT_ENABLE_PHA,
OPT_SCTP_LABEL_BUG,
OPT_R_ENUM
} OPTION_CHOICE;
const OPTIONS s_client_options[] = {
{"help", OPT_HELP, '-', "Display this summary"},
{"host", OPT_HOST, 's', "Use -connect instead"},
{"port", OPT_PORT, 'p', "Use -connect instead"},
{"connect", OPT_CONNECT, 's',
"TCP/IP where to connect (default is :" PORT ")"},
{"bind", OPT_BIND, 's', "bind local address for connection"},
{"proxy", OPT_PROXY, 's',
"Connect to via specified proxy to the real server"},
#ifdef AF_UNIX
{"unix", OPT_UNIX, 's', "Connect over the specified Unix-domain socket"},
#endif
{"4", OPT_4, '-', "Use IPv4 only"},
#ifdef AF_INET6
{"6", OPT_6, '-', "Use IPv6 only"},
#endif
{"verify", OPT_VERIFY, 'p', "Turn on peer certificate verification"},
{"cert", OPT_CERT, '<', "Certificate file to use, PEM format assumed"},
{"certform", OPT_CERTFORM, 'F',
"Certificate format (PEM or DER) PEM default"},
{"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
{"key", OPT_KEY, 's', "Private key file to use, if not in -cert file"},
{"keyform", OPT_KEYFORM, 'E', "Key format (PEM, DER or engine) PEM default"},
{"pass", OPT_PASS, 's', "Private key file pass phrase source"},
{"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
{"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
{"requestCAfile", OPT_REQCAFILE, '<',
"PEM format file of CA names to send to the server"},
{"dane_tlsa_domain", OPT_DANE_TLSA_DOMAIN, 's', "DANE TLSA base domain"},
{"dane_tlsa_rrdata", OPT_DANE_TLSA_RRDATA, 's',
"DANE TLSA rrdata presentation form"},
{"dane_ee_no_namechecks", OPT_DANE_EE_NO_NAME, '-',
"Disable name checks when matching DANE-EE(3) TLSA records"},
{"reconnect", OPT_RECONNECT, '-',
"Drop and re-make the connection with the same Session-ID"},
{"showcerts", OPT_SHOWCERTS, '-',
"Show all certificates sent by the server"},
{"debug", OPT_DEBUG, '-', "Extra output"},
{"msg", OPT_MSG, '-', "Show protocol messages"},
{"msgfile", OPT_MSGFILE, '>',
"File to send output of -msg or -trace, instead of stdout"},
{"nbio_test", OPT_NBIO_TEST, '-', "More ssl protocol testing"},
{"state", OPT_STATE, '-', "Print the ssl states"},
{"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"},
{"quiet", OPT_QUIET, '-', "No s_client output"},
{"ign_eof", OPT_IGN_EOF, '-', "Ignore input eof (default when -quiet)"},
{"no_ign_eof", OPT_NO_IGN_EOF, '-', "Don't ignore input eof"},
{"starttls", OPT_STARTTLS, 's',
"Use the appropriate STARTTLS command before starting TLS"},
{"xmpphost", OPT_XMPPHOST, 's',
"Alias of -name option for \"-starttls xmpp[-server]\""},
OPT_R_OPTIONS,
{"sess_out", OPT_SESS_OUT, '>', "File to write SSL session to"},
{"sess_in", OPT_SESS_IN, '<', "File to read SSL session from"},
#ifndef OPENSSL_NO_SRTP
{"use_srtp", OPT_USE_SRTP, 's',
"Offer SRTP key management with a colon-separated profile list"},
#endif
{"keymatexport", OPT_KEYMATEXPORT, 's',
"Export keying material using label"},
{"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p',
"Export len bytes of keying material (default 20)"},
{"maxfraglen", OPT_MAXFRAGLEN, 'p',
"Enable Maximum Fragment Length Negotiation (len values: 512, 1024, 2048 and 4096)"},
{"fallback_scsv", OPT_FALLBACKSCSV, '-', "Send the fallback SCSV"},
{"name", OPT_PROTOHOST, 's',
"Hostname to use for \"-starttls lmtp\", \"-starttls smtp\" or \"-starttls xmpp[-server]\""},
{"CRL", OPT_CRL, '<', "CRL file to use"},
{"crl_download", OPT_CRL_DOWNLOAD, '-', "Download CRL from distribution points"},
{"CRLform", OPT_CRLFORM, 'F', "CRL format (PEM or DER) PEM is default"},
{"verify_return_error", OPT_VERIFY_RET_ERROR, '-',
"Close connection on verification error"},
{"verify_quiet", OPT_VERIFY_QUIET, '-', "Restrict verify output to errors"},
{"brief", OPT_BRIEF, '-',
"Restrict output to brief summary of connection parameters"},
{"prexit", OPT_PREXIT, '-',
"Print session information when the program exits"},
{"security_debug", OPT_SECURITY_DEBUG, '-',
"Enable security debug messages"},
{"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-',
"Output more security debug output"},
{"cert_chain", OPT_CERT_CHAIN, '<',
"Certificate chain file (in PEM format)"},
{"chainCApath", OPT_CHAINCAPATH, '/',
"Use dir as certificate store path to build CA certificate chain"},
{"verifyCApath", OPT_VERIFYCAPATH, '/',
"Use dir as certificate store path to verify CA certificate"},
{"build_chain", OPT_BUILD_CHAIN, '-', "Build certificate chain"},
{"chainCAfile", OPT_CHAINCAFILE, '<',
"CA file for certificate chain (PEM format)"},
{"verifyCAfile", OPT_VERIFYCAFILE, '<',
"CA file for certificate verification (PEM format)"},
{"nocommands", OPT_NOCMDS, '-', "Do not use interactive command letters"},
{"servername", OPT_SERVERNAME, 's',
"Set TLS extension servername (SNI) in ClientHello (default)"},
{"noservername", OPT_NOSERVERNAME, '-',
"Do not send the server name (SNI) extension in the ClientHello"},
{"tlsextdebug", OPT_TLSEXTDEBUG, '-',
"Hex dump of all TLS extensions received"},
#ifndef OPENSSL_NO_OCSP
{"status", OPT_STATUS, '-', "Request certificate status from server"},
#endif
{"serverinfo", OPT_SERVERINFO, 's',
"types Send empty ClientHello extensions (comma-separated numbers)"},
{"alpn", OPT_ALPN, 's',
"Enable ALPN extension, considering named protocols supported (comma-separated list)"},
{"async", OPT_ASYNC, '-', "Support asynchronous operation"},
{"ssl_config", OPT_SSL_CONFIG, 's', "Use specified configuration file"},
{"max_send_frag", OPT_MAX_SEND_FRAG, 'p', "Maximum Size of send frames "},
{"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p',
"Size used to split data for encrypt pipelines"},
{"max_pipelines", OPT_MAX_PIPELINES, 'p',
"Maximum number of encrypt/decrypt pipelines to be used"},
{"read_buf", OPT_READ_BUF, 'p',
"Default read buffer size to be used for connections"},
OPT_S_OPTIONS,
OPT_V_OPTIONS,
OPT_X_OPTIONS,
#ifndef OPENSSL_NO_SSL3
{"ssl3", OPT_SSL3, '-', "Just use SSLv3"},
#endif
#ifndef OPENSSL_NO_TLS1
{"tls1", OPT_TLS1, '-', "Just use TLSv1"},
#endif
#ifndef OPENSSL_NO_TLS1_1
{"tls1_1", OPT_TLS1_1, '-', "Just use TLSv1.1"},
#endif
#ifndef OPENSSL_NO_TLS1_2
{"tls1_2", OPT_TLS1_2, '-', "Just use TLSv1.2"},
#endif
#ifndef OPENSSL_NO_TLS1_3
{"tls1_3", OPT_TLS1_3, '-', "Just use TLSv1.3"},
#endif
#ifndef OPENSSL_NO_DTLS
{"dtls", OPT_DTLS, '-', "Use any version of DTLS"},
{"timeout", OPT_TIMEOUT, '-',
"Enable send/receive timeout on DTLS connections"},
{"mtu", OPT_MTU, 'p', "Set the link layer MTU"},
#endif
#ifndef OPENSSL_NO_DTLS1
{"dtls1", OPT_DTLS1, '-', "Just use DTLSv1"},
#endif
#ifndef OPENSSL_NO_DTLS1_2
{"dtls1_2", OPT_DTLS1_2, '-', "Just use DTLSv1.2"},
#endif
#ifndef OPENSSL_NO_SCTP
{"sctp", OPT_SCTP, '-', "Use SCTP"},
{"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"},
#endif
#ifndef OPENSSL_NO_SSL_TRACE
{"trace", OPT_TRACE, '-', "Show trace output of protocol messages"},
#endif
#ifdef WATT32
{"wdebug", OPT_WDEBUG, '-', "WATT-32 tcp debugging"},
#endif
{"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
{"psk_identity", OPT_PSK_IDENTITY, 's', "PSK identity"},
{"psk", OPT_PSK, 's', "PSK in hex (without 0x)"},
{"psk_session", OPT_PSK_SESS, '<', "File to read PSK SSL session from"},
#ifndef OPENSSL_NO_SRP
{"srpuser", OPT_SRPUSER, 's', "SRP authentication for 'user'"},
{"srppass", OPT_SRPPASS, 's', "Password for 'user'"},
{"srp_lateuser", OPT_SRP_LATEUSER, '-',
"SRP username into second ClientHello message"},
{"srp_moregroups", OPT_SRP_MOREGROUPS, '-',
"Tolerate other than the known g N values."},
{"srp_strength", OPT_SRP_STRENGTH, 'p', "Minimal length in bits for N"},
#endif
#ifndef OPENSSL_NO_NEXTPROTONEG
{"nextprotoneg", OPT_NEXTPROTONEG, 's',
"Enable NPN extension, considering named protocols supported (comma-separated list)"},
#endif
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
{"ssl_client_engine", OPT_SSL_CLIENT_ENGINE, 's',
"Specify engine to be used for client certificate operations"},
#endif
#ifndef OPENSSL_NO_CT
{"ct", OPT_CT, '-', "Request and parse SCTs (also enables OCSP stapling)"},
{"noct", OPT_NOCT, '-', "Do not request or parse SCTs (default)"},
{"ctlogfile", OPT_CTLOG_FILE, '<', "CT log list CONF file"},
#endif
{"keylogfile", OPT_KEYLOG_FILE, '>', "Write TLS secrets to file"},
{"early_data", OPT_EARLY_DATA, '<', "File to send as early data"},
{"enable_pha", OPT_ENABLE_PHA, '-', "Enable post-handshake-authentication"},
{NULL, OPT_EOF, 0x00, NULL}
};
typedef enum PROTOCOL_choice {
PROTO_OFF,
PROTO_SMTP,
PROTO_POP3,
PROTO_IMAP,
PROTO_FTP,
PROTO_TELNET,
PROTO_XMPP,
PROTO_XMPP_SERVER,
PROTO_CONNECT,
PROTO_IRC,
PROTO_MYSQL,
PROTO_POSTGRES,
PROTO_LMTP,
PROTO_NNTP,
PROTO_SIEVE,
PROTO_LDAP
} PROTOCOL_CHOICE;
static const OPT_PAIR services[] = {
{"smtp", PROTO_SMTP},
{"pop3", PROTO_POP3},
{"imap", PROTO_IMAP},
{"ftp", PROTO_FTP},
{"xmpp", PROTO_XMPP},
{"xmpp-server", PROTO_XMPP_SERVER},
{"telnet", PROTO_TELNET},
{"irc", PROTO_IRC},
{"mysql", PROTO_MYSQL},
{"postgres", PROTO_POSTGRES},
{"lmtp", PROTO_LMTP},
{"nntp", PROTO_NNTP},
{"sieve", PROTO_SIEVE},
{"ldap", PROTO_LDAP},
{NULL, 0}
};
#define IS_INET_FLAG(o) \
(o == OPT_4 || o == OPT_6 || o == OPT_HOST || o == OPT_PORT || o == OPT_CONNECT)
#define IS_UNIX_FLAG(o) (o == OPT_UNIX)
#define IS_PROT_FLAG(o) \
(o == OPT_SSL3 || o == OPT_TLS1 || o == OPT_TLS1_1 || o == OPT_TLS1_2 \
|| o == OPT_TLS1_3 || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2)
/* Free |*dest| and optionally set it to a copy of |source|. */
static void freeandcopy(char **dest, const char *source)
{
OPENSSL_free(*dest);
*dest = NULL;
if (source != NULL)
*dest = OPENSSL_strdup(source);
}
static int new_session_cb(SSL *s, SSL_SESSION *sess)
{
if (sess_out != NULL) {
BIO *stmp = BIO_new_file(sess_out, "w");
if (stmp == NULL) {
BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
} else {
PEM_write_bio_SSL_SESSION(stmp, sess);
BIO_free(stmp);
}
}
/*
* Session data gets dumped on connection for TLSv1.2 and below, and on
* arrival of the NewSessionTicket for TLSv1.3.
*/
if (SSL_version(s) == TLS1_3_VERSION) {
BIO_printf(bio_c_out,
"---\nPost-Handshake New Session Ticket arrived:\n");
SSL_SESSION_print(bio_c_out, sess);
BIO_printf(bio_c_out, "---\n");
}
/*
* We always return a "fail" response so that the session gets freed again
* because we haven't used the reference.
*/
return 0;
}
int s_client_main(int argc, char **argv)
{
BIO *sbio;
EVP_PKEY *key = NULL;
SSL *con = NULL;
SSL_CTX *ctx = NULL;
STACK_OF(X509) *chain = NULL;
X509 *cert = NULL;
X509_VERIFY_PARAM *vpm = NULL;
SSL_EXCERT *exc = NULL;
SSL_CONF_CTX *cctx = NULL;
STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
char *dane_tlsa_domain = NULL;
STACK_OF(OPENSSL_STRING) *dane_tlsa_rrset = NULL;
int dane_ee_no_name = 0;
STACK_OF(X509_CRL) *crls = NULL;
const SSL_METHOD *meth = TLS_client_method();
const char *CApath = NULL, *CAfile = NULL;
char *cbuf = NULL, *sbuf = NULL;
char *mbuf = NULL, *proxystr = NULL, *connectstr = NULL, *bindstr = NULL;
char *cert_file = NULL, *key_file = NULL, *chain_file = NULL;
char *chCApath = NULL, *chCAfile = NULL, *host = NULL;
char *port = OPENSSL_strdup(PORT);
char *bindhost = NULL, *bindport = NULL;
char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL;
char *ReqCAfile = NULL;
char *sess_in = NULL, *crl_file = NULL, *p;
const char *protohost = NULL;
struct timeval timeout, *timeoutp;
fd_set readfds, writefds;
int noCApath = 0, noCAfile = 0;
int build_chain = 0, cbuf_len, cbuf_off, cert_format = FORMAT_PEM;
int key_format = FORMAT_PEM, crlf = 0, full_log = 1, mbuf_len = 0;
int prexit = 0;
int sdebug = 0;
int reconnect = 0, verify = SSL_VERIFY_NONE, vpmtouched = 0;
int ret = 1, in_init = 1, i, nbio_test = 0, s = -1, k, width, state = 0;
int sbuf_len, sbuf_off, cmdletters = 1;
int socket_family = AF_UNSPEC, socket_type = SOCK_STREAM, protocol = 0;
int starttls_proto = PROTO_OFF, crl_format = FORMAT_PEM, crl_download = 0;
int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending;
#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
int at_eof = 0;
#endif
int read_buf_len = 0;
int fallback_scsv = 0;
OPTION_CHOICE o;
#ifndef OPENSSL_NO_DTLS
int enable_timeouts = 0;
long socket_mtu = 0;
#endif
#ifndef OPENSSL_NO_ENGINE
ENGINE *ssl_client_engine = NULL;
#endif
ENGINE *e = NULL;
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
struct timeval tv;
#endif
const char *servername = NULL;
+ char *sname_alloc = NULL;
int noservername = 0;
const char *alpn_in = NULL;
tlsextctx tlsextcbp = { NULL, 0 };
const char *ssl_config = NULL;
#define MAX_SI_TYPES 100
unsigned short serverinfo_types[MAX_SI_TYPES];
int serverinfo_count = 0, start = 0, len;
#ifndef OPENSSL_NO_NEXTPROTONEG
const char *next_proto_neg_in = NULL;
#endif
#ifndef OPENSSL_NO_SRP
char *srppass = NULL;
int srp_lateuser = 0;
SRP_ARG srp_arg = { NULL, NULL, 0, 0, 0, 1024 };
#endif
#ifndef OPENSSL_NO_SRTP
char *srtp_profiles = NULL;
#endif
#ifndef OPENSSL_NO_CT
char *ctlog_file = NULL;
int ct_validation = 0;
#endif
int min_version = 0, max_version = 0, prot_opt = 0, no_prot_opt = 0;
int async = 0;
unsigned int max_send_fragment = 0;
unsigned int split_send_fragment = 0, max_pipelines = 0;
enum { use_inet, use_unix, use_unknown } connect_type = use_unknown;
int count4or6 = 0;
uint8_t maxfraglen = 0;
int c_nbio = 0, c_msg = 0, c_ign_eof = 0, c_brief = 0;
int c_tlsextdebug = 0;
#ifndef OPENSSL_NO_OCSP
int c_status_req = 0;
#endif
BIO *bio_c_msg = NULL;
const char *keylog_file = NULL, *early_data_file = NULL;
#ifndef OPENSSL_NO_DTLS
int isdtls = 0;
#endif
char *psksessf = NULL;
int enable_pha = 0;
#ifndef OPENSSL_NO_SCTP
int sctp_label_bug = 0;
#endif
FD_ZERO(&readfds);
FD_ZERO(&writefds);
/* Known false-positive of MemorySanitizer. */
#if defined(__has_feature)
# if __has_feature(memory_sanitizer)
__msan_unpoison(&readfds, sizeof(readfds));
__msan_unpoison(&writefds, sizeof(writefds));
# endif
#endif
prog = opt_progname(argv[0]);
c_quiet = 0;
c_debug = 0;
c_showcerts = 0;
c_nbio = 0;
vpm = X509_VERIFY_PARAM_new();
cctx = SSL_CONF_CTX_new();
if (vpm == NULL || cctx == NULL) {
BIO_printf(bio_err, "%s: out of memory\n", prog);
goto end;
}
cbuf = app_malloc(BUFSIZZ, "cbuf");
sbuf = app_malloc(BUFSIZZ, "sbuf");
mbuf = app_malloc(BUFSIZZ, "mbuf");
SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT | SSL_CONF_FLAG_CMDLINE);
prog = opt_init(argc, argv, s_client_options);
while ((o = opt_next()) != OPT_EOF) {
/* Check for intermixing flags. */
if (connect_type == use_unix && IS_INET_FLAG(o)) {
BIO_printf(bio_err,
"%s: Intermixed protocol flags (unix and internet domains)\n",
prog);
goto end;
}
if (connect_type == use_inet && IS_UNIX_FLAG(o)) {
BIO_printf(bio_err,
"%s: Intermixed protocol flags (internet and unix domains)\n",
prog);
goto end;
}
if (IS_PROT_FLAG(o) && ++prot_opt > 1) {
BIO_printf(bio_err, "Cannot supply multiple protocol flags\n");
goto end;
}
if (IS_NO_PROT_FLAG(o))
no_prot_opt++;
if (prot_opt == 1 && no_prot_opt) {
BIO_printf(bio_err,
"Cannot supply both a protocol flag and '-no_<prot>'\n");
goto end;
}
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
opt_help(s_client_options);
ret = 0;
goto end;
case OPT_4:
connect_type = use_inet;
socket_family = AF_INET;
count4or6++;
break;
#ifdef AF_INET6
case OPT_6:
connect_type = use_inet;
socket_family = AF_INET6;
count4or6++;
break;
#endif
case OPT_HOST:
connect_type = use_inet;
freeandcopy(&host, opt_arg());
break;
case OPT_PORT:
connect_type = use_inet;
freeandcopy(&port, opt_arg());
break;
case OPT_CONNECT:
connect_type = use_inet;
freeandcopy(&connectstr, opt_arg());
break;
case OPT_BIND:
freeandcopy(&bindstr, opt_arg());
break;
case OPT_PROXY:
proxystr = opt_arg();
starttls_proto = PROTO_CONNECT;
break;
#ifdef AF_UNIX
case OPT_UNIX:
connect_type = use_unix;
socket_family = AF_UNIX;
freeandcopy(&host, opt_arg());
break;
#endif
case OPT_XMPPHOST:
/* fall through, since this is an alias */
case OPT_PROTOHOST:
protohost = opt_arg();
break;
case OPT_VERIFY:
verify = SSL_VERIFY_PEER;
verify_args.depth = atoi(opt_arg());
if (!c_quiet)
BIO_printf(bio_err, "verify depth is %d\n", verify_args.depth);
break;
case OPT_CERT:
cert_file = opt_arg();
break;
case OPT_NAMEOPT:
if (!set_nameopt(opt_arg()))
goto end;
break;
case OPT_CRL:
crl_file = opt_arg();
break;
case OPT_CRL_DOWNLOAD:
crl_download = 1;
break;
case OPT_SESS_OUT:
sess_out = opt_arg();
break;
case OPT_SESS_IN:
sess_in = opt_arg();
break;
case OPT_CERTFORM:
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &cert_format))
goto opthelp;
break;
case OPT_CRLFORM:
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &crl_format))
goto opthelp;
break;
case OPT_VERIFY_RET_ERROR:
verify = SSL_VERIFY_PEER;
verify_args.return_error = 1;
break;
case OPT_VERIFY_QUIET:
verify_args.quiet = 1;
break;
case OPT_BRIEF:
c_brief = verify_args.quiet = c_quiet = 1;
break;
case OPT_S_CASES:
if (ssl_args == NULL)
ssl_args = sk_OPENSSL_STRING_new_null();
if (ssl_args == NULL
|| !sk_OPENSSL_STRING_push(ssl_args, opt_flag())
|| !sk_OPENSSL_STRING_push(ssl_args, opt_arg())) {
BIO_printf(bio_err, "%s: Memory allocation failure\n", prog);
goto end;
}
break;
case OPT_V_CASES:
if (!opt_verify(o, vpm))
goto end;
vpmtouched++;
break;
case OPT_X_CASES:
if (!args_excert(o, &exc))
goto end;
break;
case OPT_PREXIT:
prexit = 1;
break;
case OPT_CRLF:
crlf = 1;
break;
case OPT_QUIET:
c_quiet = c_ign_eof = 1;
break;
case OPT_NBIO:
c_nbio = 1;
break;
case OPT_NOCMDS:
cmdletters = 0;
break;
case OPT_ENGINE:
e = setup_engine(opt_arg(), 1);
break;
case OPT_SSL_CLIENT_ENGINE:
#ifndef OPENSSL_NO_ENGINE
ssl_client_engine = ENGINE_by_id(opt_arg());
if (ssl_client_engine == NULL) {
BIO_printf(bio_err, "Error getting client auth engine\n");
goto opthelp;
}
#endif
break;
case OPT_R_CASES:
if (!opt_rand(o))
goto end;
break;
case OPT_IGN_EOF:
c_ign_eof = 1;
break;
case OPT_NO_IGN_EOF:
c_ign_eof = 0;
break;
case OPT_DEBUG:
c_debug = 1;
break;
case OPT_TLSEXTDEBUG:
c_tlsextdebug = 1;
break;
case OPT_STATUS:
#ifndef OPENSSL_NO_OCSP
c_status_req = 1;
#endif
break;
case OPT_WDEBUG:
#ifdef WATT32
dbug_init();
#endif
break;
case OPT_MSG:
c_msg = 1;
break;
case OPT_MSGFILE:
bio_c_msg = BIO_new_file(opt_arg(), "w");
break;
case OPT_TRACE:
#ifndef OPENSSL_NO_SSL_TRACE
c_msg = 2;
#endif
break;
case OPT_SECURITY_DEBUG:
sdebug = 1;
break;
case OPT_SECURITY_DEBUG_VERBOSE:
sdebug = 2;
break;
case OPT_SHOWCERTS:
c_showcerts = 1;
break;
case OPT_NBIO_TEST:
nbio_test = 1;
break;
case OPT_STATE:
state = 1;
break;
case OPT_PSK_IDENTITY:
psk_identity = opt_arg();
break;
case OPT_PSK:
for (p = psk_key = opt_arg(); *p; p++) {
if (isxdigit(_UC(*p)))
continue;
BIO_printf(bio_err, "Not a hex number '%s'\n", psk_key);
goto end;
}
break;
case OPT_PSK_SESS:
psksessf = opt_arg();
break;
#ifndef OPENSSL_NO_SRP
case OPT_SRPUSER:
srp_arg.srplogin = opt_arg();
if (min_version < TLS1_VERSION)
min_version = TLS1_VERSION;
break;
case OPT_SRPPASS:
srppass = opt_arg();
if (min_version < TLS1_VERSION)
min_version = TLS1_VERSION;
break;
case OPT_SRP_STRENGTH:
srp_arg.strength = atoi(opt_arg());
BIO_printf(bio_err, "SRP minimal length for N is %d\n",
srp_arg.strength);
if (min_version < TLS1_VERSION)
min_version = TLS1_VERSION;
break;
case OPT_SRP_LATEUSER:
srp_lateuser = 1;
if (min_version < TLS1_VERSION)
min_version = TLS1_VERSION;
break;
case OPT_SRP_MOREGROUPS:
srp_arg.amp = 1;
if (min_version < TLS1_VERSION)
min_version = TLS1_VERSION;
break;
#endif
case OPT_SSL_CONFIG:
ssl_config = opt_arg();
break;
case OPT_SSL3:
min_version = SSL3_VERSION;
max_version = SSL3_VERSION;
socket_type = SOCK_STREAM;
#ifndef OPENSSL_NO_DTLS
isdtls = 0;
#endif
break;
case OPT_TLS1_3:
min_version = TLS1_3_VERSION;
max_version = TLS1_3_VERSION;
socket_type = SOCK_STREAM;
#ifndef OPENSSL_NO_DTLS
isdtls = 0;
#endif
break;
case OPT_TLS1_2:
min_version = TLS1_2_VERSION;
max_version = TLS1_2_VERSION;
socket_type = SOCK_STREAM;
#ifndef OPENSSL_NO_DTLS
isdtls = 0;
#endif
break;
case OPT_TLS1_1:
min_version = TLS1_1_VERSION;
max_version = TLS1_1_VERSION;
socket_type = SOCK_STREAM;
#ifndef OPENSSL_NO_DTLS
isdtls = 0;
#endif
break;
case OPT_TLS1:
min_version = TLS1_VERSION;
max_version = TLS1_VERSION;
socket_type = SOCK_STREAM;
#ifndef OPENSSL_NO_DTLS
isdtls = 0;
#endif
break;
case OPT_DTLS:
#ifndef OPENSSL_NO_DTLS
meth = DTLS_client_method();
socket_type = SOCK_DGRAM;
isdtls = 1;
#endif
break;
case OPT_DTLS1:
#ifndef OPENSSL_NO_DTLS1
meth = DTLS_client_method();
min_version = DTLS1_VERSION;
max_version = DTLS1_VERSION;
socket_type = SOCK_DGRAM;
isdtls = 1;
#endif
break;
case OPT_DTLS1_2:
#ifndef OPENSSL_NO_DTLS1_2
meth = DTLS_client_method();
min_version = DTLS1_2_VERSION;
max_version = DTLS1_2_VERSION;
socket_type = SOCK_DGRAM;
isdtls = 1;
#endif
break;
case OPT_SCTP:
#ifndef OPENSSL_NO_SCTP
protocol = IPPROTO_SCTP;
#endif
break;
case OPT_SCTP_LABEL_BUG:
#ifndef OPENSSL_NO_SCTP
sctp_label_bug = 1;
#endif
break;
case OPT_TIMEOUT:
#ifndef OPENSSL_NO_DTLS
enable_timeouts = 1;
#endif
break;
case OPT_MTU:
#ifndef OPENSSL_NO_DTLS
socket_mtu = atol(opt_arg());
#endif
break;
case OPT_FALLBACKSCSV:
fallback_scsv = 1;
break;
case OPT_KEYFORM:
if (!opt_format(opt_arg(), OPT_FMT_PDE, &key_format))
goto opthelp;
break;
case OPT_PASS:
passarg = opt_arg();
break;
case OPT_CERT_CHAIN:
chain_file = opt_arg();
break;
case OPT_KEY:
key_file = opt_arg();
break;
case OPT_RECONNECT:
reconnect = 5;
break;
case OPT_CAPATH:
CApath = opt_arg();
break;
case OPT_NOCAPATH:
noCApath = 1;
break;
case OPT_CHAINCAPATH:
chCApath = opt_arg();
break;
case OPT_VERIFYCAPATH:
vfyCApath = opt_arg();
break;
case OPT_BUILD_CHAIN:
build_chain = 1;
break;
case OPT_REQCAFILE:
ReqCAfile = opt_arg();
break;
case OPT_CAFILE:
CAfile = opt_arg();
break;
case OPT_NOCAFILE:
noCAfile = 1;
break;
#ifndef OPENSSL_NO_CT
case OPT_NOCT:
ct_validation = 0;
break;
case OPT_CT:
ct_validation = 1;
break;
case OPT_CTLOG_FILE:
ctlog_file = opt_arg();
break;
#endif
case OPT_CHAINCAFILE:
chCAfile = opt_arg();
break;
case OPT_VERIFYCAFILE:
vfyCAfile = opt_arg();
break;
case OPT_DANE_TLSA_DOMAIN:
dane_tlsa_domain = opt_arg();
break;
case OPT_DANE_TLSA_RRDATA:
if (dane_tlsa_rrset == NULL)
dane_tlsa_rrset = sk_OPENSSL_STRING_new_null();
if (dane_tlsa_rrset == NULL ||
!sk_OPENSSL_STRING_push(dane_tlsa_rrset, opt_arg())) {
BIO_printf(bio_err, "%s: Memory allocation failure\n", prog);
goto end;
}
break;
case OPT_DANE_EE_NO_NAME:
dane_ee_no_name = 1;
break;
case OPT_NEXTPROTONEG:
#ifndef OPENSSL_NO_NEXTPROTONEG
next_proto_neg_in = opt_arg();
#endif
break;
case OPT_ALPN:
alpn_in = opt_arg();
break;
case OPT_SERVERINFO:
p = opt_arg();
len = strlen(p);
for (start = 0, i = 0; i <= len; ++i) {
if (i == len || p[i] == ',') {
serverinfo_types[serverinfo_count] = atoi(p + start);
if (++serverinfo_count == MAX_SI_TYPES)
break;
start = i + 1;
}
}
break;
case OPT_STARTTLS:
if (!opt_pair(opt_arg(), services, &starttls_proto))
goto end;
break;
case OPT_SERVERNAME:
servername = opt_arg();
break;
case OPT_NOSERVERNAME:
noservername = 1;
break;
case OPT_USE_SRTP:
#ifndef OPENSSL_NO_SRTP
srtp_profiles = opt_arg();
#endif
break;
case OPT_KEYMATEXPORT:
keymatexportlabel = opt_arg();
break;
case OPT_KEYMATEXPORTLEN:
keymatexportlen = atoi(opt_arg());
break;
case OPT_ASYNC:
async = 1;
break;
case OPT_MAXFRAGLEN:
len = atoi(opt_arg());
switch (len) {
case 512:
maxfraglen = TLSEXT_max_fragment_length_512;
break;
case 1024:
maxfraglen = TLSEXT_max_fragment_length_1024;
break;
case 2048:
maxfraglen = TLSEXT_max_fragment_length_2048;
break;
case 4096:
maxfraglen = TLSEXT_max_fragment_length_4096;
break;
default:
BIO_printf(bio_err,
"%s: Max Fragment Len %u is out of permitted values",
prog, len);
goto opthelp;
}
break;
case OPT_MAX_SEND_FRAG:
max_send_fragment = atoi(opt_arg());
break;
case OPT_SPLIT_SEND_FRAG:
split_send_fragment = atoi(opt_arg());
break;
case OPT_MAX_PIPELINES:
max_pipelines = atoi(opt_arg());
break;
case OPT_READ_BUF:
read_buf_len = atoi(opt_arg());
break;
case OPT_KEYLOG_FILE:
keylog_file = opt_arg();
break;
case OPT_EARLY_DATA:
early_data_file = opt_arg();
break;
case OPT_ENABLE_PHA:
enable_pha = 1;
break;
}
}
if (count4or6 >= 2) {
BIO_printf(bio_err, "%s: Can't use both -4 and -6\n", prog);
goto opthelp;
}
if (noservername) {
if (servername != NULL) {
BIO_printf(bio_err,
"%s: Can't use -servername and -noservername together\n",
prog);
goto opthelp;
}
if (dane_tlsa_domain != NULL) {
BIO_printf(bio_err,
"%s: Can't use -dane_tlsa_domain and -noservername together\n",
prog);
goto opthelp;
}
}
argc = opt_num_rest();
if (argc == 1) {
/* If there's a positional argument, it's the equivalent of
* OPT_CONNECT.
* Don't allow -connect and a separate argument.
*/
if (connectstr != NULL) {
BIO_printf(bio_err,
"%s: must not provide both -connect option and target parameter\n",
prog);
goto opthelp;
}
connect_type = use_inet;
freeandcopy(&connectstr, *opt_rest());
} else if (argc != 0) {
goto opthelp;
}
#ifndef OPENSSL_NO_NEXTPROTONEG
if (min_version == TLS1_3_VERSION && next_proto_neg_in != NULL) {
BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
goto opthelp;
}
#endif
if (proxystr != NULL) {
int res;
char *tmp_host = host, *tmp_port = port;
if (connectstr == NULL) {
BIO_printf(bio_err, "%s: -proxy requires use of -connect or target parameter\n", prog);
goto opthelp;
}
res = BIO_parse_hostserv(proxystr, &host, &port, BIO_PARSE_PRIO_HOST);
if (tmp_host != host)
OPENSSL_free(tmp_host);
if (tmp_port != port)
OPENSSL_free(tmp_port);
if (!res) {
BIO_printf(bio_err,
"%s: -proxy argument malformed or ambiguous\n", prog);
goto end;
}
+ if (servername == NULL && !noservername) {
+ res = BIO_parse_hostserv(connectstr, &sname_alloc, NULL, BIO_PARSE_PRIO_HOST);
+ if (!res) {
+ BIO_printf(bio_err,
+ "%s: -connect argument malformed or ambiguous\n", prog);
+ goto end;
+ }
+ servername = sname_alloc;
+ }
} else {
int res = 1;
char *tmp_host = host, *tmp_port = port;
if (connectstr != NULL)
res = BIO_parse_hostserv(connectstr, &host, &port,
BIO_PARSE_PRIO_HOST);
if (tmp_host != host)
OPENSSL_free(tmp_host);
if (tmp_port != port)
OPENSSL_free(tmp_port);
if (!res) {
BIO_printf(bio_err,
"%s: -connect argument or target parameter malformed or ambiguous\n",
prog);
goto end;
}
}
if (bindstr != NULL) {
int res;
res = BIO_parse_hostserv(bindstr, &bindhost, &bindport,
BIO_PARSE_PRIO_HOST);
if (!res) {
BIO_printf(bio_err,
"%s: -bind argument parameter malformed or ambiguous\n",
prog);
goto end;
}
}
#ifdef AF_UNIX
if (socket_family == AF_UNIX && socket_type != SOCK_STREAM) {
BIO_printf(bio_err,
"Can't use unix sockets and datagrams together\n");
goto end;
}
#endif
#ifndef OPENSSL_NO_SCTP
if (protocol == IPPROTO_SCTP) {
if (socket_type != SOCK_DGRAM) {
BIO_printf(bio_err, "Can't use -sctp without DTLS\n");
goto end;
}
/* SCTP is unusual. It uses DTLS over a SOCK_STREAM protocol */
socket_type = SOCK_STREAM;
}
#endif
#if !defined(OPENSSL_NO_NEXTPROTONEG)
next_proto.status = -1;
if (next_proto_neg_in) {
next_proto.data =
next_protos_parse(&next_proto.len, next_proto_neg_in);
if (next_proto.data == NULL) {
BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
goto end;
}
} else
next_proto.data = NULL;
#endif
if (!app_passwd(passarg, NULL, &pass, NULL)) {
BIO_printf(bio_err, "Error getting password\n");
goto end;
}
if (key_file == NULL)
key_file = cert_file;
if (key_file != NULL) {
key = load_key(key_file, key_format, 0, pass, e,
"client certificate private key file");
if (key == NULL) {
ERR_print_errors(bio_err);
goto end;
}
}
if (cert_file != NULL) {
cert = load_cert(cert_file, cert_format, "client certificate file");
if (cert == NULL) {
ERR_print_errors(bio_err);
goto end;
}
}
if (chain_file != NULL) {
if (!load_certs(chain_file, &chain, FORMAT_PEM, NULL,
"client certificate chain"))
goto end;
}
if (crl_file != NULL) {
X509_CRL *crl;
crl = load_crl(crl_file, crl_format);
if (crl == NULL) {
BIO_puts(bio_err, "Error loading CRL\n");
ERR_print_errors(bio_err);
goto end;
}
crls = sk_X509_CRL_new_null();
if (crls == NULL || !sk_X509_CRL_push(crls, crl)) {
BIO_puts(bio_err, "Error adding CRL\n");
ERR_print_errors(bio_err);
X509_CRL_free(crl);
goto end;
}
}
if (!load_excert(&exc))
goto end;
if (bio_c_out == NULL) {
if (c_quiet && !c_debug) {
bio_c_out = BIO_new(BIO_s_null());
if (c_msg && bio_c_msg == NULL)
bio_c_msg = dup_bio_out(FORMAT_TEXT);
} else if (bio_c_out == NULL)
bio_c_out = dup_bio_out(FORMAT_TEXT);
}
#ifndef OPENSSL_NO_SRP
if (!app_passwd(srppass, NULL, &srp_arg.srppassin, NULL)) {
BIO_printf(bio_err, "Error getting password\n");
goto end;
}
#endif
ctx = SSL_CTX_new(meth);
if (ctx == NULL) {
ERR_print_errors(bio_err);
goto end;
}
SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY);
if (sdebug)
ssl_ctx_security_debug(ctx, sdebug);
if (!config_ctx(cctx, ssl_args, ctx))
goto end;
if (ssl_config != NULL) {
if (SSL_CTX_config(ctx, ssl_config) == 0) {
BIO_printf(bio_err, "Error using configuration \"%s\"\n",
ssl_config);
ERR_print_errors(bio_err);
goto end;
}
}
#ifndef OPENSSL_NO_SCTP
if (protocol == IPPROTO_SCTP && sctp_label_bug == 1)
SSL_CTX_set_mode(ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG);
#endif
if (min_version != 0
&& SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
goto end;
if (max_version != 0
&& SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
goto end;
if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) {
BIO_printf(bio_err, "Error setting verify params\n");
ERR_print_errors(bio_err);
goto end;
}
if (async) {
SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC);
}
if (max_send_fragment > 0
&& !SSL_CTX_set_max_send_fragment(ctx, max_send_fragment)) {
BIO_printf(bio_err, "%s: Max send fragment size %u is out of permitted range\n",
prog, max_send_fragment);
goto end;
}
if (split_send_fragment > 0
&& !SSL_CTX_set_split_send_fragment(ctx, split_send_fragment)) {
BIO_printf(bio_err, "%s: Split send fragment size %u is out of permitted range\n",
prog, split_send_fragment);
goto end;
}
if (max_pipelines > 0
&& !SSL_CTX_set_max_pipelines(ctx, max_pipelines)) {
BIO_printf(bio_err, "%s: Max pipelines %u is out of permitted range\n",
prog, max_pipelines);
goto end;
}
if (read_buf_len > 0) {
SSL_CTX_set_default_read_buffer_len(ctx, read_buf_len);
}
if (maxfraglen > 0
&& !SSL_CTX_set_tlsext_max_fragment_length(ctx, maxfraglen)) {
BIO_printf(bio_err,
"%s: Max Fragment Length code %u is out of permitted values"
"\n", prog, maxfraglen);
goto end;
}
if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
crls, crl_download)) {
BIO_printf(bio_err, "Error loading store locations\n");
ERR_print_errors(bio_err);
goto end;
}
if (ReqCAfile != NULL) {
STACK_OF(X509_NAME) *nm = sk_X509_NAME_new_null();
if (nm == NULL || !SSL_add_file_cert_subjects_to_stack(nm, ReqCAfile)) {
sk_X509_NAME_pop_free(nm, X509_NAME_free);
BIO_printf(bio_err, "Error loading CA names\n");
ERR_print_errors(bio_err);
goto end;
}
SSL_CTX_set0_CA_list(ctx, nm);
}
#ifndef OPENSSL_NO_ENGINE
if (ssl_client_engine) {
if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine)) {
BIO_puts(bio_err, "Error setting client auth engine\n");
ERR_print_errors(bio_err);
ENGINE_free(ssl_client_engine);
goto end;
}
ENGINE_free(ssl_client_engine);
}
#endif
#ifndef OPENSSL_NO_PSK
if (psk_key != NULL) {
if (c_debug)
BIO_printf(bio_c_out, "PSK key given, setting client callback\n");
SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
}
#endif
if (psksessf != NULL) {
BIO *stmp = BIO_new_file(psksessf, "r");
if (stmp == NULL) {
BIO_printf(bio_err, "Can't open PSK session file %s\n", psksessf);
ERR_print_errors(bio_err);
goto end;
}
psksess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
BIO_free(stmp);
if (psksess == NULL) {
BIO_printf(bio_err, "Can't read PSK session file %s\n", psksessf);
ERR_print_errors(bio_err);
goto end;
}
}
if (psk_key != NULL || psksess != NULL)
SSL_CTX_set_psk_use_session_callback(ctx, psk_use_session_cb);
#ifndef OPENSSL_NO_SRTP
if (srtp_profiles != NULL) {
/* Returns 0 on success! */
if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles) != 0) {
BIO_printf(bio_err, "Error setting SRTP profile\n");
ERR_print_errors(bio_err);
goto end;
}
}
#endif
if (exc != NULL)
ssl_ctx_set_excert(ctx, exc);
#if !defined(OPENSSL_NO_NEXTPROTONEG)
if (next_proto.data != NULL)
SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
#endif
if (alpn_in) {
size_t alpn_len;
unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
if (alpn == NULL) {
BIO_printf(bio_err, "Error parsing -alpn argument\n");
goto end;
}
/* Returns 0 on success! */
if (SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len) != 0) {
BIO_printf(bio_err, "Error setting ALPN\n");
goto end;
}
OPENSSL_free(alpn);
}
for (i = 0; i < serverinfo_count; i++) {
if (!SSL_CTX_add_client_custom_ext(ctx,
serverinfo_types[i],
NULL, NULL, NULL,
serverinfo_cli_parse_cb, NULL)) {
BIO_printf(bio_err,
"Warning: Unable to add custom extension %u, skipping\n",
serverinfo_types[i]);
}
}
if (state)
SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
#ifndef OPENSSL_NO_CT
/* Enable SCT processing, without early connection termination */
if (ct_validation &&
!SSL_CTX_enable_ct(ctx, SSL_CT_VALIDATION_PERMISSIVE)) {
ERR_print_errors(bio_err);
goto end;
}
if (!ctx_set_ctlog_list_file(ctx, ctlog_file)) {
if (ct_validation) {
ERR_print_errors(bio_err);
goto end;
}
/*
* If CT validation is not enabled, the log list isn't needed so don't
* show errors or abort. We try to load it regardless because then we
* can show the names of the logs any SCTs came from (SCTs may be seen
* even with validation disabled).
*/
ERR_clear_error();
}
#endif
SSL_CTX_set_verify(ctx, verify, verify_callback);
if (!ctx_set_verify_locations(ctx, CAfile, CApath, noCAfile, noCApath)) {
ERR_print_errors(bio_err);
goto end;
}
ssl_ctx_add_crls(ctx, crls, crl_download);
if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain))
goto end;
if (!noservername) {
tlsextcbp.biodebug = bio_err;
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
}
# ifndef OPENSSL_NO_SRP
if (srp_arg.srplogin) {
if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin)) {
BIO_printf(bio_err, "Unable to set SRP username\n");
goto end;
}
srp_arg.msg = c_msg;
srp_arg.debug = c_debug;
SSL_CTX_set_srp_cb_arg(ctx, &srp_arg);
SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb);
SSL_CTX_set_srp_strength(ctx, srp_arg.strength);
if (c_msg || c_debug || srp_arg.amp == 0)
SSL_CTX_set_srp_verify_param_callback(ctx,
ssl_srp_verify_param_cb);
}
# endif
if (dane_tlsa_domain != NULL) {
if (SSL_CTX_dane_enable(ctx) <= 0) {
BIO_printf(bio_err,
"%s: Error enabling DANE TLSA authentication.\n",
prog);
ERR_print_errors(bio_err);
goto end;
}
}
/*
* In TLSv1.3 NewSessionTicket messages arrive after the handshake and can
* come at any time. Therefore we use a callback to write out the session
* when we know about it. This approach works for < TLSv1.3 as well.
*/
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT
| SSL_SESS_CACHE_NO_INTERNAL_STORE);
SSL_CTX_sess_set_new_cb(ctx, new_session_cb);
if (set_keylog_file(ctx, keylog_file))
goto end;
con = SSL_new(ctx);
if (con == NULL)
goto end;
if (enable_pha)
SSL_set_post_handshake_auth(con, 1);
if (sess_in != NULL) {
SSL_SESSION *sess;
BIO *stmp = BIO_new_file(sess_in, "r");
if (stmp == NULL) {
BIO_printf(bio_err, "Can't open session file %s\n", sess_in);
ERR_print_errors(bio_err);
goto end;
}
sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
BIO_free(stmp);
if (sess == NULL) {
BIO_printf(bio_err, "Can't open session file %s\n", sess_in);
ERR_print_errors(bio_err);
goto end;
}
if (!SSL_set_session(con, sess)) {
BIO_printf(bio_err, "Can't set session\n");
ERR_print_errors(bio_err);
goto end;
}
SSL_SESSION_free(sess);
}
if (fallback_scsv)
SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);
if (!noservername && (servername != NULL || dane_tlsa_domain == NULL)) {
if (servername == NULL) {
if(host == NULL || is_dNS_name(host))
servername = (host == NULL) ? "localhost" : host;
}
if (servername != NULL && !SSL_set_tlsext_host_name(con, servername)) {
BIO_printf(bio_err, "Unable to set TLS servername extension.\n");
ERR_print_errors(bio_err);
goto end;
}
}
if (dane_tlsa_domain != NULL) {
if (SSL_dane_enable(con, dane_tlsa_domain) <= 0) {
BIO_printf(bio_err, "%s: Error enabling DANE TLSA "
"authentication.\n", prog);
ERR_print_errors(bio_err);
goto end;
}
if (dane_tlsa_rrset == NULL) {
BIO_printf(bio_err, "%s: DANE TLSA authentication requires at "
"least one -dane_tlsa_rrdata option.\n", prog);
goto end;
}
if (tlsa_import_rrset(con, dane_tlsa_rrset) <= 0) {
BIO_printf(bio_err, "%s: Failed to import any TLSA "
"records.\n", prog);
goto end;
}
if (dane_ee_no_name)
SSL_dane_set_flags(con, DANE_FLAG_NO_DANE_EE_NAMECHECKS);
} else if (dane_tlsa_rrset != NULL) {
BIO_printf(bio_err, "%s: DANE TLSA authentication requires the "
"-dane_tlsa_domain option.\n", prog);
goto end;
}
re_start:
if (init_client(&s, host, port, bindhost, bindport, socket_family,
socket_type, protocol) == 0) {
BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());
BIO_closesocket(s);
goto end;
}
BIO_printf(bio_c_out, "CONNECTED(%08X)\n", s);
if (c_nbio) {
if (!BIO_socket_nbio(s, 1)) {
ERR_print_errors(bio_err);
goto end;
}
BIO_printf(bio_c_out, "Turned on non blocking io\n");
}
#ifndef OPENSSL_NO_DTLS
if (isdtls) {
union BIO_sock_info_u peer_info;
#ifndef OPENSSL_NO_SCTP
if (protocol == IPPROTO_SCTP)
sbio = BIO_new_dgram_sctp(s, BIO_NOCLOSE);
else
#endif
sbio = BIO_new_dgram(s, BIO_NOCLOSE);
if ((peer_info.addr = BIO_ADDR_new()) == NULL) {
BIO_printf(bio_err, "memory allocation failure\n");
BIO_closesocket(s);
goto end;
}
if (!BIO_sock_info(s, BIO_SOCK_INFO_ADDRESS, &peer_info)) {
BIO_printf(bio_err, "getsockname:errno=%d\n",
get_last_socket_error());
BIO_ADDR_free(peer_info.addr);
BIO_closesocket(s);
goto end;
}
(void)BIO_ctrl_set_connected(sbio, peer_info.addr);
BIO_ADDR_free(peer_info.addr);
peer_info.addr = NULL;
if (enable_timeouts) {
timeout.tv_sec = 0;
timeout.tv_usec = DGRAM_RCV_TIMEOUT;
BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
timeout.tv_sec = 0;
timeout.tv_usec = DGRAM_SND_TIMEOUT;
BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
}
if (socket_mtu) {
if (socket_mtu < DTLS_get_link_min_mtu(con)) {
BIO_printf(bio_err, "MTU too small. Must be at least %ld\n",
DTLS_get_link_min_mtu(con));
BIO_free(sbio);
goto shut;
}
SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
if (!DTLS_set_link_mtu(con, socket_mtu)) {
BIO_printf(bio_err, "Failed to set MTU\n");
BIO_free(sbio);
goto shut;
}
} else {
/* want to do MTU discovery */
BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
}
} else
#endif /* OPENSSL_NO_DTLS */
sbio = BIO_new_socket(s, BIO_NOCLOSE);
if (nbio_test) {
BIO *test;
test = BIO_new(BIO_f_nbio_test());
sbio = BIO_push(test, sbio);
}
if (c_debug) {
BIO_set_callback(sbio, bio_dump_callback);
BIO_set_callback_arg(sbio, (char *)bio_c_out);
}
if (c_msg) {
#ifndef OPENSSL_NO_SSL_TRACE
if (c_msg == 2)
SSL_set_msg_callback(con, SSL_trace);
else
#endif
SSL_set_msg_callback(con, msg_cb);
SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
}
if (c_tlsextdebug) {
SSL_set_tlsext_debug_callback(con, tlsext_cb);
SSL_set_tlsext_debug_arg(con, bio_c_out);
}
#ifndef OPENSSL_NO_OCSP
if (c_status_req) {
SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
}
#endif
SSL_set_bio(con, sbio, sbio);
SSL_set_connect_state(con);
/* ok, lets connect */
if (fileno_stdin() > SSL_get_fd(con))
width = fileno_stdin() + 1;
else
width = SSL_get_fd(con) + 1;
read_tty = 1;
write_tty = 0;
tty_on = 0;
read_ssl = 1;
write_ssl = 1;
cbuf_len = 0;
cbuf_off = 0;
sbuf_len = 0;
sbuf_off = 0;
switch ((PROTOCOL_CHOICE) starttls_proto) {
case PROTO_OFF:
break;
case PROTO_LMTP:
case PROTO_SMTP:
{
/*
* This is an ugly hack that does a lot of assumptions. We do
* have to handle multi-line responses which may come in a single
* packet or not. We therefore have to use BIO_gets() which does
* need a buffering BIO. So during the initial chitchat we do
* push a buffering BIO into the chain that is removed again
* later on to not disturb the rest of the s_client operation.
*/
int foundit = 0;
BIO *fbio = BIO_new(BIO_f_buffer());
BIO_push(fbio, sbio);
/* Wait for multi-line response to end from LMTP or SMTP */
do {
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
} while (mbuf_len > 3 && mbuf[3] == '-');
if (protohost == NULL)
protohost = "mail.example.com";
if (starttls_proto == (int)PROTO_LMTP)
BIO_printf(fbio, "LHLO %s\r\n", protohost);
else
BIO_printf(fbio, "EHLO %s\r\n", protohost);
(void)BIO_flush(fbio);
/*
* Wait for multi-line response to end LHLO LMTP or EHLO SMTP
* response.
*/
do {
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
if (strstr(mbuf, "STARTTLS"))
foundit = 1;
} while (mbuf_len > 3 && mbuf[3] == '-');
(void)BIO_flush(fbio);
BIO_pop(fbio);
BIO_free(fbio);
if (!foundit)
BIO_printf(bio_err,
"Didn't find STARTTLS in server response,"
" trying anyway...\n");
BIO_printf(sbio, "STARTTLS\r\n");
BIO_read(sbio, sbuf, BUFSIZZ);
}
break;
case PROTO_POP3:
{
BIO_read(sbio, mbuf, BUFSIZZ);
BIO_printf(sbio, "STLS\r\n");
mbuf_len = BIO_read(sbio, sbuf, BUFSIZZ);
if (mbuf_len < 0) {
BIO_printf(bio_err, "BIO_read failed\n");
goto end;
}
}
break;
case PROTO_IMAP:
{
int foundit = 0;
BIO *fbio = BIO_new(BIO_f_buffer());
BIO_push(fbio, sbio);
BIO_gets(fbio, mbuf, BUFSIZZ);
/* STARTTLS command requires CAPABILITY... */
BIO_printf(fbio, ". CAPABILITY\r\n");
(void)BIO_flush(fbio);
/* wait for multi-line CAPABILITY response */
do {
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
if (strstr(mbuf, "STARTTLS"))
foundit = 1;
}
while (mbuf_len > 3 && mbuf[0] != '.');
(void)BIO_flush(fbio);
BIO_pop(fbio);
BIO_free(fbio);
if (!foundit)
BIO_printf(bio_err,
"Didn't find STARTTLS in server response,"
" trying anyway...\n");
BIO_printf(sbio, ". STARTTLS\r\n");
BIO_read(sbio, sbuf, BUFSIZZ);
}
break;
case PROTO_FTP:
{
BIO *fbio = BIO_new(BIO_f_buffer());
BIO_push(fbio, sbio);
/* wait for multi-line response to end from FTP */
do {
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
}
while (mbuf_len > 3 && (!isdigit(mbuf[0]) || !isdigit(mbuf[1]) || !isdigit(mbuf[2]) || mbuf[3] != ' '));
(void)BIO_flush(fbio);
BIO_pop(fbio);
BIO_free(fbio);
BIO_printf(sbio, "AUTH TLS\r\n");
BIO_read(sbio, sbuf, BUFSIZZ);
}
break;
case PROTO_XMPP:
case PROTO_XMPP_SERVER:
{
int seen = 0;
BIO_printf(sbio, "<stream:stream "
"xmlns:stream='http://etherx.jabber.org/streams' "
"xmlns='jabber:%s' to='%s' version='1.0'>",
starttls_proto == PROTO_XMPP ? "client" : "server",
protohost ? protohost : host);
seen = BIO_read(sbio, mbuf, BUFSIZZ);
if (seen < 0) {
BIO_printf(bio_err, "BIO_read failed\n");
goto end;
}
mbuf[seen] = '\0';
while (!strstr
(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")
&& !strstr(mbuf,
"<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
{
seen = BIO_read(sbio, mbuf, BUFSIZZ);
if (seen <= 0)
goto shut;
mbuf[seen] = '\0';
}
BIO_printf(sbio,
"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
seen = BIO_read(sbio, sbuf, BUFSIZZ);
if (seen < 0) {
BIO_printf(bio_err, "BIO_read failed\n");
goto shut;
}
sbuf[seen] = '\0';
if (!strstr(sbuf, "<proceed"))
goto shut;
mbuf[0] = '\0';
}
break;
case PROTO_TELNET:
{
static const unsigned char tls_do[] = {
/* IAC DO START_TLS */
255, 253, 46
};
static const unsigned char tls_will[] = {
/* IAC WILL START_TLS */
255, 251, 46
};
static const unsigned char tls_follows[] = {
/* IAC SB START_TLS FOLLOWS IAC SE */
255, 250, 46, 1, 255, 240
};
int bytes;
/* Telnet server should demand we issue START_TLS */
bytes = BIO_read(sbio, mbuf, BUFSIZZ);
if (bytes != 3 || memcmp(mbuf, tls_do, 3) != 0)
goto shut;
/* Agree to issue START_TLS and send the FOLLOWS sub-command */
BIO_write(sbio, tls_will, 3);
BIO_write(sbio, tls_follows, 6);
(void)BIO_flush(sbio);
/* Telnet server also sent the FOLLOWS sub-command */
bytes = BIO_read(sbio, mbuf, BUFSIZZ);
if (bytes != 6 || memcmp(mbuf, tls_follows, 6) != 0)
goto shut;
}
break;
case PROTO_CONNECT:
{
enum {
error_proto, /* Wrong protocol, not even HTTP */
error_connect, /* CONNECT failed */
success
} foundit = error_connect;
BIO *fbio = BIO_new(BIO_f_buffer());
BIO_push(fbio, sbio);
BIO_printf(fbio, "CONNECT %s HTTP/1.0\r\n\r\n", connectstr);
(void)BIO_flush(fbio);
/*
* The first line is the HTTP response. According to RFC 7230,
* it's formatted exactly like this:
*
* HTTP/d.d ddd Reason text\r\n
*/
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
if (mbuf_len < (int)strlen("HTTP/1.0 200")) {
BIO_printf(bio_err,
"%s: HTTP CONNECT failed, insufficient response "
"from proxy (got %d octets)\n", prog, mbuf_len);
(void)BIO_flush(fbio);
BIO_pop(fbio);
BIO_free(fbio);
goto shut;
}
if (mbuf[8] != ' ') {
BIO_printf(bio_err,
"%s: HTTP CONNECT failed, incorrect response "
"from proxy\n", prog);
foundit = error_proto;
} else if (mbuf[9] != '2') {
BIO_printf(bio_err, "%s: HTTP CONNECT failed: %s ", prog,
&mbuf[9]);
} else {
foundit = success;
}
if (foundit != error_proto) {
/* Read past all following headers */
do {
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
} while (mbuf_len > 2);
}
(void)BIO_flush(fbio);
BIO_pop(fbio);
BIO_free(fbio);
if (foundit != success) {
goto shut;
}
}
break;
case PROTO_IRC:
{
int numeric;
BIO *fbio = BIO_new(BIO_f_buffer());
BIO_push(fbio, sbio);
BIO_printf(fbio, "STARTTLS\r\n");
(void)BIO_flush(fbio);
width = SSL_get_fd(con) + 1;
do {
numeric = 0;
FD_ZERO(&readfds);
openssl_fdset(SSL_get_fd(con), &readfds);
timeout.tv_sec = S_CLIENT_IRC_READ_TIMEOUT;
timeout.tv_usec = 0;
/*
* If the IRCd doesn't respond within
* S_CLIENT_IRC_READ_TIMEOUT seconds, assume
* it doesn't support STARTTLS. Many IRCds
* will not give _any_ sort of response to a
* STARTTLS command when it's not supported.
*/
if (!BIO_get_buffer_num_lines(fbio)
&& !BIO_pending(fbio)
&& !BIO_pending(sbio)
&& select(width, (void *)&readfds, NULL, NULL,
&timeout) < 1) {
BIO_printf(bio_err,
"Timeout waiting for response (%d seconds).\n",
S_CLIENT_IRC_READ_TIMEOUT);
break;
}
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
if (mbuf_len < 1 || sscanf(mbuf, "%*s %d", &numeric) != 1)
break;
/* :example.net 451 STARTTLS :You have not registered */
/* :example.net 421 STARTTLS :Unknown command */
if ((numeric == 451 || numeric == 421)
&& strstr(mbuf, "STARTTLS") != NULL) {
BIO_printf(bio_err, "STARTTLS not supported: %s", mbuf);
break;
}
if (numeric == 691) {
BIO_printf(bio_err, "STARTTLS negotiation failed: ");
ERR_print_errors(bio_err);
break;
}
} while (numeric != 670);
(void)BIO_flush(fbio);
BIO_pop(fbio);
BIO_free(fbio);
if (numeric != 670) {
BIO_printf(bio_err, "Server does not support STARTTLS.\n");
ret = 1;
goto shut;
}
}
break;
case PROTO_MYSQL:
{
/* SSL request packet */
static const unsigned char ssl_req[] = {
/* payload_length, sequence_id */
0x20, 0x00, 0x00, 0x01,
/* payload */
/* capability flags, CLIENT_SSL always set */
0x85, 0xae, 0x7f, 0x00,
/* max-packet size */
0x00, 0x00, 0x00, 0x01,
/* character set */
0x21,
/* string[23] reserved (all [0]) */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
int bytes = 0;
int ssl_flg = 0x800;
int pos;
const unsigned char *packet = (const unsigned char *)sbuf;
/* Receiving Initial Handshake packet. */
bytes = BIO_read(sbio, (void *)packet, BUFSIZZ);
if (bytes < 0) {
BIO_printf(bio_err, "BIO_read failed\n");
goto shut;
/* Packet length[3], Packet number[1] + minimum payload[17] */
} else if (bytes < 21) {
BIO_printf(bio_err, "MySQL packet too short.\n");
goto shut;
} else if (bytes != (4 + packet[0] +
(packet[1] << 8) +
(packet[2] << 16))) {
BIO_printf(bio_err, "MySQL packet length does not match.\n");
goto shut;
/* protocol version[1] */
} else if (packet[4] != 0xA) {
BIO_printf(bio_err,
"Only MySQL protocol version 10 is supported.\n");
goto shut;
}
pos = 5;
/* server version[string+NULL] */
for (;;) {
if (pos >= bytes) {
BIO_printf(bio_err, "Cannot confirm server version. ");
goto shut;
} else if (packet[pos++] == '\0') {
break;
}
}
/* make sure we have at least 15 bytes left in the packet */
if (pos + 15 > bytes) {
BIO_printf(bio_err,
"MySQL server handshake packet is broken.\n");
goto shut;
}
pos += 12; /* skip over conn id[4] + SALT[8] */
if (packet[pos++] != '\0') { /* verify filler */
BIO_printf(bio_err,
"MySQL packet is broken.\n");
goto shut;
}
/* capability flags[2] */
if (!((packet[pos] + (packet[pos + 1] << 8)) & ssl_flg)) {
BIO_printf(bio_err, "MySQL server does not support SSL.\n");
goto shut;
}
/* Sending SSL Handshake packet. */
BIO_write(sbio, ssl_req, sizeof(ssl_req));
(void)BIO_flush(sbio);
}
break;
case PROTO_POSTGRES:
{
static const unsigned char ssl_request[] = {
/* Length SSLRequest */
0, 0, 0, 8, 4, 210, 22, 47
};
int bytes;
/* Send SSLRequest packet */
BIO_write(sbio, ssl_request, 8);
(void)BIO_flush(sbio);
/* Reply will be a single S if SSL is enabled */
bytes = BIO_read(sbio, sbuf, BUFSIZZ);
if (bytes != 1 || sbuf[0] != 'S')
goto shut;
}
break;
case PROTO_NNTP:
{
int foundit = 0;
BIO *fbio = BIO_new(BIO_f_buffer());
BIO_push(fbio, sbio);
BIO_gets(fbio, mbuf, BUFSIZZ);
/* STARTTLS command requires CAPABILITIES... */
BIO_printf(fbio, "CAPABILITIES\r\n");
(void)BIO_flush(fbio);
/* wait for multi-line CAPABILITIES response */
do {
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
if (strstr(mbuf, "STARTTLS"))
foundit = 1;
} while (mbuf_len > 1 && mbuf[0] != '.');
(void)BIO_flush(fbio);
BIO_pop(fbio);
BIO_free(fbio);
if (!foundit)
BIO_printf(bio_err,
"Didn't find STARTTLS in server response,"
" trying anyway...\n");
BIO_printf(sbio, "STARTTLS\r\n");
mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ);
if (mbuf_len < 0) {
BIO_printf(bio_err, "BIO_read failed\n");
goto end;
}
mbuf[mbuf_len] = '\0';
if (strstr(mbuf, "382") == NULL) {
BIO_printf(bio_err, "STARTTLS failed: %s", mbuf);
goto shut;
}
}
break;
case PROTO_SIEVE:
{
int foundit = 0;
BIO *fbio = BIO_new(BIO_f_buffer());
BIO_push(fbio, sbio);
/* wait for multi-line response to end from Sieve */
do {
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
/*
* According to RFC 5804 § 1.7, capability
* is case-insensitive, make it uppercase
*/
if (mbuf_len > 1 && mbuf[0] == '"') {
make_uppercase(mbuf);
if (strncmp(mbuf, "\"STARTTLS\"", 10) == 0)
foundit = 1;
}
} while (mbuf_len > 1 && mbuf[0] == '"');
(void)BIO_flush(fbio);
BIO_pop(fbio);
BIO_free(fbio);
if (!foundit)
BIO_printf(bio_err,
"Didn't find STARTTLS in server response,"
" trying anyway...\n");
BIO_printf(sbio, "STARTTLS\r\n");
mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ);
if (mbuf_len < 0) {
BIO_printf(bio_err, "BIO_read failed\n");
goto end;
}
mbuf[mbuf_len] = '\0';
if (mbuf_len < 2) {
BIO_printf(bio_err, "STARTTLS failed: %s", mbuf);
goto shut;
}
/*
* According to RFC 5804 § 2.2, response codes are case-
* insensitive, make it uppercase but preserve the response.
*/
strncpy(sbuf, mbuf, 2);
make_uppercase(sbuf);
if (strncmp(sbuf, "OK", 2) != 0) {
BIO_printf(bio_err, "STARTTLS not supported: %s", mbuf);
goto shut;
}
}
break;
case PROTO_LDAP:
{
/* StartTLS Operation according to RFC 4511 */
static char ldap_tls_genconf[] = "asn1=SEQUENCE:LDAPMessage\n"
"[LDAPMessage]\n"
"messageID=INTEGER:1\n"
"extendedReq=EXPLICIT:23A,IMPLICIT:0C,"
"FORMAT:ASCII,OCT:1.3.6.1.4.1.1466.20037\n";
long errline = -1;
char *genstr = NULL;
int result = -1;
ASN1_TYPE *atyp = NULL;
BIO *ldapbio = BIO_new(BIO_s_mem());
CONF *cnf = NCONF_new(NULL);
if (cnf == NULL) {
BIO_free(ldapbio);
goto end;
}
BIO_puts(ldapbio, ldap_tls_genconf);
if (NCONF_load_bio(cnf, ldapbio, &errline) <= 0) {
BIO_free(ldapbio);
NCONF_free(cnf);
if (errline <= 0) {
BIO_printf(bio_err, "NCONF_load_bio failed\n");
goto end;
} else {
BIO_printf(bio_err, "Error on line %ld\n", errline);
goto end;
}
}
BIO_free(ldapbio);
genstr = NCONF_get_string(cnf, "default", "asn1");
if (genstr == NULL) {
NCONF_free(cnf);
BIO_printf(bio_err, "NCONF_get_string failed\n");
goto end;
}
atyp = ASN1_generate_nconf(genstr, cnf);
if (atyp == NULL) {
NCONF_free(cnf);
BIO_printf(bio_err, "ASN1_generate_nconf failed\n");
goto end;
}
NCONF_free(cnf);
/* Send SSLRequest packet */
BIO_write(sbio, atyp->value.sequence->data,
atyp->value.sequence->length);
(void)BIO_flush(sbio);
ASN1_TYPE_free(atyp);
mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ);
if (mbuf_len < 0) {
BIO_printf(bio_err, "BIO_read failed\n");
goto end;
}
result = ldap_ExtendedResponse_parse(mbuf, mbuf_len);
if (result < 0) {
BIO_printf(bio_err, "ldap_ExtendedResponse_parse failed\n");
goto shut;
} else if (result > 0) {
BIO_printf(bio_err, "STARTTLS failed, LDAP Result Code: %i\n",
result);
goto shut;
}
mbuf_len = 0;
}
break;
}
if (early_data_file != NULL
&& ((SSL_get0_session(con) != NULL
&& SSL_SESSION_get_max_early_data(SSL_get0_session(con)) > 0)
|| (psksess != NULL
&& SSL_SESSION_get_max_early_data(psksess) > 0))) {
BIO *edfile = BIO_new_file(early_data_file, "r");
size_t readbytes, writtenbytes;
int finish = 0;
if (edfile == NULL) {
BIO_printf(bio_err, "Cannot open early data file\n");
goto shut;
}
while (!finish) {
if (!BIO_read_ex(edfile, cbuf, BUFSIZZ, &readbytes))
finish = 1;
while (!SSL_write_early_data(con, cbuf, readbytes, &writtenbytes)) {
switch (SSL_get_error(con, 0)) {
case SSL_ERROR_WANT_WRITE:
case SSL_ERROR_WANT_ASYNC:
case SSL_ERROR_WANT_READ:
/* Just keep trying - busy waiting */
continue;
default:
BIO_printf(bio_err, "Error writing early data\n");
BIO_free(edfile);
ERR_print_errors(bio_err);
goto shut;
}
}
}
BIO_free(edfile);
}
for (;;) {
FD_ZERO(&readfds);
FD_ZERO(&writefds);
if (SSL_is_dtls(con) && DTLSv1_get_timeout(con, &timeout))
timeoutp = &timeout;
else
timeoutp = NULL;
if (!SSL_is_init_finished(con) && SSL_total_renegotiations(con) == 0
&& SSL_get_key_update_type(con) == SSL_KEY_UPDATE_NONE) {
in_init = 1;
tty_on = 0;
} else {
tty_on = 1;
if (in_init) {
in_init = 0;
if (c_brief) {
BIO_puts(bio_err, "CONNECTION ESTABLISHED\n");
print_ssl_summary(con);
}
print_stuff(bio_c_out, con, full_log);
if (full_log > 0)
full_log--;
if (starttls_proto) {
BIO_write(bio_err, mbuf, mbuf_len);
/* We don't need to know any more */
if (!reconnect)
starttls_proto = PROTO_OFF;
}
if (reconnect) {
reconnect--;
BIO_printf(bio_c_out,
"drop connection and then reconnect\n");
do_ssl_shutdown(con);
SSL_set_connect_state(con);
BIO_closesocket(SSL_get_fd(con));
goto re_start;
}
}
}
ssl_pending = read_ssl && SSL_has_pending(con);
if (!ssl_pending) {
#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
if (tty_on) {
/*
* Note that select() returns when read _would not block_,
* and EOF satisfies that. To avoid a CPU-hogging loop,
* set the flag so we exit.
*/
if (read_tty && !at_eof)
openssl_fdset(fileno_stdin(), &readfds);
#if !defined(OPENSSL_SYS_VMS)
if (write_tty)
openssl_fdset(fileno_stdout(), &writefds);
#endif
}
if (read_ssl)
openssl_fdset(SSL_get_fd(con), &readfds);
if (write_ssl)
openssl_fdset(SSL_get_fd(con), &writefds);
#else
if (!tty_on || !write_tty) {
if (read_ssl)
openssl_fdset(SSL_get_fd(con), &readfds);
if (write_ssl)
openssl_fdset(SSL_get_fd(con), &writefds);
}
#endif
/*
* Note: under VMS with SOCKETSHR the second parameter is
* currently of type (int *) whereas under other systems it is
* (void *) if you don't have a cast it will choke the compiler:
* if you do have a cast then you can either go for (int *) or
* (void *).
*/
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
/*
* Under Windows/DOS we make the assumption that we can always
* write to the tty: therefore if we need to write to the tty we
* just fall through. Otherwise we timeout the select every
* second and see if there are any keypresses. Note: this is a
* hack, in a proper Windows application we wouldn't do this.
*/
i = 0;
if (!write_tty) {
if (read_tty) {
tv.tv_sec = 1;
tv.tv_usec = 0;
i = select(width, (void *)&readfds, (void *)&writefds,
NULL, &tv);
if (!i && (!has_stdin_waiting() || !read_tty))
continue;
} else
i = select(width, (void *)&readfds, (void *)&writefds,
NULL, timeoutp);
}
#else
i = select(width, (void *)&readfds, (void *)&writefds,
NULL, timeoutp);
#endif
if (i < 0) {
BIO_printf(bio_err, "bad select %d\n",
get_last_socket_error());
goto shut;
}
}
if (SSL_is_dtls(con) && DTLSv1_handle_timeout(con) > 0)
BIO_printf(bio_err, "TIMEOUT occurred\n");
if (!ssl_pending && FD_ISSET(SSL_get_fd(con), &writefds)) {
k = SSL_write(con, &(cbuf[cbuf_off]), (unsigned int)cbuf_len);
switch (SSL_get_error(con, k)) {
case SSL_ERROR_NONE:
cbuf_off += k;
cbuf_len -= k;
if (k <= 0)
goto end;
/* we have done a write(con,NULL,0); */
if (cbuf_len <= 0) {
read_tty = 1;
write_ssl = 0;
} else { /* if (cbuf_len > 0) */
read_tty = 0;
write_ssl = 1;
}
break;
case SSL_ERROR_WANT_WRITE:
BIO_printf(bio_c_out, "write W BLOCK\n");
write_ssl = 1;
read_tty = 0;
break;
case SSL_ERROR_WANT_ASYNC:
BIO_printf(bio_c_out, "write A BLOCK\n");
wait_for_async(con);
write_ssl = 1;
read_tty = 0;
break;
case SSL_ERROR_WANT_READ:
BIO_printf(bio_c_out, "write R BLOCK\n");
write_tty = 0;
read_ssl = 1;
write_ssl = 0;
break;
case SSL_ERROR_WANT_X509_LOOKUP:
BIO_printf(bio_c_out, "write X BLOCK\n");
break;
case SSL_ERROR_ZERO_RETURN:
if (cbuf_len != 0) {
BIO_printf(bio_c_out, "shutdown\n");
ret = 0;
goto shut;
} else {
read_tty = 1;
write_ssl = 0;
break;
}
case SSL_ERROR_SYSCALL:
if ((k != 0) || (cbuf_len != 0)) {
BIO_printf(bio_err, "write:errno=%d\n",
get_last_socket_error());
goto shut;
} else {
read_tty = 1;
write_ssl = 0;
}
break;
case SSL_ERROR_WANT_ASYNC_JOB:
/* This shouldn't ever happen in s_client - treat as an error */
case SSL_ERROR_SSL:
ERR_print_errors(bio_err);
goto shut;
}
}
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VMS)
/* Assume Windows/DOS/BeOS can always write */
else if (!ssl_pending && write_tty)
#else
else if (!ssl_pending && FD_ISSET(fileno_stdout(), &writefds))
#endif
{
#ifdef CHARSET_EBCDIC
ascii2ebcdic(&(sbuf[sbuf_off]), &(sbuf[sbuf_off]), sbuf_len);
#endif
i = raw_write_stdout(&(sbuf[sbuf_off]), sbuf_len);
if (i <= 0) {
BIO_printf(bio_c_out, "DONE\n");
ret = 0;
goto shut;
}
sbuf_len -= i;
sbuf_off += i;
if (sbuf_len <= 0) {
read_ssl = 1;
write_tty = 0;
}
} else if (ssl_pending || FD_ISSET(SSL_get_fd(con), &readfds)) {
#ifdef RENEG
{
static int iiii;
if (++iiii == 52) {
SSL_renegotiate(con);
iiii = 0;
}
}
#endif
k = SSL_read(con, sbuf, 1024 /* BUFSIZZ */ );
switch (SSL_get_error(con, k)) {
case SSL_ERROR_NONE:
if (k <= 0)
goto end;
sbuf_off = 0;
sbuf_len = k;
read_ssl = 0;
write_tty = 1;
break;
case SSL_ERROR_WANT_ASYNC:
BIO_printf(bio_c_out, "read A BLOCK\n");
wait_for_async(con);
write_tty = 0;
read_ssl = 1;
if ((read_tty == 0) && (write_ssl == 0))
write_ssl = 1;
break;
case SSL_ERROR_WANT_WRITE:
BIO_printf(bio_c_out, "read W BLOCK\n");
write_ssl = 1;
read_tty = 0;
break;
case SSL_ERROR_WANT_READ:
BIO_printf(bio_c_out, "read R BLOCK\n");
write_tty = 0;
read_ssl = 1;
if ((read_tty == 0) && (write_ssl == 0))
write_ssl = 1;
break;
case SSL_ERROR_WANT_X509_LOOKUP:
BIO_printf(bio_c_out, "read X BLOCK\n");
break;
case SSL_ERROR_SYSCALL:
ret = get_last_socket_error();
if (c_brief)
BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
else
BIO_printf(bio_err, "read:errno=%d\n", ret);
goto shut;
case SSL_ERROR_ZERO_RETURN:
BIO_printf(bio_c_out, "closed\n");
ret = 0;
goto shut;
case SSL_ERROR_WANT_ASYNC_JOB:
/* This shouldn't ever happen in s_client. Treat as an error */
case SSL_ERROR_SSL:
ERR_print_errors(bio_err);
goto shut;
}
}
/* OPENSSL_SYS_MSDOS includes OPENSSL_SYS_WINDOWS */
#if defined(OPENSSL_SYS_MSDOS)
else if (has_stdin_waiting())
#else
else if (FD_ISSET(fileno_stdin(), &readfds))
#endif
{
if (crlf) {
int j, lf_num;
i = raw_read_stdin(cbuf, BUFSIZZ / 2);
lf_num = 0;
/* both loops are skipped when i <= 0 */
for (j = 0; j < i; j++)
if (cbuf[j] == '\n')
lf_num++;
for (j = i - 1; j >= 0; j--) {
cbuf[j + lf_num] = cbuf[j];
if (cbuf[j] == '\n') {
lf_num--;
i++;
cbuf[j + lf_num] = '\r';
}
}
assert(lf_num == 0);
} else
i = raw_read_stdin(cbuf, BUFSIZZ);
#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
if (i == 0)
at_eof = 1;
#endif
if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q' && cmdletters))) {
BIO_printf(bio_err, "DONE\n");
ret = 0;
goto shut;
}
if ((!c_ign_eof) && (cbuf[0] == 'R' && cmdletters)) {
BIO_printf(bio_err, "RENEGOTIATING\n");
SSL_renegotiate(con);
cbuf_len = 0;
} else if (!c_ign_eof && (cbuf[0] == 'K' || cbuf[0] == 'k' )
&& cmdletters) {
BIO_printf(bio_err, "KEYUPDATE\n");
SSL_key_update(con,
cbuf[0] == 'K' ? SSL_KEY_UPDATE_REQUESTED
: SSL_KEY_UPDATE_NOT_REQUESTED);
cbuf_len = 0;
}
#ifndef OPENSSL_NO_HEARTBEATS
else if ((!c_ign_eof) && (cbuf[0] == 'B' && cmdletters)) {
BIO_printf(bio_err, "HEARTBEATING\n");
SSL_heartbeat(con);
cbuf_len = 0;
}
#endif
else {
cbuf_len = i;
cbuf_off = 0;
#ifdef CHARSET_EBCDIC
ebcdic2ascii(cbuf, cbuf, i);
#endif
}
write_ssl = 1;
read_tty = 0;
}
}
ret = 0;
shut:
if (in_init)
print_stuff(bio_c_out, con, full_log);
do_ssl_shutdown(con);
/*
* If we ended with an alert being sent, but still with data in the
* network buffer to be read, then calling BIO_closesocket() will
* result in a TCP-RST being sent. On some platforms (notably
* Windows) then this will result in the peer immediately abandoning
* the connection including any buffered alert data before it has
* had a chance to be read. Shutting down the sending side first,
* and then closing the socket sends TCP-FIN first followed by
* TCP-RST. This seems to allow the peer to read the alert data.
*/
shutdown(SSL_get_fd(con), 1); /* SHUT_WR */
/*
* We just said we have nothing else to say, but it doesn't mean that
* the other side has nothing. It's even recommended to consume incoming
* data. [In testing context this ensures that alerts are passed on...]
*/
timeout.tv_sec = 0;
timeout.tv_usec = 500000; /* some extreme round-trip */
do {
FD_ZERO(&readfds);
openssl_fdset(s, &readfds);
} while (select(s + 1, &readfds, NULL, NULL, &timeout) > 0
&& BIO_read(sbio, sbuf, BUFSIZZ) > 0);
BIO_closesocket(SSL_get_fd(con));
end:
if (con != NULL) {
if (prexit != 0)
print_stuff(bio_c_out, con, 1);
SSL_free(con);
}
SSL_SESSION_free(psksess);
#if !defined(OPENSSL_NO_NEXTPROTONEG)
OPENSSL_free(next_proto.data);
#endif
SSL_CTX_free(ctx);
set_keylog_file(NULL, NULL);
X509_free(cert);
sk_X509_CRL_pop_free(crls, X509_CRL_free);
EVP_PKEY_free(key);
sk_X509_pop_free(chain, X509_free);
OPENSSL_free(pass);
#ifndef OPENSSL_NO_SRP
OPENSSL_free(srp_arg.srppassin);
#endif
+ OPENSSL_free(sname_alloc);
OPENSSL_free(connectstr);
OPENSSL_free(bindstr);
OPENSSL_free(bindhost);
OPENSSL_free(bindport);
OPENSSL_free(host);
OPENSSL_free(port);
X509_VERIFY_PARAM_free(vpm);
ssl_excert_free(exc);
sk_OPENSSL_STRING_free(ssl_args);
sk_OPENSSL_STRING_free(dane_tlsa_rrset);
SSL_CONF_CTX_free(cctx);
OPENSSL_clear_free(cbuf, BUFSIZZ);
OPENSSL_clear_free(sbuf, BUFSIZZ);
OPENSSL_clear_free(mbuf, BUFSIZZ);
release_engine(e);
BIO_free(bio_c_out);
bio_c_out = NULL;
BIO_free(bio_c_msg);
bio_c_msg = NULL;
return ret;
}
static void print_stuff(BIO *bio, SSL *s, int full)
{
X509 *peer = NULL;
STACK_OF(X509) *sk;
const SSL_CIPHER *c;
int i, istls13 = (SSL_version(s) == TLS1_3_VERSION);
long verify_result;
#ifndef OPENSSL_NO_COMP
const COMP_METHOD *comp, *expansion;
#endif
unsigned char *exportedkeymat;
#ifndef OPENSSL_NO_CT
const SSL_CTX *ctx = SSL_get_SSL_CTX(s);
#endif
if (full) {
int got_a_chain = 0;
sk = SSL_get_peer_cert_chain(s);
if (sk != NULL) {
got_a_chain = 1;
BIO_printf(bio, "---\nCertificate chain\n");
for (i = 0; i < sk_X509_num(sk); i++) {
BIO_printf(bio, "%2d s:", i);
X509_NAME_print_ex(bio, X509_get_subject_name(sk_X509_value(sk, i)), 0, get_nameopt());
BIO_puts(bio, "\n");
BIO_printf(bio, " i:");
X509_NAME_print_ex(bio, X509_get_issuer_name(sk_X509_value(sk, i)), 0, get_nameopt());
BIO_puts(bio, "\n");
if (c_showcerts)
PEM_write_bio_X509(bio, sk_X509_value(sk, i));
}
}
BIO_printf(bio, "---\n");
peer = SSL_get_peer_certificate(s);
if (peer != NULL) {
BIO_printf(bio, "Server certificate\n");
/* Redundant if we showed the whole chain */
if (!(c_showcerts && got_a_chain))
PEM_write_bio_X509(bio, peer);
dump_cert_text(bio, peer);
} else {
BIO_printf(bio, "no peer certificate available\n");
}
print_ca_names(bio, s);
ssl_print_sigalgs(bio, s);
ssl_print_tmp_key(bio, s);
#ifndef OPENSSL_NO_CT
/*
* When the SSL session is anonymous, or resumed via an abbreviated
* handshake, no SCTs are provided as part of the handshake. While in
* a resumed session SCTs may be present in the session's certificate,
* no callbacks are invoked to revalidate these, and in any case that
* set of SCTs may be incomplete. Thus it makes little sense to
* attempt to display SCTs from a resumed session's certificate, and of
* course none are associated with an anonymous peer.
*/
if (peer != NULL && !SSL_session_reused(s) && SSL_ct_is_enabled(s)) {
const STACK_OF(SCT) *scts = SSL_get0_peer_scts(s);
int sct_count = scts != NULL ? sk_SCT_num(scts) : 0;
BIO_printf(bio, "---\nSCTs present (%i)\n", sct_count);
if (sct_count > 0) {
const CTLOG_STORE *log_store = SSL_CTX_get0_ctlog_store(ctx);
BIO_printf(bio, "---\n");
for (i = 0; i < sct_count; ++i) {
SCT *sct = sk_SCT_value(scts, i);
BIO_printf(bio, "SCT validation status: %s\n",
SCT_validation_status_string(sct));
SCT_print(sct, bio, 0, log_store);
if (i < sct_count - 1)
BIO_printf(bio, "\n---\n");
}
BIO_printf(bio, "\n");
}
}
#endif
BIO_printf(bio,
"---\nSSL handshake has read %ju bytes "
"and written %ju bytes\n",
BIO_number_read(SSL_get_rbio(s)),
BIO_number_written(SSL_get_wbio(s)));
}
print_verify_detail(s, bio);
BIO_printf(bio, (SSL_session_reused(s) ? "---\nReused, " : "---\nNew, "));
c = SSL_get_current_cipher(s);
BIO_printf(bio, "%s, Cipher is %s\n",
SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
if (peer != NULL) {
EVP_PKEY *pktmp;
pktmp = X509_get0_pubkey(peer);
BIO_printf(bio, "Server public key is %d bit\n",
EVP_PKEY_bits(pktmp));
}
BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
#ifndef OPENSSL_NO_COMP
comp = SSL_get_current_compression(s);
expansion = SSL_get_current_expansion(s);
BIO_printf(bio, "Compression: %s\n",
comp ? SSL_COMP_get_name(comp) : "NONE");
BIO_printf(bio, "Expansion: %s\n",
expansion ? SSL_COMP_get_name(expansion) : "NONE");
#endif
#ifndef OPENSSL_NO_KTLS
if (BIO_get_ktls_send(SSL_get_wbio(s)))
BIO_printf(bio_err, "Using Kernel TLS for sending\n");
if (BIO_get_ktls_recv(SSL_get_rbio(s)))
BIO_printf(bio_err, "Using Kernel TLS for receiving\n");
#endif
#ifdef SSL_DEBUG
{
/* Print out local port of connection: useful for debugging */
int sock;
union BIO_sock_info_u info;
sock = SSL_get_fd(s);
if ((info.addr = BIO_ADDR_new()) != NULL
&& BIO_sock_info(sock, BIO_SOCK_INFO_ADDRESS, &info)) {
BIO_printf(bio_c_out, "LOCAL PORT is %u\n",
ntohs(BIO_ADDR_rawport(info.addr)));
}
BIO_ADDR_free(info.addr);
}
#endif
#if !defined(OPENSSL_NO_NEXTPROTONEG)
if (next_proto.status != -1) {
const unsigned char *proto;
unsigned int proto_len;
SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
BIO_write(bio, proto, proto_len);
BIO_write(bio, "\n", 1);
}
#endif
{
const unsigned char *proto;
unsigned int proto_len;
SSL_get0_alpn_selected(s, &proto, &proto_len);
if (proto_len > 0) {
BIO_printf(bio, "ALPN protocol: ");
BIO_write(bio, proto, proto_len);
BIO_write(bio, "\n", 1);
} else
BIO_printf(bio, "No ALPN negotiated\n");
}
#ifndef OPENSSL_NO_SRTP
{
SRTP_PROTECTION_PROFILE *srtp_profile =
SSL_get_selected_srtp_profile(s);
if (srtp_profile)
BIO_printf(bio, "SRTP Extension negotiated, profile=%s\n",
srtp_profile->name);
}
#endif
if (istls13) {
switch (SSL_get_early_data_status(s)) {
case SSL_EARLY_DATA_NOT_SENT:
BIO_printf(bio, "Early data was not sent\n");
break;
case SSL_EARLY_DATA_REJECTED:
BIO_printf(bio, "Early data was rejected\n");
break;
case SSL_EARLY_DATA_ACCEPTED:
BIO_printf(bio, "Early data was accepted\n");
break;
}
/*
* We also print the verify results when we dump session information,
* but in TLSv1.3 we may not get that right away (or at all) depending
* on when we get a NewSessionTicket. Therefore we print it now as well.
*/
verify_result = SSL_get_verify_result(s);
BIO_printf(bio, "Verify return code: %ld (%s)\n", verify_result,
X509_verify_cert_error_string(verify_result));
} else {
/* In TLSv1.3 we do this on arrival of a NewSessionTicket */
SSL_SESSION_print(bio, SSL_get_session(s));
}
if (SSL_get_session(s) != NULL && keymatexportlabel != NULL) {
BIO_printf(bio, "Keying material exporter:\n");
BIO_printf(bio, " Label: '%s'\n", keymatexportlabel);
BIO_printf(bio, " Length: %i bytes\n", keymatexportlen);
exportedkeymat = app_malloc(keymatexportlen, "export key");
if (!SSL_export_keying_material(s, exportedkeymat,
keymatexportlen,
keymatexportlabel,
strlen(keymatexportlabel),
NULL, 0, 0)) {
BIO_printf(bio, " Error\n");
} else {
BIO_printf(bio, " Keying material: ");
for (i = 0; i < keymatexportlen; i++)
BIO_printf(bio, "%02X", exportedkeymat[i]);
BIO_printf(bio, "\n");
}
OPENSSL_free(exportedkeymat);
}
BIO_printf(bio, "---\n");
X509_free(peer);
/* flush, or debugging output gets mixed with http response */
(void)BIO_flush(bio);
}
# ifndef OPENSSL_NO_OCSP
static int ocsp_resp_cb(SSL *s, void *arg)
{
const unsigned char *p;
int len;
OCSP_RESPONSE *rsp;
len = SSL_get_tlsext_status_ocsp_resp(s, &p);
BIO_puts(arg, "OCSP response: ");
if (p == NULL) {
BIO_puts(arg, "no response sent\n");
return 1;
}
rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
if (rsp == NULL) {
BIO_puts(arg, "response parse error\n");
BIO_dump_indent(arg, (char *)p, len, 4);
return 0;
}
BIO_puts(arg, "\n======================================\n");
OCSP_RESPONSE_print(arg, rsp, 0);
BIO_puts(arg, "======================================\n");
OCSP_RESPONSE_free(rsp);
return 1;
}
# endif
static int ldap_ExtendedResponse_parse(const char *buf, long rem)
{
const unsigned char *cur, *end;
long len;
int tag, xclass, inf, ret = -1;
cur = (const unsigned char *)buf;
end = cur + rem;
/*
* From RFC 4511:
*
* LDAPMessage ::= SEQUENCE {
* messageID MessageID,
* protocolOp CHOICE {
* ...
* extendedResp ExtendedResponse,
* ... },
* controls [0] Controls OPTIONAL }
*
* ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
* COMPONENTS OF LDAPResult,
* responseName [10] LDAPOID OPTIONAL,
* responseValue [11] OCTET STRING OPTIONAL }
*
* LDAPResult ::= SEQUENCE {
* resultCode ENUMERATED {
* success (0),
* ...
* other (80),
* ... },
* matchedDN LDAPDN,
* diagnosticMessage LDAPString,
* referral [3] Referral OPTIONAL }
*/
/* pull SEQUENCE */
inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
if (inf != V_ASN1_CONSTRUCTED || tag != V_ASN1_SEQUENCE ||
(rem = end - cur, len > rem)) {
BIO_printf(bio_err, "Unexpected LDAP response\n");
goto end;
}
rem = len; /* ensure that we don't overstep the SEQUENCE */
/* pull MessageID */
inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
if (inf != V_ASN1_UNIVERSAL || tag != V_ASN1_INTEGER ||
(rem = end - cur, len > rem)) {
BIO_printf(bio_err, "No MessageID\n");
goto end;
}
cur += len; /* shall we check for MessageId match or just skip? */
/* pull [APPLICATION 24] */
rem = end - cur;
inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
if (inf != V_ASN1_CONSTRUCTED || xclass != V_ASN1_APPLICATION ||
tag != 24) {
BIO_printf(bio_err, "Not ExtendedResponse\n");
goto end;
}
/* pull resultCode */
rem = end - cur;
inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
if (inf != V_ASN1_UNIVERSAL || tag != V_ASN1_ENUMERATED || len == 0 ||
(rem = end - cur, len > rem)) {
BIO_printf(bio_err, "Not LDAPResult\n");
goto end;
}
/* len should always be one, but just in case... */
for (ret = 0, inf = 0; inf < len; inf++) {
ret <<= 8;
ret |= cur[inf];
}
/* There is more data, but we don't care... */
end:
return ret;
}
/*
* Host dNS Name verifier: used for checking that the hostname is in dNS format
* before setting it as SNI
*/
static int is_dNS_name(const char *host)
{
const size_t MAX_LABEL_LENGTH = 63;
size_t i;
int isdnsname = 0;
size_t length = strlen(host);
size_t label_length = 0;
int all_numeric = 1;
/*
* Deviation from strict DNS name syntax, also check names with '_'
* Check DNS name syntax, any '-' or '.' must be internal,
* and on either side of each '.' we can't have a '-' or '.'.
*
* If the name has just one label, we don't consider it a DNS name.
*/
for (i = 0; i < length && label_length < MAX_LABEL_LENGTH; ++i) {
char c = host[i];
if ((c >= 'a' && c <= 'z')
|| (c >= 'A' && c <= 'Z')
|| c == '_') {
label_length += 1;
all_numeric = 0;
continue;
}
if (c >= '0' && c <= '9') {
label_length += 1;
continue;
}
/* Dot and hyphen cannot be first or last. */
if (i > 0 && i < length - 1) {
if (c == '-') {
label_length += 1;
continue;
}
/*
* Next to a dot the preceding and following characters must not be
* another dot or a hyphen. Otherwise, record that the name is
* plausible, since it has two or more labels.
*/
if (c == '.'
&& host[i + 1] != '.'
&& host[i - 1] != '-'
&& host[i + 1] != '-') {
label_length = 0;
isdnsname = 1;
continue;
}
}
isdnsname = 0;
break;
}
/* dNS name must not be all numeric and labels must be shorter than 64 characters. */
isdnsname &= !all_numeric && !(label_length == MAX_LABEL_LENGTH);
return isdnsname;
}
#endif /* OPENSSL_NO_SOCK */
diff --git a/crypto/openssl/apps/s_socket.c b/crypto/openssl/apps/s_socket.c
index aee366d5f457..96f16d2931cd 100644
--- a/crypto/openssl/apps/s_socket.c
+++ b/crypto/openssl/apps/s_socket.c
@@ -1,405 +1,405 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
/* socket-related functions used by s_client and s_server */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <signal.h>
#include <openssl/opensslconf.h>
/*
* With IPv6, it looks like Digital has mixed up the proper order of
* recursive header file inclusion, resulting in the compiler complaining
* that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which is
* needed to have fileno() declared correctly... So let's define u_int
*/
#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
# define __U_INT
typedef unsigned int u_int;
#endif
#ifndef OPENSSL_NO_SOCK
# include "apps.h"
# include "s_apps.h"
# include "internal/sockets.h"
# include <openssl/bio.h>
# include <openssl/err.h>
/* Keep track of our peer's address for the cookie callback */
BIO_ADDR *ourpeer = NULL;
/*
* init_client - helper routine to set up socket communication
* @sock: pointer to storage of resulting socket.
* @host: the host name or path (for AF_UNIX) to connect to.
* @port: the port to connect to (ignored for AF_UNIX).
* @bindhost: source host or path (for AF_UNIX).
* @bindport: source port (ignored for AF_UNIX).
* @family: desired socket family, may be AF_INET, AF_INET6, AF_UNIX or
* AF_UNSPEC
* @type: socket type, must be SOCK_STREAM or SOCK_DGRAM
* @protocol: socket protocol, e.g. IPPROTO_TCP or IPPROTO_UDP (or 0 for any)
*
* This will create a socket and use it to connect to a host:port, or if
* family == AF_UNIX, to the path found in host.
*
* If the host has more than one address, it will try them one by one until
* a successful connection is established. The resulting socket will be
* found in *sock on success, it will be given INVALID_SOCKET otherwise.
*
* Returns 1 on success, 0 on failure.
*/
int init_client(int *sock, const char *host, const char *port,
const char *bindhost, const char *bindport,
int family, int type, int protocol)
{
BIO_ADDRINFO *res = NULL;
BIO_ADDRINFO *bindaddr = NULL;
const BIO_ADDRINFO *ai = NULL;
const BIO_ADDRINFO *bi = NULL;
int found = 0;
int ret;
if (BIO_sock_init() != 1)
return 0;
ret = BIO_lookup_ex(host, port, BIO_LOOKUP_CLIENT, family, type, protocol,
&res);
if (ret == 0) {
ERR_print_errors(bio_err);
return 0;
}
if (bindhost != NULL || bindport != NULL) {
ret = BIO_lookup_ex(bindhost, bindport, BIO_LOOKUP_CLIENT,
family, type, protocol, &bindaddr);
if (ret == 0) {
ERR_print_errors (bio_err);
goto out;
}
}
ret = 0;
for (ai = res; ai != NULL; ai = BIO_ADDRINFO_next(ai)) {
/* Admittedly, these checks are quite paranoid, we should not get
* anything in the BIO_ADDRINFO chain that we haven't
* asked for. */
OPENSSL_assert((family == AF_UNSPEC
|| family == BIO_ADDRINFO_family(ai))
&& (type == 0 || type == BIO_ADDRINFO_socktype(ai))
&& (protocol == 0
|| protocol == BIO_ADDRINFO_protocol(ai)));
if (bindaddr != NULL) {
for (bi = bindaddr; bi != NULL; bi = BIO_ADDRINFO_next(bi)) {
if (BIO_ADDRINFO_family(bi) == BIO_ADDRINFO_family(ai))
break;
}
if (bi == NULL)
continue;
++found;
}
*sock = BIO_socket(BIO_ADDRINFO_family(ai), BIO_ADDRINFO_socktype(ai),
BIO_ADDRINFO_protocol(ai), 0);
if (*sock == INVALID_SOCKET) {
/* Maybe the kernel doesn't support the socket family, even if
* BIO_lookup() added it in the returned result...
*/
continue;
}
if (bi != NULL) {
if (!BIO_bind(*sock, BIO_ADDRINFO_address(bi),
BIO_SOCK_REUSEADDR)) {
BIO_closesocket(*sock);
*sock = INVALID_SOCKET;
break;
}
}
#ifndef OPENSSL_NO_SCTP
if (protocol == IPPROTO_SCTP) {
/*
* For SCTP we have to set various options on the socket prior to
* connecting. This is done automatically by BIO_new_dgram_sctp().
* We don't actually need the created BIO though so we free it again
* immediately.
*/
BIO *tmpbio = BIO_new_dgram_sctp(*sock, BIO_NOCLOSE);
if (tmpbio == NULL) {
ERR_print_errors(bio_err);
return 0;
}
BIO_free(tmpbio);
}
#endif
if (!BIO_connect(*sock, BIO_ADDRINFO_address(ai),
- protocol == IPPROTO_TCP ? BIO_SOCK_NODELAY : 0)) {
+ BIO_ADDRINFO_protocol(ai) == IPPROTO_TCP ? BIO_SOCK_NODELAY : 0)) {
BIO_closesocket(*sock);
*sock = INVALID_SOCKET;
continue;
}
/* Success, don't try any more addresses */
break;
}
if (*sock == INVALID_SOCKET) {
if (bindaddr != NULL && !found) {
BIO_printf(bio_err, "Can't bind %saddress for %s%s%s\n",
BIO_ADDRINFO_family(res) == AF_INET6 ? "IPv6 " :
BIO_ADDRINFO_family(res) == AF_INET ? "IPv4 " :
BIO_ADDRINFO_family(res) == AF_UNIX ? "unix " : "",
bindhost != NULL ? bindhost : "",
bindport != NULL ? ":" : "",
bindport != NULL ? bindport : "");
ERR_clear_error();
ret = 0;
}
ERR_print_errors(bio_err);
} else {
/* Remove any stale errors from previous connection attempts */
ERR_clear_error();
ret = 1;
}
out:
if (bindaddr != NULL) {
BIO_ADDRINFO_free (bindaddr);
}
BIO_ADDRINFO_free(res);
return ret;
}
/*
* do_server - helper routine to perform a server operation
* @accept_sock: pointer to storage of resulting socket.
* @host: the host name or path (for AF_UNIX) to connect to.
* @port: the port to connect to (ignored for AF_UNIX).
* @family: desired socket family, may be AF_INET, AF_INET6, AF_UNIX or
* AF_UNSPEC
* @type: socket type, must be SOCK_STREAM or SOCK_DGRAM
* @cb: pointer to a function that receives the accepted socket and
* should perform the communication with the connecting client.
* @context: pointer to memory that's passed verbatim to the cb function.
* @naccept: number of times an incoming connect should be accepted. If -1,
* unlimited number.
*
* This will create a socket and use it to listen to a host:port, or if
* family == AF_UNIX, to the path found in host, then start accepting
* incoming connections and run cb on the resulting socket.
*
* 0 on failure, something other on success.
*/
int do_server(int *accept_sock, const char *host, const char *port,
int family, int type, int protocol, do_server_cb cb,
unsigned char *context, int naccept, BIO *bio_s_out)
{
int asock = 0;
int sock;
int i;
BIO_ADDRINFO *res = NULL;
const BIO_ADDRINFO *next;
int sock_family, sock_type, sock_protocol, sock_port;
const BIO_ADDR *sock_address;
int sock_family_fallback = AF_UNSPEC;
const BIO_ADDR *sock_address_fallback = NULL;
int sock_options = BIO_SOCK_REUSEADDR;
int ret = 0;
if (BIO_sock_init() != 1)
return 0;
if (!BIO_lookup_ex(host, port, BIO_LOOKUP_SERVER, family, type, protocol,
&res)) {
ERR_print_errors(bio_err);
return 0;
}
/* Admittedly, these checks are quite paranoid, we should not get
* anything in the BIO_ADDRINFO chain that we haven't asked for */
OPENSSL_assert((family == AF_UNSPEC || family == BIO_ADDRINFO_family(res))
&& (type == 0 || type == BIO_ADDRINFO_socktype(res))
&& (protocol == 0 || protocol == BIO_ADDRINFO_protocol(res)));
sock_family = BIO_ADDRINFO_family(res);
sock_type = BIO_ADDRINFO_socktype(res);
sock_protocol = BIO_ADDRINFO_protocol(res);
sock_address = BIO_ADDRINFO_address(res);
next = BIO_ADDRINFO_next(res);
if (sock_family == AF_INET6)
sock_options |= BIO_SOCK_V6_ONLY;
if (next != NULL
&& BIO_ADDRINFO_socktype(next) == sock_type
&& BIO_ADDRINFO_protocol(next) == sock_protocol) {
if (sock_family == AF_INET
&& BIO_ADDRINFO_family(next) == AF_INET6) {
/* In case AF_INET6 is returned but not supported by the
* kernel, retry with the first detected address family */
sock_family_fallback = sock_family;
sock_address_fallback = sock_address;
sock_family = AF_INET6;
sock_address = BIO_ADDRINFO_address(next);
} else if (sock_family == AF_INET6
&& BIO_ADDRINFO_family(next) == AF_INET) {
sock_options &= ~BIO_SOCK_V6_ONLY;
}
}
asock = BIO_socket(sock_family, sock_type, sock_protocol, 0);
if (asock == INVALID_SOCKET && sock_family_fallback != AF_UNSPEC) {
asock = BIO_socket(sock_family_fallback, sock_type, sock_protocol, 0);
sock_address = sock_address_fallback;
}
if (asock == INVALID_SOCKET
|| !BIO_listen(asock, sock_address, sock_options)) {
BIO_ADDRINFO_free(res);
ERR_print_errors(bio_err);
if (asock != INVALID_SOCKET)
BIO_closesocket(asock);
goto end;
}
#ifndef OPENSSL_NO_SCTP
if (protocol == IPPROTO_SCTP) {
/*
* For SCTP we have to set various options on the socket prior to
* accepting. This is done automatically by BIO_new_dgram_sctp().
* We don't actually need the created BIO though so we free it again
* immediately.
*/
BIO *tmpbio = BIO_new_dgram_sctp(asock, BIO_NOCLOSE);
if (tmpbio == NULL) {
BIO_closesocket(asock);
ERR_print_errors(bio_err);
goto end;
}
BIO_free(tmpbio);
}
#endif
sock_port = BIO_ADDR_rawport(sock_address);
BIO_ADDRINFO_free(res);
res = NULL;
if (sock_port == 0) {
/* dynamically allocated port, report which one */
union BIO_sock_info_u info;
char *hostname = NULL;
char *service = NULL;
int success = 0;
if ((info.addr = BIO_ADDR_new()) != NULL
&& BIO_sock_info(asock, BIO_SOCK_INFO_ADDRESS, &info)
&& (hostname = BIO_ADDR_hostname_string(info.addr, 1)) != NULL
&& (service = BIO_ADDR_service_string(info.addr, 1)) != NULL
&& BIO_printf(bio_s_out,
strchr(hostname, ':') == NULL
? /* IPv4 */ "ACCEPT %s:%s\n"
: /* IPv6 */ "ACCEPT [%s]:%s\n",
hostname, service) > 0)
success = 1;
(void)BIO_flush(bio_s_out);
OPENSSL_free(hostname);
OPENSSL_free(service);
BIO_ADDR_free(info.addr);
if (!success) {
BIO_closesocket(asock);
ERR_print_errors(bio_err);
goto end;
}
} else {
(void)BIO_printf(bio_s_out, "ACCEPT\n");
(void)BIO_flush(bio_s_out);
}
if (accept_sock != NULL)
*accept_sock = asock;
for (;;) {
char sink[64];
struct timeval timeout;
fd_set readfds;
if (type == SOCK_STREAM) {
BIO_ADDR_free(ourpeer);
ourpeer = BIO_ADDR_new();
if (ourpeer == NULL) {
BIO_closesocket(asock);
ERR_print_errors(bio_err);
goto end;
}
do {
sock = BIO_accept_ex(asock, ourpeer, 0);
} while (sock < 0 && BIO_sock_should_retry(sock));
if (sock < 0) {
ERR_print_errors(bio_err);
BIO_closesocket(asock);
break;
}
BIO_set_tcp_ndelay(sock, 1);
i = (*cb)(sock, type, protocol, context);
/*
* If we ended with an alert being sent, but still with data in the
* network buffer to be read, then calling BIO_closesocket() will
* result in a TCP-RST being sent. On some platforms (notably
* Windows) then this will result in the peer immediately abandoning
* the connection including any buffered alert data before it has
* had a chance to be read. Shutting down the sending side first,
* and then closing the socket sends TCP-FIN first followed by
* TCP-RST. This seems to allow the peer to read the alert data.
*/
shutdown(sock, 1); /* SHUT_WR */
/*
* We just said we have nothing else to say, but it doesn't mean
* that the other side has nothing. It's even recommended to
* consume incoming data. [In testing context this ensures that
* alerts are passed on...]
*/
timeout.tv_sec = 0;
timeout.tv_usec = 500000; /* some extreme round-trip */
do {
FD_ZERO(&readfds);
openssl_fdset(sock, &readfds);
} while (select(sock + 1, &readfds, NULL, NULL, &timeout) > 0
&& readsocket(sock, sink, sizeof(sink)) > 0);
BIO_closesocket(sock);
} else {
i = (*cb)(asock, type, protocol, context);
}
if (naccept != -1)
naccept--;
if (i < 0 || naccept == 0) {
BIO_closesocket(asock);
ret = i;
break;
}
}
end:
# ifdef AF_UNIX
if (family == AF_UNIX)
unlink(host);
# endif
BIO_ADDR_free(ourpeer);
ourpeer = NULL;
return ret;
}
#endif /* OPENSSL_NO_SOCK */
diff --git a/crypto/openssl/config b/crypto/openssl/config
index 26225ca2a9e5..49422981ae84 100755
--- a/crypto/openssl/config
+++ b/crypto/openssl/config
@@ -1,944 +1,945 @@
#!/bin/sh
# Copyright 1998-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
# OpenSSL config: determine the operating system and run ./Configure
# Derived from minarch and GuessOS from Apache.
#
# Do "config -h" for usage information.
SUFFIX=""
DRYRUN="false"
VERBOSE="false"
EXE=""
THERE=`dirname $0`
# pick up any command line args to config
for i
do
case "$i" in
-d*) options=$options" --debug";;
-t*) DRYRUN="true" VERBOSE="true";;
-v*) VERBOSE="true";;
-h*) DRYRUN="true"; cat <<EOF
Usage: config [options]
-d Build with debugging when possible.
-t Test mode, do not run the Configure perl script.
-v Verbose mode, show the exact Configure call that is being made.
-h This help.
Any other text will be passed to the Configure perl script.
See INSTALL for instructions.
EOF
;;
*) i=`echo "$i" | sed -e "s|'|'\\\\\\''|g"`
options="$options '$i'" ;;
esac
done
# Environment that's being passed to Configure
__CNF_CPPDEFINES=
__CNF_CPPINCLUDES=
__CNF_CPPFLAGS=
__CNF_CFLAGS=
__CNF_CXXFLAGS=
__CNF_LDFLAGS=
__CNF_LDLIBS=
# First get uname entries that we use below
[ "$MACHINE" ] || MACHINE=`(uname -m) 2>/dev/null` || MACHINE="unknown"
[ "$RELEASE" ] || RELEASE=`(uname -r) 2>/dev/null` || RELEASE="unknown"
[ "$SYSTEM" ] || SYSTEM=`(uname -s) 2>/dev/null` || SYSTEM="unknown"
[ "$BUILD" ] || VERSION=`(uname -v) 2>/dev/null` || VERSION="unknown"
# Now test for ISC and SCO, since it is has a braindamaged uname.
#
# We need to work around FreeBSD 1.1.5.1
(
XREL=`uname -X 2>/dev/null | grep "^Release" | awk '{print $3}'`
if [ "x$XREL" != "x" ]; then
if [ -f /etc/kconfig ]; then
case "$XREL" in
4.0|4.1)
echo "${MACHINE}-whatever-isc4"; exit 0
;;
esac
else
case "$XREL" in
3.2v4.2)
echo "whatever-whatever-sco3"; exit 0
;;
3.2v5.0*)
echo "whatever-whatever-sco5"; exit 0
;;
4.2MP)
case "x${VERSION}" in
x2.0*) echo "whatever-whatever-unixware20"; exit 0 ;;
x2.1*) echo "whatever-whatever-unixware21"; exit 0 ;;
x2*) echo "whatever-whatever-unixware2"; exit 0 ;;
esac
;;
4.2)
echo "whatever-whatever-unixware1"; exit 0
;;
5*)
case "x${VERSION}" in
# We hardcode i586 in place of ${MACHINE} for the
# following reason. The catch is that even though Pentium
# is minimum requirement for platforms in question,
# ${MACHINE} gets always assigned to i386. Now, problem
# with i386 is that it makes ./config pass 386 to
# ./Configure, which in turn makes make generate
# inefficient SHA-1 (for this moment) code.
x[678]*) echo "i586-sco-unixware7"; exit 0 ;;
esac
;;
esac
fi
fi
# Now we simply scan though... In most cases, the SYSTEM info is enough
#
case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
A/UX:*)
echo "m68k-apple-aux3"; exit 0
;;
AIX:[3-9]:4:*)
echo "${MACHINE}-ibm-aix"; exit 0
;;
AIX:*:[5-9]:*)
echo "${MACHINE}-ibm-aix"; exit 0
;;
AIX:*)
echo "${MACHINE}-ibm-aix3"; exit 0
;;
HI-UX:*)
echo "${MACHINE}-hi-hiux"; exit 0
;;
HP-UX:*)
HPUXVER=`echo ${RELEASE}|sed -e 's/[^.]*.[0B]*//'`
case "$HPUXVER" in
1[0-9].*) # HPUX 10 and 11 targets are unified
echo "${MACHINE}-hp-hpux1x"; exit 0
;;
*)
echo "${MACHINE}-hp-hpux"; exit 0
;;
esac
;;
IRIX:6.*)
echo "mips3-sgi-irix"; exit 0
;;
IRIX64:*)
echo "mips4-sgi-irix64"; exit 0
;;
Linux:[2-9].*)
echo "${MACHINE}-whatever-linux2"; exit 0
;;
Linux:1.*)
echo "${MACHINE}-whatever-linux1"; exit 0
;;
GNU*)
echo "hurd-x86"; exit 0;
;;
LynxOS:*)
echo "${MACHINE}-lynx-lynxos"; exit 0
;;
BSD/OS:4.*) # BSD/OS always says 386
echo "i486-whatever-bsdi4"; exit 0
;;
BSD/386:*:*:*486*|BSD/OS:*:*:*:*486*)
case `/sbin/sysctl -n hw.model` in
Pentium*)
echo "i586-whatever-bsdi"; exit 0
;;
*)
echo "i386-whatever-bsdi"; exit 0
;;
esac;
;;
BSD/386:*|BSD/OS:*)
echo "${MACHINE}-whatever-bsdi"; exit 0
;;
FreeBSD:*:*:*386*)
VERS=`echo ${RELEASE} | sed -e 's/[-(].*//'`
MACH=`sysctl -n hw.model`
ARCH='whatever'
case ${MACH} in
*386* ) MACH="i386" ;;
*486* ) MACH="i486" ;;
Pentium\ II*) MACH="i686" ;;
Pentium* ) MACH="i586" ;;
* ) MACH="$MACHINE" ;;
esac
case ${MACH} in
i[0-9]86 ) ARCH="pc" ;;
esac
echo "${MACH}-${ARCH}-freebsd${VERS}"; exit 0
;;
DragonFly:*)
echo "${MACHINE}-whatever-dragonfly"; exit 0
;;
FreeBSD:*)
echo "${MACHINE}-whatever-freebsd"; exit 0
;;
Haiku:*)
echo "${MACHINE}-whatever-haiku"; exit 0
;;
NetBSD:*:*:*386*)
echo "`(/usr/sbin/sysctl -n hw.model || /sbin/sysctl -n hw.model) | sed 's,.*\(.\)86-class.*,i\186,'`-whatever-netbsd"; exit 0
;;
NetBSD:*)
echo "${MACHINE}-whatever-netbsd"; exit 0
;;
OpenBSD:*)
echo "${MACHINE}-whatever-openbsd"; exit 0
;;
OpenUNIX:*)
echo "${MACHINE}-unknown-OpenUNIX${VERSION}"; exit 0
;;
OSF1:*:*:*alpha*)
OSFMAJOR=`echo ${RELEASE}| sed -e 's/^V\([0-9]*\)\..*$/\1/'`
case "$OSFMAJOR" in
4|5)
echo "${MACHINE}-dec-tru64"; exit 0
;;
1|2|3)
echo "${MACHINE}-dec-osf"; exit 0
;;
*)
echo "${MACHINE}-dec-osf"; exit 0
;;
esac
;;
Paragon*:*:*:*)
echo "i860-intel-osf1"; exit 0
;;
Rhapsody:*)
echo "ppc-apple-rhapsody"; exit 0
;;
Darwin:*)
case "$MACHINE" in
Power*)
echo "ppc-apple-darwin${VERSION}"
;;
*)
echo "${MACHINE}-apple-darwin${VERSION}"
;;
esac
exit 0
;;
SunOS:5.*)
echo "${MACHINE}-whatever-solaris2"; exit 0
;;
SunOS:*)
echo "${MACHINE}-sun-sunos4"; exit 0
;;
UNIX_System_V:4.*:*)
echo "${MACHINE}-whatever-sysv4"; exit 0
;;
VOS:*:*:i786)
echo "i386-stratus-vos"; exit 0
;;
VOS:*:*:*)
echo "hppa1.1-stratus-vos"; exit 0
;;
*:4*:R4*:m88k)
echo "${MACHINE}-whatever-sysv4"; exit 0
;;
DYNIX/ptx:4*:*)
echo "${MACHINE}-whatever-sysv4"; exit 0
;;
*:4.0:3.0:3[34]?? | *:4.0:3.0:3[34]??,*)
echo "i486-ncr-sysv4"; exit 0
;;
ULTRIX:*)
echo "${MACHINE}-unknown-ultrix"; exit 0
;;
POSIX-BC*)
echo "${MACHINE}-siemens-sysv4"; exit 0 # Here, $MACHINE == "BS2000"
;;
machten:*)
echo "${MACHINE}-tenon-${SYSTEM}"; exit 0;
;;
library:*)
echo "${MACHINE}-ncr-sysv4"; exit 0
;;
ConvexOS:*:11.0:*)
echo "${MACHINE}-v11-${SYSTEM}"; exit 0;
;;
# The following combinations are supported
# MINGW64* on x86_64 => mingw64
# MINGW32* on x86_64 => mingw
# MINGW32* on i?86 => mingw
#
# MINGW64* on i?86 isn't expected to work...
MINGW64*:*:*:x86_64)
echo "${MACHINE}-whatever-mingw64"; exit 0;
;;
MINGW*)
echo "${MACHINE}-whatever-mingw"; exit 0;
;;
CYGWIN*)
echo "${MACHINE}-pc-cygwin"; exit 0
;;
vxworks*)
echo "${MACHINE}-whatever-vxworks"; exit 0;
;;
esac
#
# Ugg. These are all we can determine by what we know about
# the output of uname. Be more creative:
#
# Do the Apollo stuff first. Here, we just simply assume
# that the existence of the /usr/apollo directory is proof
# enough
if [ -d /usr/apollo ]; then
echo "whatever-apollo-whatever"
exit 0
fi
# Now NeXT
ISNEXT=`hostinfo 2>/dev/null`
case "$ISNEXT" in
*'NeXT Mach 3.3'*)
echo "whatever-next-nextstep3.3"; exit 0
;;
*NeXT*)
echo "whatever-next-nextstep"; exit 0
;;
esac
# At this point we gone through all the one's
# we know of: Punt
echo "${MACHINE}-whatever-${SYSTEM}"
exit 0
) 2>/dev/null | (
# ---------------------------------------------------------------------------
# this is where the translation occurs into SSLeay terms
# ---------------------------------------------------------------------------
# Only set CC if not supplied already
if [ -z "$CROSS_COMPILE$CC" ]; then
GCCVER=`sh -c "gcc -dumpversion" 2>/dev/null`
if [ "$GCCVER" != "" ]; then
# then strip off whatever prefix egcs prepends the number with...
# Hopefully, this will work for any future prefixes as well.
GCCVER=`echo $GCCVER | LC_ALL=C sed 's/^[a-zA-Z]*\-//'`
# Since gcc 3.1 gcc --version behaviour has changed. gcc -dumpversion
# does give us what we want though, so we use that. We just just the
# major and minor version numbers.
# peak single digit before and after first dot, e.g. 2.95.1 gives 29
GCCVER=`echo $GCCVER | sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/'`
CC=gcc
else
CC=cc
fi
fi
GCCVER=${GCCVER:-0}
if [ "$SYSTEM" = "HP-UX" ];then
# By default gcc is a ILP32 compiler (with long long == 64).
GCC_BITS="32"
if [ $GCCVER -ge 30 ]; then
# PA64 support only came in with gcc 3.0.x.
# We check if the preprocessor symbol __LP64__ is defined...
if echo "__LP64__" | gcc -v -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null; then
: # __LP64__ has slipped through, it therefore is not defined
else
GCC_BITS="64"
fi
fi
fi
if [ "$SYSTEM" = "SunOS" ]; then
if [ $GCCVER -ge 30 ]; then
# 64-bit ABI isn't officially supported in gcc 3.0, but it appears
# to be working, at the very least 'make test' passes...
if gcc -v -E -x c /dev/null 2>&1 | grep __arch64__ > /dev/null; then
GCC_ARCH="-m64"
else
GCC_ARCH="-m32"
fi
fi
# check for WorkShop C, expected output is "cc: blah-blah C x.x"
CCVER=`(cc -V 2>&1) 2>/dev/null | \
egrep -e '^cc: .* C [0-9]\.[0-9]' | \
sed 's/.* C \([0-9]\)\.\([0-9]\).*/\1\2/'`
CCVER=${CCVER:-0}
if [ $MACHINE != i86pc -a $CCVER -gt 40 ]; then
CC=cc # overrides gcc!!!
if [ $CCVER -eq 50 ]; then
echo "WARNING! Detected WorkShop C 5.0. Do make sure you have"
echo " patch #107357-01 or later applied."
sleep 5
fi
fi
fi
if [ "${SYSTEM}" = "AIX" ]; then # favor vendor cc over gcc
(cc) 2>&1 | grep -iv "not found" > /dev/null && CC=cc
fi
CCVER=${CCVER:-0}
# read the output of the embedded GuessOS
read GUESSOS
echo Operating system: $GUESSOS
# now map the output into SSLeay terms ... really should hack into the
# script above so we end up with values in vars but that would take
# more time that I want to waste at the moment
case "$GUESSOS" in
uClinux*64*)
OUT=uClinux-dist64
;;
uClinux*)
OUT=uClinux-dist
;;
mips3-sgi-irix)
OUT="irix-mips3-$CC"
;;
mips4-sgi-irix64)
echo "WARNING! If you wish to build 64-bit library, then you have to"
echo " invoke '$THERE/Configure irix64-mips4-$CC' *manually*."
if [ "$DRYRUN" = "false" -a -t 1 ]; then
echo " You have about 5 seconds to press Ctrl-C to abort."
(trap "stty `stty -g`; exit 0" 2 0; stty -icanon min 0 time 50; read waste) <&1
fi
OUT="irix-mips3-$CC"
;;
ppc-apple-rhapsody) OUT="rhapsody-ppc-cc" ;;
ppc-apple-darwin*)
ISA64=`(sysctl -n hw.optional.64bitops) 2>/dev/null`
if [ "$ISA64" = "1" -a -z "$KERNEL_BITS" ]; then
echo "WARNING! If you wish to build 64-bit library, then you have to"
echo " invoke '$THERE/Configure darwin64-ppc-cc' *manually*."
if [ "$DRYRUN" = "false" -a -t 1 ]; then
echo " You have about 5 seconds to press Ctrl-C to abort."
(trap "stty `stty -g`; exit 0" 2 0; stty -icanon min 0 time 50; read waste) <&1
fi
fi
if [ "$ISA64" = "1" -a "$KERNEL_BITS" = "64" ]; then
OUT="darwin64-ppc-cc"
else
OUT="darwin-ppc-cc"
fi ;;
i?86-apple-darwin*)
ISA64=`(sysctl -n hw.optional.x86_64) 2>/dev/null`
if [ "$ISA64" = "1" -a -z "$KERNEL_BITS" ]; then
echo "WARNING! If you wish to build 64-bit library, then you have to"
echo " invoke 'KERNEL_BITS=64 $THERE/config $options'."
if [ "$DRYRUN" = "false" -a -t 1 ]; then
echo " You have about 5 seconds to press Ctrl-C to abort."
(trap "stty `stty -g`; exit 1" 2; stty -icanon min 0 time 50; read waste; exit 0) <&1 || exit
fi
fi
if [ "$ISA64" = "1" -a "$KERNEL_BITS" = "64" ]; then
OUT="darwin64-x86_64-cc"
else
OUT="darwin-i386-cc"
fi ;;
x86_64-apple-darwin*)
if [ "$KERNEL_BITS" = "32" ]; then
OUT="darwin-i386-cc"
else
OUT="darwin64-x86_64-cc"
fi ;;
$MACHINE-apple-darwin*)
OUT="darwin64-$MACHINE-cc"
;;
armv6+7-*-iphoneos)
__CNF_CFLAGS="$__CNF_CFLAGS -arch armv6 -arch armv7"
__CNF_CXXFLAGS="$__CNF_CXXFLAGS -arch armv6 -arch armv7"
OUT="iphoneos-cross" ;;
*-*-iphoneos)
__CNF_CFLAGS="$__CNF_CFLAGS -arch ${MACHINE}"
__CNF_CXXFLAGS="$__CNF_CXXFLAGS -arch ${MACHINE}"
OUT="iphoneos-cross" ;;
arm64-*-iphoneos|*-*-ios64)
OUT="ios64-cross" ;;
alpha-*-linux2)
ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo`
OUT="linux-alpha-$CC"
if [ "$CC" = "gcc" ]; then
case ${ISA:-generic} in
EV5|EV45) __CNF_CFLAGS="$__CNF_CFLAGS -mcpu=ev5"
__CNF_CXXFLAGS="$__CNF_CFLAGS -mcpu=ev5";;
EV56|PCA56) __CNF_CFLAGS="$__CNF_CFLAGS -mcpu=ev56"
__CNF_CXXFLAGS="$__CNF_CXXFLAGS -mcpu=ev56";;
*) __CNF_CFLAGS="$__CNF_CFLAGS -mcpu=ev6"
__CNF_CXXFLAGS="$__CNF_CXXFLAGS -mcpu=ev6";;
esac
fi
;;
ppc64-*-linux2)
if [ -z "$KERNEL_BITS" ]; then
echo "WARNING! If you wish to build 64-bit library, then you have to"
echo " invoke '$THERE/Configure linux-ppc64' *manually*."
if [ "$DRYRUN" = "false" -a -t 1 ]; then
echo " You have about 5 seconds to press Ctrl-C to abort."
(trap "stty `stty -g`; exit 0" 2 0; stty -icanon min 0 time 50; read waste) <&1
fi
fi
if [ "$KERNEL_BITS" = "64" ]; then
OUT="linux-ppc64"
else
OUT="linux-ppc"
if (echo "__LP64__" | gcc -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null); then
:;
else
__CNF_CFLAGS="$__CNF_CFLAGS -m32"
__CNF_CXXFLAGS="$__CNF_CXXFLAGS -m32"
fi
fi
;;
ppc64le-*-linux2) OUT="linux-ppc64le" ;;
ppc-*-linux2) OUT="linux-ppc" ;;
mips64*-*-linux2)
echo "WARNING! If you wish to build 64-bit library, then you have to"
echo " invoke '$THERE/Configure linux64-mips64' *manually*."
if [ "$DRYRUN" = "false" -a -t 1 ]; then
echo " You have about 5 seconds to press Ctrl-C to abort."
(trap "stty `stty -g`; exit 0" 2 0; stty -icanon min 0 time 50; read waste) <&1
fi
OUT="linux-mips64"
;;
mips*-*-linux2) OUT="linux-mips32" ;;
ppc60x-*-vxworks*) OUT="vxworks-ppc60x" ;;
ppcgen-*-vxworks*) OUT="vxworks-ppcgen" ;;
pentium-*-vxworks*) OUT="vxworks-pentium" ;;
simlinux-*-vxworks*) OUT="vxworks-simlinux" ;;
mips-*-vxworks*) OUT="vxworks-mips";;
ia64-*-linux?) OUT="linux-ia64" ;;
sparc64-*-linux2)
echo "WARNING! If you *know* that your GNU C supports 64-bit/V9 ABI"
echo " and wish to build 64-bit library, then you have to"
echo " invoke '$THERE/Configure linux64-sparcv9' *manually*."
if [ "$DRYRUN" = "false" -a -t 1 ]; then
echo " You have about 5 seconds to press Ctrl-C to abort."
(trap "stty `stty -g`; exit 0" 2 0; stty -icanon min 0 time 50; read waste) <&1
fi
OUT="linux-sparcv9" ;;
sparc-*-linux2)
KARCH=`awk '/^type/{print$3;exit(0);}' /proc/cpuinfo`
case ${KARCH:-sun4} in
sun4u*) OUT="linux-sparcv9" ;;
sun4m) OUT="linux-sparcv8" ;;
sun4d) OUT="linux-sparcv8" ;;
*) OUT="linux-generic32";
__CNF_CPPFLAGS="$__CNF_CPPFLAGS -DB_ENDIAN" ;;
esac ;;
parisc*-*-linux2)
# 64-bit builds under parisc64 linux are not supported and
# compiler is expected to generate 32-bit objects...
CPUARCH=`awk '/cpu family/{print substr($5,1,3); exit(0);}' /proc/cpuinfo`
CPUSCHEDULE=`awk '/^cpu.[ ]*: PA/{print substr($3,3); exit(0);}' /proc/cpuinfo`
# ??TODO ?? Model transformations
# 0. CPU Architecture for the 1.1 processor has letter suffixes. We strip that off
# assuming no further arch. identification will ever be used by GCC.
# 1. I'm most concerned about whether is a 7300LC is closer to a 7100 versus a 7100LC.
# 2. The variant 64-bit processors cause concern should GCC support explicit schedulers
# for these chips in the future.
# PA7300LC -> 7100LC (1.1)
# PA8200 -> 8000 (2.0)
# PA8500 -> 8000 (2.0)
# PA8600 -> 8000 (2.0)
CPUSCHEDULE=`echo $CPUSCHEDULE|sed -e 's/7300LC/7100LC/' -e 's/8.00/8000/'`
# Finish Model transformations
__CNF_CPPFLAGS="$__CNF_CPPFLAGS -DB_ENDIAN"
__CNF_CFLAGS="$__CNF_CFLAGS -mschedule=$CPUSCHEDULE -march=$CPUARCH"
__CNF_CXXFLAGS="$__CNF_CXXFLAGS -mschedule=$CPUSCHEDULE -march=$CPUARCH"
OUT="linux-generic32" ;;
armv[1-3]*-*-linux2) OUT="linux-generic32" ;;
armv[7-9]*-*-linux2) OUT="linux-armv4"
__CNF_CFLAGS="$__CNF_CFLAGS -march=armv7-a"
__CNF_CXXFLAGS="$__CNF_CXXFLAGS -march=armv7-a"
;;
arm*-*-linux2) OUT="linux-armv4" ;;
aarch64-*-linux2) OUT="linux-aarch64" ;;
sh*b-*-linux2) OUT="linux-generic32";
__CNF_CPPFLAGS="$__CNF_CPPFLAGS -DB_ENDIAN" ;;
sh*-*-linux2) OUT="linux-generic32";
__CNF_CPPFLAGS="$__CNF_CPPFLAGS -DL_ENDIAN" ;;
m68k*-*-linux2) OUT="linux-generic32";
__CNF_CPPFLAGS="$__CNF_CPPFLAGS -DB_ENDIAN" ;;
s390-*-linux2) OUT="linux-generic32";
__CNF_CPPFLAGS="$__CNF_CPPFLAGS -DB_ENDIAN" ;;
s390x-*-linux2)
# To be uncommented when glibc bug is fixed, see Configure...
#if egrep -e '^features.* highgprs' /proc/cpuinfo >/dev/null ; then
# echo "WARNING! If you wish to build \"highgprs\" 32-bit library, then you"
# echo " have to invoke './Configure linux32-s390x' *manually*."
# if [ "$DRYRUN" = "false" -a -t -1 ]; then
# echo " You have about 5 seconds to press Ctrl-C to abort."
# (trap "stty `stty -g`; exit 0" 2 0; stty -icanon min 0 time 50; read waste) <&1
# fi
#fi
OUT="linux64-s390x"
;;
x86_64-*-linux?)
if $CC -dM -E -x c /dev/null 2>&1 | grep -q ILP32 > /dev/null; then
OUT="linux-x32"
else
OUT="linux-x86_64"
fi ;;
*86-*-linux2)
# On machines where the compiler understands -m32, prefer a
# config target that uses it
if $CC -m32 -E -x c /dev/null > /dev/null 2>&1; then
OUT="linux-x86"
else
OUT="linux-elf"
fi ;;
*86-*-linux1) OUT="linux-aout" ;;
*-*-linux?) OUT="linux-generic32" ;;
sun4[uv]*-*-solaris2)
OUT="solaris-sparcv9-$CC"
ISA64=`(isainfo) 2>/dev/null | grep sparcv9`
if [ "$ISA64" != "" -a "$KERNEL_BITS" = "" ]; then
if [ "$CC" = "cc" -a $CCVER -ge 50 ]; then
echo "WARNING! If you wish to build 64-bit library, then you have to"
echo " invoke '$THERE/Configure solaris64-sparcv9-cc' *manually*."
if [ "$DRYRUN" = "false" -a -t 1 ]; then
echo " You have about 5 seconds to press Ctrl-C to abort."
(trap "stty `stty -g`; exit 0" 2 0; stty -icanon min 0 time 50; read waste) <&1
fi
elif [ "$CC" = "gcc" -a "$GCC_ARCH" = "-m64" ]; then
# $GCC_ARCH denotes default ABI chosen by compiler driver
# (first one found on the $PATH). I assume that user
# expects certain consistency with the rest of his builds
# and therefore switch over to 64-bit. <appro>
OUT="solaris64-sparcv9-gcc"
echo "WARNING! If you wish to build 32-bit library, then you have to"
echo " invoke '$THERE/Configure solaris-sparcv9-gcc' *manually*."
if [ "$DRYRUN" = "false" -a -t 1 ]; then
echo " You have about 5 seconds to press Ctrl-C to abort."
(trap "stty `stty -g`; exit 0" 2 0; stty -icanon min 0 time 50; read waste) <&1
fi
elif [ "$GCC_ARCH" = "-m32" ]; then
echo "NOTICE! If you *know* that your GNU C supports 64-bit/V9 ABI"
echo " and wish to build 64-bit library, then you have to"
echo " invoke '$THERE/Configure solaris64-sparcv9-gcc' *manually*."
if [ "$DRYRUN" = "false" -a -t 1 ]; then
echo " You have about 5 seconds to press Ctrl-C to abort."
(trap "stty `stty -g`; exit 0" 2 0; stty -icanon min 0 time 50; read waste) <&1
fi
fi
fi
if [ "$ISA64" != "" -a "$KERNEL_BITS" = "64" ]; then
OUT="solaris64-sparcv9-$CC"
fi
;;
sun4m-*-solaris2) OUT="solaris-sparcv8-$CC" ;;
sun4d-*-solaris2) OUT="solaris-sparcv8-$CC" ;;
sun4*-*-solaris2) OUT="solaris-sparcv7-$CC" ;;
*86*-*-solaris2)
ISA64=`(isainfo) 2>/dev/null | grep amd64`
if [ "$ISA64" != "" -a ${KERNEL_BITS:-64} -eq 64 ]; then
OUT="solaris64-x86_64-$CC"
else
OUT="solaris-x86-$CC"
if [ `uname -r | sed -e 's/5\.//'` -lt 10 ]; then
options="$options no-sse2"
fi
fi
;;
*-*-sunos4) OUT="sunos-$CC" ;;
*86*-*-bsdi4) OUT="BSD-x86-elf"; options="$options no-sse2";
__CNF_LDFLAGS="$__CNF_LDFLAGS -ldl" ;;
alpha*-*-*bsd*) OUT="BSD-generic64";
__CNF_CPPFLAGS="$__CNF_CPPFLAGS -DL_ENDIAN" ;;
powerpc64-*-*bsd*) OUT="BSD-generic64";
__CNF_CPPFLAGS="$__CNF_CPPFLAGS -DB_ENDIAN" ;;
+ riscv64-*-*bsd*) OUT="BSD-riscv64" ;;
sparc64-*-*bsd*) OUT="BSD-sparc64" ;;
ia64-*-*bsd*) OUT="BSD-ia64" ;;
x86_64-*-dragonfly*) OUT="BSD-x86_64" ;;
amd64-*-*bsd*) OUT="BSD-x86_64" ;;
*86*-*-*bsd*) # mimic ld behaviour when it's looking for libc...
if [ -L /usr/lib/libc.so ]; then # [Free|Net]BSD
libc=/usr/lib/libc.so
else # OpenBSD
# ld searches for highest libc.so.* and so do we
libc=`(ls /usr/lib/libc.so.* /lib/libc.so.* | tail -1) 2>/dev/null`
fi
case "`(file -L $libc) 2>/dev/null`" in
*ELF*) OUT="BSD-x86-elf" ;;
*) OUT="BSD-x86"; options="$options no-sse2" ;;
esac ;;
*-*-*bsd*) OUT="BSD-generic32" ;;
x86_64-*-haiku) OUT="haiku-x86_64" ;;
*-*-haiku) OUT="haiku-x86" ;;
*-*-osf) OUT="osf1-alpha-cc" ;;
*-*-tru64) OUT="tru64-alpha-cc" ;;
*-*-[Uu]nix[Ww]are7)
if [ "$CC" = "gcc" ]; then
OUT="unixware-7-gcc" ; options="$options no-sse2"
else
OUT="unixware-7" ; options="$options no-sse2"
__CNF_CPPFLAGS="$__CNF_CPPFLAGS -D__i386__"
fi
;;
*-*-[Uu]nix[Ww]are20*) OUT="unixware-2.0"; options="$options no-sse2 no-sha512" ;;
*-*-[Uu]nix[Ww]are21*) OUT="unixware-2.1"; options="$options no-sse2 no-sha512" ;;
*-*-vos)
options="$options no-threads no-shared no-asm no-dso"
EXE=".pm"
OUT="vos-$CC" ;;
BS2000-siemens-sysv4) OUT="BS2000-OSD" ;;
*-hpux1*)
if [ $CC = "gcc" -a $GCC_BITS = "64" ]; then
OUT="hpux64-parisc2-gcc"
fi
[ "$KERNEL_BITS" ] || KERNEL_BITS=`(getconf KERNEL_BITS) 2>/dev/null`
KERNEL_BITS=${KERNEL_BITS:-32}
CPU_VERSION=`(getconf CPU_VERSION) 2>/dev/null`
CPU_VERSION=${CPU_VERSION:-0}
# See <sys/unistd.h> for further info on CPU_VERSION.
if [ $CPU_VERSION -ge 768 ]; then # IA-64 CPU
if [ $KERNEL_BITS -eq 64 -a "$CC" = "cc" ]; then
OUT="hpux64-ia64-cc"
else
OUT="hpux-ia64-cc"
fi
elif [ $CPU_VERSION -ge 532 ]; then # PA-RISC 2.x CPU
# PA-RISC 2.0 is no longer supported as separate 32-bit
# target. This is compensated for by run-time detection
# in most critical assembly modules and taking advantage
# of 2.0 architecture in PA-RISC 1.1 build.
OUT=${OUT:-"hpux-parisc1_1-${CC}"}
if [ $KERNEL_BITS -eq 64 -a "$CC" = "cc" ]; then
echo "WARNING! If you wish to build 64-bit library then you have to"
echo " invoke '$THERE/Configure hpux64-parisc2-cc' *manually*."
if [ "$DRYRUN" = "false" -a -t 1 ]; then
echo " You have about 5 seconds to press Ctrl-C to abort."
(trap "stty `stty -g`; exit 0" 2 0; stty -icanon min 0 time 50; read waste) <&1
fi
fi
elif [ $CPU_VERSION -ge 528 ]; then # PA-RISC 1.1+ CPU
OUT="hpux-parisc1_1-${CC}"
elif [ $CPU_VERSION -ge 523 ]; then # PA-RISC 1.0 CPU
OUT="hpux-parisc-${CC}"
else # Motorola(?) CPU
OUT="hpux-$CC"
fi
__CNF_CPPFLAGS="$__CNF_CPPFLAGS -D_REENTRANT" ;;
*-hpux) OUT="hpux-parisc-$CC" ;;
*-aix)
[ "$KERNEL_BITS" ] || KERNEL_BITS=`(getconf KERNEL_BITMODE) 2>/dev/null`
KERNEL_BITS=${KERNEL_BITS:-32}
OBJECT_MODE=${OBJECT_MODE:-32}
if [ "$CC" = "gcc" ]; then
OUT="aix-gcc"
if [ $OBJECT_MODE -eq 64 ]; then
echo 'Your $OBJECT_MODE was found to be set to 64'
OUT="aix64-gcc"
fi
elif [ $OBJECT_MODE -eq 64 ]; then
echo 'Your $OBJECT_MODE was found to be set to 64'
OUT="aix64-cc"
else
OUT="aix-cc"
if [ $KERNEL_BITS -eq 64 ]; then
echo "WARNING! If you wish to build 64-bit kit, then you have to"
echo " invoke '$THERE/Configure aix64-cc' *manually*."
if [ "$DRYRUN" = "false" -a -t 1 ]; then
echo " You have ~5 seconds to press Ctrl-C to abort."
(trap "stty `stty -g`; exit 0" 2 0; stty -icanon min 0 time 50; read waste) <&1
fi
fi
fi
if (lsattr -E -O -l `lsdev -c processor|awk '{print$1;exit}'` | grep -i powerpc) >/dev/null 2>&1; then
: # this applies even to Power3 and later, as they return PowerPC_POWER[345]
else
options="$options no-asm"
fi
;;
# these are all covered by the catchall below
i[3456]86-*-cygwin) OUT="Cygwin-x86" ;;
*-*-cygwin) OUT="Cygwin-${MACHINE}" ;;
x86-*-android|i?86-*-android) OUT="android-x86" ;;
armv[7-9]*-*-android)
OUT="android-armeabi"
__CNF_CFLAGS="$__CNF_CFLAGS -march=armv7-a"
__CNF_CXXFLAGS="$__CNF_CXXFLAGS -march=armv7-a";;
arm*-*-android) OUT="android-armeabi" ;;
*) OUT=`echo $GUESSOS | awk -F- '{print $3}'`;;
esac
# NB: This atalla support has been superseded by the ENGINE support
# That contains its own header and definitions anyway. Support can
# be enabled or disabled on any supported platform without external
# headers, eg. by adding the "hw-atalla" switch to ./config or
# perl Configure
#
# See whether we can compile Atalla support
#if [ -f /usr/include/atasi.h ]
#then
# __CNF_CPPFLAGS="$__CNF_CPPFLAGS -DATALLA"
#fi
if [ -n "$CONFIG_OPTIONS" ]; then
options="$options $CONFIG_OPTIONS"
fi
# gcc < 2.8 does not support -march=ultrasparc
if [ "$OUT" = solaris-sparcv9-gcc -a $GCCVER -lt 28 ]
then
echo "WARNING! Falling down to 'solaris-sparcv8-gcc'."
echo " Upgrade to gcc-2.8 or later."
sleep 5
OUT=solaris-sparcv8-gcc
fi
if [ "$OUT" = "linux-sparcv9" -a $GCCVER -lt 28 ]
then
echo "WARNING! Falling down to 'linux-sparcv8'."
echo " Upgrade to gcc-2.8 or later."
sleep 5
OUT=linux-sparcv8
fi
case "$GUESSOS" in
i386-*) options="$options 386" ;;
esac
for i in aes aria bf camellia cast des dh dsa ec hmac idea md2 md5 mdc2 rc2 rc4 rc5 ripemd rsa seed sha sm2 sm3 sm4
do
if [ ! -d $THERE/crypto/$i ]
then
options="$options no-$i"
fi
done
if [ -z "$OUT" ]; then
OUT="$CC"
fi
if [ ".$PERL" = . ] ; then
for i in . `echo $PATH | sed 's/:/ /g'`; do
if [ -f "$i/perl5$EXE" ] ; then
PERL="$i/perl5$EXE"
break;
fi;
done
fi
if [ ".$PERL" = . ] ; then
for i in . `echo $PATH | sed 's/:/ /g'`; do
if [ -f "$i/perl$EXE" ] ; then
if "$i/perl$EXE" -e 'exit($]<5.0)'; then
PERL="$i/perl$EXE"
break;
fi;
fi;
done
fi
if [ ".$PERL" = . ] ; then
echo "You need Perl 5."
exit 1
fi
# run Configure to check to see if we need to specify the
# compiler for the platform ... in which case we add it on
# the end ... otherwise we leave it off
$PERL $THERE/Configure LIST | grep "$OUT-$CC" > /dev/null
if [ $? = "0" ]; then
OUT="$OUT-$CC"
fi
OUT="$OUT"
if [ "$OUT" = "darwin64-x86_64-cc" ]; then
echo "WARNING! If you wish to build 32-bit libraries, then you have to"
echo " invoke 'KERNEL_BITS=32 $THERE/config $options'."
fi
if $PERL $THERE/Configure LIST | grep "$OUT" > /dev/null; then
if [ "$VERBOSE" = "true" ]; then
echo /usr/bin/env \
__CNF_CPPDEFINES="'$__CNF_CPPDEFINES'" \
__CNF_CPPINCLUDES="'$__CNF_CPPINCLUDES'" \
__CNF_CPPFLAGS="'$__CNF_CPPFLAGS'" \
__CNF_CFLAGS="'$__CNF_CFLAGS'" \
__CNF_CXXFLAGS="'$__CNF_CXXFLAGS'" \
__CNF_LDFLAGS="'$__CNF_LDFLAGS'" \
__CNF_LDLIBS="'$__CNF_LDLIBS'" \
$PERL $THERE/Configure $OUT $options
fi
if [ "$DRYRUN" = "false" ]; then
# eval to make sure quoted options, possibly with spaces inside,
# are treated right
eval /usr/bin/env \
__CNF_CPPDEFINES="'$__CNF_CPPDEFINES'" \
__CNF_CPPINCLUDES="'$__CNF_CPPINCLUDES'" \
__CNF_CPPFLAGS="'$__CNF_CPPFLAGS'" \
__CNF_CFLAGS="'$__CNF_CFLAGS'" \
__CNF_CXXFLAGS="'$__CNF_CXXFLAGS'" \
__CNF_LDFLAGS="'$__CNF_LDFLAGS'" \
__CNF_LDLIBS="'$__CNF_LDLIBS'" \
$PERL $THERE/Configure $OUT $options
fi
else
echo "This system ($OUT) is not supported. See file INSTALL for details."
exit 1
fi
# Do not add anothing from here on, so we don't lose the Configure exit code
)
diff --git a/crypto/openssl/crypto/asn1/charmap.h b/crypto/openssl/crypto/asn1/charmap.h
index e234c9e615d0..5630291bd58c 100644
--- a/crypto/openssl/crypto/asn1/charmap.h
+++ b/crypto/openssl/crypto/asn1/charmap.h
@@ -1,34 +1,34 @@
/*
* WARNING: do not edit!
* Generated by crypto/asn1/charmap.pl
*
- * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#define CHARTYPE_HOST_ANY 4096
#define CHARTYPE_HOST_DOT 8192
#define CHARTYPE_HOST_HYPHEN 16384
#define CHARTYPE_HOST_WILD 32768
/*
* Mask of various character properties
*/
static const unsigned short char_type[] = {
1026, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 120, 0, 1, 40,
0, 0, 0, 16, 1040, 1040, 33792, 25, 25, 16400, 8208, 16,
4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 16, 9,
9, 16, 9, 16, 0, 4112, 4112, 4112, 4112, 4112, 4112, 4112,
4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112,
4112, 4112, 4112, 4112, 4112, 4112, 4112, 0, 1025, 0, 0, 0,
0, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112,
4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112, 4112,
4112, 4112, 4112, 0, 0, 0, 0, 2
};
diff --git a/crypto/openssl/crypto/bio/b_addr.c b/crypto/openssl/crypto/bio/b_addr.c
index 8ea32bce401b..0af7a330bc68 100644
--- a/crypto/openssl/crypto/bio/b_addr.c
+++ b/crypto/openssl/crypto/bio/b_addr.c
@@ -1,928 +1,928 @@
/*
- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#ifndef _GNU_SOURCE
# define _GNU_SOURCE
#endif
#include <assert.h>
#include <string.h>
#include "bio_local.h"
#include <openssl/crypto.h>
#ifndef OPENSSL_NO_SOCK
#include <openssl/err.h>
#include <openssl/buffer.h>
#include "internal/thread_once.h"
CRYPTO_RWLOCK *bio_lookup_lock;
static CRYPTO_ONCE bio_lookup_init = CRYPTO_ONCE_STATIC_INIT;
/*
* Throughout this file and bio_local.h, the existence of the macro
* AI_PASSIVE is used to detect the availability of struct addrinfo,
* getnameinfo() and getaddrinfo(). If that macro doesn't exist,
* we use our own implementation instead, using gethostbyname,
* getservbyname and a few other.
*/
/**********************************************************************
*
* Address structure
*
*/
BIO_ADDR *BIO_ADDR_new(void)
{
BIO_ADDR *ret = OPENSSL_zalloc(sizeof(*ret));
if (ret == NULL) {
BIOerr(BIO_F_BIO_ADDR_NEW, ERR_R_MALLOC_FAILURE);
return NULL;
}
ret->sa.sa_family = AF_UNSPEC;
return ret;
}
void BIO_ADDR_free(BIO_ADDR *ap)
{
OPENSSL_free(ap);
}
void BIO_ADDR_clear(BIO_ADDR *ap)
{
memset(ap, 0, sizeof(*ap));
ap->sa.sa_family = AF_UNSPEC;
}
/*
* BIO_ADDR_make - non-public routine to fill a BIO_ADDR with the contents
* of a struct sockaddr.
*/
int BIO_ADDR_make(BIO_ADDR *ap, const struct sockaddr *sa)
{
if (sa->sa_family == AF_INET) {
memcpy(&(ap->s_in), sa, sizeof(struct sockaddr_in));
return 1;
}
#ifdef AF_INET6
if (sa->sa_family == AF_INET6) {
memcpy(&(ap->s_in6), sa, sizeof(struct sockaddr_in6));
return 1;
}
#endif
#ifdef AF_UNIX
if (sa->sa_family == AF_UNIX) {
memcpy(&(ap->s_un), sa, sizeof(struct sockaddr_un));
return 1;
}
#endif
return 0;
}
int BIO_ADDR_rawmake(BIO_ADDR *ap, int family,
const void *where, size_t wherelen,
unsigned short port)
{
#ifdef AF_UNIX
if (family == AF_UNIX) {
if (wherelen + 1 > sizeof(ap->s_un.sun_path))
return 0;
memset(&ap->s_un, 0, sizeof(ap->s_un));
ap->s_un.sun_family = family;
strncpy(ap->s_un.sun_path, where, sizeof(ap->s_un.sun_path) - 1);
return 1;
}
#endif
if (family == AF_INET) {
if (wherelen != sizeof(struct in_addr))
return 0;
memset(&ap->s_in, 0, sizeof(ap->s_in));
ap->s_in.sin_family = family;
ap->s_in.sin_port = port;
ap->s_in.sin_addr = *(struct in_addr *)where;
return 1;
}
#ifdef AF_INET6
if (family == AF_INET6) {
if (wherelen != sizeof(struct in6_addr))
return 0;
memset(&ap->s_in6, 0, sizeof(ap->s_in6));
ap->s_in6.sin6_family = family;
ap->s_in6.sin6_port = port;
ap->s_in6.sin6_addr = *(struct in6_addr *)where;
return 1;
}
#endif
return 0;
}
int BIO_ADDR_family(const BIO_ADDR *ap)
{
return ap->sa.sa_family;
}
int BIO_ADDR_rawaddress(const BIO_ADDR *ap, void *p, size_t *l)
{
size_t len = 0;
const void *addrptr = NULL;
if (ap->sa.sa_family == AF_INET) {
len = sizeof(ap->s_in.sin_addr);
addrptr = &ap->s_in.sin_addr;
}
#ifdef AF_INET6
else if (ap->sa.sa_family == AF_INET6) {
len = sizeof(ap->s_in6.sin6_addr);
addrptr = &ap->s_in6.sin6_addr;
}
#endif
#ifdef AF_UNIX
else if (ap->sa.sa_family == AF_UNIX) {
len = strlen(ap->s_un.sun_path);
addrptr = &ap->s_un.sun_path;
}
#endif
if (addrptr == NULL)
return 0;
if (p != NULL) {
memcpy(p, addrptr, len);
}
if (l != NULL)
*l = len;
return 1;
}
unsigned short BIO_ADDR_rawport(const BIO_ADDR *ap)
{
if (ap->sa.sa_family == AF_INET)
return ap->s_in.sin_port;
#ifdef AF_INET6
if (ap->sa.sa_family == AF_INET6)
return ap->s_in6.sin6_port;
#endif
return 0;
}
/*-
* addr_strings - helper function to get host and service names
* @ap: the BIO_ADDR that has the input info
* @numeric: 0 if actual names should be returned, 1 if the numeric
* representation should be returned.
* @hostname: a pointer to a pointer to a memory area to store the
* host name or numeric representation. Unused if NULL.
* @service: a pointer to a pointer to a memory area to store the
* service name or numeric representation. Unused if NULL.
*
* The return value is 0 on failure, with the error code in the error
* stack, and 1 on success.
*/
static int addr_strings(const BIO_ADDR *ap, int numeric,
char **hostname, char **service)
{
if (BIO_sock_init() != 1)
return 0;
if (1) {
#ifdef AI_PASSIVE
int ret = 0;
char host[NI_MAXHOST] = "", serv[NI_MAXSERV] = "";
int flags = 0;
if (numeric)
flags |= NI_NUMERICHOST | NI_NUMERICSERV;
if ((ret = getnameinfo(BIO_ADDR_sockaddr(ap),
BIO_ADDR_sockaddr_size(ap),
host, sizeof(host), serv, sizeof(serv),
flags)) != 0) {
# ifdef EAI_SYSTEM
if (ret == EAI_SYSTEM) {
SYSerr(SYS_F_GETNAMEINFO, get_last_socket_error());
BIOerr(BIO_F_ADDR_STRINGS, ERR_R_SYS_LIB);
} else
# endif
{
BIOerr(BIO_F_ADDR_STRINGS, ERR_R_SYS_LIB);
ERR_add_error_data(1, gai_strerror(ret));
}
return 0;
}
/* VMS getnameinfo() has a bug, it doesn't fill in serv, which
* leaves it with whatever garbage that happens to be there.
* However, we initialise serv with the empty string (serv[0]
* is therefore NUL), so it gets real easy to detect when things
* didn't go the way one might expect.
*/
if (serv[0] == '\0') {
BIO_snprintf(serv, sizeof(serv), "%d",
ntohs(BIO_ADDR_rawport(ap)));
}
if (hostname != NULL)
*hostname = OPENSSL_strdup(host);
if (service != NULL)
*service = OPENSSL_strdup(serv);
} else {
#endif
if (hostname != NULL)
*hostname = OPENSSL_strdup(inet_ntoa(ap->s_in.sin_addr));
if (service != NULL) {
char serv[6]; /* port is 16 bits => max 5 decimal digits */
BIO_snprintf(serv, sizeof(serv), "%d", ntohs(ap->s_in.sin_port));
*service = OPENSSL_strdup(serv);
}
}
if ((hostname != NULL && *hostname == NULL)
|| (service != NULL && *service == NULL)) {
if (hostname != NULL) {
OPENSSL_free(*hostname);
*hostname = NULL;
}
if (service != NULL) {
OPENSSL_free(*service);
*service = NULL;
}
BIOerr(BIO_F_ADDR_STRINGS, ERR_R_MALLOC_FAILURE);
return 0;
}
return 1;
}
char *BIO_ADDR_hostname_string(const BIO_ADDR *ap, int numeric)
{
char *hostname = NULL;
if (addr_strings(ap, numeric, &hostname, NULL))
return hostname;
return NULL;
}
char *BIO_ADDR_service_string(const BIO_ADDR *ap, int numeric)
{
char *service = NULL;
if (addr_strings(ap, numeric, NULL, &service))
return service;
return NULL;
}
char *BIO_ADDR_path_string(const BIO_ADDR *ap)
{
#ifdef AF_UNIX
if (ap->sa.sa_family == AF_UNIX)
return OPENSSL_strdup(ap->s_un.sun_path);
#endif
return NULL;
}
/*
* BIO_ADDR_sockaddr - non-public routine to return the struct sockaddr
* for a given BIO_ADDR. In reality, this is simply a type safe cast.
* The returned struct sockaddr is const, so it can't be tampered with.
*/
const struct sockaddr *BIO_ADDR_sockaddr(const BIO_ADDR *ap)
{
return &(ap->sa);
}
/*
* BIO_ADDR_sockaddr_noconst - non-public function that does the same
* as BIO_ADDR_sockaddr, but returns a non-const. USE WITH CARE, as
* it allows you to tamper with the data (and thereby the contents
* of the input BIO_ADDR).
*/
struct sockaddr *BIO_ADDR_sockaddr_noconst(BIO_ADDR *ap)
{
return &(ap->sa);
}
/*
* BIO_ADDR_sockaddr_size - non-public function that returns the size
* of the struct sockaddr the BIO_ADDR is using. If the protocol family
* isn't set or is something other than AF_INET, AF_INET6 or AF_UNIX,
* the size of the BIO_ADDR type is returned.
*/
socklen_t BIO_ADDR_sockaddr_size(const BIO_ADDR *ap)
{
if (ap->sa.sa_family == AF_INET)
return sizeof(ap->s_in);
#ifdef AF_INET6
if (ap->sa.sa_family == AF_INET6)
return sizeof(ap->s_in6);
#endif
#ifdef AF_UNIX
if (ap->sa.sa_family == AF_UNIX)
return sizeof(ap->s_un);
#endif
return sizeof(*ap);
}
/**********************************************************************
*
* Address info database
*
*/
const BIO_ADDRINFO *BIO_ADDRINFO_next(const BIO_ADDRINFO *bai)
{
if (bai != NULL)
return bai->bai_next;
return NULL;
}
int BIO_ADDRINFO_family(const BIO_ADDRINFO *bai)
{
if (bai != NULL)
return bai->bai_family;
return 0;
}
int BIO_ADDRINFO_socktype(const BIO_ADDRINFO *bai)
{
if (bai != NULL)
return bai->bai_socktype;
return 0;
}
int BIO_ADDRINFO_protocol(const BIO_ADDRINFO *bai)
{
if (bai != NULL) {
if (bai->bai_protocol != 0)
return bai->bai_protocol;
#ifdef AF_UNIX
if (bai->bai_family == AF_UNIX)
return 0;
#endif
switch (bai->bai_socktype) {
case SOCK_STREAM:
return IPPROTO_TCP;
case SOCK_DGRAM:
return IPPROTO_UDP;
default:
break;
}
}
return 0;
}
/*
* BIO_ADDRINFO_sockaddr_size - non-public function that returns the size
* of the struct sockaddr inside the BIO_ADDRINFO.
*/
socklen_t BIO_ADDRINFO_sockaddr_size(const BIO_ADDRINFO *bai)
{
if (bai != NULL)
return bai->bai_addrlen;
return 0;
}
/*
* BIO_ADDRINFO_sockaddr - non-public function that returns bai_addr
* as the struct sockaddr it is.
*/
const struct sockaddr *BIO_ADDRINFO_sockaddr(const BIO_ADDRINFO *bai)
{
if (bai != NULL)
return bai->bai_addr;
return NULL;
}
const BIO_ADDR *BIO_ADDRINFO_address(const BIO_ADDRINFO *bai)
{
if (bai != NULL)
return (BIO_ADDR *)bai->bai_addr;
return NULL;
}
void BIO_ADDRINFO_free(BIO_ADDRINFO *bai)
{
if (bai == NULL)
return;
#ifdef AI_PASSIVE
# ifdef AF_UNIX
# define _cond bai->bai_family != AF_UNIX
# else
# define _cond 1
# endif
if (_cond) {
freeaddrinfo(bai);
return;
}
#endif
/* Free manually when we know that addrinfo_wrap() was used.
* See further comment above addrinfo_wrap()
*/
while (bai != NULL) {
BIO_ADDRINFO *next = bai->bai_next;
OPENSSL_free(bai->bai_addr);
OPENSSL_free(bai);
bai = next;
}
}
/**********************************************************************
*
* Service functions
*
*/
/*-
* The specs in hostserv can take these forms:
*
* host:service => *host = "host", *service = "service"
* host:* => *host = "host", *service = NULL
* host: => *host = "host", *service = NULL
* :service => *host = NULL, *service = "service"
* *:service => *host = NULL, *service = "service"
*
* in case no : is present in the string, the result depends on
* hostserv_prio, as follows:
*
* when hostserv_prio == BIO_PARSE_PRIO_HOST
* host => *host = "host", *service untouched
*
* when hostserv_prio == BIO_PARSE_PRIO_SERV
* service => *host untouched, *service = "service"
*
*/
int BIO_parse_hostserv(const char *hostserv, char **host, char **service,
enum BIO_hostserv_priorities hostserv_prio)
{
const char *h = NULL; size_t hl = 0;
const char *p = NULL; size_t pl = 0;
if (*hostserv == '[') {
if ((p = strchr(hostserv, ']')) == NULL)
goto spec_err;
h = hostserv + 1;
hl = p - h;
p++;
if (*p == '\0')
p = NULL;
else if (*p != ':')
goto spec_err;
else {
p++;
pl = strlen(p);
}
} else {
const char *p2 = strrchr(hostserv, ':');
p = strchr(hostserv, ':');
/*-
* Check for more than one colon. There are three possible
* interpretations:
* 1. IPv6 address with port number, last colon being separator.
* 2. IPv6 address only.
* 3. IPv6 address only if hostserv_prio == BIO_PARSE_PRIO_HOST,
* IPv6 address and port number if hostserv_prio == BIO_PARSE_PRIO_SERV
* Because of this ambiguity, we currently choose to make it an
* error.
*/
if (p != p2)
goto amb_err;
if (p != NULL) {
h = hostserv;
hl = p - h;
p++;
pl = strlen(p);
} else if (hostserv_prio == BIO_PARSE_PRIO_HOST) {
h = hostserv;
hl = strlen(h);
} else {
p = hostserv;
pl = strlen(p);
}
}
if (p != NULL && strchr(p, ':'))
goto spec_err;
if (h != NULL && host != NULL) {
if (hl == 0
|| (hl == 1 && h[0] == '*')) {
*host = NULL;
} else {
*host = OPENSSL_strndup(h, hl);
if (*host == NULL)
goto memerr;
}
}
if (p != NULL && service != NULL) {
if (pl == 0
|| (pl == 1 && p[0] == '*')) {
*service = NULL;
} else {
*service = OPENSSL_strndup(p, pl);
if (*service == NULL)
goto memerr;
}
}
return 1;
amb_err:
BIOerr(BIO_F_BIO_PARSE_HOSTSERV, BIO_R_AMBIGUOUS_HOST_OR_SERVICE);
return 0;
spec_err:
BIOerr(BIO_F_BIO_PARSE_HOSTSERV, BIO_R_MALFORMED_HOST_OR_SERVICE);
return 0;
memerr:
BIOerr(BIO_F_BIO_PARSE_HOSTSERV, ERR_R_MALLOC_FAILURE);
return 0;
}
/* addrinfo_wrap is used to build our own addrinfo "chain".
* (it has only one entry, so calling it a chain may be a stretch)
* It should ONLY be called when getaddrinfo() and friends
* aren't available, OR when dealing with a non IP protocol
* family, such as AF_UNIX
*
* the return value is 1 on success, or 0 on failure, which
* only happens if a memory allocation error occurred.
*/
static int addrinfo_wrap(int family, int socktype,
const void *where, size_t wherelen,
unsigned short port,
BIO_ADDRINFO **bai)
{
if ((*bai = OPENSSL_zalloc(sizeof(**bai))) == NULL) {
BIOerr(BIO_F_ADDRINFO_WRAP, ERR_R_MALLOC_FAILURE);
return 0;
}
(*bai)->bai_family = family;
(*bai)->bai_socktype = socktype;
if (socktype == SOCK_STREAM)
(*bai)->bai_protocol = IPPROTO_TCP;
if (socktype == SOCK_DGRAM)
(*bai)->bai_protocol = IPPROTO_UDP;
#ifdef AF_UNIX
if (family == AF_UNIX)
(*bai)->bai_protocol = 0;
#endif
{
/* Magic: We know that BIO_ADDR_sockaddr_noconst is really
just an advanced cast of BIO_ADDR* to struct sockaddr *
by the power of union, so while it may seem that we're
creating a memory leak here, we are not. It will be
all right. */
BIO_ADDR *addr = BIO_ADDR_new();
if (addr != NULL) {
BIO_ADDR_rawmake(addr, family, where, wherelen, port);
(*bai)->bai_addr = BIO_ADDR_sockaddr_noconst(addr);
}
}
(*bai)->bai_next = NULL;
if ((*bai)->bai_addr == NULL) {
BIO_ADDRINFO_free(*bai);
*bai = NULL;
return 0;
}
return 1;
}
DEFINE_RUN_ONCE_STATIC(do_bio_lookup_init)
{
if (!OPENSSL_init_crypto(0, NULL))
return 0;
bio_lookup_lock = CRYPTO_THREAD_lock_new();
return bio_lookup_lock != NULL;
}
int BIO_lookup(const char *host, const char *service,
enum BIO_lookup_type lookup_type,
int family, int socktype, BIO_ADDRINFO **res)
{
return BIO_lookup_ex(host, service, lookup_type, family, socktype, 0, res);
}
/*-
* BIO_lookup_ex - look up the node and service you want to connect to.
* @node: the node you want to connect to.
* @service: the service you want to connect to.
* @lookup_type: declare intent with the result, client or server.
* @family: the address family you want to use. Use AF_UNSPEC for any, or
* AF_INET, AF_INET6 or AF_UNIX.
* @socktype: The socket type you want to use. Can be SOCK_STREAM, SOCK_DGRAM
* or 0 for all.
* @protocol: The protocol to use, e.g. IPPROTO_TCP or IPPROTO_UDP or 0 for all.
* Note that some platforms may not return IPPROTO_SCTP without
* explicitly requesting it (i.e. IPPROTO_SCTP may not be returned
* with 0 for the protocol)
* @res: Storage place for the resulting list of returned addresses
*
* This will do a lookup of the node and service that you want to connect to.
* It returns a linked list of different addresses you can try to connect to.
*
* When no longer needed you should call BIO_ADDRINFO_free() to free the result.
*
* The return value is 1 on success or 0 in case of error.
*/
int BIO_lookup_ex(const char *host, const char *service, int lookup_type,
int family, int socktype, int protocol, BIO_ADDRINFO **res)
{
int ret = 0; /* Assume failure */
switch(family) {
case AF_INET:
#ifdef AF_INET6
case AF_INET6:
#endif
#ifdef AF_UNIX
case AF_UNIX:
#endif
#ifdef AF_UNSPEC
case AF_UNSPEC:
#endif
break;
default:
BIOerr(BIO_F_BIO_LOOKUP_EX, BIO_R_UNSUPPORTED_PROTOCOL_FAMILY);
return 0;
}
#ifdef AF_UNIX
if (family == AF_UNIX) {
if (addrinfo_wrap(family, socktype, host, strlen(host), 0, res))
return 1;
else
BIOerr(BIO_F_BIO_LOOKUP_EX, ERR_R_MALLOC_FAILURE);
return 0;
}
#endif
if (BIO_sock_init() != 1)
return 0;
if (1) {
#ifdef AI_PASSIVE
int gai_ret = 0, old_ret = 0;
struct addrinfo hints;
memset(&hints, 0, sizeof(hints));
hints.ai_family = family;
hints.ai_socktype = socktype;
hints.ai_protocol = protocol;
# ifdef AI_ADDRCONFIG
# ifdef AF_UNSPEC
if (host != NULL && family == AF_UNSPEC)
# endif
hints.ai_flags |= AI_ADDRCONFIG;
# endif
if (lookup_type == BIO_LOOKUP_SERVER)
hints.ai_flags |= AI_PASSIVE;
/* Note that |res| SHOULD be a 'struct addrinfo **' thanks to
* macro magic in bio_local.h
*/
# if defined(AI_ADDRCONFIG) && defined(AI_NUMERICHOST)
retry:
# endif
switch ((gai_ret = getaddrinfo(host, service, &hints, res))) {
# ifdef EAI_SYSTEM
case EAI_SYSTEM:
SYSerr(SYS_F_GETADDRINFO, get_last_socket_error());
BIOerr(BIO_F_BIO_LOOKUP_EX, ERR_R_SYS_LIB);
break;
# endif
# ifdef EAI_MEMORY
case EAI_MEMORY:
BIOerr(BIO_F_BIO_LOOKUP_EX, ERR_R_MALLOC_FAILURE);
break;
# endif
case 0:
ret = 1; /* Success */
break;
default:
# if defined(AI_ADDRCONFIG) && defined(AI_NUMERICHOST)
if (hints.ai_flags & AI_ADDRCONFIG) {
hints.ai_flags &= ~AI_ADDRCONFIG;
hints.ai_flags |= AI_NUMERICHOST;
old_ret = gai_ret;
goto retry;
}
# endif
BIOerr(BIO_F_BIO_LOOKUP_EX, ERR_R_SYS_LIB);
ERR_add_error_data(1, gai_strerror(old_ret ? old_ret : gai_ret));
break;
}
} else {
#endif
const struct hostent *he;
/*
* Because struct hostent is defined for 32-bit pointers only with
* VMS C, we need to make sure that '&he_fallback_address' and
* '&he_fallback_addresses' are 32-bit pointers
*/
#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
# pragma pointer_size save
# pragma pointer_size 32
#endif
/* Windows doesn't seem to have in_addr_t */
-#ifdef OPENSSL_SYS_WINDOWS
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
static uint32_t he_fallback_address;
static const char *he_fallback_addresses[] =
{ (char *)&he_fallback_address, NULL };
#else
static in_addr_t he_fallback_address;
static const char *he_fallback_addresses[] =
{ (char *)&he_fallback_address, NULL };
#endif
static const struct hostent he_fallback =
{ NULL, NULL, AF_INET, sizeof(he_fallback_address),
(char **)&he_fallback_addresses };
#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
# pragma pointer_size restore
#endif
struct servent *se;
/* Apparently, on WIN64, s_proto and s_port have traded places... */
#ifdef _WIN64
struct servent se_fallback = { NULL, NULL, NULL, 0 };
#else
struct servent se_fallback = { NULL, NULL, 0, NULL };
#endif
if (!RUN_ONCE(&bio_lookup_init, do_bio_lookup_init)) {
BIOerr(BIO_F_BIO_LOOKUP_EX, ERR_R_MALLOC_FAILURE);
ret = 0;
goto err;
}
CRYPTO_THREAD_write_lock(bio_lookup_lock);
he_fallback_address = INADDR_ANY;
if (host == NULL) {
he = &he_fallback;
switch(lookup_type) {
case BIO_LOOKUP_CLIENT:
he_fallback_address = INADDR_LOOPBACK;
break;
case BIO_LOOKUP_SERVER:
he_fallback_address = INADDR_ANY;
break;
default:
/* We forgot to handle a lookup type! */
assert("We forgot to handle a lookup type!" == NULL);
BIOerr(BIO_F_BIO_LOOKUP_EX, ERR_R_INTERNAL_ERROR);
ret = 0;
goto err;
}
} else {
he = gethostbyname(host);
if (he == NULL) {
#ifndef OPENSSL_SYS_WINDOWS
/*
* This might be misleading, because h_errno is used as if
* it was errno. To minimize mixup add 1000. Underlying
* reason for this is that hstrerror is declared obsolete,
* not to mention that a) h_errno is not always guaranteed
* to be meaningless; b) hstrerror can reside in yet another
* library, linking for sake of hstrerror is an overkill;
* c) this path is not executed on contemporary systems
* anyway [above getaddrinfo/gai_strerror is]. We just let
* system administrator figure this out...
*/
# if defined(OPENSSL_SYS_VXWORKS)
/* h_errno doesn't exist on VxWorks */
SYSerr(SYS_F_GETHOSTBYNAME, 1000 );
# else
SYSerr(SYS_F_GETHOSTBYNAME, 1000 + h_errno);
# endif
#else
SYSerr(SYS_F_GETHOSTBYNAME, WSAGetLastError());
#endif
ret = 0;
goto err;
}
}
if (service == NULL) {
se_fallback.s_port = 0;
se_fallback.s_proto = NULL;
se = &se_fallback;
} else {
char *endp = NULL;
long portnum = strtol(service, &endp, 10);
/*
* Because struct servent is defined for 32-bit pointers only with
* VMS C, we need to make sure that 'proto' is a 32-bit pointer.
*/
#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
# pragma pointer_size save
# pragma pointer_size 32
#endif
char *proto = NULL;
#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
# pragma pointer_size restore
#endif
switch (socktype) {
case SOCK_STREAM:
proto = "tcp";
break;
case SOCK_DGRAM:
proto = "udp";
break;
}
if (endp != service && *endp == '\0'
&& portnum > 0 && portnum < 65536) {
se_fallback.s_port = htons((unsigned short)portnum);
se_fallback.s_proto = proto;
se = &se_fallback;
} else if (endp == service) {
se = getservbyname(service, proto);
if (se == NULL) {
#ifndef OPENSSL_SYS_WINDOWS
SYSerr(SYS_F_GETSERVBYNAME, errno);
#else
SYSerr(SYS_F_GETSERVBYNAME, WSAGetLastError());
#endif
goto err;
}
} else {
BIOerr(BIO_F_BIO_LOOKUP_EX, BIO_R_MALFORMED_HOST_OR_SERVICE);
goto err;
}
}
*res = NULL;
{
/*
* Because hostent::h_addr_list is an array of 32-bit pointers with VMS C,
* we must make sure our iterator designates the same element type, hence
* the pointer size dance.
*/
#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
# pragma pointer_size save
# pragma pointer_size 32
#endif
char **addrlistp;
#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
# pragma pointer_size restore
#endif
size_t addresses;
BIO_ADDRINFO *tmp_bai = NULL;
/* The easiest way to create a linked list from an
array is to start from the back */
for(addrlistp = he->h_addr_list; *addrlistp != NULL;
addrlistp++)
;
for(addresses = addrlistp - he->h_addr_list;
addrlistp--, addresses-- > 0; ) {
if (!addrinfo_wrap(he->h_addrtype, socktype,
*addrlistp, he->h_length,
se->s_port, &tmp_bai))
goto addrinfo_malloc_err;
tmp_bai->bai_next = *res;
*res = tmp_bai;
continue;
addrinfo_malloc_err:
BIO_ADDRINFO_free(*res);
*res = NULL;
BIOerr(BIO_F_BIO_LOOKUP_EX, ERR_R_MALLOC_FAILURE);
ret = 0;
goto err;
}
ret = 1;
}
err:
CRYPTO_THREAD_unlock(bio_lookup_lock);
}
return ret;
}
#endif /* OPENSSL_NO_SOCK */
diff --git a/crypto/openssl/crypto/bn/bn_exp2.c b/crypto/openssl/crypto/bn/bn_exp2.c
index e542abe46fa1..eac0896e6869 100644
--- a/crypto/openssl/crypto/bn/bn_exp2.c
+++ b/crypto/openssl/crypto/bn/bn_exp2.c
@@ -1,201 +1,201 @@
/*
- * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <stdio.h>
#include "internal/cryptlib.h"
#include "bn_local.h"
#define TABLE_SIZE 32
int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
const BIGNUM *a2, const BIGNUM *p2, const BIGNUM *m,
BN_CTX *ctx, BN_MONT_CTX *in_mont)
{
int i, j, bits, b, bits1, bits2, ret =
0, wpos1, wpos2, window1, window2, wvalue1, wvalue2;
int r_is_one = 1;
BIGNUM *d, *r;
const BIGNUM *a_mod_m;
/* Tables of variables obtained from 'ctx' */
BIGNUM *val1[TABLE_SIZE], *val2[TABLE_SIZE];
BN_MONT_CTX *mont = NULL;
bn_check_top(a1);
bn_check_top(p1);
bn_check_top(a2);
bn_check_top(p2);
bn_check_top(m);
- if (!(m->d[0] & 1)) {
+ if (!BN_is_odd(m)) {
BNerr(BN_F_BN_MOD_EXP2_MONT, BN_R_CALLED_WITH_EVEN_MODULUS);
return 0;
}
bits1 = BN_num_bits(p1);
bits2 = BN_num_bits(p2);
if ((bits1 == 0) && (bits2 == 0)) {
ret = BN_one(rr);
return ret;
}
bits = (bits1 > bits2) ? bits1 : bits2;
BN_CTX_start(ctx);
d = BN_CTX_get(ctx);
r = BN_CTX_get(ctx);
val1[0] = BN_CTX_get(ctx);
val2[0] = BN_CTX_get(ctx);
if (val2[0] == NULL)
goto err;
if (in_mont != NULL)
mont = in_mont;
else {
if ((mont = BN_MONT_CTX_new()) == NULL)
goto err;
if (!BN_MONT_CTX_set(mont, m, ctx))
goto err;
}
window1 = BN_window_bits_for_exponent_size(bits1);
window2 = BN_window_bits_for_exponent_size(bits2);
/*
* Build table for a1: val1[i] := a1^(2*i + 1) mod m for i = 0 .. 2^(window1-1)
*/
if (a1->neg || BN_ucmp(a1, m) >= 0) {
if (!BN_mod(val1[0], a1, m, ctx))
goto err;
a_mod_m = val1[0];
} else
a_mod_m = a1;
if (BN_is_zero(a_mod_m)) {
BN_zero(rr);
ret = 1;
goto err;
}
if (!BN_to_montgomery(val1[0], a_mod_m, mont, ctx))
goto err;
if (window1 > 1) {
if (!BN_mod_mul_montgomery(d, val1[0], val1[0], mont, ctx))
goto err;
j = 1 << (window1 - 1);
for (i = 1; i < j; i++) {
if (((val1[i] = BN_CTX_get(ctx)) == NULL) ||
!BN_mod_mul_montgomery(val1[i], val1[i - 1], d, mont, ctx))
goto err;
}
}
/*
* Build table for a2: val2[i] := a2^(2*i + 1) mod m for i = 0 .. 2^(window2-1)
*/
if (a2->neg || BN_ucmp(a2, m) >= 0) {
if (!BN_mod(val2[0], a2, m, ctx))
goto err;
a_mod_m = val2[0];
} else
a_mod_m = a2;
if (BN_is_zero(a_mod_m)) {
BN_zero(rr);
ret = 1;
goto err;
}
if (!BN_to_montgomery(val2[0], a_mod_m, mont, ctx))
goto err;
if (window2 > 1) {
if (!BN_mod_mul_montgomery(d, val2[0], val2[0], mont, ctx))
goto err;
j = 1 << (window2 - 1);
for (i = 1; i < j; i++) {
if (((val2[i] = BN_CTX_get(ctx)) == NULL) ||
!BN_mod_mul_montgomery(val2[i], val2[i - 1], d, mont, ctx))
goto err;
}
}
/* Now compute the power product, using independent windows. */
r_is_one = 1;
wvalue1 = 0; /* The 'value' of the first window */
wvalue2 = 0; /* The 'value' of the second window */
wpos1 = 0; /* If wvalue1 > 0, the bottom bit of the
* first window */
wpos2 = 0; /* If wvalue2 > 0, the bottom bit of the
* second window */
if (!BN_to_montgomery(r, BN_value_one(), mont, ctx))
goto err;
for (b = bits - 1; b >= 0; b--) {
if (!r_is_one) {
if (!BN_mod_mul_montgomery(r, r, r, mont, ctx))
goto err;
}
if (!wvalue1)
if (BN_is_bit_set(p1, b)) {
/*
* consider bits b-window1+1 .. b for this window
*/
i = b - window1 + 1;
while (!BN_is_bit_set(p1, i)) /* works for i<0 */
i++;
wpos1 = i;
wvalue1 = 1;
for (i = b - 1; i >= wpos1; i--) {
wvalue1 <<= 1;
if (BN_is_bit_set(p1, i))
wvalue1++;
}
}
if (!wvalue2)
if (BN_is_bit_set(p2, b)) {
/*
* consider bits b-window2+1 .. b for this window
*/
i = b - window2 + 1;
while (!BN_is_bit_set(p2, i))
i++;
wpos2 = i;
wvalue2 = 1;
for (i = b - 1; i >= wpos2; i--) {
wvalue2 <<= 1;
if (BN_is_bit_set(p2, i))
wvalue2++;
}
}
if (wvalue1 && b == wpos1) {
/* wvalue1 is odd and < 2^window1 */
if (!BN_mod_mul_montgomery(r, r, val1[wvalue1 >> 1], mont, ctx))
goto err;
wvalue1 = 0;
r_is_one = 0;
}
if (wvalue2 && b == wpos2) {
/* wvalue2 is odd and < 2^window2 */
if (!BN_mod_mul_montgomery(r, r, val2[wvalue2 >> 1], mont, ctx))
goto err;
wvalue2 = 0;
r_is_one = 0;
}
}
if (!BN_from_montgomery(rr, r, mont, ctx))
goto err;
ret = 1;
err:
if (in_mont == NULL)
BN_MONT_CTX_free(mont);
BN_CTX_end(ctx);
bn_check_top(rr);
return ret;
}
diff --git a/crypto/openssl/crypto/bn/bn_prime.h b/crypto/openssl/crypto/bn/bn_prime.h
index 1a25c285773a..8f2d7e995a01 100644
--- a/crypto/openssl/crypto/bn/bn_prime.h
+++ b/crypto/openssl/crypto/bn/bn_prime.h
@@ -1,273 +1,273 @@
/*
* WARNING: do not edit!
* Generated by crypto/bn/bn_prime.pl
*
- * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
typedef unsigned short prime_t;
# define NUMPRIMES 2048
static const prime_t primes[2048] = {
2, 3, 5, 7, 11, 13, 17, 19,
23, 29, 31, 37, 41, 43, 47, 53,
59, 61, 67, 71, 73, 79, 83, 89,
97, 101, 103, 107, 109, 113, 127, 131,
137, 139, 149, 151, 157, 163, 167, 173,
179, 181, 191, 193, 197, 199, 211, 223,
227, 229, 233, 239, 241, 251, 257, 263,
269, 271, 277, 281, 283, 293, 307, 311,
313, 317, 331, 337, 347, 349, 353, 359,
367, 373, 379, 383, 389, 397, 401, 409,
419, 421, 431, 433, 439, 443, 449, 457,
461, 463, 467, 479, 487, 491, 499, 503,
509, 521, 523, 541, 547, 557, 563, 569,
571, 577, 587, 593, 599, 601, 607, 613,
617, 619, 631, 641, 643, 647, 653, 659,
661, 673, 677, 683, 691, 701, 709, 719,
727, 733, 739, 743, 751, 757, 761, 769,
773, 787, 797, 809, 811, 821, 823, 827,
829, 839, 853, 857, 859, 863, 877, 881,
883, 887, 907, 911, 919, 929, 937, 941,
947, 953, 967, 971, 977, 983, 991, 997,
1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049,
1051, 1061, 1063, 1069, 1087, 1091, 1093, 1097,
1103, 1109, 1117, 1123, 1129, 1151, 1153, 1163,
1171, 1181, 1187, 1193, 1201, 1213, 1217, 1223,
1229, 1231, 1237, 1249, 1259, 1277, 1279, 1283,
1289, 1291, 1297, 1301, 1303, 1307, 1319, 1321,
1327, 1361, 1367, 1373, 1381, 1399, 1409, 1423,
1427, 1429, 1433, 1439, 1447, 1451, 1453, 1459,
1471, 1481, 1483, 1487, 1489, 1493, 1499, 1511,
1523, 1531, 1543, 1549, 1553, 1559, 1567, 1571,
1579, 1583, 1597, 1601, 1607, 1609, 1613, 1619,
1621, 1627, 1637, 1657, 1663, 1667, 1669, 1693,
1697, 1699, 1709, 1721, 1723, 1733, 1741, 1747,
1753, 1759, 1777, 1783, 1787, 1789, 1801, 1811,
1823, 1831, 1847, 1861, 1867, 1871, 1873, 1877,
1879, 1889, 1901, 1907, 1913, 1931, 1933, 1949,
1951, 1973, 1979, 1987, 1993, 1997, 1999, 2003,
2011, 2017, 2027, 2029, 2039, 2053, 2063, 2069,
2081, 2083, 2087, 2089, 2099, 2111, 2113, 2129,
2131, 2137, 2141, 2143, 2153, 2161, 2179, 2203,
2207, 2213, 2221, 2237, 2239, 2243, 2251, 2267,
2269, 2273, 2281, 2287, 2293, 2297, 2309, 2311,
2333, 2339, 2341, 2347, 2351, 2357, 2371, 2377,
2381, 2383, 2389, 2393, 2399, 2411, 2417, 2423,
2437, 2441, 2447, 2459, 2467, 2473, 2477, 2503,
2521, 2531, 2539, 2543, 2549, 2551, 2557, 2579,
2591, 2593, 2609, 2617, 2621, 2633, 2647, 2657,
2659, 2663, 2671, 2677, 2683, 2687, 2689, 2693,
2699, 2707, 2711, 2713, 2719, 2729, 2731, 2741,
2749, 2753, 2767, 2777, 2789, 2791, 2797, 2801,
2803, 2819, 2833, 2837, 2843, 2851, 2857, 2861,
2879, 2887, 2897, 2903, 2909, 2917, 2927, 2939,
2953, 2957, 2963, 2969, 2971, 2999, 3001, 3011,
3019, 3023, 3037, 3041, 3049, 3061, 3067, 3079,
3083, 3089, 3109, 3119, 3121, 3137, 3163, 3167,
3169, 3181, 3187, 3191, 3203, 3209, 3217, 3221,
3229, 3251, 3253, 3257, 3259, 3271, 3299, 3301,
3307, 3313, 3319, 3323, 3329, 3331, 3343, 3347,
3359, 3361, 3371, 3373, 3389, 3391, 3407, 3413,
3433, 3449, 3457, 3461, 3463, 3467, 3469, 3491,
3499, 3511, 3517, 3527, 3529, 3533, 3539, 3541,
3547, 3557, 3559, 3571, 3581, 3583, 3593, 3607,
3613, 3617, 3623, 3631, 3637, 3643, 3659, 3671,
3673, 3677, 3691, 3697, 3701, 3709, 3719, 3727,
3733, 3739, 3761, 3767, 3769, 3779, 3793, 3797,
3803, 3821, 3823, 3833, 3847, 3851, 3853, 3863,
3877, 3881, 3889, 3907, 3911, 3917, 3919, 3923,
3929, 3931, 3943, 3947, 3967, 3989, 4001, 4003,
4007, 4013, 4019, 4021, 4027, 4049, 4051, 4057,
4073, 4079, 4091, 4093, 4099, 4111, 4127, 4129,
4133, 4139, 4153, 4157, 4159, 4177, 4201, 4211,
4217, 4219, 4229, 4231, 4241, 4243, 4253, 4259,
4261, 4271, 4273, 4283, 4289, 4297, 4327, 4337,
4339, 4349, 4357, 4363, 4373, 4391, 4397, 4409,
4421, 4423, 4441, 4447, 4451, 4457, 4463, 4481,
4483, 4493, 4507, 4513, 4517, 4519, 4523, 4547,
4549, 4561, 4567, 4583, 4591, 4597, 4603, 4621,
4637, 4639, 4643, 4649, 4651, 4657, 4663, 4673,
4679, 4691, 4703, 4721, 4723, 4729, 4733, 4751,
4759, 4783, 4787, 4789, 4793, 4799, 4801, 4813,
4817, 4831, 4861, 4871, 4877, 4889, 4903, 4909,
4919, 4931, 4933, 4937, 4943, 4951, 4957, 4967,
4969, 4973, 4987, 4993, 4999, 5003, 5009, 5011,
5021, 5023, 5039, 5051, 5059, 5077, 5081, 5087,
5099, 5101, 5107, 5113, 5119, 5147, 5153, 5167,
5171, 5179, 5189, 5197, 5209, 5227, 5231, 5233,
5237, 5261, 5273, 5279, 5281, 5297, 5303, 5309,
5323, 5333, 5347, 5351, 5381, 5387, 5393, 5399,
5407, 5413, 5417, 5419, 5431, 5437, 5441, 5443,
5449, 5471, 5477, 5479, 5483, 5501, 5503, 5507,
5519, 5521, 5527, 5531, 5557, 5563, 5569, 5573,
5581, 5591, 5623, 5639, 5641, 5647, 5651, 5653,
5657, 5659, 5669, 5683, 5689, 5693, 5701, 5711,
5717, 5737, 5741, 5743, 5749, 5779, 5783, 5791,
5801, 5807, 5813, 5821, 5827, 5839, 5843, 5849,
5851, 5857, 5861, 5867, 5869, 5879, 5881, 5897,
5903, 5923, 5927, 5939, 5953, 5981, 5987, 6007,
6011, 6029, 6037, 6043, 6047, 6053, 6067, 6073,
6079, 6089, 6091, 6101, 6113, 6121, 6131, 6133,
6143, 6151, 6163, 6173, 6197, 6199, 6203, 6211,
6217, 6221, 6229, 6247, 6257, 6263, 6269, 6271,
6277, 6287, 6299, 6301, 6311, 6317, 6323, 6329,
6337, 6343, 6353, 6359, 6361, 6367, 6373, 6379,
6389, 6397, 6421, 6427, 6449, 6451, 6469, 6473,
6481, 6491, 6521, 6529, 6547, 6551, 6553, 6563,
6569, 6571, 6577, 6581, 6599, 6607, 6619, 6637,
6653, 6659, 6661, 6673, 6679, 6689, 6691, 6701,
6703, 6709, 6719, 6733, 6737, 6761, 6763, 6779,
6781, 6791, 6793, 6803, 6823, 6827, 6829, 6833,
6841, 6857, 6863, 6869, 6871, 6883, 6899, 6907,
6911, 6917, 6947, 6949, 6959, 6961, 6967, 6971,
6977, 6983, 6991, 6997, 7001, 7013, 7019, 7027,
7039, 7043, 7057, 7069, 7079, 7103, 7109, 7121,
7127, 7129, 7151, 7159, 7177, 7187, 7193, 7207,
7211, 7213, 7219, 7229, 7237, 7243, 7247, 7253,
7283, 7297, 7307, 7309, 7321, 7331, 7333, 7349,
7351, 7369, 7393, 7411, 7417, 7433, 7451, 7457,
7459, 7477, 7481, 7487, 7489, 7499, 7507, 7517,
7523, 7529, 7537, 7541, 7547, 7549, 7559, 7561,
7573, 7577, 7583, 7589, 7591, 7603, 7607, 7621,
7639, 7643, 7649, 7669, 7673, 7681, 7687, 7691,
7699, 7703, 7717, 7723, 7727, 7741, 7753, 7757,
7759, 7789, 7793, 7817, 7823, 7829, 7841, 7853,
7867, 7873, 7877, 7879, 7883, 7901, 7907, 7919,
7927, 7933, 7937, 7949, 7951, 7963, 7993, 8009,
8011, 8017, 8039, 8053, 8059, 8069, 8081, 8087,
8089, 8093, 8101, 8111, 8117, 8123, 8147, 8161,
8167, 8171, 8179, 8191, 8209, 8219, 8221, 8231,
8233, 8237, 8243, 8263, 8269, 8273, 8287, 8291,
8293, 8297, 8311, 8317, 8329, 8353, 8363, 8369,
8377, 8387, 8389, 8419, 8423, 8429, 8431, 8443,
8447, 8461, 8467, 8501, 8513, 8521, 8527, 8537,
8539, 8543, 8563, 8573, 8581, 8597, 8599, 8609,
8623, 8627, 8629, 8641, 8647, 8663, 8669, 8677,
8681, 8689, 8693, 8699, 8707, 8713, 8719, 8731,
8737, 8741, 8747, 8753, 8761, 8779, 8783, 8803,
8807, 8819, 8821, 8831, 8837, 8839, 8849, 8861,
8863, 8867, 8887, 8893, 8923, 8929, 8933, 8941,
8951, 8963, 8969, 8971, 8999, 9001, 9007, 9011,
9013, 9029, 9041, 9043, 9049, 9059, 9067, 9091,
9103, 9109, 9127, 9133, 9137, 9151, 9157, 9161,
9173, 9181, 9187, 9199, 9203, 9209, 9221, 9227,
9239, 9241, 9257, 9277, 9281, 9283, 9293, 9311,
9319, 9323, 9337, 9341, 9343, 9349, 9371, 9377,
9391, 9397, 9403, 9413, 9419, 9421, 9431, 9433,
9437, 9439, 9461, 9463, 9467, 9473, 9479, 9491,
9497, 9511, 9521, 9533, 9539, 9547, 9551, 9587,
9601, 9613, 9619, 9623, 9629, 9631, 9643, 9649,
9661, 9677, 9679, 9689, 9697, 9719, 9721, 9733,
9739, 9743, 9749, 9767, 9769, 9781, 9787, 9791,
9803, 9811, 9817, 9829, 9833, 9839, 9851, 9857,
9859, 9871, 9883, 9887, 9901, 9907, 9923, 9929,
9931, 9941, 9949, 9967, 9973, 10007, 10009, 10037,
10039, 10061, 10067, 10069, 10079, 10091, 10093, 10099,
10103, 10111, 10133, 10139, 10141, 10151, 10159, 10163,
10169, 10177, 10181, 10193, 10211, 10223, 10243, 10247,
10253, 10259, 10267, 10271, 10273, 10289, 10301, 10303,
10313, 10321, 10331, 10333, 10337, 10343, 10357, 10369,
10391, 10399, 10427, 10429, 10433, 10453, 10457, 10459,
10463, 10477, 10487, 10499, 10501, 10513, 10529, 10531,
10559, 10567, 10589, 10597, 10601, 10607, 10613, 10627,
10631, 10639, 10651, 10657, 10663, 10667, 10687, 10691,
10709, 10711, 10723, 10729, 10733, 10739, 10753, 10771,
10781, 10789, 10799, 10831, 10837, 10847, 10853, 10859,
10861, 10867, 10883, 10889, 10891, 10903, 10909, 10937,
10939, 10949, 10957, 10973, 10979, 10987, 10993, 11003,
11027, 11047, 11057, 11059, 11069, 11071, 11083, 11087,
11093, 11113, 11117, 11119, 11131, 11149, 11159, 11161,
11171, 11173, 11177, 11197, 11213, 11239, 11243, 11251,
11257, 11261, 11273, 11279, 11287, 11299, 11311, 11317,
11321, 11329, 11351, 11353, 11369, 11383, 11393, 11399,
11411, 11423, 11437, 11443, 11447, 11467, 11471, 11483,
11489, 11491, 11497, 11503, 11519, 11527, 11549, 11551,
11579, 11587, 11593, 11597, 11617, 11621, 11633, 11657,
11677, 11681, 11689, 11699, 11701, 11717, 11719, 11731,
11743, 11777, 11779, 11783, 11789, 11801, 11807, 11813,
11821, 11827, 11831, 11833, 11839, 11863, 11867, 11887,
11897, 11903, 11909, 11923, 11927, 11933, 11939, 11941,
11953, 11959, 11969, 11971, 11981, 11987, 12007, 12011,
12037, 12041, 12043, 12049, 12071, 12073, 12097, 12101,
12107, 12109, 12113, 12119, 12143, 12149, 12157, 12161,
12163, 12197, 12203, 12211, 12227, 12239, 12241, 12251,
12253, 12263, 12269, 12277, 12281, 12289, 12301, 12323,
12329, 12343, 12347, 12373, 12377, 12379, 12391, 12401,
12409, 12413, 12421, 12433, 12437, 12451, 12457, 12473,
12479, 12487, 12491, 12497, 12503, 12511, 12517, 12527,
12539, 12541, 12547, 12553, 12569, 12577, 12583, 12589,
12601, 12611, 12613, 12619, 12637, 12641, 12647, 12653,
12659, 12671, 12689, 12697, 12703, 12713, 12721, 12739,
12743, 12757, 12763, 12781, 12791, 12799, 12809, 12821,
12823, 12829, 12841, 12853, 12889, 12893, 12899, 12907,
12911, 12917, 12919, 12923, 12941, 12953, 12959, 12967,
12973, 12979, 12983, 13001, 13003, 13007, 13009, 13033,
13037, 13043, 13049, 13063, 13093, 13099, 13103, 13109,
13121, 13127, 13147, 13151, 13159, 13163, 13171, 13177,
13183, 13187, 13217, 13219, 13229, 13241, 13249, 13259,
13267, 13291, 13297, 13309, 13313, 13327, 13331, 13337,
13339, 13367, 13381, 13397, 13399, 13411, 13417, 13421,
13441, 13451, 13457, 13463, 13469, 13477, 13487, 13499,
13513, 13523, 13537, 13553, 13567, 13577, 13591, 13597,
13613, 13619, 13627, 13633, 13649, 13669, 13679, 13681,
13687, 13691, 13693, 13697, 13709, 13711, 13721, 13723,
13729, 13751, 13757, 13759, 13763, 13781, 13789, 13799,
13807, 13829, 13831, 13841, 13859, 13873, 13877, 13879,
13883, 13901, 13903, 13907, 13913, 13921, 13931, 13933,
13963, 13967, 13997, 13999, 14009, 14011, 14029, 14033,
14051, 14057, 14071, 14081, 14083, 14087, 14107, 14143,
14149, 14153, 14159, 14173, 14177, 14197, 14207, 14221,
14243, 14249, 14251, 14281, 14293, 14303, 14321, 14323,
14327, 14341, 14347, 14369, 14387, 14389, 14401, 14407,
14411, 14419, 14423, 14431, 14437, 14447, 14449, 14461,
14479, 14489, 14503, 14519, 14533, 14537, 14543, 14549,
14551, 14557, 14561, 14563, 14591, 14593, 14621, 14627,
14629, 14633, 14639, 14653, 14657, 14669, 14683, 14699,
14713, 14717, 14723, 14731, 14737, 14741, 14747, 14753,
14759, 14767, 14771, 14779, 14783, 14797, 14813, 14821,
14827, 14831, 14843, 14851, 14867, 14869, 14879, 14887,
14891, 14897, 14923, 14929, 14939, 14947, 14951, 14957,
14969, 14983, 15013, 15017, 15031, 15053, 15061, 15073,
15077, 15083, 15091, 15101, 15107, 15121, 15131, 15137,
15139, 15149, 15161, 15173, 15187, 15193, 15199, 15217,
15227, 15233, 15241, 15259, 15263, 15269, 15271, 15277,
15287, 15289, 15299, 15307, 15313, 15319, 15329, 15331,
15349, 15359, 15361, 15373, 15377, 15383, 15391, 15401,
15413, 15427, 15439, 15443, 15451, 15461, 15467, 15473,
15493, 15497, 15511, 15527, 15541, 15551, 15559, 15569,
15581, 15583, 15601, 15607, 15619, 15629, 15641, 15643,
15647, 15649, 15661, 15667, 15671, 15679, 15683, 15727,
15731, 15733, 15737, 15739, 15749, 15761, 15767, 15773,
15787, 15791, 15797, 15803, 15809, 15817, 15823, 15859,
15877, 15881, 15887, 15889, 15901, 15907, 15913, 15919,
15923, 15937, 15959, 15971, 15973, 15991, 16001, 16007,
16033, 16057, 16061, 16063, 16067, 16069, 16073, 16087,
16091, 16097, 16103, 16111, 16127, 16139, 16141, 16183,
16187, 16189, 16193, 16217, 16223, 16229, 16231, 16249,
16253, 16267, 16273, 16301, 16319, 16333, 16339, 16349,
16361, 16363, 16369, 16381, 16411, 16417, 16421, 16427,
16433, 16447, 16451, 16453, 16477, 16481, 16487, 16493,
16519, 16529, 16547, 16553, 16561, 16567, 16573, 16603,
16607, 16619, 16631, 16633, 16649, 16651, 16657, 16661,
16673, 16691, 16693, 16699, 16703, 16729, 16741, 16747,
16759, 16763, 16787, 16811, 16823, 16829, 16831, 16843,
16871, 16879, 16883, 16889, 16901, 16903, 16921, 16927,
16931, 16937, 16943, 16963, 16979, 16981, 16987, 16993,
17011, 17021, 17027, 17029, 17033, 17041, 17047, 17053,
17077, 17093, 17099, 17107, 17117, 17123, 17137, 17159,
17167, 17183, 17189, 17191, 17203, 17207, 17209, 17231,
17239, 17257, 17291, 17293, 17299, 17317, 17321, 17327,
17333, 17341, 17351, 17359, 17377, 17383, 17387, 17389,
17393, 17401, 17417, 17419, 17431, 17443, 17449, 17467,
17471, 17477, 17483, 17489, 17491, 17497, 17509, 17519,
17539, 17551, 17569, 17573, 17579, 17581, 17597, 17599,
17609, 17623, 17627, 17657, 17659, 17669, 17681, 17683,
17707, 17713, 17729, 17737, 17747, 17749, 17761, 17783,
17789, 17791, 17807, 17827, 17837, 17839, 17851, 17863,
};
diff --git a/crypto/openssl/crypto/bn/bn_print.c b/crypto/openssl/crypto/bn/bn_print.c
index 69749a9fa7dc..17ac6e7cac1c 100644
--- a/crypto/openssl/crypto/bn/bn_print.c
+++ b/crypto/openssl/crypto/bn/bn_print.c
@@ -1,345 +1,345 @@
/*
* Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <stdio.h>
#include "crypto/ctype.h"
#include <limits.h>
#include "internal/cryptlib.h"
#include <openssl/buffer.h>
#include "bn_local.h"
static const char Hex[] = "0123456789ABCDEF";
/* Must 'OPENSSL_free' the returned data */
char *BN_bn2hex(const BIGNUM *a)
{
int i, j, v, z = 0;
char *buf;
char *p;
if (BN_is_zero(a))
return OPENSSL_strdup("0");
buf = OPENSSL_malloc(a->top * BN_BYTES * 2 + 2);
if (buf == NULL) {
BNerr(BN_F_BN_BN2HEX, ERR_R_MALLOC_FAILURE);
goto err;
}
p = buf;
if (a->neg)
*p++ = '-';
for (i = a->top - 1; i >= 0; i--) {
for (j = BN_BITS2 - 8; j >= 0; j -= 8) {
/* strip leading zeros */
v = (int)((a->d[i] >> j) & 0xff);
if (z || v != 0) {
*p++ = Hex[v >> 4];
*p++ = Hex[v & 0x0f];
z = 1;
}
}
}
*p = '\0';
err:
return buf;
}
/* Must 'OPENSSL_free' the returned data */
char *BN_bn2dec(const BIGNUM *a)
{
int i = 0, num, ok = 0, n, tbytes;
char *buf = NULL;
char *p;
BIGNUM *t = NULL;
BN_ULONG *bn_data = NULL, *lp;
int bn_data_num;
/*-
* get an upper bound for the length of the decimal integer
* num <= (BN_num_bits(a) + 1) * log(2)
* <= 3 * BN_num_bits(a) * 0.101 + log(2) + 1 (rounding error)
* <= 3 * BN_num_bits(a) / 10 + 3 * BN_num_bits / 1000 + 1 + 1
*/
i = BN_num_bits(a) * 3;
num = (i / 10 + i / 1000 + 1) + 1;
tbytes = num + 3; /* negative and terminator and one spare? */
bn_data_num = num / BN_DEC_NUM + 1;
bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));
buf = OPENSSL_malloc(tbytes);
if (buf == NULL || bn_data == NULL) {
BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
goto err;
}
if ((t = BN_dup(a)) == NULL)
goto err;
p = buf;
lp = bn_data;
if (BN_is_zero(t)) {
*p++ = '0';
*p++ = '\0';
} else {
if (BN_is_negative(t))
*p++ = '-';
while (!BN_is_zero(t)) {
if (lp - bn_data >= bn_data_num)
goto err;
*lp = BN_div_word(t, BN_DEC_CONV);
if (*lp == (BN_ULONG)-1)
goto err;
lp++;
}
lp--;
/*
* We now have a series of blocks, BN_DEC_NUM chars in length, where
* the last one needs truncation. The blocks need to be reversed in
* order.
*/
n = BIO_snprintf(p, tbytes - (size_t)(p - buf), BN_DEC_FMT1, *lp);
if (n < 0)
goto err;
p += n;
while (lp != bn_data) {
lp--;
n = BIO_snprintf(p, tbytes - (size_t)(p - buf), BN_DEC_FMT2, *lp);
if (n < 0)
goto err;
p += n;
}
}
ok = 1;
err:
OPENSSL_free(bn_data);
BN_free(t);
if (ok)
return buf;
OPENSSL_free(buf);
return NULL;
}
int BN_hex2bn(BIGNUM **bn, const char *a)
{
BIGNUM *ret = NULL;
BN_ULONG l = 0;
int neg = 0, h, m, i, j, k, c;
int num;
if (a == NULL || *a == '\0')
return 0;
if (*a == '-') {
neg = 1;
a++;
}
for (i = 0; i <= INT_MAX / 4 && ossl_isxdigit(a[i]); i++)
continue;
if (i == 0 || i > INT_MAX / 4)
- goto err;
+ return 0;
num = i + neg;
if (bn == NULL)
return num;
/* a is the start of the hex digits, and it is 'i' long */
if (*bn == NULL) {
if ((ret = BN_new()) == NULL)
return 0;
} else {
ret = *bn;
BN_zero(ret);
}
/* i is the number of hex digits */
if (bn_expand(ret, i * 4) == NULL)
goto err;
j = i; /* least significant 'hex' */
m = 0;
h = 0;
while (j > 0) {
m = (BN_BYTES * 2 <= j) ? BN_BYTES * 2 : j;
l = 0;
for (;;) {
c = a[j - m];
k = OPENSSL_hexchar2int(c);
if (k < 0)
k = 0; /* paranoia */
l = (l << 4) | k;
if (--m <= 0) {
ret->d[h++] = l;
break;
}
}
j -= BN_BYTES * 2;
}
ret->top = h;
bn_correct_top(ret);
*bn = ret;
bn_check_top(ret);
/* Don't set the negative flag if it's zero. */
if (ret->top != 0)
ret->neg = neg;
return num;
err:
if (*bn == NULL)
BN_free(ret);
return 0;
}
int BN_dec2bn(BIGNUM **bn, const char *a)
{
BIGNUM *ret = NULL;
BN_ULONG l = 0;
int neg = 0, i, j;
int num;
if (a == NULL || *a == '\0')
return 0;
if (*a == '-') {
neg = 1;
a++;
}
for (i = 0; i <= INT_MAX / 4 && ossl_isdigit(a[i]); i++)
continue;
if (i == 0 || i > INT_MAX / 4)
goto err;
num = i + neg;
if (bn == NULL)
return num;
/*
* a is the start of the digits, and it is 'i' long. We chop it into
* BN_DEC_NUM digits at a time
*/
if (*bn == NULL) {
if ((ret = BN_new()) == NULL)
return 0;
} else {
ret = *bn;
BN_zero(ret);
}
/* i is the number of digits, a bit of an over expand */
if (bn_expand(ret, i * 4) == NULL)
goto err;
j = BN_DEC_NUM - i % BN_DEC_NUM;
if (j == BN_DEC_NUM)
j = 0;
l = 0;
while (--i >= 0) {
l *= 10;
l += *a - '0';
a++;
if (++j == BN_DEC_NUM) {
if (!BN_mul_word(ret, BN_DEC_CONV)
|| !BN_add_word(ret, l))
goto err;
l = 0;
j = 0;
}
}
bn_correct_top(ret);
*bn = ret;
bn_check_top(ret);
/* Don't set the negative flag if it's zero. */
if (ret->top != 0)
ret->neg = neg;
return num;
err:
if (*bn == NULL)
BN_free(ret);
return 0;
}
int BN_asc2bn(BIGNUM **bn, const char *a)
{
const char *p = a;
if (*p == '-')
p++;
if (p[0] == '0' && (p[1] == 'X' || p[1] == 'x')) {
if (!BN_hex2bn(bn, p + 2))
return 0;
} else {
if (!BN_dec2bn(bn, p))
return 0;
}
/* Don't set the negative flag if it's zero. */
if (*a == '-' && (*bn)->top != 0)
(*bn)->neg = 1;
return 1;
}
# ifndef OPENSSL_NO_STDIO
int BN_print_fp(FILE *fp, const BIGNUM *a)
{
BIO *b;
int ret;
if ((b = BIO_new(BIO_s_file())) == NULL)
return 0;
BIO_set_fp(b, fp, BIO_NOCLOSE);
ret = BN_print(b, a);
BIO_free(b);
return ret;
}
# endif
int BN_print(BIO *bp, const BIGNUM *a)
{
int i, j, v, z = 0;
int ret = 0;
if ((a->neg) && BIO_write(bp, "-", 1) != 1)
goto end;
if (BN_is_zero(a) && BIO_write(bp, "0", 1) != 1)
goto end;
for (i = a->top - 1; i >= 0; i--) {
for (j = BN_BITS2 - 4; j >= 0; j -= 4) {
/* strip leading zeros */
v = (int)((a->d[i] >> j) & 0x0f);
if (z || v != 0) {
if (BIO_write(bp, &Hex[v], 1) != 1)
goto end;
z = 1;
}
}
}
ret = 1;
end:
return ret;
}
char *BN_options(void)
{
static int init = 0;
static char data[16];
if (!init) {
init++;
#ifdef BN_LLONG
BIO_snprintf(data, sizeof(data), "bn(%zu,%zu)",
sizeof(BN_ULLONG) * 8, sizeof(BN_ULONG) * 8);
#else
BIO_snprintf(data, sizeof(data), "bn(%zu,%zu)",
sizeof(BN_ULONG) * 8, sizeof(BN_ULONG) * 8);
#endif
}
return data;
}
diff --git a/crypto/openssl/crypto/bn/bn_sqrt.c b/crypto/openssl/crypto/bn/bn_sqrt.c
index 53b0f559855c..6a42ce8a9413 100644
--- a/crypto/openssl/crypto/bn/bn_sqrt.c
+++ b/crypto/openssl/crypto/bn/bn_sqrt.c
@@ -1,365 +1,365 @@
/*
- * Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include "internal/cryptlib.h"
#include "bn_local.h"
BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
/*
* Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
* algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
* Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
* an incorrect "result" will be returned.
*/
{
BIGNUM *ret = in;
int err = 1;
int r;
BIGNUM *A, *b, *q, *t, *x, *y;
int e, i, j;
if (!BN_is_odd(p) || BN_abs_is_word(p, 1)) {
if (BN_abs_is_word(p, 2)) {
if (ret == NULL)
ret = BN_new();
if (ret == NULL)
goto end;
if (!BN_set_word(ret, BN_is_bit_set(a, 0))) {
if (ret != in)
BN_free(ret);
return NULL;
}
bn_check_top(ret);
return ret;
}
BNerr(BN_F_BN_MOD_SQRT, BN_R_P_IS_NOT_PRIME);
return NULL;
}
if (BN_is_zero(a) || BN_is_one(a)) {
if (ret == NULL)
ret = BN_new();
if (ret == NULL)
goto end;
if (!BN_set_word(ret, BN_is_one(a))) {
if (ret != in)
BN_free(ret);
return NULL;
}
bn_check_top(ret);
return ret;
}
BN_CTX_start(ctx);
A = BN_CTX_get(ctx);
b = BN_CTX_get(ctx);
q = BN_CTX_get(ctx);
t = BN_CTX_get(ctx);
x = BN_CTX_get(ctx);
y = BN_CTX_get(ctx);
if (y == NULL)
goto end;
if (ret == NULL)
ret = BN_new();
if (ret == NULL)
goto end;
/* A = a mod p */
if (!BN_nnmod(A, a, p, ctx))
goto end;
/* now write |p| - 1 as 2^e*q where q is odd */
e = 1;
while (!BN_is_bit_set(p, e))
e++;
/* we'll set q later (if needed) */
if (e == 1) {
/*-
* The easy case: (|p|-1)/2 is odd, so 2 has an inverse
* modulo (|p|-1)/2, and square roots can be computed
* directly by modular exponentiation.
* We have
* 2 * (|p|+1)/4 == 1 (mod (|p|-1)/2),
* so we can use exponent (|p|+1)/4, i.e. (|p|-3)/4 + 1.
*/
if (!BN_rshift(q, p, 2))
goto end;
q->neg = 0;
if (!BN_add_word(q, 1))
goto end;
if (!BN_mod_exp(ret, A, q, p, ctx))
goto end;
err = 0;
goto vrfy;
}
if (e == 2) {
/*-
* |p| == 5 (mod 8)
*
* In this case 2 is always a non-square since
* Legendre(2,p) = (-1)^((p^2-1)/8) for any odd prime.
* So if a really is a square, then 2*a is a non-square.
* Thus for
* b := (2*a)^((|p|-5)/8),
* i := (2*a)*b^2
* we have
* i^2 = (2*a)^((1 + (|p|-5)/4)*2)
* = (2*a)^((p-1)/2)
* = -1;
* so if we set
* x := a*b*(i-1),
* then
* x^2 = a^2 * b^2 * (i^2 - 2*i + 1)
* = a^2 * b^2 * (-2*i)
* = a*(-i)*(2*a*b^2)
* = a*(-i)*i
* = a.
*
* (This is due to A.O.L. Atkin,
* Subject: Square Roots and Cognate Matters modulo p=8n+5.
* URL: https://listserv.nodak.edu/cgi-bin/wa.exe?A2=ind9211&L=NMBRTHRY&P=4026
* November 1992.)
*/
/* t := 2*a */
if (!BN_mod_lshift1_quick(t, A, p))
goto end;
/* b := (2*a)^((|p|-5)/8) */
if (!BN_rshift(q, p, 3))
goto end;
q->neg = 0;
if (!BN_mod_exp(b, t, q, p, ctx))
goto end;
/* y := b^2 */
if (!BN_mod_sqr(y, b, p, ctx))
goto end;
/* t := (2*a)*b^2 - 1 */
if (!BN_mod_mul(t, t, y, p, ctx))
goto end;
if (!BN_sub_word(t, 1))
goto end;
/* x = a*b*t */
if (!BN_mod_mul(x, A, b, p, ctx))
goto end;
if (!BN_mod_mul(x, x, t, p, ctx))
goto end;
if (!BN_copy(ret, x))
goto end;
err = 0;
goto vrfy;
}
/*
* e > 2, so we really have to use the Tonelli/Shanks algorithm. First,
* find some y that is not a square.
*/
if (!BN_copy(q, p))
goto end; /* use 'q' as temp */
q->neg = 0;
i = 2;
do {
/*
* For efficiency, try small numbers first; if this fails, try random
* numbers.
*/
if (i < 22) {
if (!BN_set_word(y, i))
goto end;
} else {
if (!BN_priv_rand(y, BN_num_bits(p), 0, 0))
goto end;
if (BN_ucmp(y, p) >= 0) {
if (!(p->neg ? BN_add : BN_sub) (y, y, p))
goto end;
}
/* now 0 <= y < |p| */
if (BN_is_zero(y))
if (!BN_set_word(y, i))
goto end;
}
r = BN_kronecker(y, q, ctx); /* here 'q' is |p| */
if (r < -1)
goto end;
if (r == 0) {
/* m divides p */
BNerr(BN_F_BN_MOD_SQRT, BN_R_P_IS_NOT_PRIME);
goto end;
}
}
while (r == 1 && ++i < 82);
if (r != -1) {
/*
* Many rounds and still no non-square -- this is more likely a bug
* than just bad luck. Even if p is not prime, we should have found
* some y such that r == -1.
*/
BNerr(BN_F_BN_MOD_SQRT, BN_R_TOO_MANY_ITERATIONS);
goto end;
}
/* Here's our actual 'q': */
if (!BN_rshift(q, q, e))
goto end;
/*
* Now that we have some non-square, we can find an element of order 2^e
* by computing its q'th power.
*/
if (!BN_mod_exp(y, y, q, p, ctx))
goto end;
if (BN_is_one(y)) {
BNerr(BN_F_BN_MOD_SQRT, BN_R_P_IS_NOT_PRIME);
goto end;
}
/*-
* Now we know that (if p is indeed prime) there is an integer
* k, 0 <= k < 2^e, such that
*
* a^q * y^k == 1 (mod p).
*
* As a^q is a square and y is not, k must be even.
* q+1 is even, too, so there is an element
*
* X := a^((q+1)/2) * y^(k/2),
*
* and it satisfies
*
* X^2 = a^q * a * y^k
* = a,
*
* so it is the square root that we are looking for.
*/
/* t := (q-1)/2 (note that q is odd) */
if (!BN_rshift1(t, q))
goto end;
/* x := a^((q-1)/2) */
if (BN_is_zero(t)) { /* special case: p = 2^e + 1 */
if (!BN_nnmod(t, A, p, ctx))
goto end;
if (BN_is_zero(t)) {
/* special case: a == 0 (mod p) */
BN_zero(ret);
err = 0;
goto end;
} else if (!BN_one(x))
goto end;
} else {
if (!BN_mod_exp(x, A, t, p, ctx))
goto end;
if (BN_is_zero(x)) {
/* special case: a == 0 (mod p) */
BN_zero(ret);
err = 0;
goto end;
}
}
/* b := a*x^2 (= a^q) */
if (!BN_mod_sqr(b, x, p, ctx))
goto end;
if (!BN_mod_mul(b, b, A, p, ctx))
goto end;
/* x := a*x (= a^((q+1)/2)) */
if (!BN_mod_mul(x, x, A, p, ctx))
goto end;
while (1) {
/*-
* Now b is a^q * y^k for some even k (0 <= k < 2^E
* where E refers to the original value of e, which we
* don't keep in a variable), and x is a^((q+1)/2) * y^(k/2).
*
* We have a*b = x^2,
* y^2^(e-1) = -1,
* b^2^(e-1) = 1.
*/
if (BN_is_one(b)) {
if (!BN_copy(ret, x))
goto end;
err = 0;
goto vrfy;
}
/* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
for (i = 1; i < e; i++) {
if (i == 1) {
if (!BN_mod_sqr(t, b, p, ctx))
goto end;
} else {
if (!BN_mod_mul(t, t, t, p, ctx))
goto end;
}
if (BN_is_one(t))
break;
}
/* If not found, a is not a square or p is not prime. */
if (i >= e) {
BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
goto end;
}
/* t := y^2^(e - i - 1) */
if (!BN_copy(t, y))
goto end;
for (j = e - i - 1; j > 0; j--) {
if (!BN_mod_sqr(t, t, p, ctx))
goto end;
}
if (!BN_mod_mul(y, t, t, p, ctx))
goto end;
if (!BN_mod_mul(x, x, t, p, ctx))
goto end;
if (!BN_mod_mul(b, b, y, p, ctx))
goto end;
e = i;
}
vrfy:
if (!err) {
/*
* verify the result -- the input might have been not a square (test
* added in 0.9.8)
*/
if (!BN_mod_sqr(x, ret, p, ctx))
err = 1;
if (!err && 0 != BN_cmp(x, A)) {
BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
err = 1;
}
}
end:
if (err) {
if (ret != in)
BN_clear_free(ret);
ret = NULL;
}
BN_CTX_end(ctx);
bn_check_top(ret);
return ret;
}
diff --git a/crypto/openssl/crypto/conf/conf_def.h b/crypto/openssl/crypto/conf/conf_def.h
index 1e4a03e10bbd..0490236287ac 100644
--- a/crypto/openssl/crypto/conf/conf_def.h
+++ b/crypto/openssl/crypto/conf/conf_def.h
@@ -1,76 +1,76 @@
/*
* WARNING: do not edit!
* Generated by crypto/conf/keysets.pl
*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#define CONF_NUMBER 1
#define CONF_UPPER 2
#define CONF_LOWER 4
#define CONF_UNDER 256
#define CONF_PUNCT 512
#define CONF_WS 16
#define CONF_ESC 32
#define CONF_QUOTE 64
#define CONF_DQUOTE 1024
#define CONF_COMMENT 128
#define CONF_FCOMMENT 2048
#define CONF_EOF 8
#define CONF_ALPHA (CONF_UPPER|CONF_LOWER)
#define CONF_ALNUM (CONF_ALPHA|CONF_NUMBER|CONF_UNDER)
#define CONF_ALNUM_PUNCT (CONF_ALPHA|CONF_NUMBER|CONF_UNDER|CONF_PUNCT)
#define IS_COMMENT(conf,c) is_keytype(conf, c, CONF_COMMENT)
#define IS_FCOMMENT(conf,c) is_keytype(conf, c, CONF_FCOMMENT)
#define IS_EOF(conf,c) is_keytype(conf, c, CONF_EOF)
#define IS_ESC(conf,c) is_keytype(conf, c, CONF_ESC)
#define IS_NUMBER(conf,c) is_keytype(conf, c, CONF_NUMBER)
#define IS_WS(conf,c) is_keytype(conf, c, CONF_WS)
#define IS_ALNUM(conf,c) is_keytype(conf, c, CONF_ALNUM)
#define IS_ALNUM_PUNCT(conf,c) is_keytype(conf, c, CONF_ALNUM_PUNCT)
#define IS_QUOTE(conf,c) is_keytype(conf, c, CONF_QUOTE)
#define IS_DQUOTE(conf,c) is_keytype(conf, c, CONF_DQUOTE)
static const unsigned short CONF_type_default[128] = {
0x0008, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
0x0000, 0x0010, 0x0010, 0x0000, 0x0000, 0x0010, 0x0000, 0x0000,
0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
0x0010, 0x0200, 0x0040, 0x0080, 0x0000, 0x0200, 0x0200, 0x0040,
0x0000, 0x0000, 0x0200, 0x0200, 0x0200, 0x0200, 0x0200, 0x0200,
0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001,
0x0001, 0x0001, 0x0000, 0x0200, 0x0000, 0x0000, 0x0000, 0x0200,
0x0200, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002,
0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002,
0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002,
0x0002, 0x0002, 0x0002, 0x0000, 0x0020, 0x0000, 0x0200, 0x0100,
0x0040, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004,
0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004,
0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004,
0x0004, 0x0004, 0x0004, 0x0000, 0x0200, 0x0000, 0x0200, 0x0000,
};
static const unsigned short CONF_type_win32[128] = {
0x0008, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
0x0000, 0x0010, 0x0010, 0x0000, 0x0000, 0x0010, 0x0000, 0x0000,
0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
0x0010, 0x0200, 0x0400, 0x0000, 0x0000, 0x0200, 0x0200, 0x0000,
0x0000, 0x0000, 0x0200, 0x0200, 0x0200, 0x0200, 0x0200, 0x0200,
0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001,
0x0001, 0x0001, 0x0000, 0x0A00, 0x0000, 0x0000, 0x0000, 0x0200,
0x0200, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002,
0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002,
0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002,
0x0002, 0x0002, 0x0002, 0x0000, 0x0000, 0x0000, 0x0200, 0x0100,
0x0000, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004,
0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004,
0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004, 0x0004,
0x0004, 0x0004, 0x0004, 0x0000, 0x0200, 0x0000, 0x0200, 0x0000,
};
diff --git a/crypto/openssl/crypto/engine/eng_all.c b/crypto/openssl/crypto/engine/eng_all.c
index b675ed7892e2..474a60c9bf13 100644
--- a/crypto/openssl/crypto/engine/eng_all.c
+++ b/crypto/openssl/crypto/engine/eng_all.c
@@ -1,25 +1,22 @@
/*
- * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include "internal/cryptlib.h"
#include "eng_local.h"
void ENGINE_load_builtin_engines(void)
{
- /* Some ENGINEs need this */
- OPENSSL_cpuid_setup();
-
OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
}
#if (defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__DragonFly__)) && OPENSSL_API_COMPAT < 0x10100000L
void ENGINE_setup_bsd_cryptodev(void)
{
}
#endif
diff --git a/crypto/openssl/crypto/engine/eng_dyn.c b/crypto/openssl/crypto/engine/eng_dyn.c
index 87c762edb8a0..6a0ddc162d00 100644
--- a/crypto/openssl/crypto/engine/eng_dyn.c
+++ b/crypto/openssl/crypto/engine/eng_dyn.c
@@ -1,512 +1,521 @@
/*
- * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include "eng_local.h"
#include "internal/dso.h"
#include <openssl/crypto.h>
/*
* Shared libraries implementing ENGINEs for use by the "dynamic" ENGINE
* loader should implement the hook-up functions with the following
* prototypes.
*/
/* Our ENGINE handlers */
static int dynamic_init(ENGINE *e);
static int dynamic_finish(ENGINE *e);
static int dynamic_ctrl(ENGINE *e, int cmd, long i, void *p,
void (*f) (void));
/* Predeclare our context type */
typedef struct st_dynamic_data_ctx dynamic_data_ctx;
/* The implementation for the important control command */
static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx);
#define DYNAMIC_CMD_SO_PATH ENGINE_CMD_BASE
#define DYNAMIC_CMD_NO_VCHECK (ENGINE_CMD_BASE + 1)
#define DYNAMIC_CMD_ID (ENGINE_CMD_BASE + 2)
#define DYNAMIC_CMD_LIST_ADD (ENGINE_CMD_BASE + 3)
#define DYNAMIC_CMD_DIR_LOAD (ENGINE_CMD_BASE + 4)
#define DYNAMIC_CMD_DIR_ADD (ENGINE_CMD_BASE + 5)
#define DYNAMIC_CMD_LOAD (ENGINE_CMD_BASE + 6)
/* The constants used when creating the ENGINE */
static const char *engine_dynamic_id = "dynamic";
static const char *engine_dynamic_name = "Dynamic engine loading support";
static const ENGINE_CMD_DEFN dynamic_cmd_defns[] = {
{DYNAMIC_CMD_SO_PATH,
"SO_PATH",
"Specifies the path to the new ENGINE shared library",
ENGINE_CMD_FLAG_STRING},
{DYNAMIC_CMD_NO_VCHECK,
"NO_VCHECK",
"Specifies to continue even if version checking fails (boolean)",
ENGINE_CMD_FLAG_NUMERIC},
{DYNAMIC_CMD_ID,
"ID",
"Specifies an ENGINE id name for loading",
ENGINE_CMD_FLAG_STRING},
{DYNAMIC_CMD_LIST_ADD,
"LIST_ADD",
"Whether to add a loaded ENGINE to the internal list (0=no,1=yes,2=mandatory)",
ENGINE_CMD_FLAG_NUMERIC},
{DYNAMIC_CMD_DIR_LOAD,
"DIR_LOAD",
"Specifies whether to load from 'DIR_ADD' directories (0=no,1=yes,2=mandatory)",
ENGINE_CMD_FLAG_NUMERIC},
{DYNAMIC_CMD_DIR_ADD,
"DIR_ADD",
"Adds a directory from which ENGINEs can be loaded",
ENGINE_CMD_FLAG_STRING},
{DYNAMIC_CMD_LOAD,
"LOAD",
"Load up the ENGINE specified by other settings",
ENGINE_CMD_FLAG_NO_INPUT},
{0, NULL, NULL, 0}
};
/*
* Loading code stores state inside the ENGINE structure via the "ex_data"
* element. We load all our state into a single structure and use that as a
* single context in the "ex_data" stack.
*/
struct st_dynamic_data_ctx {
/* The DSO object we load that supplies the ENGINE code */
DSO *dynamic_dso;
/*
* The function pointer to the version checking shared library function
*/
dynamic_v_check_fn v_check;
/*
* The function pointer to the engine-binding shared library function
*/
dynamic_bind_engine bind_engine;
/* The default name/path for loading the shared library */
char *DYNAMIC_LIBNAME;
/* Whether to continue loading on a version check failure */
int no_vcheck;
/* If non-NULL, stipulates the 'id' of the ENGINE to be loaded */
char *engine_id;
/*
* If non-zero, a successfully loaded ENGINE should be added to the
* internal ENGINE list. If 2, the add must succeed or the entire load
* should fail.
*/
int list_add_value;
/* The symbol name for the version checking function */
const char *DYNAMIC_F1;
/* The symbol name for the "initialise ENGINE structure" function */
const char *DYNAMIC_F2;
/*
* Whether to never use 'dirs', use 'dirs' as a fallback, or only use
* 'dirs' for loading. Default is to use 'dirs' as a fallback.
*/
int dir_load;
/* A stack of directories from which ENGINEs could be loaded */
STACK_OF(OPENSSL_STRING) *dirs;
};
/*
* This is the "ex_data" index we obtain and reserve for use with our context
* structure.
*/
static int dynamic_ex_data_idx = -1;
static void int_free_str(char *s)
{
OPENSSL_free(s);
}
/*
* Because our ex_data element may or may not get allocated depending on
* whether a "first-use" occurs before the ENGINE is freed, we have a memory
* leak problem to solve. We can't declare a "new" handler for the ex_data as
* we don't want a dynamic_data_ctx in *all* ENGINE structures of all types
* (this is a bug in the design of CRYPTO_EX_DATA). As such, we just declare
* a "free" handler and that will get called if an ENGINE is being destroyed
* and there was an ex_data element corresponding to our context type.
*/
static void dynamic_data_ctx_free_func(void *parent, void *ptr,
CRYPTO_EX_DATA *ad, int idx, long argl,
void *argp)
{
if (ptr) {
dynamic_data_ctx *ctx = (dynamic_data_ctx *)ptr;
DSO_free(ctx->dynamic_dso);
OPENSSL_free(ctx->DYNAMIC_LIBNAME);
OPENSSL_free(ctx->engine_id);
sk_OPENSSL_STRING_pop_free(ctx->dirs, int_free_str);
OPENSSL_free(ctx);
}
}
/*
* Construct the per-ENGINE context. We create it blindly and then use a lock
* to check for a race - if so, all but one of the threads "racing" will have
* wasted their time. The alternative involves creating everything inside the
* lock which is far worse.
*/
static int dynamic_set_data_ctx(ENGINE *e, dynamic_data_ctx **ctx)
{
dynamic_data_ctx *c = OPENSSL_zalloc(sizeof(*c));
int ret = 1;
if (c == NULL) {
ENGINEerr(ENGINE_F_DYNAMIC_SET_DATA_CTX, ERR_R_MALLOC_FAILURE);
return 0;
}
c->dirs = sk_OPENSSL_STRING_new_null();
if (c->dirs == NULL) {
ENGINEerr(ENGINE_F_DYNAMIC_SET_DATA_CTX, ERR_R_MALLOC_FAILURE);
OPENSSL_free(c);
return 0;
}
c->DYNAMIC_F1 = "v_check";
c->DYNAMIC_F2 = "bind_engine";
c->dir_load = 1;
CRYPTO_THREAD_write_lock(global_engine_lock);
if ((*ctx = (dynamic_data_ctx *)ENGINE_get_ex_data(e,
dynamic_ex_data_idx))
== NULL) {
/* Good, we're the first */
ret = ENGINE_set_ex_data(e, dynamic_ex_data_idx, c);
if (ret) {
*ctx = c;
c = NULL;
}
}
CRYPTO_THREAD_unlock(global_engine_lock);
/*
* If we lost the race to set the context, c is non-NULL and *ctx is the
* context of the thread that won.
*/
if (c)
sk_OPENSSL_STRING_free(c->dirs);
OPENSSL_free(c);
return ret;
}
/*
* This function retrieves the context structure from an ENGINE's "ex_data",
* or if it doesn't exist yet, sets it up.
*/
static dynamic_data_ctx *dynamic_get_data_ctx(ENGINE *e)
{
dynamic_data_ctx *ctx;
if (dynamic_ex_data_idx < 0) {
/*
* Create and register the ENGINE ex_data, and associate our "free"
* function with it to ensure any allocated contexts get freed when
* an ENGINE goes underground.
*/
int new_idx = ENGINE_get_ex_new_index(0, NULL, NULL, NULL,
dynamic_data_ctx_free_func);
if (new_idx == -1) {
ENGINEerr(ENGINE_F_DYNAMIC_GET_DATA_CTX, ENGINE_R_NO_INDEX);
return NULL;
}
CRYPTO_THREAD_write_lock(global_engine_lock);
/* Avoid a race by checking again inside this lock */
if (dynamic_ex_data_idx < 0) {
/* Good, someone didn't beat us to it */
dynamic_ex_data_idx = new_idx;
new_idx = -1;
}
CRYPTO_THREAD_unlock(global_engine_lock);
/*
* In theory we could "give back" the index here if (new_idx>-1), but
* it's not possible and wouldn't gain us much if it were.
*/
}
ctx = (dynamic_data_ctx *)ENGINE_get_ex_data(e, dynamic_ex_data_idx);
/* Check if the context needs to be created */
if ((ctx == NULL) && !dynamic_set_data_ctx(e, &ctx))
/* "set_data" will set errors if necessary */
return NULL;
return ctx;
}
static ENGINE *engine_dynamic(void)
{
ENGINE *ret = ENGINE_new();
if (ret == NULL)
return NULL;
if (!ENGINE_set_id(ret, engine_dynamic_id) ||
!ENGINE_set_name(ret, engine_dynamic_name) ||
!ENGINE_set_init_function(ret, dynamic_init) ||
!ENGINE_set_finish_function(ret, dynamic_finish) ||
!ENGINE_set_ctrl_function(ret, dynamic_ctrl) ||
!ENGINE_set_flags(ret, ENGINE_FLAGS_BY_ID_COPY) ||
!ENGINE_set_cmd_defns(ret, dynamic_cmd_defns)) {
ENGINE_free(ret);
return NULL;
}
return ret;
}
void engine_load_dynamic_int(void)
{
ENGINE *toadd = engine_dynamic();
if (!toadd)
return;
ENGINE_add(toadd);
/*
* If the "add" worked, it gets a structural reference. So either way, we
* release our just-created reference.
*/
ENGINE_free(toadd);
/*
* If the "add" didn't work, it was probably a conflict because it was
* already added (eg. someone calling ENGINE_load_blah then calling
* ENGINE_load_builtin_engines() perhaps).
*/
ERR_clear_error();
}
static int dynamic_init(ENGINE *e)
{
/*
* We always return failure - the "dynamic" engine itself can't be used
* for anything.
*/
return 0;
}
static int dynamic_finish(ENGINE *e)
{
/*
* This should never be called on account of "dynamic_init" always
* failing.
*/
return 0;
}
static int dynamic_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void))
{
dynamic_data_ctx *ctx = dynamic_get_data_ctx(e);
int initialised;
if (!ctx) {
ENGINEerr(ENGINE_F_DYNAMIC_CTRL, ENGINE_R_NOT_LOADED);
return 0;
}
initialised = ((ctx->dynamic_dso == NULL) ? 0 : 1);
/* All our control commands require the ENGINE to be uninitialised */
if (initialised) {
ENGINEerr(ENGINE_F_DYNAMIC_CTRL, ENGINE_R_ALREADY_LOADED);
return 0;
}
switch (cmd) {
case DYNAMIC_CMD_SO_PATH:
/* a NULL 'p' or a string of zero-length is the same thing */
if (p && (strlen((const char *)p) < 1))
p = NULL;
OPENSSL_free(ctx->DYNAMIC_LIBNAME);
if (p)
ctx->DYNAMIC_LIBNAME = OPENSSL_strdup(p);
else
ctx->DYNAMIC_LIBNAME = NULL;
return (ctx->DYNAMIC_LIBNAME ? 1 : 0);
case DYNAMIC_CMD_NO_VCHECK:
ctx->no_vcheck = ((i == 0) ? 0 : 1);
return 1;
case DYNAMIC_CMD_ID:
/* a NULL 'p' or a string of zero-length is the same thing */
if (p && (strlen((const char *)p) < 1))
p = NULL;
OPENSSL_free(ctx->engine_id);
if (p)
ctx->engine_id = OPENSSL_strdup(p);
else
ctx->engine_id = NULL;
return (ctx->engine_id ? 1 : 0);
case DYNAMIC_CMD_LIST_ADD:
if ((i < 0) || (i > 2)) {
ENGINEerr(ENGINE_F_DYNAMIC_CTRL, ENGINE_R_INVALID_ARGUMENT);
return 0;
}
ctx->list_add_value = (int)i;
return 1;
case DYNAMIC_CMD_LOAD:
return dynamic_load(e, ctx);
case DYNAMIC_CMD_DIR_LOAD:
if ((i < 0) || (i > 2)) {
ENGINEerr(ENGINE_F_DYNAMIC_CTRL, ENGINE_R_INVALID_ARGUMENT);
return 0;
}
ctx->dir_load = (int)i;
return 1;
case DYNAMIC_CMD_DIR_ADD:
/* a NULL 'p' or a string of zero-length is the same thing */
if (!p || (strlen((const char *)p) < 1)) {
ENGINEerr(ENGINE_F_DYNAMIC_CTRL, ENGINE_R_INVALID_ARGUMENT);
return 0;
}
{
char *tmp_str = OPENSSL_strdup(p);
if (tmp_str == NULL) {
ENGINEerr(ENGINE_F_DYNAMIC_CTRL, ERR_R_MALLOC_FAILURE);
return 0;
}
if (!sk_OPENSSL_STRING_push(ctx->dirs, tmp_str)) {
OPENSSL_free(tmp_str);
ENGINEerr(ENGINE_F_DYNAMIC_CTRL, ERR_R_MALLOC_FAILURE);
return 0;
}
}
return 1;
default:
break;
}
ENGINEerr(ENGINE_F_DYNAMIC_CTRL, ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED);
return 0;
}
static int int_load(dynamic_data_ctx *ctx)
{
int num, loop;
/* Unless told not to, try a direct load */
if ((ctx->dir_load != 2) && (DSO_load(ctx->dynamic_dso,
ctx->DYNAMIC_LIBNAME, NULL,
0)) != NULL)
return 1;
/* If we're not allowed to use 'dirs' or we have none, fail */
if (!ctx->dir_load || (num = sk_OPENSSL_STRING_num(ctx->dirs)) < 1)
return 0;
for (loop = 0; loop < num; loop++) {
const char *s = sk_OPENSSL_STRING_value(ctx->dirs, loop);
char *merge = DSO_merge(ctx->dynamic_dso, ctx->DYNAMIC_LIBNAME, s);
if (!merge)
return 0;
if (DSO_load(ctx->dynamic_dso, merge, NULL, 0)) {
/* Found what we're looking for */
OPENSSL_free(merge);
return 1;
}
OPENSSL_free(merge);
}
return 0;
}
static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx)
{
ENGINE cpy;
dynamic_fns fns;
if (ctx->dynamic_dso == NULL)
ctx->dynamic_dso = DSO_new();
if (ctx->dynamic_dso == NULL)
return 0;
if (!ctx->DYNAMIC_LIBNAME) {
if (!ctx->engine_id)
return 0;
DSO_ctrl(ctx->dynamic_dso, DSO_CTRL_SET_FLAGS,
DSO_FLAG_NAME_TRANSLATION_EXT_ONLY, NULL);
ctx->DYNAMIC_LIBNAME =
DSO_convert_filename(ctx->dynamic_dso, ctx->engine_id);
}
if (!int_load(ctx)) {
ENGINEerr(ENGINE_F_DYNAMIC_LOAD, ENGINE_R_DSO_NOT_FOUND);
DSO_free(ctx->dynamic_dso);
ctx->dynamic_dso = NULL;
return 0;
}
/* We have to find a bind function otherwise it'll always end badly */
if (!
(ctx->bind_engine =
(dynamic_bind_engine) DSO_bind_func(ctx->dynamic_dso,
ctx->DYNAMIC_F2))) {
ctx->bind_engine = NULL;
DSO_free(ctx->dynamic_dso);
ctx->dynamic_dso = NULL;
ENGINEerr(ENGINE_F_DYNAMIC_LOAD, ENGINE_R_DSO_FAILURE);
return 0;
}
/* Do we perform version checking? */
if (!ctx->no_vcheck) {
unsigned long vcheck_res = 0;
/*
* Now we try to find a version checking function and decide how to
* cope with failure if/when it fails.
*/
ctx->v_check =
(dynamic_v_check_fn) DSO_bind_func(ctx->dynamic_dso,
ctx->DYNAMIC_F1);
if (ctx->v_check)
vcheck_res = ctx->v_check(OSSL_DYNAMIC_VERSION);
/*
* We fail if the version checker veto'd the load *or* if it is
* deferring to us (by returning its version) and we think it is too
* old.
+ * Unfortunately the version checker does not distinguish between
+ * engines built for openssl 1.1.x and openssl 3.x, but loading
+ * an engine that is built for openssl 3.x will cause a fatal
+ * error. Detect such engines, since EVP_PKEY_get_base_id is exported
+ * as a function in openssl 3.x, while it is named EVP_PKEY_base_id
+ * in openssl 1.1.x. Therefore we take the presence of that symbol
+ * as an indication that the engine will be incompatible.
*/
- if (vcheck_res < OSSL_DYNAMIC_OLDEST) {
+ if (vcheck_res < OSSL_DYNAMIC_OLDEST
+ || DSO_bind_func(ctx->dynamic_dso,
+ "EVP_PKEY_get_base_id") != NULL) {
/* Fail */
ctx->bind_engine = NULL;
ctx->v_check = NULL;
DSO_free(ctx->dynamic_dso);
ctx->dynamic_dso = NULL;
ENGINEerr(ENGINE_F_DYNAMIC_LOAD,
ENGINE_R_VERSION_INCOMPATIBILITY);
return 0;
}
}
/*
* First binary copy the ENGINE structure so that we can roll back if the
* hand-over fails
*/
memcpy(&cpy, e, sizeof(ENGINE));
/*
* Provide the ERR, "ex_data", memory, and locking callbacks so the
* loaded library uses our state rather than its own. FIXME: As noted in
* engine.h, much of this would be simplified if each area of code
* provided its own "summary" structure of all related callbacks. It
* would also increase opaqueness.
*/
fns.static_state = ENGINE_get_static_state();
CRYPTO_get_mem_functions(&fns.mem_fns.malloc_fn, &fns.mem_fns.realloc_fn,
&fns.mem_fns.free_fn);
/*
* Now that we've loaded the dynamic engine, make sure no "dynamic"
* ENGINE elements will show through.
*/
engine_set_all_null(e);
/* Try to bind the ENGINE onto our own ENGINE structure */
if (!engine_add_dynamic_id(e, (ENGINE_DYNAMIC_ID)ctx->bind_engine, 1)
|| !ctx->bind_engine(e, ctx->engine_id, &fns)) {
engine_remove_dynamic_id(e, 1);
ctx->bind_engine = NULL;
ctx->v_check = NULL;
DSO_free(ctx->dynamic_dso);
ctx->dynamic_dso = NULL;
ENGINEerr(ENGINE_F_DYNAMIC_LOAD, ENGINE_R_INIT_FAILED);
/* Copy the original ENGINE structure back */
memcpy(e, &cpy, sizeof(ENGINE));
return 0;
}
/* Do we try to add this ENGINE to the internal list too? */
if (ctx->list_add_value > 0) {
if (!ENGINE_add(e)) {
/* Do we tolerate this or fail? */
if (ctx->list_add_value > 1) {
/*
* Fail - NB: By this time, it's too late to rollback, and
* trying to do so allows the bind_engine() code to have
* created leaks. We just have to fail where we are, after
* the ENGINE has changed.
*/
ENGINEerr(ENGINE_F_DYNAMIC_LOAD,
ENGINE_R_CONFLICTING_ENGINE_ID);
return 0;
}
/* Tolerate */
ERR_clear_error();
}
}
return 1;
}
diff --git a/crypto/openssl/crypto/evp/digest.c b/crypto/openssl/crypto/evp/digest.c
index d1bfa274ca81..01a6f251f56e 100644
--- a/crypto/openssl/crypto/evp/digest.c
+++ b/crypto/openssl/crypto/evp/digest.c
@@ -1,301 +1,311 @@
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/engine.h>
#include "crypto/evp.h"
#include "evp_local.h"
+
+static void cleanup_old_md_data(EVP_MD_CTX *ctx, int force)
+{
+ if (ctx->digest != NULL) {
+ if (ctx->digest->cleanup != NULL
+ && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_CLEANED))
+ ctx->digest->cleanup(ctx);
+ if (ctx->md_data != NULL && ctx->digest->ctx_size > 0
+ && (!EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE)
+ || force)) {
+ OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
+ ctx->md_data = NULL;
+ }
+ }
+}
+
/* This call frees resources associated with the context */
int EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
{
if (ctx == NULL)
return 1;
/*
* Don't assume ctx->md_data was cleaned in EVP_Digest_Final, because
* sometimes only copies of the context are ever finalised.
*/
- if (ctx->digest && ctx->digest->cleanup
- && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_CLEANED))
- ctx->digest->cleanup(ctx);
- if (ctx->digest && ctx->digest->ctx_size && ctx->md_data
- && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE)) {
- OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
- }
+ cleanup_old_md_data(ctx, 0);
+
/*
* pctx should be freed by the user of EVP_MD_CTX
* if EVP_MD_CTX_FLAG_KEEP_PKEY_CTX is set
*/
if (!EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX))
EVP_PKEY_CTX_free(ctx->pctx);
#ifndef OPENSSL_NO_ENGINE
ENGINE_finish(ctx->engine);
#endif
OPENSSL_cleanse(ctx, sizeof(*ctx));
return 1;
}
EVP_MD_CTX *EVP_MD_CTX_new(void)
{
return OPENSSL_zalloc(sizeof(EVP_MD_CTX));
}
void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
{
EVP_MD_CTX_reset(ctx);
OPENSSL_free(ctx);
}
int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type)
{
EVP_MD_CTX_reset(ctx);
return EVP_DigestInit_ex(ctx, type, NULL);
}
int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
{
EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
#ifndef OPENSSL_NO_ENGINE
/*
* Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
* this context may already have an ENGINE! Try to avoid releasing the
* previous handle, re-querying for an ENGINE, and having a
* reinitialisation, when it may all be unnecessary.
*/
if (ctx->engine && ctx->digest &&
(type == NULL || (type->type == ctx->digest->type)))
goto skip_to_init;
+
if (type) {
/*
* Ensure an ENGINE left lying around from last time is cleared (the
* previous check attempted to avoid this if the same ENGINE and
* EVP_MD could be used).
*/
ENGINE_finish(ctx->engine);
if (impl != NULL) {
if (!ENGINE_init(impl)) {
EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_INITIALIZATION_ERROR);
return 0;
}
} else {
/* Ask if an ENGINE is reserved for this job */
impl = ENGINE_get_digest_engine(type->type);
}
if (impl != NULL) {
/* There's an ENGINE for this job ... (apparently) */
const EVP_MD *d = ENGINE_get_digest(impl, type->type);
if (d == NULL) {
EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_INITIALIZATION_ERROR);
ENGINE_finish(impl);
return 0;
}
/* We'll use the ENGINE's private digest definition */
type = d;
/*
* Store the ENGINE functional reference so we know 'type' came
* from an ENGINE and we need to release it when done.
*/
ctx->engine = impl;
} else
ctx->engine = NULL;
} else {
if (!ctx->digest) {
EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_NO_DIGEST_SET);
return 0;
}
type = ctx->digest;
}
#endif
if (ctx->digest != type) {
- if (ctx->digest && ctx->digest->ctx_size) {
- OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
- ctx->md_data = NULL;
- }
+ cleanup_old_md_data(ctx, 1);
+
ctx->digest = type;
if (!(ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) && type->ctx_size) {
ctx->update = type->update;
ctx->md_data = OPENSSL_zalloc(type->ctx_size);
if (ctx->md_data == NULL) {
EVPerr(EVP_F_EVP_DIGESTINIT_EX, ERR_R_MALLOC_FAILURE);
return 0;
}
}
}
#ifndef OPENSSL_NO_ENGINE
skip_to_init:
#endif
if (ctx->pctx) {
int r;
r = EVP_PKEY_CTX_ctrl(ctx->pctx, -1, EVP_PKEY_OP_TYPE_SIG,
EVP_PKEY_CTRL_DIGESTINIT, 0, ctx);
if (r <= 0 && (r != -2))
return 0;
}
if (ctx->flags & EVP_MD_CTX_FLAG_NO_INIT)
return 1;
return ctx->digest->init(ctx);
}
int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
{
if (count == 0)
return 1;
return ctx->update(ctx, data, count);
}
/* The caller can assume that this removes any secret data from the context */
int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
{
int ret;
ret = EVP_DigestFinal_ex(ctx, md, size);
EVP_MD_CTX_reset(ctx);
return ret;
}
/* The caller can assume that this removes any secret data from the context */
int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
{
int ret;
OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
ret = ctx->digest->final(ctx, md);
if (size != NULL)
*size = ctx->digest->md_size;
if (ctx->digest->cleanup) {
ctx->digest->cleanup(ctx);
EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
}
OPENSSL_cleanse(ctx->md_data, ctx->digest->ctx_size);
return ret;
}
int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t size)
{
int ret = 0;
if (ctx->digest->flags & EVP_MD_FLAG_XOF
&& size <= INT_MAX
&& ctx->digest->md_ctrl(ctx, EVP_MD_CTRL_XOF_LEN, (int)size, NULL)) {
ret = ctx->digest->final(ctx, md);
if (ctx->digest->cleanup != NULL) {
ctx->digest->cleanup(ctx);
EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
}
OPENSSL_cleanse(ctx->md_data, ctx->digest->ctx_size);
} else {
EVPerr(EVP_F_EVP_DIGESTFINALXOF, EVP_R_NOT_XOF_OR_INVALID_LENGTH);
}
return ret;
}
int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in)
{
EVP_MD_CTX_reset(out);
return EVP_MD_CTX_copy_ex(out, in);
}
int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
{
unsigned char *tmp_buf;
if ((in == NULL) || (in->digest == NULL)) {
EVPerr(EVP_F_EVP_MD_CTX_COPY_EX, EVP_R_INPUT_NOT_INITIALIZED);
return 0;
}
#ifndef OPENSSL_NO_ENGINE
/* Make sure it's safe to copy a digest context using an ENGINE */
if (in->engine && !ENGINE_init(in->engine)) {
EVPerr(EVP_F_EVP_MD_CTX_COPY_EX, ERR_R_ENGINE_LIB);
return 0;
}
#endif
if (out->digest == in->digest) {
tmp_buf = out->md_data;
EVP_MD_CTX_set_flags(out, EVP_MD_CTX_FLAG_REUSE);
} else
tmp_buf = NULL;
EVP_MD_CTX_reset(out);
memcpy(out, in, sizeof(*out));
/* copied EVP_MD_CTX should free the copied EVP_PKEY_CTX */
EVP_MD_CTX_clear_flags(out, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX);
/* Null these variables, since they are getting fixed up
* properly below. Anything else may cause a memleak and/or
* double free if any of the memory allocations below fail
*/
out->md_data = NULL;
out->pctx = NULL;
if (in->md_data && out->digest->ctx_size) {
if (tmp_buf)
out->md_data = tmp_buf;
else {
out->md_data = OPENSSL_malloc(out->digest->ctx_size);
if (out->md_data == NULL) {
EVPerr(EVP_F_EVP_MD_CTX_COPY_EX, ERR_R_MALLOC_FAILURE);
return 0;
}
}
memcpy(out->md_data, in->md_data, out->digest->ctx_size);
}
out->update = in->update;
if (in->pctx) {
out->pctx = EVP_PKEY_CTX_dup(in->pctx);
if (!out->pctx) {
EVP_MD_CTX_reset(out);
return 0;
}
}
if (out->digest->copy)
return out->digest->copy(out, in);
return 1;
}
int EVP_Digest(const void *data, size_t count,
unsigned char *md, unsigned int *size, const EVP_MD *type,
ENGINE *impl)
{
EVP_MD_CTX *ctx = EVP_MD_CTX_new();
int ret;
if (ctx == NULL)
return 0;
EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_ONESHOT);
ret = EVP_DigestInit_ex(ctx, type, impl)
&& EVP_DigestUpdate(ctx, data, count)
&& EVP_DigestFinal_ex(ctx, md, size);
EVP_MD_CTX_free(ctx);
return ret;
}
int EVP_MD_CTX_ctrl(EVP_MD_CTX *ctx, int cmd, int p1, void *p2)
{
if (ctx->digest && ctx->digest->md_ctrl) {
int ret = ctx->digest->md_ctrl(ctx, cmd, p1, p2);
if (ret <= 0)
return 0;
return 1;
}
return 0;
}
diff --git a/crypto/openssl/crypto/lhash/lhash.c b/crypto/openssl/crypto/lhash/lhash.c
index 9dc887d91e4b..603224975ca1 100644
--- a/crypto/openssl/crypto/lhash/lhash.c
+++ b/crypto/openssl/crypto/lhash/lhash.c
@@ -1,393 +1,395 @@
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <openssl/crypto.h>
#include <openssl/lhash.h>
#include <openssl/err.h>
#include "crypto/ctype.h"
#include "crypto/lhash.h"
#include "lhash_local.h"
/*
* A hashing implementation that appears to be based on the linear hashing
* algorithm:
* https://en.wikipedia.org/wiki/Linear_hashing
*
* Litwin, Witold (1980), "Linear hashing: A new tool for file and table
* addressing", Proc. 6th Conference on Very Large Databases: 212-223
* https://hackthology.com/pdfs/Litwin-1980-Linear_Hashing.pdf
*
* From the Wikipedia article "Linear hashing is used in the BDB Berkeley
* database system, which in turn is used by many software systems such as
* OpenLDAP, using a C implementation derived from the CACM article and first
* published on the Usenet in 1988 by Esmond Pitt."
*
* The CACM paper is available here:
* https://pdfs.semanticscholar.org/ff4d/1c5deca6269cc316bfd952172284dbf610ee.pdf
*/
#undef MIN_NODES
#define MIN_NODES 16
#define UP_LOAD (2*LH_LOAD_MULT) /* load times 256 (default 2) */
#define DOWN_LOAD (LH_LOAD_MULT) /* load times 256 (default 1) */
static int expand(OPENSSL_LHASH *lh);
static void contract(OPENSSL_LHASH *lh);
static OPENSSL_LH_NODE **getrn(OPENSSL_LHASH *lh, const void *data, unsigned long *rhash);
OPENSSL_LHASH *OPENSSL_LH_new(OPENSSL_LH_HASHFUNC h, OPENSSL_LH_COMPFUNC c)
{
OPENSSL_LHASH *ret;
if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) {
/*
* Do not set the error code, because the ERR code uses LHASH
* and we want to avoid possible endless error loop.
* CRYPTOerr(CRYPTO_F_OPENSSL_LH_NEW, ERR_R_MALLOC_FAILURE);
*/
return NULL;
}
if ((ret->b = OPENSSL_zalloc(sizeof(*ret->b) * MIN_NODES)) == NULL)
goto err;
ret->comp = ((c == NULL) ? (OPENSSL_LH_COMPFUNC)strcmp : c);
ret->hash = ((h == NULL) ? (OPENSSL_LH_HASHFUNC)OPENSSL_LH_strhash : h);
ret->num_nodes = MIN_NODES / 2;
ret->num_alloc_nodes = MIN_NODES;
ret->pmax = MIN_NODES / 2;
ret->up_load = UP_LOAD;
ret->down_load = DOWN_LOAD;
return ret;
err:
OPENSSL_free(ret->b);
OPENSSL_free(ret);
return NULL;
}
void OPENSSL_LH_free(OPENSSL_LHASH *lh)
{
unsigned int i;
OPENSSL_LH_NODE *n, *nn;
if (lh == NULL)
return;
for (i = 0; i < lh->num_nodes; i++) {
n = lh->b[i];
while (n != NULL) {
nn = n->next;
OPENSSL_free(n);
n = nn;
}
}
OPENSSL_free(lh->b);
OPENSSL_free(lh);
}
void *OPENSSL_LH_insert(OPENSSL_LHASH *lh, void *data)
{
unsigned long hash;
OPENSSL_LH_NODE *nn, **rn;
void *ret;
lh->error = 0;
if ((lh->up_load <= (lh->num_items * LH_LOAD_MULT / lh->num_nodes)) && !expand(lh))
return NULL; /* 'lh->error++' already done in 'expand' */
rn = getrn(lh, data, &hash);
if (*rn == NULL) {
if ((nn = OPENSSL_malloc(sizeof(*nn))) == NULL) {
lh->error++;
return NULL;
}
nn->data = data;
nn->next = NULL;
nn->hash = hash;
*rn = nn;
ret = NULL;
lh->num_insert++;
lh->num_items++;
} else { /* replace same key */
ret = (*rn)->data;
(*rn)->data = data;
lh->num_replace++;
}
return ret;
}
void *OPENSSL_LH_delete(OPENSSL_LHASH *lh, const void *data)
{
unsigned long hash;
OPENSSL_LH_NODE *nn, **rn;
void *ret;
lh->error = 0;
rn = getrn(lh, data, &hash);
if (*rn == NULL) {
lh->num_no_delete++;
return NULL;
} else {
nn = *rn;
*rn = nn->next;
ret = nn->data;
OPENSSL_free(nn);
lh->num_delete++;
}
lh->num_items--;
if ((lh->num_nodes > MIN_NODES) &&
(lh->down_load >= (lh->num_items * LH_LOAD_MULT / lh->num_nodes)))
contract(lh);
return ret;
}
void *OPENSSL_LH_retrieve(OPENSSL_LHASH *lh, const void *data)
{
unsigned long hash;
OPENSSL_LH_NODE **rn;
void *ret;
tsan_store((TSAN_QUALIFIER int *)&lh->error, 0);
rn = getrn(lh, data, &hash);
if (*rn == NULL) {
tsan_counter(&lh->num_retrieve_miss);
return NULL;
} else {
ret = (*rn)->data;
tsan_counter(&lh->num_retrieve);
}
return ret;
}
static void doall_util_fn(OPENSSL_LHASH *lh, int use_arg,
OPENSSL_LH_DOALL_FUNC func,
OPENSSL_LH_DOALL_FUNCARG func_arg, void *arg)
{
int i;
OPENSSL_LH_NODE *a, *n;
if (lh == NULL)
return;
/*
* reverse the order so we search from 'top to bottom' We were having
* memory leaks otherwise
*/
for (i = lh->num_nodes - 1; i >= 0; i--) {
a = lh->b[i];
while (a != NULL) {
n = a->next;
if (use_arg)
func_arg(a->data, arg);
else
func(a->data);
a = n;
}
}
}
void OPENSSL_LH_doall(OPENSSL_LHASH *lh, OPENSSL_LH_DOALL_FUNC func)
{
doall_util_fn(lh, 0, func, (OPENSSL_LH_DOALL_FUNCARG)0, NULL);
}
void OPENSSL_LH_doall_arg(OPENSSL_LHASH *lh, OPENSSL_LH_DOALL_FUNCARG func, void *arg)
{
doall_util_fn(lh, 1, (OPENSSL_LH_DOALL_FUNC)0, func, arg);
}
static int expand(OPENSSL_LHASH *lh)
{
OPENSSL_LH_NODE **n, **n1, **n2, *np;
unsigned int p, pmax, nni, j;
unsigned long hash;
nni = lh->num_alloc_nodes;
p = lh->p;
pmax = lh->pmax;
if (p + 1 >= pmax) {
j = nni * 2;
n = OPENSSL_realloc(lh->b, sizeof(OPENSSL_LH_NODE *) * j);
if (n == NULL) {
lh->error++;
return 0;
}
lh->b = n;
memset(n + nni, 0, sizeof(*n) * (j - nni));
lh->pmax = nni;
lh->num_alloc_nodes = j;
lh->num_expand_reallocs++;
lh->p = 0;
} else {
lh->p++;
}
lh->num_nodes++;
lh->num_expands++;
n1 = &(lh->b[p]);
n2 = &(lh->b[p + pmax]);
*n2 = NULL;
for (np = *n1; np != NULL;) {
hash = np->hash;
if ((hash % nni) != p) { /* move it */
*n1 = (*n1)->next;
np->next = *n2;
*n2 = np;
} else
n1 = &((*n1)->next);
np = *n1;
}
return 1;
}
static void contract(OPENSSL_LHASH *lh)
{
OPENSSL_LH_NODE **n, *n1, *np;
np = lh->b[lh->p + lh->pmax - 1];
lh->b[lh->p + lh->pmax - 1] = NULL; /* 24/07-92 - eay - weird but :-( */
if (lh->p == 0) {
n = OPENSSL_realloc(lh->b,
(unsigned int)(sizeof(OPENSSL_LH_NODE *) * lh->pmax));
if (n == NULL) {
/* fputs("realloc error in lhash",stderr); */
lh->error++;
return;
}
lh->num_contract_reallocs++;
lh->num_alloc_nodes /= 2;
lh->pmax /= 2;
lh->p = lh->pmax - 1;
lh->b = n;
} else
lh->p--;
lh->num_nodes--;
lh->num_contracts++;
n1 = lh->b[(int)lh->p];
if (n1 == NULL)
lh->b[(int)lh->p] = np;
else {
while (n1->next != NULL)
n1 = n1->next;
n1->next = np;
}
}
static OPENSSL_LH_NODE **getrn(OPENSSL_LHASH *lh,
const void *data, unsigned long *rhash)
{
OPENSSL_LH_NODE **ret, *n1;
unsigned long hash, nn;
OPENSSL_LH_COMPFUNC cf;
hash = (*(lh->hash)) (data);
tsan_counter(&lh->num_hash_calls);
*rhash = hash;
nn = hash % lh->pmax;
if (nn < lh->p)
nn = hash % lh->num_alloc_nodes;
cf = lh->comp;
ret = &(lh->b[(int)nn]);
for (n1 = *ret; n1 != NULL; n1 = n1->next) {
tsan_counter(&lh->num_hash_comps);
if (n1->hash != hash) {
ret = &(n1->next);
continue;
}
tsan_counter(&lh->num_comp_calls);
if (cf(n1->data, data) == 0)
break;
ret = &(n1->next);
}
return ret;
}
/*
* The following hash seems to work very well on normal text strings no
* collisions on /usr/dict/words and it distributes on %2^n quite well, not
* as good as MD5, but still good.
*/
unsigned long OPENSSL_LH_strhash(const char *c)
{
unsigned long ret = 0;
long n;
unsigned long v;
int r;
if ((c == NULL) || (*c == '\0'))
return ret;
n = 0x100;
while (*c) {
v = n | (*c);
n += 0x100;
r = (int)((v >> 2) ^ v) & 0x0f;
- ret = (ret << r) | (ret >> (32 - r));
+ /* cast to uint64_t to avoid 32 bit shift of 32 bit value */
+ ret = (ret << r) | (unsigned long)((uint64_t)ret >> (32 - r));
ret &= 0xFFFFFFFFL;
ret ^= v * v;
c++;
}
return (ret >> 16) ^ ret;
}
unsigned long openssl_lh_strcasehash(const char *c)
{
unsigned long ret = 0;
long n;
unsigned long v;
int r;
if (c == NULL || *c == '\0')
return ret;
for (n = 0x100; *c != '\0'; n += 0x100) {
v = n | ossl_tolower(*c);
r = (int)((v >> 2) ^ v) & 0x0f;
- ret = (ret << r) | (ret >> (32 - r));
+ /* cast to uint64_t to avoid 32 bit shift of 32 bit value */
+ ret = (ret << r) | (unsigned long)((uint64_t)ret >> (32 - r));
ret &= 0xFFFFFFFFL;
ret ^= v * v;
c++;
}
return (ret >> 16) ^ ret;
}
unsigned long OPENSSL_LH_num_items(const OPENSSL_LHASH *lh)
{
return lh ? lh->num_items : 0;
}
unsigned long OPENSSL_LH_get_down_load(const OPENSSL_LHASH *lh)
{
return lh->down_load;
}
void OPENSSL_LH_set_down_load(OPENSSL_LHASH *lh, unsigned long down_load)
{
lh->down_load = down_load;
}
int OPENSSL_LH_error(OPENSSL_LHASH *lh)
{
return lh->error;
}
diff --git a/crypto/openssl/crypto/objects/obj_dat.c b/crypto/openssl/crypto/objects/obj_dat.c
index 46006fe6cf9c..7e8de727f310 100644
--- a/crypto/openssl/crypto/objects/obj_dat.c
+++ b/crypto/openssl/crypto/objects/obj_dat.c
@@ -1,739 +1,740 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <stdio.h>
#include "crypto/ctype.h"
#include <limits.h>
#include "internal/cryptlib.h"
#include <openssl/lhash.h>
#include <openssl/asn1.h>
#include "crypto/objects.h"
#include <openssl/bn.h>
#include "crypto/asn1.h"
#include "obj_local.h"
/* obj_dat.h is generated from objects.h by obj_dat.pl */
#include "obj_dat.h"
DECLARE_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, unsigned int, sn);
DECLARE_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, unsigned int, ln);
DECLARE_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, unsigned int, obj);
#define ADDED_DATA 0
#define ADDED_SNAME 1
#define ADDED_LNAME 2
#define ADDED_NID 3
struct added_obj_st {
int type;
ASN1_OBJECT *obj;
};
static int new_nid = NUM_NID;
static LHASH_OF(ADDED_OBJ) *added = NULL;
static int sn_cmp(const ASN1_OBJECT *const *a, const unsigned int *b)
{
return strcmp((*a)->sn, nid_objs[*b].sn);
}
IMPLEMENT_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, unsigned int, sn);
static int ln_cmp(const ASN1_OBJECT *const *a, const unsigned int *b)
{
return strcmp((*a)->ln, nid_objs[*b].ln);
}
IMPLEMENT_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, unsigned int, ln);
static unsigned long added_obj_hash(const ADDED_OBJ *ca)
{
const ASN1_OBJECT *a;
int i;
unsigned long ret = 0;
unsigned char *p;
a = ca->obj;
switch (ca->type) {
case ADDED_DATA:
ret = a->length << 20L;
p = (unsigned char *)a->data;
for (i = 0; i < a->length; i++)
ret ^= p[i] << ((i * 3) % 24);
break;
case ADDED_SNAME:
ret = OPENSSL_LH_strhash(a->sn);
break;
case ADDED_LNAME:
ret = OPENSSL_LH_strhash(a->ln);
break;
case ADDED_NID:
ret = a->nid;
break;
default:
/* abort(); */
return 0;
}
ret &= 0x3fffffffL;
ret |= ((unsigned long)ca->type) << 30L;
return ret;
}
static int added_obj_cmp(const ADDED_OBJ *ca, const ADDED_OBJ *cb)
{
ASN1_OBJECT *a, *b;
int i;
i = ca->type - cb->type;
if (i)
return i;
a = ca->obj;
b = cb->obj;
switch (ca->type) {
case ADDED_DATA:
i = (a->length - b->length);
if (i)
return i;
return memcmp(a->data, b->data, (size_t)a->length);
case ADDED_SNAME:
if (a->sn == NULL)
return -1;
else if (b->sn == NULL)
return 1;
else
return strcmp(a->sn, b->sn);
case ADDED_LNAME:
if (a->ln == NULL)
return -1;
else if (b->ln == NULL)
return 1;
else
return strcmp(a->ln, b->ln);
case ADDED_NID:
return a->nid - b->nid;
default:
/* abort(); */
return 0;
}
}
static int init_added(void)
{
if (added != NULL)
return 1;
added = lh_ADDED_OBJ_new(added_obj_hash, added_obj_cmp);
return added != NULL;
}
static void cleanup1_doall(ADDED_OBJ *a)
{
a->obj->nid = 0;
a->obj->flags |= ASN1_OBJECT_FLAG_DYNAMIC |
ASN1_OBJECT_FLAG_DYNAMIC_STRINGS | ASN1_OBJECT_FLAG_DYNAMIC_DATA;
}
static void cleanup2_doall(ADDED_OBJ *a)
{
a->obj->nid++;
}
static void cleanup3_doall(ADDED_OBJ *a)
{
if (--a->obj->nid == 0)
ASN1_OBJECT_free(a->obj);
OPENSSL_free(a);
}
void obj_cleanup_int(void)
{
if (added == NULL)
return;
lh_ADDED_OBJ_set_down_load(added, 0);
lh_ADDED_OBJ_doall(added, cleanup1_doall); /* zero counters */
lh_ADDED_OBJ_doall(added, cleanup2_doall); /* set counters */
lh_ADDED_OBJ_doall(added, cleanup3_doall); /* free objects */
lh_ADDED_OBJ_free(added);
added = NULL;
}
int OBJ_new_nid(int num)
{
int i;
i = new_nid;
new_nid += num;
return i;
}
int OBJ_add_object(const ASN1_OBJECT *obj)
{
ASN1_OBJECT *o;
ADDED_OBJ *ao[4] = { NULL, NULL, NULL, NULL }, *aop;
int i;
if (added == NULL)
if (!init_added())
return 0;
if ((o = OBJ_dup(obj)) == NULL)
goto err;
if ((ao[ADDED_NID] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
goto err2;
if ((o->length != 0) && (obj->data != NULL))
if ((ao[ADDED_DATA] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
goto err2;
if (o->sn != NULL)
if ((ao[ADDED_SNAME] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
goto err2;
if (o->ln != NULL)
if ((ao[ADDED_LNAME] = OPENSSL_malloc(sizeof(*ao[0]))) == NULL)
goto err2;
for (i = ADDED_DATA; i <= ADDED_NID; i++) {
if (ao[i] != NULL) {
ao[i]->type = i;
ao[i]->obj = o;
aop = lh_ADDED_OBJ_insert(added, ao[i]);
/* memory leak, but should not normally matter */
OPENSSL_free(aop);
}
}
o->flags &=
~(ASN1_OBJECT_FLAG_DYNAMIC | ASN1_OBJECT_FLAG_DYNAMIC_STRINGS |
ASN1_OBJECT_FLAG_DYNAMIC_DATA);
return o->nid;
err2:
OBJerr(OBJ_F_OBJ_ADD_OBJECT, ERR_R_MALLOC_FAILURE);
err:
for (i = ADDED_DATA; i <= ADDED_NID; i++)
OPENSSL_free(ao[i]);
ASN1_OBJECT_free(o);
return NID_undef;
}
ASN1_OBJECT *OBJ_nid2obj(int n)
{
ADDED_OBJ ad, *adp;
ASN1_OBJECT ob;
if ((n >= 0) && (n < NUM_NID)) {
if ((n != NID_undef) && (nid_objs[n].nid == NID_undef)) {
OBJerr(OBJ_F_OBJ_NID2OBJ, OBJ_R_UNKNOWN_NID);
return NULL;
}
return (ASN1_OBJECT *)&(nid_objs[n]);
- } else if (added == NULL)
+ } else if (added == NULL) {
+ OBJerr(OBJ_F_OBJ_NID2OBJ, OBJ_R_UNKNOWN_NID);
return NULL;
- else {
+ } else {
ad.type = ADDED_NID;
ad.obj = &ob;
ob.nid = n;
adp = lh_ADDED_OBJ_retrieve(added, &ad);
if (adp != NULL)
return adp->obj;
else {
OBJerr(OBJ_F_OBJ_NID2OBJ, OBJ_R_UNKNOWN_NID);
return NULL;
}
}
}
const char *OBJ_nid2sn(int n)
{
ADDED_OBJ ad, *adp;
ASN1_OBJECT ob;
if ((n >= 0) && (n < NUM_NID)) {
if ((n != NID_undef) && (nid_objs[n].nid == NID_undef)) {
OBJerr(OBJ_F_OBJ_NID2SN, OBJ_R_UNKNOWN_NID);
return NULL;
}
return nid_objs[n].sn;
} else if (added == NULL)
return NULL;
else {
ad.type = ADDED_NID;
ad.obj = &ob;
ob.nid = n;
adp = lh_ADDED_OBJ_retrieve(added, &ad);
if (adp != NULL)
return adp->obj->sn;
else {
OBJerr(OBJ_F_OBJ_NID2SN, OBJ_R_UNKNOWN_NID);
return NULL;
}
}
}
const char *OBJ_nid2ln(int n)
{
ADDED_OBJ ad, *adp;
ASN1_OBJECT ob;
if ((n >= 0) && (n < NUM_NID)) {
if ((n != NID_undef) && (nid_objs[n].nid == NID_undef)) {
OBJerr(OBJ_F_OBJ_NID2LN, OBJ_R_UNKNOWN_NID);
return NULL;
}
return nid_objs[n].ln;
} else if (added == NULL)
return NULL;
else {
ad.type = ADDED_NID;
ad.obj = &ob;
ob.nid = n;
adp = lh_ADDED_OBJ_retrieve(added, &ad);
if (adp != NULL)
return adp->obj->ln;
else {
OBJerr(OBJ_F_OBJ_NID2LN, OBJ_R_UNKNOWN_NID);
return NULL;
}
}
}
static int obj_cmp(const ASN1_OBJECT *const *ap, const unsigned int *bp)
{
int j;
const ASN1_OBJECT *a = *ap;
const ASN1_OBJECT *b = &nid_objs[*bp];
j = (a->length - b->length);
if (j)
return j;
if (a->length == 0)
return 0;
return memcmp(a->data, b->data, a->length);
}
IMPLEMENT_OBJ_BSEARCH_CMP_FN(const ASN1_OBJECT *, unsigned int, obj);
int OBJ_obj2nid(const ASN1_OBJECT *a)
{
const unsigned int *op;
ADDED_OBJ ad, *adp;
if (a == NULL)
return NID_undef;
if (a->nid != 0)
return a->nid;
if (a->length == 0)
return NID_undef;
if (added != NULL) {
ad.type = ADDED_DATA;
ad.obj = (ASN1_OBJECT *)a; /* XXX: ugly but harmless */
adp = lh_ADDED_OBJ_retrieve(added, &ad);
if (adp != NULL)
return adp->obj->nid;
}
op = OBJ_bsearch_obj(&a, obj_objs, NUM_OBJ);
if (op == NULL)
return NID_undef;
return nid_objs[*op].nid;
}
/*
* Convert an object name into an ASN1_OBJECT if "noname" is not set then
* search for short and long names first. This will convert the "dotted" form
* into an object: unlike OBJ_txt2nid it can be used with any objects, not
* just registered ones.
*/
ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name)
{
int nid = NID_undef;
ASN1_OBJECT *op;
unsigned char *buf;
unsigned char *p;
const unsigned char *cp;
int i, j;
if (!no_name) {
if (((nid = OBJ_sn2nid(s)) != NID_undef) ||
((nid = OBJ_ln2nid(s)) != NID_undef))
return OBJ_nid2obj(nid);
}
/* Work out size of content octets */
i = a2d_ASN1_OBJECT(NULL, 0, s, -1);
if (i <= 0) {
/* Don't clear the error */
/*
* ERR_clear_error();
*/
return NULL;
}
/* Work out total size */
j = ASN1_object_size(0, i, V_ASN1_OBJECT);
if (j < 0)
return NULL;
if ((buf = OPENSSL_malloc(j)) == NULL) {
OBJerr(OBJ_F_OBJ_TXT2OBJ, ERR_R_MALLOC_FAILURE);
return NULL;
}
p = buf;
/* Write out tag+length */
ASN1_put_object(&p, 0, i, V_ASN1_OBJECT, V_ASN1_UNIVERSAL);
/* Write out contents */
a2d_ASN1_OBJECT(p, i, s, -1);
cp = buf;
op = d2i_ASN1_OBJECT(NULL, &cp, j);
OPENSSL_free(buf);
return op;
}
int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
{
int i, n = 0, len, nid, first, use_bn;
BIGNUM *bl;
unsigned long l;
const unsigned char *p;
char tbuf[DECIMAL_SIZE(i) + DECIMAL_SIZE(l) + 2];
/* Ensure that, at every state, |buf| is NUL-terminated. */
if (buf && buf_len > 0)
buf[0] = '\0';
if ((a == NULL) || (a->data == NULL))
return 0;
if (!no_name && (nid = OBJ_obj2nid(a)) != NID_undef) {
const char *s;
s = OBJ_nid2ln(nid);
if (s == NULL)
s = OBJ_nid2sn(nid);
if (s) {
if (buf)
OPENSSL_strlcpy(buf, s, buf_len);
n = strlen(s);
return n;
}
}
len = a->length;
p = a->data;
first = 1;
bl = NULL;
while (len > 0) {
l = 0;
use_bn = 0;
for (;;) {
unsigned char c = *p++;
len--;
if ((len == 0) && (c & 0x80))
goto err;
if (use_bn) {
if (!BN_add_word(bl, c & 0x7f))
goto err;
} else
l |= c & 0x7f;
if (!(c & 0x80))
break;
if (!use_bn && (l > (ULONG_MAX >> 7L))) {
if (bl == NULL && (bl = BN_new()) == NULL)
goto err;
if (!BN_set_word(bl, l))
goto err;
use_bn = 1;
}
if (use_bn) {
if (!BN_lshift(bl, bl, 7))
goto err;
} else
l <<= 7L;
}
if (first) {
first = 0;
if (l >= 80) {
i = 2;
if (use_bn) {
if (!BN_sub_word(bl, 80))
goto err;
} else
l -= 80;
} else {
i = (int)(l / 40);
l -= (long)(i * 40);
}
if (buf && (buf_len > 1)) {
*buf++ = i + '0';
*buf = '\0';
buf_len--;
}
n++;
}
if (use_bn) {
char *bndec;
bndec = BN_bn2dec(bl);
if (!bndec)
goto err;
i = strlen(bndec);
if (buf) {
if (buf_len > 1) {
*buf++ = '.';
*buf = '\0';
buf_len--;
}
OPENSSL_strlcpy(buf, bndec, buf_len);
if (i > buf_len) {
buf += buf_len;
buf_len = 0;
} else {
buf += i;
buf_len -= i;
}
}
n++;
n += i;
OPENSSL_free(bndec);
} else {
BIO_snprintf(tbuf, sizeof(tbuf), ".%lu", l);
i = strlen(tbuf);
if (buf && (buf_len > 0)) {
OPENSSL_strlcpy(buf, tbuf, buf_len);
if (i > buf_len) {
buf += buf_len;
buf_len = 0;
} else {
buf += i;
buf_len -= i;
}
}
n += i;
l = 0;
}
}
BN_free(bl);
return n;
err:
BN_free(bl);
return -1;
}
int OBJ_txt2nid(const char *s)
{
ASN1_OBJECT *obj;
int nid;
obj = OBJ_txt2obj(s, 0);
nid = OBJ_obj2nid(obj);
ASN1_OBJECT_free(obj);
return nid;
}
int OBJ_ln2nid(const char *s)
{
ASN1_OBJECT o;
const ASN1_OBJECT *oo = &o;
ADDED_OBJ ad, *adp;
const unsigned int *op;
o.ln = s;
if (added != NULL) {
ad.type = ADDED_LNAME;
ad.obj = &o;
adp = lh_ADDED_OBJ_retrieve(added, &ad);
if (adp != NULL)
return adp->obj->nid;
}
op = OBJ_bsearch_ln(&oo, ln_objs, NUM_LN);
if (op == NULL)
return NID_undef;
return nid_objs[*op].nid;
}
int OBJ_sn2nid(const char *s)
{
ASN1_OBJECT o;
const ASN1_OBJECT *oo = &o;
ADDED_OBJ ad, *adp;
const unsigned int *op;
o.sn = s;
if (added != NULL) {
ad.type = ADDED_SNAME;
ad.obj = &o;
adp = lh_ADDED_OBJ_retrieve(added, &ad);
if (adp != NULL)
return adp->obj->nid;
}
op = OBJ_bsearch_sn(&oo, sn_objs, NUM_SN);
if (op == NULL)
return NID_undef;
return nid_objs[*op].nid;
}
const void *OBJ_bsearch_(const void *key, const void *base, int num, int size,
int (*cmp) (const void *, const void *))
{
return OBJ_bsearch_ex_(key, base, num, size, cmp, 0);
}
const void *OBJ_bsearch_ex_(const void *key, const void *base_, int num,
int size,
int (*cmp) (const void *, const void *),
int flags)
{
const char *base = base_;
int l, h, i = 0, c = 0;
const char *p = NULL;
if (num == 0)
return NULL;
l = 0;
h = num;
while (l < h) {
i = (l + h) / 2;
p = &(base[i * size]);
c = (*cmp) (key, p);
if (c < 0)
h = i;
else if (c > 0)
l = i + 1;
else
break;
}
#ifdef CHARSET_EBCDIC
/*
* THIS IS A KLUDGE - Because the *_obj is sorted in ASCII order, and I
* don't have perl (yet), we revert to a *LINEAR* search when the object
* wasn't found in the binary search.
*/
if (c != 0) {
for (i = 0; i < num; ++i) {
p = &(base[i * size]);
c = (*cmp) (key, p);
if (c == 0 || (c < 0 && (flags & OBJ_BSEARCH_VALUE_ON_NOMATCH)))
return p;
}
}
#endif
if (c != 0 && !(flags & OBJ_BSEARCH_VALUE_ON_NOMATCH))
p = NULL;
else if (c == 0 && (flags & OBJ_BSEARCH_FIRST_VALUE_ON_MATCH)) {
while (i > 0 && (*cmp) (key, &(base[(i - 1) * size])) == 0)
i--;
p = &(base[i * size]);
}
return p;
}
/*
* Parse a BIO sink to create some extra oid's objects.
* Line format:<OID:isdigit or '.']><isspace><SN><isspace><LN>
*/
int OBJ_create_objects(BIO *in)
{
char buf[512];
int i, num = 0;
char *o, *s, *l = NULL;
for (;;) {
s = o = NULL;
i = BIO_gets(in, buf, 512);
if (i <= 0)
return num;
buf[i - 1] = '\0';
if (!ossl_isalnum(buf[0]))
return num;
o = s = buf;
while (ossl_isdigit(*s) || *s == '.')
s++;
if (*s != '\0') {
*(s++) = '\0';
while (ossl_isspace(*s))
s++;
if (*s == '\0') {
s = NULL;
} else {
l = s;
while (*l != '\0' && !ossl_isspace(*l))
l++;
if (*l != '\0') {
*(l++) = '\0';
while (ossl_isspace(*l))
l++;
if (*l == '\0') {
l = NULL;
}
} else {
l = NULL;
}
}
} else {
s = NULL;
}
if (*o == '\0')
return num;
if (!OBJ_create(o, s, l))
return num;
num++;
}
}
int OBJ_create(const char *oid, const char *sn, const char *ln)
{
ASN1_OBJECT *tmpoid = NULL;
int ok = 0;
/* Check to see if short or long name already present */
if ((sn != NULL && OBJ_sn2nid(sn) != NID_undef)
|| (ln != NULL && OBJ_ln2nid(ln) != NID_undef)) {
OBJerr(OBJ_F_OBJ_CREATE, OBJ_R_OID_EXISTS);
return 0;
}
/* Convert numerical OID string to an ASN1_OBJECT structure */
tmpoid = OBJ_txt2obj(oid, 1);
if (tmpoid == NULL)
return 0;
/* If NID is not NID_undef then object already exists */
if (OBJ_obj2nid(tmpoid) != NID_undef) {
OBJerr(OBJ_F_OBJ_CREATE, OBJ_R_OID_EXISTS);
goto err;
}
tmpoid->nid = OBJ_new_nid(1);
tmpoid->sn = (char *)sn;
tmpoid->ln = (char *)ln;
ok = OBJ_add_object(tmpoid);
tmpoid->sn = NULL;
tmpoid->ln = NULL;
err:
ASN1_OBJECT_free(tmpoid);
return ok;
}
size_t OBJ_length(const ASN1_OBJECT *obj)
{
if (obj == NULL)
return 0;
return obj->length;
}
const unsigned char *OBJ_get0_data(const ASN1_OBJECT *obj)
{
if (obj == NULL)
return NULL;
return obj->data;
}
diff --git a/crypto/openssl/crypto/objects/obj_dat.h b/crypto/openssl/crypto/objects/obj_dat.h
index 24b49a2df258..63bf69e4437d 100644
--- a/crypto/openssl/crypto/objects/obj_dat.h
+++ b/crypto/openssl/crypto/objects/obj_dat.h
@@ -1,5733 +1,5733 @@
/*
* WARNING: do not edit!
* Generated by crypto/objects/obj_dat.pl
*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
/* Serialized OID's */
static const unsigned char so[7762] = {
0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 0] OBJ_rsadsi */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 6] OBJ_pkcs */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02, /* [ 13] OBJ_md2 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x05, /* [ 21] OBJ_md5 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x04, /* [ 29] OBJ_rc4 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x01, /* [ 37] OBJ_rsaEncryption */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x02, /* [ 46] OBJ_md2WithRSAEncryption */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x04, /* [ 55] OBJ_md5WithRSAEncryption */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x01, /* [ 64] OBJ_pbeWithMD2AndDES_CBC */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x03, /* [ 73] OBJ_pbeWithMD5AndDES_CBC */
0x55, /* [ 82] OBJ_X500 */
0x55,0x04, /* [ 83] OBJ_X509 */
0x55,0x04,0x03, /* [ 85] OBJ_commonName */
0x55,0x04,0x06, /* [ 88] OBJ_countryName */
0x55,0x04,0x07, /* [ 91] OBJ_localityName */
0x55,0x04,0x08, /* [ 94] OBJ_stateOrProvinceName */
0x55,0x04,0x0A, /* [ 97] OBJ_organizationName */
0x55,0x04,0x0B, /* [ 100] OBJ_organizationalUnitName */
0x55,0x08,0x01,0x01, /* [ 103] OBJ_rsa */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07, /* [ 107] OBJ_pkcs7 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x01, /* [ 115] OBJ_pkcs7_data */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x02, /* [ 124] OBJ_pkcs7_signed */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x03, /* [ 133] OBJ_pkcs7_enveloped */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x04, /* [ 142] OBJ_pkcs7_signedAndEnveloped */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x05, /* [ 151] OBJ_pkcs7_digest */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x06, /* [ 160] OBJ_pkcs7_encrypted */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x03, /* [ 169] OBJ_pkcs3 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x03,0x01, /* [ 177] OBJ_dhKeyAgreement */
0x2B,0x0E,0x03,0x02,0x06, /* [ 186] OBJ_des_ecb */
0x2B,0x0E,0x03,0x02,0x09, /* [ 191] OBJ_des_cfb64 */
0x2B,0x0E,0x03,0x02,0x07, /* [ 196] OBJ_des_cbc */
0x2B,0x0E,0x03,0x02,0x11, /* [ 201] OBJ_des_ede_ecb */
0x2B,0x06,0x01,0x04,0x01,0x81,0x3C,0x07,0x01,0x01,0x02, /* [ 206] OBJ_idea_cbc */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x02, /* [ 217] OBJ_rc2_cbc */
0x2B,0x0E,0x03,0x02,0x12, /* [ 225] OBJ_sha */
0x2B,0x0E,0x03,0x02,0x0F, /* [ 230] OBJ_shaWithRSAEncryption */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x07, /* [ 235] OBJ_des_ede3_cbc */
0x2B,0x0E,0x03,0x02,0x08, /* [ 243] OBJ_des_ofb64 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09, /* [ 248] OBJ_pkcs9 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x01, /* [ 256] OBJ_pkcs9_emailAddress */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x02, /* [ 265] OBJ_pkcs9_unstructuredName */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x03, /* [ 274] OBJ_pkcs9_contentType */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x04, /* [ 283] OBJ_pkcs9_messageDigest */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x05, /* [ 292] OBJ_pkcs9_signingTime */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x06, /* [ 301] OBJ_pkcs9_countersignature */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x07, /* [ 310] OBJ_pkcs9_challengePassword */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x08, /* [ 319] OBJ_pkcs9_unstructuredAddress */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x09, /* [ 328] OBJ_pkcs9_extCertAttributes */
0x60,0x86,0x48,0x01,0x86,0xF8,0x42, /* [ 337] OBJ_netscape */
0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01, /* [ 344] OBJ_netscape_cert_extension */
0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x02, /* [ 352] OBJ_netscape_data_type */
0x2B,0x0E,0x03,0x02,0x1A, /* [ 360] OBJ_sha1 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05, /* [ 365] OBJ_sha1WithRSAEncryption */
0x2B,0x0E,0x03,0x02,0x0D, /* [ 374] OBJ_dsaWithSHA */
0x2B,0x0E,0x03,0x02,0x0C, /* [ 379] OBJ_dsa_2 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0B, /* [ 384] OBJ_pbeWithSHA1AndRC2_CBC */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0C, /* [ 393] OBJ_id_pbkdf2 */
0x2B,0x0E,0x03,0x02,0x1B, /* [ 402] OBJ_dsaWithSHA1_2 */
0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x01, /* [ 407] OBJ_netscape_cert_type */
0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x02, /* [ 416] OBJ_netscape_base_url */
0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x03, /* [ 425] OBJ_netscape_revocation_url */
0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x04, /* [ 434] OBJ_netscape_ca_revocation_url */
0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x07, /* [ 443] OBJ_netscape_renewal_url */
0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x08, /* [ 452] OBJ_netscape_ca_policy_url */
0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x0C, /* [ 461] OBJ_netscape_ssl_server_name */
0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x01,0x0D, /* [ 470] OBJ_netscape_comment */
0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x02,0x05, /* [ 479] OBJ_netscape_cert_sequence */
0x55,0x1D, /* [ 488] OBJ_id_ce */
0x55,0x1D,0x0E, /* [ 490] OBJ_subject_key_identifier */
0x55,0x1D,0x0F, /* [ 493] OBJ_key_usage */
0x55,0x1D,0x10, /* [ 496] OBJ_private_key_usage_period */
0x55,0x1D,0x11, /* [ 499] OBJ_subject_alt_name */
0x55,0x1D,0x12, /* [ 502] OBJ_issuer_alt_name */
0x55,0x1D,0x13, /* [ 505] OBJ_basic_constraints */
0x55,0x1D,0x14, /* [ 508] OBJ_crl_number */
0x55,0x1D,0x20, /* [ 511] OBJ_certificate_policies */
0x55,0x1D,0x23, /* [ 514] OBJ_authority_key_identifier */
0x2B,0x06,0x01,0x04,0x01,0x97,0x55,0x01,0x02, /* [ 517] OBJ_bf_cbc */
0x55,0x08,0x03,0x65, /* [ 526] OBJ_mdc2 */
0x55,0x08,0x03,0x64, /* [ 530] OBJ_mdc2WithRSA */
0x55,0x04,0x2A, /* [ 534] OBJ_givenName */
0x55,0x04,0x04, /* [ 537] OBJ_surname */
0x55,0x04,0x2B, /* [ 540] OBJ_initials */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2C, /* [ 543] OBJ_uniqueIdentifier */
0x55,0x1D,0x1F, /* [ 553] OBJ_crl_distribution_points */
0x2B,0x0E,0x03,0x02,0x03, /* [ 556] OBJ_md5WithRSA */
0x55,0x04,0x05, /* [ 561] OBJ_serialNumber */
0x55,0x04,0x0C, /* [ 564] OBJ_title */
0x55,0x04,0x0D, /* [ 567] OBJ_description */
0x2A,0x86,0x48,0x86,0xF6,0x7D,0x07,0x42,0x0A, /* [ 570] OBJ_cast5_cbc */
0x2A,0x86,0x48,0x86,0xF6,0x7D,0x07,0x42,0x0C, /* [ 579] OBJ_pbeWithMD5AndCast5_CBC */
0x2A,0x86,0x48,0xCE,0x38,0x04,0x03, /* [ 588] OBJ_dsaWithSHA1 */
0x2B,0x0E,0x03,0x02,0x1D, /* [ 595] OBJ_sha1WithRSA */
0x2A,0x86,0x48,0xCE,0x38,0x04,0x01, /* [ 600] OBJ_dsa */
0x2B,0x24,0x03,0x02,0x01, /* [ 607] OBJ_ripemd160 */
0x2B,0x24,0x03,0x03,0x01,0x02, /* [ 612] OBJ_ripemd160WithRSA */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x08, /* [ 618] OBJ_rc5_cbc */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x08, /* [ 626] OBJ_zlib_compression */
0x55,0x1D,0x25, /* [ 637] OBJ_ext_key_usage */
0x2B,0x06,0x01,0x05,0x05,0x07, /* [ 640] OBJ_id_pkix */
0x2B,0x06,0x01,0x05,0x05,0x07,0x03, /* [ 646] OBJ_id_kp */
0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01, /* [ 653] OBJ_server_auth */
0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02, /* [ 661] OBJ_client_auth */
0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x03, /* [ 669] OBJ_code_sign */
0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x04, /* [ 677] OBJ_email_protect */
0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x08, /* [ 685] OBJ_time_stamp */
0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x15, /* [ 693] OBJ_ms_code_ind */
0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x16, /* [ 703] OBJ_ms_code_com */
0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x01, /* [ 713] OBJ_ms_ctl_sign */
0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x03, /* [ 723] OBJ_ms_sgc */
0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x04, /* [ 733] OBJ_ms_efs */
0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x04,0x01, /* [ 743] OBJ_ns_sgc */
0x55,0x1D,0x1B, /* [ 752] OBJ_delta_crl */
0x55,0x1D,0x15, /* [ 755] OBJ_crl_reason */
0x55,0x1D,0x18, /* [ 758] OBJ_invalidity_date */
0x2B,0x65,0x01,0x04,0x01, /* [ 761] OBJ_sxnet */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x01, /* [ 766] OBJ_pbe_WithSHA1And128BitRC4 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x02, /* [ 776] OBJ_pbe_WithSHA1And40BitRC4 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x03, /* [ 786] OBJ_pbe_WithSHA1And3_Key_TripleDES_CBC */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x04, /* [ 796] OBJ_pbe_WithSHA1And2_Key_TripleDES_CBC */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x05, /* [ 806] OBJ_pbe_WithSHA1And128BitRC2_CBC */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x06, /* [ 816] OBJ_pbe_WithSHA1And40BitRC2_CBC */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x01, /* [ 826] OBJ_keyBag */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x02, /* [ 837] OBJ_pkcs8ShroudedKeyBag */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x03, /* [ 848] OBJ_certBag */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x04, /* [ 859] OBJ_crlBag */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x05, /* [ 870] OBJ_secretBag */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x0A,0x01,0x06, /* [ 881] OBJ_safeContentsBag */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x14, /* [ 892] OBJ_friendlyName */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x15, /* [ 901] OBJ_localKeyID */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x16,0x01, /* [ 910] OBJ_x509Certificate */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x16,0x02, /* [ 920] OBJ_sdsiCertificate */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x17,0x01, /* [ 930] OBJ_x509Crl */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0D, /* [ 940] OBJ_pbes2 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0E, /* [ 949] OBJ_pbmac1 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x07, /* [ 958] OBJ_hmacWithSHA1 */
0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01, /* [ 966] OBJ_id_qt_cps */
0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x02, /* [ 974] OBJ_id_qt_unotice */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x0F, /* [ 982] OBJ_SMIMECapabilities */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x04, /* [ 991] OBJ_pbeWithMD2AndRC2_CBC */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x06, /* [ 1000] OBJ_pbeWithMD5AndRC2_CBC */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0A, /* [ 1009] OBJ_pbeWithSHA1AndDES_CBC */
0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x01,0x0E, /* [ 1018] OBJ_ms_ext_req */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x0E, /* [ 1028] OBJ_ext_req */
0x55,0x04,0x29, /* [ 1037] OBJ_name */
0x55,0x04,0x2E, /* [ 1040] OBJ_dnQualifier */
0x2B,0x06,0x01,0x05,0x05,0x07,0x01, /* [ 1043] OBJ_id_pe */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30, /* [ 1050] OBJ_id_ad */
0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01, /* [ 1057] OBJ_info_access */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01, /* [ 1065] OBJ_ad_OCSP */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x02, /* [ 1073] OBJ_ad_ca_issuers */
0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x09, /* [ 1081] OBJ_OCSP_sign */
0x2A, /* [ 1089] OBJ_member_body */
0x2A,0x86,0x48, /* [ 1090] OBJ_ISO_US */
0x2A,0x86,0x48,0xCE,0x38, /* [ 1093] OBJ_X9_57 */
0x2A,0x86,0x48,0xCE,0x38,0x04, /* [ 1098] OBJ_X9cm */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01, /* [ 1104] OBJ_pkcs1 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05, /* [ 1112] OBJ_pkcs5 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10, /* [ 1120] OBJ_SMIME */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00, /* [ 1129] OBJ_id_smime_mod */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01, /* [ 1139] OBJ_id_smime_ct */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02, /* [ 1149] OBJ_id_smime_aa */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03, /* [ 1159] OBJ_id_smime_alg */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x04, /* [ 1169] OBJ_id_smime_cd */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x05, /* [ 1179] OBJ_id_smime_spq */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06, /* [ 1189] OBJ_id_smime_cti */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x01, /* [ 1199] OBJ_id_smime_mod_cms */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x02, /* [ 1210] OBJ_id_smime_mod_ess */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x03, /* [ 1221] OBJ_id_smime_mod_oid */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x04, /* [ 1232] OBJ_id_smime_mod_msg_v3 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x05, /* [ 1243] OBJ_id_smime_mod_ets_eSignature_88 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x06, /* [ 1254] OBJ_id_smime_mod_ets_eSignature_97 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x07, /* [ 1265] OBJ_id_smime_mod_ets_eSigPolicy_88 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x00,0x08, /* [ 1276] OBJ_id_smime_mod_ets_eSigPolicy_97 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x01, /* [ 1287] OBJ_id_smime_ct_receipt */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x02, /* [ 1298] OBJ_id_smime_ct_authData */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x03, /* [ 1309] OBJ_id_smime_ct_publishCert */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x04, /* [ 1320] OBJ_id_smime_ct_TSTInfo */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x05, /* [ 1331] OBJ_id_smime_ct_TDTInfo */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x06, /* [ 1342] OBJ_id_smime_ct_contentInfo */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x07, /* [ 1353] OBJ_id_smime_ct_DVCSRequestData */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x08, /* [ 1364] OBJ_id_smime_ct_DVCSResponseData */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x01, /* [ 1375] OBJ_id_smime_aa_receiptRequest */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x02, /* [ 1386] OBJ_id_smime_aa_securityLabel */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x03, /* [ 1397] OBJ_id_smime_aa_mlExpandHistory */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x04, /* [ 1408] OBJ_id_smime_aa_contentHint */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x05, /* [ 1419] OBJ_id_smime_aa_msgSigDigest */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x06, /* [ 1430] OBJ_id_smime_aa_encapContentType */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x07, /* [ 1441] OBJ_id_smime_aa_contentIdentifier */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x08, /* [ 1452] OBJ_id_smime_aa_macValue */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x09, /* [ 1463] OBJ_id_smime_aa_equivalentLabels */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0A, /* [ 1474] OBJ_id_smime_aa_contentReference */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0B, /* [ 1485] OBJ_id_smime_aa_encrypKeyPref */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0C, /* [ 1496] OBJ_id_smime_aa_signingCertificate */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0D, /* [ 1507] OBJ_id_smime_aa_smimeEncryptCerts */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0E, /* [ 1518] OBJ_id_smime_aa_timeStampToken */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0F, /* [ 1529] OBJ_id_smime_aa_ets_sigPolicyId */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x10, /* [ 1540] OBJ_id_smime_aa_ets_commitmentType */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x11, /* [ 1551] OBJ_id_smime_aa_ets_signerLocation */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x12, /* [ 1562] OBJ_id_smime_aa_ets_signerAttr */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x13, /* [ 1573] OBJ_id_smime_aa_ets_otherSigCert */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x14, /* [ 1584] OBJ_id_smime_aa_ets_contentTimestamp */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x15, /* [ 1595] OBJ_id_smime_aa_ets_CertificateRefs */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x16, /* [ 1606] OBJ_id_smime_aa_ets_RevocationRefs */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x17, /* [ 1617] OBJ_id_smime_aa_ets_certValues */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x18, /* [ 1628] OBJ_id_smime_aa_ets_revocationValues */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x19, /* [ 1639] OBJ_id_smime_aa_ets_escTimeStamp */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1A, /* [ 1650] OBJ_id_smime_aa_ets_certCRLTimestamp */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1B, /* [ 1661] OBJ_id_smime_aa_ets_archiveTimeStamp */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1C, /* [ 1672] OBJ_id_smime_aa_signatureType */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1D, /* [ 1683] OBJ_id_smime_aa_dvcs_dvc */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x01, /* [ 1694] OBJ_id_smime_alg_ESDHwith3DES */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x02, /* [ 1705] OBJ_id_smime_alg_ESDHwithRC2 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x03, /* [ 1716] OBJ_id_smime_alg_3DESwrap */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x04, /* [ 1727] OBJ_id_smime_alg_RC2wrap */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x05, /* [ 1738] OBJ_id_smime_alg_ESDH */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x06, /* [ 1749] OBJ_id_smime_alg_CMS3DESwrap */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x07, /* [ 1760] OBJ_id_smime_alg_CMSRC2wrap */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x04,0x01, /* [ 1771] OBJ_id_smime_cd_ldap */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x05,0x01, /* [ 1782] OBJ_id_smime_spq_ets_sqt_uri */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x05,0x02, /* [ 1793] OBJ_id_smime_spq_ets_sqt_unotice */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x01, /* [ 1804] OBJ_id_smime_cti_ets_proofOfOrigin */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x02, /* [ 1815] OBJ_id_smime_cti_ets_proofOfReceipt */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x03, /* [ 1826] OBJ_id_smime_cti_ets_proofOfDelivery */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x04, /* [ 1837] OBJ_id_smime_cti_ets_proofOfSender */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x05, /* [ 1848] OBJ_id_smime_cti_ets_proofOfApproval */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x06,0x06, /* [ 1859] OBJ_id_smime_cti_ets_proofOfCreation */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x04, /* [ 1870] OBJ_md4 */
0x2B,0x06,0x01,0x05,0x05,0x07,0x00, /* [ 1878] OBJ_id_pkix_mod */
0x2B,0x06,0x01,0x05,0x05,0x07,0x02, /* [ 1885] OBJ_id_qt */
0x2B,0x06,0x01,0x05,0x05,0x07,0x04, /* [ 1892] OBJ_id_it */
0x2B,0x06,0x01,0x05,0x05,0x07,0x05, /* [ 1899] OBJ_id_pkip */
0x2B,0x06,0x01,0x05,0x05,0x07,0x06, /* [ 1906] OBJ_id_alg */
0x2B,0x06,0x01,0x05,0x05,0x07,0x07, /* [ 1913] OBJ_id_cmc */
0x2B,0x06,0x01,0x05,0x05,0x07,0x08, /* [ 1920] OBJ_id_on */
0x2B,0x06,0x01,0x05,0x05,0x07,0x09, /* [ 1927] OBJ_id_pda */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0A, /* [ 1934] OBJ_id_aca */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0B, /* [ 1941] OBJ_id_qcs */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0C, /* [ 1948] OBJ_id_cct */
0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x01, /* [ 1955] OBJ_id_pkix1_explicit_88 */
0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x02, /* [ 1963] OBJ_id_pkix1_implicit_88 */
0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x03, /* [ 1971] OBJ_id_pkix1_explicit_93 */
0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x04, /* [ 1979] OBJ_id_pkix1_implicit_93 */
0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x05, /* [ 1987] OBJ_id_mod_crmf */
0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x06, /* [ 1995] OBJ_id_mod_cmc */
0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x07, /* [ 2003] OBJ_id_mod_kea_profile_88 */
0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x08, /* [ 2011] OBJ_id_mod_kea_profile_93 */
0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x09, /* [ 2019] OBJ_id_mod_cmp */
0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0A, /* [ 2027] OBJ_id_mod_qualified_cert_88 */
0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0B, /* [ 2035] OBJ_id_mod_qualified_cert_93 */
0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0C, /* [ 2043] OBJ_id_mod_attribute_cert */
0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0D, /* [ 2051] OBJ_id_mod_timestamp_protocol */
0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0E, /* [ 2059] OBJ_id_mod_ocsp */
0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x0F, /* [ 2067] OBJ_id_mod_dvcs */
0x2B,0x06,0x01,0x05,0x05,0x07,0x00,0x10, /* [ 2075] OBJ_id_mod_cmp2000 */
0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x02, /* [ 2083] OBJ_biometricInfo */
0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x03, /* [ 2091] OBJ_qcStatements */
0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x04, /* [ 2099] OBJ_ac_auditEntity */
0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x05, /* [ 2107] OBJ_ac_targeting */
0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x06, /* [ 2115] OBJ_aaControls */
0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x07, /* [ 2123] OBJ_sbgp_ipAddrBlock */
0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x08, /* [ 2131] OBJ_sbgp_autonomousSysNum */
0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x09, /* [ 2139] OBJ_sbgp_routerIdentifier */
0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x03, /* [ 2147] OBJ_textNotice */
0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x05, /* [ 2155] OBJ_ipsecEndSystem */
0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x06, /* [ 2163] OBJ_ipsecTunnel */
0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x07, /* [ 2171] OBJ_ipsecUser */
0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x0A, /* [ 2179] OBJ_dvcs */
0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x01, /* [ 2187] OBJ_id_it_caProtEncCert */
0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x02, /* [ 2195] OBJ_id_it_signKeyPairTypes */
0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x03, /* [ 2203] OBJ_id_it_encKeyPairTypes */
0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x04, /* [ 2211] OBJ_id_it_preferredSymmAlg */
0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x05, /* [ 2219] OBJ_id_it_caKeyUpdateInfo */
0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x06, /* [ 2227] OBJ_id_it_currentCRL */
0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x07, /* [ 2235] OBJ_id_it_unsupportedOIDs */
0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x08, /* [ 2243] OBJ_id_it_subscriptionRequest */
0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x09, /* [ 2251] OBJ_id_it_subscriptionResponse */
0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0A, /* [ 2259] OBJ_id_it_keyPairParamReq */
0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0B, /* [ 2267] OBJ_id_it_keyPairParamRep */
0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0C, /* [ 2275] OBJ_id_it_revPassphrase */
0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0D, /* [ 2283] OBJ_id_it_implicitConfirm */
0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0E, /* [ 2291] OBJ_id_it_confirmWaitTime */
0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x0F, /* [ 2299] OBJ_id_it_origPKIMessage */
0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01, /* [ 2307] OBJ_id_regCtrl */
0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x02, /* [ 2315] OBJ_id_regInfo */
0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x01, /* [ 2323] OBJ_id_regCtrl_regToken */
0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x02, /* [ 2332] OBJ_id_regCtrl_authenticator */
0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x03, /* [ 2341] OBJ_id_regCtrl_pkiPublicationInfo */
0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x04, /* [ 2350] OBJ_id_regCtrl_pkiArchiveOptions */
0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x05, /* [ 2359] OBJ_id_regCtrl_oldCertID */
0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x01,0x06, /* [ 2368] OBJ_id_regCtrl_protocolEncrKey */
0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x02,0x01, /* [ 2377] OBJ_id_regInfo_utf8Pairs */
0x2B,0x06,0x01,0x05,0x05,0x07,0x05,0x02,0x02, /* [ 2386] OBJ_id_regInfo_certReq */
0x2B,0x06,0x01,0x05,0x05,0x07,0x06,0x01, /* [ 2395] OBJ_id_alg_des40 */
0x2B,0x06,0x01,0x05,0x05,0x07,0x06,0x02, /* [ 2403] OBJ_id_alg_noSignature */
0x2B,0x06,0x01,0x05,0x05,0x07,0x06,0x03, /* [ 2411] OBJ_id_alg_dh_sig_hmac_sha1 */
0x2B,0x06,0x01,0x05,0x05,0x07,0x06,0x04, /* [ 2419] OBJ_id_alg_dh_pop */
0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x01, /* [ 2427] OBJ_id_cmc_statusInfo */
0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x02, /* [ 2435] OBJ_id_cmc_identification */
0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x03, /* [ 2443] OBJ_id_cmc_identityProof */
0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x04, /* [ 2451] OBJ_id_cmc_dataReturn */
0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x05, /* [ 2459] OBJ_id_cmc_transactionId */
0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x06, /* [ 2467] OBJ_id_cmc_senderNonce */
0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x07, /* [ 2475] OBJ_id_cmc_recipientNonce */
0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x08, /* [ 2483] OBJ_id_cmc_addExtensions */
0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x09, /* [ 2491] OBJ_id_cmc_encryptedPOP */
0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x0A, /* [ 2499] OBJ_id_cmc_decryptedPOP */
0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x0B, /* [ 2507] OBJ_id_cmc_lraPOPWitness */
0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x0F, /* [ 2515] OBJ_id_cmc_getCert */
0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x10, /* [ 2523] OBJ_id_cmc_getCRL */
0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x11, /* [ 2531] OBJ_id_cmc_revokeRequest */
0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x12, /* [ 2539] OBJ_id_cmc_regInfo */
0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x13, /* [ 2547] OBJ_id_cmc_responseInfo */
0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x15, /* [ 2555] OBJ_id_cmc_queryPending */
0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x16, /* [ 2563] OBJ_id_cmc_popLinkRandom */
0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x17, /* [ 2571] OBJ_id_cmc_popLinkWitness */
0x2B,0x06,0x01,0x05,0x05,0x07,0x07,0x18, /* [ 2579] OBJ_id_cmc_confirmCertAcceptance */
0x2B,0x06,0x01,0x05,0x05,0x07,0x08,0x01, /* [ 2587] OBJ_id_on_personalData */
0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x01, /* [ 2595] OBJ_id_pda_dateOfBirth */
0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x02, /* [ 2603] OBJ_id_pda_placeOfBirth */
0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x03, /* [ 2611] OBJ_id_pda_gender */
0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x04, /* [ 2619] OBJ_id_pda_countryOfCitizenship */
0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x05, /* [ 2627] OBJ_id_pda_countryOfResidence */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x01, /* [ 2635] OBJ_id_aca_authenticationInfo */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x02, /* [ 2643] OBJ_id_aca_accessIdentity */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x03, /* [ 2651] OBJ_id_aca_chargingIdentity */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x04, /* [ 2659] OBJ_id_aca_group */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x05, /* [ 2667] OBJ_id_aca_role */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0B,0x01, /* [ 2675] OBJ_id_qcs_pkixQCSyntax_v1 */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,0x01, /* [ 2683] OBJ_id_cct_crs */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,0x02, /* [ 2691] OBJ_id_cct_PKIData */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,0x03, /* [ 2699] OBJ_id_cct_PKIResponse */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x03, /* [ 2707] OBJ_ad_timeStamping */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x04, /* [ 2715] OBJ_ad_dvcs */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x01, /* [ 2723] OBJ_id_pkix_OCSP_basic */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x02, /* [ 2732] OBJ_id_pkix_OCSP_Nonce */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x03, /* [ 2741] OBJ_id_pkix_OCSP_CrlID */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x04, /* [ 2750] OBJ_id_pkix_OCSP_acceptableResponses */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x05, /* [ 2759] OBJ_id_pkix_OCSP_noCheck */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x06, /* [ 2768] OBJ_id_pkix_OCSP_archiveCutoff */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x07, /* [ 2777] OBJ_id_pkix_OCSP_serviceLocator */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x08, /* [ 2786] OBJ_id_pkix_OCSP_extendedStatus */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x09, /* [ 2795] OBJ_id_pkix_OCSP_valid */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x0A, /* [ 2804] OBJ_id_pkix_OCSP_path */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x0B, /* [ 2813] OBJ_id_pkix_OCSP_trustRoot */
0x2B,0x0E,0x03,0x02, /* [ 2822] OBJ_algorithm */
0x2B,0x0E,0x03,0x02,0x0B, /* [ 2826] OBJ_rsaSignature */
0x55,0x08, /* [ 2831] OBJ_X500algorithms */
0x2B, /* [ 2833] OBJ_org */
0x2B,0x06, /* [ 2834] OBJ_dod */
0x2B,0x06,0x01, /* [ 2836] OBJ_iana */
0x2B,0x06,0x01,0x01, /* [ 2839] OBJ_Directory */
0x2B,0x06,0x01,0x02, /* [ 2843] OBJ_Management */
0x2B,0x06,0x01,0x03, /* [ 2847] OBJ_Experimental */
0x2B,0x06,0x01,0x04, /* [ 2851] OBJ_Private */
0x2B,0x06,0x01,0x05, /* [ 2855] OBJ_Security */
0x2B,0x06,0x01,0x06, /* [ 2859] OBJ_SNMPv2 */
0x2B,0x06,0x01,0x07, /* [ 2863] OBJ_Mail */
0x2B,0x06,0x01,0x04,0x01, /* [ 2867] OBJ_Enterprises */
0x2B,0x06,0x01,0x04,0x01,0x8B,0x3A,0x82,0x58, /* [ 2872] OBJ_dcObject */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x19, /* [ 2881] OBJ_domainComponent */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x0D, /* [ 2891] OBJ_Domain */
0x55,0x01,0x05, /* [ 2901] OBJ_selected_attribute_types */
0x55,0x01,0x05,0x37, /* [ 2904] OBJ_clearance */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x03, /* [ 2908] OBJ_md4WithRSAEncryption */
0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0A, /* [ 2917] OBJ_ac_proxying */
0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0B, /* [ 2925] OBJ_sinfo_access */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x06, /* [ 2933] OBJ_id_aca_encAttrs */
0x55,0x04,0x48, /* [ 2941] OBJ_role */
0x55,0x1D,0x24, /* [ 2944] OBJ_policy_constraints */
0x55,0x1D,0x37, /* [ 2947] OBJ_target_information */
0x55,0x1D,0x38, /* [ 2950] OBJ_no_rev_avail */
0x2A,0x86,0x48,0xCE,0x3D, /* [ 2953] OBJ_ansi_X9_62 */
0x2A,0x86,0x48,0xCE,0x3D,0x01,0x01, /* [ 2958] OBJ_X9_62_prime_field */
0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02, /* [ 2965] OBJ_X9_62_characteristic_two_field */
0x2A,0x86,0x48,0xCE,0x3D,0x02,0x01, /* [ 2972] OBJ_X9_62_id_ecPublicKey */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x01, /* [ 2979] OBJ_X9_62_prime192v1 */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x02, /* [ 2987] OBJ_X9_62_prime192v2 */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x03, /* [ 2995] OBJ_X9_62_prime192v3 */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x04, /* [ 3003] OBJ_X9_62_prime239v1 */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x05, /* [ 3011] OBJ_X9_62_prime239v2 */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x06, /* [ 3019] OBJ_X9_62_prime239v3 */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x01,0x07, /* [ 3027] OBJ_X9_62_prime256v1 */
0x2A,0x86,0x48,0xCE,0x3D,0x04,0x01, /* [ 3035] OBJ_ecdsa_with_SHA1 */
0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x11,0x01, /* [ 3042] OBJ_ms_csp_name */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x01, /* [ 3051] OBJ_aes_128_ecb */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x02, /* [ 3060] OBJ_aes_128_cbc */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x03, /* [ 3069] OBJ_aes_128_ofb128 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x04, /* [ 3078] OBJ_aes_128_cfb128 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x15, /* [ 3087] OBJ_aes_192_ecb */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x16, /* [ 3096] OBJ_aes_192_cbc */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x17, /* [ 3105] OBJ_aes_192_ofb128 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x18, /* [ 3114] OBJ_aes_192_cfb128 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x29, /* [ 3123] OBJ_aes_256_ecb */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2A, /* [ 3132] OBJ_aes_256_cbc */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2B, /* [ 3141] OBJ_aes_256_ofb128 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2C, /* [ 3150] OBJ_aes_256_cfb128 */
0x55,0x1D,0x17, /* [ 3159] OBJ_hold_instruction_code */
0x2A,0x86,0x48,0xCE,0x38,0x02,0x01, /* [ 3162] OBJ_hold_instruction_none */
0x2A,0x86,0x48,0xCE,0x38,0x02,0x02, /* [ 3169] OBJ_hold_instruction_call_issuer */
0x2A,0x86,0x48,0xCE,0x38,0x02,0x03, /* [ 3176] OBJ_hold_instruction_reject */
0x09, /* [ 3183] OBJ_data */
0x09,0x92,0x26, /* [ 3184] OBJ_pss */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C, /* [ 3187] OBJ_ucl */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64, /* [ 3194] OBJ_pilot */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01, /* [ 3202] OBJ_pilotAttributeType */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x03, /* [ 3211] OBJ_pilotAttributeSyntax */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04, /* [ 3220] OBJ_pilotObjectClass */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x0A, /* [ 3229] OBJ_pilotGroups */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x03,0x04, /* [ 3238] OBJ_iA5StringSyntax */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x03,0x05, /* [ 3248] OBJ_caseIgnoreIA5StringSyntax */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x03, /* [ 3258] OBJ_pilotObject */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x04, /* [ 3268] OBJ_pilotPerson */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x05, /* [ 3278] OBJ_account */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x06, /* [ 3288] OBJ_document */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x07, /* [ 3298] OBJ_room */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x09, /* [ 3308] OBJ_documentSeries */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x0E, /* [ 3318] OBJ_rFC822localPart */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x0F, /* [ 3328] OBJ_dNSDomain */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x11, /* [ 3338] OBJ_domainRelatedObject */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x12, /* [ 3348] OBJ_friendlyCountry */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x13, /* [ 3358] OBJ_simpleSecurityObject */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x14, /* [ 3368] OBJ_pilotOrganization */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x15, /* [ 3378] OBJ_pilotDSA */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x16, /* [ 3388] OBJ_qualityLabelledData */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x01, /* [ 3398] OBJ_userId */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x02, /* [ 3408] OBJ_textEncodedORAddress */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x03, /* [ 3418] OBJ_rfc822Mailbox */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x04, /* [ 3428] OBJ_info */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x05, /* [ 3438] OBJ_favouriteDrink */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x06, /* [ 3448] OBJ_roomNumber */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x07, /* [ 3458] OBJ_photo */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x08, /* [ 3468] OBJ_userClass */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x09, /* [ 3478] OBJ_host */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0A, /* [ 3488] OBJ_manager */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0B, /* [ 3498] OBJ_documentIdentifier */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0C, /* [ 3508] OBJ_documentTitle */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0D, /* [ 3518] OBJ_documentVersion */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0E, /* [ 3528] OBJ_documentAuthor */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x0F, /* [ 3538] OBJ_documentLocation */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x14, /* [ 3548] OBJ_homeTelephoneNumber */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x15, /* [ 3558] OBJ_secretary */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x16, /* [ 3568] OBJ_otherMailbox */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x17, /* [ 3578] OBJ_lastModifiedTime */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x18, /* [ 3588] OBJ_lastModifiedBy */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1A, /* [ 3598] OBJ_aRecord */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1B, /* [ 3608] OBJ_pilotAttributeType27 */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1C, /* [ 3618] OBJ_mXRecord */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1D, /* [ 3628] OBJ_nSRecord */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1E, /* [ 3638] OBJ_sOARecord */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x1F, /* [ 3648] OBJ_cNAMERecord */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x25, /* [ 3658] OBJ_associatedDomain */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x26, /* [ 3668] OBJ_associatedName */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x27, /* [ 3678] OBJ_homePostalAddress */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x28, /* [ 3688] OBJ_personalTitle */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x29, /* [ 3698] OBJ_mobileTelephoneNumber */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2A, /* [ 3708] OBJ_pagerTelephoneNumber */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2B, /* [ 3718] OBJ_friendlyCountryName */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2D, /* [ 3728] OBJ_organizationalStatus */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2E, /* [ 3738] OBJ_janetMailbox */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x2F, /* [ 3748] OBJ_mailPreferenceOption */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x30, /* [ 3758] OBJ_buildingName */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x31, /* [ 3768] OBJ_dSAQuality */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x32, /* [ 3778] OBJ_singleLevelQuality */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x33, /* [ 3788] OBJ_subtreeMinimumQuality */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x34, /* [ 3798] OBJ_subtreeMaximumQuality */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x35, /* [ 3808] OBJ_personalSignature */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x36, /* [ 3818] OBJ_dITRedirect */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x37, /* [ 3828] OBJ_audio */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x38, /* [ 3838] OBJ_documentPublisher */
0x55,0x04,0x2D, /* [ 3848] OBJ_x500UniqueIdentifier */
0x2B,0x06,0x01,0x07,0x01, /* [ 3851] OBJ_mime_mhs */
0x2B,0x06,0x01,0x07,0x01,0x01, /* [ 3856] OBJ_mime_mhs_headings */
0x2B,0x06,0x01,0x07,0x01,0x02, /* [ 3862] OBJ_mime_mhs_bodies */
0x2B,0x06,0x01,0x07,0x01,0x01,0x01, /* [ 3868] OBJ_id_hex_partial_message */
0x2B,0x06,0x01,0x07,0x01,0x01,0x02, /* [ 3875] OBJ_id_hex_multipart_message */
0x55,0x04,0x2C, /* [ 3882] OBJ_generationQualifier */
0x55,0x04,0x41, /* [ 3885] OBJ_pseudonym */
0x67,0x2A, /* [ 3888] OBJ_id_set */
0x67,0x2A,0x00, /* [ 3890] OBJ_set_ctype */
0x67,0x2A,0x01, /* [ 3893] OBJ_set_msgExt */
0x67,0x2A,0x03, /* [ 3896] OBJ_set_attr */
0x67,0x2A,0x05, /* [ 3899] OBJ_set_policy */
0x67,0x2A,0x07, /* [ 3902] OBJ_set_certExt */
0x67,0x2A,0x08, /* [ 3905] OBJ_set_brand */
0x67,0x2A,0x00,0x00, /* [ 3908] OBJ_setct_PANData */
0x67,0x2A,0x00,0x01, /* [ 3912] OBJ_setct_PANToken */
0x67,0x2A,0x00,0x02, /* [ 3916] OBJ_setct_PANOnly */
0x67,0x2A,0x00,0x03, /* [ 3920] OBJ_setct_OIData */
0x67,0x2A,0x00,0x04, /* [ 3924] OBJ_setct_PI */
0x67,0x2A,0x00,0x05, /* [ 3928] OBJ_setct_PIData */
0x67,0x2A,0x00,0x06, /* [ 3932] OBJ_setct_PIDataUnsigned */
0x67,0x2A,0x00,0x07, /* [ 3936] OBJ_setct_HODInput */
0x67,0x2A,0x00,0x08, /* [ 3940] OBJ_setct_AuthResBaggage */
0x67,0x2A,0x00,0x09, /* [ 3944] OBJ_setct_AuthRevReqBaggage */
0x67,0x2A,0x00,0x0A, /* [ 3948] OBJ_setct_AuthRevResBaggage */
0x67,0x2A,0x00,0x0B, /* [ 3952] OBJ_setct_CapTokenSeq */
0x67,0x2A,0x00,0x0C, /* [ 3956] OBJ_setct_PInitResData */
0x67,0x2A,0x00,0x0D, /* [ 3960] OBJ_setct_PI_TBS */
0x67,0x2A,0x00,0x0E, /* [ 3964] OBJ_setct_PResData */
0x67,0x2A,0x00,0x10, /* [ 3968] OBJ_setct_AuthReqTBS */
0x67,0x2A,0x00,0x11, /* [ 3972] OBJ_setct_AuthResTBS */
0x67,0x2A,0x00,0x12, /* [ 3976] OBJ_setct_AuthResTBSX */
0x67,0x2A,0x00,0x13, /* [ 3980] OBJ_setct_AuthTokenTBS */
0x67,0x2A,0x00,0x14, /* [ 3984] OBJ_setct_CapTokenData */
0x67,0x2A,0x00,0x15, /* [ 3988] OBJ_setct_CapTokenTBS */
0x67,0x2A,0x00,0x16, /* [ 3992] OBJ_setct_AcqCardCodeMsg */
0x67,0x2A,0x00,0x17, /* [ 3996] OBJ_setct_AuthRevReqTBS */
0x67,0x2A,0x00,0x18, /* [ 4000] OBJ_setct_AuthRevResData */
0x67,0x2A,0x00,0x19, /* [ 4004] OBJ_setct_AuthRevResTBS */
0x67,0x2A,0x00,0x1A, /* [ 4008] OBJ_setct_CapReqTBS */
0x67,0x2A,0x00,0x1B, /* [ 4012] OBJ_setct_CapReqTBSX */
0x67,0x2A,0x00,0x1C, /* [ 4016] OBJ_setct_CapResData */
0x67,0x2A,0x00,0x1D, /* [ 4020] OBJ_setct_CapRevReqTBS */
0x67,0x2A,0x00,0x1E, /* [ 4024] OBJ_setct_CapRevReqTBSX */
0x67,0x2A,0x00,0x1F, /* [ 4028] OBJ_setct_CapRevResData */
0x67,0x2A,0x00,0x20, /* [ 4032] OBJ_setct_CredReqTBS */
0x67,0x2A,0x00,0x21, /* [ 4036] OBJ_setct_CredReqTBSX */
0x67,0x2A,0x00,0x22, /* [ 4040] OBJ_setct_CredResData */
0x67,0x2A,0x00,0x23, /* [ 4044] OBJ_setct_CredRevReqTBS */
0x67,0x2A,0x00,0x24, /* [ 4048] OBJ_setct_CredRevReqTBSX */
0x67,0x2A,0x00,0x25, /* [ 4052] OBJ_setct_CredRevResData */
0x67,0x2A,0x00,0x26, /* [ 4056] OBJ_setct_PCertReqData */
0x67,0x2A,0x00,0x27, /* [ 4060] OBJ_setct_PCertResTBS */
0x67,0x2A,0x00,0x28, /* [ 4064] OBJ_setct_BatchAdminReqData */
0x67,0x2A,0x00,0x29, /* [ 4068] OBJ_setct_BatchAdminResData */
0x67,0x2A,0x00,0x2A, /* [ 4072] OBJ_setct_CardCInitResTBS */
0x67,0x2A,0x00,0x2B, /* [ 4076] OBJ_setct_MeAqCInitResTBS */
0x67,0x2A,0x00,0x2C, /* [ 4080] OBJ_setct_RegFormResTBS */
0x67,0x2A,0x00,0x2D, /* [ 4084] OBJ_setct_CertReqData */
0x67,0x2A,0x00,0x2E, /* [ 4088] OBJ_setct_CertReqTBS */
0x67,0x2A,0x00,0x2F, /* [ 4092] OBJ_setct_CertResData */
0x67,0x2A,0x00,0x30, /* [ 4096] OBJ_setct_CertInqReqTBS */
0x67,0x2A,0x00,0x31, /* [ 4100] OBJ_setct_ErrorTBS */
0x67,0x2A,0x00,0x32, /* [ 4104] OBJ_setct_PIDualSignedTBE */
0x67,0x2A,0x00,0x33, /* [ 4108] OBJ_setct_PIUnsignedTBE */
0x67,0x2A,0x00,0x34, /* [ 4112] OBJ_setct_AuthReqTBE */
0x67,0x2A,0x00,0x35, /* [ 4116] OBJ_setct_AuthResTBE */
0x67,0x2A,0x00,0x36, /* [ 4120] OBJ_setct_AuthResTBEX */
0x67,0x2A,0x00,0x37, /* [ 4124] OBJ_setct_AuthTokenTBE */
0x67,0x2A,0x00,0x38, /* [ 4128] OBJ_setct_CapTokenTBE */
0x67,0x2A,0x00,0x39, /* [ 4132] OBJ_setct_CapTokenTBEX */
0x67,0x2A,0x00,0x3A, /* [ 4136] OBJ_setct_AcqCardCodeMsgTBE */
0x67,0x2A,0x00,0x3B, /* [ 4140] OBJ_setct_AuthRevReqTBE */
0x67,0x2A,0x00,0x3C, /* [ 4144] OBJ_setct_AuthRevResTBE */
0x67,0x2A,0x00,0x3D, /* [ 4148] OBJ_setct_AuthRevResTBEB */
0x67,0x2A,0x00,0x3E, /* [ 4152] OBJ_setct_CapReqTBE */
0x67,0x2A,0x00,0x3F, /* [ 4156] OBJ_setct_CapReqTBEX */
0x67,0x2A,0x00,0x40, /* [ 4160] OBJ_setct_CapResTBE */
0x67,0x2A,0x00,0x41, /* [ 4164] OBJ_setct_CapRevReqTBE */
0x67,0x2A,0x00,0x42, /* [ 4168] OBJ_setct_CapRevReqTBEX */
0x67,0x2A,0x00,0x43, /* [ 4172] OBJ_setct_CapRevResTBE */
0x67,0x2A,0x00,0x44, /* [ 4176] OBJ_setct_CredReqTBE */
0x67,0x2A,0x00,0x45, /* [ 4180] OBJ_setct_CredReqTBEX */
0x67,0x2A,0x00,0x46, /* [ 4184] OBJ_setct_CredResTBE */
0x67,0x2A,0x00,0x47, /* [ 4188] OBJ_setct_CredRevReqTBE */
0x67,0x2A,0x00,0x48, /* [ 4192] OBJ_setct_CredRevReqTBEX */
0x67,0x2A,0x00,0x49, /* [ 4196] OBJ_setct_CredRevResTBE */
0x67,0x2A,0x00,0x4A, /* [ 4200] OBJ_setct_BatchAdminReqTBE */
0x67,0x2A,0x00,0x4B, /* [ 4204] OBJ_setct_BatchAdminResTBE */
0x67,0x2A,0x00,0x4C, /* [ 4208] OBJ_setct_RegFormReqTBE */
0x67,0x2A,0x00,0x4D, /* [ 4212] OBJ_setct_CertReqTBE */
0x67,0x2A,0x00,0x4E, /* [ 4216] OBJ_setct_CertReqTBEX */
0x67,0x2A,0x00,0x4F, /* [ 4220] OBJ_setct_CertResTBE */
0x67,0x2A,0x00,0x50, /* [ 4224] OBJ_setct_CRLNotificationTBS */
0x67,0x2A,0x00,0x51, /* [ 4228] OBJ_setct_CRLNotificationResTBS */
0x67,0x2A,0x00,0x52, /* [ 4232] OBJ_setct_BCIDistributionTBS */
0x67,0x2A,0x01,0x01, /* [ 4236] OBJ_setext_genCrypt */
0x67,0x2A,0x01,0x03, /* [ 4240] OBJ_setext_miAuth */
0x67,0x2A,0x01,0x04, /* [ 4244] OBJ_setext_pinSecure */
0x67,0x2A,0x01,0x05, /* [ 4248] OBJ_setext_pinAny */
0x67,0x2A,0x01,0x07, /* [ 4252] OBJ_setext_track2 */
0x67,0x2A,0x01,0x08, /* [ 4256] OBJ_setext_cv */
0x67,0x2A,0x05,0x00, /* [ 4260] OBJ_set_policy_root */
0x67,0x2A,0x07,0x00, /* [ 4264] OBJ_setCext_hashedRoot */
0x67,0x2A,0x07,0x01, /* [ 4268] OBJ_setCext_certType */
0x67,0x2A,0x07,0x02, /* [ 4272] OBJ_setCext_merchData */
0x67,0x2A,0x07,0x03, /* [ 4276] OBJ_setCext_cCertRequired */
0x67,0x2A,0x07,0x04, /* [ 4280] OBJ_setCext_tunneling */
0x67,0x2A,0x07,0x05, /* [ 4284] OBJ_setCext_setExt */
0x67,0x2A,0x07,0x06, /* [ 4288] OBJ_setCext_setQualf */
0x67,0x2A,0x07,0x07, /* [ 4292] OBJ_setCext_PGWYcapabilities */
0x67,0x2A,0x07,0x08, /* [ 4296] OBJ_setCext_TokenIdentifier */
0x67,0x2A,0x07,0x09, /* [ 4300] OBJ_setCext_Track2Data */
0x67,0x2A,0x07,0x0A, /* [ 4304] OBJ_setCext_TokenType */
0x67,0x2A,0x07,0x0B, /* [ 4308] OBJ_setCext_IssuerCapabilities */
0x67,0x2A,0x03,0x00, /* [ 4312] OBJ_setAttr_Cert */
0x67,0x2A,0x03,0x01, /* [ 4316] OBJ_setAttr_PGWYcap */
0x67,0x2A,0x03,0x02, /* [ 4320] OBJ_setAttr_TokenType */
0x67,0x2A,0x03,0x03, /* [ 4324] OBJ_setAttr_IssCap */
0x67,0x2A,0x03,0x00,0x00, /* [ 4328] OBJ_set_rootKeyThumb */
0x67,0x2A,0x03,0x00,0x01, /* [ 4333] OBJ_set_addPolicy */
0x67,0x2A,0x03,0x02,0x01, /* [ 4338] OBJ_setAttr_Token_EMV */
0x67,0x2A,0x03,0x02,0x02, /* [ 4343] OBJ_setAttr_Token_B0Prime */
0x67,0x2A,0x03,0x03,0x03, /* [ 4348] OBJ_setAttr_IssCap_CVM */
0x67,0x2A,0x03,0x03,0x04, /* [ 4353] OBJ_setAttr_IssCap_T2 */
0x67,0x2A,0x03,0x03,0x05, /* [ 4358] OBJ_setAttr_IssCap_Sig */
0x67,0x2A,0x03,0x03,0x03,0x01, /* [ 4363] OBJ_setAttr_GenCryptgrm */
0x67,0x2A,0x03,0x03,0x04,0x01, /* [ 4369] OBJ_setAttr_T2Enc */
0x67,0x2A,0x03,0x03,0x04,0x02, /* [ 4375] OBJ_setAttr_T2cleartxt */
0x67,0x2A,0x03,0x03,0x05,0x01, /* [ 4381] OBJ_setAttr_TokICCsig */
0x67,0x2A,0x03,0x03,0x05,0x02, /* [ 4387] OBJ_setAttr_SecDevSig */
0x67,0x2A,0x08,0x01, /* [ 4393] OBJ_set_brand_IATA_ATA */
0x67,0x2A,0x08,0x1E, /* [ 4397] OBJ_set_brand_Diners */
0x67,0x2A,0x08,0x22, /* [ 4401] OBJ_set_brand_AmericanExpress */
0x67,0x2A,0x08,0x23, /* [ 4405] OBJ_set_brand_JCB */
0x67,0x2A,0x08,0x04, /* [ 4409] OBJ_set_brand_Visa */
0x67,0x2A,0x08,0x05, /* [ 4413] OBJ_set_brand_MasterCard */
0x67,0x2A,0x08,0xAE,0x7B, /* [ 4417] OBJ_set_brand_Novus */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x0A, /* [ 4422] OBJ_des_cdmf */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x06, /* [ 4430] OBJ_rsaOAEPEncryptionSET */
0x67, /* [ 4439] OBJ_international_organizations */
0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x02, /* [ 4440] OBJ_ms_smartcard_login */
0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x03, /* [ 4450] OBJ_ms_upn */
0x55,0x04,0x09, /* [ 4460] OBJ_streetAddress */
0x55,0x04,0x11, /* [ 4463] OBJ_postalCode */
0x2B,0x06,0x01,0x05,0x05,0x07,0x15, /* [ 4466] OBJ_id_ppl */
0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0E, /* [ 4473] OBJ_proxyCertInfo */
0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x00, /* [ 4481] OBJ_id_ppl_anyLanguage */
0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x01, /* [ 4489] OBJ_id_ppl_inheritAll */
0x55,0x1D,0x1E, /* [ 4497] OBJ_name_constraints */
0x2B,0x06,0x01,0x05,0x05,0x07,0x15,0x02, /* [ 4500] OBJ_Independent */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B, /* [ 4508] OBJ_sha256WithRSAEncryption */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0C, /* [ 4517] OBJ_sha384WithRSAEncryption */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0D, /* [ 4526] OBJ_sha512WithRSAEncryption */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0E, /* [ 4535] OBJ_sha224WithRSAEncryption */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01, /* [ 4544] OBJ_sha256 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02, /* [ 4553] OBJ_sha384 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x03, /* [ 4562] OBJ_sha512 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x04, /* [ 4571] OBJ_sha224 */
0x2B, /* [ 4580] OBJ_identified_organization */
0x2B,0x81,0x04, /* [ 4581] OBJ_certicom_arc */
0x67,0x2B, /* [ 4584] OBJ_wap */
0x67,0x2B,0x01, /* [ 4586] OBJ_wap_wsg */
0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03, /* [ 4589] OBJ_X9_62_id_characteristic_two_basis */
0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,0x01, /* [ 4597] OBJ_X9_62_onBasis */
0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,0x02, /* [ 4606] OBJ_X9_62_tpBasis */
0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,0x03, /* [ 4615] OBJ_X9_62_ppBasis */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x01, /* [ 4624] OBJ_X9_62_c2pnb163v1 */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x02, /* [ 4632] OBJ_X9_62_c2pnb163v2 */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x03, /* [ 4640] OBJ_X9_62_c2pnb163v3 */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x04, /* [ 4648] OBJ_X9_62_c2pnb176v1 */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x05, /* [ 4656] OBJ_X9_62_c2tnb191v1 */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x06, /* [ 4664] OBJ_X9_62_c2tnb191v2 */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x07, /* [ 4672] OBJ_X9_62_c2tnb191v3 */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x08, /* [ 4680] OBJ_X9_62_c2onb191v4 */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x09, /* [ 4688] OBJ_X9_62_c2onb191v5 */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0A, /* [ 4696] OBJ_X9_62_c2pnb208w1 */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0B, /* [ 4704] OBJ_X9_62_c2tnb239v1 */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0C, /* [ 4712] OBJ_X9_62_c2tnb239v2 */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0D, /* [ 4720] OBJ_X9_62_c2tnb239v3 */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0E, /* [ 4728] OBJ_X9_62_c2onb239v4 */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x0F, /* [ 4736] OBJ_X9_62_c2onb239v5 */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x10, /* [ 4744] OBJ_X9_62_c2pnb272w1 */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x11, /* [ 4752] OBJ_X9_62_c2pnb304w1 */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x12, /* [ 4760] OBJ_X9_62_c2tnb359v1 */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x13, /* [ 4768] OBJ_X9_62_c2pnb368w1 */
0x2A,0x86,0x48,0xCE,0x3D,0x03,0x00,0x14, /* [ 4776] OBJ_X9_62_c2tnb431r1 */
0x2B,0x81,0x04,0x00,0x06, /* [ 4784] OBJ_secp112r1 */
0x2B,0x81,0x04,0x00,0x07, /* [ 4789] OBJ_secp112r2 */
0x2B,0x81,0x04,0x00,0x1C, /* [ 4794] OBJ_secp128r1 */
0x2B,0x81,0x04,0x00,0x1D, /* [ 4799] OBJ_secp128r2 */
0x2B,0x81,0x04,0x00,0x09, /* [ 4804] OBJ_secp160k1 */
0x2B,0x81,0x04,0x00,0x08, /* [ 4809] OBJ_secp160r1 */
0x2B,0x81,0x04,0x00,0x1E, /* [ 4814] OBJ_secp160r2 */
0x2B,0x81,0x04,0x00,0x1F, /* [ 4819] OBJ_secp192k1 */
0x2B,0x81,0x04,0x00,0x20, /* [ 4824] OBJ_secp224k1 */
0x2B,0x81,0x04,0x00,0x21, /* [ 4829] OBJ_secp224r1 */
0x2B,0x81,0x04,0x00,0x0A, /* [ 4834] OBJ_secp256k1 */
0x2B,0x81,0x04,0x00,0x22, /* [ 4839] OBJ_secp384r1 */
0x2B,0x81,0x04,0x00,0x23, /* [ 4844] OBJ_secp521r1 */
0x2B,0x81,0x04,0x00,0x04, /* [ 4849] OBJ_sect113r1 */
0x2B,0x81,0x04,0x00,0x05, /* [ 4854] OBJ_sect113r2 */
0x2B,0x81,0x04,0x00,0x16, /* [ 4859] OBJ_sect131r1 */
0x2B,0x81,0x04,0x00,0x17, /* [ 4864] OBJ_sect131r2 */
0x2B,0x81,0x04,0x00,0x01, /* [ 4869] OBJ_sect163k1 */
0x2B,0x81,0x04,0x00,0x02, /* [ 4874] OBJ_sect163r1 */
0x2B,0x81,0x04,0x00,0x0F, /* [ 4879] OBJ_sect163r2 */
0x2B,0x81,0x04,0x00,0x18, /* [ 4884] OBJ_sect193r1 */
0x2B,0x81,0x04,0x00,0x19, /* [ 4889] OBJ_sect193r2 */
0x2B,0x81,0x04,0x00,0x1A, /* [ 4894] OBJ_sect233k1 */
0x2B,0x81,0x04,0x00,0x1B, /* [ 4899] OBJ_sect233r1 */
0x2B,0x81,0x04,0x00,0x03, /* [ 4904] OBJ_sect239k1 */
0x2B,0x81,0x04,0x00,0x10, /* [ 4909] OBJ_sect283k1 */
0x2B,0x81,0x04,0x00,0x11, /* [ 4914] OBJ_sect283r1 */
0x2B,0x81,0x04,0x00,0x24, /* [ 4919] OBJ_sect409k1 */
0x2B,0x81,0x04,0x00,0x25, /* [ 4924] OBJ_sect409r1 */
0x2B,0x81,0x04,0x00,0x26, /* [ 4929] OBJ_sect571k1 */
0x2B,0x81,0x04,0x00,0x27, /* [ 4934] OBJ_sect571r1 */
0x67,0x2B,0x01,0x04,0x01, /* [ 4939] OBJ_wap_wsg_idm_ecid_wtls1 */
0x67,0x2B,0x01,0x04,0x03, /* [ 4944] OBJ_wap_wsg_idm_ecid_wtls3 */
0x67,0x2B,0x01,0x04,0x04, /* [ 4949] OBJ_wap_wsg_idm_ecid_wtls4 */
0x67,0x2B,0x01,0x04,0x05, /* [ 4954] OBJ_wap_wsg_idm_ecid_wtls5 */
0x67,0x2B,0x01,0x04,0x06, /* [ 4959] OBJ_wap_wsg_idm_ecid_wtls6 */
0x67,0x2B,0x01,0x04,0x07, /* [ 4964] OBJ_wap_wsg_idm_ecid_wtls7 */
0x67,0x2B,0x01,0x04,0x08, /* [ 4969] OBJ_wap_wsg_idm_ecid_wtls8 */
0x67,0x2B,0x01,0x04,0x09, /* [ 4974] OBJ_wap_wsg_idm_ecid_wtls9 */
0x67,0x2B,0x01,0x04,0x0A, /* [ 4979] OBJ_wap_wsg_idm_ecid_wtls10 */
0x67,0x2B,0x01,0x04,0x0B, /* [ 4984] OBJ_wap_wsg_idm_ecid_wtls11 */
0x67,0x2B,0x01,0x04,0x0C, /* [ 4989] OBJ_wap_wsg_idm_ecid_wtls12 */
0x55,0x1D,0x20,0x00, /* [ 4994] OBJ_any_policy */
0x55,0x1D,0x21, /* [ 4998] OBJ_policy_mappings */
0x55,0x1D,0x36, /* [ 5001] OBJ_inhibit_any_policy */
0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x01,0x02, /* [ 5004] OBJ_camellia_128_cbc */
0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x01,0x03, /* [ 5015] OBJ_camellia_192_cbc */
0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x01,0x04, /* [ 5026] OBJ_camellia_256_cbc */
0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x01, /* [ 5037] OBJ_camellia_128_ecb */
0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x15, /* [ 5045] OBJ_camellia_192_ecb */
0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x29, /* [ 5053] OBJ_camellia_256_ecb */
0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x04, /* [ 5061] OBJ_camellia_128_cfb128 */
0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x18, /* [ 5069] OBJ_camellia_192_cfb128 */
0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x2C, /* [ 5077] OBJ_camellia_256_cfb128 */
0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x03, /* [ 5085] OBJ_camellia_128_ofb128 */
0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x17, /* [ 5093] OBJ_camellia_192_ofb128 */
0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x2B, /* [ 5101] OBJ_camellia_256_ofb128 */
0x55,0x1D,0x09, /* [ 5109] OBJ_subject_directory_attributes */
0x55,0x1D,0x1C, /* [ 5112] OBJ_issuing_distribution_point */
0x55,0x1D,0x1D, /* [ 5115] OBJ_certificate_issuer */
0x2A,0x83,0x1A,0x8C,0x9A,0x44, /* [ 5118] OBJ_kisa */
0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x03, /* [ 5124] OBJ_seed_ecb */
0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x04, /* [ 5132] OBJ_seed_cbc */
0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x06, /* [ 5140] OBJ_seed_ofb128 */
0x2A,0x83,0x1A,0x8C,0x9A,0x44,0x01,0x05, /* [ 5148] OBJ_seed_cfb128 */
0x2B,0x06,0x01,0x05,0x05,0x08,0x01,0x01, /* [ 5156] OBJ_hmac_md5 */
0x2B,0x06,0x01,0x05,0x05,0x08,0x01,0x02, /* [ 5164] OBJ_hmac_sha1 */
0x2A,0x86,0x48,0x86,0xF6,0x7D,0x07,0x42,0x0D, /* [ 5172] OBJ_id_PasswordBasedMAC */
0x2A,0x86,0x48,0x86,0xF6,0x7D,0x07,0x42,0x1E, /* [ 5181] OBJ_id_DHBasedMac */
0x2B,0x06,0x01,0x05,0x05,0x07,0x04,0x10, /* [ 5190] OBJ_id_it_suppLangTags */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x05, /* [ 5198] OBJ_caRepository */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x09, /* [ 5206] OBJ_id_smime_ct_compressedData */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x1B, /* [ 5217] OBJ_id_ct_asciiTextWithCRLF */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x05, /* [ 5228] OBJ_id_aes128_wrap */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x19, /* [ 5237] OBJ_id_aes192_wrap */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2D, /* [ 5246] OBJ_id_aes256_wrap */
0x2A,0x86,0x48,0xCE,0x3D,0x04,0x02, /* [ 5255] OBJ_ecdsa_with_Recommended */
0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03, /* [ 5262] OBJ_ecdsa_with_Specified */
0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x01, /* [ 5269] OBJ_ecdsa_with_SHA224 */
0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02, /* [ 5277] OBJ_ecdsa_with_SHA256 */
0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x03, /* [ 5285] OBJ_ecdsa_with_SHA384 */
0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x04, /* [ 5293] OBJ_ecdsa_with_SHA512 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x06, /* [ 5301] OBJ_hmacWithMD5 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x08, /* [ 5309] OBJ_hmacWithSHA224 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x09, /* [ 5317] OBJ_hmacWithSHA256 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0A, /* [ 5325] OBJ_hmacWithSHA384 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0B, /* [ 5333] OBJ_hmacWithSHA512 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x01, /* [ 5341] OBJ_dsa_with_SHA224 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x02, /* [ 5350] OBJ_dsa_with_SHA256 */
0x28,0xCF,0x06,0x03,0x00,0x37, /* [ 5359] OBJ_whirlpool */
0x2A,0x85,0x03,0x02,0x02, /* [ 5365] OBJ_cryptopro */
0x2A,0x85,0x03,0x02,0x09, /* [ 5370] OBJ_cryptocom */
0x2A,0x85,0x03,0x02,0x02,0x03, /* [ 5375] OBJ_id_GostR3411_94_with_GostR3410_2001 */
0x2A,0x85,0x03,0x02,0x02,0x04, /* [ 5381] OBJ_id_GostR3411_94_with_GostR3410_94 */
0x2A,0x85,0x03,0x02,0x02,0x09, /* [ 5387] OBJ_id_GostR3411_94 */
0x2A,0x85,0x03,0x02,0x02,0x0A, /* [ 5393] OBJ_id_HMACGostR3411_94 */
0x2A,0x85,0x03,0x02,0x02,0x13, /* [ 5399] OBJ_id_GostR3410_2001 */
0x2A,0x85,0x03,0x02,0x02,0x14, /* [ 5405] OBJ_id_GostR3410_94 */
0x2A,0x85,0x03,0x02,0x02,0x15, /* [ 5411] OBJ_id_Gost28147_89 */
0x2A,0x85,0x03,0x02,0x02,0x16, /* [ 5417] OBJ_id_Gost28147_89_MAC */
0x2A,0x85,0x03,0x02,0x02,0x17, /* [ 5423] OBJ_id_GostR3411_94_prf */
0x2A,0x85,0x03,0x02,0x02,0x62, /* [ 5429] OBJ_id_GostR3410_2001DH */
0x2A,0x85,0x03,0x02,0x02,0x63, /* [ 5435] OBJ_id_GostR3410_94DH */
0x2A,0x85,0x03,0x02,0x02,0x0E,0x01, /* [ 5441] OBJ_id_Gost28147_89_CryptoPro_KeyMeshing */
0x2A,0x85,0x03,0x02,0x02,0x0E,0x00, /* [ 5448] OBJ_id_Gost28147_89_None_KeyMeshing */
0x2A,0x85,0x03,0x02,0x02,0x1E,0x00, /* [ 5455] OBJ_id_GostR3411_94_TestParamSet */
0x2A,0x85,0x03,0x02,0x02,0x1E,0x01, /* [ 5462] OBJ_id_GostR3411_94_CryptoProParamSet */
0x2A,0x85,0x03,0x02,0x02,0x1F,0x00, /* [ 5469] OBJ_id_Gost28147_89_TestParamSet */
0x2A,0x85,0x03,0x02,0x02,0x1F,0x01, /* [ 5476] OBJ_id_Gost28147_89_CryptoPro_A_ParamSet */
0x2A,0x85,0x03,0x02,0x02,0x1F,0x02, /* [ 5483] OBJ_id_Gost28147_89_CryptoPro_B_ParamSet */
0x2A,0x85,0x03,0x02,0x02,0x1F,0x03, /* [ 5490] OBJ_id_Gost28147_89_CryptoPro_C_ParamSet */
0x2A,0x85,0x03,0x02,0x02,0x1F,0x04, /* [ 5497] OBJ_id_Gost28147_89_CryptoPro_D_ParamSet */
0x2A,0x85,0x03,0x02,0x02,0x1F,0x05, /* [ 5504] OBJ_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet */
0x2A,0x85,0x03,0x02,0x02,0x1F,0x06, /* [ 5511] OBJ_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet */
0x2A,0x85,0x03,0x02,0x02,0x1F,0x07, /* [ 5518] OBJ_id_Gost28147_89_CryptoPro_RIC_1_ParamSet */
0x2A,0x85,0x03,0x02,0x02,0x20,0x00, /* [ 5525] OBJ_id_GostR3410_94_TestParamSet */
0x2A,0x85,0x03,0x02,0x02,0x20,0x02, /* [ 5532] OBJ_id_GostR3410_94_CryptoPro_A_ParamSet */
0x2A,0x85,0x03,0x02,0x02,0x20,0x03, /* [ 5539] OBJ_id_GostR3410_94_CryptoPro_B_ParamSet */
0x2A,0x85,0x03,0x02,0x02,0x20,0x04, /* [ 5546] OBJ_id_GostR3410_94_CryptoPro_C_ParamSet */
0x2A,0x85,0x03,0x02,0x02,0x20,0x05, /* [ 5553] OBJ_id_GostR3410_94_CryptoPro_D_ParamSet */
0x2A,0x85,0x03,0x02,0x02,0x21,0x01, /* [ 5560] OBJ_id_GostR3410_94_CryptoPro_XchA_ParamSet */
0x2A,0x85,0x03,0x02,0x02,0x21,0x02, /* [ 5567] OBJ_id_GostR3410_94_CryptoPro_XchB_ParamSet */
0x2A,0x85,0x03,0x02,0x02,0x21,0x03, /* [ 5574] OBJ_id_GostR3410_94_CryptoPro_XchC_ParamSet */
0x2A,0x85,0x03,0x02,0x02,0x23,0x00, /* [ 5581] OBJ_id_GostR3410_2001_TestParamSet */
0x2A,0x85,0x03,0x02,0x02,0x23,0x01, /* [ 5588] OBJ_id_GostR3410_2001_CryptoPro_A_ParamSet */
0x2A,0x85,0x03,0x02,0x02,0x23,0x02, /* [ 5595] OBJ_id_GostR3410_2001_CryptoPro_B_ParamSet */
0x2A,0x85,0x03,0x02,0x02,0x23,0x03, /* [ 5602] OBJ_id_GostR3410_2001_CryptoPro_C_ParamSet */
0x2A,0x85,0x03,0x02,0x02,0x24,0x00, /* [ 5609] OBJ_id_GostR3410_2001_CryptoPro_XchA_ParamSet */
0x2A,0x85,0x03,0x02,0x02,0x24,0x01, /* [ 5616] OBJ_id_GostR3410_2001_CryptoPro_XchB_ParamSet */
0x2A,0x85,0x03,0x02,0x02,0x14,0x01, /* [ 5623] OBJ_id_GostR3410_94_a */
0x2A,0x85,0x03,0x02,0x02,0x14,0x02, /* [ 5630] OBJ_id_GostR3410_94_aBis */
0x2A,0x85,0x03,0x02,0x02,0x14,0x03, /* [ 5637] OBJ_id_GostR3410_94_b */
0x2A,0x85,0x03,0x02,0x02,0x14,0x04, /* [ 5644] OBJ_id_GostR3410_94_bBis */
0x2A,0x85,0x03,0x02,0x09,0x01,0x06,0x01, /* [ 5651] OBJ_id_Gost28147_89_cc */
0x2A,0x85,0x03,0x02,0x09,0x01,0x05,0x03, /* [ 5659] OBJ_id_GostR3410_94_cc */
0x2A,0x85,0x03,0x02,0x09,0x01,0x05,0x04, /* [ 5667] OBJ_id_GostR3410_2001_cc */
0x2A,0x85,0x03,0x02,0x09,0x01,0x03,0x03, /* [ 5675] OBJ_id_GostR3411_94_with_GostR3410_94_cc */
0x2A,0x85,0x03,0x02,0x09,0x01,0x03,0x04, /* [ 5683] OBJ_id_GostR3411_94_with_GostR3410_2001_cc */
0x2A,0x85,0x03,0x02,0x09,0x01,0x08,0x01, /* [ 5691] OBJ_id_GostR3410_2001_ParamSet_cc */
0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x11,0x02, /* [ 5699] OBJ_LocalKeySet */
0x55,0x1D,0x2E, /* [ 5708] OBJ_freshest_crl */
0x2B,0x06,0x01,0x05,0x05,0x07,0x08,0x03, /* [ 5711] OBJ_id_on_permanentIdentifier */
0x55,0x04,0x0E, /* [ 5719] OBJ_searchGuide */
0x55,0x04,0x0F, /* [ 5722] OBJ_businessCategory */
0x55,0x04,0x10, /* [ 5725] OBJ_postalAddress */
0x55,0x04,0x12, /* [ 5728] OBJ_postOfficeBox */
0x55,0x04,0x13, /* [ 5731] OBJ_physicalDeliveryOfficeName */
0x55,0x04,0x14, /* [ 5734] OBJ_telephoneNumber */
0x55,0x04,0x15, /* [ 5737] OBJ_telexNumber */
0x55,0x04,0x16, /* [ 5740] OBJ_teletexTerminalIdentifier */
0x55,0x04,0x17, /* [ 5743] OBJ_facsimileTelephoneNumber */
0x55,0x04,0x18, /* [ 5746] OBJ_x121Address */
0x55,0x04,0x19, /* [ 5749] OBJ_internationaliSDNNumber */
0x55,0x04,0x1A, /* [ 5752] OBJ_registeredAddress */
0x55,0x04,0x1B, /* [ 5755] OBJ_destinationIndicator */
0x55,0x04,0x1C, /* [ 5758] OBJ_preferredDeliveryMethod */
0x55,0x04,0x1D, /* [ 5761] OBJ_presentationAddress */
0x55,0x04,0x1E, /* [ 5764] OBJ_supportedApplicationContext */
0x55,0x04,0x1F, /* [ 5767] OBJ_member */
0x55,0x04,0x20, /* [ 5770] OBJ_owner */
0x55,0x04,0x21, /* [ 5773] OBJ_roleOccupant */
0x55,0x04,0x22, /* [ 5776] OBJ_seeAlso */
0x55,0x04,0x23, /* [ 5779] OBJ_userPassword */
0x55,0x04,0x24, /* [ 5782] OBJ_userCertificate */
0x55,0x04,0x25, /* [ 5785] OBJ_cACertificate */
0x55,0x04,0x26, /* [ 5788] OBJ_authorityRevocationList */
0x55,0x04,0x27, /* [ 5791] OBJ_certificateRevocationList */
0x55,0x04,0x28, /* [ 5794] OBJ_crossCertificatePair */
0x55,0x04,0x2F, /* [ 5797] OBJ_enhancedSearchGuide */
0x55,0x04,0x30, /* [ 5800] OBJ_protocolInformation */
0x55,0x04,0x31, /* [ 5803] OBJ_distinguishedName */
0x55,0x04,0x32, /* [ 5806] OBJ_uniqueMember */
0x55,0x04,0x33, /* [ 5809] OBJ_houseIdentifier */
0x55,0x04,0x34, /* [ 5812] OBJ_supportedAlgorithms */
0x55,0x04,0x35, /* [ 5815] OBJ_deltaRevocationList */
0x55,0x04,0x36, /* [ 5818] OBJ_dmdName */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x09, /* [ 5821] OBJ_id_alg_PWRI_KEK */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x06, /* [ 5832] OBJ_aes_128_gcm */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x07, /* [ 5841] OBJ_aes_128_ccm */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x08, /* [ 5850] OBJ_id_aes128_wrap_pad */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x1A, /* [ 5859] OBJ_aes_192_gcm */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x1B, /* [ 5868] OBJ_aes_192_ccm */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x1C, /* [ 5877] OBJ_id_aes192_wrap_pad */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2E, /* [ 5886] OBJ_aes_256_gcm */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2F, /* [ 5895] OBJ_aes_256_ccm */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x30, /* [ 5904] OBJ_id_aes256_wrap_pad */
0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x03,0x02, /* [ 5913] OBJ_id_camellia128_wrap */
0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x03,0x03, /* [ 5924] OBJ_id_camellia192_wrap */
0x2A,0x83,0x08,0x8C,0x9A,0x4B,0x3D,0x01,0x01,0x03,0x04, /* [ 5935] OBJ_id_camellia256_wrap */
0x55,0x1D,0x25,0x00, /* [ 5946] OBJ_anyExtendedKeyUsage */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x08, /* [ 5950] OBJ_mgf1 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0A, /* [ 5959] OBJ_rsassaPss */
0x2B,0x6F,0x02,0x8C,0x53,0x00,0x01,0x01, /* [ 5968] OBJ_aes_128_xts */
0x2B,0x6F,0x02,0x8C,0x53,0x00,0x01,0x02, /* [ 5976] OBJ_aes_256_xts */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x07, /* [ 5984] OBJ_rsaesOaep */
0x2A,0x86,0x48,0xCE,0x3E,0x02,0x01, /* [ 5993] OBJ_dhpublicnumber */
0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x01, /* [ 6000] OBJ_brainpoolP160r1 */
0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x02, /* [ 6009] OBJ_brainpoolP160t1 */
0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x03, /* [ 6018] OBJ_brainpoolP192r1 */
0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x04, /* [ 6027] OBJ_brainpoolP192t1 */
0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x05, /* [ 6036] OBJ_brainpoolP224r1 */
0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x06, /* [ 6045] OBJ_brainpoolP224t1 */
0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x07, /* [ 6054] OBJ_brainpoolP256r1 */
0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x08, /* [ 6063] OBJ_brainpoolP256t1 */
0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x09, /* [ 6072] OBJ_brainpoolP320r1 */
0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0A, /* [ 6081] OBJ_brainpoolP320t1 */
0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0B, /* [ 6090] OBJ_brainpoolP384r1 */
0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0C, /* [ 6099] OBJ_brainpoolP384t1 */
0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0D, /* [ 6108] OBJ_brainpoolP512r1 */
0x2B,0x24,0x03,0x03,0x02,0x08,0x01,0x01,0x0E, /* [ 6117] OBJ_brainpoolP512t1 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x09, /* [ 6126] OBJ_pSpecified */
0x2B,0x81,0x05,0x10,0x86,0x48,0x3F,0x00,0x02, /* [ 6135] OBJ_dhSinglePass_stdDH_sha1kdf_scheme */
0x2B,0x81,0x04,0x01,0x0B,0x00, /* [ 6144] OBJ_dhSinglePass_stdDH_sha224kdf_scheme */
0x2B,0x81,0x04,0x01,0x0B,0x01, /* [ 6150] OBJ_dhSinglePass_stdDH_sha256kdf_scheme */
0x2B,0x81,0x04,0x01,0x0B,0x02, /* [ 6156] OBJ_dhSinglePass_stdDH_sha384kdf_scheme */
0x2B,0x81,0x04,0x01,0x0B,0x03, /* [ 6162] OBJ_dhSinglePass_stdDH_sha512kdf_scheme */
0x2B,0x81,0x05,0x10,0x86,0x48,0x3F,0x00,0x03, /* [ 6168] OBJ_dhSinglePass_cofactorDH_sha1kdf_scheme */
0x2B,0x81,0x04,0x01,0x0E,0x00, /* [ 6177] OBJ_dhSinglePass_cofactorDH_sha224kdf_scheme */
0x2B,0x81,0x04,0x01,0x0E,0x01, /* [ 6183] OBJ_dhSinglePass_cofactorDH_sha256kdf_scheme */
0x2B,0x81,0x04,0x01,0x0E,0x02, /* [ 6189] OBJ_dhSinglePass_cofactorDH_sha384kdf_scheme */
0x2B,0x81,0x04,0x01,0x0E,0x03, /* [ 6195] OBJ_dhSinglePass_cofactorDH_sha512kdf_scheme */
0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x02, /* [ 6201] OBJ_ct_precert_scts */
0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x03, /* [ 6211] OBJ_ct_precert_poison */
0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x04, /* [ 6221] OBJ_ct_precert_signer */
0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x05, /* [ 6231] OBJ_ct_cert_scts */
0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02,0x01,0x01, /* [ 6241] OBJ_jurisdictionLocalityName */
0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02,0x01,0x02, /* [ 6252] OBJ_jurisdictionStateOrProvinceName */
0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02,0x01,0x03, /* [ 6263] OBJ_jurisdictionCountryName */
0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x06, /* [ 6274] OBJ_camellia_128_gcm */
0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x07, /* [ 6282] OBJ_camellia_128_ccm */
0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x09, /* [ 6290] OBJ_camellia_128_ctr */
0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x0A, /* [ 6298] OBJ_camellia_128_cmac */
0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x1A, /* [ 6306] OBJ_camellia_192_gcm */
0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x1B, /* [ 6314] OBJ_camellia_192_ccm */
0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x1D, /* [ 6322] OBJ_camellia_192_ctr */
0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x1E, /* [ 6330] OBJ_camellia_192_cmac */
0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x2E, /* [ 6338] OBJ_camellia_256_gcm */
0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x2F, /* [ 6346] OBJ_camellia_256_ccm */
0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x31, /* [ 6354] OBJ_camellia_256_ctr */
0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x32, /* [ 6362] OBJ_camellia_256_cmac */
0x2B,0x06,0x01,0x04,0x01,0xDA,0x47,0x04,0x0B, /* [ 6370] OBJ_id_scrypt */
0x2A,0x85,0x03,0x07,0x01, /* [ 6379] OBJ_id_tc26 */
0x2A,0x85,0x03,0x07,0x01,0x01, /* [ 6384] OBJ_id_tc26_algorithms */
0x2A,0x85,0x03,0x07,0x01,0x01,0x01, /* [ 6390] OBJ_id_tc26_sign */
0x2A,0x85,0x03,0x07,0x01,0x01,0x01,0x01, /* [ 6397] OBJ_id_GostR3410_2012_256 */
0x2A,0x85,0x03,0x07,0x01,0x01,0x01,0x02, /* [ 6405] OBJ_id_GostR3410_2012_512 */
0x2A,0x85,0x03,0x07,0x01,0x01,0x02, /* [ 6413] OBJ_id_tc26_digest */
0x2A,0x85,0x03,0x07,0x01,0x01,0x02,0x02, /* [ 6420] OBJ_id_GostR3411_2012_256 */
0x2A,0x85,0x03,0x07,0x01,0x01,0x02,0x03, /* [ 6428] OBJ_id_GostR3411_2012_512 */
0x2A,0x85,0x03,0x07,0x01,0x01,0x03, /* [ 6436] OBJ_id_tc26_signwithdigest */
0x2A,0x85,0x03,0x07,0x01,0x01,0x03,0x02, /* [ 6443] OBJ_id_tc26_signwithdigest_gost3410_2012_256 */
0x2A,0x85,0x03,0x07,0x01,0x01,0x03,0x03, /* [ 6451] OBJ_id_tc26_signwithdigest_gost3410_2012_512 */
0x2A,0x85,0x03,0x07,0x01,0x01,0x04, /* [ 6459] OBJ_id_tc26_mac */
0x2A,0x85,0x03,0x07,0x01,0x01,0x04,0x01, /* [ 6466] OBJ_id_tc26_hmac_gost_3411_2012_256 */
0x2A,0x85,0x03,0x07,0x01,0x01,0x04,0x02, /* [ 6474] OBJ_id_tc26_hmac_gost_3411_2012_512 */
0x2A,0x85,0x03,0x07,0x01,0x01,0x05, /* [ 6482] OBJ_id_tc26_cipher */
0x2A,0x85,0x03,0x07,0x01,0x01,0x06, /* [ 6489] OBJ_id_tc26_agreement */
0x2A,0x85,0x03,0x07,0x01,0x01,0x06,0x01, /* [ 6496] OBJ_id_tc26_agreement_gost_3410_2012_256 */
0x2A,0x85,0x03,0x07,0x01,0x01,0x06,0x02, /* [ 6504] OBJ_id_tc26_agreement_gost_3410_2012_512 */
0x2A,0x85,0x03,0x07,0x01,0x02, /* [ 6512] OBJ_id_tc26_constants */
0x2A,0x85,0x03,0x07,0x01,0x02,0x01, /* [ 6518] OBJ_id_tc26_sign_constants */
0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02, /* [ 6525] OBJ_id_tc26_gost_3410_2012_512_constants */
0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,0x00, /* [ 6533] OBJ_id_tc26_gost_3410_2012_512_paramSetTest */
0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,0x01, /* [ 6542] OBJ_id_tc26_gost_3410_2012_512_paramSetA */
0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,0x02, /* [ 6551] OBJ_id_tc26_gost_3410_2012_512_paramSetB */
0x2A,0x85,0x03,0x07,0x01,0x02,0x02, /* [ 6560] OBJ_id_tc26_digest_constants */
0x2A,0x85,0x03,0x07,0x01,0x02,0x05, /* [ 6567] OBJ_id_tc26_cipher_constants */
0x2A,0x85,0x03,0x07,0x01,0x02,0x05,0x01, /* [ 6574] OBJ_id_tc26_gost_28147_constants */
0x2A,0x85,0x03,0x07,0x01,0x02,0x05,0x01,0x01, /* [ 6582] OBJ_id_tc26_gost_28147_param_Z */
0x2A,0x85,0x03,0x03,0x81,0x03,0x01,0x01, /* [ 6591] OBJ_INN */
0x2A,0x85,0x03,0x64,0x01, /* [ 6599] OBJ_OGRN */
0x2A,0x85,0x03,0x64,0x03, /* [ 6604] OBJ_SNILS */
0x2A,0x85,0x03,0x64,0x6F, /* [ 6609] OBJ_subjectSignTool */
0x2A,0x85,0x03,0x64,0x70, /* [ 6614] OBJ_issuerSignTool */
0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x18, /* [ 6619] OBJ_tlsfeature */
0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x11, /* [ 6627] OBJ_ipsec_IKE */
0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x12, /* [ 6635] OBJ_capwapAC */
0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x13, /* [ 6643] OBJ_capwapWTP */
0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x15, /* [ 6651] OBJ_sshClient */
0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x16, /* [ 6659] OBJ_sshServer */
0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x17, /* [ 6667] OBJ_sendRouter */
0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x18, /* [ 6675] OBJ_sendProxiedRouter */
0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x19, /* [ 6683] OBJ_sendOwner */
0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x1A, /* [ 6691] OBJ_sendProxiedOwner */
0x2B,0x06,0x01,0x05,0x02,0x03, /* [ 6699] OBJ_id_pkinit */
0x2B,0x06,0x01,0x05,0x02,0x03,0x04, /* [ 6705] OBJ_pkInitClientAuth */
0x2B,0x06,0x01,0x05,0x02,0x03,0x05, /* [ 6712] OBJ_pkInitKDC */
0x2B,0x65,0x6E, /* [ 6719] OBJ_X25519 */
0x2B,0x65,0x6F, /* [ 6722] OBJ_X448 */
0x2B,0x06,0x01,0x04,0x01,0x8D,0x3A,0x0C,0x02,0x01,0x10, /* [ 6725] OBJ_blake2b512 */
0x2B,0x06,0x01,0x04,0x01,0x8D,0x3A,0x0C,0x02,0x02,0x08, /* [ 6736] OBJ_blake2s256 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x13, /* [ 6747] OBJ_id_smime_ct_contentCollection */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x17, /* [ 6758] OBJ_id_smime_ct_authEnvelopedData */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x1C, /* [ 6769] OBJ_id_ct_xml */
0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x01, /* [ 6780] OBJ_aria_128_ecb */
0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x02, /* [ 6789] OBJ_aria_128_cbc */
0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x03, /* [ 6798] OBJ_aria_128_cfb128 */
0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x04, /* [ 6807] OBJ_aria_128_ofb128 */
0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x05, /* [ 6816] OBJ_aria_128_ctr */
0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x06, /* [ 6825] OBJ_aria_192_ecb */
0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x07, /* [ 6834] OBJ_aria_192_cbc */
0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x08, /* [ 6843] OBJ_aria_192_cfb128 */
0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x09, /* [ 6852] OBJ_aria_192_ofb128 */
0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x0A, /* [ 6861] OBJ_aria_192_ctr */
0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x0B, /* [ 6870] OBJ_aria_256_ecb */
0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x0C, /* [ 6879] OBJ_aria_256_cbc */
0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x0D, /* [ 6888] OBJ_aria_256_cfb128 */
0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x0E, /* [ 6897] OBJ_aria_256_ofb128 */
0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x0F, /* [ 6906] OBJ_aria_256_ctr */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x2F, /* [ 6915] OBJ_id_smime_aa_signingCertificateV2 */
0x2B,0x65,0x70, /* [ 6926] OBJ_ED25519 */
0x2B,0x65,0x71, /* [ 6929] OBJ_ED448 */
0x55,0x04,0x61, /* [ 6932] OBJ_organizationIdentifier */
0x55,0x04,0x62, /* [ 6935] OBJ_countryCode3c */
0x55,0x04,0x63, /* [ 6938] OBJ_countryCode3n */
0x55,0x04,0x64, /* [ 6941] OBJ_dnsName */
0x2B,0x24,0x08,0x03,0x03, /* [ 6944] OBJ_x509ExtAdmission */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x05, /* [ 6949] OBJ_sha512_224 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x06, /* [ 6958] OBJ_sha512_256 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x07, /* [ 6967] OBJ_sha3_224 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x08, /* [ 6976] OBJ_sha3_256 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x09, /* [ 6985] OBJ_sha3_384 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x0A, /* [ 6994] OBJ_sha3_512 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x0B, /* [ 7003] OBJ_shake128 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x0C, /* [ 7012] OBJ_shake256 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x0D, /* [ 7021] OBJ_hmac_sha3_224 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x0E, /* [ 7030] OBJ_hmac_sha3_256 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x0F, /* [ 7039] OBJ_hmac_sha3_384 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x10, /* [ 7048] OBJ_hmac_sha3_512 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x03, /* [ 7057] OBJ_dsa_with_SHA384 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x04, /* [ 7066] OBJ_dsa_with_SHA512 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x05, /* [ 7075] OBJ_dsa_with_SHA3_224 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x06, /* [ 7084] OBJ_dsa_with_SHA3_256 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x07, /* [ 7093] OBJ_dsa_with_SHA3_384 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x08, /* [ 7102] OBJ_dsa_with_SHA3_512 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x09, /* [ 7111] OBJ_ecdsa_with_SHA3_224 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x0A, /* [ 7120] OBJ_ecdsa_with_SHA3_256 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x0B, /* [ 7129] OBJ_ecdsa_with_SHA3_384 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x0C, /* [ 7138] OBJ_ecdsa_with_SHA3_512 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x0D, /* [ 7147] OBJ_RSA_SHA3_224 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x0E, /* [ 7156] OBJ_RSA_SHA3_256 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x0F, /* [ 7165] OBJ_RSA_SHA3_384 */
0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x10, /* [ 7174] OBJ_RSA_SHA3_512 */
0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x25, /* [ 7183] OBJ_aria_128_ccm */
0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x26, /* [ 7192] OBJ_aria_192_ccm */
0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x27, /* [ 7201] OBJ_aria_256_ccm */
0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x22, /* [ 7210] OBJ_aria_128_gcm */
0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x23, /* [ 7219] OBJ_aria_192_gcm */
0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x24, /* [ 7228] OBJ_aria_256_gcm */
0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x1B, /* [ 7237] OBJ_cmcCA */
0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x1C, /* [ 7245] OBJ_cmcRA */
0x2A,0x81,0x1C,0xCF,0x55,0x01,0x68,0x01, /* [ 7253] OBJ_sm4_ecb */
0x2A,0x81,0x1C,0xCF,0x55,0x01,0x68,0x02, /* [ 7261] OBJ_sm4_cbc */
0x2A,0x81,0x1C,0xCF,0x55,0x01,0x68,0x03, /* [ 7269] OBJ_sm4_ofb128 */
0x2A,0x81,0x1C,0xCF,0x55,0x01,0x68,0x05, /* [ 7277] OBJ_sm4_cfb1 */
0x2A,0x81,0x1C,0xCF,0x55,0x01,0x68,0x04, /* [ 7285] OBJ_sm4_cfb128 */
0x2A,0x81,0x1C,0xCF,0x55,0x01,0x68,0x06, /* [ 7293] OBJ_sm4_cfb8 */
0x2A,0x81,0x1C,0xCF,0x55,0x01,0x68,0x07, /* [ 7301] OBJ_sm4_ctr */
0x2A,0x81,0x1C, /* [ 7309] OBJ_ISO_CN */
0x2A,0x81,0x1C,0xCF,0x55, /* [ 7312] OBJ_oscca */
0x2A,0x81,0x1C,0xCF,0x55,0x01, /* [ 7317] OBJ_sm_scheme */
0x2A,0x81,0x1C,0xCF,0x55,0x01,0x83,0x11, /* [ 7323] OBJ_sm3 */
0x2A,0x81,0x1C,0xCF,0x55,0x01,0x83,0x78, /* [ 7331] OBJ_sm3WithRSAEncryption */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0F, /* [ 7339] OBJ_sha512_224WithRSAEncryption */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x10, /* [ 7348] OBJ_sha512_256WithRSAEncryption */
0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x01, /* [ 7357] OBJ_id_tc26_gost_3410_2012_256_constants */
0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x01,0x01, /* [ 7365] OBJ_id_tc26_gost_3410_2012_256_paramSetA */
0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,0x03, /* [ 7374] OBJ_id_tc26_gost_3410_2012_512_paramSetC */
0x2A,0x86,0x24, /* [ 7383] OBJ_ISO_UA */
0x2A,0x86,0x24,0x02,0x01,0x01,0x01, /* [ 7386] OBJ_ua_pki */
0x2A,0x86,0x24,0x02,0x01,0x01,0x01,0x01,0x01,0x01, /* [ 7393] OBJ_dstu28147 */
0x2A,0x86,0x24,0x02,0x01,0x01,0x01,0x01,0x01,0x01,0x02, /* [ 7403] OBJ_dstu28147_ofb */
0x2A,0x86,0x24,0x02,0x01,0x01,0x01,0x01,0x01,0x01,0x03, /* [ 7414] OBJ_dstu28147_cfb */
0x2A,0x86,0x24,0x02,0x01,0x01,0x01,0x01,0x01,0x01,0x05, /* [ 7425] OBJ_dstu28147_wrap */
0x2A,0x86,0x24,0x02,0x01,0x01,0x01,0x01,0x01,0x02, /* [ 7436] OBJ_hmacWithDstu34311 */
0x2A,0x86,0x24,0x02,0x01,0x01,0x01,0x01,0x02,0x01, /* [ 7446] OBJ_dstu34311 */
0x2A,0x86,0x24,0x02,0x01,0x01,0x01,0x01,0x03,0x01,0x01, /* [ 7456] OBJ_dstu4145le */
0x2A,0x86,0x24,0x02,0x01,0x01,0x01,0x01,0x03,0x01,0x01,0x01,0x01, /* [ 7467] OBJ_dstu4145be */
0x2A,0x86,0x24,0x02,0x01,0x01,0x01,0x01,0x03,0x01,0x01,0x02,0x00, /* [ 7480] OBJ_uacurve0 */
0x2A,0x86,0x24,0x02,0x01,0x01,0x01,0x01,0x03,0x01,0x01,0x02,0x01, /* [ 7493] OBJ_uacurve1 */
0x2A,0x86,0x24,0x02,0x01,0x01,0x01,0x01,0x03,0x01,0x01,0x02,0x02, /* [ 7506] OBJ_uacurve2 */
0x2A,0x86,0x24,0x02,0x01,0x01,0x01,0x01,0x03,0x01,0x01,0x02,0x03, /* [ 7519] OBJ_uacurve3 */
0x2A,0x86,0x24,0x02,0x01,0x01,0x01,0x01,0x03,0x01,0x01,0x02,0x04, /* [ 7532] OBJ_uacurve4 */
0x2A,0x86,0x24,0x02,0x01,0x01,0x01,0x01,0x03,0x01,0x01,0x02,0x05, /* [ 7545] OBJ_uacurve5 */
0x2A,0x86,0x24,0x02,0x01,0x01,0x01,0x01,0x03,0x01,0x01,0x02,0x06, /* [ 7558] OBJ_uacurve6 */
0x2A,0x86,0x24,0x02,0x01,0x01,0x01,0x01,0x03,0x01,0x01,0x02,0x07, /* [ 7571] OBJ_uacurve7 */
0x2A,0x86,0x24,0x02,0x01,0x01,0x01,0x01,0x03,0x01,0x01,0x02,0x08, /* [ 7584] OBJ_uacurve8 */
0x2A,0x86,0x24,0x02,0x01,0x01,0x01,0x01,0x03,0x01,0x01,0x02,0x09, /* [ 7597] OBJ_uacurve9 */
0x2B,0x6F, /* [ 7610] OBJ_ieee */
0x2B,0x6F,0x02,0x8C,0x53, /* [ 7612] OBJ_ieee_siswg */
0x2A,0x81,0x1C,0xCF,0x55,0x01,0x82,0x2D, /* [ 7617] OBJ_sm2 */
0x2A,0x85,0x03,0x07,0x01,0x01,0x05,0x01, /* [ 7625] OBJ_id_tc26_cipher_gostr3412_2015_magma */
0x2A,0x85,0x03,0x07,0x01,0x01,0x05,0x01,0x01, /* [ 7633] OBJ_id_tc26_cipher_gostr3412_2015_magma_ctracpkm */
0x2A,0x85,0x03,0x07,0x01,0x01,0x05,0x01,0x02, /* [ 7642] OBJ_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac */
0x2A,0x85,0x03,0x07,0x01,0x01,0x05,0x02, /* [ 7651] OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik */
0x2A,0x85,0x03,0x07,0x01,0x01,0x05,0x02,0x01, /* [ 7659] OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm */
0x2A,0x85,0x03,0x07,0x01,0x01,0x05,0x02,0x02, /* [ 7668] OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac */
0x2A,0x85,0x03,0x07,0x01,0x01,0x07, /* [ 7677] OBJ_id_tc26_wrap */
0x2A,0x85,0x03,0x07,0x01,0x01,0x07,0x01, /* [ 7684] OBJ_id_tc26_wrap_gostr3412_2015_magma */
0x2A,0x85,0x03,0x07,0x01,0x01,0x07,0x01,0x01, /* [ 7692] OBJ_id_tc26_wrap_gostr3412_2015_magma_kexp15 */
0x2A,0x85,0x03,0x07,0x01,0x01,0x07,0x02, /* [ 7701] OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik */
0x2A,0x85,0x03,0x07,0x01,0x01,0x07,0x02,0x01, /* [ 7709] OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15 */
0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x01,0x02, /* [ 7718] OBJ_id_tc26_gost_3410_2012_256_paramSetB */
0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x01,0x03, /* [ 7727] OBJ_id_tc26_gost_3410_2012_256_paramSetC */
0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x01,0x04, /* [ 7736] OBJ_id_tc26_gost_3410_2012_256_paramSetD */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0C, /* [ 7745] OBJ_hmacWithSHA512_224 */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */
};
#define NUM_NID 1195
static const ASN1_OBJECT nid_objs[NUM_NID] = {
{"UNDEF", "undefined", NID_undef},
{"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
{"pkcs", "RSA Data Security, Inc. PKCS", NID_pkcs, 7, &so[6]},
{"MD2", "md2", NID_md2, 8, &so[13]},
{"MD5", "md5", NID_md5, 8, &so[21]},
{"RC4", "rc4", NID_rc4, 8, &so[29]},
{"rsaEncryption", "rsaEncryption", NID_rsaEncryption, 9, &so[37]},
{"RSA-MD2", "md2WithRSAEncryption", NID_md2WithRSAEncryption, 9, &so[46]},
{"RSA-MD5", "md5WithRSAEncryption", NID_md5WithRSAEncryption, 9, &so[55]},
{"PBE-MD2-DES", "pbeWithMD2AndDES-CBC", NID_pbeWithMD2AndDES_CBC, 9, &so[64]},
{"PBE-MD5-DES", "pbeWithMD5AndDES-CBC", NID_pbeWithMD5AndDES_CBC, 9, &so[73]},
{"X500", "directory services (X.500)", NID_X500, 1, &so[82]},
{"X509", "X509", NID_X509, 2, &so[83]},
{"CN", "commonName", NID_commonName, 3, &so[85]},
{"C", "countryName", NID_countryName, 3, &so[88]},
{"L", "localityName", NID_localityName, 3, &so[91]},
{"ST", "stateOrProvinceName", NID_stateOrProvinceName, 3, &so[94]},
{"O", "organizationName", NID_organizationName, 3, &so[97]},
{"OU", "organizationalUnitName", NID_organizationalUnitName, 3, &so[100]},
{"RSA", "rsa", NID_rsa, 4, &so[103]},
{"pkcs7", "pkcs7", NID_pkcs7, 8, &so[107]},
{"pkcs7-data", "pkcs7-data", NID_pkcs7_data, 9, &so[115]},
{"pkcs7-signedData", "pkcs7-signedData", NID_pkcs7_signed, 9, &so[124]},
{"pkcs7-envelopedData", "pkcs7-envelopedData", NID_pkcs7_enveloped, 9, &so[133]},
{"pkcs7-signedAndEnvelopedData", "pkcs7-signedAndEnvelopedData", NID_pkcs7_signedAndEnveloped, 9, &so[142]},
{"pkcs7-digestData", "pkcs7-digestData", NID_pkcs7_digest, 9, &so[151]},
{"pkcs7-encryptedData", "pkcs7-encryptedData", NID_pkcs7_encrypted, 9, &so[160]},
{"pkcs3", "pkcs3", NID_pkcs3, 8, &so[169]},
{"dhKeyAgreement", "dhKeyAgreement", NID_dhKeyAgreement, 9, &so[177]},
{"DES-ECB", "des-ecb", NID_des_ecb, 5, &so[186]},
{"DES-CFB", "des-cfb", NID_des_cfb64, 5, &so[191]},
{"DES-CBC", "des-cbc", NID_des_cbc, 5, &so[196]},
{"DES-EDE", "des-ede", NID_des_ede_ecb, 5, &so[201]},
{"DES-EDE3", "des-ede3", NID_des_ede3_ecb},
{"IDEA-CBC", "idea-cbc", NID_idea_cbc, 11, &so[206]},
{"IDEA-CFB", "idea-cfb", NID_idea_cfb64},
{"IDEA-ECB", "idea-ecb", NID_idea_ecb},
{"RC2-CBC", "rc2-cbc", NID_rc2_cbc, 8, &so[217]},
{"RC2-ECB", "rc2-ecb", NID_rc2_ecb},
{"RC2-CFB", "rc2-cfb", NID_rc2_cfb64},
{"RC2-OFB", "rc2-ofb", NID_rc2_ofb64},
{"SHA", "sha", NID_sha, 5, &so[225]},
{"RSA-SHA", "shaWithRSAEncryption", NID_shaWithRSAEncryption, 5, &so[230]},
{"DES-EDE-CBC", "des-ede-cbc", NID_des_ede_cbc},
{"DES-EDE3-CBC", "des-ede3-cbc", NID_des_ede3_cbc, 8, &so[235]},
{"DES-OFB", "des-ofb", NID_des_ofb64, 5, &so[243]},
{"IDEA-OFB", "idea-ofb", NID_idea_ofb64},
{"pkcs9", "pkcs9", NID_pkcs9, 8, &so[248]},
{"emailAddress", "emailAddress", NID_pkcs9_emailAddress, 9, &so[256]},
{"unstructuredName", "unstructuredName", NID_pkcs9_unstructuredName, 9, &so[265]},
{"contentType", "contentType", NID_pkcs9_contentType, 9, &so[274]},
{"messageDigest", "messageDigest", NID_pkcs9_messageDigest, 9, &so[283]},
{"signingTime", "signingTime", NID_pkcs9_signingTime, 9, &so[292]},
{"countersignature", "countersignature", NID_pkcs9_countersignature, 9, &so[301]},
{"challengePassword", "challengePassword", NID_pkcs9_challengePassword, 9, &so[310]},
{"unstructuredAddress", "unstructuredAddress", NID_pkcs9_unstructuredAddress, 9, &so[319]},
{"extendedCertificateAttributes", "extendedCertificateAttributes", NID_pkcs9_extCertAttributes, 9, &so[328]},
{"Netscape", "Netscape Communications Corp.", NID_netscape, 7, &so[337]},
{"nsCertExt", "Netscape Certificate Extension", NID_netscape_cert_extension, 8, &so[344]},
{"nsDataType", "Netscape Data Type", NID_netscape_data_type, 8, &so[352]},
{"DES-EDE-CFB", "des-ede-cfb", NID_des_ede_cfb64},
{"DES-EDE3-CFB", "des-ede3-cfb", NID_des_ede3_cfb64},
{"DES-EDE-OFB", "des-ede-ofb", NID_des_ede_ofb64},
{"DES-EDE3-OFB", "des-ede3-ofb", NID_des_ede3_ofb64},
{"SHA1", "sha1", NID_sha1, 5, &so[360]},
{"RSA-SHA1", "sha1WithRSAEncryption", NID_sha1WithRSAEncryption, 9, &so[365]},
{"DSA-SHA", "dsaWithSHA", NID_dsaWithSHA, 5, &so[374]},
{"DSA-old", "dsaEncryption-old", NID_dsa_2, 5, &so[379]},
{"PBE-SHA1-RC2-64", "pbeWithSHA1AndRC2-CBC", NID_pbeWithSHA1AndRC2_CBC, 9, &so[384]},
{"PBKDF2", "PBKDF2", NID_id_pbkdf2, 9, &so[393]},
{"DSA-SHA1-old", "dsaWithSHA1-old", NID_dsaWithSHA1_2, 5, &so[402]},
{"nsCertType", "Netscape Cert Type", NID_netscape_cert_type, 9, &so[407]},
{"nsBaseUrl", "Netscape Base Url", NID_netscape_base_url, 9, &so[416]},
{"nsRevocationUrl", "Netscape Revocation Url", NID_netscape_revocation_url, 9, &so[425]},
{"nsCaRevocationUrl", "Netscape CA Revocation Url", NID_netscape_ca_revocation_url, 9, &so[434]},
{"nsRenewalUrl", "Netscape Renewal Url", NID_netscape_renewal_url, 9, &so[443]},
{"nsCaPolicyUrl", "Netscape CA Policy Url", NID_netscape_ca_policy_url, 9, &so[452]},
{"nsSslServerName", "Netscape SSL Server Name", NID_netscape_ssl_server_name, 9, &so[461]},
{"nsComment", "Netscape Comment", NID_netscape_comment, 9, &so[470]},
{"nsCertSequence", "Netscape Certificate Sequence", NID_netscape_cert_sequence, 9, &so[479]},
{"DESX-CBC", "desx-cbc", NID_desx_cbc},
{"id-ce", "id-ce", NID_id_ce, 2, &so[488]},
{"subjectKeyIdentifier", "X509v3 Subject Key Identifier", NID_subject_key_identifier, 3, &so[490]},
{"keyUsage", "X509v3 Key Usage", NID_key_usage, 3, &so[493]},
{"privateKeyUsagePeriod", "X509v3 Private Key Usage Period", NID_private_key_usage_period, 3, &so[496]},
{"subjectAltName", "X509v3 Subject Alternative Name", NID_subject_alt_name, 3, &so[499]},
{"issuerAltName", "X509v3 Issuer Alternative Name", NID_issuer_alt_name, 3, &so[502]},
{"basicConstraints", "X509v3 Basic Constraints", NID_basic_constraints, 3, &so[505]},
{"crlNumber", "X509v3 CRL Number", NID_crl_number, 3, &so[508]},
{"certificatePolicies", "X509v3 Certificate Policies", NID_certificate_policies, 3, &so[511]},
{"authorityKeyIdentifier", "X509v3 Authority Key Identifier", NID_authority_key_identifier, 3, &so[514]},
{"BF-CBC", "bf-cbc", NID_bf_cbc, 9, &so[517]},
{"BF-ECB", "bf-ecb", NID_bf_ecb},
{"BF-CFB", "bf-cfb", NID_bf_cfb64},
{"BF-OFB", "bf-ofb", NID_bf_ofb64},
{"MDC2", "mdc2", NID_mdc2, 4, &so[526]},
{"RSA-MDC2", "mdc2WithRSA", NID_mdc2WithRSA, 4, &so[530]},
{"RC4-40", "rc4-40", NID_rc4_40},
{"RC2-40-CBC", "rc2-40-cbc", NID_rc2_40_cbc},
{"GN", "givenName", NID_givenName, 3, &so[534]},
{"SN", "surname", NID_surname, 3, &so[537]},
{"initials", "initials", NID_initials, 3, &so[540]},
{"uid", "uniqueIdentifier", NID_uniqueIdentifier, 10, &so[543]},
{"crlDistributionPoints", "X509v3 CRL Distribution Points", NID_crl_distribution_points, 3, &so[553]},
{"RSA-NP-MD5", "md5WithRSA", NID_md5WithRSA, 5, &so[556]},
{"serialNumber", "serialNumber", NID_serialNumber, 3, &so[561]},
{"title", "title", NID_title, 3, &so[564]},
{"description", "description", NID_description, 3, &so[567]},
{"CAST5-CBC", "cast5-cbc", NID_cast5_cbc, 9, &so[570]},
{"CAST5-ECB", "cast5-ecb", NID_cast5_ecb},
{"CAST5-CFB", "cast5-cfb", NID_cast5_cfb64},
{"CAST5-OFB", "cast5-ofb", NID_cast5_ofb64},
{"pbeWithMD5AndCast5CBC", "pbeWithMD5AndCast5CBC", NID_pbeWithMD5AndCast5_CBC, 9, &so[579]},
{"DSA-SHA1", "dsaWithSHA1", NID_dsaWithSHA1, 7, &so[588]},
{"MD5-SHA1", "md5-sha1", NID_md5_sha1},
{"RSA-SHA1-2", "sha1WithRSA", NID_sha1WithRSA, 5, &so[595]},
{"DSA", "dsaEncryption", NID_dsa, 7, &so[600]},
{"RIPEMD160", "ripemd160", NID_ripemd160, 5, &so[607]},
{ NULL, NULL, NID_undef },
{"RSA-RIPEMD160", "ripemd160WithRSA", NID_ripemd160WithRSA, 6, &so[612]},
{"RC5-CBC", "rc5-cbc", NID_rc5_cbc, 8, &so[618]},
{"RC5-ECB", "rc5-ecb", NID_rc5_ecb},
{"RC5-CFB", "rc5-cfb", NID_rc5_cfb64},
{"RC5-OFB", "rc5-ofb", NID_rc5_ofb64},
{ NULL, NULL, NID_undef },
{"ZLIB", "zlib compression", NID_zlib_compression, 11, &so[626]},
{"extendedKeyUsage", "X509v3 Extended Key Usage", NID_ext_key_usage, 3, &so[637]},
{"PKIX", "PKIX", NID_id_pkix, 6, &so[640]},
{"id-kp", "id-kp", NID_id_kp, 7, &so[646]},
{"serverAuth", "TLS Web Server Authentication", NID_server_auth, 8, &so[653]},
{"clientAuth", "TLS Web Client Authentication", NID_client_auth, 8, &so[661]},
{"codeSigning", "Code Signing", NID_code_sign, 8, &so[669]},
{"emailProtection", "E-mail Protection", NID_email_protect, 8, &so[677]},
{"timeStamping", "Time Stamping", NID_time_stamp, 8, &so[685]},
{"msCodeInd", "Microsoft Individual Code Signing", NID_ms_code_ind, 10, &so[693]},
{"msCodeCom", "Microsoft Commercial Code Signing", NID_ms_code_com, 10, &so[703]},
{"msCTLSign", "Microsoft Trust List Signing", NID_ms_ctl_sign, 10, &so[713]},
{"msSGC", "Microsoft Server Gated Crypto", NID_ms_sgc, 10, &so[723]},
{"msEFS", "Microsoft Encrypted File System", NID_ms_efs, 10, &so[733]},
{"nsSGC", "Netscape Server Gated Crypto", NID_ns_sgc, 9, &so[743]},
{"deltaCRL", "X509v3 Delta CRL Indicator", NID_delta_crl, 3, &so[752]},
{"CRLReason", "X509v3 CRL Reason Code", NID_crl_reason, 3, &so[755]},
{"invalidityDate", "Invalidity Date", NID_invalidity_date, 3, &so[758]},
{"SXNetID", "Strong Extranet ID", NID_sxnet, 5, &so[761]},
{"PBE-SHA1-RC4-128", "pbeWithSHA1And128BitRC4", NID_pbe_WithSHA1And128BitRC4, 10, &so[766]},
{"PBE-SHA1-RC4-40", "pbeWithSHA1And40BitRC4", NID_pbe_WithSHA1And40BitRC4, 10, &so[776]},
{"PBE-SHA1-3DES", "pbeWithSHA1And3-KeyTripleDES-CBC", NID_pbe_WithSHA1And3_Key_TripleDES_CBC, 10, &so[786]},
{"PBE-SHA1-2DES", "pbeWithSHA1And2-KeyTripleDES-CBC", NID_pbe_WithSHA1And2_Key_TripleDES_CBC, 10, &so[796]},
{"PBE-SHA1-RC2-128", "pbeWithSHA1And128BitRC2-CBC", NID_pbe_WithSHA1And128BitRC2_CBC, 10, &so[806]},
{"PBE-SHA1-RC2-40", "pbeWithSHA1And40BitRC2-CBC", NID_pbe_WithSHA1And40BitRC2_CBC, 10, &so[816]},
{"keyBag", "keyBag", NID_keyBag, 11, &so[826]},
{"pkcs8ShroudedKeyBag", "pkcs8ShroudedKeyBag", NID_pkcs8ShroudedKeyBag, 11, &so[837]},
{"certBag", "certBag", NID_certBag, 11, &so[848]},
{"crlBag", "crlBag", NID_crlBag, 11, &so[859]},
{"secretBag", "secretBag", NID_secretBag, 11, &so[870]},
{"safeContentsBag", "safeContentsBag", NID_safeContentsBag, 11, &so[881]},
{"friendlyName", "friendlyName", NID_friendlyName, 9, &so[892]},
{"localKeyID", "localKeyID", NID_localKeyID, 9, &so[901]},
{"x509Certificate", "x509Certificate", NID_x509Certificate, 10, &so[910]},
{"sdsiCertificate", "sdsiCertificate", NID_sdsiCertificate, 10, &so[920]},
{"x509Crl", "x509Crl", NID_x509Crl, 10, &so[930]},
{"PBES2", "PBES2", NID_pbes2, 9, &so[940]},
{"PBMAC1", "PBMAC1", NID_pbmac1, 9, &so[949]},
{"hmacWithSHA1", "hmacWithSHA1", NID_hmacWithSHA1, 8, &so[958]},
{"id-qt-cps", "Policy Qualifier CPS", NID_id_qt_cps, 8, &so[966]},
{"id-qt-unotice", "Policy Qualifier User Notice", NID_id_qt_unotice, 8, &so[974]},
{"RC2-64-CBC", "rc2-64-cbc", NID_rc2_64_cbc},
{"SMIME-CAPS", "S/MIME Capabilities", NID_SMIMECapabilities, 9, &so[982]},
{"PBE-MD2-RC2-64", "pbeWithMD2AndRC2-CBC", NID_pbeWithMD2AndRC2_CBC, 9, &so[991]},
{"PBE-MD5-RC2-64", "pbeWithMD5AndRC2-CBC", NID_pbeWithMD5AndRC2_CBC, 9, &so[1000]},
{"PBE-SHA1-DES", "pbeWithSHA1AndDES-CBC", NID_pbeWithSHA1AndDES_CBC, 9, &so[1009]},
{"msExtReq", "Microsoft Extension Request", NID_ms_ext_req, 10, &so[1018]},
{"extReq", "Extension Request", NID_ext_req, 9, &so[1028]},
{"name", "name", NID_name, 3, &so[1037]},
{"dnQualifier", "dnQualifier", NID_dnQualifier, 3, &so[1040]},
{"id-pe", "id-pe", NID_id_pe, 7, &so[1043]},
{"id-ad", "id-ad", NID_id_ad, 7, &so[1050]},
{"authorityInfoAccess", "Authority Information Access", NID_info_access, 8, &so[1057]},
{"OCSP", "OCSP", NID_ad_OCSP, 8, &so[1065]},
{"caIssuers", "CA Issuers", NID_ad_ca_issuers, 8, &so[1073]},
{"OCSPSigning", "OCSP Signing", NID_OCSP_sign, 8, &so[1081]},
{"ISO", "iso", NID_iso},
{"member-body", "ISO Member Body", NID_member_body, 1, &so[1089]},
{"ISO-US", "ISO US Member Body", NID_ISO_US, 3, &so[1090]},
{"X9-57", "X9.57", NID_X9_57, 5, &so[1093]},
{"X9cm", "X9.57 CM ?", NID_X9cm, 6, &so[1098]},
{"pkcs1", "pkcs1", NID_pkcs1, 8, &so[1104]},
{"pkcs5", "pkcs5", NID_pkcs5, 8, &so[1112]},
{"SMIME", "S/MIME", NID_SMIME, 9, &so[1120]},
{"id-smime-mod", "id-smime-mod", NID_id_smime_mod, 10, &so[1129]},
{"id-smime-ct", "id-smime-ct", NID_id_smime_ct, 10, &so[1139]},
{"id-smime-aa", "id-smime-aa", NID_id_smime_aa, 10, &so[1149]},
{"id-smime-alg", "id-smime-alg", NID_id_smime_alg, 10, &so[1159]},
{"id-smime-cd", "id-smime-cd", NID_id_smime_cd, 10, &so[1169]},
{"id-smime-spq", "id-smime-spq", NID_id_smime_spq, 10, &so[1179]},
{"id-smime-cti", "id-smime-cti", NID_id_smime_cti, 10, &so[1189]},
{"id-smime-mod-cms", "id-smime-mod-cms", NID_id_smime_mod_cms, 11, &so[1199]},
{"id-smime-mod-ess", "id-smime-mod-ess", NID_id_smime_mod_ess, 11, &so[1210]},
{"id-smime-mod-oid", "id-smime-mod-oid", NID_id_smime_mod_oid, 11, &so[1221]},
{"id-smime-mod-msg-v3", "id-smime-mod-msg-v3", NID_id_smime_mod_msg_v3, 11, &so[1232]},
{"id-smime-mod-ets-eSignature-88", "id-smime-mod-ets-eSignature-88", NID_id_smime_mod_ets_eSignature_88, 11, &so[1243]},
{"id-smime-mod-ets-eSignature-97", "id-smime-mod-ets-eSignature-97", NID_id_smime_mod_ets_eSignature_97, 11, &so[1254]},
{"id-smime-mod-ets-eSigPolicy-88", "id-smime-mod-ets-eSigPolicy-88", NID_id_smime_mod_ets_eSigPolicy_88, 11, &so[1265]},
{"id-smime-mod-ets-eSigPolicy-97", "id-smime-mod-ets-eSigPolicy-97", NID_id_smime_mod_ets_eSigPolicy_97, 11, &so[1276]},
{"id-smime-ct-receipt", "id-smime-ct-receipt", NID_id_smime_ct_receipt, 11, &so[1287]},
{"id-smime-ct-authData", "id-smime-ct-authData", NID_id_smime_ct_authData, 11, &so[1298]},
{"id-smime-ct-publishCert", "id-smime-ct-publishCert", NID_id_smime_ct_publishCert, 11, &so[1309]},
{"id-smime-ct-TSTInfo", "id-smime-ct-TSTInfo", NID_id_smime_ct_TSTInfo, 11, &so[1320]},
{"id-smime-ct-TDTInfo", "id-smime-ct-TDTInfo", NID_id_smime_ct_TDTInfo, 11, &so[1331]},
{"id-smime-ct-contentInfo", "id-smime-ct-contentInfo", NID_id_smime_ct_contentInfo, 11, &so[1342]},
{"id-smime-ct-DVCSRequestData", "id-smime-ct-DVCSRequestData", NID_id_smime_ct_DVCSRequestData, 11, &so[1353]},
{"id-smime-ct-DVCSResponseData", "id-smime-ct-DVCSResponseData", NID_id_smime_ct_DVCSResponseData, 11, &so[1364]},
{"id-smime-aa-receiptRequest", "id-smime-aa-receiptRequest", NID_id_smime_aa_receiptRequest, 11, &so[1375]},
{"id-smime-aa-securityLabel", "id-smime-aa-securityLabel", NID_id_smime_aa_securityLabel, 11, &so[1386]},
{"id-smime-aa-mlExpandHistory", "id-smime-aa-mlExpandHistory", NID_id_smime_aa_mlExpandHistory, 11, &so[1397]},
{"id-smime-aa-contentHint", "id-smime-aa-contentHint", NID_id_smime_aa_contentHint, 11, &so[1408]},
{"id-smime-aa-msgSigDigest", "id-smime-aa-msgSigDigest", NID_id_smime_aa_msgSigDigest, 11, &so[1419]},
{"id-smime-aa-encapContentType", "id-smime-aa-encapContentType", NID_id_smime_aa_encapContentType, 11, &so[1430]},
{"id-smime-aa-contentIdentifier", "id-smime-aa-contentIdentifier", NID_id_smime_aa_contentIdentifier, 11, &so[1441]},
{"id-smime-aa-macValue", "id-smime-aa-macValue", NID_id_smime_aa_macValue, 11, &so[1452]},
{"id-smime-aa-equivalentLabels", "id-smime-aa-equivalentLabels", NID_id_smime_aa_equivalentLabels, 11, &so[1463]},
{"id-smime-aa-contentReference", "id-smime-aa-contentReference", NID_id_smime_aa_contentReference, 11, &so[1474]},
{"id-smime-aa-encrypKeyPref", "id-smime-aa-encrypKeyPref", NID_id_smime_aa_encrypKeyPref, 11, &so[1485]},
{"id-smime-aa-signingCertificate", "id-smime-aa-signingCertificate", NID_id_smime_aa_signingCertificate, 11, &so[1496]},
{"id-smime-aa-smimeEncryptCerts", "id-smime-aa-smimeEncryptCerts", NID_id_smime_aa_smimeEncryptCerts, 11, &so[1507]},
{"id-smime-aa-timeStampToken", "id-smime-aa-timeStampToken", NID_id_smime_aa_timeStampToken, 11, &so[1518]},
{"id-smime-aa-ets-sigPolicyId", "id-smime-aa-ets-sigPolicyId", NID_id_smime_aa_ets_sigPolicyId, 11, &so[1529]},
{"id-smime-aa-ets-commitmentType", "id-smime-aa-ets-commitmentType", NID_id_smime_aa_ets_commitmentType, 11, &so[1540]},
{"id-smime-aa-ets-signerLocation", "id-smime-aa-ets-signerLocation", NID_id_smime_aa_ets_signerLocation, 11, &so[1551]},
{"id-smime-aa-ets-signerAttr", "id-smime-aa-ets-signerAttr", NID_id_smime_aa_ets_signerAttr, 11, &so[1562]},
{"id-smime-aa-ets-otherSigCert", "id-smime-aa-ets-otherSigCert", NID_id_smime_aa_ets_otherSigCert, 11, &so[1573]},
{"id-smime-aa-ets-contentTimestamp", "id-smime-aa-ets-contentTimestamp", NID_id_smime_aa_ets_contentTimestamp, 11, &so[1584]},
{"id-smime-aa-ets-CertificateRefs", "id-smime-aa-ets-CertificateRefs", NID_id_smime_aa_ets_CertificateRefs, 11, &so[1595]},
{"id-smime-aa-ets-RevocationRefs", "id-smime-aa-ets-RevocationRefs", NID_id_smime_aa_ets_RevocationRefs, 11, &so[1606]},
{"id-smime-aa-ets-certValues", "id-smime-aa-ets-certValues", NID_id_smime_aa_ets_certValues, 11, &so[1617]},
{"id-smime-aa-ets-revocationValues", "id-smime-aa-ets-revocationValues", NID_id_smime_aa_ets_revocationValues, 11, &so[1628]},
{"id-smime-aa-ets-escTimeStamp", "id-smime-aa-ets-escTimeStamp", NID_id_smime_aa_ets_escTimeStamp, 11, &so[1639]},
{"id-smime-aa-ets-certCRLTimestamp", "id-smime-aa-ets-certCRLTimestamp", NID_id_smime_aa_ets_certCRLTimestamp, 11, &so[1650]},
{"id-smime-aa-ets-archiveTimeStamp", "id-smime-aa-ets-archiveTimeStamp", NID_id_smime_aa_ets_archiveTimeStamp, 11, &so[1661]},
{"id-smime-aa-signatureType", "id-smime-aa-signatureType", NID_id_smime_aa_signatureType, 11, &so[1672]},
{"id-smime-aa-dvcs-dvc", "id-smime-aa-dvcs-dvc", NID_id_smime_aa_dvcs_dvc, 11, &so[1683]},
{"id-smime-alg-ESDHwith3DES", "id-smime-alg-ESDHwith3DES", NID_id_smime_alg_ESDHwith3DES, 11, &so[1694]},
{"id-smime-alg-ESDHwithRC2", "id-smime-alg-ESDHwithRC2", NID_id_smime_alg_ESDHwithRC2, 11, &so[1705]},
{"id-smime-alg-3DESwrap", "id-smime-alg-3DESwrap", NID_id_smime_alg_3DESwrap, 11, &so[1716]},
{"id-smime-alg-RC2wrap", "id-smime-alg-RC2wrap", NID_id_smime_alg_RC2wrap, 11, &so[1727]},
{"id-smime-alg-ESDH", "id-smime-alg-ESDH", NID_id_smime_alg_ESDH, 11, &so[1738]},
{"id-smime-alg-CMS3DESwrap", "id-smime-alg-CMS3DESwrap", NID_id_smime_alg_CMS3DESwrap, 11, &so[1749]},
{"id-smime-alg-CMSRC2wrap", "id-smime-alg-CMSRC2wrap", NID_id_smime_alg_CMSRC2wrap, 11, &so[1760]},
{"id-smime-cd-ldap", "id-smime-cd-ldap", NID_id_smime_cd_ldap, 11, &so[1771]},
{"id-smime-spq-ets-sqt-uri", "id-smime-spq-ets-sqt-uri", NID_id_smime_spq_ets_sqt_uri, 11, &so[1782]},
{"id-smime-spq-ets-sqt-unotice", "id-smime-spq-ets-sqt-unotice", NID_id_smime_spq_ets_sqt_unotice, 11, &so[1793]},
{"id-smime-cti-ets-proofOfOrigin", "id-smime-cti-ets-proofOfOrigin", NID_id_smime_cti_ets_proofOfOrigin, 11, &so[1804]},
{"id-smime-cti-ets-proofOfReceipt", "id-smime-cti-ets-proofOfReceipt", NID_id_smime_cti_ets_proofOfReceipt, 11, &so[1815]},
{"id-smime-cti-ets-proofOfDelivery", "id-smime-cti-ets-proofOfDelivery", NID_id_smime_cti_ets_proofOfDelivery, 11, &so[1826]},
{"id-smime-cti-ets-proofOfSender", "id-smime-cti-ets-proofOfSender", NID_id_smime_cti_ets_proofOfSender, 11, &so[1837]},
{"id-smime-cti-ets-proofOfApproval", "id-smime-cti-ets-proofOfApproval", NID_id_smime_cti_ets_proofOfApproval, 11, &so[1848]},
{"id-smime-cti-ets-proofOfCreation", "id-smime-cti-ets-proofOfCreation", NID_id_smime_cti_ets_proofOfCreation, 11, &so[1859]},
{"MD4", "md4", NID_md4, 8, &so[1870]},
{"id-pkix-mod", "id-pkix-mod", NID_id_pkix_mod, 7, &so[1878]},
{"id-qt", "id-qt", NID_id_qt, 7, &so[1885]},
{"id-it", "id-it", NID_id_it, 7, &so[1892]},
{"id-pkip", "id-pkip", NID_id_pkip, 7, &so[1899]},
{"id-alg", "id-alg", NID_id_alg, 7, &so[1906]},
{"id-cmc", "id-cmc", NID_id_cmc, 7, &so[1913]},
{"id-on", "id-on", NID_id_on, 7, &so[1920]},
{"id-pda", "id-pda", NID_id_pda, 7, &so[1927]},
{"id-aca", "id-aca", NID_id_aca, 7, &so[1934]},
{"id-qcs", "id-qcs", NID_id_qcs, 7, &so[1941]},
{"id-cct", "id-cct", NID_id_cct, 7, &so[1948]},
{"id-pkix1-explicit-88", "id-pkix1-explicit-88", NID_id_pkix1_explicit_88, 8, &so[1955]},
{"id-pkix1-implicit-88", "id-pkix1-implicit-88", NID_id_pkix1_implicit_88, 8, &so[1963]},
{"id-pkix1-explicit-93", "id-pkix1-explicit-93", NID_id_pkix1_explicit_93, 8, &so[1971]},
{"id-pkix1-implicit-93", "id-pkix1-implicit-93", NID_id_pkix1_implicit_93, 8, &so[1979]},
{"id-mod-crmf", "id-mod-crmf", NID_id_mod_crmf, 8, &so[1987]},
{"id-mod-cmc", "id-mod-cmc", NID_id_mod_cmc, 8, &so[1995]},
{"id-mod-kea-profile-88", "id-mod-kea-profile-88", NID_id_mod_kea_profile_88, 8, &so[2003]},
{"id-mod-kea-profile-93", "id-mod-kea-profile-93", NID_id_mod_kea_profile_93, 8, &so[2011]},
{"id-mod-cmp", "id-mod-cmp", NID_id_mod_cmp, 8, &so[2019]},
{"id-mod-qualified-cert-88", "id-mod-qualified-cert-88", NID_id_mod_qualified_cert_88, 8, &so[2027]},
{"id-mod-qualified-cert-93", "id-mod-qualified-cert-93", NID_id_mod_qualified_cert_93, 8, &so[2035]},
{"id-mod-attribute-cert", "id-mod-attribute-cert", NID_id_mod_attribute_cert, 8, &so[2043]},
{"id-mod-timestamp-protocol", "id-mod-timestamp-protocol", NID_id_mod_timestamp_protocol, 8, &so[2051]},
{"id-mod-ocsp", "id-mod-ocsp", NID_id_mod_ocsp, 8, &so[2059]},
{"id-mod-dvcs", "id-mod-dvcs", NID_id_mod_dvcs, 8, &so[2067]},
{"id-mod-cmp2000", "id-mod-cmp2000", NID_id_mod_cmp2000, 8, &so[2075]},
{"biometricInfo", "Biometric Info", NID_biometricInfo, 8, &so[2083]},
{"qcStatements", "qcStatements", NID_qcStatements, 8, &so[2091]},
{"ac-auditEntity", "ac-auditEntity", NID_ac_auditEntity, 8, &so[2099]},
{"ac-targeting", "ac-targeting", NID_ac_targeting, 8, &so[2107]},
{"aaControls", "aaControls", NID_aaControls, 8, &so[2115]},
{"sbgp-ipAddrBlock", "sbgp-ipAddrBlock", NID_sbgp_ipAddrBlock, 8, &so[2123]},
{"sbgp-autonomousSysNum", "sbgp-autonomousSysNum", NID_sbgp_autonomousSysNum, 8, &so[2131]},
{"sbgp-routerIdentifier", "sbgp-routerIdentifier", NID_sbgp_routerIdentifier, 8, &so[2139]},
{"textNotice", "textNotice", NID_textNotice, 8, &so[2147]},
{"ipsecEndSystem", "IPSec End System", NID_ipsecEndSystem, 8, &so[2155]},
{"ipsecTunnel", "IPSec Tunnel", NID_ipsecTunnel, 8, &so[2163]},
{"ipsecUser", "IPSec User", NID_ipsecUser, 8, &so[2171]},
{"DVCS", "dvcs", NID_dvcs, 8, &so[2179]},
{"id-it-caProtEncCert", "id-it-caProtEncCert", NID_id_it_caProtEncCert, 8, &so[2187]},
{"id-it-signKeyPairTypes", "id-it-signKeyPairTypes", NID_id_it_signKeyPairTypes, 8, &so[2195]},
{"id-it-encKeyPairTypes", "id-it-encKeyPairTypes", NID_id_it_encKeyPairTypes, 8, &so[2203]},
{"id-it-preferredSymmAlg", "id-it-preferredSymmAlg", NID_id_it_preferredSymmAlg, 8, &so[2211]},
{"id-it-caKeyUpdateInfo", "id-it-caKeyUpdateInfo", NID_id_it_caKeyUpdateInfo, 8, &so[2219]},
{"id-it-currentCRL", "id-it-currentCRL", NID_id_it_currentCRL, 8, &so[2227]},
{"id-it-unsupportedOIDs", "id-it-unsupportedOIDs", NID_id_it_unsupportedOIDs, 8, &so[2235]},
{"id-it-subscriptionRequest", "id-it-subscriptionRequest", NID_id_it_subscriptionRequest, 8, &so[2243]},
{"id-it-subscriptionResponse", "id-it-subscriptionResponse", NID_id_it_subscriptionResponse, 8, &so[2251]},
{"id-it-keyPairParamReq", "id-it-keyPairParamReq", NID_id_it_keyPairParamReq, 8, &so[2259]},
{"id-it-keyPairParamRep", "id-it-keyPairParamRep", NID_id_it_keyPairParamRep, 8, &so[2267]},
{"id-it-revPassphrase", "id-it-revPassphrase", NID_id_it_revPassphrase, 8, &so[2275]},
{"id-it-implicitConfirm", "id-it-implicitConfirm", NID_id_it_implicitConfirm, 8, &so[2283]},
{"id-it-confirmWaitTime", "id-it-confirmWaitTime", NID_id_it_confirmWaitTime, 8, &so[2291]},
{"id-it-origPKIMessage", "id-it-origPKIMessage", NID_id_it_origPKIMessage, 8, &so[2299]},
{"id-regCtrl", "id-regCtrl", NID_id_regCtrl, 8, &so[2307]},
{"id-regInfo", "id-regInfo", NID_id_regInfo, 8, &so[2315]},
{"id-regCtrl-regToken", "id-regCtrl-regToken", NID_id_regCtrl_regToken, 9, &so[2323]},
{"id-regCtrl-authenticator", "id-regCtrl-authenticator", NID_id_regCtrl_authenticator, 9, &so[2332]},
{"id-regCtrl-pkiPublicationInfo", "id-regCtrl-pkiPublicationInfo", NID_id_regCtrl_pkiPublicationInfo, 9, &so[2341]},
{"id-regCtrl-pkiArchiveOptions", "id-regCtrl-pkiArchiveOptions", NID_id_regCtrl_pkiArchiveOptions, 9, &so[2350]},
{"id-regCtrl-oldCertID", "id-regCtrl-oldCertID", NID_id_regCtrl_oldCertID, 9, &so[2359]},
{"id-regCtrl-protocolEncrKey", "id-regCtrl-protocolEncrKey", NID_id_regCtrl_protocolEncrKey, 9, &so[2368]},
{"id-regInfo-utf8Pairs", "id-regInfo-utf8Pairs", NID_id_regInfo_utf8Pairs, 9, &so[2377]},
{"id-regInfo-certReq", "id-regInfo-certReq", NID_id_regInfo_certReq, 9, &so[2386]},
{"id-alg-des40", "id-alg-des40", NID_id_alg_des40, 8, &so[2395]},
{"id-alg-noSignature", "id-alg-noSignature", NID_id_alg_noSignature, 8, &so[2403]},
{"id-alg-dh-sig-hmac-sha1", "id-alg-dh-sig-hmac-sha1", NID_id_alg_dh_sig_hmac_sha1, 8, &so[2411]},
{"id-alg-dh-pop", "id-alg-dh-pop", NID_id_alg_dh_pop, 8, &so[2419]},
{"id-cmc-statusInfo", "id-cmc-statusInfo", NID_id_cmc_statusInfo, 8, &so[2427]},
{"id-cmc-identification", "id-cmc-identification", NID_id_cmc_identification, 8, &so[2435]},
{"id-cmc-identityProof", "id-cmc-identityProof", NID_id_cmc_identityProof, 8, &so[2443]},
{"id-cmc-dataReturn", "id-cmc-dataReturn", NID_id_cmc_dataReturn, 8, &so[2451]},
{"id-cmc-transactionId", "id-cmc-transactionId", NID_id_cmc_transactionId, 8, &so[2459]},
{"id-cmc-senderNonce", "id-cmc-senderNonce", NID_id_cmc_senderNonce, 8, &so[2467]},
{"id-cmc-recipientNonce", "id-cmc-recipientNonce", NID_id_cmc_recipientNonce, 8, &so[2475]},
{"id-cmc-addExtensions", "id-cmc-addExtensions", NID_id_cmc_addExtensions, 8, &so[2483]},
{"id-cmc-encryptedPOP", "id-cmc-encryptedPOP", NID_id_cmc_encryptedPOP, 8, &so[2491]},
{"id-cmc-decryptedPOP", "id-cmc-decryptedPOP", NID_id_cmc_decryptedPOP, 8, &so[2499]},
{"id-cmc-lraPOPWitness", "id-cmc-lraPOPWitness", NID_id_cmc_lraPOPWitness, 8, &so[2507]},
{"id-cmc-getCert", "id-cmc-getCert", NID_id_cmc_getCert, 8, &so[2515]},
{"id-cmc-getCRL", "id-cmc-getCRL", NID_id_cmc_getCRL, 8, &so[2523]},
{"id-cmc-revokeRequest", "id-cmc-revokeRequest", NID_id_cmc_revokeRequest, 8, &so[2531]},
{"id-cmc-regInfo", "id-cmc-regInfo", NID_id_cmc_regInfo, 8, &so[2539]},
{"id-cmc-responseInfo", "id-cmc-responseInfo", NID_id_cmc_responseInfo, 8, &so[2547]},
{"id-cmc-queryPending", "id-cmc-queryPending", NID_id_cmc_queryPending, 8, &so[2555]},
{"id-cmc-popLinkRandom", "id-cmc-popLinkRandom", NID_id_cmc_popLinkRandom, 8, &so[2563]},
{"id-cmc-popLinkWitness", "id-cmc-popLinkWitness", NID_id_cmc_popLinkWitness, 8, &so[2571]},
{"id-cmc-confirmCertAcceptance", "id-cmc-confirmCertAcceptance", NID_id_cmc_confirmCertAcceptance, 8, &so[2579]},
{"id-on-personalData", "id-on-personalData", NID_id_on_personalData, 8, &so[2587]},
{"id-pda-dateOfBirth", "id-pda-dateOfBirth", NID_id_pda_dateOfBirth, 8, &so[2595]},
{"id-pda-placeOfBirth", "id-pda-placeOfBirth", NID_id_pda_placeOfBirth, 8, &so[2603]},
{ NULL, NULL, NID_undef },
{"id-pda-gender", "id-pda-gender", NID_id_pda_gender, 8, &so[2611]},
{"id-pda-countryOfCitizenship", "id-pda-countryOfCitizenship", NID_id_pda_countryOfCitizenship, 8, &so[2619]},
{"id-pda-countryOfResidence", "id-pda-countryOfResidence", NID_id_pda_countryOfResidence, 8, &so[2627]},
{"id-aca-authenticationInfo", "id-aca-authenticationInfo", NID_id_aca_authenticationInfo, 8, &so[2635]},
{"id-aca-accessIdentity", "id-aca-accessIdentity", NID_id_aca_accessIdentity, 8, &so[2643]},
{"id-aca-chargingIdentity", "id-aca-chargingIdentity", NID_id_aca_chargingIdentity, 8, &so[2651]},
{"id-aca-group", "id-aca-group", NID_id_aca_group, 8, &so[2659]},
{"id-aca-role", "id-aca-role", NID_id_aca_role, 8, &so[2667]},
{"id-qcs-pkixQCSyntax-v1", "id-qcs-pkixQCSyntax-v1", NID_id_qcs_pkixQCSyntax_v1, 8, &so[2675]},
{"id-cct-crs", "id-cct-crs", NID_id_cct_crs, 8, &so[2683]},
{"id-cct-PKIData", "id-cct-PKIData", NID_id_cct_PKIData, 8, &so[2691]},
{"id-cct-PKIResponse", "id-cct-PKIResponse", NID_id_cct_PKIResponse, 8, &so[2699]},
{"ad_timestamping", "AD Time Stamping", NID_ad_timeStamping, 8, &so[2707]},
{"AD_DVCS", "ad dvcs", NID_ad_dvcs, 8, &so[2715]},
{"basicOCSPResponse", "Basic OCSP Response", NID_id_pkix_OCSP_basic, 9, &so[2723]},
{"Nonce", "OCSP Nonce", NID_id_pkix_OCSP_Nonce, 9, &so[2732]},
{"CrlID", "OCSP CRL ID", NID_id_pkix_OCSP_CrlID, 9, &so[2741]},
{"acceptableResponses", "Acceptable OCSP Responses", NID_id_pkix_OCSP_acceptableResponses, 9, &so[2750]},
{"noCheck", "OCSP No Check", NID_id_pkix_OCSP_noCheck, 9, &so[2759]},
{"archiveCutoff", "OCSP Archive Cutoff", NID_id_pkix_OCSP_archiveCutoff, 9, &so[2768]},
{"serviceLocator", "OCSP Service Locator", NID_id_pkix_OCSP_serviceLocator, 9, &so[2777]},
{"extendedStatus", "Extended OCSP Status", NID_id_pkix_OCSP_extendedStatus, 9, &so[2786]},
{"valid", "valid", NID_id_pkix_OCSP_valid, 9, &so[2795]},
{"path", "path", NID_id_pkix_OCSP_path, 9, &so[2804]},
{"trustRoot", "Trust Root", NID_id_pkix_OCSP_trustRoot, 9, &so[2813]},
{"algorithm", "algorithm", NID_algorithm, 4, &so[2822]},
{"rsaSignature", "rsaSignature", NID_rsaSignature, 5, &so[2826]},
{"X500algorithms", "directory services - algorithms", NID_X500algorithms, 2, &so[2831]},
{"ORG", "org", NID_org, 1, &so[2833]},
{"DOD", "dod", NID_dod, 2, &so[2834]},
{"IANA", "iana", NID_iana, 3, &so[2836]},
{"directory", "Directory", NID_Directory, 4, &so[2839]},
{"mgmt", "Management", NID_Management, 4, &so[2843]},
{"experimental", "Experimental", NID_Experimental, 4, &so[2847]},
{"private", "Private", NID_Private, 4, &so[2851]},
{"security", "Security", NID_Security, 4, &so[2855]},
{"snmpv2", "SNMPv2", NID_SNMPv2, 4, &so[2859]},
{"Mail", "Mail", NID_Mail, 4, &so[2863]},
{"enterprises", "Enterprises", NID_Enterprises, 5, &so[2867]},
{"dcobject", "dcObject", NID_dcObject, 9, &so[2872]},
{"DC", "domainComponent", NID_domainComponent, 10, &so[2881]},
{"domain", "Domain", NID_Domain, 10, &so[2891]},
{"NULL", "NULL", NID_joint_iso_ccitt},
{"selected-attribute-types", "Selected Attribute Types", NID_selected_attribute_types, 3, &so[2901]},
{"clearance", "clearance", NID_clearance, 4, &so[2904]},
{"RSA-MD4", "md4WithRSAEncryption", NID_md4WithRSAEncryption, 9, &so[2908]},
{"ac-proxying", "ac-proxying", NID_ac_proxying, 8, &so[2917]},
{"subjectInfoAccess", "Subject Information Access", NID_sinfo_access, 8, &so[2925]},
{"id-aca-encAttrs", "id-aca-encAttrs", NID_id_aca_encAttrs, 8, &so[2933]},
{"role", "role", NID_role, 3, &so[2941]},
{"policyConstraints", "X509v3 Policy Constraints", NID_policy_constraints, 3, &so[2944]},
{"targetInformation", "X509v3 AC Targeting", NID_target_information, 3, &so[2947]},
{"noRevAvail", "X509v3 No Revocation Available", NID_no_rev_avail, 3, &so[2950]},
{"NULL", "NULL", NID_ccitt},
{"ansi-X9-62", "ANSI X9.62", NID_ansi_X9_62, 5, &so[2953]},
{"prime-field", "prime-field", NID_X9_62_prime_field, 7, &so[2958]},
{"characteristic-two-field", "characteristic-two-field", NID_X9_62_characteristic_two_field, 7, &so[2965]},
{"id-ecPublicKey", "id-ecPublicKey", NID_X9_62_id_ecPublicKey, 7, &so[2972]},
{"prime192v1", "prime192v1", NID_X9_62_prime192v1, 8, &so[2979]},
{"prime192v2", "prime192v2", NID_X9_62_prime192v2, 8, &so[2987]},
{"prime192v3", "prime192v3", NID_X9_62_prime192v3, 8, &so[2995]},
{"prime239v1", "prime239v1", NID_X9_62_prime239v1, 8, &so[3003]},
{"prime239v2", "prime239v2", NID_X9_62_prime239v2, 8, &so[3011]},
{"prime239v3", "prime239v3", NID_X9_62_prime239v3, 8, &so[3019]},
{"prime256v1", "prime256v1", NID_X9_62_prime256v1, 8, &so[3027]},
{"ecdsa-with-SHA1", "ecdsa-with-SHA1", NID_ecdsa_with_SHA1, 7, &so[3035]},
{"CSPName", "Microsoft CSP Name", NID_ms_csp_name, 9, &so[3042]},
{"AES-128-ECB", "aes-128-ecb", NID_aes_128_ecb, 9, &so[3051]},
{"AES-128-CBC", "aes-128-cbc", NID_aes_128_cbc, 9, &so[3060]},
{"AES-128-OFB", "aes-128-ofb", NID_aes_128_ofb128, 9, &so[3069]},
{"AES-128-CFB", "aes-128-cfb", NID_aes_128_cfb128, 9, &so[3078]},
{"AES-192-ECB", "aes-192-ecb", NID_aes_192_ecb, 9, &so[3087]},
{"AES-192-CBC", "aes-192-cbc", NID_aes_192_cbc, 9, &so[3096]},
{"AES-192-OFB", "aes-192-ofb", NID_aes_192_ofb128, 9, &so[3105]},
{"AES-192-CFB", "aes-192-cfb", NID_aes_192_cfb128, 9, &so[3114]},
{"AES-256-ECB", "aes-256-ecb", NID_aes_256_ecb, 9, &so[3123]},
{"AES-256-CBC", "aes-256-cbc", NID_aes_256_cbc, 9, &so[3132]},
{"AES-256-OFB", "aes-256-ofb", NID_aes_256_ofb128, 9, &so[3141]},
{"AES-256-CFB", "aes-256-cfb", NID_aes_256_cfb128, 9, &so[3150]},
{"holdInstructionCode", "Hold Instruction Code", NID_hold_instruction_code, 3, &so[3159]},
{"holdInstructionNone", "Hold Instruction None", NID_hold_instruction_none, 7, &so[3162]},
{"holdInstructionCallIssuer", "Hold Instruction Call Issuer", NID_hold_instruction_call_issuer, 7, &so[3169]},
{"holdInstructionReject", "Hold Instruction Reject", NID_hold_instruction_reject, 7, &so[3176]},
{"data", "data", NID_data, 1, &so[3183]},
{"pss", "pss", NID_pss, 3, &so[3184]},
{"ucl", "ucl", NID_ucl, 7, &so[3187]},
{"pilot", "pilot", NID_pilot, 8, &so[3194]},
{"pilotAttributeType", "pilotAttributeType", NID_pilotAttributeType, 9, &so[3202]},
{"pilotAttributeSyntax", "pilotAttributeSyntax", NID_pilotAttributeSyntax, 9, &so[3211]},
{"pilotObjectClass", "pilotObjectClass", NID_pilotObjectClass, 9, &so[3220]},
{"pilotGroups", "pilotGroups", NID_pilotGroups, 9, &so[3229]},
{"iA5StringSyntax", "iA5StringSyntax", NID_iA5StringSyntax, 10, &so[3238]},
{"caseIgnoreIA5StringSyntax", "caseIgnoreIA5StringSyntax", NID_caseIgnoreIA5StringSyntax, 10, &so[3248]},
{"pilotObject", "pilotObject", NID_pilotObject, 10, &so[3258]},
{"pilotPerson", "pilotPerson", NID_pilotPerson, 10, &so[3268]},
{"account", "account", NID_account, 10, &so[3278]},
{"document", "document", NID_document, 10, &so[3288]},
{"room", "room", NID_room, 10, &so[3298]},
{"documentSeries", "documentSeries", NID_documentSeries, 10, &so[3308]},
{"rFC822localPart", "rFC822localPart", NID_rFC822localPart, 10, &so[3318]},
{"dNSDomain", "dNSDomain", NID_dNSDomain, 10, &so[3328]},
{"domainRelatedObject", "domainRelatedObject", NID_domainRelatedObject, 10, &so[3338]},
{"friendlyCountry", "friendlyCountry", NID_friendlyCountry, 10, &so[3348]},
{"simpleSecurityObject", "simpleSecurityObject", NID_simpleSecurityObject, 10, &so[3358]},
{"pilotOrganization", "pilotOrganization", NID_pilotOrganization, 10, &so[3368]},
{"pilotDSA", "pilotDSA", NID_pilotDSA, 10, &so[3378]},
{"qualityLabelledData", "qualityLabelledData", NID_qualityLabelledData, 10, &so[3388]},
{"UID", "userId", NID_userId, 10, &so[3398]},
{"textEncodedORAddress", "textEncodedORAddress", NID_textEncodedORAddress, 10, &so[3408]},
{"mail", "rfc822Mailbox", NID_rfc822Mailbox, 10, &so[3418]},
{"info", "info", NID_info, 10, &so[3428]},
{"favouriteDrink", "favouriteDrink", NID_favouriteDrink, 10, &so[3438]},
{"roomNumber", "roomNumber", NID_roomNumber, 10, &so[3448]},
{"photo", "photo", NID_photo, 10, &so[3458]},
{"userClass", "userClass", NID_userClass, 10, &so[3468]},
{"host", "host", NID_host, 10, &so[3478]},
{"manager", "manager", NID_manager, 10, &so[3488]},
{"documentIdentifier", "documentIdentifier", NID_documentIdentifier, 10, &so[3498]},
{"documentTitle", "documentTitle", NID_documentTitle, 10, &so[3508]},
{"documentVersion", "documentVersion", NID_documentVersion, 10, &so[3518]},
{"documentAuthor", "documentAuthor", NID_documentAuthor, 10, &so[3528]},
{"documentLocation", "documentLocation", NID_documentLocation, 10, &so[3538]},
{"homeTelephoneNumber", "homeTelephoneNumber", NID_homeTelephoneNumber, 10, &so[3548]},
{"secretary", "secretary", NID_secretary, 10, &so[3558]},
{"otherMailbox", "otherMailbox", NID_otherMailbox, 10, &so[3568]},
{"lastModifiedTime", "lastModifiedTime", NID_lastModifiedTime, 10, &so[3578]},
{"lastModifiedBy", "lastModifiedBy", NID_lastModifiedBy, 10, &so[3588]},
{"aRecord", "aRecord", NID_aRecord, 10, &so[3598]},
{"pilotAttributeType27", "pilotAttributeType27", NID_pilotAttributeType27, 10, &so[3608]},
{"mXRecord", "mXRecord", NID_mXRecord, 10, &so[3618]},
{"nSRecord", "nSRecord", NID_nSRecord, 10, &so[3628]},
{"sOARecord", "sOARecord", NID_sOARecord, 10, &so[3638]},
{"cNAMERecord", "cNAMERecord", NID_cNAMERecord, 10, &so[3648]},
{"associatedDomain", "associatedDomain", NID_associatedDomain, 10, &so[3658]},
{"associatedName", "associatedName", NID_associatedName, 10, &so[3668]},
{"homePostalAddress", "homePostalAddress", NID_homePostalAddress, 10, &so[3678]},
{"personalTitle", "personalTitle", NID_personalTitle, 10, &so[3688]},
{"mobileTelephoneNumber", "mobileTelephoneNumber", NID_mobileTelephoneNumber, 10, &so[3698]},
{"pagerTelephoneNumber", "pagerTelephoneNumber", NID_pagerTelephoneNumber, 10, &so[3708]},
{"friendlyCountryName", "friendlyCountryName", NID_friendlyCountryName, 10, &so[3718]},
{"organizationalStatus", "organizationalStatus", NID_organizationalStatus, 10, &so[3728]},
{"janetMailbox", "janetMailbox", NID_janetMailbox, 10, &so[3738]},
{"mailPreferenceOption", "mailPreferenceOption", NID_mailPreferenceOption, 10, &so[3748]},
{"buildingName", "buildingName", NID_buildingName, 10, &so[3758]},
{"dSAQuality", "dSAQuality", NID_dSAQuality, 10, &so[3768]},
{"singleLevelQuality", "singleLevelQuality", NID_singleLevelQuality, 10, &so[3778]},
{"subtreeMinimumQuality", "subtreeMinimumQuality", NID_subtreeMinimumQuality, 10, &so[3788]},
{"subtreeMaximumQuality", "subtreeMaximumQuality", NID_subtreeMaximumQuality, 10, &so[3798]},
{"personalSignature", "personalSignature", NID_personalSignature, 10, &so[3808]},
{"dITRedirect", "dITRedirect", NID_dITRedirect, 10, &so[3818]},
{"audio", "audio", NID_audio, 10, &so[3828]},
{"documentPublisher", "documentPublisher", NID_documentPublisher, 10, &so[3838]},
{"x500UniqueIdentifier", "x500UniqueIdentifier", NID_x500UniqueIdentifier, 3, &so[3848]},
{"mime-mhs", "MIME MHS", NID_mime_mhs, 5, &so[3851]},
{"mime-mhs-headings", "mime-mhs-headings", NID_mime_mhs_headings, 6, &so[3856]},
{"mime-mhs-bodies", "mime-mhs-bodies", NID_mime_mhs_bodies, 6, &so[3862]},
{"id-hex-partial-message", "id-hex-partial-message", NID_id_hex_partial_message, 7, &so[3868]},
{"id-hex-multipart-message", "id-hex-multipart-message", NID_id_hex_multipart_message, 7, &so[3875]},
{"generationQualifier", "generationQualifier", NID_generationQualifier, 3, &so[3882]},
{"pseudonym", "pseudonym", NID_pseudonym, 3, &so[3885]},
{ NULL, NULL, NID_undef },
{"id-set", "Secure Electronic Transactions", NID_id_set, 2, &so[3888]},
{"set-ctype", "content types", NID_set_ctype, 3, &so[3890]},
{"set-msgExt", "message extensions", NID_set_msgExt, 3, &so[3893]},
{"set-attr", "set-attr", NID_set_attr, 3, &so[3896]},
{"set-policy", "set-policy", NID_set_policy, 3, &so[3899]},
{"set-certExt", "certificate extensions", NID_set_certExt, 3, &so[3902]},
{"set-brand", "set-brand", NID_set_brand, 3, &so[3905]},
{"setct-PANData", "setct-PANData", NID_setct_PANData, 4, &so[3908]},
{"setct-PANToken", "setct-PANToken", NID_setct_PANToken, 4, &so[3912]},
{"setct-PANOnly", "setct-PANOnly", NID_setct_PANOnly, 4, &so[3916]},
{"setct-OIData", "setct-OIData", NID_setct_OIData, 4, &so[3920]},
{"setct-PI", "setct-PI", NID_setct_PI, 4, &so[3924]},
{"setct-PIData", "setct-PIData", NID_setct_PIData, 4, &so[3928]},
{"setct-PIDataUnsigned", "setct-PIDataUnsigned", NID_setct_PIDataUnsigned, 4, &so[3932]},
{"setct-HODInput", "setct-HODInput", NID_setct_HODInput, 4, &so[3936]},
{"setct-AuthResBaggage", "setct-AuthResBaggage", NID_setct_AuthResBaggage, 4, &so[3940]},
{"setct-AuthRevReqBaggage", "setct-AuthRevReqBaggage", NID_setct_AuthRevReqBaggage, 4, &so[3944]},
{"setct-AuthRevResBaggage", "setct-AuthRevResBaggage", NID_setct_AuthRevResBaggage, 4, &so[3948]},
{"setct-CapTokenSeq", "setct-CapTokenSeq", NID_setct_CapTokenSeq, 4, &so[3952]},
{"setct-PInitResData", "setct-PInitResData", NID_setct_PInitResData, 4, &so[3956]},
{"setct-PI-TBS", "setct-PI-TBS", NID_setct_PI_TBS, 4, &so[3960]},
{"setct-PResData", "setct-PResData", NID_setct_PResData, 4, &so[3964]},
{"setct-AuthReqTBS", "setct-AuthReqTBS", NID_setct_AuthReqTBS, 4, &so[3968]},
{"setct-AuthResTBS", "setct-AuthResTBS", NID_setct_AuthResTBS, 4, &so[3972]},
{"setct-AuthResTBSX", "setct-AuthResTBSX", NID_setct_AuthResTBSX, 4, &so[3976]},
{"setct-AuthTokenTBS", "setct-AuthTokenTBS", NID_setct_AuthTokenTBS, 4, &so[3980]},
{"setct-CapTokenData", "setct-CapTokenData", NID_setct_CapTokenData, 4, &so[3984]},
{"setct-CapTokenTBS", "setct-CapTokenTBS", NID_setct_CapTokenTBS, 4, &so[3988]},
{"setct-AcqCardCodeMsg", "setct-AcqCardCodeMsg", NID_setct_AcqCardCodeMsg, 4, &so[3992]},
{"setct-AuthRevReqTBS", "setct-AuthRevReqTBS", NID_setct_AuthRevReqTBS, 4, &so[3996]},
{"setct-AuthRevResData", "setct-AuthRevResData", NID_setct_AuthRevResData, 4, &so[4000]},
{"setct-AuthRevResTBS", "setct-AuthRevResTBS", NID_setct_AuthRevResTBS, 4, &so[4004]},
{"setct-CapReqTBS", "setct-CapReqTBS", NID_setct_CapReqTBS, 4, &so[4008]},
{"setct-CapReqTBSX", "setct-CapReqTBSX", NID_setct_CapReqTBSX, 4, &so[4012]},
{"setct-CapResData", "setct-CapResData", NID_setct_CapResData, 4, &so[4016]},
{"setct-CapRevReqTBS", "setct-CapRevReqTBS", NID_setct_CapRevReqTBS, 4, &so[4020]},
{"setct-CapRevReqTBSX", "setct-CapRevReqTBSX", NID_setct_CapRevReqTBSX, 4, &so[4024]},
{"setct-CapRevResData", "setct-CapRevResData", NID_setct_CapRevResData, 4, &so[4028]},
{"setct-CredReqTBS", "setct-CredReqTBS", NID_setct_CredReqTBS, 4, &so[4032]},
{"setct-CredReqTBSX", "setct-CredReqTBSX", NID_setct_CredReqTBSX, 4, &so[4036]},
{"setct-CredResData", "setct-CredResData", NID_setct_CredResData, 4, &so[4040]},
{"setct-CredRevReqTBS", "setct-CredRevReqTBS", NID_setct_CredRevReqTBS, 4, &so[4044]},
{"setct-CredRevReqTBSX", "setct-CredRevReqTBSX", NID_setct_CredRevReqTBSX, 4, &so[4048]},
{"setct-CredRevResData", "setct-CredRevResData", NID_setct_CredRevResData, 4, &so[4052]},
{"setct-PCertReqData", "setct-PCertReqData", NID_setct_PCertReqData, 4, &so[4056]},
{"setct-PCertResTBS", "setct-PCertResTBS", NID_setct_PCertResTBS, 4, &so[4060]},
{"setct-BatchAdminReqData", "setct-BatchAdminReqData", NID_setct_BatchAdminReqData, 4, &so[4064]},
{"setct-BatchAdminResData", "setct-BatchAdminResData", NID_setct_BatchAdminResData, 4, &so[4068]},
{"setct-CardCInitResTBS", "setct-CardCInitResTBS", NID_setct_CardCInitResTBS, 4, &so[4072]},
{"setct-MeAqCInitResTBS", "setct-MeAqCInitResTBS", NID_setct_MeAqCInitResTBS, 4, &so[4076]},
{"setct-RegFormResTBS", "setct-RegFormResTBS", NID_setct_RegFormResTBS, 4, &so[4080]},
{"setct-CertReqData", "setct-CertReqData", NID_setct_CertReqData, 4, &so[4084]},
{"setct-CertReqTBS", "setct-CertReqTBS", NID_setct_CertReqTBS, 4, &so[4088]},
{"setct-CertResData", "setct-CertResData", NID_setct_CertResData, 4, &so[4092]},
{"setct-CertInqReqTBS", "setct-CertInqReqTBS", NID_setct_CertInqReqTBS, 4, &so[4096]},
{"setct-ErrorTBS", "setct-ErrorTBS", NID_setct_ErrorTBS, 4, &so[4100]},
{"setct-PIDualSignedTBE", "setct-PIDualSignedTBE", NID_setct_PIDualSignedTBE, 4, &so[4104]},
{"setct-PIUnsignedTBE", "setct-PIUnsignedTBE", NID_setct_PIUnsignedTBE, 4, &so[4108]},
{"setct-AuthReqTBE", "setct-AuthReqTBE", NID_setct_AuthReqTBE, 4, &so[4112]},
{"setct-AuthResTBE", "setct-AuthResTBE", NID_setct_AuthResTBE, 4, &so[4116]},
{"setct-AuthResTBEX", "setct-AuthResTBEX", NID_setct_AuthResTBEX, 4, &so[4120]},
{"setct-AuthTokenTBE", "setct-AuthTokenTBE", NID_setct_AuthTokenTBE, 4, &so[4124]},
{"setct-CapTokenTBE", "setct-CapTokenTBE", NID_setct_CapTokenTBE, 4, &so[4128]},
{"setct-CapTokenTBEX", "setct-CapTokenTBEX", NID_setct_CapTokenTBEX, 4, &so[4132]},
{"setct-AcqCardCodeMsgTBE", "setct-AcqCardCodeMsgTBE", NID_setct_AcqCardCodeMsgTBE, 4, &so[4136]},
{"setct-AuthRevReqTBE", "setct-AuthRevReqTBE", NID_setct_AuthRevReqTBE, 4, &so[4140]},
{"setct-AuthRevResTBE", "setct-AuthRevResTBE", NID_setct_AuthRevResTBE, 4, &so[4144]},
{"setct-AuthRevResTBEB", "setct-AuthRevResTBEB", NID_setct_AuthRevResTBEB, 4, &so[4148]},
{"setct-CapReqTBE", "setct-CapReqTBE", NID_setct_CapReqTBE, 4, &so[4152]},
{"setct-CapReqTBEX", "setct-CapReqTBEX", NID_setct_CapReqTBEX, 4, &so[4156]},
{"setct-CapResTBE", "setct-CapResTBE", NID_setct_CapResTBE, 4, &so[4160]},
{"setct-CapRevReqTBE", "setct-CapRevReqTBE", NID_setct_CapRevReqTBE, 4, &so[4164]},
{"setct-CapRevReqTBEX", "setct-CapRevReqTBEX", NID_setct_CapRevReqTBEX, 4, &so[4168]},
{"setct-CapRevResTBE", "setct-CapRevResTBE", NID_setct_CapRevResTBE, 4, &so[4172]},
{"setct-CredReqTBE", "setct-CredReqTBE", NID_setct_CredReqTBE, 4, &so[4176]},
{"setct-CredReqTBEX", "setct-CredReqTBEX", NID_setct_CredReqTBEX, 4, &so[4180]},
{"setct-CredResTBE", "setct-CredResTBE", NID_setct_CredResTBE, 4, &so[4184]},
{"setct-CredRevReqTBE", "setct-CredRevReqTBE", NID_setct_CredRevReqTBE, 4, &so[4188]},
{"setct-CredRevReqTBEX", "setct-CredRevReqTBEX", NID_setct_CredRevReqTBEX, 4, &so[4192]},
{"setct-CredRevResTBE", "setct-CredRevResTBE", NID_setct_CredRevResTBE, 4, &so[4196]},
{"setct-BatchAdminReqTBE", "setct-BatchAdminReqTBE", NID_setct_BatchAdminReqTBE, 4, &so[4200]},
{"setct-BatchAdminResTBE", "setct-BatchAdminResTBE", NID_setct_BatchAdminResTBE, 4, &so[4204]},
{"setct-RegFormReqTBE", "setct-RegFormReqTBE", NID_setct_RegFormReqTBE, 4, &so[4208]},
{"setct-CertReqTBE", "setct-CertReqTBE", NID_setct_CertReqTBE, 4, &so[4212]},
{"setct-CertReqTBEX", "setct-CertReqTBEX", NID_setct_CertReqTBEX, 4, &so[4216]},
{"setct-CertResTBE", "setct-CertResTBE", NID_setct_CertResTBE, 4, &so[4220]},
{"setct-CRLNotificationTBS", "setct-CRLNotificationTBS", NID_setct_CRLNotificationTBS, 4, &so[4224]},
{"setct-CRLNotificationResTBS", "setct-CRLNotificationResTBS", NID_setct_CRLNotificationResTBS, 4, &so[4228]},
{"setct-BCIDistributionTBS", "setct-BCIDistributionTBS", NID_setct_BCIDistributionTBS, 4, &so[4232]},
{"setext-genCrypt", "generic cryptogram", NID_setext_genCrypt, 4, &so[4236]},
{"setext-miAuth", "merchant initiated auth", NID_setext_miAuth, 4, &so[4240]},
{"setext-pinSecure", "setext-pinSecure", NID_setext_pinSecure, 4, &so[4244]},
{"setext-pinAny", "setext-pinAny", NID_setext_pinAny, 4, &so[4248]},
{"setext-track2", "setext-track2", NID_setext_track2, 4, &so[4252]},
{"setext-cv", "additional verification", NID_setext_cv, 4, &so[4256]},
{"set-policy-root", "set-policy-root", NID_set_policy_root, 4, &so[4260]},
{"setCext-hashedRoot", "setCext-hashedRoot", NID_setCext_hashedRoot, 4, &so[4264]},
{"setCext-certType", "setCext-certType", NID_setCext_certType, 4, &so[4268]},
{"setCext-merchData", "setCext-merchData", NID_setCext_merchData, 4, &so[4272]},
{"setCext-cCertRequired", "setCext-cCertRequired", NID_setCext_cCertRequired, 4, &so[4276]},
{"setCext-tunneling", "setCext-tunneling", NID_setCext_tunneling, 4, &so[4280]},
{"setCext-setExt", "setCext-setExt", NID_setCext_setExt, 4, &so[4284]},
{"setCext-setQualf", "setCext-setQualf", NID_setCext_setQualf, 4, &so[4288]},
{"setCext-PGWYcapabilities", "setCext-PGWYcapabilities", NID_setCext_PGWYcapabilities, 4, &so[4292]},
{"setCext-TokenIdentifier", "setCext-TokenIdentifier", NID_setCext_TokenIdentifier, 4, &so[4296]},
{"setCext-Track2Data", "setCext-Track2Data", NID_setCext_Track2Data, 4, &so[4300]},
{"setCext-TokenType", "setCext-TokenType", NID_setCext_TokenType, 4, &so[4304]},
{"setCext-IssuerCapabilities", "setCext-IssuerCapabilities", NID_setCext_IssuerCapabilities, 4, &so[4308]},
{"setAttr-Cert", "setAttr-Cert", NID_setAttr_Cert, 4, &so[4312]},
{"setAttr-PGWYcap", "payment gateway capabilities", NID_setAttr_PGWYcap, 4, &so[4316]},
{"setAttr-TokenType", "setAttr-TokenType", NID_setAttr_TokenType, 4, &so[4320]},
{"setAttr-IssCap", "issuer capabilities", NID_setAttr_IssCap, 4, &so[4324]},
{"set-rootKeyThumb", "set-rootKeyThumb", NID_set_rootKeyThumb, 5, &so[4328]},
{"set-addPolicy", "set-addPolicy", NID_set_addPolicy, 5, &so[4333]},
{"setAttr-Token-EMV", "setAttr-Token-EMV", NID_setAttr_Token_EMV, 5, &so[4338]},
{"setAttr-Token-B0Prime", "setAttr-Token-B0Prime", NID_setAttr_Token_B0Prime, 5, &so[4343]},
{"setAttr-IssCap-CVM", "setAttr-IssCap-CVM", NID_setAttr_IssCap_CVM, 5, &so[4348]},
{"setAttr-IssCap-T2", "setAttr-IssCap-T2", NID_setAttr_IssCap_T2, 5, &so[4353]},
{"setAttr-IssCap-Sig", "setAttr-IssCap-Sig", NID_setAttr_IssCap_Sig, 5, &so[4358]},
{"setAttr-GenCryptgrm", "generate cryptogram", NID_setAttr_GenCryptgrm, 6, &so[4363]},
{"setAttr-T2Enc", "encrypted track 2", NID_setAttr_T2Enc, 6, &so[4369]},
{"setAttr-T2cleartxt", "cleartext track 2", NID_setAttr_T2cleartxt, 6, &so[4375]},
{"setAttr-TokICCsig", "ICC or token signature", NID_setAttr_TokICCsig, 6, &so[4381]},
{"setAttr-SecDevSig", "secure device signature", NID_setAttr_SecDevSig, 6, &so[4387]},
{"set-brand-IATA-ATA", "set-brand-IATA-ATA", NID_set_brand_IATA_ATA, 4, &so[4393]},
{"set-brand-Diners", "set-brand-Diners", NID_set_brand_Diners, 4, &so[4397]},
{"set-brand-AmericanExpress", "set-brand-AmericanExpress", NID_set_brand_AmericanExpress, 4, &so[4401]},
{"set-brand-JCB", "set-brand-JCB", NID_set_brand_JCB, 4, &so[4405]},
{"set-brand-Visa", "set-brand-Visa", NID_set_brand_Visa, 4, &so[4409]},
{"set-brand-MasterCard", "set-brand-MasterCard", NID_set_brand_MasterCard, 4, &so[4413]},
{"set-brand-Novus", "set-brand-Novus", NID_set_brand_Novus, 5, &so[4417]},
{"DES-CDMF", "des-cdmf", NID_des_cdmf, 8, &so[4422]},
{"rsaOAEPEncryptionSET", "rsaOAEPEncryptionSET", NID_rsaOAEPEncryptionSET, 9, &so[4430]},
{"ITU-T", "itu-t", NID_itu_t},
{"JOINT-ISO-ITU-T", "joint-iso-itu-t", NID_joint_iso_itu_t},
{"international-organizations", "International Organizations", NID_international_organizations, 1, &so[4439]},
{"msSmartcardLogin", "Microsoft Smartcard Login", NID_ms_smartcard_login, 10, &so[4440]},
{"msUPN", "Microsoft User Principal Name", NID_ms_upn, 10, &so[4450]},
{"AES-128-CFB1", "aes-128-cfb1", NID_aes_128_cfb1},
{"AES-192-CFB1", "aes-192-cfb1", NID_aes_192_cfb1},
{"AES-256-CFB1", "aes-256-cfb1", NID_aes_256_cfb1},
{"AES-128-CFB8", "aes-128-cfb8", NID_aes_128_cfb8},
{"AES-192-CFB8", "aes-192-cfb8", NID_aes_192_cfb8},
{"AES-256-CFB8", "aes-256-cfb8", NID_aes_256_cfb8},
{"DES-CFB1", "des-cfb1", NID_des_cfb1},
{"DES-CFB8", "des-cfb8", NID_des_cfb8},
{"DES-EDE3-CFB1", "des-ede3-cfb1", NID_des_ede3_cfb1},
{"DES-EDE3-CFB8", "des-ede3-cfb8", NID_des_ede3_cfb8},
{"street", "streetAddress", NID_streetAddress, 3, &so[4460]},
{"postalCode", "postalCode", NID_postalCode, 3, &so[4463]},
{"id-ppl", "id-ppl", NID_id_ppl, 7, &so[4466]},
{"proxyCertInfo", "Proxy Certificate Information", NID_proxyCertInfo, 8, &so[4473]},
{"id-ppl-anyLanguage", "Any language", NID_id_ppl_anyLanguage, 8, &so[4481]},
{"id-ppl-inheritAll", "Inherit all", NID_id_ppl_inheritAll, 8, &so[4489]},
{"nameConstraints", "X509v3 Name Constraints", NID_name_constraints, 3, &so[4497]},
{"id-ppl-independent", "Independent", NID_Independent, 8, &so[4500]},
{"RSA-SHA256", "sha256WithRSAEncryption", NID_sha256WithRSAEncryption, 9, &so[4508]},
{"RSA-SHA384", "sha384WithRSAEncryption", NID_sha384WithRSAEncryption, 9, &so[4517]},
{"RSA-SHA512", "sha512WithRSAEncryption", NID_sha512WithRSAEncryption, 9, &so[4526]},
{"RSA-SHA224", "sha224WithRSAEncryption", NID_sha224WithRSAEncryption, 9, &so[4535]},
{"SHA256", "sha256", NID_sha256, 9, &so[4544]},
{"SHA384", "sha384", NID_sha384, 9, &so[4553]},
{"SHA512", "sha512", NID_sha512, 9, &so[4562]},
{"SHA224", "sha224", NID_sha224, 9, &so[4571]},
{"identified-organization", "identified-organization", NID_identified_organization, 1, &so[4580]},
{"certicom-arc", "certicom-arc", NID_certicom_arc, 3, &so[4581]},
{"wap", "wap", NID_wap, 2, &so[4584]},
{"wap-wsg", "wap-wsg", NID_wap_wsg, 3, &so[4586]},
{"id-characteristic-two-basis", "id-characteristic-two-basis", NID_X9_62_id_characteristic_two_basis, 8, &so[4589]},
{"onBasis", "onBasis", NID_X9_62_onBasis, 9, &so[4597]},
{"tpBasis", "tpBasis", NID_X9_62_tpBasis, 9, &so[4606]},
{"ppBasis", "ppBasis", NID_X9_62_ppBasis, 9, &so[4615]},
{"c2pnb163v1", "c2pnb163v1", NID_X9_62_c2pnb163v1, 8, &so[4624]},
{"c2pnb163v2", "c2pnb163v2", NID_X9_62_c2pnb163v2, 8, &so[4632]},
{"c2pnb163v3", "c2pnb163v3", NID_X9_62_c2pnb163v3, 8, &so[4640]},
{"c2pnb176v1", "c2pnb176v1", NID_X9_62_c2pnb176v1, 8, &so[4648]},
{"c2tnb191v1", "c2tnb191v1", NID_X9_62_c2tnb191v1, 8, &so[4656]},
{"c2tnb191v2", "c2tnb191v2", NID_X9_62_c2tnb191v2, 8, &so[4664]},
{"c2tnb191v3", "c2tnb191v3", NID_X9_62_c2tnb191v3, 8, &so[4672]},
{"c2onb191v4", "c2onb191v4", NID_X9_62_c2onb191v4, 8, &so[4680]},
{"c2onb191v5", "c2onb191v5", NID_X9_62_c2onb191v5, 8, &so[4688]},
{"c2pnb208w1", "c2pnb208w1", NID_X9_62_c2pnb208w1, 8, &so[4696]},
{"c2tnb239v1", "c2tnb239v1", NID_X9_62_c2tnb239v1, 8, &so[4704]},
{"c2tnb239v2", "c2tnb239v2", NID_X9_62_c2tnb239v2, 8, &so[4712]},
{"c2tnb239v3", "c2tnb239v3", NID_X9_62_c2tnb239v3, 8, &so[4720]},
{"c2onb239v4", "c2onb239v4", NID_X9_62_c2onb239v4, 8, &so[4728]},
{"c2onb239v5", "c2onb239v5", NID_X9_62_c2onb239v5, 8, &so[4736]},
{"c2pnb272w1", "c2pnb272w1", NID_X9_62_c2pnb272w1, 8, &so[4744]},
{"c2pnb304w1", "c2pnb304w1", NID_X9_62_c2pnb304w1, 8, &so[4752]},
{"c2tnb359v1", "c2tnb359v1", NID_X9_62_c2tnb359v1, 8, &so[4760]},
{"c2pnb368w1", "c2pnb368w1", NID_X9_62_c2pnb368w1, 8, &so[4768]},
{"c2tnb431r1", "c2tnb431r1", NID_X9_62_c2tnb431r1, 8, &so[4776]},
{"secp112r1", "secp112r1", NID_secp112r1, 5, &so[4784]},
{"secp112r2", "secp112r2", NID_secp112r2, 5, &so[4789]},
{"secp128r1", "secp128r1", NID_secp128r1, 5, &so[4794]},
{"secp128r2", "secp128r2", NID_secp128r2, 5, &so[4799]},
{"secp160k1", "secp160k1", NID_secp160k1, 5, &so[4804]},
{"secp160r1", "secp160r1", NID_secp160r1, 5, &so[4809]},
{"secp160r2", "secp160r2", NID_secp160r2, 5, &so[4814]},
{"secp192k1", "secp192k1", NID_secp192k1, 5, &so[4819]},
{"secp224k1", "secp224k1", NID_secp224k1, 5, &so[4824]},
{"secp224r1", "secp224r1", NID_secp224r1, 5, &so[4829]},
{"secp256k1", "secp256k1", NID_secp256k1, 5, &so[4834]},
{"secp384r1", "secp384r1", NID_secp384r1, 5, &so[4839]},
{"secp521r1", "secp521r1", NID_secp521r1, 5, &so[4844]},
{"sect113r1", "sect113r1", NID_sect113r1, 5, &so[4849]},
{"sect113r2", "sect113r2", NID_sect113r2, 5, &so[4854]},
{"sect131r1", "sect131r1", NID_sect131r1, 5, &so[4859]},
{"sect131r2", "sect131r2", NID_sect131r2, 5, &so[4864]},
{"sect163k1", "sect163k1", NID_sect163k1, 5, &so[4869]},
{"sect163r1", "sect163r1", NID_sect163r1, 5, &so[4874]},
{"sect163r2", "sect163r2", NID_sect163r2, 5, &so[4879]},
{"sect193r1", "sect193r1", NID_sect193r1, 5, &so[4884]},
{"sect193r2", "sect193r2", NID_sect193r2, 5, &so[4889]},
{"sect233k1", "sect233k1", NID_sect233k1, 5, &so[4894]},
{"sect233r1", "sect233r1", NID_sect233r1, 5, &so[4899]},
{"sect239k1", "sect239k1", NID_sect239k1, 5, &so[4904]},
{"sect283k1", "sect283k1", NID_sect283k1, 5, &so[4909]},
{"sect283r1", "sect283r1", NID_sect283r1, 5, &so[4914]},
{"sect409k1", "sect409k1", NID_sect409k1, 5, &so[4919]},
{"sect409r1", "sect409r1", NID_sect409r1, 5, &so[4924]},
{"sect571k1", "sect571k1", NID_sect571k1, 5, &so[4929]},
{"sect571r1", "sect571r1", NID_sect571r1, 5, &so[4934]},
{"wap-wsg-idm-ecid-wtls1", "wap-wsg-idm-ecid-wtls1", NID_wap_wsg_idm_ecid_wtls1, 5, &so[4939]},
{"wap-wsg-idm-ecid-wtls3", "wap-wsg-idm-ecid-wtls3", NID_wap_wsg_idm_ecid_wtls3, 5, &so[4944]},
{"wap-wsg-idm-ecid-wtls4", "wap-wsg-idm-ecid-wtls4", NID_wap_wsg_idm_ecid_wtls4, 5, &so[4949]},
{"wap-wsg-idm-ecid-wtls5", "wap-wsg-idm-ecid-wtls5", NID_wap_wsg_idm_ecid_wtls5, 5, &so[4954]},
{"wap-wsg-idm-ecid-wtls6", "wap-wsg-idm-ecid-wtls6", NID_wap_wsg_idm_ecid_wtls6, 5, &so[4959]},
{"wap-wsg-idm-ecid-wtls7", "wap-wsg-idm-ecid-wtls7", NID_wap_wsg_idm_ecid_wtls7, 5, &so[4964]},
{"wap-wsg-idm-ecid-wtls8", "wap-wsg-idm-ecid-wtls8", NID_wap_wsg_idm_ecid_wtls8, 5, &so[4969]},
{"wap-wsg-idm-ecid-wtls9", "wap-wsg-idm-ecid-wtls9", NID_wap_wsg_idm_ecid_wtls9, 5, &so[4974]},
{"wap-wsg-idm-ecid-wtls10", "wap-wsg-idm-ecid-wtls10", NID_wap_wsg_idm_ecid_wtls10, 5, &so[4979]},
{"wap-wsg-idm-ecid-wtls11", "wap-wsg-idm-ecid-wtls11", NID_wap_wsg_idm_ecid_wtls11, 5, &so[4984]},
{"wap-wsg-idm-ecid-wtls12", "wap-wsg-idm-ecid-wtls12", NID_wap_wsg_idm_ecid_wtls12, 5, &so[4989]},
{"anyPolicy", "X509v3 Any Policy", NID_any_policy, 4, &so[4994]},
{"policyMappings", "X509v3 Policy Mappings", NID_policy_mappings, 3, &so[4998]},
{"inhibitAnyPolicy", "X509v3 Inhibit Any Policy", NID_inhibit_any_policy, 3, &so[5001]},
{"Oakley-EC2N-3", "ipsec3", NID_ipsec3},
{"Oakley-EC2N-4", "ipsec4", NID_ipsec4},
{"CAMELLIA-128-CBC", "camellia-128-cbc", NID_camellia_128_cbc, 11, &so[5004]},
{"CAMELLIA-192-CBC", "camellia-192-cbc", NID_camellia_192_cbc, 11, &so[5015]},
{"CAMELLIA-256-CBC", "camellia-256-cbc", NID_camellia_256_cbc, 11, &so[5026]},
{"CAMELLIA-128-ECB", "camellia-128-ecb", NID_camellia_128_ecb, 8, &so[5037]},
{"CAMELLIA-192-ECB", "camellia-192-ecb", NID_camellia_192_ecb, 8, &so[5045]},
{"CAMELLIA-256-ECB", "camellia-256-ecb", NID_camellia_256_ecb, 8, &so[5053]},
{"CAMELLIA-128-CFB", "camellia-128-cfb", NID_camellia_128_cfb128, 8, &so[5061]},
{"CAMELLIA-192-CFB", "camellia-192-cfb", NID_camellia_192_cfb128, 8, &so[5069]},
{"CAMELLIA-256-CFB", "camellia-256-cfb", NID_camellia_256_cfb128, 8, &so[5077]},
{"CAMELLIA-128-CFB1", "camellia-128-cfb1", NID_camellia_128_cfb1},
{"CAMELLIA-192-CFB1", "camellia-192-cfb1", NID_camellia_192_cfb1},
{"CAMELLIA-256-CFB1", "camellia-256-cfb1", NID_camellia_256_cfb1},
{"CAMELLIA-128-CFB8", "camellia-128-cfb8", NID_camellia_128_cfb8},
{"CAMELLIA-192-CFB8", "camellia-192-cfb8", NID_camellia_192_cfb8},
{"CAMELLIA-256-CFB8", "camellia-256-cfb8", NID_camellia_256_cfb8},
{"CAMELLIA-128-OFB", "camellia-128-ofb", NID_camellia_128_ofb128, 8, &so[5085]},
{"CAMELLIA-192-OFB", "camellia-192-ofb", NID_camellia_192_ofb128, 8, &so[5093]},
{"CAMELLIA-256-OFB", "camellia-256-ofb", NID_camellia_256_ofb128, 8, &so[5101]},
{"subjectDirectoryAttributes", "X509v3 Subject Directory Attributes", NID_subject_directory_attributes, 3, &so[5109]},
{"issuingDistributionPoint", "X509v3 Issuing Distribution Point", NID_issuing_distribution_point, 3, &so[5112]},
{"certificateIssuer", "X509v3 Certificate Issuer", NID_certificate_issuer, 3, &so[5115]},
{ NULL, NULL, NID_undef },
{"KISA", "kisa", NID_kisa, 6, &so[5118]},
{ NULL, NULL, NID_undef },
{ NULL, NULL, NID_undef },
{"SEED-ECB", "seed-ecb", NID_seed_ecb, 8, &so[5124]},
{"SEED-CBC", "seed-cbc", NID_seed_cbc, 8, &so[5132]},
{"SEED-OFB", "seed-ofb", NID_seed_ofb128, 8, &so[5140]},
{"SEED-CFB", "seed-cfb", NID_seed_cfb128, 8, &so[5148]},
{"HMAC-MD5", "hmac-md5", NID_hmac_md5, 8, &so[5156]},
{"HMAC-SHA1", "hmac-sha1", NID_hmac_sha1, 8, &so[5164]},
{"id-PasswordBasedMAC", "password based MAC", NID_id_PasswordBasedMAC, 9, &so[5172]},
{"id-DHBasedMac", "Diffie-Hellman based MAC", NID_id_DHBasedMac, 9, &so[5181]},
{"id-it-suppLangTags", "id-it-suppLangTags", NID_id_it_suppLangTags, 8, &so[5190]},
{"caRepository", "CA Repository", NID_caRepository, 8, &so[5198]},
{"id-smime-ct-compressedData", "id-smime-ct-compressedData", NID_id_smime_ct_compressedData, 11, &so[5206]},
{"id-ct-asciiTextWithCRLF", "id-ct-asciiTextWithCRLF", NID_id_ct_asciiTextWithCRLF, 11, &so[5217]},
{"id-aes128-wrap", "id-aes128-wrap", NID_id_aes128_wrap, 9, &so[5228]},
{"id-aes192-wrap", "id-aes192-wrap", NID_id_aes192_wrap, 9, &so[5237]},
{"id-aes256-wrap", "id-aes256-wrap", NID_id_aes256_wrap, 9, &so[5246]},
{"ecdsa-with-Recommended", "ecdsa-with-Recommended", NID_ecdsa_with_Recommended, 7, &so[5255]},
{"ecdsa-with-Specified", "ecdsa-with-Specified", NID_ecdsa_with_Specified, 7, &so[5262]},
{"ecdsa-with-SHA224", "ecdsa-with-SHA224", NID_ecdsa_with_SHA224, 8, &so[5269]},
{"ecdsa-with-SHA256", "ecdsa-with-SHA256", NID_ecdsa_with_SHA256, 8, &so[5277]},
{"ecdsa-with-SHA384", "ecdsa-with-SHA384", NID_ecdsa_with_SHA384, 8, &so[5285]},
{"ecdsa-with-SHA512", "ecdsa-with-SHA512", NID_ecdsa_with_SHA512, 8, &so[5293]},
{"hmacWithMD5", "hmacWithMD5", NID_hmacWithMD5, 8, &so[5301]},
{"hmacWithSHA224", "hmacWithSHA224", NID_hmacWithSHA224, 8, &so[5309]},
{"hmacWithSHA256", "hmacWithSHA256", NID_hmacWithSHA256, 8, &so[5317]},
{"hmacWithSHA384", "hmacWithSHA384", NID_hmacWithSHA384, 8, &so[5325]},
{"hmacWithSHA512", "hmacWithSHA512", NID_hmacWithSHA512, 8, &so[5333]},
{"dsa_with_SHA224", "dsa_with_SHA224", NID_dsa_with_SHA224, 9, &so[5341]},
{"dsa_with_SHA256", "dsa_with_SHA256", NID_dsa_with_SHA256, 9, &so[5350]},
{"whirlpool", "whirlpool", NID_whirlpool, 6, &so[5359]},
{"cryptopro", "cryptopro", NID_cryptopro, 5, &so[5365]},
{"cryptocom", "cryptocom", NID_cryptocom, 5, &so[5370]},
{"id-GostR3411-94-with-GostR3410-2001", "GOST R 34.11-94 with GOST R 34.10-2001", NID_id_GostR3411_94_with_GostR3410_2001, 6, &so[5375]},
{"id-GostR3411-94-with-GostR3410-94", "GOST R 34.11-94 with GOST R 34.10-94", NID_id_GostR3411_94_with_GostR3410_94, 6, &so[5381]},
{"md_gost94", "GOST R 34.11-94", NID_id_GostR3411_94, 6, &so[5387]},
{"id-HMACGostR3411-94", "HMAC GOST 34.11-94", NID_id_HMACGostR3411_94, 6, &so[5393]},
{"gost2001", "GOST R 34.10-2001", NID_id_GostR3410_2001, 6, &so[5399]},
{"gost94", "GOST R 34.10-94", NID_id_GostR3410_94, 6, &so[5405]},
{"gost89", "GOST 28147-89", NID_id_Gost28147_89, 6, &so[5411]},
{"gost89-cnt", "gost89-cnt", NID_gost89_cnt},
{"gost-mac", "GOST 28147-89 MAC", NID_id_Gost28147_89_MAC, 6, &so[5417]},
{"prf-gostr3411-94", "GOST R 34.11-94 PRF", NID_id_GostR3411_94_prf, 6, &so[5423]},
{"id-GostR3410-2001DH", "GOST R 34.10-2001 DH", NID_id_GostR3410_2001DH, 6, &so[5429]},
{"id-GostR3410-94DH", "GOST R 34.10-94 DH", NID_id_GostR3410_94DH, 6, &so[5435]},
{"id-Gost28147-89-CryptoPro-KeyMeshing", "id-Gost28147-89-CryptoPro-KeyMeshing", NID_id_Gost28147_89_CryptoPro_KeyMeshing, 7, &so[5441]},
{"id-Gost28147-89-None-KeyMeshing", "id-Gost28147-89-None-KeyMeshing", NID_id_Gost28147_89_None_KeyMeshing, 7, &so[5448]},
{"id-GostR3411-94-TestParamSet", "id-GostR3411-94-TestParamSet", NID_id_GostR3411_94_TestParamSet, 7, &so[5455]},
{"id-GostR3411-94-CryptoProParamSet", "id-GostR3411-94-CryptoProParamSet", NID_id_GostR3411_94_CryptoProParamSet, 7, &so[5462]},
{"id-Gost28147-89-TestParamSet", "id-Gost28147-89-TestParamSet", NID_id_Gost28147_89_TestParamSet, 7, &so[5469]},
{"id-Gost28147-89-CryptoPro-A-ParamSet", "id-Gost28147-89-CryptoPro-A-ParamSet", NID_id_Gost28147_89_CryptoPro_A_ParamSet, 7, &so[5476]},
{"id-Gost28147-89-CryptoPro-B-ParamSet", "id-Gost28147-89-CryptoPro-B-ParamSet", NID_id_Gost28147_89_CryptoPro_B_ParamSet, 7, &so[5483]},
{"id-Gost28147-89-CryptoPro-C-ParamSet", "id-Gost28147-89-CryptoPro-C-ParamSet", NID_id_Gost28147_89_CryptoPro_C_ParamSet, 7, &so[5490]},
{"id-Gost28147-89-CryptoPro-D-ParamSet", "id-Gost28147-89-CryptoPro-D-ParamSet", NID_id_Gost28147_89_CryptoPro_D_ParamSet, 7, &so[5497]},
{"id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet", "id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet", NID_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet, 7, &so[5504]},
{"id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet", "id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet", NID_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet, 7, &so[5511]},
{"id-Gost28147-89-CryptoPro-RIC-1-ParamSet", "id-Gost28147-89-CryptoPro-RIC-1-ParamSet", NID_id_Gost28147_89_CryptoPro_RIC_1_ParamSet, 7, &so[5518]},
{"id-GostR3410-94-TestParamSet", "id-GostR3410-94-TestParamSet", NID_id_GostR3410_94_TestParamSet, 7, &so[5525]},
{"id-GostR3410-94-CryptoPro-A-ParamSet", "id-GostR3410-94-CryptoPro-A-ParamSet", NID_id_GostR3410_94_CryptoPro_A_ParamSet, 7, &so[5532]},
{"id-GostR3410-94-CryptoPro-B-ParamSet", "id-GostR3410-94-CryptoPro-B-ParamSet", NID_id_GostR3410_94_CryptoPro_B_ParamSet, 7, &so[5539]},
{"id-GostR3410-94-CryptoPro-C-ParamSet", "id-GostR3410-94-CryptoPro-C-ParamSet", NID_id_GostR3410_94_CryptoPro_C_ParamSet, 7, &so[5546]},
{"id-GostR3410-94-CryptoPro-D-ParamSet", "id-GostR3410-94-CryptoPro-D-ParamSet", NID_id_GostR3410_94_CryptoPro_D_ParamSet, 7, &so[5553]},
{"id-GostR3410-94-CryptoPro-XchA-ParamSet", "id-GostR3410-94-CryptoPro-XchA-ParamSet", NID_id_GostR3410_94_CryptoPro_XchA_ParamSet, 7, &so[5560]},
{"id-GostR3410-94-CryptoPro-XchB-ParamSet", "id-GostR3410-94-CryptoPro-XchB-ParamSet", NID_id_GostR3410_94_CryptoPro_XchB_ParamSet, 7, &so[5567]},
{"id-GostR3410-94-CryptoPro-XchC-ParamSet", "id-GostR3410-94-CryptoPro-XchC-ParamSet", NID_id_GostR3410_94_CryptoPro_XchC_ParamSet, 7, &so[5574]},
{"id-GostR3410-2001-TestParamSet", "id-GostR3410-2001-TestParamSet", NID_id_GostR3410_2001_TestParamSet, 7, &so[5581]},
{"id-GostR3410-2001-CryptoPro-A-ParamSet", "id-GostR3410-2001-CryptoPro-A-ParamSet", NID_id_GostR3410_2001_CryptoPro_A_ParamSet, 7, &so[5588]},
{"id-GostR3410-2001-CryptoPro-B-ParamSet", "id-GostR3410-2001-CryptoPro-B-ParamSet", NID_id_GostR3410_2001_CryptoPro_B_ParamSet, 7, &so[5595]},
{"id-GostR3410-2001-CryptoPro-C-ParamSet", "id-GostR3410-2001-CryptoPro-C-ParamSet", NID_id_GostR3410_2001_CryptoPro_C_ParamSet, 7, &so[5602]},
{"id-GostR3410-2001-CryptoPro-XchA-ParamSet", "id-GostR3410-2001-CryptoPro-XchA-ParamSet", NID_id_GostR3410_2001_CryptoPro_XchA_ParamSet, 7, &so[5609]},
{"id-GostR3410-2001-CryptoPro-XchB-ParamSet", "id-GostR3410-2001-CryptoPro-XchB-ParamSet", NID_id_GostR3410_2001_CryptoPro_XchB_ParamSet, 7, &so[5616]},
{"id-GostR3410-94-a", "id-GostR3410-94-a", NID_id_GostR3410_94_a, 7, &so[5623]},
{"id-GostR3410-94-aBis", "id-GostR3410-94-aBis", NID_id_GostR3410_94_aBis, 7, &so[5630]},
{"id-GostR3410-94-b", "id-GostR3410-94-b", NID_id_GostR3410_94_b, 7, &so[5637]},
{"id-GostR3410-94-bBis", "id-GostR3410-94-bBis", NID_id_GostR3410_94_bBis, 7, &so[5644]},
{"id-Gost28147-89-cc", "GOST 28147-89 Cryptocom ParamSet", NID_id_Gost28147_89_cc, 8, &so[5651]},
{"gost94cc", "GOST 34.10-94 Cryptocom", NID_id_GostR3410_94_cc, 8, &so[5659]},
{"gost2001cc", "GOST 34.10-2001 Cryptocom", NID_id_GostR3410_2001_cc, 8, &so[5667]},
{"id-GostR3411-94-with-GostR3410-94-cc", "GOST R 34.11-94 with GOST R 34.10-94 Cryptocom", NID_id_GostR3411_94_with_GostR3410_94_cc, 8, &so[5675]},
{"id-GostR3411-94-with-GostR3410-2001-cc", "GOST R 34.11-94 with GOST R 34.10-2001 Cryptocom", NID_id_GostR3411_94_with_GostR3410_2001_cc, 8, &so[5683]},
{"id-GostR3410-2001-ParamSet-cc", "GOST R 3410-2001 Parameter Set Cryptocom", NID_id_GostR3410_2001_ParamSet_cc, 8, &so[5691]},
{"HMAC", "hmac", NID_hmac},
{"LocalKeySet", "Microsoft Local Key set", NID_LocalKeySet, 9, &so[5699]},
{"freshestCRL", "X509v3 Freshest CRL", NID_freshest_crl, 3, &so[5708]},
{"id-on-permanentIdentifier", "Permanent Identifier", NID_id_on_permanentIdentifier, 8, &so[5711]},
{"searchGuide", "searchGuide", NID_searchGuide, 3, &so[5719]},
{"businessCategory", "businessCategory", NID_businessCategory, 3, &so[5722]},
{"postalAddress", "postalAddress", NID_postalAddress, 3, &so[5725]},
{"postOfficeBox", "postOfficeBox", NID_postOfficeBox, 3, &so[5728]},
{"physicalDeliveryOfficeName", "physicalDeliveryOfficeName", NID_physicalDeliveryOfficeName, 3, &so[5731]},
{"telephoneNumber", "telephoneNumber", NID_telephoneNumber, 3, &so[5734]},
{"telexNumber", "telexNumber", NID_telexNumber, 3, &so[5737]},
{"teletexTerminalIdentifier", "teletexTerminalIdentifier", NID_teletexTerminalIdentifier, 3, &so[5740]},
{"facsimileTelephoneNumber", "facsimileTelephoneNumber", NID_facsimileTelephoneNumber, 3, &so[5743]},
{"x121Address", "x121Address", NID_x121Address, 3, &so[5746]},
{"internationaliSDNNumber", "internationaliSDNNumber", NID_internationaliSDNNumber, 3, &so[5749]},
{"registeredAddress", "registeredAddress", NID_registeredAddress, 3, &so[5752]},
{"destinationIndicator", "destinationIndicator", NID_destinationIndicator, 3, &so[5755]},
{"preferredDeliveryMethod", "preferredDeliveryMethod", NID_preferredDeliveryMethod, 3, &so[5758]},
{"presentationAddress", "presentationAddress", NID_presentationAddress, 3, &so[5761]},
{"supportedApplicationContext", "supportedApplicationContext", NID_supportedApplicationContext, 3, &so[5764]},
{"member", "member", NID_member, 3, &so[5767]},
{"owner", "owner", NID_owner, 3, &so[5770]},
{"roleOccupant", "roleOccupant", NID_roleOccupant, 3, &so[5773]},
{"seeAlso", "seeAlso", NID_seeAlso, 3, &so[5776]},
{"userPassword", "userPassword", NID_userPassword, 3, &so[5779]},
{"userCertificate", "userCertificate", NID_userCertificate, 3, &so[5782]},
{"cACertificate", "cACertificate", NID_cACertificate, 3, &so[5785]},
{"authorityRevocationList", "authorityRevocationList", NID_authorityRevocationList, 3, &so[5788]},
{"certificateRevocationList", "certificateRevocationList", NID_certificateRevocationList, 3, &so[5791]},
{"crossCertificatePair", "crossCertificatePair", NID_crossCertificatePair, 3, &so[5794]},
{"enhancedSearchGuide", "enhancedSearchGuide", NID_enhancedSearchGuide, 3, &so[5797]},
{"protocolInformation", "protocolInformation", NID_protocolInformation, 3, &so[5800]},
{"distinguishedName", "distinguishedName", NID_distinguishedName, 3, &so[5803]},
{"uniqueMember", "uniqueMember", NID_uniqueMember, 3, &so[5806]},
{"houseIdentifier", "houseIdentifier", NID_houseIdentifier, 3, &so[5809]},
{"supportedAlgorithms", "supportedAlgorithms", NID_supportedAlgorithms, 3, &so[5812]},
{"deltaRevocationList", "deltaRevocationList", NID_deltaRevocationList, 3, &so[5815]},
{"dmdName", "dmdName", NID_dmdName, 3, &so[5818]},
{"id-alg-PWRI-KEK", "id-alg-PWRI-KEK", NID_id_alg_PWRI_KEK, 11, &so[5821]},
{"CMAC", "cmac", NID_cmac},
{"id-aes128-GCM", "aes-128-gcm", NID_aes_128_gcm, 9, &so[5832]},
{"id-aes128-CCM", "aes-128-ccm", NID_aes_128_ccm, 9, &so[5841]},
{"id-aes128-wrap-pad", "id-aes128-wrap-pad", NID_id_aes128_wrap_pad, 9, &so[5850]},
{"id-aes192-GCM", "aes-192-gcm", NID_aes_192_gcm, 9, &so[5859]},
{"id-aes192-CCM", "aes-192-ccm", NID_aes_192_ccm, 9, &so[5868]},
{"id-aes192-wrap-pad", "id-aes192-wrap-pad", NID_id_aes192_wrap_pad, 9, &so[5877]},
{"id-aes256-GCM", "aes-256-gcm", NID_aes_256_gcm, 9, &so[5886]},
{"id-aes256-CCM", "aes-256-ccm", NID_aes_256_ccm, 9, &so[5895]},
{"id-aes256-wrap-pad", "id-aes256-wrap-pad", NID_id_aes256_wrap_pad, 9, &so[5904]},
{"AES-128-CTR", "aes-128-ctr", NID_aes_128_ctr},
{"AES-192-CTR", "aes-192-ctr", NID_aes_192_ctr},
{"AES-256-CTR", "aes-256-ctr", NID_aes_256_ctr},
{"id-camellia128-wrap", "id-camellia128-wrap", NID_id_camellia128_wrap, 11, &so[5913]},
{"id-camellia192-wrap", "id-camellia192-wrap", NID_id_camellia192_wrap, 11, &so[5924]},
{"id-camellia256-wrap", "id-camellia256-wrap", NID_id_camellia256_wrap, 11, &so[5935]},
{"anyExtendedKeyUsage", "Any Extended Key Usage", NID_anyExtendedKeyUsage, 4, &so[5946]},
{"MGF1", "mgf1", NID_mgf1, 9, &so[5950]},
{"RSASSA-PSS", "rsassaPss", NID_rsassaPss, 9, &so[5959]},
{"AES-128-XTS", "aes-128-xts", NID_aes_128_xts, 8, &so[5968]},
{"AES-256-XTS", "aes-256-xts", NID_aes_256_xts, 8, &so[5976]},
{"RC4-HMAC-MD5", "rc4-hmac-md5", NID_rc4_hmac_md5},
{"AES-128-CBC-HMAC-SHA1", "aes-128-cbc-hmac-sha1", NID_aes_128_cbc_hmac_sha1},
{"AES-192-CBC-HMAC-SHA1", "aes-192-cbc-hmac-sha1", NID_aes_192_cbc_hmac_sha1},
{"AES-256-CBC-HMAC-SHA1", "aes-256-cbc-hmac-sha1", NID_aes_256_cbc_hmac_sha1},
{"RSAES-OAEP", "rsaesOaep", NID_rsaesOaep, 9, &so[5984]},
{"dhpublicnumber", "X9.42 DH", NID_dhpublicnumber, 7, &so[5993]},
{"brainpoolP160r1", "brainpoolP160r1", NID_brainpoolP160r1, 9, &so[6000]},
{"brainpoolP160t1", "brainpoolP160t1", NID_brainpoolP160t1, 9, &so[6009]},
{"brainpoolP192r1", "brainpoolP192r1", NID_brainpoolP192r1, 9, &so[6018]},
{"brainpoolP192t1", "brainpoolP192t1", NID_brainpoolP192t1, 9, &so[6027]},
{"brainpoolP224r1", "brainpoolP224r1", NID_brainpoolP224r1, 9, &so[6036]},
{"brainpoolP224t1", "brainpoolP224t1", NID_brainpoolP224t1, 9, &so[6045]},
{"brainpoolP256r1", "brainpoolP256r1", NID_brainpoolP256r1, 9, &so[6054]},
{"brainpoolP256t1", "brainpoolP256t1", NID_brainpoolP256t1, 9, &so[6063]},
{"brainpoolP320r1", "brainpoolP320r1", NID_brainpoolP320r1, 9, &so[6072]},
{"brainpoolP320t1", "brainpoolP320t1", NID_brainpoolP320t1, 9, &so[6081]},
{"brainpoolP384r1", "brainpoolP384r1", NID_brainpoolP384r1, 9, &so[6090]},
{"brainpoolP384t1", "brainpoolP384t1", NID_brainpoolP384t1, 9, &so[6099]},
{"brainpoolP512r1", "brainpoolP512r1", NID_brainpoolP512r1, 9, &so[6108]},
{"brainpoolP512t1", "brainpoolP512t1", NID_brainpoolP512t1, 9, &so[6117]},
{"PSPECIFIED", "pSpecified", NID_pSpecified, 9, &so[6126]},
{"dhSinglePass-stdDH-sha1kdf-scheme", "dhSinglePass-stdDH-sha1kdf-scheme", NID_dhSinglePass_stdDH_sha1kdf_scheme, 9, &so[6135]},
{"dhSinglePass-stdDH-sha224kdf-scheme", "dhSinglePass-stdDH-sha224kdf-scheme", NID_dhSinglePass_stdDH_sha224kdf_scheme, 6, &so[6144]},
{"dhSinglePass-stdDH-sha256kdf-scheme", "dhSinglePass-stdDH-sha256kdf-scheme", NID_dhSinglePass_stdDH_sha256kdf_scheme, 6, &so[6150]},
{"dhSinglePass-stdDH-sha384kdf-scheme", "dhSinglePass-stdDH-sha384kdf-scheme", NID_dhSinglePass_stdDH_sha384kdf_scheme, 6, &so[6156]},
{"dhSinglePass-stdDH-sha512kdf-scheme", "dhSinglePass-stdDH-sha512kdf-scheme", NID_dhSinglePass_stdDH_sha512kdf_scheme, 6, &so[6162]},
{"dhSinglePass-cofactorDH-sha1kdf-scheme", "dhSinglePass-cofactorDH-sha1kdf-scheme", NID_dhSinglePass_cofactorDH_sha1kdf_scheme, 9, &so[6168]},
{"dhSinglePass-cofactorDH-sha224kdf-scheme", "dhSinglePass-cofactorDH-sha224kdf-scheme", NID_dhSinglePass_cofactorDH_sha224kdf_scheme, 6, &so[6177]},
{"dhSinglePass-cofactorDH-sha256kdf-scheme", "dhSinglePass-cofactorDH-sha256kdf-scheme", NID_dhSinglePass_cofactorDH_sha256kdf_scheme, 6, &so[6183]},
{"dhSinglePass-cofactorDH-sha384kdf-scheme", "dhSinglePass-cofactorDH-sha384kdf-scheme", NID_dhSinglePass_cofactorDH_sha384kdf_scheme, 6, &so[6189]},
{"dhSinglePass-cofactorDH-sha512kdf-scheme", "dhSinglePass-cofactorDH-sha512kdf-scheme", NID_dhSinglePass_cofactorDH_sha512kdf_scheme, 6, &so[6195]},
{"dh-std-kdf", "dh-std-kdf", NID_dh_std_kdf},
{"dh-cofactor-kdf", "dh-cofactor-kdf", NID_dh_cofactor_kdf},
{"AES-128-CBC-HMAC-SHA256", "aes-128-cbc-hmac-sha256", NID_aes_128_cbc_hmac_sha256},
{"AES-192-CBC-HMAC-SHA256", "aes-192-cbc-hmac-sha256", NID_aes_192_cbc_hmac_sha256},
{"AES-256-CBC-HMAC-SHA256", "aes-256-cbc-hmac-sha256", NID_aes_256_cbc_hmac_sha256},
{"ct_precert_scts", "CT Precertificate SCTs", NID_ct_precert_scts, 10, &so[6201]},
{"ct_precert_poison", "CT Precertificate Poison", NID_ct_precert_poison, 10, &so[6211]},
{"ct_precert_signer", "CT Precertificate Signer", NID_ct_precert_signer, 10, &so[6221]},
{"ct_cert_scts", "CT Certificate SCTs", NID_ct_cert_scts, 10, &so[6231]},
{"jurisdictionL", "jurisdictionLocalityName", NID_jurisdictionLocalityName, 11, &so[6241]},
{"jurisdictionST", "jurisdictionStateOrProvinceName", NID_jurisdictionStateOrProvinceName, 11, &so[6252]},
{"jurisdictionC", "jurisdictionCountryName", NID_jurisdictionCountryName, 11, &so[6263]},
{"AES-128-OCB", "aes-128-ocb", NID_aes_128_ocb},
{"AES-192-OCB", "aes-192-ocb", NID_aes_192_ocb},
{"AES-256-OCB", "aes-256-ocb", NID_aes_256_ocb},
{"CAMELLIA-128-GCM", "camellia-128-gcm", NID_camellia_128_gcm, 8, &so[6274]},
{"CAMELLIA-128-CCM", "camellia-128-ccm", NID_camellia_128_ccm, 8, &so[6282]},
{"CAMELLIA-128-CTR", "camellia-128-ctr", NID_camellia_128_ctr, 8, &so[6290]},
{"CAMELLIA-128-CMAC", "camellia-128-cmac", NID_camellia_128_cmac, 8, &so[6298]},
{"CAMELLIA-192-GCM", "camellia-192-gcm", NID_camellia_192_gcm, 8, &so[6306]},
{"CAMELLIA-192-CCM", "camellia-192-ccm", NID_camellia_192_ccm, 8, &so[6314]},
{"CAMELLIA-192-CTR", "camellia-192-ctr", NID_camellia_192_ctr, 8, &so[6322]},
{"CAMELLIA-192-CMAC", "camellia-192-cmac", NID_camellia_192_cmac, 8, &so[6330]},
{"CAMELLIA-256-GCM", "camellia-256-gcm", NID_camellia_256_gcm, 8, &so[6338]},
{"CAMELLIA-256-CCM", "camellia-256-ccm", NID_camellia_256_ccm, 8, &so[6346]},
{"CAMELLIA-256-CTR", "camellia-256-ctr", NID_camellia_256_ctr, 8, &so[6354]},
{"CAMELLIA-256-CMAC", "camellia-256-cmac", NID_camellia_256_cmac, 8, &so[6362]},
{"id-scrypt", "scrypt", NID_id_scrypt, 9, &so[6370]},
{"id-tc26", "id-tc26", NID_id_tc26, 5, &so[6379]},
{"gost89-cnt-12", "gost89-cnt-12", NID_gost89_cnt_12},
{"gost-mac-12", "gost-mac-12", NID_gost_mac_12},
{"id-tc26-algorithms", "id-tc26-algorithms", NID_id_tc26_algorithms, 6, &so[6384]},
{"id-tc26-sign", "id-tc26-sign", NID_id_tc26_sign, 7, &so[6390]},
{"gost2012_256", "GOST R 34.10-2012 with 256 bit modulus", NID_id_GostR3410_2012_256, 8, &so[6397]},
{"gost2012_512", "GOST R 34.10-2012 with 512 bit modulus", NID_id_GostR3410_2012_512, 8, &so[6405]},
{"id-tc26-digest", "id-tc26-digest", NID_id_tc26_digest, 7, &so[6413]},
{"md_gost12_256", "GOST R 34.11-2012 with 256 bit hash", NID_id_GostR3411_2012_256, 8, &so[6420]},
{"md_gost12_512", "GOST R 34.11-2012 with 512 bit hash", NID_id_GostR3411_2012_512, 8, &so[6428]},
{"id-tc26-signwithdigest", "id-tc26-signwithdigest", NID_id_tc26_signwithdigest, 7, &so[6436]},
{"id-tc26-signwithdigest-gost3410-2012-256", "GOST R 34.10-2012 with GOST R 34.11-2012 (256 bit)", NID_id_tc26_signwithdigest_gost3410_2012_256, 8, &so[6443]},
{"id-tc26-signwithdigest-gost3410-2012-512", "GOST R 34.10-2012 with GOST R 34.11-2012 (512 bit)", NID_id_tc26_signwithdigest_gost3410_2012_512, 8, &so[6451]},
{"id-tc26-mac", "id-tc26-mac", NID_id_tc26_mac, 7, &so[6459]},
{"id-tc26-hmac-gost-3411-2012-256", "HMAC GOST 34.11-2012 256 bit", NID_id_tc26_hmac_gost_3411_2012_256, 8, &so[6466]},
{"id-tc26-hmac-gost-3411-2012-512", "HMAC GOST 34.11-2012 512 bit", NID_id_tc26_hmac_gost_3411_2012_512, 8, &so[6474]},
{"id-tc26-cipher", "id-tc26-cipher", NID_id_tc26_cipher, 7, &so[6482]},
{"id-tc26-agreement", "id-tc26-agreement", NID_id_tc26_agreement, 7, &so[6489]},
{"id-tc26-agreement-gost-3410-2012-256", "id-tc26-agreement-gost-3410-2012-256", NID_id_tc26_agreement_gost_3410_2012_256, 8, &so[6496]},
{"id-tc26-agreement-gost-3410-2012-512", "id-tc26-agreement-gost-3410-2012-512", NID_id_tc26_agreement_gost_3410_2012_512, 8, &so[6504]},
{"id-tc26-constants", "id-tc26-constants", NID_id_tc26_constants, 6, &so[6512]},
{"id-tc26-sign-constants", "id-tc26-sign-constants", NID_id_tc26_sign_constants, 7, &so[6518]},
{"id-tc26-gost-3410-2012-512-constants", "id-tc26-gost-3410-2012-512-constants", NID_id_tc26_gost_3410_2012_512_constants, 8, &so[6525]},
{"id-tc26-gost-3410-2012-512-paramSetTest", "GOST R 34.10-2012 (512 bit) testing parameter set", NID_id_tc26_gost_3410_2012_512_paramSetTest, 9, &so[6533]},
{"id-tc26-gost-3410-2012-512-paramSetA", "GOST R 34.10-2012 (512 bit) ParamSet A", NID_id_tc26_gost_3410_2012_512_paramSetA, 9, &so[6542]},
{"id-tc26-gost-3410-2012-512-paramSetB", "GOST R 34.10-2012 (512 bit) ParamSet B", NID_id_tc26_gost_3410_2012_512_paramSetB, 9, &so[6551]},
{"id-tc26-digest-constants", "id-tc26-digest-constants", NID_id_tc26_digest_constants, 7, &so[6560]},
{"id-tc26-cipher-constants", "id-tc26-cipher-constants", NID_id_tc26_cipher_constants, 7, &so[6567]},
{"id-tc26-gost-28147-constants", "id-tc26-gost-28147-constants", NID_id_tc26_gost_28147_constants, 8, &so[6574]},
{"id-tc26-gost-28147-param-Z", "GOST 28147-89 TC26 parameter set", NID_id_tc26_gost_28147_param_Z, 9, &so[6582]},
{"INN", "INN", NID_INN, 8, &so[6591]},
{"OGRN", "OGRN", NID_OGRN, 5, &so[6599]},
{"SNILS", "SNILS", NID_SNILS, 5, &so[6604]},
{"subjectSignTool", "Signing Tool of Subject", NID_subjectSignTool, 5, &so[6609]},
{"issuerSignTool", "Signing Tool of Issuer", NID_issuerSignTool, 5, &so[6614]},
{"gost89-cbc", "gost89-cbc", NID_gost89_cbc},
{"gost89-ecb", "gost89-ecb", NID_gost89_ecb},
{"gost89-ctr", "gost89-ctr", NID_gost89_ctr},
{"grasshopper-ecb", "grasshopper-ecb", NID_grasshopper_ecb},
{"grasshopper-ctr", "grasshopper-ctr", NID_grasshopper_ctr},
{"grasshopper-ofb", "grasshopper-ofb", NID_grasshopper_ofb},
{"grasshopper-cbc", "grasshopper-cbc", NID_grasshopper_cbc},
{"grasshopper-cfb", "grasshopper-cfb", NID_grasshopper_cfb},
{"grasshopper-mac", "grasshopper-mac", NID_grasshopper_mac},
{"ChaCha20-Poly1305", "chacha20-poly1305", NID_chacha20_poly1305},
{"ChaCha20", "chacha20", NID_chacha20},
{"tlsfeature", "TLS Feature", NID_tlsfeature, 8, &so[6619]},
{"TLS1-PRF", "tls1-prf", NID_tls1_prf},
{"ipsecIKE", "ipsec Internet Key Exchange", NID_ipsec_IKE, 8, &so[6627]},
{"capwapAC", "Ctrl/provision WAP Access", NID_capwapAC, 8, &so[6635]},
{"capwapWTP", "Ctrl/Provision WAP Termination", NID_capwapWTP, 8, &so[6643]},
{"secureShellClient", "SSH Client", NID_sshClient, 8, &so[6651]},
{"secureShellServer", "SSH Server", NID_sshServer, 8, &so[6659]},
{"sendRouter", "Send Router", NID_sendRouter, 8, &so[6667]},
{"sendProxiedRouter", "Send Proxied Router", NID_sendProxiedRouter, 8, &so[6675]},
{"sendOwner", "Send Owner", NID_sendOwner, 8, &so[6683]},
{"sendProxiedOwner", "Send Proxied Owner", NID_sendProxiedOwner, 8, &so[6691]},
{"id-pkinit", "id-pkinit", NID_id_pkinit, 6, &so[6699]},
{"pkInitClientAuth", "PKINIT Client Auth", NID_pkInitClientAuth, 7, &so[6705]},
{"pkInitKDC", "Signing KDC Response", NID_pkInitKDC, 7, &so[6712]},
{"X25519", "X25519", NID_X25519, 3, &so[6719]},
{"X448", "X448", NID_X448, 3, &so[6722]},
{"HKDF", "hkdf", NID_hkdf},
{"KxRSA", "kx-rsa", NID_kx_rsa},
{"KxECDHE", "kx-ecdhe", NID_kx_ecdhe},
{"KxDHE", "kx-dhe", NID_kx_dhe},
{"KxECDHE-PSK", "kx-ecdhe-psk", NID_kx_ecdhe_psk},
{"KxDHE-PSK", "kx-dhe-psk", NID_kx_dhe_psk},
{"KxRSA_PSK", "kx-rsa-psk", NID_kx_rsa_psk},
{"KxPSK", "kx-psk", NID_kx_psk},
{"KxSRP", "kx-srp", NID_kx_srp},
{"KxGOST", "kx-gost", NID_kx_gost},
{"AuthRSA", "auth-rsa", NID_auth_rsa},
{"AuthECDSA", "auth-ecdsa", NID_auth_ecdsa},
{"AuthPSK", "auth-psk", NID_auth_psk},
{"AuthDSS", "auth-dss", NID_auth_dss},
{"AuthGOST01", "auth-gost01", NID_auth_gost01},
{"AuthGOST12", "auth-gost12", NID_auth_gost12},
{"AuthSRP", "auth-srp", NID_auth_srp},
{"AuthNULL", "auth-null", NID_auth_null},
{ NULL, NULL, NID_undef },
{ NULL, NULL, NID_undef },
{"BLAKE2b512", "blake2b512", NID_blake2b512, 11, &so[6725]},
{"BLAKE2s256", "blake2s256", NID_blake2s256, 11, &so[6736]},
{"id-smime-ct-contentCollection", "id-smime-ct-contentCollection", NID_id_smime_ct_contentCollection, 11, &so[6747]},
{"id-smime-ct-authEnvelopedData", "id-smime-ct-authEnvelopedData", NID_id_smime_ct_authEnvelopedData, 11, &so[6758]},
{"id-ct-xml", "id-ct-xml", NID_id_ct_xml, 11, &so[6769]},
{"Poly1305", "poly1305", NID_poly1305},
{"SipHash", "siphash", NID_siphash},
{"KxANY", "kx-any", NID_kx_any},
{"AuthANY", "auth-any", NID_auth_any},
{"ARIA-128-ECB", "aria-128-ecb", NID_aria_128_ecb, 9, &so[6780]},
{"ARIA-128-CBC", "aria-128-cbc", NID_aria_128_cbc, 9, &so[6789]},
{"ARIA-128-CFB", "aria-128-cfb", NID_aria_128_cfb128, 9, &so[6798]},
{"ARIA-128-OFB", "aria-128-ofb", NID_aria_128_ofb128, 9, &so[6807]},
{"ARIA-128-CTR", "aria-128-ctr", NID_aria_128_ctr, 9, &so[6816]},
{"ARIA-192-ECB", "aria-192-ecb", NID_aria_192_ecb, 9, &so[6825]},
{"ARIA-192-CBC", "aria-192-cbc", NID_aria_192_cbc, 9, &so[6834]},
{"ARIA-192-CFB", "aria-192-cfb", NID_aria_192_cfb128, 9, &so[6843]},
{"ARIA-192-OFB", "aria-192-ofb", NID_aria_192_ofb128, 9, &so[6852]},
{"ARIA-192-CTR", "aria-192-ctr", NID_aria_192_ctr, 9, &so[6861]},
{"ARIA-256-ECB", "aria-256-ecb", NID_aria_256_ecb, 9, &so[6870]},
{"ARIA-256-CBC", "aria-256-cbc", NID_aria_256_cbc, 9, &so[6879]},
{"ARIA-256-CFB", "aria-256-cfb", NID_aria_256_cfb128, 9, &so[6888]},
{"ARIA-256-OFB", "aria-256-ofb", NID_aria_256_ofb128, 9, &so[6897]},
{"ARIA-256-CTR", "aria-256-ctr", NID_aria_256_ctr, 9, &so[6906]},
{"ARIA-128-CFB1", "aria-128-cfb1", NID_aria_128_cfb1},
{"ARIA-192-CFB1", "aria-192-cfb1", NID_aria_192_cfb1},
{"ARIA-256-CFB1", "aria-256-cfb1", NID_aria_256_cfb1},
{"ARIA-128-CFB8", "aria-128-cfb8", NID_aria_128_cfb8},
{"ARIA-192-CFB8", "aria-192-cfb8", NID_aria_192_cfb8},
{"ARIA-256-CFB8", "aria-256-cfb8", NID_aria_256_cfb8},
{"id-smime-aa-signingCertificateV2", "id-smime-aa-signingCertificateV2", NID_id_smime_aa_signingCertificateV2, 11, &so[6915]},
{"ED25519", "ED25519", NID_ED25519, 3, &so[6926]},
{"ED448", "ED448", NID_ED448, 3, &so[6929]},
{"organizationIdentifier", "organizationIdentifier", NID_organizationIdentifier, 3, &so[6932]},
{"c3", "countryCode3c", NID_countryCode3c, 3, &so[6935]},
{"n3", "countryCode3n", NID_countryCode3n, 3, &so[6938]},
{"dnsName", "dnsName", NID_dnsName, 3, &so[6941]},
{"x509ExtAdmission", "Professional Information or basis for Admission", NID_x509ExtAdmission, 5, &so[6944]},
{"SHA512-224", "sha512-224", NID_sha512_224, 9, &so[6949]},
{"SHA512-256", "sha512-256", NID_sha512_256, 9, &so[6958]},
{"SHA3-224", "sha3-224", NID_sha3_224, 9, &so[6967]},
{"SHA3-256", "sha3-256", NID_sha3_256, 9, &so[6976]},
{"SHA3-384", "sha3-384", NID_sha3_384, 9, &so[6985]},
{"SHA3-512", "sha3-512", NID_sha3_512, 9, &so[6994]},
{"SHAKE128", "shake128", NID_shake128, 9, &so[7003]},
{"SHAKE256", "shake256", NID_shake256, 9, &so[7012]},
{"id-hmacWithSHA3-224", "hmac-sha3-224", NID_hmac_sha3_224, 9, &so[7021]},
{"id-hmacWithSHA3-256", "hmac-sha3-256", NID_hmac_sha3_256, 9, &so[7030]},
{"id-hmacWithSHA3-384", "hmac-sha3-384", NID_hmac_sha3_384, 9, &so[7039]},
{"id-hmacWithSHA3-512", "hmac-sha3-512", NID_hmac_sha3_512, 9, &so[7048]},
{"id-dsa-with-sha384", "dsa_with_SHA384", NID_dsa_with_SHA384, 9, &so[7057]},
{"id-dsa-with-sha512", "dsa_with_SHA512", NID_dsa_with_SHA512, 9, &so[7066]},
{"id-dsa-with-sha3-224", "dsa_with_SHA3-224", NID_dsa_with_SHA3_224, 9, &so[7075]},
{"id-dsa-with-sha3-256", "dsa_with_SHA3-256", NID_dsa_with_SHA3_256, 9, &so[7084]},
{"id-dsa-with-sha3-384", "dsa_with_SHA3-384", NID_dsa_with_SHA3_384, 9, &so[7093]},
{"id-dsa-with-sha3-512", "dsa_with_SHA3-512", NID_dsa_with_SHA3_512, 9, &so[7102]},
{"id-ecdsa-with-sha3-224", "ecdsa_with_SHA3-224", NID_ecdsa_with_SHA3_224, 9, &so[7111]},
{"id-ecdsa-with-sha3-256", "ecdsa_with_SHA3-256", NID_ecdsa_with_SHA3_256, 9, &so[7120]},
{"id-ecdsa-with-sha3-384", "ecdsa_with_SHA3-384", NID_ecdsa_with_SHA3_384, 9, &so[7129]},
{"id-ecdsa-with-sha3-512", "ecdsa_with_SHA3-512", NID_ecdsa_with_SHA3_512, 9, &so[7138]},
{"id-rsassa-pkcs1-v1_5-with-sha3-224", "RSA-SHA3-224", NID_RSA_SHA3_224, 9, &so[7147]},
{"id-rsassa-pkcs1-v1_5-with-sha3-256", "RSA-SHA3-256", NID_RSA_SHA3_256, 9, &so[7156]},
{"id-rsassa-pkcs1-v1_5-with-sha3-384", "RSA-SHA3-384", NID_RSA_SHA3_384, 9, &so[7165]},
{"id-rsassa-pkcs1-v1_5-with-sha3-512", "RSA-SHA3-512", NID_RSA_SHA3_512, 9, &so[7174]},
{"ARIA-128-CCM", "aria-128-ccm", NID_aria_128_ccm, 9, &so[7183]},
{"ARIA-192-CCM", "aria-192-ccm", NID_aria_192_ccm, 9, &so[7192]},
{"ARIA-256-CCM", "aria-256-ccm", NID_aria_256_ccm, 9, &so[7201]},
{"ARIA-128-GCM", "aria-128-gcm", NID_aria_128_gcm, 9, &so[7210]},
{"ARIA-192-GCM", "aria-192-gcm", NID_aria_192_gcm, 9, &so[7219]},
{"ARIA-256-GCM", "aria-256-gcm", NID_aria_256_gcm, 9, &so[7228]},
{"ffdhe2048", "ffdhe2048", NID_ffdhe2048},
{"ffdhe3072", "ffdhe3072", NID_ffdhe3072},
{"ffdhe4096", "ffdhe4096", NID_ffdhe4096},
{"ffdhe6144", "ffdhe6144", NID_ffdhe6144},
{"ffdhe8192", "ffdhe8192", NID_ffdhe8192},
{"cmcCA", "CMC Certificate Authority", NID_cmcCA, 8, &so[7237]},
{"cmcRA", "CMC Registration Authority", NID_cmcRA, 8, &so[7245]},
{"SM4-ECB", "sm4-ecb", NID_sm4_ecb, 8, &so[7253]},
{"SM4-CBC", "sm4-cbc", NID_sm4_cbc, 8, &so[7261]},
{"SM4-OFB", "sm4-ofb", NID_sm4_ofb128, 8, &so[7269]},
{"SM4-CFB1", "sm4-cfb1", NID_sm4_cfb1, 8, &so[7277]},
{"SM4-CFB", "sm4-cfb", NID_sm4_cfb128, 8, &so[7285]},
{"SM4-CFB8", "sm4-cfb8", NID_sm4_cfb8, 8, &so[7293]},
{"SM4-CTR", "sm4-ctr", NID_sm4_ctr, 8, &so[7301]},
{"ISO-CN", "ISO CN Member Body", NID_ISO_CN, 3, &so[7309]},
{"oscca", "oscca", NID_oscca, 5, &so[7312]},
{"sm-scheme", "sm-scheme", NID_sm_scheme, 6, &so[7317]},
{"SM3", "sm3", NID_sm3, 8, &so[7323]},
{"RSA-SM3", "sm3WithRSAEncryption", NID_sm3WithRSAEncryption, 8, &so[7331]},
{"RSA-SHA512/224", "sha512-224WithRSAEncryption", NID_sha512_224WithRSAEncryption, 9, &so[7339]},
{"RSA-SHA512/256", "sha512-256WithRSAEncryption", NID_sha512_256WithRSAEncryption, 9, &so[7348]},
{"id-tc26-gost-3410-2012-256-constants", "id-tc26-gost-3410-2012-256-constants", NID_id_tc26_gost_3410_2012_256_constants, 8, &so[7357]},
{"id-tc26-gost-3410-2012-256-paramSetA", "GOST R 34.10-2012 (256 bit) ParamSet A", NID_id_tc26_gost_3410_2012_256_paramSetA, 9, &so[7365]},
{"id-tc26-gost-3410-2012-512-paramSetC", "GOST R 34.10-2012 (512 bit) ParamSet C", NID_id_tc26_gost_3410_2012_512_paramSetC, 9, &so[7374]},
{"ISO-UA", "ISO-UA", NID_ISO_UA, 3, &so[7383]},
{"ua-pki", "ua-pki", NID_ua_pki, 7, &so[7386]},
{"dstu28147", "DSTU Gost 28147-2009", NID_dstu28147, 10, &so[7393]},
{"dstu28147-ofb", "DSTU Gost 28147-2009 OFB mode", NID_dstu28147_ofb, 11, &so[7403]},
{"dstu28147-cfb", "DSTU Gost 28147-2009 CFB mode", NID_dstu28147_cfb, 11, &so[7414]},
{"dstu28147-wrap", "DSTU Gost 28147-2009 key wrap", NID_dstu28147_wrap, 11, &so[7425]},
{"hmacWithDstu34311", "HMAC DSTU Gost 34311-95", NID_hmacWithDstu34311, 10, &so[7436]},
{"dstu34311", "DSTU Gost 34311-95", NID_dstu34311, 10, &so[7446]},
{"dstu4145le", "DSTU 4145-2002 little endian", NID_dstu4145le, 11, &so[7456]},
{"dstu4145be", "DSTU 4145-2002 big endian", NID_dstu4145be, 13, &so[7467]},
{"uacurve0", "DSTU curve 0", NID_uacurve0, 13, &so[7480]},
{"uacurve1", "DSTU curve 1", NID_uacurve1, 13, &so[7493]},
{"uacurve2", "DSTU curve 2", NID_uacurve2, 13, &so[7506]},
{"uacurve3", "DSTU curve 3", NID_uacurve3, 13, &so[7519]},
{"uacurve4", "DSTU curve 4", NID_uacurve4, 13, &so[7532]},
{"uacurve5", "DSTU curve 5", NID_uacurve5, 13, &so[7545]},
{"uacurve6", "DSTU curve 6", NID_uacurve6, 13, &so[7558]},
{"uacurve7", "DSTU curve 7", NID_uacurve7, 13, &so[7571]},
{"uacurve8", "DSTU curve 8", NID_uacurve8, 13, &so[7584]},
{"uacurve9", "DSTU curve 9", NID_uacurve9, 13, &so[7597]},
{"ieee", "ieee", NID_ieee, 2, &so[7610]},
{"ieee-siswg", "IEEE Security in Storage Working Group", NID_ieee_siswg, 5, &so[7612]},
{"SM2", "sm2", NID_sm2, 8, &so[7617]},
{"id-tc26-cipher-gostr3412-2015-magma", "id-tc26-cipher-gostr3412-2015-magma", NID_id_tc26_cipher_gostr3412_2015_magma, 8, &so[7625]},
{"id-tc26-cipher-gostr3412-2015-magma-ctracpkm", "id-tc26-cipher-gostr3412-2015-magma-ctracpkm", NID_id_tc26_cipher_gostr3412_2015_magma_ctracpkm, 9, &so[7633]},
{"id-tc26-cipher-gostr3412-2015-magma-ctracpkm-omac", "id-tc26-cipher-gostr3412-2015-magma-ctracpkm-omac", NID_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac, 9, &so[7642]},
{"id-tc26-cipher-gostr3412-2015-kuznyechik", "id-tc26-cipher-gostr3412-2015-kuznyechik", NID_id_tc26_cipher_gostr3412_2015_kuznyechik, 8, &so[7651]},
{"id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm", "id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm", NID_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm, 9, &so[7659]},
{"id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm-omac", "id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm-omac", NID_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac, 9, &so[7668]},
{"id-tc26-wrap", "id-tc26-wrap", NID_id_tc26_wrap, 7, &so[7677]},
{"id-tc26-wrap-gostr3412-2015-magma", "id-tc26-wrap-gostr3412-2015-magma", NID_id_tc26_wrap_gostr3412_2015_magma, 8, &so[7684]},
{"id-tc26-wrap-gostr3412-2015-magma-kexp15", "id-tc26-wrap-gostr3412-2015-magma-kexp15", NID_id_tc26_wrap_gostr3412_2015_magma_kexp15, 9, &so[7692]},
{"id-tc26-wrap-gostr3412-2015-kuznyechik", "id-tc26-wrap-gostr3412-2015-kuznyechik", NID_id_tc26_wrap_gostr3412_2015_kuznyechik, 8, &so[7701]},
{"id-tc26-wrap-gostr3412-2015-kuznyechik-kexp15", "id-tc26-wrap-gostr3412-2015-kuznyechik-kexp15", NID_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15, 9, &so[7709]},
{"id-tc26-gost-3410-2012-256-paramSetB", "GOST R 34.10-2012 (256 bit) ParamSet B", NID_id_tc26_gost_3410_2012_256_paramSetB, 9, &so[7718]},
{"id-tc26-gost-3410-2012-256-paramSetC", "GOST R 34.10-2012 (256 bit) ParamSet C", NID_id_tc26_gost_3410_2012_256_paramSetC, 9, &so[7727]},
{"id-tc26-gost-3410-2012-256-paramSetD", "GOST R 34.10-2012 (256 bit) ParamSet D", NID_id_tc26_gost_3410_2012_256_paramSetD, 9, &so[7736]},
{"magma-ecb", "magma-ecb", NID_magma_ecb},
{"magma-ctr", "magma-ctr", NID_magma_ctr},
{"magma-ofb", "magma-ofb", NID_magma_ofb},
{"magma-cbc", "magma-cbc", NID_magma_cbc},
{"magma-cfb", "magma-cfb", NID_magma_cfb},
{"magma-mac", "magma-mac", NID_magma_mac},
{"hmacWithSHA512-224", "hmacWithSHA512-224", NID_hmacWithSHA512_224, 8, &so[7745]},
{"hmacWithSHA512-256", "hmacWithSHA512-256", NID_hmacWithSHA512_256, 8, &so[7753]},
};
#define NUM_SN 1186
static const unsigned int sn_objs[NUM_SN] = {
364, /* "AD_DVCS" */
419, /* "AES-128-CBC" */
916, /* "AES-128-CBC-HMAC-SHA1" */
948, /* "AES-128-CBC-HMAC-SHA256" */
421, /* "AES-128-CFB" */
650, /* "AES-128-CFB1" */
653, /* "AES-128-CFB8" */
904, /* "AES-128-CTR" */
418, /* "AES-128-ECB" */
958, /* "AES-128-OCB" */
420, /* "AES-128-OFB" */
913, /* "AES-128-XTS" */
423, /* "AES-192-CBC" */
917, /* "AES-192-CBC-HMAC-SHA1" */
949, /* "AES-192-CBC-HMAC-SHA256" */
425, /* "AES-192-CFB" */
651, /* "AES-192-CFB1" */
654, /* "AES-192-CFB8" */
905, /* "AES-192-CTR" */
422, /* "AES-192-ECB" */
959, /* "AES-192-OCB" */
424, /* "AES-192-OFB" */
427, /* "AES-256-CBC" */
918, /* "AES-256-CBC-HMAC-SHA1" */
950, /* "AES-256-CBC-HMAC-SHA256" */
429, /* "AES-256-CFB" */
652, /* "AES-256-CFB1" */
655, /* "AES-256-CFB8" */
906, /* "AES-256-CTR" */
426, /* "AES-256-ECB" */
960, /* "AES-256-OCB" */
428, /* "AES-256-OFB" */
914, /* "AES-256-XTS" */
1066, /* "ARIA-128-CBC" */
1120, /* "ARIA-128-CCM" */
1067, /* "ARIA-128-CFB" */
1080, /* "ARIA-128-CFB1" */
1083, /* "ARIA-128-CFB8" */
1069, /* "ARIA-128-CTR" */
1065, /* "ARIA-128-ECB" */
1123, /* "ARIA-128-GCM" */
1068, /* "ARIA-128-OFB" */
1071, /* "ARIA-192-CBC" */
1121, /* "ARIA-192-CCM" */
1072, /* "ARIA-192-CFB" */
1081, /* "ARIA-192-CFB1" */
1084, /* "ARIA-192-CFB8" */
1074, /* "ARIA-192-CTR" */
1070, /* "ARIA-192-ECB" */
1124, /* "ARIA-192-GCM" */
1073, /* "ARIA-192-OFB" */
1076, /* "ARIA-256-CBC" */
1122, /* "ARIA-256-CCM" */
1077, /* "ARIA-256-CFB" */
1082, /* "ARIA-256-CFB1" */
1085, /* "ARIA-256-CFB8" */
1079, /* "ARIA-256-CTR" */
1075, /* "ARIA-256-ECB" */
1125, /* "ARIA-256-GCM" */
1078, /* "ARIA-256-OFB" */
1064, /* "AuthANY" */
1049, /* "AuthDSS" */
1047, /* "AuthECDSA" */
1050, /* "AuthGOST01" */
1051, /* "AuthGOST12" */
1053, /* "AuthNULL" */
1048, /* "AuthPSK" */
1046, /* "AuthRSA" */
1052, /* "AuthSRP" */
91, /* "BF-CBC" */
93, /* "BF-CFB" */
92, /* "BF-ECB" */
94, /* "BF-OFB" */
1056, /* "BLAKE2b512" */
1057, /* "BLAKE2s256" */
14, /* "C" */
751, /* "CAMELLIA-128-CBC" */
962, /* "CAMELLIA-128-CCM" */
757, /* "CAMELLIA-128-CFB" */
760, /* "CAMELLIA-128-CFB1" */
763, /* "CAMELLIA-128-CFB8" */
964, /* "CAMELLIA-128-CMAC" */
963, /* "CAMELLIA-128-CTR" */
754, /* "CAMELLIA-128-ECB" */
961, /* "CAMELLIA-128-GCM" */
766, /* "CAMELLIA-128-OFB" */
752, /* "CAMELLIA-192-CBC" */
966, /* "CAMELLIA-192-CCM" */
758, /* "CAMELLIA-192-CFB" */
761, /* "CAMELLIA-192-CFB1" */
764, /* "CAMELLIA-192-CFB8" */
968, /* "CAMELLIA-192-CMAC" */
967, /* "CAMELLIA-192-CTR" */
755, /* "CAMELLIA-192-ECB" */
965, /* "CAMELLIA-192-GCM" */
767, /* "CAMELLIA-192-OFB" */
753, /* "CAMELLIA-256-CBC" */
970, /* "CAMELLIA-256-CCM" */
759, /* "CAMELLIA-256-CFB" */
762, /* "CAMELLIA-256-CFB1" */
765, /* "CAMELLIA-256-CFB8" */
972, /* "CAMELLIA-256-CMAC" */
971, /* "CAMELLIA-256-CTR" */
756, /* "CAMELLIA-256-ECB" */
969, /* "CAMELLIA-256-GCM" */
768, /* "CAMELLIA-256-OFB" */
108, /* "CAST5-CBC" */
110, /* "CAST5-CFB" */
109, /* "CAST5-ECB" */
111, /* "CAST5-OFB" */
894, /* "CMAC" */
13, /* "CN" */
141, /* "CRLReason" */
417, /* "CSPName" */
1019, /* "ChaCha20" */
1018, /* "ChaCha20-Poly1305" */
367, /* "CrlID" */
391, /* "DC" */
31, /* "DES-CBC" */
643, /* "DES-CDMF" */
30, /* "DES-CFB" */
656, /* "DES-CFB1" */
657, /* "DES-CFB8" */
29, /* "DES-ECB" */
32, /* "DES-EDE" */
43, /* "DES-EDE-CBC" */
60, /* "DES-EDE-CFB" */
62, /* "DES-EDE-OFB" */
33, /* "DES-EDE3" */
44, /* "DES-EDE3-CBC" */
61, /* "DES-EDE3-CFB" */
658, /* "DES-EDE3-CFB1" */
659, /* "DES-EDE3-CFB8" */
63, /* "DES-EDE3-OFB" */
45, /* "DES-OFB" */
80, /* "DESX-CBC" */
380, /* "DOD" */
116, /* "DSA" */
66, /* "DSA-SHA" */
113, /* "DSA-SHA1" */
70, /* "DSA-SHA1-old" */
67, /* "DSA-old" */
297, /* "DVCS" */
1087, /* "ED25519" */
1088, /* "ED448" */
99, /* "GN" */
1036, /* "HKDF" */
855, /* "HMAC" */
780, /* "HMAC-MD5" */
781, /* "HMAC-SHA1" */
381, /* "IANA" */
34, /* "IDEA-CBC" */
35, /* "IDEA-CFB" */
36, /* "IDEA-ECB" */
46, /* "IDEA-OFB" */
1004, /* "INN" */
181, /* "ISO" */
1140, /* "ISO-CN" */
1150, /* "ISO-UA" */
183, /* "ISO-US" */
645, /* "ITU-T" */
646, /* "JOINT-ISO-ITU-T" */
773, /* "KISA" */
1063, /* "KxANY" */
1039, /* "KxDHE" */
1041, /* "KxDHE-PSK" */
1038, /* "KxECDHE" */
1040, /* "KxECDHE-PSK" */
1045, /* "KxGOST" */
1043, /* "KxPSK" */
1037, /* "KxRSA" */
1042, /* "KxRSA_PSK" */
1044, /* "KxSRP" */
15, /* "L" */
856, /* "LocalKeySet" */
3, /* "MD2" */
257, /* "MD4" */
4, /* "MD5" */
114, /* "MD5-SHA1" */
95, /* "MDC2" */
911, /* "MGF1" */
388, /* "Mail" */
393, /* "NULL" */
404, /* "NULL" */
57, /* "Netscape" */
366, /* "Nonce" */
17, /* "O" */
178, /* "OCSP" */
180, /* "OCSPSigning" */
1005, /* "OGRN" */
379, /* "ORG" */
18, /* "OU" */
749, /* "Oakley-EC2N-3" */
750, /* "Oakley-EC2N-4" */
9, /* "PBE-MD2-DES" */
168, /* "PBE-MD2-RC2-64" */
10, /* "PBE-MD5-DES" */
169, /* "PBE-MD5-RC2-64" */
147, /* "PBE-SHA1-2DES" */
146, /* "PBE-SHA1-3DES" */
170, /* "PBE-SHA1-DES" */
148, /* "PBE-SHA1-RC2-128" */
149, /* "PBE-SHA1-RC2-40" */
68, /* "PBE-SHA1-RC2-64" */
144, /* "PBE-SHA1-RC4-128" */
145, /* "PBE-SHA1-RC4-40" */
161, /* "PBES2" */
69, /* "PBKDF2" */
162, /* "PBMAC1" */
127, /* "PKIX" */
935, /* "PSPECIFIED" */
1061, /* "Poly1305" */
98, /* "RC2-40-CBC" */
166, /* "RC2-64-CBC" */
37, /* "RC2-CBC" */
39, /* "RC2-CFB" */
38, /* "RC2-ECB" */
40, /* "RC2-OFB" */
5, /* "RC4" */
97, /* "RC4-40" */
915, /* "RC4-HMAC-MD5" */
120, /* "RC5-CBC" */
122, /* "RC5-CFB" */
121, /* "RC5-ECB" */
123, /* "RC5-OFB" */
117, /* "RIPEMD160" */
19, /* "RSA" */
7, /* "RSA-MD2" */
396, /* "RSA-MD4" */
8, /* "RSA-MD5" */
96, /* "RSA-MDC2" */
104, /* "RSA-NP-MD5" */
119, /* "RSA-RIPEMD160" */
42, /* "RSA-SHA" */
65, /* "RSA-SHA1" */
115, /* "RSA-SHA1-2" */
671, /* "RSA-SHA224" */
668, /* "RSA-SHA256" */
669, /* "RSA-SHA384" */
670, /* "RSA-SHA512" */
1145, /* "RSA-SHA512/224" */
1146, /* "RSA-SHA512/256" */
1144, /* "RSA-SM3" */
919, /* "RSAES-OAEP" */
912, /* "RSASSA-PSS" */
777, /* "SEED-CBC" */
779, /* "SEED-CFB" */
776, /* "SEED-ECB" */
778, /* "SEED-OFB" */
41, /* "SHA" */
64, /* "SHA1" */
675, /* "SHA224" */
672, /* "SHA256" */
1096, /* "SHA3-224" */
1097, /* "SHA3-256" */
1098, /* "SHA3-384" */
1099, /* "SHA3-512" */
673, /* "SHA384" */
674, /* "SHA512" */
1094, /* "SHA512-224" */
1095, /* "SHA512-256" */
1100, /* "SHAKE128" */
1101, /* "SHAKE256" */
1172, /* "SM2" */
1143, /* "SM3" */
1134, /* "SM4-CBC" */
1137, /* "SM4-CFB" */
1136, /* "SM4-CFB1" */
1138, /* "SM4-CFB8" */
1139, /* "SM4-CTR" */
1133, /* "SM4-ECB" */
1135, /* "SM4-OFB" */
188, /* "SMIME" */
167, /* "SMIME-CAPS" */
100, /* "SN" */
1006, /* "SNILS" */
16, /* "ST" */
143, /* "SXNetID" */
1062, /* "SipHash" */
1021, /* "TLS1-PRF" */
458, /* "UID" */
0, /* "UNDEF" */
1034, /* "X25519" */
1035, /* "X448" */
11, /* "X500" */
378, /* "X500algorithms" */
12, /* "X509" */
184, /* "X9-57" */
185, /* "X9cm" */
125, /* "ZLIB" */
478, /* "aRecord" */
289, /* "aaControls" */
287, /* "ac-auditEntity" */
397, /* "ac-proxying" */
288, /* "ac-targeting" */
368, /* "acceptableResponses" */
446, /* "account" */
363, /* "ad_timestamping" */
376, /* "algorithm" */
405, /* "ansi-X9-62" */
910, /* "anyExtendedKeyUsage" */
746, /* "anyPolicy" */
370, /* "archiveCutoff" */
484, /* "associatedDomain" */
485, /* "associatedName" */
501, /* "audio" */
177, /* "authorityInfoAccess" */
90, /* "authorityKeyIdentifier" */
882, /* "authorityRevocationList" */
87, /* "basicConstraints" */
365, /* "basicOCSPResponse" */
285, /* "biometricInfo" */
921, /* "brainpoolP160r1" */
922, /* "brainpoolP160t1" */
923, /* "brainpoolP192r1" */
924, /* "brainpoolP192t1" */
925, /* "brainpoolP224r1" */
926, /* "brainpoolP224t1" */
927, /* "brainpoolP256r1" */
928, /* "brainpoolP256t1" */
929, /* "brainpoolP320r1" */
930, /* "brainpoolP320t1" */
931, /* "brainpoolP384r1" */
932, /* "brainpoolP384t1" */
933, /* "brainpoolP512r1" */
934, /* "brainpoolP512t1" */
494, /* "buildingName" */
860, /* "businessCategory" */
691, /* "c2onb191v4" */
692, /* "c2onb191v5" */
697, /* "c2onb239v4" */
698, /* "c2onb239v5" */
684, /* "c2pnb163v1" */
685, /* "c2pnb163v2" */
686, /* "c2pnb163v3" */
687, /* "c2pnb176v1" */
693, /* "c2pnb208w1" */
699, /* "c2pnb272w1" */
700, /* "c2pnb304w1" */
702, /* "c2pnb368w1" */
688, /* "c2tnb191v1" */
689, /* "c2tnb191v2" */
690, /* "c2tnb191v3" */
694, /* "c2tnb239v1" */
695, /* "c2tnb239v2" */
696, /* "c2tnb239v3" */
701, /* "c2tnb359v1" */
703, /* "c2tnb431r1" */
1090, /* "c3" */
881, /* "cACertificate" */
483, /* "cNAMERecord" */
179, /* "caIssuers" */
785, /* "caRepository" */
1023, /* "capwapAC" */
1024, /* "capwapWTP" */
443, /* "caseIgnoreIA5StringSyntax" */
152, /* "certBag" */
677, /* "certicom-arc" */
771, /* "certificateIssuer" */
89, /* "certificatePolicies" */
883, /* "certificateRevocationList" */
54, /* "challengePassword" */
407, /* "characteristic-two-field" */
395, /* "clearance" */
130, /* "clientAuth" */
1131, /* "cmcCA" */
1132, /* "cmcRA" */
131, /* "codeSigning" */
50, /* "contentType" */
53, /* "countersignature" */
153, /* "crlBag" */
103, /* "crlDistributionPoints" */
88, /* "crlNumber" */
884, /* "crossCertificatePair" */
806, /* "cryptocom" */
805, /* "cryptopro" */
954, /* "ct_cert_scts" */
952, /* "ct_precert_poison" */
951, /* "ct_precert_scts" */
953, /* "ct_precert_signer" */
500, /* "dITRedirect" */
451, /* "dNSDomain" */
495, /* "dSAQuality" */
434, /* "data" */
390, /* "dcobject" */
140, /* "deltaCRL" */
891, /* "deltaRevocationList" */
107, /* "description" */
871, /* "destinationIndicator" */
947, /* "dh-cofactor-kdf" */
946, /* "dh-std-kdf" */
28, /* "dhKeyAgreement" */
941, /* "dhSinglePass-cofactorDH-sha1kdf-scheme" */
942, /* "dhSinglePass-cofactorDH-sha224kdf-scheme" */
943, /* "dhSinglePass-cofactorDH-sha256kdf-scheme" */
944, /* "dhSinglePass-cofactorDH-sha384kdf-scheme" */
945, /* "dhSinglePass-cofactorDH-sha512kdf-scheme" */
936, /* "dhSinglePass-stdDH-sha1kdf-scheme" */
937, /* "dhSinglePass-stdDH-sha224kdf-scheme" */
938, /* "dhSinglePass-stdDH-sha256kdf-scheme" */
939, /* "dhSinglePass-stdDH-sha384kdf-scheme" */
940, /* "dhSinglePass-stdDH-sha512kdf-scheme" */
920, /* "dhpublicnumber" */
382, /* "directory" */
887, /* "distinguishedName" */
892, /* "dmdName" */
174, /* "dnQualifier" */
1092, /* "dnsName" */
447, /* "document" */
471, /* "documentAuthor" */
468, /* "documentIdentifier" */
472, /* "documentLocation" */
502, /* "documentPublisher" */
449, /* "documentSeries" */
469, /* "documentTitle" */
470, /* "documentVersion" */
392, /* "domain" */
452, /* "domainRelatedObject" */
802, /* "dsa_with_SHA224" */
803, /* "dsa_with_SHA256" */
1152, /* "dstu28147" */
1154, /* "dstu28147-cfb" */
1153, /* "dstu28147-ofb" */
1155, /* "dstu28147-wrap" */
1157, /* "dstu34311" */
1159, /* "dstu4145be" */
1158, /* "dstu4145le" */
791, /* "ecdsa-with-Recommended" */
416, /* "ecdsa-with-SHA1" */
793, /* "ecdsa-with-SHA224" */
794, /* "ecdsa-with-SHA256" */
795, /* "ecdsa-with-SHA384" */
796, /* "ecdsa-with-SHA512" */
792, /* "ecdsa-with-Specified" */
48, /* "emailAddress" */
132, /* "emailProtection" */
885, /* "enhancedSearchGuide" */
389, /* "enterprises" */
384, /* "experimental" */
172, /* "extReq" */
56, /* "extendedCertificateAttributes" */
126, /* "extendedKeyUsage" */
372, /* "extendedStatus" */
867, /* "facsimileTelephoneNumber" */
462, /* "favouriteDrink" */
1126, /* "ffdhe2048" */
1127, /* "ffdhe3072" */
1128, /* "ffdhe4096" */
1129, /* "ffdhe6144" */
1130, /* "ffdhe8192" */
857, /* "freshestCRL" */
453, /* "friendlyCountry" */
490, /* "friendlyCountryName" */
156, /* "friendlyName" */
509, /* "generationQualifier" */
815, /* "gost-mac" */
976, /* "gost-mac-12" */
811, /* "gost2001" */
851, /* "gost2001cc" */
979, /* "gost2012_256" */
980, /* "gost2012_512" */
813, /* "gost89" */
1009, /* "gost89-cbc" */
814, /* "gost89-cnt" */
975, /* "gost89-cnt-12" */
1011, /* "gost89-ctr" */
1010, /* "gost89-ecb" */
812, /* "gost94" */
850, /* "gost94cc" */
1015, /* "grasshopper-cbc" */
1016, /* "grasshopper-cfb" */
1013, /* "grasshopper-ctr" */
1012, /* "grasshopper-ecb" */
1017, /* "grasshopper-mac" */
1014, /* "grasshopper-ofb" */
1156, /* "hmacWithDstu34311" */
797, /* "hmacWithMD5" */
163, /* "hmacWithSHA1" */
798, /* "hmacWithSHA224" */
799, /* "hmacWithSHA256" */
800, /* "hmacWithSHA384" */
801, /* "hmacWithSHA512" */
1193, /* "hmacWithSHA512-224" */
1194, /* "hmacWithSHA512-256" */
432, /* "holdInstructionCallIssuer" */
430, /* "holdInstructionCode" */
431, /* "holdInstructionNone" */
433, /* "holdInstructionReject" */
486, /* "homePostalAddress" */
473, /* "homeTelephoneNumber" */
466, /* "host" */
889, /* "houseIdentifier" */
442, /* "iA5StringSyntax" */
783, /* "id-DHBasedMac" */
824, /* "id-Gost28147-89-CryptoPro-A-ParamSet" */
825, /* "id-Gost28147-89-CryptoPro-B-ParamSet" */
826, /* "id-Gost28147-89-CryptoPro-C-ParamSet" */
827, /* "id-Gost28147-89-CryptoPro-D-ParamSet" */
819, /* "id-Gost28147-89-CryptoPro-KeyMeshing" */
829, /* "id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet" */
828, /* "id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet" */
830, /* "id-Gost28147-89-CryptoPro-RIC-1-ParamSet" */
820, /* "id-Gost28147-89-None-KeyMeshing" */
823, /* "id-Gost28147-89-TestParamSet" */
849, /* "id-Gost28147-89-cc" */
840, /* "id-GostR3410-2001-CryptoPro-A-ParamSet" */
841, /* "id-GostR3410-2001-CryptoPro-B-ParamSet" */
842, /* "id-GostR3410-2001-CryptoPro-C-ParamSet" */
843, /* "id-GostR3410-2001-CryptoPro-XchA-ParamSet" */
844, /* "id-GostR3410-2001-CryptoPro-XchB-ParamSet" */
854, /* "id-GostR3410-2001-ParamSet-cc" */
839, /* "id-GostR3410-2001-TestParamSet" */
817, /* "id-GostR3410-2001DH" */
832, /* "id-GostR3410-94-CryptoPro-A-ParamSet" */
833, /* "id-GostR3410-94-CryptoPro-B-ParamSet" */
834, /* "id-GostR3410-94-CryptoPro-C-ParamSet" */
835, /* "id-GostR3410-94-CryptoPro-D-ParamSet" */
836, /* "id-GostR3410-94-CryptoPro-XchA-ParamSet" */
837, /* "id-GostR3410-94-CryptoPro-XchB-ParamSet" */
838, /* "id-GostR3410-94-CryptoPro-XchC-ParamSet" */
831, /* "id-GostR3410-94-TestParamSet" */
845, /* "id-GostR3410-94-a" */
846, /* "id-GostR3410-94-aBis" */
847, /* "id-GostR3410-94-b" */
848, /* "id-GostR3410-94-bBis" */
818, /* "id-GostR3410-94DH" */
822, /* "id-GostR3411-94-CryptoProParamSet" */
821, /* "id-GostR3411-94-TestParamSet" */
807, /* "id-GostR3411-94-with-GostR3410-2001" */
853, /* "id-GostR3411-94-with-GostR3410-2001-cc" */
808, /* "id-GostR3411-94-with-GostR3410-94" */
852, /* "id-GostR3411-94-with-GostR3410-94-cc" */
810, /* "id-HMACGostR3411-94" */
782, /* "id-PasswordBasedMAC" */
266, /* "id-aca" */
355, /* "id-aca-accessIdentity" */
354, /* "id-aca-authenticationInfo" */
356, /* "id-aca-chargingIdentity" */
399, /* "id-aca-encAttrs" */
357, /* "id-aca-group" */
358, /* "id-aca-role" */
176, /* "id-ad" */
896, /* "id-aes128-CCM" */
895, /* "id-aes128-GCM" */
788, /* "id-aes128-wrap" */
897, /* "id-aes128-wrap-pad" */
899, /* "id-aes192-CCM" */
898, /* "id-aes192-GCM" */
789, /* "id-aes192-wrap" */
900, /* "id-aes192-wrap-pad" */
902, /* "id-aes256-CCM" */
901, /* "id-aes256-GCM" */
790, /* "id-aes256-wrap" */
903, /* "id-aes256-wrap-pad" */
262, /* "id-alg" */
893, /* "id-alg-PWRI-KEK" */
323, /* "id-alg-des40" */
326, /* "id-alg-dh-pop" */
325, /* "id-alg-dh-sig-hmac-sha1" */
324, /* "id-alg-noSignature" */
907, /* "id-camellia128-wrap" */
908, /* "id-camellia192-wrap" */
909, /* "id-camellia256-wrap" */
268, /* "id-cct" */
361, /* "id-cct-PKIData" */
362, /* "id-cct-PKIResponse" */
360, /* "id-cct-crs" */
81, /* "id-ce" */
680, /* "id-characteristic-two-basis" */
263, /* "id-cmc" */
334, /* "id-cmc-addExtensions" */
346, /* "id-cmc-confirmCertAcceptance" */
330, /* "id-cmc-dataReturn" */
336, /* "id-cmc-decryptedPOP" */
335, /* "id-cmc-encryptedPOP" */
339, /* "id-cmc-getCRL" */
338, /* "id-cmc-getCert" */
328, /* "id-cmc-identification" */
329, /* "id-cmc-identityProof" */
337, /* "id-cmc-lraPOPWitness" */
344, /* "id-cmc-popLinkRandom" */
345, /* "id-cmc-popLinkWitness" */
343, /* "id-cmc-queryPending" */
333, /* "id-cmc-recipientNonce" */
341, /* "id-cmc-regInfo" */
342, /* "id-cmc-responseInfo" */
340, /* "id-cmc-revokeRequest" */
332, /* "id-cmc-senderNonce" */
327, /* "id-cmc-statusInfo" */
331, /* "id-cmc-transactionId" */
787, /* "id-ct-asciiTextWithCRLF" */
1060, /* "id-ct-xml" */
1108, /* "id-dsa-with-sha3-224" */
1109, /* "id-dsa-with-sha3-256" */
1110, /* "id-dsa-with-sha3-384" */
1111, /* "id-dsa-with-sha3-512" */
1106, /* "id-dsa-with-sha384" */
1107, /* "id-dsa-with-sha512" */
408, /* "id-ecPublicKey" */
1112, /* "id-ecdsa-with-sha3-224" */
1113, /* "id-ecdsa-with-sha3-256" */
1114, /* "id-ecdsa-with-sha3-384" */
1115, /* "id-ecdsa-with-sha3-512" */
508, /* "id-hex-multipart-message" */
507, /* "id-hex-partial-message" */
1102, /* "id-hmacWithSHA3-224" */
1103, /* "id-hmacWithSHA3-256" */
1104, /* "id-hmacWithSHA3-384" */
1105, /* "id-hmacWithSHA3-512" */
260, /* "id-it" */
302, /* "id-it-caKeyUpdateInfo" */
298, /* "id-it-caProtEncCert" */
311, /* "id-it-confirmWaitTime" */
303, /* "id-it-currentCRL" */
300, /* "id-it-encKeyPairTypes" */
310, /* "id-it-implicitConfirm" */
308, /* "id-it-keyPairParamRep" */
307, /* "id-it-keyPairParamReq" */
312, /* "id-it-origPKIMessage" */
301, /* "id-it-preferredSymmAlg" */
309, /* "id-it-revPassphrase" */
299, /* "id-it-signKeyPairTypes" */
305, /* "id-it-subscriptionRequest" */
306, /* "id-it-subscriptionResponse" */
784, /* "id-it-suppLangTags" */
304, /* "id-it-unsupportedOIDs" */
128, /* "id-kp" */
280, /* "id-mod-attribute-cert" */
274, /* "id-mod-cmc" */
277, /* "id-mod-cmp" */
284, /* "id-mod-cmp2000" */
273, /* "id-mod-crmf" */
283, /* "id-mod-dvcs" */
275, /* "id-mod-kea-profile-88" */
276, /* "id-mod-kea-profile-93" */
282, /* "id-mod-ocsp" */
278, /* "id-mod-qualified-cert-88" */
279, /* "id-mod-qualified-cert-93" */
281, /* "id-mod-timestamp-protocol" */
264, /* "id-on" */
858, /* "id-on-permanentIdentifier" */
347, /* "id-on-personalData" */
265, /* "id-pda" */
352, /* "id-pda-countryOfCitizenship" */
353, /* "id-pda-countryOfResidence" */
348, /* "id-pda-dateOfBirth" */
351, /* "id-pda-gender" */
349, /* "id-pda-placeOfBirth" */
175, /* "id-pe" */
1031, /* "id-pkinit" */
261, /* "id-pkip" */
258, /* "id-pkix-mod" */
269, /* "id-pkix1-explicit-88" */
271, /* "id-pkix1-explicit-93" */
270, /* "id-pkix1-implicit-88" */
272, /* "id-pkix1-implicit-93" */
662, /* "id-ppl" */
664, /* "id-ppl-anyLanguage" */
667, /* "id-ppl-independent" */
665, /* "id-ppl-inheritAll" */
267, /* "id-qcs" */
359, /* "id-qcs-pkixQCSyntax-v1" */
259, /* "id-qt" */
164, /* "id-qt-cps" */
165, /* "id-qt-unotice" */
313, /* "id-regCtrl" */
316, /* "id-regCtrl-authenticator" */
319, /* "id-regCtrl-oldCertID" */
318, /* "id-regCtrl-pkiArchiveOptions" */
317, /* "id-regCtrl-pkiPublicationInfo" */
320, /* "id-regCtrl-protocolEncrKey" */
315, /* "id-regCtrl-regToken" */
314, /* "id-regInfo" */
322, /* "id-regInfo-certReq" */
321, /* "id-regInfo-utf8Pairs" */
1116, /* "id-rsassa-pkcs1-v1_5-with-sha3-224" */
1117, /* "id-rsassa-pkcs1-v1_5-with-sha3-256" */
1118, /* "id-rsassa-pkcs1-v1_5-with-sha3-384" */
1119, /* "id-rsassa-pkcs1-v1_5-with-sha3-512" */
973, /* "id-scrypt" */
512, /* "id-set" */
191, /* "id-smime-aa" */
215, /* "id-smime-aa-contentHint" */
218, /* "id-smime-aa-contentIdentifier" */
221, /* "id-smime-aa-contentReference" */
240, /* "id-smime-aa-dvcs-dvc" */
217, /* "id-smime-aa-encapContentType" */
222, /* "id-smime-aa-encrypKeyPref" */
220, /* "id-smime-aa-equivalentLabels" */
232, /* "id-smime-aa-ets-CertificateRefs" */
233, /* "id-smime-aa-ets-RevocationRefs" */
238, /* "id-smime-aa-ets-archiveTimeStamp" */
237, /* "id-smime-aa-ets-certCRLTimestamp" */
234, /* "id-smime-aa-ets-certValues" */
227, /* "id-smime-aa-ets-commitmentType" */
231, /* "id-smime-aa-ets-contentTimestamp" */
236, /* "id-smime-aa-ets-escTimeStamp" */
230, /* "id-smime-aa-ets-otherSigCert" */
235, /* "id-smime-aa-ets-revocationValues" */
226, /* "id-smime-aa-ets-sigPolicyId" */
229, /* "id-smime-aa-ets-signerAttr" */
228, /* "id-smime-aa-ets-signerLocation" */
219, /* "id-smime-aa-macValue" */
214, /* "id-smime-aa-mlExpandHistory" */
216, /* "id-smime-aa-msgSigDigest" */
212, /* "id-smime-aa-receiptRequest" */
213, /* "id-smime-aa-securityLabel" */
239, /* "id-smime-aa-signatureType" */
223, /* "id-smime-aa-signingCertificate" */
1086, /* "id-smime-aa-signingCertificateV2" */
224, /* "id-smime-aa-smimeEncryptCerts" */
225, /* "id-smime-aa-timeStampToken" */
192, /* "id-smime-alg" */
243, /* "id-smime-alg-3DESwrap" */
246, /* "id-smime-alg-CMS3DESwrap" */
247, /* "id-smime-alg-CMSRC2wrap" */
245, /* "id-smime-alg-ESDH" */
241, /* "id-smime-alg-ESDHwith3DES" */
242, /* "id-smime-alg-ESDHwithRC2" */
244, /* "id-smime-alg-RC2wrap" */
193, /* "id-smime-cd" */
248, /* "id-smime-cd-ldap" */
190, /* "id-smime-ct" */
210, /* "id-smime-ct-DVCSRequestData" */
211, /* "id-smime-ct-DVCSResponseData" */
208, /* "id-smime-ct-TDTInfo" */
207, /* "id-smime-ct-TSTInfo" */
205, /* "id-smime-ct-authData" */
1059, /* "id-smime-ct-authEnvelopedData" */
786, /* "id-smime-ct-compressedData" */
1058, /* "id-smime-ct-contentCollection" */
209, /* "id-smime-ct-contentInfo" */
206, /* "id-smime-ct-publishCert" */
204, /* "id-smime-ct-receipt" */
195, /* "id-smime-cti" */
255, /* "id-smime-cti-ets-proofOfApproval" */
256, /* "id-smime-cti-ets-proofOfCreation" */
253, /* "id-smime-cti-ets-proofOfDelivery" */
251, /* "id-smime-cti-ets-proofOfOrigin" */
252, /* "id-smime-cti-ets-proofOfReceipt" */
254, /* "id-smime-cti-ets-proofOfSender" */
189, /* "id-smime-mod" */
196, /* "id-smime-mod-cms" */
197, /* "id-smime-mod-ess" */
202, /* "id-smime-mod-ets-eSigPolicy-88" */
203, /* "id-smime-mod-ets-eSigPolicy-97" */
200, /* "id-smime-mod-ets-eSignature-88" */
201, /* "id-smime-mod-ets-eSignature-97" */
199, /* "id-smime-mod-msg-v3" */
198, /* "id-smime-mod-oid" */
194, /* "id-smime-spq" */
250, /* "id-smime-spq-ets-sqt-unotice" */
249, /* "id-smime-spq-ets-sqt-uri" */
974, /* "id-tc26" */
991, /* "id-tc26-agreement" */
992, /* "id-tc26-agreement-gost-3410-2012-256" */
993, /* "id-tc26-agreement-gost-3410-2012-512" */
977, /* "id-tc26-algorithms" */
990, /* "id-tc26-cipher" */
1001, /* "id-tc26-cipher-constants" */
1176, /* "id-tc26-cipher-gostr3412-2015-kuznyechik" */
1177, /* "id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm" */
1178, /* "id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm-omac" */
1173, /* "id-tc26-cipher-gostr3412-2015-magma" */
1174, /* "id-tc26-cipher-gostr3412-2015-magma-ctracpkm" */
1175, /* "id-tc26-cipher-gostr3412-2015-magma-ctracpkm-omac" */
994, /* "id-tc26-constants" */
981, /* "id-tc26-digest" */
1000, /* "id-tc26-digest-constants" */
1002, /* "id-tc26-gost-28147-constants" */
1003, /* "id-tc26-gost-28147-param-Z" */
1147, /* "id-tc26-gost-3410-2012-256-constants" */
1148, /* "id-tc26-gost-3410-2012-256-paramSetA" */
1184, /* "id-tc26-gost-3410-2012-256-paramSetB" */
1185, /* "id-tc26-gost-3410-2012-256-paramSetC" */
1186, /* "id-tc26-gost-3410-2012-256-paramSetD" */
996, /* "id-tc26-gost-3410-2012-512-constants" */
998, /* "id-tc26-gost-3410-2012-512-paramSetA" */
999, /* "id-tc26-gost-3410-2012-512-paramSetB" */
1149, /* "id-tc26-gost-3410-2012-512-paramSetC" */
997, /* "id-tc26-gost-3410-2012-512-paramSetTest" */
988, /* "id-tc26-hmac-gost-3411-2012-256" */
989, /* "id-tc26-hmac-gost-3411-2012-512" */
987, /* "id-tc26-mac" */
978, /* "id-tc26-sign" */
995, /* "id-tc26-sign-constants" */
984, /* "id-tc26-signwithdigest" */
985, /* "id-tc26-signwithdigest-gost3410-2012-256" */
986, /* "id-tc26-signwithdigest-gost3410-2012-512" */
1179, /* "id-tc26-wrap" */
1182, /* "id-tc26-wrap-gostr3412-2015-kuznyechik" */
1183, /* "id-tc26-wrap-gostr3412-2015-kuznyechik-kexp15" */
1180, /* "id-tc26-wrap-gostr3412-2015-magma" */
1181, /* "id-tc26-wrap-gostr3412-2015-magma-kexp15" */
676, /* "identified-organization" */
1170, /* "ieee" */
1171, /* "ieee-siswg" */
461, /* "info" */
748, /* "inhibitAnyPolicy" */
101, /* "initials" */
647, /* "international-organizations" */
869, /* "internationaliSDNNumber" */
142, /* "invalidityDate" */
294, /* "ipsecEndSystem" */
1022, /* "ipsecIKE" */
295, /* "ipsecTunnel" */
296, /* "ipsecUser" */
86, /* "issuerAltName" */
1008, /* "issuerSignTool" */
770, /* "issuingDistributionPoint" */
492, /* "janetMailbox" */
957, /* "jurisdictionC" */
955, /* "jurisdictionL" */
956, /* "jurisdictionST" */
150, /* "keyBag" */
83, /* "keyUsage" */
477, /* "lastModifiedBy" */
476, /* "lastModifiedTime" */
157, /* "localKeyID" */
480, /* "mXRecord" */
1190, /* "magma-cbc" */
1191, /* "magma-cfb" */
1188, /* "magma-ctr" */
1187, /* "magma-ecb" */
1192, /* "magma-mac" */
1189, /* "magma-ofb" */
460, /* "mail" */
493, /* "mailPreferenceOption" */
467, /* "manager" */
982, /* "md_gost12_256" */
983, /* "md_gost12_512" */
809, /* "md_gost94" */
875, /* "member" */
182, /* "member-body" */
51, /* "messageDigest" */
383, /* "mgmt" */
504, /* "mime-mhs" */
506, /* "mime-mhs-bodies" */
505, /* "mime-mhs-headings" */
488, /* "mobileTelephoneNumber" */
136, /* "msCTLSign" */
135, /* "msCodeCom" */
134, /* "msCodeInd" */
138, /* "msEFS" */
171, /* "msExtReq" */
137, /* "msSGC" */
648, /* "msSmartcardLogin" */
649, /* "msUPN" */
1091, /* "n3" */
481, /* "nSRecord" */
173, /* "name" */
666, /* "nameConstraints" */
369, /* "noCheck" */
403, /* "noRevAvail" */
72, /* "nsBaseUrl" */
76, /* "nsCaPolicyUrl" */
74, /* "nsCaRevocationUrl" */
58, /* "nsCertExt" */
79, /* "nsCertSequence" */
71, /* "nsCertType" */
78, /* "nsComment" */
59, /* "nsDataType" */
75, /* "nsRenewalUrl" */
73, /* "nsRevocationUrl" */
139, /* "nsSGC" */
77, /* "nsSslServerName" */
681, /* "onBasis" */
1089, /* "organizationIdentifier" */
491, /* "organizationalStatus" */
1141, /* "oscca" */
475, /* "otherMailbox" */
876, /* "owner" */
489, /* "pagerTelephoneNumber" */
374, /* "path" */
112, /* "pbeWithMD5AndCast5CBC" */
499, /* "personalSignature" */
487, /* "personalTitle" */
464, /* "photo" */
863, /* "physicalDeliveryOfficeName" */
437, /* "pilot" */
439, /* "pilotAttributeSyntax" */
438, /* "pilotAttributeType" */
479, /* "pilotAttributeType27" */
456, /* "pilotDSA" */
441, /* "pilotGroups" */
444, /* "pilotObject" */
440, /* "pilotObjectClass" */
455, /* "pilotOrganization" */
445, /* "pilotPerson" */
1032, /* "pkInitClientAuth" */
1033, /* "pkInitKDC" */
2, /* "pkcs" */
186, /* "pkcs1" */
27, /* "pkcs3" */
187, /* "pkcs5" */
20, /* "pkcs7" */
21, /* "pkcs7-data" */
25, /* "pkcs7-digestData" */
26, /* "pkcs7-encryptedData" */
23, /* "pkcs7-envelopedData" */
24, /* "pkcs7-signedAndEnvelopedData" */
22, /* "pkcs7-signedData" */
151, /* "pkcs8ShroudedKeyBag" */
47, /* "pkcs9" */
401, /* "policyConstraints" */
747, /* "policyMappings" */
862, /* "postOfficeBox" */
861, /* "postalAddress" */
661, /* "postalCode" */
683, /* "ppBasis" */
872, /* "preferredDeliveryMethod" */
873, /* "presentationAddress" */
816, /* "prf-gostr3411-94" */
406, /* "prime-field" */
409, /* "prime192v1" */
410, /* "prime192v2" */
411, /* "prime192v3" */
412, /* "prime239v1" */
413, /* "prime239v2" */
414, /* "prime239v3" */
415, /* "prime256v1" */
385, /* "private" */
84, /* "privateKeyUsagePeriod" */
886, /* "protocolInformation" */
663, /* "proxyCertInfo" */
510, /* "pseudonym" */
435, /* "pss" */
286, /* "qcStatements" */
457, /* "qualityLabelledData" */
450, /* "rFC822localPart" */
870, /* "registeredAddress" */
400, /* "role" */
877, /* "roleOccupant" */
448, /* "room" */
463, /* "roomNumber" */
6, /* "rsaEncryption" */
644, /* "rsaOAEPEncryptionSET" */
377, /* "rsaSignature" */
1, /* "rsadsi" */
482, /* "sOARecord" */
155, /* "safeContentsBag" */
291, /* "sbgp-autonomousSysNum" */
290, /* "sbgp-ipAddrBlock" */
292, /* "sbgp-routerIdentifier" */
159, /* "sdsiCertificate" */
859, /* "searchGuide" */
704, /* "secp112r1" */
705, /* "secp112r2" */
706, /* "secp128r1" */
707, /* "secp128r2" */
708, /* "secp160k1" */
709, /* "secp160r1" */
710, /* "secp160r2" */
711, /* "secp192k1" */
712, /* "secp224k1" */
713, /* "secp224r1" */
714, /* "secp256k1" */
715, /* "secp384r1" */
716, /* "secp521r1" */
154, /* "secretBag" */
474, /* "secretary" */
717, /* "sect113r1" */
718, /* "sect113r2" */
719, /* "sect131r1" */
720, /* "sect131r2" */
721, /* "sect163k1" */
722, /* "sect163r1" */
723, /* "sect163r2" */
724, /* "sect193r1" */
725, /* "sect193r2" */
726, /* "sect233k1" */
727, /* "sect233r1" */
728, /* "sect239k1" */
729, /* "sect283k1" */
730, /* "sect283r1" */
731, /* "sect409k1" */
732, /* "sect409r1" */
733, /* "sect571k1" */
734, /* "sect571r1" */
1025, /* "secureShellClient" */
1026, /* "secureShellServer" */
386, /* "security" */
878, /* "seeAlso" */
394, /* "selected-attribute-types" */
1029, /* "sendOwner" */
1030, /* "sendProxiedOwner" */
1028, /* "sendProxiedRouter" */
1027, /* "sendRouter" */
105, /* "serialNumber" */
129, /* "serverAuth" */
371, /* "serviceLocator" */
625, /* "set-addPolicy" */
515, /* "set-attr" */
518, /* "set-brand" */
638, /* "set-brand-AmericanExpress" */
637, /* "set-brand-Diners" */
636, /* "set-brand-IATA-ATA" */
639, /* "set-brand-JCB" */
641, /* "set-brand-MasterCard" */
642, /* "set-brand-Novus" */
640, /* "set-brand-Visa" */
517, /* "set-certExt" */
513, /* "set-ctype" */
514, /* "set-msgExt" */
516, /* "set-policy" */
607, /* "set-policy-root" */
624, /* "set-rootKeyThumb" */
620, /* "setAttr-Cert" */
631, /* "setAttr-GenCryptgrm" */
623, /* "setAttr-IssCap" */
628, /* "setAttr-IssCap-CVM" */
630, /* "setAttr-IssCap-Sig" */
629, /* "setAttr-IssCap-T2" */
621, /* "setAttr-PGWYcap" */
635, /* "setAttr-SecDevSig" */
632, /* "setAttr-T2Enc" */
633, /* "setAttr-T2cleartxt" */
634, /* "setAttr-TokICCsig" */
627, /* "setAttr-Token-B0Prime" */
626, /* "setAttr-Token-EMV" */
622, /* "setAttr-TokenType" */
619, /* "setCext-IssuerCapabilities" */
615, /* "setCext-PGWYcapabilities" */
616, /* "setCext-TokenIdentifier" */
618, /* "setCext-TokenType" */
617, /* "setCext-Track2Data" */
611, /* "setCext-cCertRequired" */
609, /* "setCext-certType" */
608, /* "setCext-hashedRoot" */
610, /* "setCext-merchData" */
613, /* "setCext-setExt" */
614, /* "setCext-setQualf" */
612, /* "setCext-tunneling" */
540, /* "setct-AcqCardCodeMsg" */
576, /* "setct-AcqCardCodeMsgTBE" */
570, /* "setct-AuthReqTBE" */
534, /* "setct-AuthReqTBS" */
527, /* "setct-AuthResBaggage" */
571, /* "setct-AuthResTBE" */
572, /* "setct-AuthResTBEX" */
535, /* "setct-AuthResTBS" */
536, /* "setct-AuthResTBSX" */
528, /* "setct-AuthRevReqBaggage" */
577, /* "setct-AuthRevReqTBE" */
541, /* "setct-AuthRevReqTBS" */
529, /* "setct-AuthRevResBaggage" */
542, /* "setct-AuthRevResData" */
578, /* "setct-AuthRevResTBE" */
579, /* "setct-AuthRevResTBEB" */
543, /* "setct-AuthRevResTBS" */
573, /* "setct-AuthTokenTBE" */
537, /* "setct-AuthTokenTBS" */
600, /* "setct-BCIDistributionTBS" */
558, /* "setct-BatchAdminReqData" */
592, /* "setct-BatchAdminReqTBE" */
559, /* "setct-BatchAdminResData" */
593, /* "setct-BatchAdminResTBE" */
599, /* "setct-CRLNotificationResTBS" */
598, /* "setct-CRLNotificationTBS" */
580, /* "setct-CapReqTBE" */
581, /* "setct-CapReqTBEX" */
544, /* "setct-CapReqTBS" */
545, /* "setct-CapReqTBSX" */
546, /* "setct-CapResData" */
582, /* "setct-CapResTBE" */
583, /* "setct-CapRevReqTBE" */
584, /* "setct-CapRevReqTBEX" */
547, /* "setct-CapRevReqTBS" */
548, /* "setct-CapRevReqTBSX" */
549, /* "setct-CapRevResData" */
585, /* "setct-CapRevResTBE" */
538, /* "setct-CapTokenData" */
530, /* "setct-CapTokenSeq" */
574, /* "setct-CapTokenTBE" */
575, /* "setct-CapTokenTBEX" */
539, /* "setct-CapTokenTBS" */
560, /* "setct-CardCInitResTBS" */
566, /* "setct-CertInqReqTBS" */
563, /* "setct-CertReqData" */
595, /* "setct-CertReqTBE" */
596, /* "setct-CertReqTBEX" */
564, /* "setct-CertReqTBS" */
565, /* "setct-CertResData" */
597, /* "setct-CertResTBE" */
586, /* "setct-CredReqTBE" */
587, /* "setct-CredReqTBEX" */
550, /* "setct-CredReqTBS" */
551, /* "setct-CredReqTBSX" */
552, /* "setct-CredResData" */
588, /* "setct-CredResTBE" */
589, /* "setct-CredRevReqTBE" */
590, /* "setct-CredRevReqTBEX" */
553, /* "setct-CredRevReqTBS" */
554, /* "setct-CredRevReqTBSX" */
555, /* "setct-CredRevResData" */
591, /* "setct-CredRevResTBE" */
567, /* "setct-ErrorTBS" */
526, /* "setct-HODInput" */
561, /* "setct-MeAqCInitResTBS" */
522, /* "setct-OIData" */
519, /* "setct-PANData" */
521, /* "setct-PANOnly" */
520, /* "setct-PANToken" */
556, /* "setct-PCertReqData" */
557, /* "setct-PCertResTBS" */
523, /* "setct-PI" */
532, /* "setct-PI-TBS" */
524, /* "setct-PIData" */
525, /* "setct-PIDataUnsigned" */
568, /* "setct-PIDualSignedTBE" */
569, /* "setct-PIUnsignedTBE" */
531, /* "setct-PInitResData" */
533, /* "setct-PResData" */
594, /* "setct-RegFormReqTBE" */
562, /* "setct-RegFormResTBS" */
606, /* "setext-cv" */
601, /* "setext-genCrypt" */
602, /* "setext-miAuth" */
604, /* "setext-pinAny" */
603, /* "setext-pinSecure" */
605, /* "setext-track2" */
52, /* "signingTime" */
454, /* "simpleSecurityObject" */
496, /* "singleLevelQuality" */
1142, /* "sm-scheme" */
387, /* "snmpv2" */
660, /* "street" */
85, /* "subjectAltName" */
769, /* "subjectDirectoryAttributes" */
398, /* "subjectInfoAccess" */
82, /* "subjectKeyIdentifier" */
1007, /* "subjectSignTool" */
498, /* "subtreeMaximumQuality" */
497, /* "subtreeMinimumQuality" */
890, /* "supportedAlgorithms" */
874, /* "supportedApplicationContext" */
402, /* "targetInformation" */
864, /* "telephoneNumber" */
866, /* "teletexTerminalIdentifier" */
865, /* "telexNumber" */
459, /* "textEncodedORAddress" */
293, /* "textNotice" */
133, /* "timeStamping" */
106, /* "title" */
1020, /* "tlsfeature" */
682, /* "tpBasis" */
375, /* "trustRoot" */
1151, /* "ua-pki" */
1160, /* "uacurve0" */
1161, /* "uacurve1" */
1162, /* "uacurve2" */
1163, /* "uacurve3" */
1164, /* "uacurve4" */
1165, /* "uacurve5" */
1166, /* "uacurve6" */
1167, /* "uacurve7" */
1168, /* "uacurve8" */
1169, /* "uacurve9" */
436, /* "ucl" */
102, /* "uid" */
888, /* "uniqueMember" */
55, /* "unstructuredAddress" */
49, /* "unstructuredName" */
880, /* "userCertificate" */
465, /* "userClass" */
879, /* "userPassword" */
373, /* "valid" */
678, /* "wap" */
679, /* "wap-wsg" */
735, /* "wap-wsg-idm-ecid-wtls1" */
743, /* "wap-wsg-idm-ecid-wtls10" */
744, /* "wap-wsg-idm-ecid-wtls11" */
745, /* "wap-wsg-idm-ecid-wtls12" */
736, /* "wap-wsg-idm-ecid-wtls3" */
737, /* "wap-wsg-idm-ecid-wtls4" */
738, /* "wap-wsg-idm-ecid-wtls5" */
739, /* "wap-wsg-idm-ecid-wtls6" */
740, /* "wap-wsg-idm-ecid-wtls7" */
741, /* "wap-wsg-idm-ecid-wtls8" */
742, /* "wap-wsg-idm-ecid-wtls9" */
804, /* "whirlpool" */
868, /* "x121Address" */
503, /* "x500UniqueIdentifier" */
158, /* "x509Certificate" */
160, /* "x509Crl" */
1093, /* "x509ExtAdmission" */
};
#define NUM_LN 1186
static const unsigned int ln_objs[NUM_LN] = {
363, /* "AD Time Stamping" */
405, /* "ANSI X9.62" */
368, /* "Acceptable OCSP Responses" */
910, /* "Any Extended Key Usage" */
664, /* "Any language" */
177, /* "Authority Information Access" */
365, /* "Basic OCSP Response" */
285, /* "Biometric Info" */
179, /* "CA Issuers" */
785, /* "CA Repository" */
1131, /* "CMC Certificate Authority" */
1132, /* "CMC Registration Authority" */
954, /* "CT Certificate SCTs" */
952, /* "CT Precertificate Poison" */
951, /* "CT Precertificate SCTs" */
953, /* "CT Precertificate Signer" */
131, /* "Code Signing" */
1024, /* "Ctrl/Provision WAP Termination" */
1023, /* "Ctrl/provision WAP Access" */
1159, /* "DSTU 4145-2002 big endian" */
1158, /* "DSTU 4145-2002 little endian" */
1152, /* "DSTU Gost 28147-2009" */
1154, /* "DSTU Gost 28147-2009 CFB mode" */
1153, /* "DSTU Gost 28147-2009 OFB mode" */
1155, /* "DSTU Gost 28147-2009 key wrap" */
1157, /* "DSTU Gost 34311-95" */
1160, /* "DSTU curve 0" */
1161, /* "DSTU curve 1" */
1162, /* "DSTU curve 2" */
1163, /* "DSTU curve 3" */
1164, /* "DSTU curve 4" */
1165, /* "DSTU curve 5" */
1166, /* "DSTU curve 6" */
1167, /* "DSTU curve 7" */
1168, /* "DSTU curve 8" */
1169, /* "DSTU curve 9" */
783, /* "Diffie-Hellman based MAC" */
382, /* "Directory" */
392, /* "Domain" */
132, /* "E-mail Protection" */
1087, /* "ED25519" */
1088, /* "ED448" */
389, /* "Enterprises" */
384, /* "Experimental" */
372, /* "Extended OCSP Status" */
172, /* "Extension Request" */
813, /* "GOST 28147-89" */
849, /* "GOST 28147-89 Cryptocom ParamSet" */
815, /* "GOST 28147-89 MAC" */
1003, /* "GOST 28147-89 TC26 parameter set" */
851, /* "GOST 34.10-2001 Cryptocom" */
850, /* "GOST 34.10-94 Cryptocom" */
811, /* "GOST R 34.10-2001" */
817, /* "GOST R 34.10-2001 DH" */
1148, /* "GOST R 34.10-2012 (256 bit) ParamSet A" */
1184, /* "GOST R 34.10-2012 (256 bit) ParamSet B" */
1185, /* "GOST R 34.10-2012 (256 bit) ParamSet C" */
1186, /* "GOST R 34.10-2012 (256 bit) ParamSet D" */
998, /* "GOST R 34.10-2012 (512 bit) ParamSet A" */
999, /* "GOST R 34.10-2012 (512 bit) ParamSet B" */
1149, /* "GOST R 34.10-2012 (512 bit) ParamSet C" */
997, /* "GOST R 34.10-2012 (512 bit) testing parameter set" */
979, /* "GOST R 34.10-2012 with 256 bit modulus" */
980, /* "GOST R 34.10-2012 with 512 bit modulus" */
985, /* "GOST R 34.10-2012 with GOST R 34.11-2012 (256 bit)" */
986, /* "GOST R 34.10-2012 with GOST R 34.11-2012 (512 bit)" */
812, /* "GOST R 34.10-94" */
818, /* "GOST R 34.10-94 DH" */
982, /* "GOST R 34.11-2012 with 256 bit hash" */
983, /* "GOST R 34.11-2012 with 512 bit hash" */
809, /* "GOST R 34.11-94" */
816, /* "GOST R 34.11-94 PRF" */
807, /* "GOST R 34.11-94 with GOST R 34.10-2001" */
853, /* "GOST R 34.11-94 with GOST R 34.10-2001 Cryptocom" */
808, /* "GOST R 34.11-94 with GOST R 34.10-94" */
852, /* "GOST R 34.11-94 with GOST R 34.10-94 Cryptocom" */
854, /* "GOST R 3410-2001 Parameter Set Cryptocom" */
1156, /* "HMAC DSTU Gost 34311-95" */
988, /* "HMAC GOST 34.11-2012 256 bit" */
989, /* "HMAC GOST 34.11-2012 512 bit" */
810, /* "HMAC GOST 34.11-94" */
432, /* "Hold Instruction Call Issuer" */
430, /* "Hold Instruction Code" */
431, /* "Hold Instruction None" */
433, /* "Hold Instruction Reject" */
634, /* "ICC or token signature" */
1171, /* "IEEE Security in Storage Working Group" */
1004, /* "INN" */
294, /* "IPSec End System" */
295, /* "IPSec Tunnel" */
296, /* "IPSec User" */
1140, /* "ISO CN Member Body" */
182, /* "ISO Member Body" */
183, /* "ISO US Member Body" */
1150, /* "ISO-UA" */
667, /* "Independent" */
665, /* "Inherit all" */
647, /* "International Organizations" */
142, /* "Invalidity Date" */
504, /* "MIME MHS" */
388, /* "Mail" */
383, /* "Management" */
417, /* "Microsoft CSP Name" */
135, /* "Microsoft Commercial Code Signing" */
138, /* "Microsoft Encrypted File System" */
171, /* "Microsoft Extension Request" */
134, /* "Microsoft Individual Code Signing" */
856, /* "Microsoft Local Key set" */
137, /* "Microsoft Server Gated Crypto" */
648, /* "Microsoft Smartcard Login" */
136, /* "Microsoft Trust List Signing" */
649, /* "Microsoft User Principal Name" */
393, /* "NULL" */
404, /* "NULL" */
72, /* "Netscape Base Url" */
76, /* "Netscape CA Policy Url" */
74, /* "Netscape CA Revocation Url" */
71, /* "Netscape Cert Type" */
58, /* "Netscape Certificate Extension" */
79, /* "Netscape Certificate Sequence" */
78, /* "Netscape Comment" */
57, /* "Netscape Communications Corp." */
59, /* "Netscape Data Type" */
75, /* "Netscape Renewal Url" */
73, /* "Netscape Revocation Url" */
77, /* "Netscape SSL Server Name" */
139, /* "Netscape Server Gated Crypto" */
178, /* "OCSP" */
370, /* "OCSP Archive Cutoff" */
367, /* "OCSP CRL ID" */
369, /* "OCSP No Check" */
366, /* "OCSP Nonce" */
371, /* "OCSP Service Locator" */
180, /* "OCSP Signing" */
1005, /* "OGRN" */
161, /* "PBES2" */
69, /* "PBKDF2" */
162, /* "PBMAC1" */
1032, /* "PKINIT Client Auth" */
127, /* "PKIX" */
858, /* "Permanent Identifier" */
164, /* "Policy Qualifier CPS" */
165, /* "Policy Qualifier User Notice" */
385, /* "Private" */
1093, /* "Professional Information or basis for Admission" */
663, /* "Proxy Certificate Information" */
1, /* "RSA Data Security, Inc." */
2, /* "RSA Data Security, Inc. PKCS" */
1116, /* "RSA-SHA3-224" */
1117, /* "RSA-SHA3-256" */
1118, /* "RSA-SHA3-384" */
1119, /* "RSA-SHA3-512" */
188, /* "S/MIME" */
167, /* "S/MIME Capabilities" */
1006, /* "SNILS" */
387, /* "SNMPv2" */
1025, /* "SSH Client" */
1026, /* "SSH Server" */
512, /* "Secure Electronic Transactions" */
386, /* "Security" */
394, /* "Selected Attribute Types" */
1029, /* "Send Owner" */
1030, /* "Send Proxied Owner" */
1028, /* "Send Proxied Router" */
1027, /* "Send Router" */
1033, /* "Signing KDC Response" */
1008, /* "Signing Tool of Issuer" */
1007, /* "Signing Tool of Subject" */
143, /* "Strong Extranet ID" */
398, /* "Subject Information Access" */
1020, /* "TLS Feature" */
130, /* "TLS Web Client Authentication" */
129, /* "TLS Web Server Authentication" */
133, /* "Time Stamping" */
375, /* "Trust Root" */
1034, /* "X25519" */
1035, /* "X448" */
12, /* "X509" */
402, /* "X509v3 AC Targeting" */
746, /* "X509v3 Any Policy" */
90, /* "X509v3 Authority Key Identifier" */
87, /* "X509v3 Basic Constraints" */
103, /* "X509v3 CRL Distribution Points" */
88, /* "X509v3 CRL Number" */
141, /* "X509v3 CRL Reason Code" */
771, /* "X509v3 Certificate Issuer" */
89, /* "X509v3 Certificate Policies" */
140, /* "X509v3 Delta CRL Indicator" */
126, /* "X509v3 Extended Key Usage" */
857, /* "X509v3 Freshest CRL" */
748, /* "X509v3 Inhibit Any Policy" */
86, /* "X509v3 Issuer Alternative Name" */
770, /* "X509v3 Issuing Distribution Point" */
83, /* "X509v3 Key Usage" */
666, /* "X509v3 Name Constraints" */
403, /* "X509v3 No Revocation Available" */
401, /* "X509v3 Policy Constraints" */
747, /* "X509v3 Policy Mappings" */
84, /* "X509v3 Private Key Usage Period" */
85, /* "X509v3 Subject Alternative Name" */
769, /* "X509v3 Subject Directory Attributes" */
82, /* "X509v3 Subject Key Identifier" */
920, /* "X9.42 DH" */
184, /* "X9.57" */
185, /* "X9.57 CM ?" */
478, /* "aRecord" */
289, /* "aaControls" */
287, /* "ac-auditEntity" */
397, /* "ac-proxying" */
288, /* "ac-targeting" */
446, /* "account" */
364, /* "ad dvcs" */
606, /* "additional verification" */
419, /* "aes-128-cbc" */
916, /* "aes-128-cbc-hmac-sha1" */
948, /* "aes-128-cbc-hmac-sha256" */
896, /* "aes-128-ccm" */
421, /* "aes-128-cfb" */
650, /* "aes-128-cfb1" */
653, /* "aes-128-cfb8" */
904, /* "aes-128-ctr" */
418, /* "aes-128-ecb" */
895, /* "aes-128-gcm" */
958, /* "aes-128-ocb" */
420, /* "aes-128-ofb" */
913, /* "aes-128-xts" */
423, /* "aes-192-cbc" */
917, /* "aes-192-cbc-hmac-sha1" */
949, /* "aes-192-cbc-hmac-sha256" */
899, /* "aes-192-ccm" */
425, /* "aes-192-cfb" */
651, /* "aes-192-cfb1" */
654, /* "aes-192-cfb8" */
905, /* "aes-192-ctr" */
422, /* "aes-192-ecb" */
898, /* "aes-192-gcm" */
959, /* "aes-192-ocb" */
424, /* "aes-192-ofb" */
427, /* "aes-256-cbc" */
918, /* "aes-256-cbc-hmac-sha1" */
950, /* "aes-256-cbc-hmac-sha256" */
902, /* "aes-256-ccm" */
429, /* "aes-256-cfb" */
652, /* "aes-256-cfb1" */
655, /* "aes-256-cfb8" */
906, /* "aes-256-ctr" */
426, /* "aes-256-ecb" */
901, /* "aes-256-gcm" */
960, /* "aes-256-ocb" */
428, /* "aes-256-ofb" */
914, /* "aes-256-xts" */
376, /* "algorithm" */
1066, /* "aria-128-cbc" */
1120, /* "aria-128-ccm" */
1067, /* "aria-128-cfb" */
1080, /* "aria-128-cfb1" */
1083, /* "aria-128-cfb8" */
1069, /* "aria-128-ctr" */
1065, /* "aria-128-ecb" */
1123, /* "aria-128-gcm" */
1068, /* "aria-128-ofb" */
1071, /* "aria-192-cbc" */
1121, /* "aria-192-ccm" */
1072, /* "aria-192-cfb" */
1081, /* "aria-192-cfb1" */
1084, /* "aria-192-cfb8" */
1074, /* "aria-192-ctr" */
1070, /* "aria-192-ecb" */
1124, /* "aria-192-gcm" */
1073, /* "aria-192-ofb" */
1076, /* "aria-256-cbc" */
1122, /* "aria-256-ccm" */
1077, /* "aria-256-cfb" */
1082, /* "aria-256-cfb1" */
1085, /* "aria-256-cfb8" */
1079, /* "aria-256-ctr" */
1075, /* "aria-256-ecb" */
1125, /* "aria-256-gcm" */
1078, /* "aria-256-ofb" */
484, /* "associatedDomain" */
485, /* "associatedName" */
501, /* "audio" */
1064, /* "auth-any" */
1049, /* "auth-dss" */
1047, /* "auth-ecdsa" */
1050, /* "auth-gost01" */
1051, /* "auth-gost12" */
1053, /* "auth-null" */
1048, /* "auth-psk" */
1046, /* "auth-rsa" */
1052, /* "auth-srp" */
882, /* "authorityRevocationList" */
91, /* "bf-cbc" */
93, /* "bf-cfb" */
92, /* "bf-ecb" */
94, /* "bf-ofb" */
1056, /* "blake2b512" */
1057, /* "blake2s256" */
921, /* "brainpoolP160r1" */
922, /* "brainpoolP160t1" */
923, /* "brainpoolP192r1" */
924, /* "brainpoolP192t1" */
925, /* "brainpoolP224r1" */
926, /* "brainpoolP224t1" */
927, /* "brainpoolP256r1" */
928, /* "brainpoolP256t1" */
929, /* "brainpoolP320r1" */
930, /* "brainpoolP320t1" */
931, /* "brainpoolP384r1" */
932, /* "brainpoolP384t1" */
933, /* "brainpoolP512r1" */
934, /* "brainpoolP512t1" */
494, /* "buildingName" */
860, /* "businessCategory" */
691, /* "c2onb191v4" */
692, /* "c2onb191v5" */
697, /* "c2onb239v4" */
698, /* "c2onb239v5" */
684, /* "c2pnb163v1" */
685, /* "c2pnb163v2" */
686, /* "c2pnb163v3" */
687, /* "c2pnb176v1" */
693, /* "c2pnb208w1" */
699, /* "c2pnb272w1" */
700, /* "c2pnb304w1" */
702, /* "c2pnb368w1" */
688, /* "c2tnb191v1" */
689, /* "c2tnb191v2" */
690, /* "c2tnb191v3" */
694, /* "c2tnb239v1" */
695, /* "c2tnb239v2" */
696, /* "c2tnb239v3" */
701, /* "c2tnb359v1" */
703, /* "c2tnb431r1" */
881, /* "cACertificate" */
483, /* "cNAMERecord" */
751, /* "camellia-128-cbc" */
962, /* "camellia-128-ccm" */
757, /* "camellia-128-cfb" */
760, /* "camellia-128-cfb1" */
763, /* "camellia-128-cfb8" */
964, /* "camellia-128-cmac" */
963, /* "camellia-128-ctr" */
754, /* "camellia-128-ecb" */
961, /* "camellia-128-gcm" */
766, /* "camellia-128-ofb" */
752, /* "camellia-192-cbc" */
966, /* "camellia-192-ccm" */
758, /* "camellia-192-cfb" */
761, /* "camellia-192-cfb1" */
764, /* "camellia-192-cfb8" */
968, /* "camellia-192-cmac" */
967, /* "camellia-192-ctr" */
755, /* "camellia-192-ecb" */
965, /* "camellia-192-gcm" */
767, /* "camellia-192-ofb" */
753, /* "camellia-256-cbc" */
970, /* "camellia-256-ccm" */
759, /* "camellia-256-cfb" */
762, /* "camellia-256-cfb1" */
765, /* "camellia-256-cfb8" */
972, /* "camellia-256-cmac" */
971, /* "camellia-256-ctr" */
756, /* "camellia-256-ecb" */
969, /* "camellia-256-gcm" */
768, /* "camellia-256-ofb" */
443, /* "caseIgnoreIA5StringSyntax" */
108, /* "cast5-cbc" */
110, /* "cast5-cfb" */
109, /* "cast5-ecb" */
111, /* "cast5-ofb" */
152, /* "certBag" */
677, /* "certicom-arc" */
517, /* "certificate extensions" */
883, /* "certificateRevocationList" */
1019, /* "chacha20" */
1018, /* "chacha20-poly1305" */
54, /* "challengePassword" */
407, /* "characteristic-two-field" */
395, /* "clearance" */
633, /* "cleartext track 2" */
894, /* "cmac" */
13, /* "commonName" */
513, /* "content types" */
50, /* "contentType" */
53, /* "countersignature" */
1090, /* "countryCode3c" */
1091, /* "countryCode3n" */
14, /* "countryName" */
153, /* "crlBag" */
884, /* "crossCertificatePair" */
806, /* "cryptocom" */
805, /* "cryptopro" */
500, /* "dITRedirect" */
451, /* "dNSDomain" */
495, /* "dSAQuality" */
434, /* "data" */
390, /* "dcObject" */
891, /* "deltaRevocationList" */
31, /* "des-cbc" */
643, /* "des-cdmf" */
30, /* "des-cfb" */
656, /* "des-cfb1" */
657, /* "des-cfb8" */
29, /* "des-ecb" */
32, /* "des-ede" */
43, /* "des-ede-cbc" */
60, /* "des-ede-cfb" */
62, /* "des-ede-ofb" */
33, /* "des-ede3" */
44, /* "des-ede3-cbc" */
61, /* "des-ede3-cfb" */
658, /* "des-ede3-cfb1" */
659, /* "des-ede3-cfb8" */
63, /* "des-ede3-ofb" */
45, /* "des-ofb" */
107, /* "description" */
871, /* "destinationIndicator" */
80, /* "desx-cbc" */
947, /* "dh-cofactor-kdf" */
946, /* "dh-std-kdf" */
28, /* "dhKeyAgreement" */
941, /* "dhSinglePass-cofactorDH-sha1kdf-scheme" */
942, /* "dhSinglePass-cofactorDH-sha224kdf-scheme" */
943, /* "dhSinglePass-cofactorDH-sha256kdf-scheme" */
944, /* "dhSinglePass-cofactorDH-sha384kdf-scheme" */
945, /* "dhSinglePass-cofactorDH-sha512kdf-scheme" */
936, /* "dhSinglePass-stdDH-sha1kdf-scheme" */
937, /* "dhSinglePass-stdDH-sha224kdf-scheme" */
938, /* "dhSinglePass-stdDH-sha256kdf-scheme" */
939, /* "dhSinglePass-stdDH-sha384kdf-scheme" */
940, /* "dhSinglePass-stdDH-sha512kdf-scheme" */
11, /* "directory services (X.500)" */
378, /* "directory services - algorithms" */
887, /* "distinguishedName" */
892, /* "dmdName" */
174, /* "dnQualifier" */
1092, /* "dnsName" */
447, /* "document" */
471, /* "documentAuthor" */
468, /* "documentIdentifier" */
472, /* "documentLocation" */
502, /* "documentPublisher" */
449, /* "documentSeries" */
469, /* "documentTitle" */
470, /* "documentVersion" */
380, /* "dod" */
391, /* "domainComponent" */
452, /* "domainRelatedObject" */
116, /* "dsaEncryption" */
67, /* "dsaEncryption-old" */
66, /* "dsaWithSHA" */
113, /* "dsaWithSHA1" */
70, /* "dsaWithSHA1-old" */
802, /* "dsa_with_SHA224" */
803, /* "dsa_with_SHA256" */
1108, /* "dsa_with_SHA3-224" */
1109, /* "dsa_with_SHA3-256" */
1110, /* "dsa_with_SHA3-384" */
1111, /* "dsa_with_SHA3-512" */
1106, /* "dsa_with_SHA384" */
1107, /* "dsa_with_SHA512" */
297, /* "dvcs" */
791, /* "ecdsa-with-Recommended" */
416, /* "ecdsa-with-SHA1" */
793, /* "ecdsa-with-SHA224" */
794, /* "ecdsa-with-SHA256" */
795, /* "ecdsa-with-SHA384" */
796, /* "ecdsa-with-SHA512" */
792, /* "ecdsa-with-Specified" */
1112, /* "ecdsa_with_SHA3-224" */
1113, /* "ecdsa_with_SHA3-256" */
1114, /* "ecdsa_with_SHA3-384" */
1115, /* "ecdsa_with_SHA3-512" */
48, /* "emailAddress" */
632, /* "encrypted track 2" */
885, /* "enhancedSearchGuide" */
56, /* "extendedCertificateAttributes" */
867, /* "facsimileTelephoneNumber" */
462, /* "favouriteDrink" */
1126, /* "ffdhe2048" */
1127, /* "ffdhe3072" */
1128, /* "ffdhe4096" */
1129, /* "ffdhe6144" */
1130, /* "ffdhe8192" */
453, /* "friendlyCountry" */
490, /* "friendlyCountryName" */
156, /* "friendlyName" */
631, /* "generate cryptogram" */
509, /* "generationQualifier" */
601, /* "generic cryptogram" */
99, /* "givenName" */
976, /* "gost-mac-12" */
1009, /* "gost89-cbc" */
814, /* "gost89-cnt" */
975, /* "gost89-cnt-12" */
1011, /* "gost89-ctr" */
1010, /* "gost89-ecb" */
1015, /* "grasshopper-cbc" */
1016, /* "grasshopper-cfb" */
1013, /* "grasshopper-ctr" */
1012, /* "grasshopper-ecb" */
1017, /* "grasshopper-mac" */
1014, /* "grasshopper-ofb" */
1036, /* "hkdf" */
855, /* "hmac" */
780, /* "hmac-md5" */
781, /* "hmac-sha1" */
1102, /* "hmac-sha3-224" */
1103, /* "hmac-sha3-256" */
1104, /* "hmac-sha3-384" */
1105, /* "hmac-sha3-512" */
797, /* "hmacWithMD5" */
163, /* "hmacWithSHA1" */
798, /* "hmacWithSHA224" */
799, /* "hmacWithSHA256" */
800, /* "hmacWithSHA384" */
801, /* "hmacWithSHA512" */
1193, /* "hmacWithSHA512-224" */
1194, /* "hmacWithSHA512-256" */
486, /* "homePostalAddress" */
473, /* "homeTelephoneNumber" */
466, /* "host" */
889, /* "houseIdentifier" */
442, /* "iA5StringSyntax" */
381, /* "iana" */
824, /* "id-Gost28147-89-CryptoPro-A-ParamSet" */
825, /* "id-Gost28147-89-CryptoPro-B-ParamSet" */
826, /* "id-Gost28147-89-CryptoPro-C-ParamSet" */
827, /* "id-Gost28147-89-CryptoPro-D-ParamSet" */
819, /* "id-Gost28147-89-CryptoPro-KeyMeshing" */
829, /* "id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet" */
828, /* "id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet" */
830, /* "id-Gost28147-89-CryptoPro-RIC-1-ParamSet" */
820, /* "id-Gost28147-89-None-KeyMeshing" */
823, /* "id-Gost28147-89-TestParamSet" */
840, /* "id-GostR3410-2001-CryptoPro-A-ParamSet" */
841, /* "id-GostR3410-2001-CryptoPro-B-ParamSet" */
842, /* "id-GostR3410-2001-CryptoPro-C-ParamSet" */
843, /* "id-GostR3410-2001-CryptoPro-XchA-ParamSet" */
844, /* "id-GostR3410-2001-CryptoPro-XchB-ParamSet" */
839, /* "id-GostR3410-2001-TestParamSet" */
832, /* "id-GostR3410-94-CryptoPro-A-ParamSet" */
833, /* "id-GostR3410-94-CryptoPro-B-ParamSet" */
834, /* "id-GostR3410-94-CryptoPro-C-ParamSet" */
835, /* "id-GostR3410-94-CryptoPro-D-ParamSet" */
836, /* "id-GostR3410-94-CryptoPro-XchA-ParamSet" */
837, /* "id-GostR3410-94-CryptoPro-XchB-ParamSet" */
838, /* "id-GostR3410-94-CryptoPro-XchC-ParamSet" */
831, /* "id-GostR3410-94-TestParamSet" */
845, /* "id-GostR3410-94-a" */
846, /* "id-GostR3410-94-aBis" */
847, /* "id-GostR3410-94-b" */
848, /* "id-GostR3410-94-bBis" */
822, /* "id-GostR3411-94-CryptoProParamSet" */
821, /* "id-GostR3411-94-TestParamSet" */
266, /* "id-aca" */
355, /* "id-aca-accessIdentity" */
354, /* "id-aca-authenticationInfo" */
356, /* "id-aca-chargingIdentity" */
399, /* "id-aca-encAttrs" */
357, /* "id-aca-group" */
358, /* "id-aca-role" */
176, /* "id-ad" */
788, /* "id-aes128-wrap" */
897, /* "id-aes128-wrap-pad" */
789, /* "id-aes192-wrap" */
900, /* "id-aes192-wrap-pad" */
790, /* "id-aes256-wrap" */
903, /* "id-aes256-wrap-pad" */
262, /* "id-alg" */
893, /* "id-alg-PWRI-KEK" */
323, /* "id-alg-des40" */
326, /* "id-alg-dh-pop" */
325, /* "id-alg-dh-sig-hmac-sha1" */
324, /* "id-alg-noSignature" */
907, /* "id-camellia128-wrap" */
908, /* "id-camellia192-wrap" */
909, /* "id-camellia256-wrap" */
268, /* "id-cct" */
361, /* "id-cct-PKIData" */
362, /* "id-cct-PKIResponse" */
360, /* "id-cct-crs" */
81, /* "id-ce" */
680, /* "id-characteristic-two-basis" */
263, /* "id-cmc" */
334, /* "id-cmc-addExtensions" */
346, /* "id-cmc-confirmCertAcceptance" */
330, /* "id-cmc-dataReturn" */
336, /* "id-cmc-decryptedPOP" */
335, /* "id-cmc-encryptedPOP" */
339, /* "id-cmc-getCRL" */
338, /* "id-cmc-getCert" */
328, /* "id-cmc-identification" */
329, /* "id-cmc-identityProof" */
337, /* "id-cmc-lraPOPWitness" */
344, /* "id-cmc-popLinkRandom" */
345, /* "id-cmc-popLinkWitness" */
343, /* "id-cmc-queryPending" */
333, /* "id-cmc-recipientNonce" */
341, /* "id-cmc-regInfo" */
342, /* "id-cmc-responseInfo" */
340, /* "id-cmc-revokeRequest" */
332, /* "id-cmc-senderNonce" */
327, /* "id-cmc-statusInfo" */
331, /* "id-cmc-transactionId" */
787, /* "id-ct-asciiTextWithCRLF" */
1060, /* "id-ct-xml" */
408, /* "id-ecPublicKey" */
508, /* "id-hex-multipart-message" */
507, /* "id-hex-partial-message" */
260, /* "id-it" */
302, /* "id-it-caKeyUpdateInfo" */
298, /* "id-it-caProtEncCert" */
311, /* "id-it-confirmWaitTime" */
303, /* "id-it-currentCRL" */
300, /* "id-it-encKeyPairTypes" */
310, /* "id-it-implicitConfirm" */
308, /* "id-it-keyPairParamRep" */
307, /* "id-it-keyPairParamReq" */
312, /* "id-it-origPKIMessage" */
301, /* "id-it-preferredSymmAlg" */
309, /* "id-it-revPassphrase" */
299, /* "id-it-signKeyPairTypes" */
305, /* "id-it-subscriptionRequest" */
306, /* "id-it-subscriptionResponse" */
784, /* "id-it-suppLangTags" */
304, /* "id-it-unsupportedOIDs" */
128, /* "id-kp" */
280, /* "id-mod-attribute-cert" */
274, /* "id-mod-cmc" */
277, /* "id-mod-cmp" */
284, /* "id-mod-cmp2000" */
273, /* "id-mod-crmf" */
283, /* "id-mod-dvcs" */
275, /* "id-mod-kea-profile-88" */
276, /* "id-mod-kea-profile-93" */
282, /* "id-mod-ocsp" */
278, /* "id-mod-qualified-cert-88" */
279, /* "id-mod-qualified-cert-93" */
281, /* "id-mod-timestamp-protocol" */
264, /* "id-on" */
347, /* "id-on-personalData" */
265, /* "id-pda" */
352, /* "id-pda-countryOfCitizenship" */
353, /* "id-pda-countryOfResidence" */
348, /* "id-pda-dateOfBirth" */
351, /* "id-pda-gender" */
349, /* "id-pda-placeOfBirth" */
175, /* "id-pe" */
1031, /* "id-pkinit" */
261, /* "id-pkip" */
258, /* "id-pkix-mod" */
269, /* "id-pkix1-explicit-88" */
271, /* "id-pkix1-explicit-93" */
270, /* "id-pkix1-implicit-88" */
272, /* "id-pkix1-implicit-93" */
662, /* "id-ppl" */
267, /* "id-qcs" */
359, /* "id-qcs-pkixQCSyntax-v1" */
259, /* "id-qt" */
313, /* "id-regCtrl" */
316, /* "id-regCtrl-authenticator" */
319, /* "id-regCtrl-oldCertID" */
318, /* "id-regCtrl-pkiArchiveOptions" */
317, /* "id-regCtrl-pkiPublicationInfo" */
320, /* "id-regCtrl-protocolEncrKey" */
315, /* "id-regCtrl-regToken" */
314, /* "id-regInfo" */
322, /* "id-regInfo-certReq" */
321, /* "id-regInfo-utf8Pairs" */
191, /* "id-smime-aa" */
215, /* "id-smime-aa-contentHint" */
218, /* "id-smime-aa-contentIdentifier" */
221, /* "id-smime-aa-contentReference" */
240, /* "id-smime-aa-dvcs-dvc" */
217, /* "id-smime-aa-encapContentType" */
222, /* "id-smime-aa-encrypKeyPref" */
220, /* "id-smime-aa-equivalentLabels" */
232, /* "id-smime-aa-ets-CertificateRefs" */
233, /* "id-smime-aa-ets-RevocationRefs" */
238, /* "id-smime-aa-ets-archiveTimeStamp" */
237, /* "id-smime-aa-ets-certCRLTimestamp" */
234, /* "id-smime-aa-ets-certValues" */
227, /* "id-smime-aa-ets-commitmentType" */
231, /* "id-smime-aa-ets-contentTimestamp" */
236, /* "id-smime-aa-ets-escTimeStamp" */
230, /* "id-smime-aa-ets-otherSigCert" */
235, /* "id-smime-aa-ets-revocationValues" */
226, /* "id-smime-aa-ets-sigPolicyId" */
229, /* "id-smime-aa-ets-signerAttr" */
228, /* "id-smime-aa-ets-signerLocation" */
219, /* "id-smime-aa-macValue" */
214, /* "id-smime-aa-mlExpandHistory" */
216, /* "id-smime-aa-msgSigDigest" */
212, /* "id-smime-aa-receiptRequest" */
213, /* "id-smime-aa-securityLabel" */
239, /* "id-smime-aa-signatureType" */
223, /* "id-smime-aa-signingCertificate" */
1086, /* "id-smime-aa-signingCertificateV2" */
224, /* "id-smime-aa-smimeEncryptCerts" */
225, /* "id-smime-aa-timeStampToken" */
192, /* "id-smime-alg" */
243, /* "id-smime-alg-3DESwrap" */
246, /* "id-smime-alg-CMS3DESwrap" */
247, /* "id-smime-alg-CMSRC2wrap" */
245, /* "id-smime-alg-ESDH" */
241, /* "id-smime-alg-ESDHwith3DES" */
242, /* "id-smime-alg-ESDHwithRC2" */
244, /* "id-smime-alg-RC2wrap" */
193, /* "id-smime-cd" */
248, /* "id-smime-cd-ldap" */
190, /* "id-smime-ct" */
210, /* "id-smime-ct-DVCSRequestData" */
211, /* "id-smime-ct-DVCSResponseData" */
208, /* "id-smime-ct-TDTInfo" */
207, /* "id-smime-ct-TSTInfo" */
205, /* "id-smime-ct-authData" */
1059, /* "id-smime-ct-authEnvelopedData" */
786, /* "id-smime-ct-compressedData" */
1058, /* "id-smime-ct-contentCollection" */
209, /* "id-smime-ct-contentInfo" */
206, /* "id-smime-ct-publishCert" */
204, /* "id-smime-ct-receipt" */
195, /* "id-smime-cti" */
255, /* "id-smime-cti-ets-proofOfApproval" */
256, /* "id-smime-cti-ets-proofOfCreation" */
253, /* "id-smime-cti-ets-proofOfDelivery" */
251, /* "id-smime-cti-ets-proofOfOrigin" */
252, /* "id-smime-cti-ets-proofOfReceipt" */
254, /* "id-smime-cti-ets-proofOfSender" */
189, /* "id-smime-mod" */
196, /* "id-smime-mod-cms" */
197, /* "id-smime-mod-ess" */
202, /* "id-smime-mod-ets-eSigPolicy-88" */
203, /* "id-smime-mod-ets-eSigPolicy-97" */
200, /* "id-smime-mod-ets-eSignature-88" */
201, /* "id-smime-mod-ets-eSignature-97" */
199, /* "id-smime-mod-msg-v3" */
198, /* "id-smime-mod-oid" */
194, /* "id-smime-spq" */
250, /* "id-smime-spq-ets-sqt-unotice" */
249, /* "id-smime-spq-ets-sqt-uri" */
974, /* "id-tc26" */
991, /* "id-tc26-agreement" */
992, /* "id-tc26-agreement-gost-3410-2012-256" */
993, /* "id-tc26-agreement-gost-3410-2012-512" */
977, /* "id-tc26-algorithms" */
990, /* "id-tc26-cipher" */
1001, /* "id-tc26-cipher-constants" */
1176, /* "id-tc26-cipher-gostr3412-2015-kuznyechik" */
1177, /* "id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm" */
1178, /* "id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm-omac" */
1173, /* "id-tc26-cipher-gostr3412-2015-magma" */
1174, /* "id-tc26-cipher-gostr3412-2015-magma-ctracpkm" */
1175, /* "id-tc26-cipher-gostr3412-2015-magma-ctracpkm-omac" */
994, /* "id-tc26-constants" */
981, /* "id-tc26-digest" */
1000, /* "id-tc26-digest-constants" */
1002, /* "id-tc26-gost-28147-constants" */
1147, /* "id-tc26-gost-3410-2012-256-constants" */
996, /* "id-tc26-gost-3410-2012-512-constants" */
987, /* "id-tc26-mac" */
978, /* "id-tc26-sign" */
995, /* "id-tc26-sign-constants" */
984, /* "id-tc26-signwithdigest" */
1179, /* "id-tc26-wrap" */
1182, /* "id-tc26-wrap-gostr3412-2015-kuznyechik" */
1183, /* "id-tc26-wrap-gostr3412-2015-kuznyechik-kexp15" */
1180, /* "id-tc26-wrap-gostr3412-2015-magma" */
1181, /* "id-tc26-wrap-gostr3412-2015-magma-kexp15" */
34, /* "idea-cbc" */
35, /* "idea-cfb" */
36, /* "idea-ecb" */
46, /* "idea-ofb" */
676, /* "identified-organization" */
1170, /* "ieee" */
461, /* "info" */
101, /* "initials" */
869, /* "internationaliSDNNumber" */
1022, /* "ipsec Internet Key Exchange" */
749, /* "ipsec3" */
750, /* "ipsec4" */
181, /* "iso" */
623, /* "issuer capabilities" */
645, /* "itu-t" */
492, /* "janetMailbox" */
646, /* "joint-iso-itu-t" */
957, /* "jurisdictionCountryName" */
955, /* "jurisdictionLocalityName" */
956, /* "jurisdictionStateOrProvinceName" */
150, /* "keyBag" */
773, /* "kisa" */
1063, /* "kx-any" */
1039, /* "kx-dhe" */
1041, /* "kx-dhe-psk" */
1038, /* "kx-ecdhe" */
1040, /* "kx-ecdhe-psk" */
1045, /* "kx-gost" */
1043, /* "kx-psk" */
1037, /* "kx-rsa" */
1042, /* "kx-rsa-psk" */
1044, /* "kx-srp" */
477, /* "lastModifiedBy" */
476, /* "lastModifiedTime" */
157, /* "localKeyID" */
15, /* "localityName" */
480, /* "mXRecord" */
1190, /* "magma-cbc" */
1191, /* "magma-cfb" */
1188, /* "magma-ctr" */
1187, /* "magma-ecb" */
1192, /* "magma-mac" */
1189, /* "magma-ofb" */
493, /* "mailPreferenceOption" */
467, /* "manager" */
3, /* "md2" */
7, /* "md2WithRSAEncryption" */
257, /* "md4" */
396, /* "md4WithRSAEncryption" */
4, /* "md5" */
114, /* "md5-sha1" */
104, /* "md5WithRSA" */
8, /* "md5WithRSAEncryption" */
95, /* "mdc2" */
96, /* "mdc2WithRSA" */
875, /* "member" */
602, /* "merchant initiated auth" */
514, /* "message extensions" */
51, /* "messageDigest" */
911, /* "mgf1" */
506, /* "mime-mhs-bodies" */
505, /* "mime-mhs-headings" */
488, /* "mobileTelephoneNumber" */
481, /* "nSRecord" */
173, /* "name" */
681, /* "onBasis" */
379, /* "org" */
1089, /* "organizationIdentifier" */
17, /* "organizationName" */
491, /* "organizationalStatus" */
18, /* "organizationalUnitName" */
1141, /* "oscca" */
475, /* "otherMailbox" */
876, /* "owner" */
935, /* "pSpecified" */
489, /* "pagerTelephoneNumber" */
782, /* "password based MAC" */
374, /* "path" */
621, /* "payment gateway capabilities" */
9, /* "pbeWithMD2AndDES-CBC" */
168, /* "pbeWithMD2AndRC2-CBC" */
112, /* "pbeWithMD5AndCast5CBC" */
10, /* "pbeWithMD5AndDES-CBC" */
169, /* "pbeWithMD5AndRC2-CBC" */
148, /* "pbeWithSHA1And128BitRC2-CBC" */
144, /* "pbeWithSHA1And128BitRC4" */
147, /* "pbeWithSHA1And2-KeyTripleDES-CBC" */
146, /* "pbeWithSHA1And3-KeyTripleDES-CBC" */
149, /* "pbeWithSHA1And40BitRC2-CBC" */
145, /* "pbeWithSHA1And40BitRC4" */
170, /* "pbeWithSHA1AndDES-CBC" */
68, /* "pbeWithSHA1AndRC2-CBC" */
499, /* "personalSignature" */
487, /* "personalTitle" */
464, /* "photo" */
863, /* "physicalDeliveryOfficeName" */
437, /* "pilot" */
439, /* "pilotAttributeSyntax" */
438, /* "pilotAttributeType" */
479, /* "pilotAttributeType27" */
456, /* "pilotDSA" */
441, /* "pilotGroups" */
444, /* "pilotObject" */
440, /* "pilotObjectClass" */
455, /* "pilotOrganization" */
445, /* "pilotPerson" */
186, /* "pkcs1" */
27, /* "pkcs3" */
187, /* "pkcs5" */
20, /* "pkcs7" */
21, /* "pkcs7-data" */
25, /* "pkcs7-digestData" */
26, /* "pkcs7-encryptedData" */
23, /* "pkcs7-envelopedData" */
24, /* "pkcs7-signedAndEnvelopedData" */
22, /* "pkcs7-signedData" */
151, /* "pkcs8ShroudedKeyBag" */
47, /* "pkcs9" */
1061, /* "poly1305" */
862, /* "postOfficeBox" */
861, /* "postalAddress" */
661, /* "postalCode" */
683, /* "ppBasis" */
872, /* "preferredDeliveryMethod" */
873, /* "presentationAddress" */
406, /* "prime-field" */
409, /* "prime192v1" */
410, /* "prime192v2" */
411, /* "prime192v3" */
412, /* "prime239v1" */
413, /* "prime239v2" */
414, /* "prime239v3" */
415, /* "prime256v1" */
886, /* "protocolInformation" */
510, /* "pseudonym" */
435, /* "pss" */
286, /* "qcStatements" */
457, /* "qualityLabelledData" */
450, /* "rFC822localPart" */
98, /* "rc2-40-cbc" */
166, /* "rc2-64-cbc" */
37, /* "rc2-cbc" */
39, /* "rc2-cfb" */
38, /* "rc2-ecb" */
40, /* "rc2-ofb" */
5, /* "rc4" */
97, /* "rc4-40" */
915, /* "rc4-hmac-md5" */
120, /* "rc5-cbc" */
122, /* "rc5-cfb" */
121, /* "rc5-ecb" */
123, /* "rc5-ofb" */
870, /* "registeredAddress" */
460, /* "rfc822Mailbox" */
117, /* "ripemd160" */
119, /* "ripemd160WithRSA" */
400, /* "role" */
877, /* "roleOccupant" */
448, /* "room" */
463, /* "roomNumber" */
19, /* "rsa" */
6, /* "rsaEncryption" */
644, /* "rsaOAEPEncryptionSET" */
377, /* "rsaSignature" */
919, /* "rsaesOaep" */
912, /* "rsassaPss" */
482, /* "sOARecord" */
155, /* "safeContentsBag" */
291, /* "sbgp-autonomousSysNum" */
290, /* "sbgp-ipAddrBlock" */
292, /* "sbgp-routerIdentifier" */
973, /* "scrypt" */
159, /* "sdsiCertificate" */
859, /* "searchGuide" */
704, /* "secp112r1" */
705, /* "secp112r2" */
706, /* "secp128r1" */
707, /* "secp128r2" */
708, /* "secp160k1" */
709, /* "secp160r1" */
710, /* "secp160r2" */
711, /* "secp192k1" */
712, /* "secp224k1" */
713, /* "secp224r1" */
714, /* "secp256k1" */
715, /* "secp384r1" */
716, /* "secp521r1" */
154, /* "secretBag" */
474, /* "secretary" */
717, /* "sect113r1" */
718, /* "sect113r2" */
719, /* "sect131r1" */
720, /* "sect131r2" */
721, /* "sect163k1" */
722, /* "sect163r1" */
723, /* "sect163r2" */
724, /* "sect193r1" */
725, /* "sect193r2" */
726, /* "sect233k1" */
727, /* "sect233r1" */
728, /* "sect239k1" */
729, /* "sect283k1" */
730, /* "sect283r1" */
731, /* "sect409k1" */
732, /* "sect409r1" */
733, /* "sect571k1" */
734, /* "sect571r1" */
635, /* "secure device signature" */
878, /* "seeAlso" */
777, /* "seed-cbc" */
779, /* "seed-cfb" */
776, /* "seed-ecb" */
778, /* "seed-ofb" */
105, /* "serialNumber" */
625, /* "set-addPolicy" */
515, /* "set-attr" */
518, /* "set-brand" */
638, /* "set-brand-AmericanExpress" */
637, /* "set-brand-Diners" */
636, /* "set-brand-IATA-ATA" */
639, /* "set-brand-JCB" */
641, /* "set-brand-MasterCard" */
642, /* "set-brand-Novus" */
640, /* "set-brand-Visa" */
516, /* "set-policy" */
607, /* "set-policy-root" */
624, /* "set-rootKeyThumb" */
620, /* "setAttr-Cert" */
628, /* "setAttr-IssCap-CVM" */
630, /* "setAttr-IssCap-Sig" */
629, /* "setAttr-IssCap-T2" */
627, /* "setAttr-Token-B0Prime" */
626, /* "setAttr-Token-EMV" */
622, /* "setAttr-TokenType" */
619, /* "setCext-IssuerCapabilities" */
615, /* "setCext-PGWYcapabilities" */
616, /* "setCext-TokenIdentifier" */
618, /* "setCext-TokenType" */
617, /* "setCext-Track2Data" */
611, /* "setCext-cCertRequired" */
609, /* "setCext-certType" */
608, /* "setCext-hashedRoot" */
610, /* "setCext-merchData" */
613, /* "setCext-setExt" */
614, /* "setCext-setQualf" */
612, /* "setCext-tunneling" */
540, /* "setct-AcqCardCodeMsg" */
576, /* "setct-AcqCardCodeMsgTBE" */
570, /* "setct-AuthReqTBE" */
534, /* "setct-AuthReqTBS" */
527, /* "setct-AuthResBaggage" */
571, /* "setct-AuthResTBE" */
572, /* "setct-AuthResTBEX" */
535, /* "setct-AuthResTBS" */
536, /* "setct-AuthResTBSX" */
528, /* "setct-AuthRevReqBaggage" */
577, /* "setct-AuthRevReqTBE" */
541, /* "setct-AuthRevReqTBS" */
529, /* "setct-AuthRevResBaggage" */
542, /* "setct-AuthRevResData" */
578, /* "setct-AuthRevResTBE" */
579, /* "setct-AuthRevResTBEB" */
543, /* "setct-AuthRevResTBS" */
573, /* "setct-AuthTokenTBE" */
537, /* "setct-AuthTokenTBS" */
600, /* "setct-BCIDistributionTBS" */
558, /* "setct-BatchAdminReqData" */
592, /* "setct-BatchAdminReqTBE" */
559, /* "setct-BatchAdminResData" */
593, /* "setct-BatchAdminResTBE" */
599, /* "setct-CRLNotificationResTBS" */
598, /* "setct-CRLNotificationTBS" */
580, /* "setct-CapReqTBE" */
581, /* "setct-CapReqTBEX" */
544, /* "setct-CapReqTBS" */
545, /* "setct-CapReqTBSX" */
546, /* "setct-CapResData" */
582, /* "setct-CapResTBE" */
583, /* "setct-CapRevReqTBE" */
584, /* "setct-CapRevReqTBEX" */
547, /* "setct-CapRevReqTBS" */
548, /* "setct-CapRevReqTBSX" */
549, /* "setct-CapRevResData" */
585, /* "setct-CapRevResTBE" */
538, /* "setct-CapTokenData" */
530, /* "setct-CapTokenSeq" */
574, /* "setct-CapTokenTBE" */
575, /* "setct-CapTokenTBEX" */
539, /* "setct-CapTokenTBS" */
560, /* "setct-CardCInitResTBS" */
566, /* "setct-CertInqReqTBS" */
563, /* "setct-CertReqData" */
595, /* "setct-CertReqTBE" */
596, /* "setct-CertReqTBEX" */
564, /* "setct-CertReqTBS" */
565, /* "setct-CertResData" */
597, /* "setct-CertResTBE" */
586, /* "setct-CredReqTBE" */
587, /* "setct-CredReqTBEX" */
550, /* "setct-CredReqTBS" */
551, /* "setct-CredReqTBSX" */
552, /* "setct-CredResData" */
588, /* "setct-CredResTBE" */
589, /* "setct-CredRevReqTBE" */
590, /* "setct-CredRevReqTBEX" */
553, /* "setct-CredRevReqTBS" */
554, /* "setct-CredRevReqTBSX" */
555, /* "setct-CredRevResData" */
591, /* "setct-CredRevResTBE" */
567, /* "setct-ErrorTBS" */
526, /* "setct-HODInput" */
561, /* "setct-MeAqCInitResTBS" */
522, /* "setct-OIData" */
519, /* "setct-PANData" */
521, /* "setct-PANOnly" */
520, /* "setct-PANToken" */
556, /* "setct-PCertReqData" */
557, /* "setct-PCertResTBS" */
523, /* "setct-PI" */
532, /* "setct-PI-TBS" */
524, /* "setct-PIData" */
525, /* "setct-PIDataUnsigned" */
568, /* "setct-PIDualSignedTBE" */
569, /* "setct-PIUnsignedTBE" */
531, /* "setct-PInitResData" */
533, /* "setct-PResData" */
594, /* "setct-RegFormReqTBE" */
562, /* "setct-RegFormResTBS" */
604, /* "setext-pinAny" */
603, /* "setext-pinSecure" */
605, /* "setext-track2" */
41, /* "sha" */
64, /* "sha1" */
115, /* "sha1WithRSA" */
65, /* "sha1WithRSAEncryption" */
675, /* "sha224" */
671, /* "sha224WithRSAEncryption" */
672, /* "sha256" */
668, /* "sha256WithRSAEncryption" */
1096, /* "sha3-224" */
1097, /* "sha3-256" */
1098, /* "sha3-384" */
1099, /* "sha3-512" */
673, /* "sha384" */
669, /* "sha384WithRSAEncryption" */
674, /* "sha512" */
1094, /* "sha512-224" */
1145, /* "sha512-224WithRSAEncryption" */
1095, /* "sha512-256" */
1146, /* "sha512-256WithRSAEncryption" */
670, /* "sha512WithRSAEncryption" */
42, /* "shaWithRSAEncryption" */
1100, /* "shake128" */
1101, /* "shake256" */
52, /* "signingTime" */
454, /* "simpleSecurityObject" */
496, /* "singleLevelQuality" */
1062, /* "siphash" */
1142, /* "sm-scheme" */
1172, /* "sm2" */
1143, /* "sm3" */
1144, /* "sm3WithRSAEncryption" */
1134, /* "sm4-cbc" */
1137, /* "sm4-cfb" */
1136, /* "sm4-cfb1" */
1138, /* "sm4-cfb8" */
1139, /* "sm4-ctr" */
1133, /* "sm4-ecb" */
1135, /* "sm4-ofb" */
16, /* "stateOrProvinceName" */
660, /* "streetAddress" */
498, /* "subtreeMaximumQuality" */
497, /* "subtreeMinimumQuality" */
890, /* "supportedAlgorithms" */
874, /* "supportedApplicationContext" */
100, /* "surname" */
864, /* "telephoneNumber" */
866, /* "teletexTerminalIdentifier" */
865, /* "telexNumber" */
459, /* "textEncodedORAddress" */
293, /* "textNotice" */
106, /* "title" */
1021, /* "tls1-prf" */
682, /* "tpBasis" */
1151, /* "ua-pki" */
436, /* "ucl" */
0, /* "undefined" */
102, /* "uniqueIdentifier" */
888, /* "uniqueMember" */
55, /* "unstructuredAddress" */
49, /* "unstructuredName" */
880, /* "userCertificate" */
465, /* "userClass" */
458, /* "userId" */
879, /* "userPassword" */
373, /* "valid" */
678, /* "wap" */
679, /* "wap-wsg" */
735, /* "wap-wsg-idm-ecid-wtls1" */
743, /* "wap-wsg-idm-ecid-wtls10" */
744, /* "wap-wsg-idm-ecid-wtls11" */
745, /* "wap-wsg-idm-ecid-wtls12" */
736, /* "wap-wsg-idm-ecid-wtls3" */
737, /* "wap-wsg-idm-ecid-wtls4" */
738, /* "wap-wsg-idm-ecid-wtls5" */
739, /* "wap-wsg-idm-ecid-wtls6" */
740, /* "wap-wsg-idm-ecid-wtls7" */
741, /* "wap-wsg-idm-ecid-wtls8" */
742, /* "wap-wsg-idm-ecid-wtls9" */
804, /* "whirlpool" */
868, /* "x121Address" */
503, /* "x500UniqueIdentifier" */
158, /* "x509Certificate" */
160, /* "x509Crl" */
125, /* "zlib compression" */
};
#define NUM_OBJ 1071
static const unsigned int obj_objs[NUM_OBJ] = {
0, /* OBJ_undef 0 */
181, /* OBJ_iso 1 */
393, /* OBJ_joint_iso_ccitt OBJ_joint_iso_itu_t */
404, /* OBJ_ccitt OBJ_itu_t */
645, /* OBJ_itu_t 0 */
646, /* OBJ_joint_iso_itu_t 2 */
434, /* OBJ_data 0 9 */
182, /* OBJ_member_body 1 2 */
379, /* OBJ_org 1 3 */
676, /* OBJ_identified_organization 1 3 */
11, /* OBJ_X500 2 5 */
647, /* OBJ_international_organizations 2 23 */
380, /* OBJ_dod 1 3 6 */
1170, /* OBJ_ieee 1 3 111 */
12, /* OBJ_X509 2 5 4 */
378, /* OBJ_X500algorithms 2 5 8 */
81, /* OBJ_id_ce 2 5 29 */
512, /* OBJ_id_set 2 23 42 */
678, /* OBJ_wap 2 23 43 */
435, /* OBJ_pss 0 9 2342 */
1140, /* OBJ_ISO_CN 1 2 156 */
1150, /* OBJ_ISO_UA 1 2 804 */
183, /* OBJ_ISO_US 1 2 840 */
381, /* OBJ_iana 1 3 6 1 */
1034, /* OBJ_X25519 1 3 101 110 */
1035, /* OBJ_X448 1 3 101 111 */
1087, /* OBJ_ED25519 1 3 101 112 */
1088, /* OBJ_ED448 1 3 101 113 */
677, /* OBJ_certicom_arc 1 3 132 */
394, /* OBJ_selected_attribute_types 2 5 1 5 */
13, /* OBJ_commonName 2 5 4 3 */
100, /* OBJ_surname 2 5 4 4 */
105, /* OBJ_serialNumber 2 5 4 5 */
14, /* OBJ_countryName 2 5 4 6 */
15, /* OBJ_localityName 2 5 4 7 */
16, /* OBJ_stateOrProvinceName 2 5 4 8 */
660, /* OBJ_streetAddress 2 5 4 9 */
17, /* OBJ_organizationName 2 5 4 10 */
18, /* OBJ_organizationalUnitName 2 5 4 11 */
106, /* OBJ_title 2 5 4 12 */
107, /* OBJ_description 2 5 4 13 */
859, /* OBJ_searchGuide 2 5 4 14 */
860, /* OBJ_businessCategory 2 5 4 15 */
861, /* OBJ_postalAddress 2 5 4 16 */
661, /* OBJ_postalCode 2 5 4 17 */
862, /* OBJ_postOfficeBox 2 5 4 18 */
863, /* OBJ_physicalDeliveryOfficeName 2 5 4 19 */
864, /* OBJ_telephoneNumber 2 5 4 20 */
865, /* OBJ_telexNumber 2 5 4 21 */
866, /* OBJ_teletexTerminalIdentifier 2 5 4 22 */
867, /* OBJ_facsimileTelephoneNumber 2 5 4 23 */
868, /* OBJ_x121Address 2 5 4 24 */
869, /* OBJ_internationaliSDNNumber 2 5 4 25 */
870, /* OBJ_registeredAddress 2 5 4 26 */
871, /* OBJ_destinationIndicator 2 5 4 27 */
872, /* OBJ_preferredDeliveryMethod 2 5 4 28 */
873, /* OBJ_presentationAddress 2 5 4 29 */
874, /* OBJ_supportedApplicationContext 2 5 4 30 */
875, /* OBJ_member 2 5 4 31 */
876, /* OBJ_owner 2 5 4 32 */
877, /* OBJ_roleOccupant 2 5 4 33 */
878, /* OBJ_seeAlso 2 5 4 34 */
879, /* OBJ_userPassword 2 5 4 35 */
880, /* OBJ_userCertificate 2 5 4 36 */
881, /* OBJ_cACertificate 2 5 4 37 */
882, /* OBJ_authorityRevocationList 2 5 4 38 */
883, /* OBJ_certificateRevocationList 2 5 4 39 */
884, /* OBJ_crossCertificatePair 2 5 4 40 */
173, /* OBJ_name 2 5 4 41 */
99, /* OBJ_givenName 2 5 4 42 */
101, /* OBJ_initials 2 5 4 43 */
509, /* OBJ_generationQualifier 2 5 4 44 */
503, /* OBJ_x500UniqueIdentifier 2 5 4 45 */
174, /* OBJ_dnQualifier 2 5 4 46 */
885, /* OBJ_enhancedSearchGuide 2 5 4 47 */
886, /* OBJ_protocolInformation 2 5 4 48 */
887, /* OBJ_distinguishedName 2 5 4 49 */
888, /* OBJ_uniqueMember 2 5 4 50 */
889, /* OBJ_houseIdentifier 2 5 4 51 */
890, /* OBJ_supportedAlgorithms 2 5 4 52 */
891, /* OBJ_deltaRevocationList 2 5 4 53 */
892, /* OBJ_dmdName 2 5 4 54 */
510, /* OBJ_pseudonym 2 5 4 65 */
400, /* OBJ_role 2 5 4 72 */
1089, /* OBJ_organizationIdentifier 2 5 4 97 */
1090, /* OBJ_countryCode3c 2 5 4 98 */
1091, /* OBJ_countryCode3n 2 5 4 99 */
1092, /* OBJ_dnsName 2 5 4 100 */
769, /* OBJ_subject_directory_attributes 2 5 29 9 */
82, /* OBJ_subject_key_identifier 2 5 29 14 */
83, /* OBJ_key_usage 2 5 29 15 */
84, /* OBJ_private_key_usage_period 2 5 29 16 */
85, /* OBJ_subject_alt_name 2 5 29 17 */
86, /* OBJ_issuer_alt_name 2 5 29 18 */
87, /* OBJ_basic_constraints 2 5 29 19 */
88, /* OBJ_crl_number 2 5 29 20 */
141, /* OBJ_crl_reason 2 5 29 21 */
430, /* OBJ_hold_instruction_code 2 5 29 23 */
142, /* OBJ_invalidity_date 2 5 29 24 */
140, /* OBJ_delta_crl 2 5 29 27 */
770, /* OBJ_issuing_distribution_point 2 5 29 28 */
771, /* OBJ_certificate_issuer 2 5 29 29 */
666, /* OBJ_name_constraints 2 5 29 30 */
103, /* OBJ_crl_distribution_points 2 5 29 31 */
89, /* OBJ_certificate_policies 2 5 29 32 */
747, /* OBJ_policy_mappings 2 5 29 33 */
90, /* OBJ_authority_key_identifier 2 5 29 35 */
401, /* OBJ_policy_constraints 2 5 29 36 */
126, /* OBJ_ext_key_usage 2 5 29 37 */
857, /* OBJ_freshest_crl 2 5 29 46 */
748, /* OBJ_inhibit_any_policy 2 5 29 54 */
402, /* OBJ_target_information 2 5 29 55 */
403, /* OBJ_no_rev_avail 2 5 29 56 */
513, /* OBJ_set_ctype 2 23 42 0 */
514, /* OBJ_set_msgExt 2 23 42 1 */
515, /* OBJ_set_attr 2 23 42 3 */
516, /* OBJ_set_policy 2 23 42 5 */
517, /* OBJ_set_certExt 2 23 42 7 */
518, /* OBJ_set_brand 2 23 42 8 */
679, /* OBJ_wap_wsg 2 23 43 1 */
382, /* OBJ_Directory 1 3 6 1 1 */
383, /* OBJ_Management 1 3 6 1 2 */
384, /* OBJ_Experimental 1 3 6 1 3 */
385, /* OBJ_Private 1 3 6 1 4 */
386, /* OBJ_Security 1 3 6 1 5 */
387, /* OBJ_SNMPv2 1 3 6 1 6 */
388, /* OBJ_Mail 1 3 6 1 7 */
376, /* OBJ_algorithm 1 3 14 3 2 */
395, /* OBJ_clearance 2 5 1 5 55 */
19, /* OBJ_rsa 2 5 8 1 1 */
96, /* OBJ_mdc2WithRSA 2 5 8 3 100 */
95, /* OBJ_mdc2 2 5 8 3 101 */
746, /* OBJ_any_policy 2 5 29 32 0 */
910, /* OBJ_anyExtendedKeyUsage 2 5 29 37 0 */
519, /* OBJ_setct_PANData 2 23 42 0 0 */
520, /* OBJ_setct_PANToken 2 23 42 0 1 */
521, /* OBJ_setct_PANOnly 2 23 42 0 2 */
522, /* OBJ_setct_OIData 2 23 42 0 3 */
523, /* OBJ_setct_PI 2 23 42 0 4 */
524, /* OBJ_setct_PIData 2 23 42 0 5 */
525, /* OBJ_setct_PIDataUnsigned 2 23 42 0 6 */
526, /* OBJ_setct_HODInput 2 23 42 0 7 */
527, /* OBJ_setct_AuthResBaggage 2 23 42 0 8 */
528, /* OBJ_setct_AuthRevReqBaggage 2 23 42 0 9 */
529, /* OBJ_setct_AuthRevResBaggage 2 23 42 0 10 */
530, /* OBJ_setct_CapTokenSeq 2 23 42 0 11 */
531, /* OBJ_setct_PInitResData 2 23 42 0 12 */
532, /* OBJ_setct_PI_TBS 2 23 42 0 13 */
533, /* OBJ_setct_PResData 2 23 42 0 14 */
534, /* OBJ_setct_AuthReqTBS 2 23 42 0 16 */
535, /* OBJ_setct_AuthResTBS 2 23 42 0 17 */
536, /* OBJ_setct_AuthResTBSX 2 23 42 0 18 */
537, /* OBJ_setct_AuthTokenTBS 2 23 42 0 19 */
538, /* OBJ_setct_CapTokenData 2 23 42 0 20 */
539, /* OBJ_setct_CapTokenTBS 2 23 42 0 21 */
540, /* OBJ_setct_AcqCardCodeMsg 2 23 42 0 22 */
541, /* OBJ_setct_AuthRevReqTBS 2 23 42 0 23 */
542, /* OBJ_setct_AuthRevResData 2 23 42 0 24 */
543, /* OBJ_setct_AuthRevResTBS 2 23 42 0 25 */
544, /* OBJ_setct_CapReqTBS 2 23 42 0 26 */
545, /* OBJ_setct_CapReqTBSX 2 23 42 0 27 */
546, /* OBJ_setct_CapResData 2 23 42 0 28 */
547, /* OBJ_setct_CapRevReqTBS 2 23 42 0 29 */
548, /* OBJ_setct_CapRevReqTBSX 2 23 42 0 30 */
549, /* OBJ_setct_CapRevResData 2 23 42 0 31 */
550, /* OBJ_setct_CredReqTBS 2 23 42 0 32 */
551, /* OBJ_setct_CredReqTBSX 2 23 42 0 33 */
552, /* OBJ_setct_CredResData 2 23 42 0 34 */
553, /* OBJ_setct_CredRevReqTBS 2 23 42 0 35 */
554, /* OBJ_setct_CredRevReqTBSX 2 23 42 0 36 */
555, /* OBJ_setct_CredRevResData 2 23 42 0 37 */
556, /* OBJ_setct_PCertReqData 2 23 42 0 38 */
557, /* OBJ_setct_PCertResTBS 2 23 42 0 39 */
558, /* OBJ_setct_BatchAdminReqData 2 23 42 0 40 */
559, /* OBJ_setct_BatchAdminResData 2 23 42 0 41 */
560, /* OBJ_setct_CardCInitResTBS 2 23 42 0 42 */
561, /* OBJ_setct_MeAqCInitResTBS 2 23 42 0 43 */
562, /* OBJ_setct_RegFormResTBS 2 23 42 0 44 */
563, /* OBJ_setct_CertReqData 2 23 42 0 45 */
564, /* OBJ_setct_CertReqTBS 2 23 42 0 46 */
565, /* OBJ_setct_CertResData 2 23 42 0 47 */
566, /* OBJ_setct_CertInqReqTBS 2 23 42 0 48 */
567, /* OBJ_setct_ErrorTBS 2 23 42 0 49 */
568, /* OBJ_setct_PIDualSignedTBE 2 23 42 0 50 */
569, /* OBJ_setct_PIUnsignedTBE 2 23 42 0 51 */
570, /* OBJ_setct_AuthReqTBE 2 23 42 0 52 */
571, /* OBJ_setct_AuthResTBE 2 23 42 0 53 */
572, /* OBJ_setct_AuthResTBEX 2 23 42 0 54 */
573, /* OBJ_setct_AuthTokenTBE 2 23 42 0 55 */
574, /* OBJ_setct_CapTokenTBE 2 23 42 0 56 */
575, /* OBJ_setct_CapTokenTBEX 2 23 42 0 57 */
576, /* OBJ_setct_AcqCardCodeMsgTBE 2 23 42 0 58 */
577, /* OBJ_setct_AuthRevReqTBE 2 23 42 0 59 */
578, /* OBJ_setct_AuthRevResTBE 2 23 42 0 60 */
579, /* OBJ_setct_AuthRevResTBEB 2 23 42 0 61 */
580, /* OBJ_setct_CapReqTBE 2 23 42 0 62 */
581, /* OBJ_setct_CapReqTBEX 2 23 42 0 63 */
582, /* OBJ_setct_CapResTBE 2 23 42 0 64 */
583, /* OBJ_setct_CapRevReqTBE 2 23 42 0 65 */
584, /* OBJ_setct_CapRevReqTBEX 2 23 42 0 66 */
585, /* OBJ_setct_CapRevResTBE 2 23 42 0 67 */
586, /* OBJ_setct_CredReqTBE 2 23 42 0 68 */
587, /* OBJ_setct_CredReqTBEX 2 23 42 0 69 */
588, /* OBJ_setct_CredResTBE 2 23 42 0 70 */
589, /* OBJ_setct_CredRevReqTBE 2 23 42 0 71 */
590, /* OBJ_setct_CredRevReqTBEX 2 23 42 0 72 */
591, /* OBJ_setct_CredRevResTBE 2 23 42 0 73 */
592, /* OBJ_setct_BatchAdminReqTBE 2 23 42 0 74 */
593, /* OBJ_setct_BatchAdminResTBE 2 23 42 0 75 */
594, /* OBJ_setct_RegFormReqTBE 2 23 42 0 76 */
595, /* OBJ_setct_CertReqTBE 2 23 42 0 77 */
596, /* OBJ_setct_CertReqTBEX 2 23 42 0 78 */
597, /* OBJ_setct_CertResTBE 2 23 42 0 79 */
598, /* OBJ_setct_CRLNotificationTBS 2 23 42 0 80 */
599, /* OBJ_setct_CRLNotificationResTBS 2 23 42 0 81 */
600, /* OBJ_setct_BCIDistributionTBS 2 23 42 0 82 */
601, /* OBJ_setext_genCrypt 2 23 42 1 1 */
602, /* OBJ_setext_miAuth 2 23 42 1 3 */
603, /* OBJ_setext_pinSecure 2 23 42 1 4 */
604, /* OBJ_setext_pinAny 2 23 42 1 5 */
605, /* OBJ_setext_track2 2 23 42 1 7 */
606, /* OBJ_setext_cv 2 23 42 1 8 */
620, /* OBJ_setAttr_Cert 2 23 42 3 0 */
621, /* OBJ_setAttr_PGWYcap 2 23 42 3 1 */
622, /* OBJ_setAttr_TokenType 2 23 42 3 2 */
623, /* OBJ_setAttr_IssCap 2 23 42 3 3 */
607, /* OBJ_set_policy_root 2 23 42 5 0 */
608, /* OBJ_setCext_hashedRoot 2 23 42 7 0 */
609, /* OBJ_setCext_certType 2 23 42 7 1 */
610, /* OBJ_setCext_merchData 2 23 42 7 2 */
611, /* OBJ_setCext_cCertRequired 2 23 42 7 3 */
612, /* OBJ_setCext_tunneling 2 23 42 7 4 */
613, /* OBJ_setCext_setExt 2 23 42 7 5 */
614, /* OBJ_setCext_setQualf 2 23 42 7 6 */
615, /* OBJ_setCext_PGWYcapabilities 2 23 42 7 7 */
616, /* OBJ_setCext_TokenIdentifier 2 23 42 7 8 */
617, /* OBJ_setCext_Track2Data 2 23 42 7 9 */
618, /* OBJ_setCext_TokenType 2 23 42 7 10 */
619, /* OBJ_setCext_IssuerCapabilities 2 23 42 7 11 */
636, /* OBJ_set_brand_IATA_ATA 2 23 42 8 1 */
640, /* OBJ_set_brand_Visa 2 23 42 8 4 */
641, /* OBJ_set_brand_MasterCard 2 23 42 8 5 */
637, /* OBJ_set_brand_Diners 2 23 42 8 30 */
638, /* OBJ_set_brand_AmericanExpress 2 23 42 8 34 */
639, /* OBJ_set_brand_JCB 2 23 42 8 35 */
1141, /* OBJ_oscca 1 2 156 10197 */
805, /* OBJ_cryptopro 1 2 643 2 2 */
806, /* OBJ_cryptocom 1 2 643 2 9 */
974, /* OBJ_id_tc26 1 2 643 7 1 */
1005, /* OBJ_OGRN 1 2 643 100 1 */
1006, /* OBJ_SNILS 1 2 643 100 3 */
1007, /* OBJ_subjectSignTool 1 2 643 100 111 */
1008, /* OBJ_issuerSignTool 1 2 643 100 112 */
184, /* OBJ_X9_57 1 2 840 10040 */
405, /* OBJ_ansi_X9_62 1 2 840 10045 */
389, /* OBJ_Enterprises 1 3 6 1 4 1 */
504, /* OBJ_mime_mhs 1 3 6 1 7 1 */
104, /* OBJ_md5WithRSA 1 3 14 3 2 3 */
29, /* OBJ_des_ecb 1 3 14 3 2 6 */
31, /* OBJ_des_cbc 1 3 14 3 2 7 */
45, /* OBJ_des_ofb64 1 3 14 3 2 8 */
30, /* OBJ_des_cfb64 1 3 14 3 2 9 */
377, /* OBJ_rsaSignature 1 3 14 3 2 11 */
67, /* OBJ_dsa_2 1 3 14 3 2 12 */
66, /* OBJ_dsaWithSHA 1 3 14 3 2 13 */
42, /* OBJ_shaWithRSAEncryption 1 3 14 3 2 15 */
32, /* OBJ_des_ede_ecb 1 3 14 3 2 17 */
41, /* OBJ_sha 1 3 14 3 2 18 */
64, /* OBJ_sha1 1 3 14 3 2 26 */
70, /* OBJ_dsaWithSHA1_2 1 3 14 3 2 27 */
115, /* OBJ_sha1WithRSA 1 3 14 3 2 29 */
117, /* OBJ_ripemd160 1 3 36 3 2 1 */
1093, /* OBJ_x509ExtAdmission 1 3 36 8 3 3 */
143, /* OBJ_sxnet 1 3 101 1 4 1 */
1171, /* OBJ_ieee_siswg 1 3 111 2 1619 */
721, /* OBJ_sect163k1 1 3 132 0 1 */
722, /* OBJ_sect163r1 1 3 132 0 2 */
728, /* OBJ_sect239k1 1 3 132 0 3 */
717, /* OBJ_sect113r1 1 3 132 0 4 */
718, /* OBJ_sect113r2 1 3 132 0 5 */
704, /* OBJ_secp112r1 1 3 132 0 6 */
705, /* OBJ_secp112r2 1 3 132 0 7 */
709, /* OBJ_secp160r1 1 3 132 0 8 */
708, /* OBJ_secp160k1 1 3 132 0 9 */
714, /* OBJ_secp256k1 1 3 132 0 10 */
723, /* OBJ_sect163r2 1 3 132 0 15 */
729, /* OBJ_sect283k1 1 3 132 0 16 */
730, /* OBJ_sect283r1 1 3 132 0 17 */
719, /* OBJ_sect131r1 1 3 132 0 22 */
720, /* OBJ_sect131r2 1 3 132 0 23 */
724, /* OBJ_sect193r1 1 3 132 0 24 */
725, /* OBJ_sect193r2 1 3 132 0 25 */
726, /* OBJ_sect233k1 1 3 132 0 26 */
727, /* OBJ_sect233r1 1 3 132 0 27 */
706, /* OBJ_secp128r1 1 3 132 0 28 */
707, /* OBJ_secp128r2 1 3 132 0 29 */
710, /* OBJ_secp160r2 1 3 132 0 30 */
711, /* OBJ_secp192k1 1 3 132 0 31 */
712, /* OBJ_secp224k1 1 3 132 0 32 */
713, /* OBJ_secp224r1 1 3 132 0 33 */
715, /* OBJ_secp384r1 1 3 132 0 34 */
716, /* OBJ_secp521r1 1 3 132 0 35 */
731, /* OBJ_sect409k1 1 3 132 0 36 */
732, /* OBJ_sect409r1 1 3 132 0 37 */
733, /* OBJ_sect571k1 1 3 132 0 38 */
734, /* OBJ_sect571r1 1 3 132 0 39 */
624, /* OBJ_set_rootKeyThumb 2 23 42 3 0 0 */
625, /* OBJ_set_addPolicy 2 23 42 3 0 1 */
626, /* OBJ_setAttr_Token_EMV 2 23 42 3 2 1 */
627, /* OBJ_setAttr_Token_B0Prime 2 23 42 3 2 2 */
628, /* OBJ_setAttr_IssCap_CVM 2 23 42 3 3 3 */
629, /* OBJ_setAttr_IssCap_T2 2 23 42 3 3 4 */
630, /* OBJ_setAttr_IssCap_Sig 2 23 42 3 3 5 */
642, /* OBJ_set_brand_Novus 2 23 42 8 6011 */
735, /* OBJ_wap_wsg_idm_ecid_wtls1 2 23 43 1 4 1 */
736, /* OBJ_wap_wsg_idm_ecid_wtls3 2 23 43 1 4 3 */
737, /* OBJ_wap_wsg_idm_ecid_wtls4 2 23 43 1 4 4 */
738, /* OBJ_wap_wsg_idm_ecid_wtls5 2 23 43 1 4 5 */
739, /* OBJ_wap_wsg_idm_ecid_wtls6 2 23 43 1 4 6 */
740, /* OBJ_wap_wsg_idm_ecid_wtls7 2 23 43 1 4 7 */
741, /* OBJ_wap_wsg_idm_ecid_wtls8 2 23 43 1 4 8 */
742, /* OBJ_wap_wsg_idm_ecid_wtls9 2 23 43 1 4 9 */
743, /* OBJ_wap_wsg_idm_ecid_wtls10 2 23 43 1 4 10 */
744, /* OBJ_wap_wsg_idm_ecid_wtls11 2 23 43 1 4 11 */
745, /* OBJ_wap_wsg_idm_ecid_wtls12 2 23 43 1 4 12 */
804, /* OBJ_whirlpool 1 0 10118 3 0 55 */
1142, /* OBJ_sm_scheme 1 2 156 10197 1 */
773, /* OBJ_kisa 1 2 410 200004 */
807, /* OBJ_id_GostR3411_94_with_GostR3410_2001 1 2 643 2 2 3 */
808, /* OBJ_id_GostR3411_94_with_GostR3410_94 1 2 643 2 2 4 */
809, /* OBJ_id_GostR3411_94 1 2 643 2 2 9 */
810, /* OBJ_id_HMACGostR3411_94 1 2 643 2 2 10 */
811, /* OBJ_id_GostR3410_2001 1 2 643 2 2 19 */
812, /* OBJ_id_GostR3410_94 1 2 643 2 2 20 */
813, /* OBJ_id_Gost28147_89 1 2 643 2 2 21 */
815, /* OBJ_id_Gost28147_89_MAC 1 2 643 2 2 22 */
816, /* OBJ_id_GostR3411_94_prf 1 2 643 2 2 23 */
817, /* OBJ_id_GostR3410_2001DH 1 2 643 2 2 98 */
818, /* OBJ_id_GostR3410_94DH 1 2 643 2 2 99 */
977, /* OBJ_id_tc26_algorithms 1 2 643 7 1 1 */
994, /* OBJ_id_tc26_constants 1 2 643 7 1 2 */
1, /* OBJ_rsadsi 1 2 840 113549 */
185, /* OBJ_X9cm 1 2 840 10040 4 */
1031, /* OBJ_id_pkinit 1 3 6 1 5 2 3 */
127, /* OBJ_id_pkix 1 3 6 1 5 5 7 */
505, /* OBJ_mime_mhs_headings 1 3 6 1 7 1 1 */
506, /* OBJ_mime_mhs_bodies 1 3 6 1 7 1 2 */
119, /* OBJ_ripemd160WithRSA 1 3 36 3 3 1 2 */
937, /* OBJ_dhSinglePass_stdDH_sha224kdf_scheme 1 3 132 1 11 0 */
938, /* OBJ_dhSinglePass_stdDH_sha256kdf_scheme 1 3 132 1 11 1 */
939, /* OBJ_dhSinglePass_stdDH_sha384kdf_scheme 1 3 132 1 11 2 */
940, /* OBJ_dhSinglePass_stdDH_sha512kdf_scheme 1 3 132 1 11 3 */
942, /* OBJ_dhSinglePass_cofactorDH_sha224kdf_scheme 1 3 132 1 14 0 */
943, /* OBJ_dhSinglePass_cofactorDH_sha256kdf_scheme 1 3 132 1 14 1 */
944, /* OBJ_dhSinglePass_cofactorDH_sha384kdf_scheme 1 3 132 1 14 2 */
945, /* OBJ_dhSinglePass_cofactorDH_sha512kdf_scheme 1 3 132 1 14 3 */
631, /* OBJ_setAttr_GenCryptgrm 2 23 42 3 3 3 1 */
632, /* OBJ_setAttr_T2Enc 2 23 42 3 3 4 1 */
633, /* OBJ_setAttr_T2cleartxt 2 23 42 3 3 4 2 */
634, /* OBJ_setAttr_TokICCsig 2 23 42 3 3 5 1 */
635, /* OBJ_setAttr_SecDevSig 2 23 42 3 3 5 2 */
436, /* OBJ_ucl 0 9 2342 19200300 */
820, /* OBJ_id_Gost28147_89_None_KeyMeshing 1 2 643 2 2 14 0 */
819, /* OBJ_id_Gost28147_89_CryptoPro_KeyMeshing 1 2 643 2 2 14 1 */
845, /* OBJ_id_GostR3410_94_a 1 2 643 2 2 20 1 */
846, /* OBJ_id_GostR3410_94_aBis 1 2 643 2 2 20 2 */
847, /* OBJ_id_GostR3410_94_b 1 2 643 2 2 20 3 */
848, /* OBJ_id_GostR3410_94_bBis 1 2 643 2 2 20 4 */
821, /* OBJ_id_GostR3411_94_TestParamSet 1 2 643 2 2 30 0 */
822, /* OBJ_id_GostR3411_94_CryptoProParamSet 1 2 643 2 2 30 1 */
823, /* OBJ_id_Gost28147_89_TestParamSet 1 2 643 2 2 31 0 */
824, /* OBJ_id_Gost28147_89_CryptoPro_A_ParamSet 1 2 643 2 2 31 1 */
825, /* OBJ_id_Gost28147_89_CryptoPro_B_ParamSet 1 2 643 2 2 31 2 */
826, /* OBJ_id_Gost28147_89_CryptoPro_C_ParamSet 1 2 643 2 2 31 3 */
827, /* OBJ_id_Gost28147_89_CryptoPro_D_ParamSet 1 2 643 2 2 31 4 */
828, /* OBJ_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet 1 2 643 2 2 31 5 */
829, /* OBJ_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet 1 2 643 2 2 31 6 */
830, /* OBJ_id_Gost28147_89_CryptoPro_RIC_1_ParamSet 1 2 643 2 2 31 7 */
831, /* OBJ_id_GostR3410_94_TestParamSet 1 2 643 2 2 32 0 */
832, /* OBJ_id_GostR3410_94_CryptoPro_A_ParamSet 1 2 643 2 2 32 2 */
833, /* OBJ_id_GostR3410_94_CryptoPro_B_ParamSet 1 2 643 2 2 32 3 */
834, /* OBJ_id_GostR3410_94_CryptoPro_C_ParamSet 1 2 643 2 2 32 4 */
835, /* OBJ_id_GostR3410_94_CryptoPro_D_ParamSet 1 2 643 2 2 32 5 */
836, /* OBJ_id_GostR3410_94_CryptoPro_XchA_ParamSet 1 2 643 2 2 33 1 */
837, /* OBJ_id_GostR3410_94_CryptoPro_XchB_ParamSet 1 2 643 2 2 33 2 */
838, /* OBJ_id_GostR3410_94_CryptoPro_XchC_ParamSet 1 2 643 2 2 33 3 */
839, /* OBJ_id_GostR3410_2001_TestParamSet 1 2 643 2 2 35 0 */
840, /* OBJ_id_GostR3410_2001_CryptoPro_A_ParamSet 1 2 643 2 2 35 1 */
841, /* OBJ_id_GostR3410_2001_CryptoPro_B_ParamSet 1 2 643 2 2 35 2 */
842, /* OBJ_id_GostR3410_2001_CryptoPro_C_ParamSet 1 2 643 2 2 35 3 */
843, /* OBJ_id_GostR3410_2001_CryptoPro_XchA_ParamSet 1 2 643 2 2 36 0 */
844, /* OBJ_id_GostR3410_2001_CryptoPro_XchB_ParamSet 1 2 643 2 2 36 1 */
978, /* OBJ_id_tc26_sign 1 2 643 7 1 1 1 */
981, /* OBJ_id_tc26_digest 1 2 643 7 1 1 2 */
984, /* OBJ_id_tc26_signwithdigest 1 2 643 7 1 1 3 */
987, /* OBJ_id_tc26_mac 1 2 643 7 1 1 4 */
990, /* OBJ_id_tc26_cipher 1 2 643 7 1 1 5 */
991, /* OBJ_id_tc26_agreement 1 2 643 7 1 1 6 */
1179, /* OBJ_id_tc26_wrap 1 2 643 7 1 1 7 */
995, /* OBJ_id_tc26_sign_constants 1 2 643 7 1 2 1 */
1000, /* OBJ_id_tc26_digest_constants 1 2 643 7 1 2 2 */
1001, /* OBJ_id_tc26_cipher_constants 1 2 643 7 1 2 5 */
1151, /* OBJ_ua_pki 1 2 804 2 1 1 1 */
2, /* OBJ_pkcs 1 2 840 113549 1 */
431, /* OBJ_hold_instruction_none 1 2 840 10040 2 1 */
432, /* OBJ_hold_instruction_call_issuer 1 2 840 10040 2 2 */
433, /* OBJ_hold_instruction_reject 1 2 840 10040 2 3 */
116, /* OBJ_dsa 1 2 840 10040 4 1 */
113, /* OBJ_dsaWithSHA1 1 2 840 10040 4 3 */
406, /* OBJ_X9_62_prime_field 1 2 840 10045 1 1 */
407, /* OBJ_X9_62_characteristic_two_field 1 2 840 10045 1 2 */
408, /* OBJ_X9_62_id_ecPublicKey 1 2 840 10045 2 1 */
416, /* OBJ_ecdsa_with_SHA1 1 2 840 10045 4 1 */
791, /* OBJ_ecdsa_with_Recommended 1 2 840 10045 4 2 */
792, /* OBJ_ecdsa_with_Specified 1 2 840 10045 4 3 */
920, /* OBJ_dhpublicnumber 1 2 840 10046 2 1 */
1032, /* OBJ_pkInitClientAuth 1 3 6 1 5 2 3 4 */
1033, /* OBJ_pkInitKDC 1 3 6 1 5 2 3 5 */
258, /* OBJ_id_pkix_mod 1 3 6 1 5 5 7 0 */
175, /* OBJ_id_pe 1 3 6 1 5 5 7 1 */
259, /* OBJ_id_qt 1 3 6 1 5 5 7 2 */
128, /* OBJ_id_kp 1 3 6 1 5 5 7 3 */
260, /* OBJ_id_it 1 3 6 1 5 5 7 4 */
261, /* OBJ_id_pkip 1 3 6 1 5 5 7 5 */
262, /* OBJ_id_alg 1 3 6 1 5 5 7 6 */
263, /* OBJ_id_cmc 1 3 6 1 5 5 7 7 */
264, /* OBJ_id_on 1 3 6 1 5 5 7 8 */
265, /* OBJ_id_pda 1 3 6 1 5 5 7 9 */
266, /* OBJ_id_aca 1 3 6 1 5 5 7 10 */
267, /* OBJ_id_qcs 1 3 6 1 5 5 7 11 */
268, /* OBJ_id_cct 1 3 6 1 5 5 7 12 */
662, /* OBJ_id_ppl 1 3 6 1 5 5 7 21 */
176, /* OBJ_id_ad 1 3 6 1 5 5 7 48 */
507, /* OBJ_id_hex_partial_message 1 3 6 1 7 1 1 1 */
508, /* OBJ_id_hex_multipart_message 1 3 6 1 7 1 1 2 */
57, /* OBJ_netscape 2 16 840 1 113730 */
754, /* OBJ_camellia_128_ecb 0 3 4401 5 3 1 9 1 */
766, /* OBJ_camellia_128_ofb128 0 3 4401 5 3 1 9 3 */
757, /* OBJ_camellia_128_cfb128 0 3 4401 5 3 1 9 4 */
961, /* OBJ_camellia_128_gcm 0 3 4401 5 3 1 9 6 */
962, /* OBJ_camellia_128_ccm 0 3 4401 5 3 1 9 7 */
963, /* OBJ_camellia_128_ctr 0 3 4401 5 3 1 9 9 */
964, /* OBJ_camellia_128_cmac 0 3 4401 5 3 1 9 10 */
755, /* OBJ_camellia_192_ecb 0 3 4401 5 3 1 9 21 */
767, /* OBJ_camellia_192_ofb128 0 3 4401 5 3 1 9 23 */
758, /* OBJ_camellia_192_cfb128 0 3 4401 5 3 1 9 24 */
965, /* OBJ_camellia_192_gcm 0 3 4401 5 3 1 9 26 */
966, /* OBJ_camellia_192_ccm 0 3 4401 5 3 1 9 27 */
967, /* OBJ_camellia_192_ctr 0 3 4401 5 3 1 9 29 */
968, /* OBJ_camellia_192_cmac 0 3 4401 5 3 1 9 30 */
756, /* OBJ_camellia_256_ecb 0 3 4401 5 3 1 9 41 */
768, /* OBJ_camellia_256_ofb128 0 3 4401 5 3 1 9 43 */
759, /* OBJ_camellia_256_cfb128 0 3 4401 5 3 1 9 44 */
969, /* OBJ_camellia_256_gcm 0 3 4401 5 3 1 9 46 */
970, /* OBJ_camellia_256_ccm 0 3 4401 5 3 1 9 47 */
971, /* OBJ_camellia_256_ctr 0 3 4401 5 3 1 9 49 */
972, /* OBJ_camellia_256_cmac 0 3 4401 5 3 1 9 50 */
437, /* OBJ_pilot 0 9 2342 19200300 100 */
1133, /* OBJ_sm4_ecb 1 2 156 10197 1 104 1 */
1134, /* OBJ_sm4_cbc 1 2 156 10197 1 104 2 */
1135, /* OBJ_sm4_ofb128 1 2 156 10197 1 104 3 */
1137, /* OBJ_sm4_cfb128 1 2 156 10197 1 104 4 */
1136, /* OBJ_sm4_cfb1 1 2 156 10197 1 104 5 */
1138, /* OBJ_sm4_cfb8 1 2 156 10197 1 104 6 */
1139, /* OBJ_sm4_ctr 1 2 156 10197 1 104 7 */
1172, /* OBJ_sm2 1 2 156 10197 1 301 */
1143, /* OBJ_sm3 1 2 156 10197 1 401 */
1144, /* OBJ_sm3WithRSAEncryption 1 2 156 10197 1 504 */
776, /* OBJ_seed_ecb 1 2 410 200004 1 3 */
777, /* OBJ_seed_cbc 1 2 410 200004 1 4 */
779, /* OBJ_seed_cfb128 1 2 410 200004 1 5 */
778, /* OBJ_seed_ofb128 1 2 410 200004 1 6 */
852, /* OBJ_id_GostR3411_94_with_GostR3410_94_cc 1 2 643 2 9 1 3 3 */
853, /* OBJ_id_GostR3411_94_with_GostR3410_2001_cc 1 2 643 2 9 1 3 4 */
850, /* OBJ_id_GostR3410_94_cc 1 2 643 2 9 1 5 3 */
851, /* OBJ_id_GostR3410_2001_cc 1 2 643 2 9 1 5 4 */
849, /* OBJ_id_Gost28147_89_cc 1 2 643 2 9 1 6 1 */
854, /* OBJ_id_GostR3410_2001_ParamSet_cc 1 2 643 2 9 1 8 1 */
1004, /* OBJ_INN 1 2 643 3 131 1 1 */
979, /* OBJ_id_GostR3410_2012_256 1 2 643 7 1 1 1 1 */
980, /* OBJ_id_GostR3410_2012_512 1 2 643 7 1 1 1 2 */
982, /* OBJ_id_GostR3411_2012_256 1 2 643 7 1 1 2 2 */
983, /* OBJ_id_GostR3411_2012_512 1 2 643 7 1 1 2 3 */
985, /* OBJ_id_tc26_signwithdigest_gost3410_2012_256 1 2 643 7 1 1 3 2 */
986, /* OBJ_id_tc26_signwithdigest_gost3410_2012_512 1 2 643 7 1 1 3 3 */
988, /* OBJ_id_tc26_hmac_gost_3411_2012_256 1 2 643 7 1 1 4 1 */
989, /* OBJ_id_tc26_hmac_gost_3411_2012_512 1 2 643 7 1 1 4 2 */
1173, /* OBJ_id_tc26_cipher_gostr3412_2015_magma 1 2 643 7 1 1 5 1 */
1176, /* OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik 1 2 643 7 1 1 5 2 */
992, /* OBJ_id_tc26_agreement_gost_3410_2012_256 1 2 643 7 1 1 6 1 */
993, /* OBJ_id_tc26_agreement_gost_3410_2012_512 1 2 643 7 1 1 6 2 */
1180, /* OBJ_id_tc26_wrap_gostr3412_2015_magma 1 2 643 7 1 1 7 1 */
1182, /* OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik 1 2 643 7 1 1 7 2 */
1147, /* OBJ_id_tc26_gost_3410_2012_256_constants 1 2 643 7 1 2 1 1 */
996, /* OBJ_id_tc26_gost_3410_2012_512_constants 1 2 643 7 1 2 1 2 */
1002, /* OBJ_id_tc26_gost_28147_constants 1 2 643 7 1 2 5 1 */
186, /* OBJ_pkcs1 1 2 840 113549 1 1 */
27, /* OBJ_pkcs3 1 2 840 113549 1 3 */
187, /* OBJ_pkcs5 1 2 840 113549 1 5 */
20, /* OBJ_pkcs7 1 2 840 113549 1 7 */
47, /* OBJ_pkcs9 1 2 840 113549 1 9 */
3, /* OBJ_md2 1 2 840 113549 2 2 */
257, /* OBJ_md4 1 2 840 113549 2 4 */
4, /* OBJ_md5 1 2 840 113549 2 5 */
797, /* OBJ_hmacWithMD5 1 2 840 113549 2 6 */
163, /* OBJ_hmacWithSHA1 1 2 840 113549 2 7 */
798, /* OBJ_hmacWithSHA224 1 2 840 113549 2 8 */
799, /* OBJ_hmacWithSHA256 1 2 840 113549 2 9 */
800, /* OBJ_hmacWithSHA384 1 2 840 113549 2 10 */
801, /* OBJ_hmacWithSHA512 1 2 840 113549 2 11 */
1193, /* OBJ_hmacWithSHA512_224 1 2 840 113549 2 12 */
1194, /* OBJ_hmacWithSHA512_256 1 2 840 113549 2 13 */
37, /* OBJ_rc2_cbc 1 2 840 113549 3 2 */
5, /* OBJ_rc4 1 2 840 113549 3 4 */
44, /* OBJ_des_ede3_cbc 1 2 840 113549 3 7 */
120, /* OBJ_rc5_cbc 1 2 840 113549 3 8 */
643, /* OBJ_des_cdmf 1 2 840 113549 3 10 */
680, /* OBJ_X9_62_id_characteristic_two_basis 1 2 840 10045 1 2 3 */
684, /* OBJ_X9_62_c2pnb163v1 1 2 840 10045 3 0 1 */
685, /* OBJ_X9_62_c2pnb163v2 1 2 840 10045 3 0 2 */
686, /* OBJ_X9_62_c2pnb163v3 1 2 840 10045 3 0 3 */
687, /* OBJ_X9_62_c2pnb176v1 1 2 840 10045 3 0 4 */
688, /* OBJ_X9_62_c2tnb191v1 1 2 840 10045 3 0 5 */
689, /* OBJ_X9_62_c2tnb191v2 1 2 840 10045 3 0 6 */
690, /* OBJ_X9_62_c2tnb191v3 1 2 840 10045 3 0 7 */
691, /* OBJ_X9_62_c2onb191v4 1 2 840 10045 3 0 8 */
692, /* OBJ_X9_62_c2onb191v5 1 2 840 10045 3 0 9 */
693, /* OBJ_X9_62_c2pnb208w1 1 2 840 10045 3 0 10 */
694, /* OBJ_X9_62_c2tnb239v1 1 2 840 10045 3 0 11 */
695, /* OBJ_X9_62_c2tnb239v2 1 2 840 10045 3 0 12 */
696, /* OBJ_X9_62_c2tnb239v3 1 2 840 10045 3 0 13 */
697, /* OBJ_X9_62_c2onb239v4 1 2 840 10045 3 0 14 */
698, /* OBJ_X9_62_c2onb239v5 1 2 840 10045 3 0 15 */
699, /* OBJ_X9_62_c2pnb272w1 1 2 840 10045 3 0 16 */
700, /* OBJ_X9_62_c2pnb304w1 1 2 840 10045 3 0 17 */
701, /* OBJ_X9_62_c2tnb359v1 1 2 840 10045 3 0 18 */
702, /* OBJ_X9_62_c2pnb368w1 1 2 840 10045 3 0 19 */
703, /* OBJ_X9_62_c2tnb431r1 1 2 840 10045 3 0 20 */
409, /* OBJ_X9_62_prime192v1 1 2 840 10045 3 1 1 */
410, /* OBJ_X9_62_prime192v2 1 2 840 10045 3 1 2 */
411, /* OBJ_X9_62_prime192v3 1 2 840 10045 3 1 3 */
412, /* OBJ_X9_62_prime239v1 1 2 840 10045 3 1 4 */
413, /* OBJ_X9_62_prime239v2 1 2 840 10045 3 1 5 */
414, /* OBJ_X9_62_prime239v3 1 2 840 10045 3 1 6 */
415, /* OBJ_X9_62_prime256v1 1 2 840 10045 3 1 7 */
793, /* OBJ_ecdsa_with_SHA224 1 2 840 10045 4 3 1 */
794, /* OBJ_ecdsa_with_SHA256 1 2 840 10045 4 3 2 */
795, /* OBJ_ecdsa_with_SHA384 1 2 840 10045 4 3 3 */
796, /* OBJ_ecdsa_with_SHA512 1 2 840 10045 4 3 4 */
269, /* OBJ_id_pkix1_explicit_88 1 3 6 1 5 5 7 0 1 */
270, /* OBJ_id_pkix1_implicit_88 1 3 6 1 5 5 7 0 2 */
271, /* OBJ_id_pkix1_explicit_93 1 3 6 1 5 5 7 0 3 */
272, /* OBJ_id_pkix1_implicit_93 1 3 6 1 5 5 7 0 4 */
273, /* OBJ_id_mod_crmf 1 3 6 1 5 5 7 0 5 */
274, /* OBJ_id_mod_cmc 1 3 6 1 5 5 7 0 6 */
275, /* OBJ_id_mod_kea_profile_88 1 3 6 1 5 5 7 0 7 */
276, /* OBJ_id_mod_kea_profile_93 1 3 6 1 5 5 7 0 8 */
277, /* OBJ_id_mod_cmp 1 3 6 1 5 5 7 0 9 */
278, /* OBJ_id_mod_qualified_cert_88 1 3 6 1 5 5 7 0 10 */
279, /* OBJ_id_mod_qualified_cert_93 1 3 6 1 5 5 7 0 11 */
280, /* OBJ_id_mod_attribute_cert 1 3 6 1 5 5 7 0 12 */
281, /* OBJ_id_mod_timestamp_protocol 1 3 6 1 5 5 7 0 13 */
282, /* OBJ_id_mod_ocsp 1 3 6 1 5 5 7 0 14 */
283, /* OBJ_id_mod_dvcs 1 3 6 1 5 5 7 0 15 */
284, /* OBJ_id_mod_cmp2000 1 3 6 1 5 5 7 0 16 */
177, /* OBJ_info_access 1 3 6 1 5 5 7 1 1 */
285, /* OBJ_biometricInfo 1 3 6 1 5 5 7 1 2 */
286, /* OBJ_qcStatements 1 3 6 1 5 5 7 1 3 */
287, /* OBJ_ac_auditEntity 1 3 6 1 5 5 7 1 4 */
288, /* OBJ_ac_targeting 1 3 6 1 5 5 7 1 5 */
289, /* OBJ_aaControls 1 3 6 1 5 5 7 1 6 */
290, /* OBJ_sbgp_ipAddrBlock 1 3 6 1 5 5 7 1 7 */
291, /* OBJ_sbgp_autonomousSysNum 1 3 6 1 5 5 7 1 8 */
292, /* OBJ_sbgp_routerIdentifier 1 3 6 1 5 5 7 1 9 */
397, /* OBJ_ac_proxying 1 3 6 1 5 5 7 1 10 */
398, /* OBJ_sinfo_access 1 3 6 1 5 5 7 1 11 */
663, /* OBJ_proxyCertInfo 1 3 6 1 5 5 7 1 14 */
1020, /* OBJ_tlsfeature 1 3 6 1 5 5 7 1 24 */
164, /* OBJ_id_qt_cps 1 3 6 1 5 5 7 2 1 */
165, /* OBJ_id_qt_unotice 1 3 6 1 5 5 7 2 2 */
293, /* OBJ_textNotice 1 3 6 1 5 5 7 2 3 */
129, /* OBJ_server_auth 1 3 6 1 5 5 7 3 1 */
130, /* OBJ_client_auth 1 3 6 1 5 5 7 3 2 */
131, /* OBJ_code_sign 1 3 6 1 5 5 7 3 3 */
132, /* OBJ_email_protect 1 3 6 1 5 5 7 3 4 */
294, /* OBJ_ipsecEndSystem 1 3 6 1 5 5 7 3 5 */
295, /* OBJ_ipsecTunnel 1 3 6 1 5 5 7 3 6 */
296, /* OBJ_ipsecUser 1 3 6 1 5 5 7 3 7 */
133, /* OBJ_time_stamp 1 3 6 1 5 5 7 3 8 */
180, /* OBJ_OCSP_sign 1 3 6 1 5 5 7 3 9 */
297, /* OBJ_dvcs 1 3 6 1 5 5 7 3 10 */
1022, /* OBJ_ipsec_IKE 1 3 6 1 5 5 7 3 17 */
1023, /* OBJ_capwapAC 1 3 6 1 5 5 7 3 18 */
1024, /* OBJ_capwapWTP 1 3 6 1 5 5 7 3 19 */
1025, /* OBJ_sshClient 1 3 6 1 5 5 7 3 21 */
1026, /* OBJ_sshServer 1 3 6 1 5 5 7 3 22 */
1027, /* OBJ_sendRouter 1 3 6 1 5 5 7 3 23 */
1028, /* OBJ_sendProxiedRouter 1 3 6 1 5 5 7 3 24 */
1029, /* OBJ_sendOwner 1 3 6 1 5 5 7 3 25 */
1030, /* OBJ_sendProxiedOwner 1 3 6 1 5 5 7 3 26 */
1131, /* OBJ_cmcCA 1 3 6 1 5 5 7 3 27 */
1132, /* OBJ_cmcRA 1 3 6 1 5 5 7 3 28 */
298, /* OBJ_id_it_caProtEncCert 1 3 6 1 5 5 7 4 1 */
299, /* OBJ_id_it_signKeyPairTypes 1 3 6 1 5 5 7 4 2 */
300, /* OBJ_id_it_encKeyPairTypes 1 3 6 1 5 5 7 4 3 */
301, /* OBJ_id_it_preferredSymmAlg 1 3 6 1 5 5 7 4 4 */
302, /* OBJ_id_it_caKeyUpdateInfo 1 3 6 1 5 5 7 4 5 */
303, /* OBJ_id_it_currentCRL 1 3 6 1 5 5 7 4 6 */
304, /* OBJ_id_it_unsupportedOIDs 1 3 6 1 5 5 7 4 7 */
305, /* OBJ_id_it_subscriptionRequest 1 3 6 1 5 5 7 4 8 */
306, /* OBJ_id_it_subscriptionResponse 1 3 6 1 5 5 7 4 9 */
307, /* OBJ_id_it_keyPairParamReq 1 3 6 1 5 5 7 4 10 */
308, /* OBJ_id_it_keyPairParamRep 1 3 6 1 5 5 7 4 11 */
309, /* OBJ_id_it_revPassphrase 1 3 6 1 5 5 7 4 12 */
310, /* OBJ_id_it_implicitConfirm 1 3 6 1 5 5 7 4 13 */
311, /* OBJ_id_it_confirmWaitTime 1 3 6 1 5 5 7 4 14 */
312, /* OBJ_id_it_origPKIMessage 1 3 6 1 5 5 7 4 15 */
784, /* OBJ_id_it_suppLangTags 1 3 6 1 5 5 7 4 16 */
313, /* OBJ_id_regCtrl 1 3 6 1 5 5 7 5 1 */
314, /* OBJ_id_regInfo 1 3 6 1 5 5 7 5 2 */
323, /* OBJ_id_alg_des40 1 3 6 1 5 5 7 6 1 */
324, /* OBJ_id_alg_noSignature 1 3 6 1 5 5 7 6 2 */
325, /* OBJ_id_alg_dh_sig_hmac_sha1 1 3 6 1 5 5 7 6 3 */
326, /* OBJ_id_alg_dh_pop 1 3 6 1 5 5 7 6 4 */
327, /* OBJ_id_cmc_statusInfo 1 3 6 1 5 5 7 7 1 */
328, /* OBJ_id_cmc_identification 1 3 6 1 5 5 7 7 2 */
329, /* OBJ_id_cmc_identityProof 1 3 6 1 5 5 7 7 3 */
330, /* OBJ_id_cmc_dataReturn 1 3 6 1 5 5 7 7 4 */
331, /* OBJ_id_cmc_transactionId 1 3 6 1 5 5 7 7 5 */
332, /* OBJ_id_cmc_senderNonce 1 3 6 1 5 5 7 7 6 */
333, /* OBJ_id_cmc_recipientNonce 1 3 6 1 5 5 7 7 7 */
334, /* OBJ_id_cmc_addExtensions 1 3 6 1 5 5 7 7 8 */
335, /* OBJ_id_cmc_encryptedPOP 1 3 6 1 5 5 7 7 9 */
336, /* OBJ_id_cmc_decryptedPOP 1 3 6 1 5 5 7 7 10 */
337, /* OBJ_id_cmc_lraPOPWitness 1 3 6 1 5 5 7 7 11 */
338, /* OBJ_id_cmc_getCert 1 3 6 1 5 5 7 7 15 */
339, /* OBJ_id_cmc_getCRL 1 3 6 1 5 5 7 7 16 */
340, /* OBJ_id_cmc_revokeRequest 1 3 6 1 5 5 7 7 17 */
341, /* OBJ_id_cmc_regInfo 1 3 6 1 5 5 7 7 18 */
342, /* OBJ_id_cmc_responseInfo 1 3 6 1 5 5 7 7 19 */
343, /* OBJ_id_cmc_queryPending 1 3 6 1 5 5 7 7 21 */
344, /* OBJ_id_cmc_popLinkRandom 1 3 6 1 5 5 7 7 22 */
345, /* OBJ_id_cmc_popLinkWitness 1 3 6 1 5 5 7 7 23 */
346, /* OBJ_id_cmc_confirmCertAcceptance 1 3 6 1 5 5 7 7 24 */
347, /* OBJ_id_on_personalData 1 3 6 1 5 5 7 8 1 */
858, /* OBJ_id_on_permanentIdentifier 1 3 6 1 5 5 7 8 3 */
348, /* OBJ_id_pda_dateOfBirth 1 3 6 1 5 5 7 9 1 */
349, /* OBJ_id_pda_placeOfBirth 1 3 6 1 5 5 7 9 2 */
351, /* OBJ_id_pda_gender 1 3 6 1 5 5 7 9 3 */
352, /* OBJ_id_pda_countryOfCitizenship 1 3 6 1 5 5 7 9 4 */
353, /* OBJ_id_pda_countryOfResidence 1 3 6 1 5 5 7 9 5 */
354, /* OBJ_id_aca_authenticationInfo 1 3 6 1 5 5 7 10 1 */
355, /* OBJ_id_aca_accessIdentity 1 3 6 1 5 5 7 10 2 */
356, /* OBJ_id_aca_chargingIdentity 1 3 6 1 5 5 7 10 3 */
357, /* OBJ_id_aca_group 1 3 6 1 5 5 7 10 4 */
358, /* OBJ_id_aca_role 1 3 6 1 5 5 7 10 5 */
399, /* OBJ_id_aca_encAttrs 1 3 6 1 5 5 7 10 6 */
359, /* OBJ_id_qcs_pkixQCSyntax_v1 1 3 6 1 5 5 7 11 1 */
360, /* OBJ_id_cct_crs 1 3 6 1 5 5 7 12 1 */
361, /* OBJ_id_cct_PKIData 1 3 6 1 5 5 7 12 2 */
362, /* OBJ_id_cct_PKIResponse 1 3 6 1 5 5 7 12 3 */
664, /* OBJ_id_ppl_anyLanguage 1 3 6 1 5 5 7 21 0 */
665, /* OBJ_id_ppl_inheritAll 1 3 6 1 5 5 7 21 1 */
667, /* OBJ_Independent 1 3 6 1 5 5 7 21 2 */
178, /* OBJ_ad_OCSP 1 3 6 1 5 5 7 48 1 */
179, /* OBJ_ad_ca_issuers 1 3 6 1 5 5 7 48 2 */
363, /* OBJ_ad_timeStamping 1 3 6 1 5 5 7 48 3 */
364, /* OBJ_ad_dvcs 1 3 6 1 5 5 7 48 4 */
785, /* OBJ_caRepository 1 3 6 1 5 5 7 48 5 */
780, /* OBJ_hmac_md5 1 3 6 1 5 5 8 1 1 */
781, /* OBJ_hmac_sha1 1 3 6 1 5 5 8 1 2 */
913, /* OBJ_aes_128_xts 1 3 111 2 1619 0 1 1 */
914, /* OBJ_aes_256_xts 1 3 111 2 1619 0 1 2 */
58, /* OBJ_netscape_cert_extension 2 16 840 1 113730 1 */
59, /* OBJ_netscape_data_type 2 16 840 1 113730 2 */
438, /* OBJ_pilotAttributeType 0 9 2342 19200300 100 1 */
439, /* OBJ_pilotAttributeSyntax 0 9 2342 19200300 100 3 */
440, /* OBJ_pilotObjectClass 0 9 2342 19200300 100 4 */
441, /* OBJ_pilotGroups 0 9 2342 19200300 100 10 */
1065, /* OBJ_aria_128_ecb 1 2 410 200046 1 1 1 */
1066, /* OBJ_aria_128_cbc 1 2 410 200046 1 1 2 */
1067, /* OBJ_aria_128_cfb128 1 2 410 200046 1 1 3 */
1068, /* OBJ_aria_128_ofb128 1 2 410 200046 1 1 4 */
1069, /* OBJ_aria_128_ctr 1 2 410 200046 1 1 5 */
1070, /* OBJ_aria_192_ecb 1 2 410 200046 1 1 6 */
1071, /* OBJ_aria_192_cbc 1 2 410 200046 1 1 7 */
1072, /* OBJ_aria_192_cfb128 1 2 410 200046 1 1 8 */
1073, /* OBJ_aria_192_ofb128 1 2 410 200046 1 1 9 */
1074, /* OBJ_aria_192_ctr 1 2 410 200046 1 1 10 */
1075, /* OBJ_aria_256_ecb 1 2 410 200046 1 1 11 */
1076, /* OBJ_aria_256_cbc 1 2 410 200046 1 1 12 */
1077, /* OBJ_aria_256_cfb128 1 2 410 200046 1 1 13 */
1078, /* OBJ_aria_256_ofb128 1 2 410 200046 1 1 14 */
1079, /* OBJ_aria_256_ctr 1 2 410 200046 1 1 15 */
1123, /* OBJ_aria_128_gcm 1 2 410 200046 1 1 34 */
1124, /* OBJ_aria_192_gcm 1 2 410 200046 1 1 35 */
1125, /* OBJ_aria_256_gcm 1 2 410 200046 1 1 36 */
1120, /* OBJ_aria_128_ccm 1 2 410 200046 1 1 37 */
1121, /* OBJ_aria_192_ccm 1 2 410 200046 1 1 38 */
1122, /* OBJ_aria_256_ccm 1 2 410 200046 1 1 39 */
1174, /* OBJ_id_tc26_cipher_gostr3412_2015_magma_ctracpkm 1 2 643 7 1 1 5 1 1 */
1175, /* OBJ_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac 1 2 643 7 1 1 5 1 2 */
1177, /* OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm 1 2 643 7 1 1 5 2 1 */
1178, /* OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac 1 2 643 7 1 1 5 2 2 */
1181, /* OBJ_id_tc26_wrap_gostr3412_2015_magma_kexp15 1 2 643 7 1 1 7 1 1 */
1183, /* OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15 1 2 643 7 1 1 7 2 1 */
1148, /* OBJ_id_tc26_gost_3410_2012_256_paramSetA 1 2 643 7 1 2 1 1 1 */
1184, /* OBJ_id_tc26_gost_3410_2012_256_paramSetB 1 2 643 7 1 2 1 1 2 */
1185, /* OBJ_id_tc26_gost_3410_2012_256_paramSetC 1 2 643 7 1 2 1 1 3 */
1186, /* OBJ_id_tc26_gost_3410_2012_256_paramSetD 1 2 643 7 1 2 1 1 4 */
997, /* OBJ_id_tc26_gost_3410_2012_512_paramSetTest 1 2 643 7 1 2 1 2 0 */
998, /* OBJ_id_tc26_gost_3410_2012_512_paramSetA 1 2 643 7 1 2 1 2 1 */
999, /* OBJ_id_tc26_gost_3410_2012_512_paramSetB 1 2 643 7 1 2 1 2 2 */
1149, /* OBJ_id_tc26_gost_3410_2012_512_paramSetC 1 2 643 7 1 2 1 2 3 */
1003, /* OBJ_id_tc26_gost_28147_param_Z 1 2 643 7 1 2 5 1 1 */
108, /* OBJ_cast5_cbc 1 2 840 113533 7 66 10 */
112, /* OBJ_pbeWithMD5AndCast5_CBC 1 2 840 113533 7 66 12 */
782, /* OBJ_id_PasswordBasedMAC 1 2 840 113533 7 66 13 */
783, /* OBJ_id_DHBasedMac 1 2 840 113533 7 66 30 */
6, /* OBJ_rsaEncryption 1 2 840 113549 1 1 1 */
7, /* OBJ_md2WithRSAEncryption 1 2 840 113549 1 1 2 */
396, /* OBJ_md4WithRSAEncryption 1 2 840 113549 1 1 3 */
8, /* OBJ_md5WithRSAEncryption 1 2 840 113549 1 1 4 */
65, /* OBJ_sha1WithRSAEncryption 1 2 840 113549 1 1 5 */
644, /* OBJ_rsaOAEPEncryptionSET 1 2 840 113549 1 1 6 */
919, /* OBJ_rsaesOaep 1 2 840 113549 1 1 7 */
911, /* OBJ_mgf1 1 2 840 113549 1 1 8 */
935, /* OBJ_pSpecified 1 2 840 113549 1 1 9 */
912, /* OBJ_rsassaPss 1 2 840 113549 1 1 10 */
668, /* OBJ_sha256WithRSAEncryption 1 2 840 113549 1 1 11 */
669, /* OBJ_sha384WithRSAEncryption 1 2 840 113549 1 1 12 */
670, /* OBJ_sha512WithRSAEncryption 1 2 840 113549 1 1 13 */
671, /* OBJ_sha224WithRSAEncryption 1 2 840 113549 1 1 14 */
1145, /* OBJ_sha512_224WithRSAEncryption 1 2 840 113549 1 1 15 */
1146, /* OBJ_sha512_256WithRSAEncryption 1 2 840 113549 1 1 16 */
28, /* OBJ_dhKeyAgreement 1 2 840 113549 1 3 1 */
9, /* OBJ_pbeWithMD2AndDES_CBC 1 2 840 113549 1 5 1 */
10, /* OBJ_pbeWithMD5AndDES_CBC 1 2 840 113549 1 5 3 */
168, /* OBJ_pbeWithMD2AndRC2_CBC 1 2 840 113549 1 5 4 */
169, /* OBJ_pbeWithMD5AndRC2_CBC 1 2 840 113549 1 5 6 */
170, /* OBJ_pbeWithSHA1AndDES_CBC 1 2 840 113549 1 5 10 */
68, /* OBJ_pbeWithSHA1AndRC2_CBC 1 2 840 113549 1 5 11 */
69, /* OBJ_id_pbkdf2 1 2 840 113549 1 5 12 */
161, /* OBJ_pbes2 1 2 840 113549 1 5 13 */
162, /* OBJ_pbmac1 1 2 840 113549 1 5 14 */
21, /* OBJ_pkcs7_data 1 2 840 113549 1 7 1 */
22, /* OBJ_pkcs7_signed 1 2 840 113549 1 7 2 */
23, /* OBJ_pkcs7_enveloped 1 2 840 113549 1 7 3 */
24, /* OBJ_pkcs7_signedAndEnveloped 1 2 840 113549 1 7 4 */
25, /* OBJ_pkcs7_digest 1 2 840 113549 1 7 5 */
26, /* OBJ_pkcs7_encrypted 1 2 840 113549 1 7 6 */
48, /* OBJ_pkcs9_emailAddress 1 2 840 113549 1 9 1 */
49, /* OBJ_pkcs9_unstructuredName 1 2 840 113549 1 9 2 */
50, /* OBJ_pkcs9_contentType 1 2 840 113549 1 9 3 */
51, /* OBJ_pkcs9_messageDigest 1 2 840 113549 1 9 4 */
52, /* OBJ_pkcs9_signingTime 1 2 840 113549 1 9 5 */
53, /* OBJ_pkcs9_countersignature 1 2 840 113549 1 9 6 */
54, /* OBJ_pkcs9_challengePassword 1 2 840 113549 1 9 7 */
55, /* OBJ_pkcs9_unstructuredAddress 1 2 840 113549 1 9 8 */
56, /* OBJ_pkcs9_extCertAttributes 1 2 840 113549 1 9 9 */
172, /* OBJ_ext_req 1 2 840 113549 1 9 14 */
167, /* OBJ_SMIMECapabilities 1 2 840 113549 1 9 15 */
188, /* OBJ_SMIME 1 2 840 113549 1 9 16 */
156, /* OBJ_friendlyName 1 2 840 113549 1 9 20 */
157, /* OBJ_localKeyID 1 2 840 113549 1 9 21 */
681, /* OBJ_X9_62_onBasis 1 2 840 10045 1 2 3 1 */
682, /* OBJ_X9_62_tpBasis 1 2 840 10045 1 2 3 2 */
683, /* OBJ_X9_62_ppBasis 1 2 840 10045 1 2 3 3 */
417, /* OBJ_ms_csp_name 1 3 6 1 4 1 311 17 1 */
856, /* OBJ_LocalKeySet 1 3 6 1 4 1 311 17 2 */
390, /* OBJ_dcObject 1 3 6 1 4 1 1466 344 */
91, /* OBJ_bf_cbc 1 3 6 1 4 1 3029 1 2 */
973, /* OBJ_id_scrypt 1 3 6 1 4 1 11591 4 11 */
315, /* OBJ_id_regCtrl_regToken 1 3 6 1 5 5 7 5 1 1 */
316, /* OBJ_id_regCtrl_authenticator 1 3 6 1 5 5 7 5 1 2 */
317, /* OBJ_id_regCtrl_pkiPublicationInfo 1 3 6 1 5 5 7 5 1 3 */
318, /* OBJ_id_regCtrl_pkiArchiveOptions 1 3 6 1 5 5 7 5 1 4 */
319, /* OBJ_id_regCtrl_oldCertID 1 3 6 1 5 5 7 5 1 5 */
320, /* OBJ_id_regCtrl_protocolEncrKey 1 3 6 1 5 5 7 5 1 6 */
321, /* OBJ_id_regInfo_utf8Pairs 1 3 6 1 5 5 7 5 2 1 */
322, /* OBJ_id_regInfo_certReq 1 3 6 1 5 5 7 5 2 2 */
365, /* OBJ_id_pkix_OCSP_basic 1 3 6 1 5 5 7 48 1 1 */
366, /* OBJ_id_pkix_OCSP_Nonce 1 3 6 1 5 5 7 48 1 2 */
367, /* OBJ_id_pkix_OCSP_CrlID 1 3 6 1 5 5 7 48 1 3 */
368, /* OBJ_id_pkix_OCSP_acceptableResponses 1 3 6 1 5 5 7 48 1 4 */
369, /* OBJ_id_pkix_OCSP_noCheck 1 3 6 1 5 5 7 48 1 5 */
370, /* OBJ_id_pkix_OCSP_archiveCutoff 1 3 6 1 5 5 7 48 1 6 */
371, /* OBJ_id_pkix_OCSP_serviceLocator 1 3 6 1 5 5 7 48 1 7 */
372, /* OBJ_id_pkix_OCSP_extendedStatus 1 3 6 1 5 5 7 48 1 8 */
373, /* OBJ_id_pkix_OCSP_valid 1 3 6 1 5 5 7 48 1 9 */
374, /* OBJ_id_pkix_OCSP_path 1 3 6 1 5 5 7 48 1 10 */
375, /* OBJ_id_pkix_OCSP_trustRoot 1 3 6 1 5 5 7 48 1 11 */
921, /* OBJ_brainpoolP160r1 1 3 36 3 3 2 8 1 1 1 */
922, /* OBJ_brainpoolP160t1 1 3 36 3 3 2 8 1 1 2 */
923, /* OBJ_brainpoolP192r1 1 3 36 3 3 2 8 1 1 3 */
924, /* OBJ_brainpoolP192t1 1 3 36 3 3 2 8 1 1 4 */
925, /* OBJ_brainpoolP224r1 1 3 36 3 3 2 8 1 1 5 */
926, /* OBJ_brainpoolP224t1 1 3 36 3 3 2 8 1 1 6 */
927, /* OBJ_brainpoolP256r1 1 3 36 3 3 2 8 1 1 7 */
928, /* OBJ_brainpoolP256t1 1 3 36 3 3 2 8 1 1 8 */
929, /* OBJ_brainpoolP320r1 1 3 36 3 3 2 8 1 1 9 */
930, /* OBJ_brainpoolP320t1 1 3 36 3 3 2 8 1 1 10 */
931, /* OBJ_brainpoolP384r1 1 3 36 3 3 2 8 1 1 11 */
932, /* OBJ_brainpoolP384t1 1 3 36 3 3 2 8 1 1 12 */
933, /* OBJ_brainpoolP512r1 1 3 36 3 3 2 8 1 1 13 */
934, /* OBJ_brainpoolP512t1 1 3 36 3 3 2 8 1 1 14 */
936, /* OBJ_dhSinglePass_stdDH_sha1kdf_scheme 1 3 133 16 840 63 0 2 */
941, /* OBJ_dhSinglePass_cofactorDH_sha1kdf_scheme 1 3 133 16 840 63 0 3 */
418, /* OBJ_aes_128_ecb 2 16 840 1 101 3 4 1 1 */
419, /* OBJ_aes_128_cbc 2 16 840 1 101 3 4 1 2 */
420, /* OBJ_aes_128_ofb128 2 16 840 1 101 3 4 1 3 */
421, /* OBJ_aes_128_cfb128 2 16 840 1 101 3 4 1 4 */
788, /* OBJ_id_aes128_wrap 2 16 840 1 101 3 4 1 5 */
895, /* OBJ_aes_128_gcm 2 16 840 1 101 3 4 1 6 */
896, /* OBJ_aes_128_ccm 2 16 840 1 101 3 4 1 7 */
897, /* OBJ_id_aes128_wrap_pad 2 16 840 1 101 3 4 1 8 */
422, /* OBJ_aes_192_ecb 2 16 840 1 101 3 4 1 21 */
423, /* OBJ_aes_192_cbc 2 16 840 1 101 3 4 1 22 */
424, /* OBJ_aes_192_ofb128 2 16 840 1 101 3 4 1 23 */
425, /* OBJ_aes_192_cfb128 2 16 840 1 101 3 4 1 24 */
789, /* OBJ_id_aes192_wrap 2 16 840 1 101 3 4 1 25 */
898, /* OBJ_aes_192_gcm 2 16 840 1 101 3 4 1 26 */
899, /* OBJ_aes_192_ccm 2 16 840 1 101 3 4 1 27 */
900, /* OBJ_id_aes192_wrap_pad 2 16 840 1 101 3 4 1 28 */
426, /* OBJ_aes_256_ecb 2 16 840 1 101 3 4 1 41 */
427, /* OBJ_aes_256_cbc 2 16 840 1 101 3 4 1 42 */
428, /* OBJ_aes_256_ofb128 2 16 840 1 101 3 4 1 43 */
429, /* OBJ_aes_256_cfb128 2 16 840 1 101 3 4 1 44 */
790, /* OBJ_id_aes256_wrap 2 16 840 1 101 3 4 1 45 */
901, /* OBJ_aes_256_gcm 2 16 840 1 101 3 4 1 46 */
902, /* OBJ_aes_256_ccm 2 16 840 1 101 3 4 1 47 */
903, /* OBJ_id_aes256_wrap_pad 2 16 840 1 101 3 4 1 48 */
672, /* OBJ_sha256 2 16 840 1 101 3 4 2 1 */
673, /* OBJ_sha384 2 16 840 1 101 3 4 2 2 */
674, /* OBJ_sha512 2 16 840 1 101 3 4 2 3 */
675, /* OBJ_sha224 2 16 840 1 101 3 4 2 4 */
1094, /* OBJ_sha512_224 2 16 840 1 101 3 4 2 5 */
1095, /* OBJ_sha512_256 2 16 840 1 101 3 4 2 6 */
1096, /* OBJ_sha3_224 2 16 840 1 101 3 4 2 7 */
1097, /* OBJ_sha3_256 2 16 840 1 101 3 4 2 8 */
1098, /* OBJ_sha3_384 2 16 840 1 101 3 4 2 9 */
1099, /* OBJ_sha3_512 2 16 840 1 101 3 4 2 10 */
1100, /* OBJ_shake128 2 16 840 1 101 3 4 2 11 */
1101, /* OBJ_shake256 2 16 840 1 101 3 4 2 12 */
1102, /* OBJ_hmac_sha3_224 2 16 840 1 101 3 4 2 13 */
1103, /* OBJ_hmac_sha3_256 2 16 840 1 101 3 4 2 14 */
1104, /* OBJ_hmac_sha3_384 2 16 840 1 101 3 4 2 15 */
1105, /* OBJ_hmac_sha3_512 2 16 840 1 101 3 4 2 16 */
802, /* OBJ_dsa_with_SHA224 2 16 840 1 101 3 4 3 1 */
803, /* OBJ_dsa_with_SHA256 2 16 840 1 101 3 4 3 2 */
1106, /* OBJ_dsa_with_SHA384 2 16 840 1 101 3 4 3 3 */
1107, /* OBJ_dsa_with_SHA512 2 16 840 1 101 3 4 3 4 */
1108, /* OBJ_dsa_with_SHA3_224 2 16 840 1 101 3 4 3 5 */
1109, /* OBJ_dsa_with_SHA3_256 2 16 840 1 101 3 4 3 6 */
1110, /* OBJ_dsa_with_SHA3_384 2 16 840 1 101 3 4 3 7 */
1111, /* OBJ_dsa_with_SHA3_512 2 16 840 1 101 3 4 3 8 */
1112, /* OBJ_ecdsa_with_SHA3_224 2 16 840 1 101 3 4 3 9 */
1113, /* OBJ_ecdsa_with_SHA3_256 2 16 840 1 101 3 4 3 10 */
1114, /* OBJ_ecdsa_with_SHA3_384 2 16 840 1 101 3 4 3 11 */
1115, /* OBJ_ecdsa_with_SHA3_512 2 16 840 1 101 3 4 3 12 */
1116, /* OBJ_RSA_SHA3_224 2 16 840 1 101 3 4 3 13 */
1117, /* OBJ_RSA_SHA3_256 2 16 840 1 101 3 4 3 14 */
1118, /* OBJ_RSA_SHA3_384 2 16 840 1 101 3 4 3 15 */
1119, /* OBJ_RSA_SHA3_512 2 16 840 1 101 3 4 3 16 */
71, /* OBJ_netscape_cert_type 2 16 840 1 113730 1 1 */
72, /* OBJ_netscape_base_url 2 16 840 1 113730 1 2 */
73, /* OBJ_netscape_revocation_url 2 16 840 1 113730 1 3 */
74, /* OBJ_netscape_ca_revocation_url 2 16 840 1 113730 1 4 */
75, /* OBJ_netscape_renewal_url 2 16 840 1 113730 1 7 */
76, /* OBJ_netscape_ca_policy_url 2 16 840 1 113730 1 8 */
77, /* OBJ_netscape_ssl_server_name 2 16 840 1 113730 1 12 */
78, /* OBJ_netscape_comment 2 16 840 1 113730 1 13 */
79, /* OBJ_netscape_cert_sequence 2 16 840 1 113730 2 5 */
139, /* OBJ_ns_sgc 2 16 840 1 113730 4 1 */
458, /* OBJ_userId 0 9 2342 19200300 100 1 1 */
459, /* OBJ_textEncodedORAddress 0 9 2342 19200300 100 1 2 */
460, /* OBJ_rfc822Mailbox 0 9 2342 19200300 100 1 3 */
461, /* OBJ_info 0 9 2342 19200300 100 1 4 */
462, /* OBJ_favouriteDrink 0 9 2342 19200300 100 1 5 */
463, /* OBJ_roomNumber 0 9 2342 19200300 100 1 6 */
464, /* OBJ_photo 0 9 2342 19200300 100 1 7 */
465, /* OBJ_userClass 0 9 2342 19200300 100 1 8 */
466, /* OBJ_host 0 9 2342 19200300 100 1 9 */
467, /* OBJ_manager 0 9 2342 19200300 100 1 10 */
468, /* OBJ_documentIdentifier 0 9 2342 19200300 100 1 11 */
469, /* OBJ_documentTitle 0 9 2342 19200300 100 1 12 */
470, /* OBJ_documentVersion 0 9 2342 19200300 100 1 13 */
471, /* OBJ_documentAuthor 0 9 2342 19200300 100 1 14 */
472, /* OBJ_documentLocation 0 9 2342 19200300 100 1 15 */
473, /* OBJ_homeTelephoneNumber 0 9 2342 19200300 100 1 20 */
474, /* OBJ_secretary 0 9 2342 19200300 100 1 21 */
475, /* OBJ_otherMailbox 0 9 2342 19200300 100 1 22 */
476, /* OBJ_lastModifiedTime 0 9 2342 19200300 100 1 23 */
477, /* OBJ_lastModifiedBy 0 9 2342 19200300 100 1 24 */
391, /* OBJ_domainComponent 0 9 2342 19200300 100 1 25 */
478, /* OBJ_aRecord 0 9 2342 19200300 100 1 26 */
479, /* OBJ_pilotAttributeType27 0 9 2342 19200300 100 1 27 */
480, /* OBJ_mXRecord 0 9 2342 19200300 100 1 28 */
481, /* OBJ_nSRecord 0 9 2342 19200300 100 1 29 */
482, /* OBJ_sOARecord 0 9 2342 19200300 100 1 30 */
483, /* OBJ_cNAMERecord 0 9 2342 19200300 100 1 31 */
484, /* OBJ_associatedDomain 0 9 2342 19200300 100 1 37 */
485, /* OBJ_associatedName 0 9 2342 19200300 100 1 38 */
486, /* OBJ_homePostalAddress 0 9 2342 19200300 100 1 39 */
487, /* OBJ_personalTitle 0 9 2342 19200300 100 1 40 */
488, /* OBJ_mobileTelephoneNumber 0 9 2342 19200300 100 1 41 */
489, /* OBJ_pagerTelephoneNumber 0 9 2342 19200300 100 1 42 */
490, /* OBJ_friendlyCountryName 0 9 2342 19200300 100 1 43 */
102, /* OBJ_uniqueIdentifier 0 9 2342 19200300 100 1 44 */
491, /* OBJ_organizationalStatus 0 9 2342 19200300 100 1 45 */
492, /* OBJ_janetMailbox 0 9 2342 19200300 100 1 46 */
493, /* OBJ_mailPreferenceOption 0 9 2342 19200300 100 1 47 */
494, /* OBJ_buildingName 0 9 2342 19200300 100 1 48 */
495, /* OBJ_dSAQuality 0 9 2342 19200300 100 1 49 */
496, /* OBJ_singleLevelQuality 0 9 2342 19200300 100 1 50 */
497, /* OBJ_subtreeMinimumQuality 0 9 2342 19200300 100 1 51 */
498, /* OBJ_subtreeMaximumQuality 0 9 2342 19200300 100 1 52 */
499, /* OBJ_personalSignature 0 9 2342 19200300 100 1 53 */
500, /* OBJ_dITRedirect 0 9 2342 19200300 100 1 54 */
501, /* OBJ_audio 0 9 2342 19200300 100 1 55 */
502, /* OBJ_documentPublisher 0 9 2342 19200300 100 1 56 */
442, /* OBJ_iA5StringSyntax 0 9 2342 19200300 100 3 4 */
443, /* OBJ_caseIgnoreIA5StringSyntax 0 9 2342 19200300 100 3 5 */
444, /* OBJ_pilotObject 0 9 2342 19200300 100 4 3 */
445, /* OBJ_pilotPerson 0 9 2342 19200300 100 4 4 */
446, /* OBJ_account 0 9 2342 19200300 100 4 5 */
447, /* OBJ_document 0 9 2342 19200300 100 4 6 */
448, /* OBJ_room 0 9 2342 19200300 100 4 7 */
449, /* OBJ_documentSeries 0 9 2342 19200300 100 4 9 */
392, /* OBJ_Domain 0 9 2342 19200300 100 4 13 */
450, /* OBJ_rFC822localPart 0 9 2342 19200300 100 4 14 */
451, /* OBJ_dNSDomain 0 9 2342 19200300 100 4 15 */
452, /* OBJ_domainRelatedObject 0 9 2342 19200300 100 4 17 */
453, /* OBJ_friendlyCountry 0 9 2342 19200300 100 4 18 */
454, /* OBJ_simpleSecurityObject 0 9 2342 19200300 100 4 19 */
455, /* OBJ_pilotOrganization 0 9 2342 19200300 100 4 20 */
456, /* OBJ_pilotDSA 0 9 2342 19200300 100 4 21 */
457, /* OBJ_qualityLabelledData 0 9 2342 19200300 100 4 22 */
1152, /* OBJ_dstu28147 1 2 804 2 1 1 1 1 1 1 */
1156, /* OBJ_hmacWithDstu34311 1 2 804 2 1 1 1 1 1 2 */
1157, /* OBJ_dstu34311 1 2 804 2 1 1 1 1 2 1 */
189, /* OBJ_id_smime_mod 1 2 840 113549 1 9 16 0 */
190, /* OBJ_id_smime_ct 1 2 840 113549 1 9 16 1 */
191, /* OBJ_id_smime_aa 1 2 840 113549 1 9 16 2 */
192, /* OBJ_id_smime_alg 1 2 840 113549 1 9 16 3 */
193, /* OBJ_id_smime_cd 1 2 840 113549 1 9 16 4 */
194, /* OBJ_id_smime_spq 1 2 840 113549 1 9 16 5 */
195, /* OBJ_id_smime_cti 1 2 840 113549 1 9 16 6 */
158, /* OBJ_x509Certificate 1 2 840 113549 1 9 22 1 */
159, /* OBJ_sdsiCertificate 1 2 840 113549 1 9 22 2 */
160, /* OBJ_x509Crl 1 2 840 113549 1 9 23 1 */
144, /* OBJ_pbe_WithSHA1And128BitRC4 1 2 840 113549 1 12 1 1 */
145, /* OBJ_pbe_WithSHA1And40BitRC4 1 2 840 113549 1 12 1 2 */
146, /* OBJ_pbe_WithSHA1And3_Key_TripleDES_CBC 1 2 840 113549 1 12 1 3 */
147, /* OBJ_pbe_WithSHA1And2_Key_TripleDES_CBC 1 2 840 113549 1 12 1 4 */
148, /* OBJ_pbe_WithSHA1And128BitRC2_CBC 1 2 840 113549 1 12 1 5 */
149, /* OBJ_pbe_WithSHA1And40BitRC2_CBC 1 2 840 113549 1 12 1 6 */
171, /* OBJ_ms_ext_req 1 3 6 1 4 1 311 2 1 14 */
134, /* OBJ_ms_code_ind 1 3 6 1 4 1 311 2 1 21 */
135, /* OBJ_ms_code_com 1 3 6 1 4 1 311 2 1 22 */
136, /* OBJ_ms_ctl_sign 1 3 6 1 4 1 311 10 3 1 */
137, /* OBJ_ms_sgc 1 3 6 1 4 1 311 10 3 3 */
138, /* OBJ_ms_efs 1 3 6 1 4 1 311 10 3 4 */
648, /* OBJ_ms_smartcard_login 1 3 6 1 4 1 311 20 2 2 */
649, /* OBJ_ms_upn 1 3 6 1 4 1 311 20 2 3 */
951, /* OBJ_ct_precert_scts 1 3 6 1 4 1 11129 2 4 2 */
952, /* OBJ_ct_precert_poison 1 3 6 1 4 1 11129 2 4 3 */
953, /* OBJ_ct_precert_signer 1 3 6 1 4 1 11129 2 4 4 */
954, /* OBJ_ct_cert_scts 1 3 6 1 4 1 11129 2 4 5 */
751, /* OBJ_camellia_128_cbc 1 2 392 200011 61 1 1 1 2 */
752, /* OBJ_camellia_192_cbc 1 2 392 200011 61 1 1 1 3 */
753, /* OBJ_camellia_256_cbc 1 2 392 200011 61 1 1 1 4 */
907, /* OBJ_id_camellia128_wrap 1 2 392 200011 61 1 1 3 2 */
908, /* OBJ_id_camellia192_wrap 1 2 392 200011 61 1 1 3 3 */
909, /* OBJ_id_camellia256_wrap 1 2 392 200011 61 1 1 3 4 */
1153, /* OBJ_dstu28147_ofb 1 2 804 2 1 1 1 1 1 1 2 */
1154, /* OBJ_dstu28147_cfb 1 2 804 2 1 1 1 1 1 1 3 */
1155, /* OBJ_dstu28147_wrap 1 2 804 2 1 1 1 1 1 1 5 */
1158, /* OBJ_dstu4145le 1 2 804 2 1 1 1 1 3 1 1 */
196, /* OBJ_id_smime_mod_cms 1 2 840 113549 1 9 16 0 1 */
197, /* OBJ_id_smime_mod_ess 1 2 840 113549 1 9 16 0 2 */
198, /* OBJ_id_smime_mod_oid 1 2 840 113549 1 9 16 0 3 */
199, /* OBJ_id_smime_mod_msg_v3 1 2 840 113549 1 9 16 0 4 */
200, /* OBJ_id_smime_mod_ets_eSignature_88 1 2 840 113549 1 9 16 0 5 */
201, /* OBJ_id_smime_mod_ets_eSignature_97 1 2 840 113549 1 9 16 0 6 */
202, /* OBJ_id_smime_mod_ets_eSigPolicy_88 1 2 840 113549 1 9 16 0 7 */
203, /* OBJ_id_smime_mod_ets_eSigPolicy_97 1 2 840 113549 1 9 16 0 8 */
204, /* OBJ_id_smime_ct_receipt 1 2 840 113549 1 9 16 1 1 */
205, /* OBJ_id_smime_ct_authData 1 2 840 113549 1 9 16 1 2 */
206, /* OBJ_id_smime_ct_publishCert 1 2 840 113549 1 9 16 1 3 */
207, /* OBJ_id_smime_ct_TSTInfo 1 2 840 113549 1 9 16 1 4 */
208, /* OBJ_id_smime_ct_TDTInfo 1 2 840 113549 1 9 16 1 5 */
209, /* OBJ_id_smime_ct_contentInfo 1 2 840 113549 1 9 16 1 6 */
210, /* OBJ_id_smime_ct_DVCSRequestData 1 2 840 113549 1 9 16 1 7 */
211, /* OBJ_id_smime_ct_DVCSResponseData 1 2 840 113549 1 9 16 1 8 */
786, /* OBJ_id_smime_ct_compressedData 1 2 840 113549 1 9 16 1 9 */
1058, /* OBJ_id_smime_ct_contentCollection 1 2 840 113549 1 9 16 1 19 */
1059, /* OBJ_id_smime_ct_authEnvelopedData 1 2 840 113549 1 9 16 1 23 */
787, /* OBJ_id_ct_asciiTextWithCRLF 1 2 840 113549 1 9 16 1 27 */
1060, /* OBJ_id_ct_xml 1 2 840 113549 1 9 16 1 28 */
212, /* OBJ_id_smime_aa_receiptRequest 1 2 840 113549 1 9 16 2 1 */
213, /* OBJ_id_smime_aa_securityLabel 1 2 840 113549 1 9 16 2 2 */
214, /* OBJ_id_smime_aa_mlExpandHistory 1 2 840 113549 1 9 16 2 3 */
215, /* OBJ_id_smime_aa_contentHint 1 2 840 113549 1 9 16 2 4 */
216, /* OBJ_id_smime_aa_msgSigDigest 1 2 840 113549 1 9 16 2 5 */
217, /* OBJ_id_smime_aa_encapContentType 1 2 840 113549 1 9 16 2 6 */
218, /* OBJ_id_smime_aa_contentIdentifier 1 2 840 113549 1 9 16 2 7 */
219, /* OBJ_id_smime_aa_macValue 1 2 840 113549 1 9 16 2 8 */
220, /* OBJ_id_smime_aa_equivalentLabels 1 2 840 113549 1 9 16 2 9 */
221, /* OBJ_id_smime_aa_contentReference 1 2 840 113549 1 9 16 2 10 */
222, /* OBJ_id_smime_aa_encrypKeyPref 1 2 840 113549 1 9 16 2 11 */
223, /* OBJ_id_smime_aa_signingCertificate 1 2 840 113549 1 9 16 2 12 */
224, /* OBJ_id_smime_aa_smimeEncryptCerts 1 2 840 113549 1 9 16 2 13 */
225, /* OBJ_id_smime_aa_timeStampToken 1 2 840 113549 1 9 16 2 14 */
226, /* OBJ_id_smime_aa_ets_sigPolicyId 1 2 840 113549 1 9 16 2 15 */
227, /* OBJ_id_smime_aa_ets_commitmentType 1 2 840 113549 1 9 16 2 16 */
228, /* OBJ_id_smime_aa_ets_signerLocation 1 2 840 113549 1 9 16 2 17 */
229, /* OBJ_id_smime_aa_ets_signerAttr 1 2 840 113549 1 9 16 2 18 */
230, /* OBJ_id_smime_aa_ets_otherSigCert 1 2 840 113549 1 9 16 2 19 */
231, /* OBJ_id_smime_aa_ets_contentTimestamp 1 2 840 113549 1 9 16 2 20 */
232, /* OBJ_id_smime_aa_ets_CertificateRefs 1 2 840 113549 1 9 16 2 21 */
233, /* OBJ_id_smime_aa_ets_RevocationRefs 1 2 840 113549 1 9 16 2 22 */
234, /* OBJ_id_smime_aa_ets_certValues 1 2 840 113549 1 9 16 2 23 */
235, /* OBJ_id_smime_aa_ets_revocationValues 1 2 840 113549 1 9 16 2 24 */
236, /* OBJ_id_smime_aa_ets_escTimeStamp 1 2 840 113549 1 9 16 2 25 */
237, /* OBJ_id_smime_aa_ets_certCRLTimestamp 1 2 840 113549 1 9 16 2 26 */
238, /* OBJ_id_smime_aa_ets_archiveTimeStamp 1 2 840 113549 1 9 16 2 27 */
239, /* OBJ_id_smime_aa_signatureType 1 2 840 113549 1 9 16 2 28 */
240, /* OBJ_id_smime_aa_dvcs_dvc 1 2 840 113549 1 9 16 2 29 */
1086, /* OBJ_id_smime_aa_signingCertificateV2 1 2 840 113549 1 9 16 2 47 */
241, /* OBJ_id_smime_alg_ESDHwith3DES 1 2 840 113549 1 9 16 3 1 */
242, /* OBJ_id_smime_alg_ESDHwithRC2 1 2 840 113549 1 9 16 3 2 */
243, /* OBJ_id_smime_alg_3DESwrap 1 2 840 113549 1 9 16 3 3 */
244, /* OBJ_id_smime_alg_RC2wrap 1 2 840 113549 1 9 16 3 4 */
245, /* OBJ_id_smime_alg_ESDH 1 2 840 113549 1 9 16 3 5 */
246, /* OBJ_id_smime_alg_CMS3DESwrap 1 2 840 113549 1 9 16 3 6 */
247, /* OBJ_id_smime_alg_CMSRC2wrap 1 2 840 113549 1 9 16 3 7 */
125, /* OBJ_zlib_compression 1 2 840 113549 1 9 16 3 8 */
893, /* OBJ_id_alg_PWRI_KEK 1 2 840 113549 1 9 16 3 9 */
248, /* OBJ_id_smime_cd_ldap 1 2 840 113549 1 9 16 4 1 */
249, /* OBJ_id_smime_spq_ets_sqt_uri 1 2 840 113549 1 9 16 5 1 */
250, /* OBJ_id_smime_spq_ets_sqt_unotice 1 2 840 113549 1 9 16 5 2 */
251, /* OBJ_id_smime_cti_ets_proofOfOrigin 1 2 840 113549 1 9 16 6 1 */
252, /* OBJ_id_smime_cti_ets_proofOfReceipt 1 2 840 113549 1 9 16 6 2 */
253, /* OBJ_id_smime_cti_ets_proofOfDelivery 1 2 840 113549 1 9 16 6 3 */
254, /* OBJ_id_smime_cti_ets_proofOfSender 1 2 840 113549 1 9 16 6 4 */
255, /* OBJ_id_smime_cti_ets_proofOfApproval 1 2 840 113549 1 9 16 6 5 */
256, /* OBJ_id_smime_cti_ets_proofOfCreation 1 2 840 113549 1 9 16 6 6 */
150, /* OBJ_keyBag 1 2 840 113549 1 12 10 1 1 */
151, /* OBJ_pkcs8ShroudedKeyBag 1 2 840 113549 1 12 10 1 2 */
152, /* OBJ_certBag 1 2 840 113549 1 12 10 1 3 */
153, /* OBJ_crlBag 1 2 840 113549 1 12 10 1 4 */
154, /* OBJ_secretBag 1 2 840 113549 1 12 10 1 5 */
155, /* OBJ_safeContentsBag 1 2 840 113549 1 12 10 1 6 */
34, /* OBJ_idea_cbc 1 3 6 1 4 1 188 7 1 1 2 */
955, /* OBJ_jurisdictionLocalityName 1 3 6 1 4 1 311 60 2 1 1 */
956, /* OBJ_jurisdictionStateOrProvinceName 1 3 6 1 4 1 311 60 2 1 2 */
957, /* OBJ_jurisdictionCountryName 1 3 6 1 4 1 311 60 2 1 3 */
1056, /* OBJ_blake2b512 1 3 6 1 4 1 1722 12 2 1 16 */
1057, /* OBJ_blake2s256 1 3 6 1 4 1 1722 12 2 2 8 */
1159, /* OBJ_dstu4145be 1 2 804 2 1 1 1 1 3 1 1 1 1 */
1160, /* OBJ_uacurve0 1 2 804 2 1 1 1 1 3 1 1 2 0 */
1161, /* OBJ_uacurve1 1 2 804 2 1 1 1 1 3 1 1 2 1 */
1162, /* OBJ_uacurve2 1 2 804 2 1 1 1 1 3 1 1 2 2 */
1163, /* OBJ_uacurve3 1 2 804 2 1 1 1 1 3 1 1 2 3 */
1164, /* OBJ_uacurve4 1 2 804 2 1 1 1 1 3 1 1 2 4 */
1165, /* OBJ_uacurve5 1 2 804 2 1 1 1 1 3 1 1 2 5 */
1166, /* OBJ_uacurve6 1 2 804 2 1 1 1 1 3 1 1 2 6 */
1167, /* OBJ_uacurve7 1 2 804 2 1 1 1 1 3 1 1 2 7 */
1168, /* OBJ_uacurve8 1 2 804 2 1 1 1 1 3 1 1 2 8 */
1169, /* OBJ_uacurve9 1 2 804 2 1 1 1 1 3 1 1 2 9 */
};
diff --git a/crypto/openssl/crypto/objects/obj_xref.h b/crypto/openssl/crypto/objects/obj_xref.h
index 5c3561ab7d7e..5ef094bbfd84 100644
--- a/crypto/openssl/crypto/objects/obj_xref.h
+++ b/crypto/openssl/crypto/objects/obj_xref.h
@@ -1,128 +1,128 @@
/*
* WARNING: do not edit!
* Generated by objxref.pl
*
- * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
typedef struct {
int sign_id;
int hash_id;
int pkey_id;
} nid_triple;
DEFINE_STACK_OF(nid_triple)
static const nid_triple sigoid_srt[] = {
{NID_md2WithRSAEncryption, NID_md2, NID_rsaEncryption},
{NID_md5WithRSAEncryption, NID_md5, NID_rsaEncryption},
{NID_shaWithRSAEncryption, NID_sha, NID_rsaEncryption},
{NID_sha1WithRSAEncryption, NID_sha1, NID_rsaEncryption},
{NID_dsaWithSHA, NID_sha, NID_dsa},
{NID_dsaWithSHA1_2, NID_sha1, NID_dsa_2},
{NID_mdc2WithRSA, NID_mdc2, NID_rsaEncryption},
{NID_md5WithRSA, NID_md5, NID_rsa},
{NID_dsaWithSHA1, NID_sha1, NID_dsa},
{NID_sha1WithRSA, NID_sha1, NID_rsa},
{NID_ripemd160WithRSA, NID_ripemd160, NID_rsaEncryption},
{NID_md4WithRSAEncryption, NID_md4, NID_rsaEncryption},
{NID_ecdsa_with_SHA1, NID_sha1, NID_X9_62_id_ecPublicKey},
{NID_sha256WithRSAEncryption, NID_sha256, NID_rsaEncryption},
{NID_sha384WithRSAEncryption, NID_sha384, NID_rsaEncryption},
{NID_sha512WithRSAEncryption, NID_sha512, NID_rsaEncryption},
{NID_sha224WithRSAEncryption, NID_sha224, NID_rsaEncryption},
{NID_ecdsa_with_Recommended, NID_undef, NID_X9_62_id_ecPublicKey},
{NID_ecdsa_with_Specified, NID_undef, NID_X9_62_id_ecPublicKey},
{NID_ecdsa_with_SHA224, NID_sha224, NID_X9_62_id_ecPublicKey},
{NID_ecdsa_with_SHA256, NID_sha256, NID_X9_62_id_ecPublicKey},
{NID_ecdsa_with_SHA384, NID_sha384, NID_X9_62_id_ecPublicKey},
{NID_ecdsa_with_SHA512, NID_sha512, NID_X9_62_id_ecPublicKey},
{NID_dsa_with_SHA224, NID_sha224, NID_dsa},
{NID_dsa_with_SHA256, NID_sha256, NID_dsa},
{NID_id_GostR3411_94_with_GostR3410_2001, NID_id_GostR3411_94,
NID_id_GostR3410_2001},
{NID_id_GostR3411_94_with_GostR3410_94, NID_id_GostR3411_94,
NID_id_GostR3410_94},
{NID_id_GostR3411_94_with_GostR3410_94_cc, NID_id_GostR3411_94,
NID_id_GostR3410_94_cc},
{NID_id_GostR3411_94_with_GostR3410_2001_cc, NID_id_GostR3411_94,
NID_id_GostR3410_2001_cc},
{NID_rsassaPss, NID_undef, NID_rsaEncryption},
{NID_dhSinglePass_stdDH_sha1kdf_scheme, NID_sha1, NID_dh_std_kdf},
{NID_dhSinglePass_stdDH_sha224kdf_scheme, NID_sha224, NID_dh_std_kdf},
{NID_dhSinglePass_stdDH_sha256kdf_scheme, NID_sha256, NID_dh_std_kdf},
{NID_dhSinglePass_stdDH_sha384kdf_scheme, NID_sha384, NID_dh_std_kdf},
{NID_dhSinglePass_stdDH_sha512kdf_scheme, NID_sha512, NID_dh_std_kdf},
{NID_dhSinglePass_cofactorDH_sha1kdf_scheme, NID_sha1,
NID_dh_cofactor_kdf},
{NID_dhSinglePass_cofactorDH_sha224kdf_scheme, NID_sha224,
NID_dh_cofactor_kdf},
{NID_dhSinglePass_cofactorDH_sha256kdf_scheme, NID_sha256,
NID_dh_cofactor_kdf},
{NID_dhSinglePass_cofactorDH_sha384kdf_scheme, NID_sha384,
NID_dh_cofactor_kdf},
{NID_dhSinglePass_cofactorDH_sha512kdf_scheme, NID_sha512,
NID_dh_cofactor_kdf},
{NID_id_tc26_signwithdigest_gost3410_2012_256, NID_id_GostR3411_2012_256,
NID_id_GostR3410_2012_256},
{NID_id_tc26_signwithdigest_gost3410_2012_512, NID_id_GostR3411_2012_512,
NID_id_GostR3410_2012_512},
{NID_ED25519, NID_undef, NID_ED25519},
{NID_ED448, NID_undef, NID_ED448},
{NID_RSA_SHA3_224, NID_sha3_224, NID_rsaEncryption},
{NID_RSA_SHA3_256, NID_sha3_256, NID_rsaEncryption},
{NID_RSA_SHA3_384, NID_sha3_384, NID_rsaEncryption},
{NID_RSA_SHA3_512, NID_sha3_512, NID_rsaEncryption},
};
static const nid_triple *const sigoid_srt_xref[] = {
&sigoid_srt[0],
&sigoid_srt[1],
&sigoid_srt[7],
&sigoid_srt[2],
&sigoid_srt[4],
&sigoid_srt[3],
&sigoid_srt[9],
&sigoid_srt[5],
&sigoid_srt[8],
&sigoid_srt[12],
&sigoid_srt[30],
&sigoid_srt[35],
&sigoid_srt[6],
&sigoid_srt[10],
&sigoid_srt[11],
&sigoid_srt[13],
&sigoid_srt[24],
&sigoid_srt[20],
&sigoid_srt[32],
&sigoid_srt[37],
&sigoid_srt[14],
&sigoid_srt[21],
&sigoid_srt[33],
&sigoid_srt[38],
&sigoid_srt[15],
&sigoid_srt[22],
&sigoid_srt[34],
&sigoid_srt[39],
&sigoid_srt[16],
&sigoid_srt[23],
&sigoid_srt[19],
&sigoid_srt[31],
&sigoid_srt[36],
&sigoid_srt[25],
&sigoid_srt[26],
&sigoid_srt[27],
&sigoid_srt[28],
&sigoid_srt[40],
&sigoid_srt[41],
&sigoid_srt[44],
&sigoid_srt[45],
&sigoid_srt[46],
&sigoid_srt[47],
};
diff --git a/crypto/openssl/crypto/ui/ui_openssl.c b/crypto/openssl/crypto/ui/ui_openssl.c
index 9526c16536cb..0f630a5bd963 100644
--- a/crypto/openssl/crypto/ui/ui_openssl.c
+++ b/crypto/openssl/crypto/ui/ui_openssl.c
@@ -1,754 +1,756 @@
/*
- * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include "e_os.h"
#include <openssl/e_os2.h>
#include <openssl/err.h>
#include <openssl/ui.h>
#ifndef OPENSSL_NO_UI_CONSOLE
/*
* need for #define _POSIX_C_SOURCE arises whenever you pass -ansi to gcc
* [maybe others?], because it masks interfaces not discussed in standard,
* sigaction and fileno included. -pedantic would be more appropriate for the
* intended purposes, but we can't prevent users from adding -ansi.
*/
# if defined(OPENSSL_SYS_VXWORKS)
# include <sys/types.h>
# endif
# if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)
# ifndef _POSIX_C_SOURCE
# define _POSIX_C_SOURCE 2
# endif
# endif
# include <signal.h>
# include <stdio.h>
# include <string.h>
# include <errno.h>
# if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VMS)
# ifdef OPENSSL_UNISTD
# include OPENSSL_UNISTD
# else
# include <unistd.h>
# endif
/*
* If unistd.h defines _POSIX_VERSION, we conclude that we are on a POSIX
* system and have sigaction and termios.
*/
# if defined(_POSIX_VERSION) && _POSIX_VERSION>=199309L
# define SIGACTION
# if !defined(TERMIOS) && !defined(TERMIO) && !defined(SGTTY)
# define TERMIOS
# endif
# endif
# endif
# include "ui_local.h"
# include "internal/cryptlib.h"
# ifdef OPENSSL_SYS_VMS /* prototypes for sys$whatever */
# include <starlet.h>
# ifdef __DECC
# pragma message disable DOLLARID
# endif
# endif
# ifdef WIN_CONSOLE_BUG
# include <windows.h>
# ifndef OPENSSL_SYS_WINCE
# include <wincon.h>
# endif
# endif
/*
* There are 6 types of terminal interface supported, TERMIO, TERMIOS, VMS,
* MSDOS, WIN32 Console and SGTTY.
*
* If someone defines one of the macros TERMIO, TERMIOS or SGTTY, it will
* remain respected. Otherwise, we default to TERMIOS except for a few
* systems that require something different.
*
* Note: we do not use SGTTY unless it's defined by the configuration. We
* may eventually opt to remove its use entirely.
*/
# if !defined(TERMIOS) && !defined(TERMIO) && !defined(SGTTY)
# if defined(_LIBC)
# undef TERMIOS
# define TERMIO
# undef SGTTY
/*
* We know that VMS, MSDOS, VXWORKS, use entirely other mechanisms.
*/
# elif !defined(OPENSSL_SYS_VMS) \
&& !defined(OPENSSL_SYS_MSDOS) \
&& !defined(OPENSSL_SYS_VXWORKS)
# define TERMIOS
# undef TERMIO
# undef SGTTY
# endif
# endif
# if defined(OPENSSL_SYS_VXWORKS)
# undef TERMIOS
# undef TERMIO
# undef SGTTY
# endif
# ifdef TERMIOS
# include <termios.h>
# define TTY_STRUCT struct termios
# define TTY_FLAGS c_lflag
# define TTY_get(tty,data) tcgetattr(tty,data)
# define TTY_set(tty,data) tcsetattr(tty,TCSANOW,data)
# endif
# ifdef TERMIO
# include <termio.h>
# define TTY_STRUCT struct termio
# define TTY_FLAGS c_lflag
# define TTY_get(tty,data) ioctl(tty,TCGETA,data)
# define TTY_set(tty,data) ioctl(tty,TCSETA,data)
# endif
# ifdef SGTTY
# include <sgtty.h>
# define TTY_STRUCT struct sgttyb
# define TTY_FLAGS sg_flags
# define TTY_get(tty,data) ioctl(tty,TIOCGETP,data)
# define TTY_set(tty,data) ioctl(tty,TIOCSETP,data)
# endif
# if !defined(_LIBC) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_VMS)
# include <sys/ioctl.h>
# endif
# ifdef OPENSSL_SYS_MSDOS
# include <conio.h>
# endif
# ifdef OPENSSL_SYS_VMS
# include <ssdef.h>
# include <iodef.h>
# include <ttdef.h>
# include <descrip.h>
struct IOSB {
short iosb$w_value;
short iosb$w_count;
long iosb$l_info;
};
# endif
# ifndef NX509_SIG
# define NX509_SIG 32
# endif
/* Define globals. They are protected by a lock */
# ifdef SIGACTION
static struct sigaction savsig[NX509_SIG];
# else
static void (*savsig[NX509_SIG]) (int);
# endif
# ifdef OPENSSL_SYS_VMS
static struct IOSB iosb;
static $DESCRIPTOR(terminal, "TT");
static long tty_orig[3], tty_new[3]; /* XXX Is there any guarantee that this
* will always suffice for the actual
* structures? */
static long status;
static unsigned short channel = 0;
# elif defined(_WIN32) && !defined(_WIN32_WCE)
static DWORD tty_orig, tty_new;
# else
# if !defined(OPENSSL_SYS_MSDOS) || defined(__DJGPP__)
static TTY_STRUCT tty_orig, tty_new;
# endif
# endif
static FILE *tty_in, *tty_out;
static int is_a_tty;
/* Declare static functions */
# if !defined(OPENSSL_SYS_WINCE)
static int read_till_nl(FILE *);
static void recsig(int);
static void pushsig(void);
static void popsig(void);
# endif
# if defined(OPENSSL_SYS_MSDOS) && !defined(_WIN32)
static int noecho_fgets(char *buf, int size, FILE *tty);
# endif
static int read_string_inner(UI *ui, UI_STRING *uis, int echo, int strip_nl);
static int read_string(UI *ui, UI_STRING *uis);
static int write_string(UI *ui, UI_STRING *uis);
static int open_console(UI *ui);
static int echo_console(UI *ui);
static int noecho_console(UI *ui);
static int close_console(UI *ui);
/*
* The following function makes sure that info and error strings are printed
* before any prompt.
*/
static int write_string(UI *ui, UI_STRING *uis)
{
switch (UI_get_string_type(uis)) {
case UIT_ERROR:
case UIT_INFO:
fputs(UI_get0_output_string(uis), tty_out);
fflush(tty_out);
break;
case UIT_NONE:
case UIT_PROMPT:
case UIT_VERIFY:
case UIT_BOOLEAN:
break;
}
return 1;
}
static int read_string(UI *ui, UI_STRING *uis)
{
int ok = 0;
switch (UI_get_string_type(uis)) {
case UIT_BOOLEAN:
fputs(UI_get0_output_string(uis), tty_out);
fputs(UI_get0_action_string(uis), tty_out);
fflush(tty_out);
return read_string_inner(ui, uis,
UI_get_input_flags(uis) & UI_INPUT_FLAG_ECHO,
0);
case UIT_PROMPT:
fputs(UI_get0_output_string(uis), tty_out);
fflush(tty_out);
return read_string_inner(ui, uis,
UI_get_input_flags(uis) & UI_INPUT_FLAG_ECHO,
1);
case UIT_VERIFY:
fprintf(tty_out, "Verifying - %s", UI_get0_output_string(uis));
fflush(tty_out);
if ((ok = read_string_inner(ui, uis,
UI_get_input_flags(uis) &
UI_INPUT_FLAG_ECHO, 1)) <= 0)
return ok;
if (strcmp(UI_get0_result_string(uis), UI_get0_test_string(uis)) != 0) {
fprintf(tty_out, "Verify failure\n");
fflush(tty_out);
return 0;
}
break;
case UIT_NONE:
case UIT_INFO:
case UIT_ERROR:
break;
}
return 1;
}
# if !defined(OPENSSL_SYS_WINCE)
/* Internal functions to read a string without echoing */
static int read_till_nl(FILE *in)
{
# define SIZE 4
char buf[SIZE + 1];
do {
if (!fgets(buf, SIZE, in))
return 0;
} while (strchr(buf, '\n') == NULL);
return 1;
}
static volatile sig_atomic_t intr_signal;
# endif
static int read_string_inner(UI *ui, UI_STRING *uis, int echo, int strip_nl)
{
static int ps;
int ok;
char result[BUFSIZ];
int maxsize = BUFSIZ - 1;
# if !defined(OPENSSL_SYS_WINCE)
char *p = NULL;
int echo_eol = !echo;
intr_signal = 0;
ok = 0;
ps = 0;
pushsig();
ps = 1;
if (!echo && !noecho_console(ui))
goto error;
ps = 2;
result[0] = '\0';
# if defined(_WIN32)
if (is_a_tty) {
DWORD numread;
# if defined(CP_UTF8)
if (GetEnvironmentVariableW(L"OPENSSL_WIN32_UTF8", NULL, 0) != 0) {
WCHAR wresult[BUFSIZ];
if (ReadConsoleW(GetStdHandle(STD_INPUT_HANDLE),
wresult, maxsize, &numread, NULL)) {
if (numread >= 2 &&
wresult[numread-2] == L'\r' &&
wresult[numread-1] == L'\n') {
wresult[numread-2] = L'\n';
numread--;
}
wresult[numread] = '\0';
if (WideCharToMultiByte(CP_UTF8, 0, wresult, -1,
result, sizeof(result), NULL, 0) > 0)
p = result;
OPENSSL_cleanse(wresult, sizeof(wresult));
}
} else
# endif
if (ReadConsoleA(GetStdHandle(STD_INPUT_HANDLE),
result, maxsize, &numread, NULL)) {
if (numread >= 2 &&
result[numread-2] == '\r' && result[numread-1] == '\n') {
result[numread-2] = '\n';
numread--;
}
result[numread] = '\0';
p = result;
}
} else
# elif defined(OPENSSL_SYS_MSDOS)
if (!echo) {
noecho_fgets(result, maxsize, tty_in);
p = result; /* FIXME: noecho_fgets doesn't return errors */
} else
# endif
p = fgets(result, maxsize, tty_in);
if (p == NULL)
goto error;
if (feof(tty_in))
goto error;
if (ferror(tty_in))
goto error;
if ((p = (char *)strchr(result, '\n')) != NULL) {
if (strip_nl)
*p = '\0';
} else if (!read_till_nl(tty_in))
goto error;
if (UI_set_result(ui, uis, result) >= 0)
ok = 1;
error:
if (intr_signal == SIGINT)
ok = -1;
if (echo_eol)
fprintf(tty_out, "\n");
if (ps >= 2 && !echo && !echo_console(ui))
ok = 0;
if (ps >= 1)
popsig();
# else
ok = 1;
# endif
OPENSSL_cleanse(result, BUFSIZ);
return ok;
}
/* Internal functions to open, handle and close a channel to the console. */
static int open_console(UI *ui)
{
CRYPTO_THREAD_write_lock(ui->lock);
is_a_tty = 1;
# if defined(OPENSSL_SYS_VXWORKS)
tty_in = stdin;
tty_out = stderr;
# elif defined(_WIN32) && !defined(_WIN32_WCE)
if ((tty_out = fopen("conout$", "w")) == NULL)
tty_out = stderr;
if (GetConsoleMode(GetStdHandle(STD_INPUT_HANDLE), &tty_orig)) {
tty_in = stdin;
} else {
is_a_tty = 0;
if ((tty_in = fopen("conin$", "r")) == NULL)
tty_in = stdin;
}
# else
# ifdef OPENSSL_SYS_MSDOS
# define DEV_TTY "con"
# else
# define DEV_TTY "/dev/tty"
# endif
if ((tty_in = fopen(DEV_TTY, "r")) == NULL)
tty_in = stdin;
if ((tty_out = fopen(DEV_TTY, "w")) == NULL)
tty_out = stderr;
# endif
# if defined(TTY_get) && !defined(OPENSSL_SYS_VMS)
if (TTY_get(fileno(tty_in), &tty_orig) == -1) {
# ifdef ENOTTY
if (errno == ENOTTY)
is_a_tty = 0;
else
# endif
# ifdef EINVAL
/*
* Ariel Glenn reports that solaris can return EINVAL instead.
* This should be ok
*/
if (errno == EINVAL)
is_a_tty = 0;
else
# endif
# ifdef ENXIO
/*
* Solaris can return ENXIO.
* This should be ok
*/
if (errno == ENXIO)
is_a_tty = 0;
else
# endif
# ifdef EIO
/*
* Linux can return EIO.
* This should be ok
*/
if (errno == EIO)
is_a_tty = 0;
else
# endif
# ifdef EPERM
/*
* Linux can return EPERM (Operation not permitted),
* e.g. if a daemon executes openssl via fork()+execve()
* This should be ok
*/
if (errno == EPERM)
is_a_tty = 0;
else
# endif
# ifdef ENODEV
/*
* MacOS X returns ENODEV (Operation not supported by device),
* which seems appropriate.
*/
if (errno == ENODEV)
is_a_tty = 0;
else
# endif
{
char tmp_num[10];
BIO_snprintf(tmp_num, sizeof(tmp_num) - 1, "%d", errno);
UIerr(UI_F_OPEN_CONSOLE, UI_R_UNKNOWN_TTYGET_ERRNO_VALUE);
ERR_add_error_data(2, "errno=", tmp_num);
return 0;
}
}
# endif
# ifdef OPENSSL_SYS_VMS
status = sys$assign(&terminal, &channel, 0, 0);
/* if there isn't a TT device, something is very wrong */
if (status != SS$_NORMAL) {
char tmp_num[12];
BIO_snprintf(tmp_num, sizeof(tmp_num) - 1, "%%X%08X", status);
UIerr(UI_F_OPEN_CONSOLE, UI_R_SYSASSIGN_ERROR);
ERR_add_error_data(2, "status=", tmp_num);
return 0;
}
status = sys$qiow(0, channel, IO$_SENSEMODE, &iosb, 0, 0, tty_orig, 12,
0, 0, 0, 0);
/* If IO$_SENSEMODE doesn't work, this is not a terminal device */
if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL))
is_a_tty = 0;
# endif
return 1;
}
static int noecho_console(UI *ui)
{
# ifdef TTY_FLAGS
memcpy(&(tty_new), &(tty_orig), sizeof(tty_orig));
tty_new.TTY_FLAGS &= ~ECHO;
# endif
# if defined(TTY_set) && !defined(OPENSSL_SYS_VMS)
if (is_a_tty && (TTY_set(fileno(tty_in), &tty_new) == -1))
return 0;
# endif
# ifdef OPENSSL_SYS_VMS
if (is_a_tty) {
tty_new[0] = tty_orig[0];
tty_new[1] = tty_orig[1] | TT$M_NOECHO;
tty_new[2] = tty_orig[2];
status = sys$qiow(0, channel, IO$_SETMODE, &iosb, 0, 0, tty_new, 12,
0, 0, 0, 0);
if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL)) {
char tmp_num[2][12];
BIO_snprintf(tmp_num[0], sizeof(tmp_num[0]) - 1, "%%X%08X",
status);
BIO_snprintf(tmp_num[1], sizeof(tmp_num[1]) - 1, "%%X%08X",
iosb.iosb$w_value);
UIerr(UI_F_NOECHO_CONSOLE, UI_R_SYSQIOW_ERROR);
ERR_add_error_data(5, "status=", tmp_num[0],
",", "iosb.iosb$w_value=", tmp_num[1]);
return 0;
}
}
# endif
# if defined(_WIN32) && !defined(_WIN32_WCE)
if (is_a_tty) {
tty_new = tty_orig;
tty_new &= ~ENABLE_ECHO_INPUT;
SetConsoleMode(GetStdHandle(STD_INPUT_HANDLE), tty_new);
}
# endif
return 1;
}
static int echo_console(UI *ui)
{
# if defined(TTY_set) && !defined(OPENSSL_SYS_VMS)
memcpy(&(tty_new), &(tty_orig), sizeof(tty_orig));
if (is_a_tty && (TTY_set(fileno(tty_in), &tty_new) == -1))
return 0;
# endif
# ifdef OPENSSL_SYS_VMS
if (is_a_tty) {
tty_new[0] = tty_orig[0];
tty_new[1] = tty_orig[1];
tty_new[2] = tty_orig[2];
status = sys$qiow(0, channel, IO$_SETMODE, &iosb, 0, 0, tty_new, 12,
0, 0, 0, 0);
if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL)) {
char tmp_num[2][12];
BIO_snprintf(tmp_num[0], sizeof(tmp_num[0]) - 1, "%%X%08X",
status);
BIO_snprintf(tmp_num[1], sizeof(tmp_num[1]) - 1, "%%X%08X",
iosb.iosb$w_value);
UIerr(UI_F_ECHO_CONSOLE, UI_R_SYSQIOW_ERROR);
ERR_add_error_data(5, "status=", tmp_num[0],
",", "iosb.iosb$w_value=", tmp_num[1]);
return 0;
}
}
# endif
# if defined(_WIN32) && !defined(_WIN32_WCE)
if (is_a_tty) {
tty_new = tty_orig;
SetConsoleMode(GetStdHandle(STD_INPUT_HANDLE), tty_new);
}
# endif
return 1;
}
static int close_console(UI *ui)
{
+ int ret = 1;
+
if (tty_in != stdin)
fclose(tty_in);
if (tty_out != stderr)
fclose(tty_out);
# ifdef OPENSSL_SYS_VMS
status = sys$dassgn(channel);
if (status != SS$_NORMAL) {
char tmp_num[12];
BIO_snprintf(tmp_num, sizeof(tmp_num) - 1, "%%X%08X", status);
UIerr(UI_F_CLOSE_CONSOLE, UI_R_SYSDASSGN_ERROR);
ERR_add_error_data(2, "status=", tmp_num);
- return 0;
+ ret = 0;
}
# endif
CRYPTO_THREAD_unlock(ui->lock);
- return 1;
+ return ret;
}
# if !defined(OPENSSL_SYS_WINCE)
/* Internal functions to handle signals and act on them */
static void pushsig(void)
{
# ifndef OPENSSL_SYS_WIN32
int i;
# endif
# ifdef SIGACTION
struct sigaction sa;
memset(&sa, 0, sizeof(sa));
sa.sa_handler = recsig;
# endif
# ifdef OPENSSL_SYS_WIN32
savsig[SIGABRT] = signal(SIGABRT, recsig);
savsig[SIGFPE] = signal(SIGFPE, recsig);
savsig[SIGILL] = signal(SIGILL, recsig);
savsig[SIGINT] = signal(SIGINT, recsig);
savsig[SIGSEGV] = signal(SIGSEGV, recsig);
savsig[SIGTERM] = signal(SIGTERM, recsig);
# else
for (i = 1; i < NX509_SIG; i++) {
# ifdef SIGUSR1
if (i == SIGUSR1)
continue;
# endif
# ifdef SIGUSR2
if (i == SIGUSR2)
continue;
# endif
# ifdef SIGKILL
if (i == SIGKILL) /* We can't make any action on that. */
continue;
# endif
# ifdef SIGACTION
sigaction(i, &sa, &savsig[i]);
# else
savsig[i] = signal(i, recsig);
# endif
}
# endif
# ifdef SIGWINCH
signal(SIGWINCH, SIG_DFL);
# endif
}
static void popsig(void)
{
# ifdef OPENSSL_SYS_WIN32
signal(SIGABRT, savsig[SIGABRT]);
signal(SIGFPE, savsig[SIGFPE]);
signal(SIGILL, savsig[SIGILL]);
signal(SIGINT, savsig[SIGINT]);
signal(SIGSEGV, savsig[SIGSEGV]);
signal(SIGTERM, savsig[SIGTERM]);
# else
int i;
for (i = 1; i < NX509_SIG; i++) {
# ifdef SIGUSR1
if (i == SIGUSR1)
continue;
# endif
# ifdef SIGUSR2
if (i == SIGUSR2)
continue;
# endif
# ifdef SIGACTION
sigaction(i, &savsig[i], NULL);
# else
signal(i, savsig[i]);
# endif
}
# endif
}
static void recsig(int i)
{
intr_signal = i;
}
# endif
/* Internal functions specific for Windows */
# if defined(OPENSSL_SYS_MSDOS) && !defined(_WIN32)
static int noecho_fgets(char *buf, int size, FILE *tty)
{
int i;
char *p;
p = buf;
for (;;) {
if (size == 0) {
*p = '\0';
break;
}
size--;
# if defined(_WIN32)
i = _getch();
# else
i = getch();
# endif
if (i == '\r')
i = '\n';
*(p++) = i;
if (i == '\n') {
*p = '\0';
break;
}
}
# ifdef WIN_CONSOLE_BUG
/*
* Win95 has several evil console bugs: one of these is that the last
* character read using getch() is passed to the next read: this is
* usually a CR so this can be trouble. No STDIO fix seems to work but
* flushing the console appears to do the trick.
*/
{
HANDLE inh;
inh = GetStdHandle(STD_INPUT_HANDLE);
FlushConsoleInputBuffer(inh);
}
# endif
return strlen(buf);
}
# endif
static UI_METHOD ui_openssl = {
"OpenSSL default user interface",
open_console,
write_string,
NULL, /* No flusher is needed for command lines */
read_string,
close_console,
NULL
};
/* The method with all the built-in console thingies */
UI_METHOD *UI_OpenSSL(void)
{
return &ui_openssl;
}
static const UI_METHOD *default_UI_meth = &ui_openssl;
#else
static const UI_METHOD *default_UI_meth = NULL;
#endif
void UI_set_default_method(const UI_METHOD *meth)
{
default_UI_meth = meth;
}
const UI_METHOD *UI_get_default_method(void)
{
return default_UI_meth;
}
diff --git a/crypto/openssl/crypto/x509/x509_vfy.c b/crypto/openssl/crypto/x509/x509_vfy.c
index e404fcc602df..b18489f67f6e 100644
--- a/crypto/openssl/crypto/x509/x509_vfy.c
+++ b/crypto/openssl/crypto/x509/x509_vfy.c
@@ -1,3389 +1,3390 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <stdio.h>
#include <time.h>
#include <errno.h>
#include <limits.h>
#include "crypto/ctype.h"
#include "internal/cryptlib.h"
#include <openssl/crypto.h>
#include <openssl/buffer.h>
#include <openssl/evp.h>
#include <openssl/asn1.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/objects.h>
#include "internal/dane.h"
#include "crypto/x509.h"
#include "x509_local.h"
/* CRL score values */
/* No unhandled critical extensions */
#define CRL_SCORE_NOCRITICAL 0x100
/* certificate is within CRL scope */
#define CRL_SCORE_SCOPE 0x080
/* CRL times valid */
#define CRL_SCORE_TIME 0x040
/* Issuer name matches certificate */
#define CRL_SCORE_ISSUER_NAME 0x020
/* If this score or above CRL is probably valid */
#define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE)
/* CRL issuer is certificate issuer */
#define CRL_SCORE_ISSUER_CERT 0x018
/* CRL issuer is on certificate path */
#define CRL_SCORE_SAME_PATH 0x008
/* CRL issuer matches CRL AKID */
#define CRL_SCORE_AKID 0x004
/* Have a delta CRL with valid times */
#define CRL_SCORE_TIME_DELTA 0x002
static int build_chain(X509_STORE_CTX *ctx);
static int verify_chain(X509_STORE_CTX *ctx);
static int dane_verify(X509_STORE_CTX *ctx);
static int null_callback(int ok, X509_STORE_CTX *e);
static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
static int check_chain_extensions(X509_STORE_CTX *ctx);
static int check_name_constraints(X509_STORE_CTX *ctx);
static int check_id(X509_STORE_CTX *ctx);
static int check_trust(X509_STORE_CTX *ctx, int num_untrusted);
static int check_revocation(X509_STORE_CTX *ctx);
static int check_cert(X509_STORE_CTX *ctx);
static int check_policy(X509_STORE_CTX *ctx);
static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
static int check_dane_issuer(X509_STORE_CTX *ctx, int depth);
static int check_key_level(X509_STORE_CTX *ctx, X509 *cert);
static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert);
static int check_curve(X509 *cert);
static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
unsigned int *preasons, X509_CRL *crl, X509 *x);
static int get_crl_delta(X509_STORE_CTX *ctx,
X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);
static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl,
int *pcrl_score, X509_CRL *base,
STACK_OF(X509_CRL) *crls);
static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,
int *pcrl_score);
static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
unsigned int *preasons);
static int check_crl_path(X509_STORE_CTX *ctx, X509 *x);
static int check_crl_chain(X509_STORE_CTX *ctx,
STACK_OF(X509) *cert_path,
STACK_OF(X509) *crl_path);
static int internal_verify(X509_STORE_CTX *ctx);
static int null_callback(int ok, X509_STORE_CTX *e)
{
return ok;
}
/*
* Return 1 if given cert is considered self-signed, 0 if not or on error.
* This does not verify self-signedness but relies on x509v3_cache_extensions()
* matching issuer and subject names (i.e., the cert being self-issued) and any
* present authority key identifier matching the subject key identifier, etc.
*/
static int cert_self_signed(X509 *x)
{
if (X509_check_purpose(x, -1, 0) != 1)
return 0;
if (x->ex_flags & EXFLAG_SS)
return 1;
else
return 0;
}
/* Given a certificate try and find an exact match in the store */
static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
{
STACK_OF(X509) *certs;
X509 *xtmp = NULL;
int i;
/* Lookup all certs with matching subject name */
certs = ctx->lookup_certs(ctx, X509_get_subject_name(x));
if (certs == NULL)
return NULL;
/* Look for exact match */
for (i = 0; i < sk_X509_num(certs); i++) {
xtmp = sk_X509_value(certs, i);
if (!X509_cmp(xtmp, x))
break;
xtmp = NULL;
}
if (xtmp != NULL && !X509_up_ref(xtmp))
xtmp = NULL;
sk_X509_pop_free(certs, X509_free);
return xtmp;
}
/*-
* Inform the verify callback of an error.
* If B<x> is not NULL it is the error cert, otherwise use the chain cert at
* B<depth>.
* If B<err> is not X509_V_OK, that's the error value, otherwise leave
* unchanged (presumably set by the caller).
*
* Returns 0 to abort verification with an error, non-zero to continue.
*/
static int verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err)
{
ctx->error_depth = depth;
ctx->current_cert = (x != NULL) ? x : sk_X509_value(ctx->chain, depth);
if (err != X509_V_OK)
ctx->error = err;
return ctx->verify_cb(0, ctx);
}
/*-
* Inform the verify callback of an error, CRL-specific variant. Here, the
* error depth and certificate are already set, we just specify the error
* number.
*
* Returns 0 to abort verification with an error, non-zero to continue.
*/
static int verify_cb_crl(X509_STORE_CTX *ctx, int err)
{
ctx->error = err;
return ctx->verify_cb(0, ctx);
}
static int check_auth_level(X509_STORE_CTX *ctx)
{
int i;
int num = sk_X509_num(ctx->chain);
if (ctx->param->auth_level <= 0)
return 1;
for (i = 0; i < num; ++i) {
X509 *cert = sk_X509_value(ctx->chain, i);
/*
* We've already checked the security of the leaf key, so here we only
* check the security of issuer keys.
*/
if (i > 0 && !check_key_level(ctx, cert) &&
verify_cb_cert(ctx, cert, i, X509_V_ERR_CA_KEY_TOO_SMALL) == 0)
return 0;
/*
* We also check the signature algorithm security of all certificates
* except those of the trust anchor at index num-1.
*/
if (i < num - 1 && !check_sig_level(ctx, cert) &&
verify_cb_cert(ctx, cert, i, X509_V_ERR_CA_MD_TOO_WEAK) == 0)
return 0;
}
return 1;
}
static int verify_chain(X509_STORE_CTX *ctx)
{
int err;
int ok;
/*
* Before either returning with an error, or continuing with CRL checks,
* instantiate chain public key parameters.
*/
if ((ok = build_chain(ctx)) == 0 ||
(ok = check_chain_extensions(ctx)) == 0 ||
(ok = check_auth_level(ctx)) == 0 ||
(ok = check_id(ctx)) == 0 || 1)
X509_get_pubkey_parameters(NULL, ctx->chain);
if (ok == 0 || (ok = ctx->check_revocation(ctx)) == 0)
return ok;
err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain,
ctx->param->flags);
if (err != X509_V_OK) {
if ((ok = verify_cb_cert(ctx, NULL, ctx->error_depth, err)) == 0)
return ok;
}
/* Verify chain signatures and expiration times */
ok = (ctx->verify != NULL) ? ctx->verify(ctx) : internal_verify(ctx);
if (!ok)
return ok;
if ((ok = check_name_constraints(ctx)) == 0)
return ok;
#ifndef OPENSSL_NO_RFC3779
/* RFC 3779 path validation, now that CRL check has been done */
if ((ok = X509v3_asid_validate_path(ctx)) == 0)
return ok;
if ((ok = X509v3_addr_validate_path(ctx)) == 0)
return ok;
#endif
/* If we get this far evaluate policies */
if (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)
ok = ctx->check_policy(ctx);
return ok;
}
int X509_verify_cert(X509_STORE_CTX *ctx)
{
SSL_DANE *dane = ctx->dane;
int ret;
if (ctx->cert == NULL) {
X509err(X509_F_X509_VERIFY_CERT, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
ctx->error = X509_V_ERR_INVALID_CALL;
return -1;
}
if (ctx->chain != NULL) {
/*
* This X509_STORE_CTX has already been used to verify a cert. We
* cannot do another one.
*/
X509err(X509_F_X509_VERIFY_CERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
ctx->error = X509_V_ERR_INVALID_CALL;
return -1;
}
if (!X509_up_ref(ctx->cert)) {
X509err(X509_F_X509_VERIFY_CERT, ERR_R_INTERNAL_ERROR);
ctx->error = X509_V_ERR_UNSPECIFIED;
return -1;
}
/*
* first we make sure the chain we are going to build is present and that
* the first entry is in place
*/
if ((ctx->chain = sk_X509_new_null()) == NULL
|| !sk_X509_push(ctx->chain, ctx->cert)) {
X509_free(ctx->cert);
X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
ctx->error = X509_V_ERR_OUT_OF_MEM;
return -1;
}
ctx->num_untrusted = 1;
/* If the peer's public key is too weak, we can stop early. */
if (!check_key_level(ctx, ctx->cert) &&
!verify_cb_cert(ctx, ctx->cert, 0, X509_V_ERR_EE_KEY_TOO_SMALL))
return 0;
if (DANETLS_ENABLED(dane))
ret = dane_verify(ctx);
else
ret = verify_chain(ctx);
/*
* Safety-net. If we are returning an error, we must also set ctx->error,
* so that the chain is not considered verified should the error be ignored
* (e.g. TLS with SSL_VERIFY_NONE).
*/
if (ret <= 0 && ctx->error == X509_V_OK)
ctx->error = X509_V_ERR_UNSPECIFIED;
return ret;
}
static int sk_X509_contains(STACK_OF(X509) *sk, X509 *cert)
{
int i, n = sk_X509_num(sk);
for (i = 0; i < n; i++)
if (X509_cmp(sk_X509_value(sk, i), cert) == 0)
return 1;
return 0;
}
/*
* Find in given STACK_OF(X509) sk an issuer cert of given cert x.
* The issuer must not yet be in ctx->chain, where the exceptional case
* that x is self-issued and ctx->chain has just one element is allowed.
* Prefer the first one that is not expired, else take the last expired one.
*/
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
{
int i;
X509 *issuer, *rv = NULL;
for (i = 0; i < sk_X509_num(sk); i++) {
issuer = sk_X509_value(sk, i);
if (ctx->check_issued(ctx, x, issuer)
&& (((x->ex_flags & EXFLAG_SI) != 0 && sk_X509_num(ctx->chain) == 1)
|| !sk_X509_contains(ctx->chain, issuer))) {
rv = issuer;
if (x509_check_cert_time(ctx, rv, -1))
break;
}
}
return rv;
}
/* Check that the given certificate 'x' is issued by the certificate 'issuer' */
static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
{
return x509_likely_issued(issuer, x) == X509_V_OK;
}
/* Alternative lookup method: look from a STACK stored in other_ctx */
static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
{
*issuer = find_issuer(ctx, ctx->other_ctx, x);
if (*issuer == NULL || !X509_up_ref(*issuer))
goto err;
return 1;
err:
*issuer = NULL;
return 0;
}
static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx, X509_NAME *nm)
{
STACK_OF(X509) *sk = NULL;
X509 *x;
int i;
for (i = 0; i < sk_X509_num(ctx->other_ctx); i++) {
x = sk_X509_value(ctx->other_ctx, i);
if (X509_NAME_cmp(nm, X509_get_subject_name(x)) == 0) {
if (!X509_up_ref(x)) {
sk_X509_pop_free(sk, X509_free);
X509err(X509_F_LOOKUP_CERTS_SK, ERR_R_INTERNAL_ERROR);
ctx->error = X509_V_ERR_UNSPECIFIED;
return NULL;
}
if (sk == NULL)
sk = sk_X509_new_null();
if (sk == NULL || !sk_X509_push(sk, x)) {
X509_free(x);
sk_X509_pop_free(sk, X509_free);
X509err(X509_F_LOOKUP_CERTS_SK, ERR_R_MALLOC_FAILURE);
ctx->error = X509_V_ERR_OUT_OF_MEM;
return NULL;
}
}
}
return sk;
}
/*
* Check EE or CA certificate purpose. For trusted certificates explicit local
* auxiliary trust can be used to override EKU-restrictions.
*/
static int check_purpose(X509_STORE_CTX *ctx, X509 *x, int purpose, int depth,
int must_be_ca)
{
int tr_ok = X509_TRUST_UNTRUSTED;
/*
* For trusted certificates we want to see whether any auxiliary trust
* settings trump the purpose constraints.
*
* This is complicated by the fact that the trust ordinals in
* ctx->param->trust are entirely independent of the purpose ordinals in
* ctx->param->purpose!
*
* What connects them is their mutual initialization via calls from
* X509_STORE_CTX_set_default() into X509_VERIFY_PARAM_lookup() which sets
* related values of both param->trust and param->purpose. It is however
* typically possible to infer associated trust values from a purpose value
* via the X509_PURPOSE API.
*
* Therefore, we can only check for trust overrides when the purpose we're
* checking is the same as ctx->param->purpose and ctx->param->trust is
* also set.
*/
if (depth >= ctx->num_untrusted && purpose == ctx->param->purpose)
tr_ok = X509_check_trust(x, ctx->param->trust, X509_TRUST_NO_SS_COMPAT);
switch (tr_ok) {
case X509_TRUST_TRUSTED:
return 1;
case X509_TRUST_REJECTED:
break;
default:
switch (X509_check_purpose(x, purpose, must_be_ca > 0)) {
case 1:
return 1;
case 0:
break;
default:
if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) == 0)
return 1;
}
break;
}
return verify_cb_cert(ctx, x, depth, X509_V_ERR_INVALID_PURPOSE);
}
/*
* Check a certificate chains extensions for consistency with the supplied
* purpose
*/
static int check_chain_extensions(X509_STORE_CTX *ctx)
{
int i, must_be_ca, plen = 0;
X509 *x;
int proxy_path_length = 0;
int purpose;
int allow_proxy_certs;
int num = sk_X509_num(ctx->chain);
/*-
* must_be_ca can have 1 of 3 values:
* -1: we accept both CA and non-CA certificates, to allow direct
* use of self-signed certificates (which are marked as CA).
* 0: we only accept non-CA certificates. This is currently not
* used, but the possibility is present for future extensions.
* 1: we only accept CA certificates. This is currently used for
* all certificates in the chain except the leaf certificate.
*/
must_be_ca = -1;
/* CRL path validation */
if (ctx->parent) {
allow_proxy_certs = 0;
purpose = X509_PURPOSE_CRL_SIGN;
} else {
allow_proxy_certs =
! !(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
purpose = ctx->param->purpose;
}
for (i = 0; i < num; i++) {
int ret;
x = sk_X509_value(ctx->chain, i);
if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
&& (x->ex_flags & EXFLAG_CRITICAL)) {
if (!verify_cb_cert(ctx, x, i,
X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION))
return 0;
}
if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) {
if (!verify_cb_cert(ctx, x, i,
X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED))
return 0;
}
ret = X509_check_ca(x);
switch (must_be_ca) {
case -1:
if ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
&& (ret != 1) && (ret != 0)) {
ret = 0;
ctx->error = X509_V_ERR_INVALID_CA;
} else
ret = 1;
break;
case 0:
if (ret != 0) {
ret = 0;
ctx->error = X509_V_ERR_INVALID_NON_CA;
} else
ret = 1;
break;
default:
/* X509_V_FLAG_X509_STRICT is implicit for intermediate CAs */
if ((ret == 0)
|| ((i + 1 < num || ctx->param->flags & X509_V_FLAG_X509_STRICT)
&& (ret != 1))) {
ret = 0;
ctx->error = X509_V_ERR_INVALID_CA;
} else
ret = 1;
break;
}
if (ret > 0
&& (ctx->param->flags & X509_V_FLAG_X509_STRICT) && num > 1) {
/* Check for presence of explicit elliptic curve parameters */
ret = check_curve(x);
if (ret < 0) {
ctx->error = X509_V_ERR_UNSPECIFIED;
ret = 0;
} else if (ret == 0) {
ctx->error = X509_V_ERR_EC_KEY_EXPLICIT_PARAMS;
}
}
if (ret > 0
&& (x->ex_flags & EXFLAG_CA) == 0
&& x->ex_pathlen != -1
&& (ctx->param->flags & X509_V_FLAG_X509_STRICT)) {
ctx->error = X509_V_ERR_INVALID_EXTENSION;
ret = 0;
}
if (ret == 0 && !verify_cb_cert(ctx, x, i, X509_V_OK))
return 0;
/* check_purpose() makes the callback as needed */
if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca))
return 0;
/* Check pathlen */
if ((i > 1) && (x->ex_pathlen != -1)
&& (plen > (x->ex_pathlen + proxy_path_length))) {
if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED))
return 0;
}
/* Increment path length if not a self issued intermediate CA */
if (i > 0 && (x->ex_flags & EXFLAG_SI) == 0)
plen++;
/*
* If this certificate is a proxy certificate, the next certificate
* must be another proxy certificate or a EE certificate. If not,
* the next certificate must be a CA certificate.
*/
if (x->ex_flags & EXFLAG_PROXY) {
/*
* RFC3820, 4.1.3 (b)(1) stipulates that if pCPathLengthConstraint
* is less than max_path_length, the former should be copied to
* the latter, and 4.1.4 (a) stipulates that max_path_length
* should be verified to be larger than zero and decrement it.
*
* Because we're checking the certs in the reverse order, we start
* with verifying that proxy_path_length isn't larger than pcPLC,
* and copy the latter to the former if it is, and finally,
* increment proxy_path_length.
*/
if (x->ex_pcpathlen != -1) {
if (proxy_path_length > x->ex_pcpathlen) {
if (!verify_cb_cert(ctx, x, i,
X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED))
return 0;
}
proxy_path_length = x->ex_pcpathlen;
}
proxy_path_length++;
must_be_ca = 0;
} else
must_be_ca = 1;
}
return 1;
}
static int has_san_id(X509 *x, int gtype)
{
int i;
int ret = 0;
GENERAL_NAMES *gs = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
if (gs == NULL)
return 0;
for (i = 0; i < sk_GENERAL_NAME_num(gs); i++) {
GENERAL_NAME *g = sk_GENERAL_NAME_value(gs, i);
if (g->type == gtype) {
ret = 1;
break;
}
}
GENERAL_NAMES_free(gs);
return ret;
}
static int check_name_constraints(X509_STORE_CTX *ctx)
{
int i;
/* Check name constraints for all certificates */
for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
X509 *x = sk_X509_value(ctx->chain, i);
int j;
/* Ignore self issued certs unless last in chain */
if (i && (x->ex_flags & EXFLAG_SI))
continue;
/*
* Proxy certificates policy has an extra constraint, where the
* certificate subject MUST be the issuer with a single CN entry
* added.
* (RFC 3820: 3.4, 4.1.3 (a)(4))
*/
if (x->ex_flags & EXFLAG_PROXY) {
X509_NAME *tmpsubject = X509_get_subject_name(x);
X509_NAME *tmpissuer = X509_get_issuer_name(x);
X509_NAME_ENTRY *tmpentry = NULL;
int last_object_nid = 0;
int err = X509_V_OK;
int last_object_loc = X509_NAME_entry_count(tmpsubject) - 1;
/* Check that there are at least two RDNs */
if (last_object_loc < 1) {
err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION;
goto proxy_name_done;
}
/*
* Check that there is exactly one more RDN in subject as
* there is in issuer.
*/
if (X509_NAME_entry_count(tmpsubject)
!= X509_NAME_entry_count(tmpissuer) + 1) {
err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION;
goto proxy_name_done;
}
/*
* Check that the last subject component isn't part of a
* multivalued RDN
*/
if (X509_NAME_ENTRY_set(X509_NAME_get_entry(tmpsubject,
last_object_loc))
== X509_NAME_ENTRY_set(X509_NAME_get_entry(tmpsubject,
last_object_loc - 1))) {
err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION;
goto proxy_name_done;
}
/*
* Check that the last subject RDN is a commonName, and that
* all the previous RDNs match the issuer exactly
*/
tmpsubject = X509_NAME_dup(tmpsubject);
if (tmpsubject == NULL) {
X509err(X509_F_CHECK_NAME_CONSTRAINTS, ERR_R_MALLOC_FAILURE);
ctx->error = X509_V_ERR_OUT_OF_MEM;
return 0;
}
tmpentry =
X509_NAME_delete_entry(tmpsubject, last_object_loc);
last_object_nid =
OBJ_obj2nid(X509_NAME_ENTRY_get_object(tmpentry));
if (last_object_nid != NID_commonName
|| X509_NAME_cmp(tmpsubject, tmpissuer) != 0) {
err = X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION;
}
X509_NAME_ENTRY_free(tmpentry);
X509_NAME_free(tmpsubject);
proxy_name_done:
if (err != X509_V_OK
&& !verify_cb_cert(ctx, x, i, err))
return 0;
}
/*
* Check against constraints for all certificates higher in chain
* including trust anchor. Trust anchor not strictly speaking needed
* but if it includes constraints it is to be assumed it expects them
* to be obeyed.
*/
for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) {
NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
if (nc) {
int rv = NAME_CONSTRAINTS_check(x, nc);
/* If EE certificate check commonName too */
if (rv == X509_V_OK && i == 0
&& (ctx->param->hostflags
& X509_CHECK_FLAG_NEVER_CHECK_SUBJECT) == 0
&& ((ctx->param->hostflags
& X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT) != 0
|| !has_san_id(x, GEN_DNS)))
rv = NAME_CONSTRAINTS_check_CN(x, nc);
switch (rv) {
case X509_V_OK:
break;
case X509_V_ERR_OUT_OF_MEM:
return 0;
default:
if (!verify_cb_cert(ctx, x, i, rv))
return 0;
break;
}
}
}
}
return 1;
}
static int check_id_error(X509_STORE_CTX *ctx, int errcode)
{
return verify_cb_cert(ctx, ctx->cert, 0, errcode);
}
static int check_hosts(X509 *x, X509_VERIFY_PARAM *vpm)
{
int i;
int n = sk_OPENSSL_STRING_num(vpm->hosts);
char *name;
if (vpm->peername != NULL) {
OPENSSL_free(vpm->peername);
vpm->peername = NULL;
}
for (i = 0; i < n; ++i) {
name = sk_OPENSSL_STRING_value(vpm->hosts, i);
if (X509_check_host(x, name, 0, vpm->hostflags, &vpm->peername) > 0)
return 1;
}
return n == 0;
}
static int check_id(X509_STORE_CTX *ctx)
{
X509_VERIFY_PARAM *vpm = ctx->param;
X509 *x = ctx->cert;
if (vpm->hosts && check_hosts(x, vpm) <= 0) {
if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
return 0;
}
if (vpm->email && X509_check_email(x, vpm->email, vpm->emaillen, 0) <= 0) {
if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH))
return 0;
}
if (vpm->ip && X509_check_ip(x, vpm->ip, vpm->iplen, 0) <= 0) {
if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH))
return 0;
}
return 1;
}
static int check_trust(X509_STORE_CTX *ctx, int num_untrusted)
{
int i;
X509 *x = NULL;
X509 *mx;
SSL_DANE *dane = ctx->dane;
int num = sk_X509_num(ctx->chain);
int trust;
/*
* Check for a DANE issuer at depth 1 or greater, if it is a DANE-TA(2)
* match, we're done, otherwise we'll merely record the match depth.
*/
if (DANETLS_HAS_TA(dane) && num_untrusted > 0 && num_untrusted < num) {
switch (trust = check_dane_issuer(ctx, num_untrusted)) {
case X509_TRUST_TRUSTED:
case X509_TRUST_REJECTED:
return trust;
}
}
/*
* Check trusted certificates in chain at depth num_untrusted and up.
* Note, that depths 0..num_untrusted-1 may also contain trusted
* certificates, but the caller is expected to have already checked those,
* and wants to incrementally check just any added since.
*/
for (i = num_untrusted; i < num; i++) {
x = sk_X509_value(ctx->chain, i);
trust = X509_check_trust(x, ctx->param->trust, 0);
/* If explicitly trusted return trusted */
if (trust == X509_TRUST_TRUSTED)
goto trusted;
if (trust == X509_TRUST_REJECTED)
goto rejected;
}
/*
* If we are looking at a trusted certificate, and accept partial chains,
* the chain is PKIX trusted.
*/
if (num_untrusted < num) {
if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN)
goto trusted;
return X509_TRUST_UNTRUSTED;
}
if (num_untrusted == num && ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
/*
* Last-resort call with no new trusted certificates, check the leaf
* for a direct trust store match.
*/
i = 0;
x = sk_X509_value(ctx->chain, i);
mx = lookup_cert_match(ctx, x);
if (!mx)
return X509_TRUST_UNTRUSTED;
/*
* Check explicit auxiliary trust/reject settings. If none are set,
* we'll accept X509_TRUST_UNTRUSTED when not self-signed.
*/
trust = X509_check_trust(mx, ctx->param->trust, 0);
if (trust == X509_TRUST_REJECTED) {
X509_free(mx);
goto rejected;
}
/* Replace leaf with trusted match */
(void) sk_X509_set(ctx->chain, 0, mx);
X509_free(x);
ctx->num_untrusted = 0;
goto trusted;
}
/*
* If no trusted certs in chain at all return untrusted and allow
* standard (no issuer cert) etc errors to be indicated.
*/
return X509_TRUST_UNTRUSTED;
rejected:
if (!verify_cb_cert(ctx, x, i, X509_V_ERR_CERT_REJECTED))
return X509_TRUST_REJECTED;
return X509_TRUST_UNTRUSTED;
trusted:
if (!DANETLS_ENABLED(dane))
return X509_TRUST_TRUSTED;
if (dane->pdpth < 0)
dane->pdpth = num_untrusted;
/* With DANE, PKIX alone is not trusted until we have both */
if (dane->mdpth >= 0)
return X509_TRUST_TRUSTED;
return X509_TRUST_UNTRUSTED;
}
static int check_revocation(X509_STORE_CTX *ctx)
{
int i = 0, last = 0, ok = 0;
if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
return 1;
if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
last = sk_X509_num(ctx->chain) - 1;
else {
/* If checking CRL paths this isn't the EE certificate */
if (ctx->parent)
return 1;
last = 0;
}
for (i = 0; i <= last; i++) {
ctx->error_depth = i;
ok = check_cert(ctx);
if (!ok)
return ok;
}
return 1;
}
static int check_cert(X509_STORE_CTX *ctx)
{
X509_CRL *crl = NULL, *dcrl = NULL;
int ok = 0;
int cnum = ctx->error_depth;
X509 *x = sk_X509_value(ctx->chain, cnum);
ctx->current_cert = x;
ctx->current_issuer = NULL;
ctx->current_crl_score = 0;
ctx->current_reasons = 0;
if (x->ex_flags & EXFLAG_PROXY)
return 1;
while (ctx->current_reasons != CRLDP_ALL_REASONS) {
unsigned int last_reasons = ctx->current_reasons;
/* Try to retrieve relevant CRL */
if (ctx->get_crl)
ok = ctx->get_crl(ctx, &crl, x);
else
ok = get_crl_delta(ctx, &crl, &dcrl, x);
/*
* If error looking up CRL, nothing we can do except notify callback
*/
if (!ok) {
ok = verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL);
goto done;
}
ctx->current_crl = crl;
ok = ctx->check_crl(ctx, crl);
if (!ok)
goto done;
if (dcrl) {
ok = ctx->check_crl(ctx, dcrl);
if (!ok)
goto done;
ok = ctx->cert_crl(ctx, dcrl, x);
if (!ok)
goto done;
} else
ok = 1;
/* Don't look in full CRL if delta reason is removefromCRL */
if (ok != 2) {
ok = ctx->cert_crl(ctx, crl, x);
if (!ok)
goto done;
}
X509_CRL_free(crl);
X509_CRL_free(dcrl);
crl = NULL;
dcrl = NULL;
/*
* If reasons not updated we won't get anywhere by another iteration,
* so exit loop.
*/
if (last_reasons == ctx->current_reasons) {
ok = verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL);
goto done;
}
}
done:
X509_CRL_free(crl);
X509_CRL_free(dcrl);
ctx->current_crl = NULL;
return ok;
}
/* Check CRL times against values in X509_STORE_CTX */
static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
{
time_t *ptime;
int i;
if (notify)
ctx->current_crl = crl;
if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
ptime = &ctx->param->check_time;
else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
return 1;
else
ptime = NULL;
i = X509_cmp_time(X509_CRL_get0_lastUpdate(crl), ptime);
if (i == 0) {
if (!notify)
return 0;
if (!verify_cb_crl(ctx, X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD))
return 0;
}
if (i > 0) {
if (!notify)
return 0;
if (!verify_cb_crl(ctx, X509_V_ERR_CRL_NOT_YET_VALID))
return 0;
}
if (X509_CRL_get0_nextUpdate(crl)) {
i = X509_cmp_time(X509_CRL_get0_nextUpdate(crl), ptime);
if (i == 0) {
if (!notify)
return 0;
if (!verify_cb_crl(ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD))
return 0;
}
/* Ignore expiry of base CRL is delta is valid */
if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) {
if (!notify)
return 0;
if (!verify_cb_crl(ctx, X509_V_ERR_CRL_HAS_EXPIRED))
return 0;
}
}
if (notify)
ctx->current_crl = NULL;
return 1;
}
static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
X509 **pissuer, int *pscore, unsigned int *preasons,
STACK_OF(X509_CRL) *crls)
{
int i, crl_score, best_score = *pscore;
unsigned int reasons, best_reasons = 0;
X509 *x = ctx->current_cert;
X509_CRL *crl, *best_crl = NULL;
X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
for (i = 0; i < sk_X509_CRL_num(crls); i++) {
crl = sk_X509_CRL_value(crls, i);
reasons = *preasons;
crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
if (crl_score < best_score || crl_score == 0)
continue;
/* If current CRL is equivalent use it if it is newer */
if (crl_score == best_score && best_crl != NULL) {
int day, sec;
if (ASN1_TIME_diff(&day, &sec, X509_CRL_get0_lastUpdate(best_crl),
X509_CRL_get0_lastUpdate(crl)) == 0)
continue;
/*
* ASN1_TIME_diff never returns inconsistent signs for |day|
* and |sec|.
*/
if (day <= 0 && sec <= 0)
continue;
}
best_crl = crl;
best_crl_issuer = crl_issuer;
best_score = crl_score;
best_reasons = reasons;
}
if (best_crl) {
X509_CRL_free(*pcrl);
*pcrl = best_crl;
*pissuer = best_crl_issuer;
*pscore = best_score;
*preasons = best_reasons;
X509_CRL_up_ref(best_crl);
X509_CRL_free(*pdcrl);
*pdcrl = NULL;
get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
}
if (best_score >= CRL_SCORE_VALID)
return 1;
return 0;
}
/*
* Compare two CRL extensions for delta checking purposes. They should be
* both present or both absent. If both present all fields must be identical.
*/
static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
{
ASN1_OCTET_STRING *exta, *extb;
int i;
i = X509_CRL_get_ext_by_NID(a, nid, -1);
if (i >= 0) {
/* Can't have multiple occurrences */
if (X509_CRL_get_ext_by_NID(a, nid, i) != -1)
return 0;
exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i));
} else
exta = NULL;
i = X509_CRL_get_ext_by_NID(b, nid, -1);
if (i >= 0) {
if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
return 0;
extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
} else
extb = NULL;
if (!exta && !extb)
return 1;
if (!exta || !extb)
return 0;
if (ASN1_OCTET_STRING_cmp(exta, extb))
return 0;
return 1;
}
/* See if a base and delta are compatible */
static int check_delta_base(X509_CRL *delta, X509_CRL *base)
{
/* Delta CRL must be a delta */
if (!delta->base_crl_number)
return 0;
/* Base must have a CRL number */
if (!base->crl_number)
return 0;
/* Issuer names must match */
if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(delta)))
return 0;
/* AKID and IDP must match */
if (!crl_extension_match(delta, base, NID_authority_key_identifier))
return 0;
if (!crl_extension_match(delta, base, NID_issuing_distribution_point))
return 0;
/* Delta CRL base number must not exceed Full CRL number. */
if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
return 0;
/* Delta CRL number must exceed full CRL number */
if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
return 1;
return 0;
}
/*
* For a given base CRL find a delta... maybe extend to delta scoring or
* retrieve a chain of deltas...
*/
static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
X509_CRL *base, STACK_OF(X509_CRL) *crls)
{
X509_CRL *delta;
int i;
if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
return;
if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
return;
for (i = 0; i < sk_X509_CRL_num(crls); i++) {
delta = sk_X509_CRL_value(crls, i);
if (check_delta_base(delta, base)) {
if (check_crl_time(ctx, delta, 0))
*pscore |= CRL_SCORE_TIME_DELTA;
X509_CRL_up_ref(delta);
*dcrl = delta;
return;
}
}
*dcrl = NULL;
}
/*
* For a given CRL return how suitable it is for the supplied certificate
* 'x'. The return value is a mask of several criteria. If the issuer is not
* the certificate issuer this is returned in *pissuer. The reasons mask is
* also used to determine if the CRL is suitable: if no new reasons the CRL
* is rejected, otherwise reasons is updated.
*/
static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
unsigned int *preasons, X509_CRL *crl, X509 *x)
{
int crl_score = 0;
unsigned int tmp_reasons = *preasons, crl_reasons;
/* First see if we can reject CRL straight away */
/* Invalid IDP cannot be processed */
if (crl->idp_flags & IDP_INVALID)
return 0;
/* Reason codes or indirect CRLs need extended CRL support */
if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) {
if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS))
return 0;
} else if (crl->idp_flags & IDP_REASONS) {
/* If no new reasons reject */
if (!(crl->idp_reasons & ~tmp_reasons))
return 0;
}
/* Don't process deltas at this stage */
else if (crl->base_crl_number)
return 0;
/* If issuer name doesn't match certificate need indirect CRL */
if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) {
if (!(crl->idp_flags & IDP_INDIRECT))
return 0;
} else
crl_score |= CRL_SCORE_ISSUER_NAME;
if (!(crl->flags & EXFLAG_CRITICAL))
crl_score |= CRL_SCORE_NOCRITICAL;
/* Check expiry */
if (check_crl_time(ctx, crl, 0))
crl_score |= CRL_SCORE_TIME;
/* Check authority key ID and locate certificate issuer */
crl_akid_check(ctx, crl, pissuer, &crl_score);
/* If we can't locate certificate issuer at this point forget it */
if (!(crl_score & CRL_SCORE_AKID))
return 0;
/* Check cert for matching CRL distribution points */
if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) {
/* If no new reasons reject */
if (!(crl_reasons & ~tmp_reasons))
return 0;
tmp_reasons |= crl_reasons;
crl_score |= CRL_SCORE_SCOPE;
}
*preasons = tmp_reasons;
return crl_score;
}
static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
X509 **pissuer, int *pcrl_score)
{
X509 *crl_issuer = NULL;
X509_NAME *cnm = X509_CRL_get_issuer(crl);
int cidx = ctx->error_depth;
int i;
if (cidx != sk_X509_num(ctx->chain) - 1)
cidx++;
crl_issuer = sk_X509_value(ctx->chain, cidx);
if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
if (*pcrl_score & CRL_SCORE_ISSUER_NAME) {
*pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_ISSUER_CERT;
*pissuer = crl_issuer;
return;
}
}
for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) {
crl_issuer = sk_X509_value(ctx->chain, cidx);
if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
continue;
if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
*pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_SAME_PATH;
*pissuer = crl_issuer;
return;
}
}
/* Anything else needs extended CRL support */
if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT))
return;
/*
* Otherwise the CRL issuer is not on the path. Look for it in the set of
* untrusted certificates.
*/
for (i = 0; i < sk_X509_num(ctx->untrusted); i++) {
crl_issuer = sk_X509_value(ctx->untrusted, i);
if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
continue;
if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {
*pissuer = crl_issuer;
*pcrl_score |= CRL_SCORE_AKID;
return;
}
}
}
/*
* Check the path of a CRL issuer certificate. This creates a new
* X509_STORE_CTX and populates it with most of the parameters from the
* parent. This could be optimised somewhat since a lot of path checking will
* be duplicated by the parent, but this will rarely be used in practice.
*/
static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
{
X509_STORE_CTX crl_ctx;
int ret;
/* Don't allow recursive CRL path validation */
if (ctx->parent)
return 0;
if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted))
return -1;
crl_ctx.crls = ctx->crls;
/* Copy verify params across */
X509_STORE_CTX_set0_param(&crl_ctx, ctx->param);
crl_ctx.parent = ctx;
crl_ctx.verify_cb = ctx->verify_cb;
/* Verify CRL issuer */
ret = X509_verify_cert(&crl_ctx);
if (ret <= 0)
goto err;
/* Check chain is acceptable */
ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
err:
X509_STORE_CTX_cleanup(&crl_ctx);
return ret;
}
/*
* RFC3280 says nothing about the relationship between CRL path and
* certificate path, which could lead to situations where a certificate could
* be revoked or validated by a CA not authorised to do so. RFC5280 is more
* strict and states that the two paths must end in the same trust anchor,
* though some discussions remain... until this is resolved we use the
* RFC5280 version
*/
static int check_crl_chain(X509_STORE_CTX *ctx,
STACK_OF(X509) *cert_path,
STACK_OF(X509) *crl_path)
{
X509 *cert_ta, *crl_ta;
cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
if (!X509_cmp(cert_ta, crl_ta))
return 1;
return 0;
}
/*-
* Check for match between two dist point names: three separate cases.
* 1. Both are relative names and compare X509_NAME types.
* 2. One full, one relative. Compare X509_NAME to GENERAL_NAMES.
* 3. Both are full names and compare two GENERAL_NAMES.
* 4. One is NULL: automatic match.
*/
static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
{
X509_NAME *nm = NULL;
GENERAL_NAMES *gens = NULL;
GENERAL_NAME *gena, *genb;
int i, j;
if (!a || !b)
return 1;
if (a->type == 1) {
if (!a->dpname)
return 0;
/* Case 1: two X509_NAME */
if (b->type == 1) {
if (!b->dpname)
return 0;
if (!X509_NAME_cmp(a->dpname, b->dpname))
return 1;
else
return 0;
}
/* Case 2: set name and GENERAL_NAMES appropriately */
nm = a->dpname;
gens = b->name.fullname;
} else if (b->type == 1) {
if (!b->dpname)
return 0;
/* Case 2: set name and GENERAL_NAMES appropriately */
gens = a->name.fullname;
nm = b->dpname;
}
/* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
if (nm) {
for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
gena = sk_GENERAL_NAME_value(gens, i);
if (gena->type != GEN_DIRNAME)
continue;
if (!X509_NAME_cmp(nm, gena->d.directoryName))
return 1;
}
return 0;
}
/* Else case 3: two GENERAL_NAMES */
for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) {
gena = sk_GENERAL_NAME_value(a->name.fullname, i);
for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) {
genb = sk_GENERAL_NAME_value(b->name.fullname, j);
if (!GENERAL_NAME_cmp(gena, genb))
return 1;
}
}
return 0;
}
static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
{
int i;
X509_NAME *nm = X509_CRL_get_issuer(crl);
/* If no CRLissuer return is successful iff don't need a match */
if (!dp->CRLissuer)
return ! !(crl_score & CRL_SCORE_ISSUER_NAME);
for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
if (gen->type != GEN_DIRNAME)
continue;
if (!X509_NAME_cmp(gen->d.directoryName, nm))
return 1;
}
return 0;
}
/* Check CRLDP and IDP */
static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
unsigned int *preasons)
{
int i;
if (crl->idp_flags & IDP_ONLYATTR)
return 0;
if (x->ex_flags & EXFLAG_CA) {
if (crl->idp_flags & IDP_ONLYUSER)
return 0;
} else {
if (crl->idp_flags & IDP_ONLYCA)
return 0;
}
*preasons = crl->idp_reasons;
for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {
DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
if (crldp_check_crlissuer(dp, crl, crl_score)) {
if (!crl->idp || idp_check_dp(dp->distpoint, crl->idp->distpoint)) {
*preasons &= dp->dp_reasons;
return 1;
}
}
}
if ((!crl->idp || !crl->idp->distpoint)
&& (crl_score & CRL_SCORE_ISSUER_NAME))
return 1;
return 0;
}
/*
* Retrieve CRL corresponding to current certificate. If deltas enabled try
* to find a delta CRL too
*/
static int get_crl_delta(X509_STORE_CTX *ctx,
X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
{
int ok;
X509 *issuer = NULL;
int crl_score = 0;
unsigned int reasons;
X509_CRL *crl = NULL, *dcrl = NULL;
STACK_OF(X509_CRL) *skcrl;
X509_NAME *nm = X509_get_issuer_name(x);
reasons = ctx->current_reasons;
ok = get_crl_sk(ctx, &crl, &dcrl,
&issuer, &crl_score, &reasons, ctx->crls);
if (ok)
goto done;
/* Lookup CRLs from store */
skcrl = ctx->lookup_crls(ctx, nm);
/* If no CRLs found and a near match from get_crl_sk use that */
if (!skcrl && crl)
goto done;
get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl);
sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
done:
/* If we got any kind of CRL use it and return success */
if (crl) {
ctx->current_issuer = issuer;
ctx->current_crl_score = crl_score;
ctx->current_reasons = reasons;
*pcrl = crl;
*pdcrl = dcrl;
return 1;
}
return 0;
}
/* Check CRL validity */
static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
{
X509 *issuer = NULL;
EVP_PKEY *ikey = NULL;
int cnum = ctx->error_depth;
int chnum = sk_X509_num(ctx->chain) - 1;
/* if we have an alternative CRL issuer cert use that */
if (ctx->current_issuer)
issuer = ctx->current_issuer;
/*
* Else find CRL issuer: if not last certificate then issuer is next
* certificate in chain.
*/
else if (cnum < chnum)
issuer = sk_X509_value(ctx->chain, cnum + 1);
else {
issuer = sk_X509_value(ctx->chain, chnum);
/* If not self signed, can't check signature */
if (!ctx->check_issued(ctx, issuer, issuer) &&
!verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER))
return 0;
}
if (issuer == NULL)
return 1;
/*
* Skip most tests for deltas because they have already been done
*/
if (!crl->base_crl_number) {
/* Check for cRLSign bit if keyUsage present */
if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
!(issuer->ex_kusage & KU_CRL_SIGN) &&
!verify_cb_crl(ctx, X509_V_ERR_KEYUSAGE_NO_CRL_SIGN))
return 0;
if (!(ctx->current_crl_score & CRL_SCORE_SCOPE) &&
!verify_cb_crl(ctx, X509_V_ERR_DIFFERENT_CRL_SCOPE))
return 0;
if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH) &&
check_crl_path(ctx, ctx->current_issuer) <= 0 &&
!verify_cb_crl(ctx, X509_V_ERR_CRL_PATH_VALIDATION_ERROR))
return 0;
if ((crl->idp_flags & IDP_INVALID) &&
!verify_cb_crl(ctx, X509_V_ERR_INVALID_EXTENSION))
return 0;
}
if (!(ctx->current_crl_score & CRL_SCORE_TIME) &&
!check_crl_time(ctx, crl, 1))
return 0;
/* Attempt to get issuer certificate public key */
ikey = X509_get0_pubkey(issuer);
if (!ikey &&
!verify_cb_crl(ctx, X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY))
return 0;
if (ikey) {
int rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags);
if (rv != X509_V_OK && !verify_cb_crl(ctx, rv))
return 0;
/* Verify CRL signature */
if (X509_CRL_verify(crl, ikey) <= 0 &&
!verify_cb_crl(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE))
return 0;
}
return 1;
}
/* Check certificate against CRL */
static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
{
X509_REVOKED *rev;
/*
* The rules changed for this... previously if a CRL contained unhandled
* critical extensions it could still be used to indicate a certificate
* was revoked. This has since been changed since critical extensions can
* change the meaning of CRL entries.
*/
if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
&& (crl->flags & EXFLAG_CRITICAL) &&
!verify_cb_crl(ctx, X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION))
return 0;
/*
* Look for serial number of certificate in CRL. If found, make sure
* reason is not removeFromCRL.
*/
if (X509_CRL_get0_by_cert(crl, &rev, x)) {
if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
return 2;
if (!verify_cb_crl(ctx, X509_V_ERR_CERT_REVOKED))
return 0;
}
return 1;
}
static int check_policy(X509_STORE_CTX *ctx)
{
int ret;
if (ctx->parent)
return 1;
/*
* With DANE, the trust anchor might be a bare public key, not a
* certificate! In that case our chain does not have the trust anchor
* certificate as a top-most element. This comports well with RFC5280
* chain verification, since there too, the trust anchor is not part of the
* chain to be verified. In particular, X509_policy_check() does not look
* at the TA cert, but assumes that it is present as the top-most chain
* element. We therefore temporarily push a NULL cert onto the chain if it
* was verified via a bare public key, and pop it off right after the
* X509_policy_check() call.
*/
if (ctx->bare_ta_signed && !sk_X509_push(ctx->chain, NULL)) {
X509err(X509_F_CHECK_POLICY, ERR_R_MALLOC_FAILURE);
ctx->error = X509_V_ERR_OUT_OF_MEM;
return 0;
}
ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
ctx->param->policies, ctx->param->flags);
if (ctx->bare_ta_signed)
sk_X509_pop(ctx->chain);
if (ret == X509_PCY_TREE_INTERNAL) {
X509err(X509_F_CHECK_POLICY, ERR_R_MALLOC_FAILURE);
ctx->error = X509_V_ERR_OUT_OF_MEM;
return 0;
}
/* Invalid or inconsistent extensions */
if (ret == X509_PCY_TREE_INVALID) {
int i;
/* Locate certificates with bad extensions and notify callback. */
for (i = 1; i < sk_X509_num(ctx->chain); i++) {
X509 *x = sk_X509_value(ctx->chain, i);
if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
continue;
if (!verify_cb_cert(ctx, x, i,
X509_V_ERR_INVALID_POLICY_EXTENSION))
return 0;
}
return 1;
}
if (ret == X509_PCY_TREE_FAILURE) {
ctx->current_cert = NULL;
ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
return ctx->verify_cb(0, ctx);
}
if (ret != X509_PCY_TREE_VALID) {
X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
return 0;
}
if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
ctx->current_cert = NULL;
/*
* Verification errors need to be "sticky", a callback may have allowed
* an SSL handshake to continue despite an error, and we must then
* remain in an error state. Therefore, we MUST NOT clear earlier
* verification errors by setting the error to X509_V_OK.
*/
if (!ctx->verify_cb(2, ctx))
return 0;
}
return 1;
}
/*-
* Check certificate validity times.
* If depth >= 0, invoke verification callbacks on error, otherwise just return
* the validation status.
*
* Return 1 on success, 0 otherwise.
*/
int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth)
{
time_t *ptime;
int i;
if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
ptime = &ctx->param->check_time;
else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME)
return 1;
else
ptime = NULL;
i = X509_cmp_time(X509_get0_notBefore(x), ptime);
if (i >= 0 && depth < 0)
return 0;
if (i == 0 && !verify_cb_cert(ctx, x, depth,
X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD))
return 0;
if (i > 0 && !verify_cb_cert(ctx, x, depth, X509_V_ERR_CERT_NOT_YET_VALID))
return 0;
i = X509_cmp_time(X509_get0_notAfter(x), ptime);
if (i <= 0 && depth < 0)
return 0;
if (i == 0 && !verify_cb_cert(ctx, x, depth,
X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD))
return 0;
if (i < 0 && !verify_cb_cert(ctx, x, depth, X509_V_ERR_CERT_HAS_EXPIRED))
return 0;
return 1;
}
/* verify the issuer signatures and cert times of ctx->chain */
static int internal_verify(X509_STORE_CTX *ctx)
{
int n = sk_X509_num(ctx->chain) - 1;
X509 *xi = sk_X509_value(ctx->chain, n);
X509 *xs;
/*
* With DANE-verified bare public key TA signatures, it remains only to
* check the timestamps of the top certificate. We report the issuer as
* NULL, since all we have is a bare key.
*/
if (ctx->bare_ta_signed) {
xs = xi;
xi = NULL;
goto check_cert_time;
}
if (ctx->check_issued(ctx, xi, xi))
xs = xi; /* the typical case: last cert in the chain is self-issued */
else {
if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
xs = xi;
goto check_cert_time;
}
if (n <= 0) {
if (!verify_cb_cert(ctx, xi, 0,
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
return 0;
xs = xi;
goto check_cert_time;
}
n--;
ctx->error_depth = n;
xs = sk_X509_value(ctx->chain, n);
}
/*
* Do not clear ctx->error=0, it must be "sticky", only the user's callback
* is allowed to reset errors (at its own peril).
*/
while (n >= 0) {
/*
* For each iteration of this loop:
* n is the subject depth
* xs is the subject cert, for which the signature is to be checked
* xi is the supposed issuer cert containing the public key to use
* Initially xs == xi if the last cert in the chain is self-issued.
*
* Skip signature check for self-signed certificates unless explicitly
* asked for because it does not add any security and just wastes time.
*/
if (xs != xi || ((ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)
&& (xi->ex_flags & EXFLAG_SS) != 0)) {
EVP_PKEY *pkey;
/*
* If the issuer's public key is not available or its key usage
* does not support issuing the subject cert, report the issuer
* cert and its depth (rather than n, the depth of the subject).
*/
int issuer_depth = n + (xs == xi ? 0 : 1);
/*
* According to https://tools.ietf.org/html/rfc5280#section-6.1.4
* step (n) we must check any given key usage extension in a CA cert
* when preparing the verification of a certificate issued by it.
* According to https://tools.ietf.org/html/rfc5280#section-4.2.1.3
* we must not verify a certifiate signature if the key usage of the
* CA certificate that issued the certificate prohibits signing.
* In case the 'issuing' certificate is the last in the chain and is
* not a CA certificate but a 'self-issued' end-entity cert (i.e.,
* xs == xi && !(xi->ex_flags & EXFLAG_CA)) RFC 5280 does not apply
* (see https://tools.ietf.org/html/rfc6818#section-2) and thus
* we are free to ignore any key usage restrictions on such certs.
*/
int ret = xs == xi && (xi->ex_flags & EXFLAG_CA) == 0
? X509_V_OK : x509_signing_allowed(xi, xs);
if (ret != X509_V_OK && !verify_cb_cert(ctx, xi, issuer_depth, ret))
return 0;
if ((pkey = X509_get0_pubkey(xi)) == NULL) {
ret = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
if (!verify_cb_cert(ctx, xi, issuer_depth, ret))
return 0;
} else if (X509_verify(xs, pkey) <= 0) {
ret = X509_V_ERR_CERT_SIGNATURE_FAILURE;
if (!verify_cb_cert(ctx, xs, n, ret))
return 0;
}
}
check_cert_time: /* in addition to RFC 5280, do also for trusted (root) cert */
/* Calls verify callback as needed */
if (!x509_check_cert_time(ctx, xs, n))
return 0;
/*
* Signal success at this depth. However, the previous error (if any)
* is retained.
*/
ctx->current_issuer = xi;
ctx->current_cert = xs;
ctx->error_depth = n;
if (!ctx->verify_cb(1, ctx))
return 0;
if (--n >= 0) {
xi = xs;
xs = sk_X509_value(ctx->chain, n);
}
}
return 1;
}
int X509_cmp_current_time(const ASN1_TIME *ctm)
{
return X509_cmp_time(ctm, NULL);
}
int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
{
static const size_t utctime_length = sizeof("YYMMDDHHMMSSZ") - 1;
static const size_t generalizedtime_length = sizeof("YYYYMMDDHHMMSSZ") - 1;
ASN1_TIME *asn1_cmp_time = NULL;
int i, day, sec, ret = 0;
#ifdef CHARSET_EBCDIC
const char upper_z = 0x5A;
#else
const char upper_z = 'Z';
#endif
/*
* Note that ASN.1 allows much more slack in the time format than RFC5280.
* In RFC5280, the representation is fixed:
* UTCTime: YYMMDDHHMMSSZ
* GeneralizedTime: YYYYMMDDHHMMSSZ
*
* We do NOT currently enforce the following RFC 5280 requirement:
* "CAs conforming to this profile MUST always encode certificate
* validity dates through the year 2049 as UTCTime; certificate validity
* dates in 2050 or later MUST be encoded as GeneralizedTime."
*/
switch (ctm->type) {
case V_ASN1_UTCTIME:
if (ctm->length != (int)(utctime_length))
return 0;
break;
case V_ASN1_GENERALIZEDTIME:
if (ctm->length != (int)(generalizedtime_length))
return 0;
break;
default:
return 0;
}
/**
* Verify the format: the ASN.1 functions we use below allow a more
* flexible format than what's mandated by RFC 5280.
* Digit and date ranges will be verified in the conversion methods.
*/
for (i = 0; i < ctm->length - 1; i++) {
if (!ascii_isdigit(ctm->data[i]))
return 0;
}
if (ctm->data[ctm->length - 1] != upper_z)
return 0;
/*
* There is ASN1_UTCTIME_cmp_time_t but no
* ASN1_GENERALIZEDTIME_cmp_time_t or ASN1_TIME_cmp_time_t,
* so we go through ASN.1
*/
asn1_cmp_time = X509_time_adj(NULL, 0, cmp_time);
if (asn1_cmp_time == NULL)
goto err;
if (!ASN1_TIME_diff(&day, &sec, ctm, asn1_cmp_time))
goto err;
/*
* X509_cmp_time comparison is <=.
* The return value 0 is reserved for errors.
*/
ret = (day >= 0 && sec >= 0) ? -1 : 1;
err:
ASN1_TIME_free(asn1_cmp_time);
return ret;
}
ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
{
return X509_time_adj(s, adj, NULL);
}
ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
{
return X509_time_adj_ex(s, 0, offset_sec, in_tm);
}
ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
int offset_day, long offset_sec, time_t *in_tm)
{
time_t t;
if (in_tm)
t = *in_tm;
else
time(&t);
if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) {
if (s->type == V_ASN1_UTCTIME)
return ASN1_UTCTIME_adj(s, t, offset_day, offset_sec);
if (s->type == V_ASN1_GENERALIZEDTIME)
return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, offset_sec);
}
return ASN1_TIME_adj(s, t, offset_day, offset_sec);
}
int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
{
EVP_PKEY *ktmp = NULL, *ktmp2;
int i, j;
if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey))
return 1;
for (i = 0; i < sk_X509_num(chain); i++) {
ktmp = X509_get0_pubkey(sk_X509_value(chain, i));
if (ktmp == NULL) {
X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,
X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
return 0;
}
if (!EVP_PKEY_missing_parameters(ktmp))
break;
}
if (ktmp == NULL) {
X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,
X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
return 0;
}
/* first, populate the other certs */
for (j = i - 1; j >= 0; j--) {
ktmp2 = X509_get0_pubkey(sk_X509_value(chain, j));
EVP_PKEY_copy_parameters(ktmp2, ktmp);
}
if (pkey != NULL)
EVP_PKEY_copy_parameters(pkey, ktmp);
return 1;
}
/* Make a delta CRL as the diff between two full CRLs */
X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
EVP_PKEY *skey, const EVP_MD *md, unsigned int flags)
{
X509_CRL *crl = NULL;
int i;
STACK_OF(X509_REVOKED) *revs = NULL;
/* CRLs can't be delta already */
if (base->base_crl_number || newer->base_crl_number) {
X509err(X509_F_X509_CRL_DIFF, X509_R_CRL_ALREADY_DELTA);
return NULL;
}
/* Base and new CRL must have a CRL number */
if (!base->crl_number || !newer->crl_number) {
X509err(X509_F_X509_CRL_DIFF, X509_R_NO_CRL_NUMBER);
return NULL;
}
/* Issuer names must match */
if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(newer))) {
X509err(X509_F_X509_CRL_DIFF, X509_R_ISSUER_MISMATCH);
return NULL;
}
/* AKID and IDP must match */
if (!crl_extension_match(base, newer, NID_authority_key_identifier)) {
X509err(X509_F_X509_CRL_DIFF, X509_R_AKID_MISMATCH);
return NULL;
}
if (!crl_extension_match(base, newer, NID_issuing_distribution_point)) {
X509err(X509_F_X509_CRL_DIFF, X509_R_IDP_MISMATCH);
return NULL;
}
/* Newer CRL number must exceed full CRL number */
if (ASN1_INTEGER_cmp(newer->crl_number, base->crl_number) <= 0) {
X509err(X509_F_X509_CRL_DIFF, X509_R_NEWER_CRL_NOT_NEWER);
return NULL;
}
/* CRLs must verify */
if (skey && (X509_CRL_verify(base, skey) <= 0 ||
X509_CRL_verify(newer, skey) <= 0)) {
X509err(X509_F_X509_CRL_DIFF, X509_R_CRL_VERIFY_FAILURE);
return NULL;
}
/* Create new CRL */
crl = X509_CRL_new();
if (crl == NULL || !X509_CRL_set_version(crl, 1))
goto memerr;
/* Set issuer name */
if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer)))
goto memerr;
if (!X509_CRL_set1_lastUpdate(crl, X509_CRL_get0_lastUpdate(newer)))
goto memerr;
if (!X509_CRL_set1_nextUpdate(crl, X509_CRL_get0_nextUpdate(newer)))
goto memerr;
/* Set base CRL number: must be critical */
if (!X509_CRL_add1_ext_i2d(crl, NID_delta_crl, base->crl_number, 1, 0))
goto memerr;
/*
* Copy extensions across from newest CRL to delta: this will set CRL
* number to correct value too.
*/
for (i = 0; i < X509_CRL_get_ext_count(newer); i++) {
X509_EXTENSION *ext;
ext = X509_CRL_get_ext(newer, i);
if (!X509_CRL_add_ext(crl, ext, -1))
goto memerr;
}
/* Go through revoked entries, copying as needed */
revs = X509_CRL_get_REVOKED(newer);
for (i = 0; i < sk_X509_REVOKED_num(revs); i++) {
X509_REVOKED *rvn, *rvtmp;
rvn = sk_X509_REVOKED_value(revs, i);
/*
* Add only if not also in base. TODO: need something cleverer here
* for some more complex CRLs covering multiple CAs.
*/
if (!X509_CRL_get0_by_serial(base, &rvtmp, &rvn->serialNumber)) {
rvtmp = X509_REVOKED_dup(rvn);
if (!rvtmp)
goto memerr;
if (!X509_CRL_add0_revoked(crl, rvtmp)) {
X509_REVOKED_free(rvtmp);
goto memerr;
}
}
}
/* TODO: optionally prune deleted entries */
if (skey && md && !X509_CRL_sign(crl, skey, md))
goto memerr;
return crl;
memerr:
X509err(X509_F_X509_CRL_DIFF, ERR_R_MALLOC_FAILURE);
X509_CRL_free(crl);
return NULL;
}
int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
{
return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);
}
void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
{
return CRYPTO_get_ex_data(&ctx->ex_data, idx);
}
int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
{
return ctx->error;
}
void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
{
ctx->error = err;
}
int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
{
return ctx->error_depth;
}
void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth)
{
ctx->error_depth = depth;
}
X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
{
return ctx->current_cert;
}
void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x)
{
ctx->current_cert = x;
}
STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx)
{
return ctx->chain;
}
STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
{
if (!ctx->chain)
return NULL;
return X509_chain_up_ref(ctx->chain);
}
X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
{
return ctx->current_issuer;
}
X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
{
return ctx->current_crl;
}
X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
{
return ctx->parent;
}
void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
{
ctx->cert = x;
}
void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
{
ctx->crls = sk;
}
int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
{
/*
* XXX: Why isn't this function always used to set the associated trust?
* Should there even be a VPM->trust field at all? Or should the trust
* always be inferred from the purpose by X509_STORE_CTX_init().
*/
return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
}
int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
{
/*
* XXX: See above, this function would only be needed when the default
* trust for the purpose needs an override in a corner case.
*/
return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
}
/*
* This function is used to set the X509_STORE_CTX purpose and trust values.
* This is intended to be used when another structure has its own trust and
* purpose values which (if set) will be inherited by the ctx. If they aren't
* set then we will usually have a default purpose in mind which should then
* be used to set the trust value. An example of this is SSL use: an SSL
* structure will have its own purpose and trust settings which the
* application can set: if they aren't set then we use the default of SSL
* client/server.
*/
int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
int purpose, int trust)
{
int idx;
/* If purpose not set use default */
if (!purpose)
purpose = def_purpose;
+ /*
+ * If purpose is set but we don't have a default then set the default to
+ * the current purpose
+ */
+ else if (def_purpose == 0)
+ def_purpose = purpose;
/* If we have a purpose then check it is valid */
if (purpose) {
X509_PURPOSE *ptmp;
idx = X509_PURPOSE_get_by_id(purpose);
if (idx == -1) {
X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
X509_R_UNKNOWN_PURPOSE_ID);
return 0;
}
ptmp = X509_PURPOSE_get0(idx);
if (ptmp->trust == X509_TRUST_DEFAULT) {
idx = X509_PURPOSE_get_by_id(def_purpose);
- /*
- * XXX: In the two callers above def_purpose is always 0, which is
- * not a known value, so idx will always be -1. How is the
- * X509_TRUST_DEFAULT case actually supposed to be handled?
- */
if (idx == -1) {
X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
X509_R_UNKNOWN_PURPOSE_ID);
return 0;
}
ptmp = X509_PURPOSE_get0(idx);
}
/* If trust not set then get from purpose default */
if (!trust)
trust = ptmp->trust;
}
if (trust) {
idx = X509_TRUST_get_by_id(trust);
if (idx == -1) {
X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
X509_R_UNKNOWN_TRUST_ID);
return 0;
}
}
if (purpose && !ctx->param->purpose)
ctx->param->purpose = purpose;
if (trust && !ctx->param->trust)
ctx->param->trust = trust;
return 1;
}
X509_STORE_CTX *X509_STORE_CTX_new(void)
{
X509_STORE_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx == NULL) {
X509err(X509_F_X509_STORE_CTX_NEW, ERR_R_MALLOC_FAILURE);
return NULL;
}
return ctx;
}
void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
{
if (ctx == NULL)
return;
X509_STORE_CTX_cleanup(ctx);
OPENSSL_free(ctx);
}
int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
STACK_OF(X509) *chain)
{
int ret = 1;
ctx->ctx = store;
ctx->cert = x509;
ctx->untrusted = chain;
ctx->crls = NULL;
ctx->num_untrusted = 0;
ctx->other_ctx = NULL;
ctx->valid = 0;
ctx->chain = NULL;
ctx->error = 0;
ctx->explicit_policy = 0;
ctx->error_depth = 0;
ctx->current_cert = NULL;
ctx->current_issuer = NULL;
ctx->current_crl = NULL;
ctx->current_crl_score = 0;
ctx->current_reasons = 0;
ctx->tree = NULL;
ctx->parent = NULL;
ctx->dane = NULL;
ctx->bare_ta_signed = 0;
/* Zero ex_data to make sure we're cleanup-safe */
memset(&ctx->ex_data, 0, sizeof(ctx->ex_data));
/* store->cleanup is always 0 in OpenSSL, if set must be idempotent */
if (store)
ctx->cleanup = store->cleanup;
else
ctx->cleanup = 0;
if (store && store->check_issued)
ctx->check_issued = store->check_issued;
else
ctx->check_issued = check_issued;
if (store && store->get_issuer)
ctx->get_issuer = store->get_issuer;
else
ctx->get_issuer = X509_STORE_CTX_get1_issuer;
if (store && store->verify_cb)
ctx->verify_cb = store->verify_cb;
else
ctx->verify_cb = null_callback;
if (store && store->verify)
ctx->verify = store->verify;
else
ctx->verify = internal_verify;
if (store && store->check_revocation)
ctx->check_revocation = store->check_revocation;
else
ctx->check_revocation = check_revocation;
if (store && store->get_crl)
ctx->get_crl = store->get_crl;
else
ctx->get_crl = NULL;
if (store && store->check_crl)
ctx->check_crl = store->check_crl;
else
ctx->check_crl = check_crl;
if (store && store->cert_crl)
ctx->cert_crl = store->cert_crl;
else
ctx->cert_crl = cert_crl;
if (store && store->check_policy)
ctx->check_policy = store->check_policy;
else
ctx->check_policy = check_policy;
if (store && store->lookup_certs)
ctx->lookup_certs = store->lookup_certs;
else
ctx->lookup_certs = X509_STORE_CTX_get1_certs;
if (store && store->lookup_crls)
ctx->lookup_crls = store->lookup_crls;
else
ctx->lookup_crls = X509_STORE_CTX_get1_crls;
ctx->param = X509_VERIFY_PARAM_new();
if (ctx->param == NULL) {
X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
goto err;
}
/*
* Inherit callbacks and flags from X509_STORE if not set use defaults.
*/
if (store)
ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
else
ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT | X509_VP_FLAG_ONCE;
if (ret)
ret = X509_VERIFY_PARAM_inherit(ctx->param,
X509_VERIFY_PARAM_lookup("default"));
if (ret == 0) {
X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
goto err;
}
/*
* XXX: For now, continue to inherit trust from VPM, but infer from the
* purpose if this still yields the default value.
*/
if (ctx->param->trust == X509_TRUST_DEFAULT) {
int idx = X509_PURPOSE_get_by_id(ctx->param->purpose);
X509_PURPOSE *xp = X509_PURPOSE_get0(idx);
if (xp != NULL)
ctx->param->trust = X509_PURPOSE_get_trust(xp);
}
if (CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
&ctx->ex_data))
return 1;
X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
err:
/*
* On error clean up allocated storage, if the store context was not
* allocated with X509_STORE_CTX_new() this is our last chance to do so.
*/
X509_STORE_CTX_cleanup(ctx);
return 0;
}
/*
* Set alternative lookup method: just a STACK of trusted certificates. This
* avoids X509_STORE nastiness where it isn't needed.
*/
void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
{
ctx->other_ctx = sk;
ctx->get_issuer = get_issuer_sk;
ctx->lookup_certs = lookup_certs_sk;
}
void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
{
/*
* We need to be idempotent because, unfortunately, free() also calls
* cleanup(), so the natural call sequence new(), init(), cleanup(), free()
* calls cleanup() for the same object twice! Thus we must zero the
* pointers below after they're freed!
*/
/* Seems to always be 0 in OpenSSL, do this at most once. */
if (ctx->cleanup != NULL) {
ctx->cleanup(ctx);
ctx->cleanup = NULL;
}
if (ctx->param != NULL) {
if (ctx->parent == NULL)
X509_VERIFY_PARAM_free(ctx->param);
ctx->param = NULL;
}
X509_policy_tree_free(ctx->tree);
ctx->tree = NULL;
sk_X509_pop_free(ctx->chain, X509_free);
ctx->chain = NULL;
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data));
memset(&ctx->ex_data, 0, sizeof(ctx->ex_data));
}
void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
{
X509_VERIFY_PARAM_set_depth(ctx->param, depth);
}
void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
{
X509_VERIFY_PARAM_set_flags(ctx->param, flags);
}
void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
time_t t)
{
X509_VERIFY_PARAM_set_time(ctx->param, t);
}
X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
{
return ctx->cert;
}
STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx)
{
return ctx->untrusted;
}
void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
{
ctx->untrusted = sk;
}
void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
{
sk_X509_pop_free(ctx->chain, X509_free);
ctx->chain = sk;
}
void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
X509_STORE_CTX_verify_cb verify_cb)
{
ctx->verify_cb = verify_cb;
}
X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx)
{
return ctx->verify_cb;
}
void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx,
X509_STORE_CTX_verify_fn verify)
{
ctx->verify = verify;
}
X509_STORE_CTX_verify_fn X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx)
{
return ctx->verify;
}
X509_STORE_CTX_get_issuer_fn X509_STORE_CTX_get_get_issuer(X509_STORE_CTX *ctx)
{
return ctx->get_issuer;
}
X509_STORE_CTX_check_issued_fn X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx)
{
return ctx->check_issued;
}
X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(X509_STORE_CTX *ctx)
{
return ctx->check_revocation;
}
X509_STORE_CTX_get_crl_fn X509_STORE_CTX_get_get_crl(X509_STORE_CTX *ctx)
{
return ctx->get_crl;
}
X509_STORE_CTX_check_crl_fn X509_STORE_CTX_get_check_crl(X509_STORE_CTX *ctx)
{
return ctx->check_crl;
}
X509_STORE_CTX_cert_crl_fn X509_STORE_CTX_get_cert_crl(X509_STORE_CTX *ctx)
{
return ctx->cert_crl;
}
X509_STORE_CTX_check_policy_fn X509_STORE_CTX_get_check_policy(X509_STORE_CTX *ctx)
{
return ctx->check_policy;
}
X509_STORE_CTX_lookup_certs_fn X509_STORE_CTX_get_lookup_certs(X509_STORE_CTX *ctx)
{
return ctx->lookup_certs;
}
X509_STORE_CTX_lookup_crls_fn X509_STORE_CTX_get_lookup_crls(X509_STORE_CTX *ctx)
{
return ctx->lookup_crls;
}
X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(X509_STORE_CTX *ctx)
{
return ctx->cleanup;
}
X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
{
return ctx->tree;
}
int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
{
return ctx->explicit_policy;
}
int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx)
{
return ctx->num_untrusted;
}
int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
{
const X509_VERIFY_PARAM *param;
param = X509_VERIFY_PARAM_lookup(name);
if (!param)
return 0;
return X509_VERIFY_PARAM_inherit(ctx->param, param);
}
X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
{
return ctx->param;
}
void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
{
X509_VERIFY_PARAM_free(ctx->param);
ctx->param = param;
}
void X509_STORE_CTX_set0_dane(X509_STORE_CTX *ctx, SSL_DANE *dane)
{
ctx->dane = dane;
}
static unsigned char *dane_i2d(
X509 *cert,
uint8_t selector,
unsigned int *i2dlen)
{
unsigned char *buf = NULL;
int len;
/*
* Extract ASN.1 DER form of certificate or public key.
*/
switch (selector) {
case DANETLS_SELECTOR_CERT:
len = i2d_X509(cert, &buf);
break;
case DANETLS_SELECTOR_SPKI:
len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf);
break;
default:
X509err(X509_F_DANE_I2D, X509_R_BAD_SELECTOR);
return NULL;
}
if (len < 0 || buf == NULL) {
X509err(X509_F_DANE_I2D, ERR_R_MALLOC_FAILURE);
return NULL;
}
*i2dlen = (unsigned int)len;
return buf;
}
#define DANETLS_NONE 256 /* impossible uint8_t */
static int dane_match(X509_STORE_CTX *ctx, X509 *cert, int depth)
{
SSL_DANE *dane = ctx->dane;
unsigned usage = DANETLS_NONE;
unsigned selector = DANETLS_NONE;
unsigned ordinal = DANETLS_NONE;
unsigned mtype = DANETLS_NONE;
unsigned char *i2dbuf = NULL;
unsigned int i2dlen = 0;
unsigned char mdbuf[EVP_MAX_MD_SIZE];
unsigned char *cmpbuf = NULL;
unsigned int cmplen = 0;
int i;
int recnum;
int matched = 0;
danetls_record *t = NULL;
uint32_t mask;
mask = (depth == 0) ? DANETLS_EE_MASK : DANETLS_TA_MASK;
/*
* The trust store is not applicable with DANE-TA(2)
*/
if (depth >= ctx->num_untrusted)
mask &= DANETLS_PKIX_MASK;
/*
* If we've previously matched a PKIX-?? record, no need to test any
* further PKIX-?? records, it remains to just build the PKIX chain.
* Had the match been a DANE-?? record, we'd be done already.
*/
if (dane->mdpth >= 0)
mask &= ~DANETLS_PKIX_MASK;
/*-
* https://tools.ietf.org/html/rfc7671#section-5.1
* https://tools.ietf.org/html/rfc7671#section-5.2
* https://tools.ietf.org/html/rfc7671#section-5.3
* https://tools.ietf.org/html/rfc7671#section-5.4
*
* We handle DANE-EE(3) records first as they require no chain building
* and no expiration or hostname checks. We also process digests with
* higher ordinals first and ignore lower priorities except Full(0) which
* is always processed (last). If none match, we then process PKIX-EE(1).
*
* NOTE: This relies on DANE usages sorting before the corresponding PKIX
* usages in SSL_dane_tlsa_add(), and also on descending sorting of digest
* priorities. See twin comment in ssl/ssl_lib.c.
*
* We expect that most TLSA RRsets will have just a single usage, so we
* don't go out of our way to cache multiple selector-specific i2d buffers
* across usages, but if the selector happens to remain the same as switch
* usages, that's OK. Thus, a set of "3 1 1", "3 0 1", "1 1 1", "1 0 1",
* records would result in us generating each of the certificate and public
* key DER forms twice, but more typically we'd just see multiple "3 1 1"
* or multiple "3 0 1" records.
*
* As soon as we find a match at any given depth, we stop, because either
* we've matched a DANE-?? record and the peer is authenticated, or, after
* exhausting all DANE-?? records, we've matched a PKIX-?? record, which is
* sufficient for DANE, and what remains to do is ordinary PKIX validation.
*/
recnum = (dane->umask & mask) ? sk_danetls_record_num(dane->trecs) : 0;
for (i = 0; matched == 0 && i < recnum; ++i) {
t = sk_danetls_record_value(dane->trecs, i);
if ((DANETLS_USAGE_BIT(t->usage) & mask) == 0)
continue;
if (t->usage != usage) {
usage = t->usage;
/* Reset digest agility for each usage/selector pair */
mtype = DANETLS_NONE;
ordinal = dane->dctx->mdord[t->mtype];
}
if (t->selector != selector) {
selector = t->selector;
/* Update per-selector state */
OPENSSL_free(i2dbuf);
i2dbuf = dane_i2d(cert, selector, &i2dlen);
if (i2dbuf == NULL)
return -1;
/* Reset digest agility for each usage/selector pair */
mtype = DANETLS_NONE;
ordinal = dane->dctx->mdord[t->mtype];
} else if (t->mtype != DANETLS_MATCHING_FULL) {
/*-
* Digest agility:
*
* <https://tools.ietf.org/html/rfc7671#section-9>
*
* For a fixed selector, after processing all records with the
* highest mtype ordinal, ignore all mtypes with lower ordinals
* other than "Full".
*/
if (dane->dctx->mdord[t->mtype] < ordinal)
continue;
}
/*
* Each time we hit a (new selector or) mtype, re-compute the relevant
* digest, more complex caching is not worth the code space.
*/
if (t->mtype != mtype) {
const EVP_MD *md = dane->dctx->mdevp[mtype = t->mtype];
cmpbuf = i2dbuf;
cmplen = i2dlen;
if (md != NULL) {
cmpbuf = mdbuf;
if (!EVP_Digest(i2dbuf, i2dlen, cmpbuf, &cmplen, md, 0)) {
matched = -1;
break;
}
}
}
/*
* Squirrel away the certificate and depth if we have a match. Any
* DANE match is dispositive, but with PKIX we still need to build a
* full chain.
*/
if (cmplen == t->dlen &&
memcmp(cmpbuf, t->data, cmplen) == 0) {
if (DANETLS_USAGE_BIT(usage) & DANETLS_DANE_MASK)
matched = 1;
if (matched || dane->mdpth < 0) {
dane->mdpth = depth;
dane->mtlsa = t;
OPENSSL_free(dane->mcert);
dane->mcert = cert;
X509_up_ref(cert);
}
break;
}
}
/* Clear the one-element DER cache */
OPENSSL_free(i2dbuf);
return matched;
}
static int check_dane_issuer(X509_STORE_CTX *ctx, int depth)
{
SSL_DANE *dane = ctx->dane;
int matched = 0;
X509 *cert;
if (!DANETLS_HAS_TA(dane) || depth == 0)
return X509_TRUST_UNTRUSTED;
/*
* Record any DANE trust-anchor matches, for the first depth to test, if
* there's one at that depth. (This'll be false for length 1 chains looking
* for an exact match for the leaf certificate).
*/
cert = sk_X509_value(ctx->chain, depth);
if (cert != NULL && (matched = dane_match(ctx, cert, depth)) < 0)
return X509_TRUST_REJECTED;
if (matched > 0) {
ctx->num_untrusted = depth - 1;
return X509_TRUST_TRUSTED;
}
return X509_TRUST_UNTRUSTED;
}
static int check_dane_pkeys(X509_STORE_CTX *ctx)
{
SSL_DANE *dane = ctx->dane;
danetls_record *t;
int num = ctx->num_untrusted;
X509 *cert = sk_X509_value(ctx->chain, num - 1);
int recnum = sk_danetls_record_num(dane->trecs);
int i;
for (i = 0; i < recnum; ++i) {
t = sk_danetls_record_value(dane->trecs, i);
if (t->usage != DANETLS_USAGE_DANE_TA ||
t->selector != DANETLS_SELECTOR_SPKI ||
t->mtype != DANETLS_MATCHING_FULL ||
X509_verify(cert, t->spki) <= 0)
continue;
/* Clear any PKIX-?? matches that failed to extend to a full chain */
X509_free(dane->mcert);
dane->mcert = NULL;
/* Record match via a bare TA public key */
ctx->bare_ta_signed = 1;
dane->mdpth = num - 1;
dane->mtlsa = t;
/* Prune any excess chain certificates */
num = sk_X509_num(ctx->chain);
for (; num > ctx->num_untrusted; --num)
X509_free(sk_X509_pop(ctx->chain));
return X509_TRUST_TRUSTED;
}
return X509_TRUST_UNTRUSTED;
}
static void dane_reset(SSL_DANE *dane)
{
/*
* Reset state to verify another chain, or clear after failure.
*/
X509_free(dane->mcert);
dane->mcert = NULL;
dane->mtlsa = NULL;
dane->mdpth = -1;
dane->pdpth = -1;
}
static int check_leaf_suiteb(X509_STORE_CTX *ctx, X509 *cert)
{
int err = X509_chain_check_suiteb(NULL, cert, NULL, ctx->param->flags);
if (err == X509_V_OK)
return 1;
return verify_cb_cert(ctx, cert, 0, err);
}
static int dane_verify(X509_STORE_CTX *ctx)
{
X509 *cert = ctx->cert;
SSL_DANE *dane = ctx->dane;
int matched;
int done;
dane_reset(dane);
/*-
* When testing the leaf certificate, if we match a DANE-EE(3) record,
* dane_match() returns 1 and we're done. If however we match a PKIX-EE(1)
* record, the match depth and matching TLSA record are recorded, but the
* return value is 0, because we still need to find a PKIX trust-anchor.
* Therefore, when DANE authentication is enabled (required), we're done
* if:
* + matched < 0, internal error.
* + matched == 1, we matched a DANE-EE(3) record
* + matched == 0, mdepth < 0 (no PKIX-EE match) and there are no
* DANE-TA(2) or PKIX-TA(0) to test.
*/
matched = dane_match(ctx, ctx->cert, 0);
done = matched != 0 || (!DANETLS_HAS_TA(dane) && dane->mdpth < 0);
if (done)
X509_get_pubkey_parameters(NULL, ctx->chain);
if (matched > 0) {
/* Callback invoked as needed */
if (!check_leaf_suiteb(ctx, cert))
return 0;
/* Callback invoked as needed */
if ((dane->flags & DANE_FLAG_NO_DANE_EE_NAMECHECKS) == 0 &&
!check_id(ctx))
return 0;
/* Bypass internal_verify(), issue depth 0 success callback */
ctx->error_depth = 0;
ctx->current_cert = cert;
return ctx->verify_cb(1, ctx);
}
if (matched < 0) {
ctx->error_depth = 0;
ctx->current_cert = cert;
ctx->error = X509_V_ERR_OUT_OF_MEM;
return -1;
}
if (done) {
/* Fail early, TA-based success is not possible */
if (!check_leaf_suiteb(ctx, cert))
return 0;
return verify_cb_cert(ctx, cert, 0, X509_V_ERR_DANE_NO_MATCH);
}
/*
* Chain verification for usages 0/1/2. TLSA record matching of depth > 0
* certificates happens in-line with building the rest of the chain.
*/
return verify_chain(ctx);
}
/* Get issuer, without duplicate suppression */
static int get_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *cert)
{
STACK_OF(X509) *saved_chain = ctx->chain;
int ok;
ctx->chain = NULL;
ok = ctx->get_issuer(issuer, ctx, cert);
ctx->chain = saved_chain;
return ok;
}
static int augment_stack(STACK_OF(X509) *src, STACK_OF(X509) **dstPtr)
{
if (src) {
STACK_OF(X509) *dst;
int i;
if (*dstPtr == NULL)
return ((*dstPtr = sk_X509_dup(src)) != NULL);
for (dst = *dstPtr, i = 0; i < sk_X509_num(src); ++i) {
if (!sk_X509_push(dst, sk_X509_value(src, i))) {
sk_X509_free(dst);
*dstPtr = NULL;
return 0;
}
}
}
return 1;
}
static int build_chain(X509_STORE_CTX *ctx)
{
SSL_DANE *dane = ctx->dane;
int num = sk_X509_num(ctx->chain);
X509 *cert = sk_X509_value(ctx->chain, num - 1);
int ss = cert_self_signed(cert);
STACK_OF(X509) *sktmp = NULL;
unsigned int search;
int may_trusted = 0;
int may_alternate = 0;
int trust = X509_TRUST_UNTRUSTED;
int alt_untrusted = 0;
int depth;
int ok = 0;
int i;
/* Our chain starts with a single untrusted element. */
if (!ossl_assert(num == 1 && ctx->num_untrusted == num)) {
X509err(X509_F_BUILD_CHAIN, ERR_R_INTERNAL_ERROR);
ctx->error = X509_V_ERR_UNSPECIFIED;
return 0;
}
#define S_DOUNTRUSTED (1 << 0) /* Search untrusted chain */
#define S_DOTRUSTED (1 << 1) /* Search trusted store */
#define S_DOALTERNATE (1 << 2) /* Retry with pruned alternate chain */
/*
* Set up search policy, untrusted if possible, trusted-first if enabled.
* If we're doing DANE and not doing PKIX-TA/PKIX-EE, we never look in the
* trust_store, otherwise we might look there first. If not trusted-first,
* and alternate chains are not disabled, try building an alternate chain
* if no luck with untrusted first.
*/
search = (ctx->untrusted != NULL) ? S_DOUNTRUSTED : 0;
if (DANETLS_HAS_PKIX(dane) || !DANETLS_HAS_DANE(dane)) {
if (search == 0 || ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
search |= S_DOTRUSTED;
else if (!(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS))
may_alternate = 1;
may_trusted = 1;
}
/*
* If we got any "Cert(0) Full(0)" issuer certificates from DNS, *prepend*
* them to our working copy of the untrusted certificate stack. Since the
* caller of X509_STORE_CTX_init() may have provided only a leaf cert with
* no corresponding stack of untrusted certificates, we may need to create
* an empty stack first. [ At present only the ssl library provides DANE
* support, and ssl_verify_cert_chain() always provides a non-null stack
* containing at least the leaf certificate, but we must be prepared for
* this to change. ]
*/
if (DANETLS_ENABLED(dane) && !augment_stack(dane->certs, &sktmp)) {
X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
ctx->error = X509_V_ERR_OUT_OF_MEM;
return 0;
}
/*
* Shallow-copy the stack of untrusted certificates (with TLS, this is
* typically the content of the peer's certificate message) so can make
* multiple passes over it, while free to remove elements as we go.
*/
if (!augment_stack(ctx->untrusted, &sktmp)) {
X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
ctx->error = X509_V_ERR_OUT_OF_MEM;
return 0;
}
/*
* Still absurdly large, but arithmetically safe, a lower hard upper bound
* might be reasonable.
*/
if (ctx->param->depth > INT_MAX/2)
ctx->param->depth = INT_MAX/2;
/*
* Try to Extend the chain until we reach an ultimately trusted issuer.
* Build chains up to one longer the limit, later fail if we hit the limit,
* with an X509_V_ERR_CERT_CHAIN_TOO_LONG error code.
*/
depth = ctx->param->depth + 1;
while (search != 0) {
X509 *x;
X509 *xtmp = NULL;
/*
* Look in the trust store if enabled for first lookup, or we've run
* out of untrusted issuers and search here is not disabled. When we
* reach the depth limit, we stop extending the chain, if by that point
* we've not found a trust-anchor, any trusted chain would be too long.
*
* The error reported to the application verify callback is at the
* maximal valid depth with the current certificate equal to the last
* not ultimately-trusted issuer. For example, with verify_depth = 0,
* the callback will report errors at depth=1 when the immediate issuer
* of the leaf certificate is not a trust anchor. No attempt will be
* made to locate an issuer for that certificate, since such a chain
* would be a-priori too long.
*/
if ((search & S_DOTRUSTED) != 0) {
i = num = sk_X509_num(ctx->chain);
if ((search & S_DOALTERNATE) != 0) {
/*
* As high up the chain as we can, look for an alternative
* trusted issuer of an untrusted certificate that currently
* has an untrusted issuer. We use the alt_untrusted variable
* to track how far up the chain we find the first match. It
* is only if and when we find a match, that we prune the chain
* and reset ctx->num_untrusted to the reduced count of
* untrusted certificates. While we're searching for such a
* match (which may never be found), it is neither safe nor
* wise to preemptively modify either the chain or
* ctx->num_untrusted.
*
* Note, like ctx->num_untrusted, alt_untrusted is a count of
* untrusted certificates, not a "depth".
*/
i = alt_untrusted;
}
x = sk_X509_value(ctx->chain, i-1);
ok = (depth < num) ? 0 : get_issuer(&xtmp, ctx, x);
if (ok < 0) {
trust = X509_TRUST_REJECTED;
ctx->error = X509_V_ERR_STORE_LOOKUP;
search = 0;
continue;
}
if (ok > 0) {
/*
* Alternative trusted issuer for a mid-chain untrusted cert?
* Pop the untrusted cert's successors and retry. We might now
* be able to complete a valid chain via the trust store. Note
* that despite the current trust-store match we might still
* fail complete the chain to a suitable trust-anchor, in which
* case we may prune some more untrusted certificates and try
* again. Thus the S_DOALTERNATE bit may yet be turned on
* again with an even shorter untrusted chain!
*
* If in the process we threw away our matching PKIX-TA trust
* anchor, reset DANE trust. We might find a suitable trusted
* certificate among the ones from the trust store.
*/
if ((search & S_DOALTERNATE) != 0) {
if (!ossl_assert(num > i && i > 0 && ss == 0)) {
X509err(X509_F_BUILD_CHAIN, ERR_R_INTERNAL_ERROR);
X509_free(xtmp);
trust = X509_TRUST_REJECTED;
ctx->error = X509_V_ERR_UNSPECIFIED;
search = 0;
continue;
}
search &= ~S_DOALTERNATE;
for (; num > i; --num)
X509_free(sk_X509_pop(ctx->chain));
ctx->num_untrusted = num;
if (DANETLS_ENABLED(dane) &&
dane->mdpth >= ctx->num_untrusted) {
dane->mdpth = -1;
X509_free(dane->mcert);
dane->mcert = NULL;
}
if (DANETLS_ENABLED(dane) &&
dane->pdpth >= ctx->num_untrusted)
dane->pdpth = -1;
}
/*
* Self-signed untrusted certificates get replaced by their
* trusted matching issuer. Otherwise, grow the chain.
*/
if (ss == 0) {
if (!sk_X509_push(ctx->chain, x = xtmp)) {
X509_free(xtmp);
X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
trust = X509_TRUST_REJECTED;
ctx->error = X509_V_ERR_OUT_OF_MEM;
search = 0;
continue;
}
ss = cert_self_signed(x);
} else if (num == ctx->num_untrusted) {
/*
* We have a self-signed certificate that has the same
* subject name (and perhaps keyid and/or serial number) as
* a trust-anchor. We must have an exact match to avoid
* possible impersonation via key substitution etc.
*/
if (X509_cmp(x, xtmp) != 0) {
/* Self-signed untrusted mimic. */
X509_free(xtmp);
ok = 0;
} else {
X509_free(x);
ctx->num_untrusted = --num;
(void) sk_X509_set(ctx->chain, num, x = xtmp);
}
}
/*
* We've added a new trusted certificate to the chain, recheck
* trust. If not done, and not self-signed look deeper.
* Whether or not we're doing "trusted first", we no longer
* look for untrusted certificates from the peer's chain.
*
* At this point ctx->num_trusted and num must reflect the
* correct number of untrusted certificates, since the DANE
* logic in check_trust() depends on distinguishing CAs from
* "the wire" from CAs from the trust store. In particular, the
* certificate at depth "num" should be the new trusted
* certificate with ctx->num_untrusted <= num.
*/
if (ok) {
if (!ossl_assert(ctx->num_untrusted <= num)) {
X509err(X509_F_BUILD_CHAIN, ERR_R_INTERNAL_ERROR);
trust = X509_TRUST_REJECTED;
ctx->error = X509_V_ERR_UNSPECIFIED;
search = 0;
continue;
}
search &= ~S_DOUNTRUSTED;
switch (trust = check_trust(ctx, num)) {
case X509_TRUST_TRUSTED:
case X509_TRUST_REJECTED:
search = 0;
continue;
}
if (ss == 0)
continue;
}
}
/*
* No dispositive decision, and either self-signed or no match, if
* we were doing untrusted-first, and alt-chains are not disabled,
* do that, by repeatedly losing one untrusted element at a time,
* and trying to extend the shorted chain.
*/
if ((search & S_DOUNTRUSTED) == 0) {
/* Continue search for a trusted issuer of a shorter chain? */
if ((search & S_DOALTERNATE) != 0 && --alt_untrusted > 0)
continue;
/* Still no luck and no fallbacks left? */
if (!may_alternate || (search & S_DOALTERNATE) != 0 ||
ctx->num_untrusted < 2)
break;
/* Search for a trusted issuer of a shorter chain */
search |= S_DOALTERNATE;
alt_untrusted = ctx->num_untrusted - 1;
ss = 0;
}
}
/*
* Extend chain with peer-provided certificates
*/
if ((search & S_DOUNTRUSTED) != 0) {
num = sk_X509_num(ctx->chain);
if (!ossl_assert(num == ctx->num_untrusted)) {
X509err(X509_F_BUILD_CHAIN, ERR_R_INTERNAL_ERROR);
trust = X509_TRUST_REJECTED;
ctx->error = X509_V_ERR_UNSPECIFIED;
search = 0;
continue;
}
x = sk_X509_value(ctx->chain, num-1);
/*
* Once we run out of untrusted issuers, we stop looking for more
* and start looking only in the trust store if enabled.
*/
xtmp = (ss || depth < num) ? NULL : find_issuer(ctx, sktmp, x);
if (xtmp == NULL) {
search &= ~S_DOUNTRUSTED;
if (may_trusted)
search |= S_DOTRUSTED;
continue;
}
/* Drop this issuer from future consideration */
(void) sk_X509_delete_ptr(sktmp, xtmp);
if (!X509_up_ref(xtmp)) {
X509err(X509_F_BUILD_CHAIN, ERR_R_INTERNAL_ERROR);
trust = X509_TRUST_REJECTED;
ctx->error = X509_V_ERR_UNSPECIFIED;
search = 0;
continue;
}
if (!sk_X509_push(ctx->chain, xtmp)) {
X509_free(xtmp);
X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
trust = X509_TRUST_REJECTED;
ctx->error = X509_V_ERR_OUT_OF_MEM;
search = 0;
continue;
}
x = xtmp;
++ctx->num_untrusted;
ss = cert_self_signed(xtmp);
/*
* Check for DANE-TA trust of the topmost untrusted certificate.
*/
switch (trust = check_dane_issuer(ctx, ctx->num_untrusted - 1)) {
case X509_TRUST_TRUSTED:
case X509_TRUST_REJECTED:
search = 0;
continue;
}
}
}
sk_X509_free(sktmp);
/*
* Last chance to make a trusted chain, either bare DANE-TA public-key
* signers, or else direct leaf PKIX trust.
*/
num = sk_X509_num(ctx->chain);
if (num <= depth) {
if (trust == X509_TRUST_UNTRUSTED && DANETLS_HAS_DANE_TA(dane))
trust = check_dane_pkeys(ctx);
if (trust == X509_TRUST_UNTRUSTED && num == ctx->num_untrusted)
trust = check_trust(ctx, num);
}
switch (trust) {
case X509_TRUST_TRUSTED:
return 1;
case X509_TRUST_REJECTED:
/* Callback already issued */
return 0;
case X509_TRUST_UNTRUSTED:
default:
num = sk_X509_num(ctx->chain);
if (num > depth)
return verify_cb_cert(ctx, NULL, num-1,
X509_V_ERR_CERT_CHAIN_TOO_LONG);
if (DANETLS_ENABLED(dane) &&
(!DANETLS_HAS_PKIX(dane) || dane->pdpth >= 0))
return verify_cb_cert(ctx, NULL, num-1, X509_V_ERR_DANE_NO_MATCH);
if (ss && sk_X509_num(ctx->chain) == 1)
return verify_cb_cert(ctx, NULL, num-1,
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT);
if (ss)
return verify_cb_cert(ctx, NULL, num-1,
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN);
if (ctx->num_untrusted < num)
return verify_cb_cert(ctx, NULL, num-1,
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT);
return verify_cb_cert(ctx, NULL, num-1,
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY);
}
}
static const int minbits_table[] = { 80, 112, 128, 192, 256 };
static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
/*
* Check whether the public key of ``cert`` meets the security level of
* ``ctx``.
*
* Returns 1 on success, 0 otherwise.
*/
static int check_key_level(X509_STORE_CTX *ctx, X509 *cert)
{
EVP_PKEY *pkey = X509_get0_pubkey(cert);
int level = ctx->param->auth_level;
/*
* At security level zero, return without checking for a supported public
* key type. Some engines support key types not understood outside the
* engine, and we only need to understand the key when enforcing a security
* floor.
*/
if (level <= 0)
return 1;
/* Unsupported or malformed keys are not secure */
if (pkey == NULL)
return 0;
if (level > NUM_AUTH_LEVELS)
level = NUM_AUTH_LEVELS;
return EVP_PKEY_security_bits(pkey) >= minbits_table[level - 1];
}
/*
* Check whether the public key of ``cert`` does not use explicit params
* for an elliptic curve.
*
* Returns 1 on success, 0 if check fails, -1 for other errors.
*/
static int check_curve(X509 *cert)
{
#ifndef OPENSSL_NO_EC
EVP_PKEY *pkey = X509_get0_pubkey(cert);
/* Unsupported or malformed key */
if (pkey == NULL)
return -1;
if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
int ret;
ret = EC_KEY_decoded_from_explicit_params(EVP_PKEY_get0_EC_KEY(pkey));
return ret < 0 ? ret : !ret;
}
#endif
return 1;
}
/*
* Check whether the signature digest algorithm of ``cert`` meets the security
* level of ``ctx``. Should not be checked for trust anchors (whether
* self-signed or otherwise).
*
* Returns 1 on success, 0 otherwise.
*/
static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert)
{
int secbits = -1;
int level = ctx->param->auth_level;
if (level <= 0)
return 1;
if (level > NUM_AUTH_LEVELS)
level = NUM_AUTH_LEVELS;
if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
return 0;
return secbits >= minbits_table[level - 1];
}
diff --git a/crypto/openssl/crypto/x509v3/v3_utl.c b/crypto/openssl/crypto/x509v3/v3_utl.c
index f41c699b5af0..a7ff4b4fb4d3 100644
--- a/crypto/openssl/crypto/x509v3/v3_utl.c
+++ b/crypto/openssl/crypto/x509v3/v3_utl.c
@@ -1,1273 +1,1284 @@
/*
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
/* X509 v3 extension utilities */
#include "e_os.h"
#include "internal/cryptlib.h"
#include <stdio.h>
#include <string.h>
#include "crypto/ctype.h"
#include <openssl/conf.h>
#include <openssl/crypto.h>
#include <openssl/x509v3.h>
#include "crypto/x509.h"
#include <openssl/bn.h>
#include "ext_dat.h"
static char *strip_spaces(char *name);
static int sk_strcmp(const char *const *a, const char *const *b);
static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name,
GENERAL_NAMES *gens);
static void str_free(OPENSSL_STRING str);
static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, const ASN1_IA5STRING *email);
static int ipv4_from_asc(unsigned char *v4, const char *in);
static int ipv6_from_asc(unsigned char *v6, const char *in);
static int ipv6_cb(const char *elem, int len, void *usr);
static int ipv6_hex(unsigned char *out, const char *in, int inlen);
/* Add a CONF_VALUE name value pair to stack */
static int x509v3_add_len_value(const char *name, const char *value,
size_t vallen, STACK_OF(CONF_VALUE) **extlist)
{
CONF_VALUE *vtmp = NULL;
char *tname = NULL, *tvalue = NULL;
int sk_allocated = (*extlist == NULL);
if (name != NULL && (tname = OPENSSL_strdup(name)) == NULL)
goto err;
if (value != NULL && vallen > 0) {
/*
* We tolerate a single trailing NUL character, but otherwise no
* embedded NULs
*/
if (memchr(value, 0, vallen - 1) != NULL)
goto err;
tvalue = OPENSSL_strndup(value, vallen);
if (tvalue == NULL)
goto err;
}
if ((vtmp = OPENSSL_malloc(sizeof(*vtmp))) == NULL)
goto err;
if (sk_allocated && (*extlist = sk_CONF_VALUE_new_null()) == NULL)
goto err;
vtmp->section = NULL;
vtmp->name = tname;
vtmp->value = tvalue;
if (!sk_CONF_VALUE_push(*extlist, vtmp))
goto err;
return 1;
err:
X509V3err(X509V3_F_X509V3_ADD_LEN_VALUE, ERR_R_MALLOC_FAILURE);
if (sk_allocated) {
sk_CONF_VALUE_free(*extlist);
*extlist = NULL;
}
OPENSSL_free(vtmp);
OPENSSL_free(tname);
OPENSSL_free(tvalue);
return 0;
}
int X509V3_add_value(const char *name, const char *value,
STACK_OF(CONF_VALUE) **extlist)
{
return x509v3_add_len_value(name, value,
value != NULL ? strlen((const char *)value) : 0,
extlist);
}
int X509V3_add_value_uchar(const char *name, const unsigned char *value,
STACK_OF(CONF_VALUE) **extlist)
{
return x509v3_add_len_value(name, (const char *)value,
value != NULL ? strlen((const char *)value) : 0,
extlist);
}
int x509v3_add_len_value_uchar(const char *name, const unsigned char *value,
size_t vallen, STACK_OF(CONF_VALUE) **extlist)
{
return x509v3_add_len_value(name, (const char *)value, vallen, extlist);
}
/* Free function for STACK_OF(CONF_VALUE) */
void X509V3_conf_free(CONF_VALUE *conf)
{
if (!conf)
return;
OPENSSL_free(conf->name);
OPENSSL_free(conf->value);
OPENSSL_free(conf->section);
OPENSSL_free(conf);
}
int X509V3_add_value_bool(const char *name, int asn1_bool,
STACK_OF(CONF_VALUE) **extlist)
{
if (asn1_bool)
return X509V3_add_value(name, "TRUE", extlist);
return X509V3_add_value(name, "FALSE", extlist);
}
int X509V3_add_value_bool_nf(const char *name, int asn1_bool,
STACK_OF(CONF_VALUE) **extlist)
{
if (asn1_bool)
return X509V3_add_value(name, "TRUE", extlist);
return 1;
}
static char *bignum_to_string(const BIGNUM *bn)
{
char *tmp, *ret;
size_t len;
/*
* Display large numbers in hex and small numbers in decimal. Converting to
* decimal takes quadratic time and is no more useful than hex for large
* numbers.
*/
if (BN_num_bits(bn) < 128)
return BN_bn2dec(bn);
tmp = BN_bn2hex(bn);
if (tmp == NULL)
return NULL;
len = strlen(tmp) + 3;
ret = OPENSSL_malloc(len);
if (ret == NULL) {
X509V3err(X509V3_F_BIGNUM_TO_STRING, ERR_R_MALLOC_FAILURE);
OPENSSL_free(tmp);
return NULL;
}
/* Prepend "0x", but place it after the "-" if negative. */
if (tmp[0] == '-') {
OPENSSL_strlcpy(ret, "-0x", len);
OPENSSL_strlcat(ret, tmp + 1, len);
} else {
OPENSSL_strlcpy(ret, "0x", len);
OPENSSL_strlcat(ret, tmp, len);
}
OPENSSL_free(tmp);
return ret;
}
char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *method, const ASN1_ENUMERATED *a)
{
BIGNUM *bntmp = NULL;
char *strtmp = NULL;
if (!a)
return NULL;
if ((bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) == NULL
|| (strtmp = bignum_to_string(bntmp)) == NULL)
X509V3err(X509V3_F_I2S_ASN1_ENUMERATED, ERR_R_MALLOC_FAILURE);
BN_free(bntmp);
return strtmp;
}
char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, const ASN1_INTEGER *a)
{
BIGNUM *bntmp = NULL;
char *strtmp = NULL;
if (!a)
return NULL;
if ((bntmp = ASN1_INTEGER_to_BN(a, NULL)) == NULL
|| (strtmp = bignum_to_string(bntmp)) == NULL)
X509V3err(X509V3_F_I2S_ASN1_INTEGER, ERR_R_MALLOC_FAILURE);
BN_free(bntmp);
return strtmp;
}
ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, const char *value)
{
BIGNUM *bn = NULL;
ASN1_INTEGER *aint;
int isneg, ishex;
int ret;
if (value == NULL) {
X509V3err(X509V3_F_S2I_ASN1_INTEGER, X509V3_R_INVALID_NULL_VALUE);
return NULL;
}
bn = BN_new();
if (bn == NULL) {
X509V3err(X509V3_F_S2I_ASN1_INTEGER, ERR_R_MALLOC_FAILURE);
return NULL;
}
if (value[0] == '-') {
value++;
isneg = 1;
} else
isneg = 0;
if (value[0] == '0' && ((value[1] == 'x') || (value[1] == 'X'))) {
value += 2;
ishex = 1;
} else
ishex = 0;
if (ishex)
ret = BN_hex2bn(&bn, value);
else
ret = BN_dec2bn(&bn, value);
if (!ret || value[ret]) {
BN_free(bn);
X509V3err(X509V3_F_S2I_ASN1_INTEGER, X509V3_R_BN_DEC2BN_ERROR);
return NULL;
}
if (isneg && BN_is_zero(bn))
isneg = 0;
aint = BN_to_ASN1_INTEGER(bn, NULL);
BN_free(bn);
if (!aint) {
X509V3err(X509V3_F_S2I_ASN1_INTEGER,
X509V3_R_BN_TO_ASN1_INTEGER_ERROR);
return NULL;
}
if (isneg)
aint->type |= V_ASN1_NEG;
return aint;
}
int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint,
STACK_OF(CONF_VALUE) **extlist)
{
char *strtmp;
int ret;
if (!aint)
return 1;
if ((strtmp = i2s_ASN1_INTEGER(NULL, aint)) == NULL)
return 0;
ret = X509V3_add_value(name, strtmp, extlist);
OPENSSL_free(strtmp);
return ret;
}
int X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool)
{
const char *btmp;
if ((btmp = value->value) == NULL)
goto err;
if (strcmp(btmp, "TRUE") == 0
|| strcmp(btmp, "true") == 0
|| strcmp(btmp, "Y") == 0
|| strcmp(btmp, "y") == 0
|| strcmp(btmp, "YES") == 0
|| strcmp(btmp, "yes") == 0) {
*asn1_bool = 0xff;
return 1;
}
if (strcmp(btmp, "FALSE") == 0
|| strcmp(btmp, "false") == 0
|| strcmp(btmp, "N") == 0
|| strcmp(btmp, "n") == 0
|| strcmp(btmp, "NO") == 0
|| strcmp(btmp, "no") == 0) {
*asn1_bool = 0;
return 1;
}
err:
X509V3err(X509V3_F_X509V3_GET_VALUE_BOOL,
X509V3_R_INVALID_BOOLEAN_STRING);
X509V3_conf_err(value);
return 0;
}
int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint)
{
ASN1_INTEGER *itmp;
if ((itmp = s2i_ASN1_INTEGER(NULL, value->value)) == NULL) {
X509V3_conf_err(value);
return 0;
}
*aint = itmp;
return 1;
}
#define HDR_NAME 1
#define HDR_VALUE 2
/*
* #define DEBUG
*/
STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line)
{
char *p, *q, c;
char *ntmp, *vtmp;
STACK_OF(CONF_VALUE) *values = NULL;
char *linebuf;
int state;
/* We are going to modify the line so copy it first */
linebuf = OPENSSL_strdup(line);
if (linebuf == NULL) {
X509V3err(X509V3_F_X509V3_PARSE_LIST, ERR_R_MALLOC_FAILURE);
goto err;
}
state = HDR_NAME;
ntmp = NULL;
/* Go through all characters */
for (p = linebuf, q = linebuf; (c = *p) && (c != '\r') && (c != '\n');
p++) {
switch (state) {
case HDR_NAME:
if (c == ':') {
state = HDR_VALUE;
*p = 0;
ntmp = strip_spaces(q);
if (!ntmp) {
X509V3err(X509V3_F_X509V3_PARSE_LIST,
X509V3_R_INVALID_NULL_NAME);
goto err;
}
q = p + 1;
} else if (c == ',') {
*p = 0;
ntmp = strip_spaces(q);
q = p + 1;
if (!ntmp) {
X509V3err(X509V3_F_X509V3_PARSE_LIST,
X509V3_R_INVALID_NULL_NAME);
goto err;
}
X509V3_add_value(ntmp, NULL, &values);
}
break;
case HDR_VALUE:
if (c == ',') {
state = HDR_NAME;
*p = 0;
vtmp = strip_spaces(q);
if (!vtmp) {
X509V3err(X509V3_F_X509V3_PARSE_LIST,
X509V3_R_INVALID_NULL_VALUE);
goto err;
}
X509V3_add_value(ntmp, vtmp, &values);
ntmp = NULL;
q = p + 1;
}
}
}
if (state == HDR_VALUE) {
vtmp = strip_spaces(q);
if (!vtmp) {
X509V3err(X509V3_F_X509V3_PARSE_LIST,
X509V3_R_INVALID_NULL_VALUE);
goto err;
}
X509V3_add_value(ntmp, vtmp, &values);
} else {
ntmp = strip_spaces(q);
if (!ntmp) {
X509V3err(X509V3_F_X509V3_PARSE_LIST, X509V3_R_INVALID_NULL_NAME);
goto err;
}
X509V3_add_value(ntmp, NULL, &values);
}
OPENSSL_free(linebuf);
return values;
err:
OPENSSL_free(linebuf);
sk_CONF_VALUE_pop_free(values, X509V3_conf_free);
return NULL;
}
/* Delete leading and trailing spaces from a string */
static char *strip_spaces(char *name)
{
char *p, *q;
/* Skip over leading spaces */
p = name;
while (*p && ossl_isspace(*p))
p++;
if (!*p)
return NULL;
q = p + strlen(p) - 1;
while ((q != p) && ossl_isspace(*q))
q--;
if (p != q)
q[1] = 0;
if (!*p)
return NULL;
return p;
}
/*
* V2I name comparison function: returns zero if 'name' matches cmp or cmp.*
*/
int name_cmp(const char *name, const char *cmp)
{
int len, ret;
char c;
len = strlen(cmp);
if ((ret = strncmp(name, cmp, len)))
return ret;
c = name[len];
if (!c || (c == '.'))
return 0;
return 1;
}
static int sk_strcmp(const char *const *a, const char *const *b)
{
return strcmp(*a, *b);
}
STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x)
{
GENERAL_NAMES *gens;
STACK_OF(OPENSSL_STRING) *ret;
gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
ret = get_email(X509_get_subject_name(x), gens);
sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
return ret;
}
STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x)
{
AUTHORITY_INFO_ACCESS *info;
STACK_OF(OPENSSL_STRING) *ret = NULL;
int i;
info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL);
if (!info)
return NULL;
for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
if (OBJ_obj2nid(ad->method) == NID_ad_OCSP) {
if (ad->location->type == GEN_URI) {
if (!append_ia5
(&ret, ad->location->d.uniformResourceIdentifier))
break;
}
}
}
AUTHORITY_INFO_ACCESS_free(info);
return ret;
}
STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x)
{
GENERAL_NAMES *gens;
STACK_OF(X509_EXTENSION) *exts;
STACK_OF(OPENSSL_STRING) *ret;
exts = X509_REQ_get_extensions(x);
gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL);
ret = get_email(X509_REQ_get_subject_name(x), gens);
sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
return ret;
}
static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name,
GENERAL_NAMES *gens)
{
STACK_OF(OPENSSL_STRING) *ret = NULL;
X509_NAME_ENTRY *ne;
const ASN1_IA5STRING *email;
GENERAL_NAME *gen;
int i = -1;
/* Now add any email address(es) to STACK */
/* First supplied X509_NAME */
while ((i = X509_NAME_get_index_by_NID(name,
NID_pkcs9_emailAddress, i)) >= 0) {
ne = X509_NAME_get_entry(name, i);
email = X509_NAME_ENTRY_get_data(ne);
if (!append_ia5(&ret, email))
return NULL;
}
for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
gen = sk_GENERAL_NAME_value(gens, i);
if (gen->type != GEN_EMAIL)
continue;
if (!append_ia5(&ret, gen->d.ia5))
return NULL;
}
return ret;
}
static void str_free(OPENSSL_STRING str)
{
OPENSSL_free(str);
}
static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, const ASN1_IA5STRING *email)
{
char *emtmp;
/* First some sanity checks */
if (email->type != V_ASN1_IA5STRING)
return 1;
if (email->data == NULL || email->length == 0)
return 1;
if (memchr(email->data, 0, email->length) != NULL)
return 1;
if (*sk == NULL)
*sk = sk_OPENSSL_STRING_new(sk_strcmp);
if (*sk == NULL)
return 0;
emtmp = OPENSSL_strndup((char *)email->data, email->length);
- if (emtmp == NULL)
+ if (emtmp == NULL) {
+ X509_email_free(*sk);
+ *sk = NULL;
return 0;
+ }
/* Don't add duplicates */
if (sk_OPENSSL_STRING_find(*sk, emtmp) != -1) {
OPENSSL_free(emtmp);
return 1;
}
if (!sk_OPENSSL_STRING_push(*sk, emtmp)) {
OPENSSL_free(emtmp); /* free on push failure */
X509_email_free(*sk);
*sk = NULL;
return 0;
}
return 1;
}
void X509_email_free(STACK_OF(OPENSSL_STRING) *sk)
{
sk_OPENSSL_STRING_pop_free(sk, str_free);
}
typedef int (*equal_fn) (const unsigned char *pattern, size_t pattern_len,
const unsigned char *subject, size_t subject_len,
unsigned int flags);
/* Skip pattern prefix to match "wildcard" subject */
static void skip_prefix(const unsigned char **p, size_t *plen,
size_t subject_len,
unsigned int flags)
{
const unsigned char *pattern = *p;
size_t pattern_len = *plen;
/*
* If subject starts with a leading '.' followed by more octets, and
* pattern is longer, compare just an equal-length suffix with the
* full subject (starting at the '.'), provided the prefix contains
* no NULs.
*/
if ((flags & _X509_CHECK_FLAG_DOT_SUBDOMAINS) == 0)
return;
while (pattern_len > subject_len && *pattern) {
if ((flags & X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS) &&
*pattern == '.')
break;
++pattern;
--pattern_len;
}
/* Skip if entire prefix acceptable */
if (pattern_len == subject_len) {
*p = pattern;
*plen = pattern_len;
}
}
/* Compare while ASCII ignoring case. */
static int equal_nocase(const unsigned char *pattern, size_t pattern_len,
const unsigned char *subject, size_t subject_len,
unsigned int flags)
{
skip_prefix(&pattern, &pattern_len, subject_len, flags);
if (pattern_len != subject_len)
return 0;
while (pattern_len) {
unsigned char l = *pattern;
unsigned char r = *subject;
/* The pattern must not contain NUL characters. */
if (l == 0)
return 0;
if (l != r) {
if ('A' <= l && l <= 'Z')
l = (l - 'A') + 'a';
if ('A' <= r && r <= 'Z')
r = (r - 'A') + 'a';
if (l != r)
return 0;
}
++pattern;
++subject;
--pattern_len;
}
return 1;
}
/* Compare using memcmp. */
static int equal_case(const unsigned char *pattern, size_t pattern_len,
const unsigned char *subject, size_t subject_len,
unsigned int flags)
{
skip_prefix(&pattern, &pattern_len, subject_len, flags);
if (pattern_len != subject_len)
return 0;
return !memcmp(pattern, subject, pattern_len);
}
/*
* RFC 5280, section 7.5, requires that only the domain is compared in a
* case-insensitive manner.
*/
static int equal_email(const unsigned char *a, size_t a_len,
const unsigned char *b, size_t b_len,
unsigned int unused_flags)
{
size_t i = a_len;
if (a_len != b_len)
return 0;
/*
* We search backwards for the '@' character, so that we do not have to
* deal with quoted local-parts. The domain part is compared in a
* case-insensitive manner.
*/
while (i > 0) {
--i;
if (a[i] == '@' || b[i] == '@') {
if (!equal_nocase(a + i, a_len - i, b + i, a_len - i, 0))
return 0;
break;
}
}
if (i == 0)
i = a_len;
return equal_case(a, i, b, i, 0);
}
/*
* Compare the prefix and suffix with the subject, and check that the
* characters in-between are valid.
*/
static int wildcard_match(const unsigned char *prefix, size_t prefix_len,
const unsigned char *suffix, size_t suffix_len,
const unsigned char *subject, size_t subject_len,
unsigned int flags)
{
const unsigned char *wildcard_start;
const unsigned char *wildcard_end;
const unsigned char *p;
int allow_multi = 0;
int allow_idna = 0;
if (subject_len < prefix_len + suffix_len)
return 0;
if (!equal_nocase(prefix, prefix_len, subject, prefix_len, flags))
return 0;
wildcard_start = subject + prefix_len;
wildcard_end = subject + (subject_len - suffix_len);
if (!equal_nocase(wildcard_end, suffix_len, suffix, suffix_len, flags))
return 0;
/*
* If the wildcard makes up the entire first label, it must match at
* least one character.
*/
if (prefix_len == 0 && *suffix == '.') {
if (wildcard_start == wildcard_end)
return 0;
allow_idna = 1;
if (flags & X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS)
allow_multi = 1;
}
/* IDNA labels cannot match partial wildcards */
if (!allow_idna &&
subject_len >= 4 && strncasecmp((char *)subject, "xn--", 4) == 0)
return 0;
/* The wildcard may match a literal '*' */
if (wildcard_end == wildcard_start + 1 && *wildcard_start == '*')
return 1;
/*
* Check that the part matched by the wildcard contains only
* permitted characters and only matches a single label unless
* allow_multi is set.
*/
for (p = wildcard_start; p != wildcard_end; ++p)
if (!(('0' <= *p && *p <= '9') ||
('A' <= *p && *p <= 'Z') ||
('a' <= *p && *p <= 'z') ||
*p == '-' || (allow_multi && *p == '.')))
return 0;
return 1;
}
#define LABEL_START (1 << 0)
#define LABEL_END (1 << 1)
#define LABEL_HYPHEN (1 << 2)
#define LABEL_IDNA (1 << 3)
static const unsigned char *valid_star(const unsigned char *p, size_t len,
unsigned int flags)
{
const unsigned char *star = 0;
size_t i;
int state = LABEL_START;
int dots = 0;
for (i = 0; i < len; ++i) {
/*
* Locate first and only legal wildcard, either at the start
* or end of a non-IDNA first and not final label.
*/
if (p[i] == '*') {
int atstart = (state & LABEL_START);
int atend = (i == len - 1 || p[i + 1] == '.');
/*-
* At most one wildcard per pattern.
* No wildcards in IDNA labels.
* No wildcards after the first label.
*/
if (star != NULL || (state & LABEL_IDNA) != 0 || dots)
return NULL;
/* Only full-label '*.example.com' wildcards? */
if ((flags & X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS)
&& (!atstart || !atend))
return NULL;
/* No 'foo*bar' wildcards */
if (!atstart && !atend)
return NULL;
star = &p[i];
state &= ~LABEL_START;
} else if (('a' <= p[i] && p[i] <= 'z')
|| ('A' <= p[i] && p[i] <= 'Z')
|| ('0' <= p[i] && p[i] <= '9')) {
if ((state & LABEL_START) != 0
&& len - i >= 4 && strncasecmp((char *)&p[i], "xn--", 4) == 0)
state |= LABEL_IDNA;
state &= ~(LABEL_HYPHEN | LABEL_START);
} else if (p[i] == '.') {
if ((state & (LABEL_HYPHEN | LABEL_START)) != 0)
return NULL;
state = LABEL_START;
++dots;
} else if (p[i] == '-') {
/* no domain/subdomain starts with '-' */
if ((state & LABEL_START) != 0)
return NULL;
state |= LABEL_HYPHEN;
} else
return NULL;
}
/*
* The final label must not end in a hyphen or ".", and
* there must be at least two dots after the star.
*/
if ((state & (LABEL_START | LABEL_HYPHEN)) != 0 || dots < 2)
return NULL;
return star;
}
/* Compare using wildcards. */
static int equal_wildcard(const unsigned char *pattern, size_t pattern_len,
const unsigned char *subject, size_t subject_len,
unsigned int flags)
{
const unsigned char *star = NULL;
/*
* Subject names starting with '.' can only match a wildcard pattern
* via a subject sub-domain pattern suffix match.
*/
if (!(subject_len > 1 && subject[0] == '.'))
star = valid_star(pattern, pattern_len, flags);
if (star == NULL)
return equal_nocase(pattern, pattern_len,
subject, subject_len, flags);
return wildcard_match(pattern, star - pattern,
star + 1, (pattern + pattern_len) - star - 1,
subject, subject_len, flags);
}
/*
* Compare an ASN1_STRING to a supplied string. If they match return 1. If
* cmp_type > 0 only compare if string matches the type, otherwise convert it
* to UTF8.
*/
static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal,
unsigned int flags, const char *b, size_t blen,
char **peername)
{
int rv = 0;
if (!a->data || !a->length)
return 0;
if (cmp_type > 0) {
if (cmp_type != a->type)
return 0;
if (cmp_type == V_ASN1_IA5STRING)
rv = equal(a->data, a->length, (unsigned char *)b, blen, flags);
else if (a->length == (int)blen && !memcmp(a->data, b, blen))
rv = 1;
- if (rv > 0 && peername)
+ if (rv > 0 && peername != NULL) {
*peername = OPENSSL_strndup((char *)a->data, a->length);
+ if (*peername == NULL)
+ return -1;
+ }
} else {
int astrlen;
unsigned char *astr;
astrlen = ASN1_STRING_to_UTF8(&astr, a);
if (astrlen < 0) {
/*
* -1 could be an internal malloc failure or a decoding error from
* malformed input; we can't distinguish.
*/
return -1;
}
rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
- if (rv > 0 && peername)
+ if (rv > 0 && peername != NULL) {
*peername = OPENSSL_strndup((char *)astr, astrlen);
+ if (*peername == NULL) {
+ OPENSSL_free(astr);
+ return -1;
+ }
+ }
OPENSSL_free(astr);
}
return rv;
}
static int do_x509_check(X509 *x, const char *chk, size_t chklen,
unsigned int flags, int check_type, char **peername)
{
GENERAL_NAMES *gens = NULL;
X509_NAME *name = NULL;
int i;
int cnid = NID_undef;
int alt_type;
int san_present = 0;
int rv = 0;
equal_fn equal;
/* See below, this flag is internal-only */
flags &= ~_X509_CHECK_FLAG_DOT_SUBDOMAINS;
if (check_type == GEN_EMAIL) {
cnid = NID_pkcs9_emailAddress;
alt_type = V_ASN1_IA5STRING;
equal = equal_email;
} else if (check_type == GEN_DNS) {
cnid = NID_commonName;
/* Implicit client-side DNS sub-domain pattern */
if (chklen > 1 && chk[0] == '.')
flags |= _X509_CHECK_FLAG_DOT_SUBDOMAINS;
alt_type = V_ASN1_IA5STRING;
if (flags & X509_CHECK_FLAG_NO_WILDCARDS)
equal = equal_nocase;
else
equal = equal_wildcard;
} else {
alt_type = V_ASN1_OCTET_STRING;
equal = equal_case;
}
if (chklen == 0)
chklen = strlen(chk);
gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
if (gens) {
for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
GENERAL_NAME *gen;
ASN1_STRING *cstr;
gen = sk_GENERAL_NAME_value(gens, i);
if (gen->type != check_type)
continue;
san_present = 1;
if (check_type == GEN_EMAIL)
cstr = gen->d.rfc822Name;
else if (check_type == GEN_DNS)
cstr = gen->d.dNSName;
else
cstr = gen->d.iPAddress;
/* Positive on success, negative on error! */
if ((rv = do_check_string(cstr, alt_type, equal, flags,
chk, chklen, peername)) != 0)
break;
}
GENERAL_NAMES_free(gens);
if (rv != 0)
return rv;
if (san_present && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT))
return 0;
}
/* We're done if CN-ID is not pertinent */
if (cnid == NID_undef || (flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT))
return 0;
i = -1;
name = X509_get_subject_name(x);
while ((i = X509_NAME_get_index_by_NID(name, cnid, i)) >= 0) {
const X509_NAME_ENTRY *ne = X509_NAME_get_entry(name, i);
const ASN1_STRING *str = X509_NAME_ENTRY_get_data(ne);
/* Positive on success, negative on error! */
if ((rv = do_check_string(str, -1, equal, flags,
chk, chklen, peername)) != 0)
return rv;
}
return 0;
}
int X509_check_host(X509 *x, const char *chk, size_t chklen,
unsigned int flags, char **peername)
{
if (chk == NULL)
return -2;
/*
* Embedded NULs are disallowed, except as the last character of a
* string of length 2 or more (tolerate caller including terminating
* NUL in string length).
*/
if (chklen == 0)
chklen = strlen(chk);
else if (memchr(chk, '\0', chklen > 1 ? chklen - 1 : chklen))
return -2;
if (chklen > 1 && chk[chklen - 1] == '\0')
--chklen;
return do_x509_check(x, chk, chklen, flags, GEN_DNS, peername);
}
int X509_check_email(X509 *x, const char *chk, size_t chklen,
unsigned int flags)
{
if (chk == NULL)
return -2;
/*
* Embedded NULs are disallowed, except as the last character of a
* string of length 2 or more (tolerate caller including terminating
* NUL in string length).
*/
if (chklen == 0)
chklen = strlen((char *)chk);
else if (memchr(chk, '\0', chklen > 1 ? chklen - 1 : chklen))
return -2;
if (chklen > 1 && chk[chklen - 1] == '\0')
--chklen;
return do_x509_check(x, chk, chklen, flags, GEN_EMAIL, NULL);
}
int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
unsigned int flags)
{
if (chk == NULL)
return -2;
return do_x509_check(x, (char *)chk, chklen, flags, GEN_IPADD, NULL);
}
int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags)
{
unsigned char ipout[16];
size_t iplen;
if (ipasc == NULL)
return -2;
iplen = (size_t)a2i_ipadd(ipout, ipasc);
if (iplen == 0)
return -2;
return do_x509_check(x, (char *)ipout, iplen, flags, GEN_IPADD, NULL);
}
/*
* Convert IP addresses both IPv4 and IPv6 into an OCTET STRING compatible
* with RFC3280.
*/
ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc)
{
unsigned char ipout[16];
ASN1_OCTET_STRING *ret;
int iplen;
/* If string contains a ':' assume IPv6 */
iplen = a2i_ipadd(ipout, ipasc);
if (!iplen)
return NULL;
ret = ASN1_OCTET_STRING_new();
if (ret == NULL)
return NULL;
if (!ASN1_OCTET_STRING_set(ret, ipout, iplen)) {
ASN1_OCTET_STRING_free(ret);
return NULL;
}
return ret;
}
ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc)
{
ASN1_OCTET_STRING *ret = NULL;
unsigned char ipout[32];
char *iptmp = NULL, *p;
int iplen1, iplen2;
p = strchr(ipasc, '/');
if (!p)
return NULL;
iptmp = OPENSSL_strdup(ipasc);
if (!iptmp)
return NULL;
p = iptmp + (p - ipasc);
*p++ = 0;
iplen1 = a2i_ipadd(ipout, iptmp);
if (!iplen1)
goto err;
iplen2 = a2i_ipadd(ipout + iplen1, p);
OPENSSL_free(iptmp);
iptmp = NULL;
if (!iplen2 || (iplen1 != iplen2))
goto err;
ret = ASN1_OCTET_STRING_new();
if (ret == NULL)
goto err;
if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2))
goto err;
return ret;
err:
OPENSSL_free(iptmp);
ASN1_OCTET_STRING_free(ret);
return NULL;
}
int a2i_ipadd(unsigned char *ipout, const char *ipasc)
{
/* If string contains a ':' assume IPv6 */
if (strchr(ipasc, ':')) {
if (!ipv6_from_asc(ipout, ipasc))
return 0;
return 16;
} else {
if (!ipv4_from_asc(ipout, ipasc))
return 0;
return 4;
}
}
static int ipv4_from_asc(unsigned char *v4, const char *in)
{
int a0, a1, a2, a3;
if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4)
return 0;
if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255)
|| (a2 < 0) || (a2 > 255) || (a3 < 0) || (a3 > 255))
return 0;
v4[0] = a0;
v4[1] = a1;
v4[2] = a2;
v4[3] = a3;
return 1;
}
typedef struct {
/* Temporary store for IPV6 output */
unsigned char tmp[16];
/* Total number of bytes in tmp */
int total;
/* The position of a zero (corresponding to '::') */
int zero_pos;
/* Number of zeroes */
int zero_cnt;
} IPV6_STAT;
static int ipv6_from_asc(unsigned char *v6, const char *in)
{
IPV6_STAT v6stat;
v6stat.total = 0;
v6stat.zero_pos = -1;
v6stat.zero_cnt = 0;
/*
* Treat the IPv6 representation as a list of values separated by ':'.
* The presence of a '::' will parse as one, two or three zero length
* elements.
*/
if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat))
return 0;
/* Now for some sanity checks */
if (v6stat.zero_pos == -1) {
/* If no '::' must have exactly 16 bytes */
if (v6stat.total != 16)
return 0;
} else {
/* If '::' must have less than 16 bytes */
if (v6stat.total == 16)
return 0;
/* More than three zeroes is an error */
if (v6stat.zero_cnt > 3)
return 0;
/* Can only have three zeroes if nothing else present */
else if (v6stat.zero_cnt == 3) {
if (v6stat.total > 0)
return 0;
}
/* Can only have two zeroes if at start or end */
else if (v6stat.zero_cnt == 2) {
if ((v6stat.zero_pos != 0)
&& (v6stat.zero_pos != v6stat.total))
return 0;
} else
/* Can only have one zero if *not* start or end */
{
if ((v6stat.zero_pos == 0)
|| (v6stat.zero_pos == v6stat.total))
return 0;
}
}
/* Format result */
if (v6stat.zero_pos >= 0) {
/* Copy initial part */
memcpy(v6, v6stat.tmp, v6stat.zero_pos);
/* Zero middle */
memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);
/* Copy final part */
if (v6stat.total != v6stat.zero_pos)
memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,
v6stat.tmp + v6stat.zero_pos,
v6stat.total - v6stat.zero_pos);
} else
memcpy(v6, v6stat.tmp, 16);
return 1;
}
static int ipv6_cb(const char *elem, int len, void *usr)
{
IPV6_STAT *s = usr;
/* Error if 16 bytes written */
if (s->total == 16)
return 0;
if (len == 0) {
/* Zero length element, corresponds to '::' */
if (s->zero_pos == -1)
s->zero_pos = s->total;
/* If we've already got a :: its an error */
else if (s->zero_pos != s->total)
return 0;
s->zero_cnt++;
} else {
/* If more than 4 characters could be final a.b.c.d form */
if (len > 4) {
/* Need at least 4 bytes left */
if (s->total > 12)
return 0;
/* Must be end of string */
if (elem[len])
return 0;
if (!ipv4_from_asc(s->tmp + s->total, elem))
return 0;
s->total += 4;
} else {
if (!ipv6_hex(s->tmp + s->total, elem, len))
return 0;
s->total += 2;
}
}
return 1;
}
/*
* Convert a string of up to 4 hex digits into the corresponding IPv6 form.
*/
static int ipv6_hex(unsigned char *out, const char *in, int inlen)
{
unsigned char c;
unsigned int num = 0;
int x;
if (inlen > 4)
return 0;
while (inlen--) {
c = *in++;
num <<= 4;
x = OPENSSL_hexchar2int(c);
if (x < 0)
return 0;
num |= (char)x;
}
out[0] = num >> 8;
out[1] = num & 0xff;
return 1;
}
int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE) *dn_sk,
unsigned long chtype)
{
CONF_VALUE *v;
int i, mval, spec_char, plus_char;
char *p, *type;
if (!nm)
return 0;
for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
v = sk_CONF_VALUE_value(dn_sk, i);
type = v->name;
/*
* Skip past any leading X. X: X, etc to allow for multiple instances
*/
for (p = type; *p; p++) {
#ifndef CHARSET_EBCDIC
spec_char = ((*p == ':') || (*p == ',') || (*p == '.'));
#else
spec_char = ((*p == os_toascii[':']) || (*p == os_toascii[','])
|| (*p == os_toascii['.']));
#endif
if (spec_char) {
p++;
if (*p)
type = p;
break;
}
}
#ifndef CHARSET_EBCDIC
plus_char = (*type == '+');
#else
plus_char = (*type == os_toascii['+']);
#endif
if (plus_char) {
mval = -1;
type++;
} else
mval = 0;
if (!X509_NAME_add_entry_by_txt(nm, type, chtype,
(unsigned char *)v->value, -1, -1,
mval))
return 0;
}
return 1;
}
diff --git a/crypto/openssl/doc/man1/cms.pod b/crypto/openssl/doc/man1/cms.pod
index 2caf3ef4d156..c30e834cfae7 100644
--- a/crypto/openssl/doc/man1/cms.pod
+++ b/crypto/openssl/doc/man1/cms.pod
@@ -1,745 +1,748 @@
=pod
=head1 NAME
openssl-cms,
cms - CMS utility
=head1 SYNOPSIS
B<openssl> B<cms>
[B<-help>]
[B<-encrypt>]
[B<-decrypt>]
[B<-sign>]
[B<-verify>]
[B<-cmsout>]
[B<-resign>]
[B<-data_create>]
[B<-data_out>]
[B<-digest_create>]
[B<-digest_verify>]
[B<-compress>]
[B<-uncompress>]
[B<-EncryptedData_encrypt>]
[B<-sign_receipt>]
[B<-verify_receipt receipt>]
[B<-in filename>]
[B<-inform SMIME|PEM|DER>]
[B<-rctform SMIME|PEM|DER>]
[B<-out filename>]
[B<-outform SMIME|PEM|DER>]
[B<-stream -indef -noindef>]
[B<-noindef>]
[B<-content filename>]
[B<-text>]
[B<-noout>]
[B<-print>]
[B<-CAfile file>]
[B<-CApath dir>]
[B<-no-CAfile>]
[B<-no-CApath>]
[B<-attime timestamp>]
[B<-check_ss_sig>]
[B<-crl_check>]
[B<-crl_check_all>]
[B<-explicit_policy>]
[B<-extended_crl>]
[B<-ignore_critical>]
[B<-inhibit_any>]
[B<-inhibit_map>]
[B<-no_check_time>]
[B<-partial_chain>]
[B<-policy arg>]
[B<-policy_check>]
[B<-policy_print>]
[B<-purpose purpose>]
[B<-suiteB_128>]
[B<-suiteB_128_only>]
[B<-suiteB_192>]
[B<-trusted_first>]
[B<-no_alt_chains>]
[B<-use_deltas>]
[B<-auth_level num>]
[B<-verify_depth num>]
[B<-verify_email email>]
[B<-verify_hostname hostname>]
[B<-verify_ip ip>]
[B<-verify_name name>]
[B<-x509_strict>]
[B<-md digest>]
[B<-I<cipher>>]
[B<-nointern>]
[B<-noverify>]
[B<-nocerts>]
[B<-noattr>]
[B<-nosmimecap>]
[B<-binary>]
[B<-crlfeol>]
[B<-asciicrlf>]
[B<-nodetach>]
[B<-certfile file>]
[B<-certsout file>]
[B<-signer file>]
[B<-recip file>]
[B<-keyid>]
[B<-receipt_request_all>]
[B<-receipt_request_first>]
[B<-receipt_request_from emailaddress>]
[B<-receipt_request_to emailaddress>]
[B<-receipt_request_print>]
[B<-secretkey key>]
[B<-secretkeyid id>]
[B<-econtent_type type>]
[B<-inkey file>]
[B<-keyopt name:parameter>]
[B<-passin arg>]
[B<-rand file...>]
[B<-writerand file>]
[B<cert.pem...>]
[B<-to addr>]
[B<-from addr>]
[B<-subject subj>]
[cert.pem]...
=head1 DESCRIPTION
The B<cms> command handles S/MIME v3.1 mail. It can encrypt, decrypt, sign and
verify, compress and uncompress S/MIME messages.
=head1 OPTIONS
There are fourteen operation options that set the type of operation to be
performed. The meaning of the other options varies according to the operation
type.
=over 4
=item B<-help>
Print out a usage message.
=item B<-encrypt>
Encrypt mail for the given recipient certificates. Input file is the message
to be encrypted. The output file is the encrypted mail in MIME format. The
actual CMS type is <B>EnvelopedData<B>.
Note that no revocation check is done for the recipient cert, so if that
key has been compromised, others may be able to decrypt the text.
=item B<-decrypt>
Decrypt mail using the supplied certificate and private key. Expects an
encrypted mail message in MIME format for the input file. The decrypted mail
is written to the output file.
=item B<-debug_decrypt>
This option sets the B<CMS_DEBUG_DECRYPT> flag. This option should be used
with caution: see the notes section below.
=item B<-sign>
Sign mail using the supplied certificate and private key. Input file is
the message to be signed. The signed message in MIME format is written
to the output file.
=item B<-verify>
Verify signed mail. Expects a signed mail message on input and outputs
the signed data. Both clear text and opaque signing is supported.
=item B<-cmsout>
Takes an input message and writes out a PEM encoded CMS structure.
=item B<-resign>
Resign a message: take an existing message and one or more new signers.
=item B<-data_create>
Create a CMS B<Data> type.
=item B<-data_out>
B<Data> type and output the content.
=item B<-digest_create>
Create a CMS B<DigestedData> type.
=item B<-digest_verify>
Verify a CMS B<DigestedData> type and output the content.
=item B<-compress>
Create a CMS B<CompressedData> type. OpenSSL must be compiled with B<zlib>
support for this option to work, otherwise it will output an error.
=item B<-uncompress>
Uncompress a CMS B<CompressedData> type and output the content. OpenSSL must be
compiled with B<zlib> support for this option to work, otherwise it will
output an error.
=item B<-EncryptedData_encrypt>
Encrypt content using supplied symmetric key and algorithm using a CMS
B<EncryptedData> type and output the content.
=item B<-sign_receipt>
Generate and output a signed receipt for the supplied message. The input
message B<must> contain a signed receipt request. Functionality is otherwise
similar to the B<-sign> operation.
=item B<-verify_receipt receipt>
Verify a signed receipt in filename B<receipt>. The input message B<must>
contain the original receipt request. Functionality is otherwise similar
to the B<-verify> operation.
=item B<-in filename>
The input message to be encrypted or signed or the message to be decrypted
or verified.
=item B<-inform SMIME|PEM|DER>
This specifies the input format for the CMS structure. The default
is B<SMIME> which reads an S/MIME format message. B<PEM> and B<DER>
format change this to expect PEM and DER format CMS structures
instead. This currently only affects the input format of the CMS
structure, if no CMS structure is being input (for example with
B<-encrypt> or B<-sign>) this option has no effect.
=item B<-rctform SMIME|PEM|DER>
Specify the format for a signed receipt for use with the B<-receipt_verify>
operation.
=item B<-out filename>
The message text that has been decrypted or verified or the output MIME
format message that has been signed or verified.
=item B<-outform SMIME|PEM|DER>
This specifies the output format for the CMS structure. The default
is B<SMIME> which writes an S/MIME format message. B<PEM> and B<DER>
format change this to write PEM and DER format CMS structures
instead. This currently only affects the output format of the CMS
structure, if no CMS structure is being output (for example with
B<-verify> or B<-decrypt>) this option has no effect.
=item B<-stream -indef -noindef>
The B<-stream> and B<-indef> options are equivalent and enable streaming I/O
for encoding operations. This permits single pass processing of data without
the need to hold the entire contents in memory, potentially supporting very
large files. Streaming is automatically set for S/MIME signing with detached
data if the output format is B<SMIME> it is currently off by default for all
other operations.
=item B<-noindef>
Disable streaming I/O where it would produce and indefinite length constructed
encoding. This option currently has no effect. In future streaming will be
enabled by default on all relevant operations and this option will disable it.
=item B<-content filename>
This specifies a file containing the detached content, this is only
useful with the B<-verify> command. This is only usable if the CMS
structure is using the detached signature form where the content is
not included. This option will override any content if the input format
is S/MIME and it uses the multipart/signed MIME content type.
=item B<-text>
This option adds plain text (text/plain) MIME headers to the supplied
message if encrypting or signing. If decrypting or verifying it strips
off text headers: if the decrypted or verified message is not of MIME
type text/plain then an error occurs.
=item B<-noout>
For the B<-cmsout> operation do not output the parsed CMS structure. This
is useful when combined with the B<-print> option or if the syntax of the CMS
structure is being checked.
=item B<-print>
For the B<-cmsout> operation print out all fields of the CMS structure. This
is mainly useful for testing purposes.
=item B<-CAfile file>
A file containing trusted CA certificates, only used with B<-verify>.
=item B<-CApath dir>
A directory containing trusted CA certificates, only used with
B<-verify>. This directory must be a standard certificate directory: that
is a hash of each subject name (using B<x509 -hash>) should be linked
to each certificate.
=item B<-no-CAfile>
Do not load the trusted CA certificates from the default file location
=item B<-no-CApath>
Do not load the trusted CA certificates from the default directory location
=item B<-md digest>
Digest algorithm to use when signing or resigning. If not present then the
default digest algorithm for the signing key will be used (usually SHA1).
=item B<-I<cipher>>
The encryption algorithm to use. For example triple DES (168 bits) - B<-des3>
or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the
EVP_get_cipherbyname() function) can also be used preceded by a dash, for
example B<-aes-128-cbc>. See L<enc(1)> for a list of ciphers
supported by your version of OpenSSL.
If not specified triple DES is used. Only used with B<-encrypt> and
B<-EncryptedData_create> commands.
=item B<-nointern>
When verifying a message normally certificates (if any) included in
the message are searched for the signing certificate. With this option
only the certificates specified in the B<-certfile> option are used.
The supplied certificates can still be used as untrusted CAs however.
=item B<-noverify>
Do not verify the signers certificate of a signed message.
=item B<-nocerts>
When signing a message the signer's certificate is normally included
with this option it is excluded. This will reduce the size of the
signed message but the verifier must have a copy of the signers certificate
available locally (passed using the B<-certfile> option for example).
=item B<-noattr>
Normally when a message is signed a set of attributes are included which
include the signing time and supported symmetric algorithms. With this
option they are not included.
=item B<-nosmimecap>
Exclude the list of supported algorithms from signed attributes, other options
such as signing time and content type are still included.
=item B<-binary>
Normally the input message is converted to "canonical" format which is
effectively using CR and LF as end of line: as required by the S/MIME
specification. When this option is present no translation occurs. This
is useful when handling binary data which may not be in MIME format.
=item B<-crlfeol>
Normally the output file uses a single B<LF> as end of line. When this
option is present B<CRLF> is used instead.
=item B<-asciicrlf>
When signing use ASCII CRLF format canonicalisation. This strips trailing
whitespace from all lines, deletes trailing blank lines at EOF and sets
the encapsulated content type. This option is normally used with detached
content and an output signature format of DER. This option is not normally
needed when verifying as it is enabled automatically if the encapsulated
content format is detected.
=item B<-nodetach>
When signing a message use opaque signing: this form is more resistant
to translation by mail relays but it cannot be read by mail agents that
do not support S/MIME. Without this option cleartext signing with
the MIME type multipart/signed is used.
=item B<-certfile file>
Allows additional certificates to be specified. When signing these will
be included with the message. When verifying these will be searched for
the signers certificates. The certificates should be in PEM format.
=item B<-certsout file>
Any certificates contained in the message are written to B<file>.
=item B<-signer file>
A signing certificate when signing or resigning a message, this option can be
used multiple times if more than one signer is required. If a message is being
verified then the signers certificates will be written to this file if the
verification was successful.
=item B<-recip file>
When decrypting a message this specifies the recipients certificate. The
certificate must match one of the recipients of the message or an error
occurs.
When encrypting a message this option may be used multiple times to specify
each recipient. This form B<must> be used if customised parameters are
required (for example to specify RSA-OAEP).
Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this
option.
=item B<-keyid>
Use subject key identifier to identify certificates instead of issuer name and
serial number. The supplied certificate B<must> include a subject key
identifier extension. Supported by B<-sign> and B<-encrypt> options.
=item B<-receipt_request_all>, B<-receipt_request_first>
For B<-sign> option include a signed receipt request. Indicate requests should
be provided by all recipient or first tier recipients (those mailed directly
and not from a mailing list). Ignored it B<-receipt_request_from> is included.
=item B<-receipt_request_from emailaddress>
For B<-sign> option include a signed receipt request. Add an explicit email
address where receipts should be supplied.
=item B<-receipt_request_to emailaddress>
Add an explicit email address where signed receipts should be sent to. This
option B<must> but supplied if a signed receipt it requested.
=item B<-receipt_request_print>
For the B<-verify> operation print out the contents of any signed receipt
requests.
=item B<-secretkey key>
Specify symmetric key to use. The key must be supplied in hex format and be
consistent with the algorithm used. Supported by the B<-EncryptedData_encrypt>
B<-EncryptedData_decrypt>, B<-encrypt> and B<-decrypt> options. When used
with B<-encrypt> or B<-decrypt> the supplied key is used to wrap or unwrap the
content encryption key using an AES key in the B<KEKRecipientInfo> type.
=item B<-secretkeyid id>
The key identifier for the supplied symmetric key for B<KEKRecipientInfo> type.
This option B<must> be present if the B<-secretkey> option is used with
B<-encrypt>. With B<-decrypt> operations the B<id> is used to locate the
relevant key if it is not supplied then an attempt is used to decrypt any
B<KEKRecipientInfo> structures.
=item B<-econtent_type type>
Set the encapsulated content type to B<type> if not supplied the B<Data> type
is used. The B<type> argument can be any valid OID name in either text or
numerical format.
=item B<-inkey file>
The private key to use when signing or decrypting. This must match the
corresponding certificate. If this option is not specified then the
private key must be included in the certificate file specified with
the B<-recip> or B<-signer> file. When signing this option can be used
multiple times to specify successive keys.
=item B<-keyopt name:opt>
For signing and encryption this option can be used multiple times to
set customised parameters for the preceding key or certificate. It can
currently be used to set RSA-PSS for signing, RSA-OAEP for encryption
or to modify default parameters for ECDH.
=item B<-passin arg>
The private key password source. For more information about the format of B<arg>
see L<openssl(1)/Pass Phrase Options>.
=item B<-rand file...>
A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
=item [B<-writerand file>]
Writes random data to the specified I<file> upon exit.
This can be used with a subsequent B<-rand> flag.
=item B<cert.pem...>
One or more certificates of message recipients: used when encrypting
a message.
=item B<-to, -from, -subject>
The relevant mail headers. These are included outside the signed
portion of a message so they may be included manually. If signing
then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address.
=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, B<-inhibit_any>,
B<-inhibit_map>, B<-no_alt_chains>, B<-no_check_time>, B<-partial_chain>, B<-policy>,
B<-policy_check>, B<-policy_print>, B<-purpose>, B<-suiteB_128>,
B<-suiteB_128_only>, B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>,
B<-auth_level>, B<-verify_depth>, B<-verify_email>, B<-verify_hostname>,
B<-verify_ip>, B<-verify_name>, B<-x509_strict>
Set various certificate chain validation options. See the
L<verify(1)> manual page for details.
=back
=head1 NOTES
The MIME message must be sent without any blank lines between the
headers and the output. Some mail programs will automatically add
a blank line. Piping the mail directly to sendmail is one way to
achieve the correct format.
The supplied message to be signed or encrypted must include the
necessary MIME headers or many S/MIME clients won't display it
properly (if at all). You can use the B<-text> option to automatically
add plain text headers.
A "signed and encrypted" message is one where a signed message is
then encrypted. This can be produced by encrypting an already signed
message: see the examples section.
This version of the program only allows one signer per message but it
will verify multiple signers on received messages. Some S/MIME clients
choke if a message contains multiple signers. It is possible to sign
messages "in parallel" by signing an already signed message.
The options B<-encrypt> and B<-decrypt> reflect common usage in S/MIME
clients. Strictly speaking these process CMS enveloped data: CMS
encrypted data is used for other purposes.
The B<-resign> option uses an existing message digest when adding a new
signer. This means that attributes must be present in at least one existing
signer using the same message digest or this operation will fail.
The B<-stream> and B<-indef> options enable streaming I/O support.
As a result the encoding is BER using indefinite length constructed encoding
and no longer DER. Streaming is supported for the B<-encrypt> operation and the
B<-sign> operation if the content is not detached.
Streaming is always used for the B<-sign> operation with detached data but
since the content is no longer part of the CMS structure the encoding
remains DER.
If the B<-decrypt> option is used without a recipient certificate then an
attempt is made to locate the recipient by trying each potential recipient
in turn using the supplied private key. To thwart the MMA attack
(Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) all recipients are
tried whether they succeed or not and if no recipients match the message
is "decrypted" using a random key which will typically output garbage.
The B<-debug_decrypt> option can be used to disable the MMA attack protection
and return an error if no recipient can be found: this option should be used
with caution. For a fuller description see L<CMS_decrypt(3)>).
=head1 EXIT CODES
=over 4
=item Z<>0
The operation was completely successfully.
=item Z<>1
An error occurred parsing the command options.
=item Z<>2
One of the input files could not be read.
=item Z<>3
An error occurred creating the CMS file or when reading the MIME
message.
=item Z<>4
An error occurred decrypting or verifying the message.
=item Z<>5
The message was verified correctly but an error occurred writing out
the signers certificates.
=back
=head1 COMPATIBILITY WITH PKCS#7 format.
The B<smime> utility can only process the older B<PKCS#7> format. The B<cms>
utility supports Cryptographic Message Syntax format. Use of some features
will result in messages which cannot be processed by applications which only
support the older format. These are detailed below.
The use of the B<-keyid> option with B<-sign> or B<-encrypt>.
The B<-outform PEM> option uses different headers.
The B<-compress> option.
The B<-secretkey> option when used with B<-encrypt>.
The use of PSS with B<-sign>.
The use of OAEP or non-RSA keys with B<-encrypt>.
Additionally the B<-EncryptedData_create> and B<-data_create> type cannot
be processed by the older B<smime> command.
=head1 EXAMPLES
Create a cleartext signed message:
openssl cms -sign -in message.txt -text -out mail.msg \
-signer mycert.pem
Create an opaque signed message
openssl cms -sign -in message.txt -text -out mail.msg -nodetach \
-signer mycert.pem
Create a signed message, include some additional certificates and
read the private key from another file:
openssl cms -sign -in in.txt -text -out mail.msg \
-signer mycert.pem -inkey mykey.pem -certfile mycerts.pem
Create a signed message with two signers, use key identifier:
openssl cms -sign -in message.txt -text -out mail.msg \
-signer mycert.pem -signer othercert.pem -keyid
Send a signed message under Unix directly to sendmail, including headers:
openssl cms -sign -in in.txt -text -signer mycert.pem \
-from steve@openssl.org -to someone@somewhere \
-subject "Signed message" | sendmail someone@somewhere
Verify a message and extract the signer's certificate if successful:
openssl cms -verify -in mail.msg -signer user.pem -out signedtext.txt
Send encrypted mail using triple DES:
openssl cms -encrypt -in in.txt -from steve@openssl.org \
-to someone@somewhere -subject "Encrypted message" \
-des3 user.pem -out mail.msg
Sign and encrypt mail:
openssl cms -sign -in ml.txt -signer my.pem -text \
| openssl cms -encrypt -out mail.msg \
-from steve@openssl.org -to someone@somewhere \
-subject "Signed and Encrypted message" -des3 user.pem
Note: the encryption command does not include the B<-text> option because the
message being encrypted already has MIME headers.
Decrypt mail:
openssl cms -decrypt -in mail.msg -recip mycert.pem -inkey key.pem
The output from Netscape form signing is a PKCS#7 structure with the
detached signature format. You can use this program to verify the
signature by line wrapping the base64 encoded structure and surrounding
it with:
-----BEGIN PKCS7-----
-----END PKCS7-----
and using the command,
openssl cms -verify -inform PEM -in signature.pem -content content.txt
alternatively you can base64 decode the signature and use
openssl cms -verify -inform DER -in signature.der -content content.txt
Create an encrypted message using 128 bit Camellia:
openssl cms -encrypt -in plain.txt -camellia128 -out mail.msg cert.pem
Add a signer to an existing message:
openssl cms -resign -in mail.msg -signer newsign.pem -out mail2.msg
Sign mail using RSA-PSS:
openssl cms -sign -in message.txt -text -out mail.msg \
-signer mycert.pem -keyopt rsa_padding_mode:pss
Create encrypted mail using RSA-OAEP:
openssl cms -encrypt -in plain.txt -out mail.msg \
-recip cert.pem -keyopt rsa_padding_mode:oaep
Use SHA256 KDF with an ECDH certificate:
openssl cms -encrypt -in plain.txt -out mail.msg \
-recip ecdhcert.pem -keyopt ecdh_kdf_md:sha256
=head1 BUGS
The MIME parser isn't very clever: it seems to handle most messages that I've
thrown at it but it may choke on others.
The code currently will only write out the signer's certificate to a file: if
the signer has a separate encryption certificate this must be manually
extracted. There should be some heuristic that determines the correct
encryption certificate.
Ideally a database should be maintained of a certificates for each email
address.
The code doesn't currently take note of the permitted symmetric encryption
algorithms as supplied in the SMIMECapabilities signed attribute. this means the
user has to manually include the correct encryption algorithm. It should store
the list of permitted ciphers in a database and only use those.
No revocation checking is done on the signer's certificate.
+The B<-binary> option does not work correctly when processing text input which
+(contrary to the S/MIME specification) uses LF rather than CRLF line endings.
+
=head1 HISTORY
The use of multiple B<-signer> options and the B<-resign> command were first
added in OpenSSL 1.0.0.
The B<keyopt> option was added in OpenSSL 1.0.2.
Support for RSA-OAEP and RSA-PSS was added in OpenSSL 1.0.2.
The use of non-RSA keys with B<-encrypt> and B<-decrypt>
was added in OpenSSL 1.0.2.
The -no_alt_chains option was added in OpenSSL 1.0.2b.
=head1 COPYRIGHT
-Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut
diff --git a/crypto/openssl/doc/man3/BIO_ctrl.pod b/crypto/openssl/doc/man3/BIO_ctrl.pod
index 31b18b2879fe..fc51173c8d7a 100644
--- a/crypto/openssl/doc/man3/BIO_ctrl.pod
+++ b/crypto/openssl/doc/man3/BIO_ctrl.pod
@@ -1,155 +1,155 @@
=pod
=head1 NAME
BIO_ctrl, BIO_callback_ctrl, BIO_ptr_ctrl, BIO_int_ctrl, BIO_reset,
BIO_seek, BIO_tell, BIO_flush, BIO_eof, BIO_set_close, BIO_get_close,
BIO_pending, BIO_wpending, BIO_ctrl_pending, BIO_ctrl_wpending,
BIO_get_info_callback, BIO_set_info_callback, BIO_info_cb, BIO_get_ktls_send,
BIO_get_ktls_recv
- BIO control operations
=head1 SYNOPSIS
#include <openssl/bio.h>
typedef int BIO_info_cb(BIO *b, int state, int res);
long BIO_ctrl(BIO *bp, int cmd, long larg, void *parg);
long BIO_callback_ctrl(BIO *b, int cmd, BIO_info_cb *cb);
- char *BIO_ptr_ctrl(BIO *bp, int cmd, long larg);
+ void *BIO_ptr_ctrl(BIO *bp, int cmd, long larg);
long BIO_int_ctrl(BIO *bp, int cmd, long larg, int iarg);
int BIO_reset(BIO *b);
int BIO_seek(BIO *b, int ofs);
int BIO_tell(BIO *b);
int BIO_flush(BIO *b);
int BIO_eof(BIO *b);
int BIO_set_close(BIO *b, long flag);
int BIO_get_close(BIO *b);
int BIO_pending(BIO *b);
int BIO_wpending(BIO *b);
size_t BIO_ctrl_pending(BIO *b);
size_t BIO_ctrl_wpending(BIO *b);
int BIO_get_info_callback(BIO *b, BIO_info_cb **cbp);
int BIO_set_info_callback(BIO *b, BIO_info_cb *cb);
int BIO_get_ktls_send(BIO *b);
int BIO_get_ktls_recv(BIO *b);
=head1 DESCRIPTION
BIO_ctrl(), BIO_callback_ctrl(), BIO_ptr_ctrl() and BIO_int_ctrl()
are BIO "control" operations taking arguments of various types.
These functions are not normally called directly, various macros
are used instead. The standard macros are described below, macros
specific to a particular type of BIO are described in the specific
BIOs manual page as well as any special features of the standard
calls.
BIO_reset() typically resets a BIO to some initial state, in the case
of file related BIOs for example it rewinds the file pointer to the
start of the file.
BIO_seek() resets a file related BIO's (that is file descriptor and
FILE BIOs) file position pointer to B<ofs> bytes from start of file.
BIO_tell() returns the current file position of a file related BIO.
BIO_flush() normally writes out any internally buffered data, in some
cases it is used to signal EOF and that no more data will be written.
BIO_eof() returns 1 if the BIO has read EOF, the precise meaning of
"EOF" varies according to the BIO type.
BIO_set_close() sets the BIO B<b> close flag to B<flag>. B<flag> can
take the value BIO_CLOSE or BIO_NOCLOSE. Typically BIO_CLOSE is used
in a source/sink BIO to indicate that the underlying I/O stream should
be closed when the BIO is freed.
BIO_get_close() returns the BIOs close flag.
BIO_pending(), BIO_ctrl_pending(), BIO_wpending() and BIO_ctrl_wpending()
return the number of pending characters in the BIOs read and write buffers.
Not all BIOs support these calls. BIO_ctrl_pending() and BIO_ctrl_wpending()
return a size_t type and are functions, BIO_pending() and BIO_wpending() are
macros which call BIO_ctrl().
BIO_get_ktls_send() returns 1 if the BIO is using the Kernel TLS data-path for
sending. Otherwise, it returns zero.
BIO_get_ktls_recv() returns 1 if the BIO is using the Kernel TLS data-path for
receiving. Otherwise, it returns zero.
=head1 RETURN VALUES
BIO_reset() normally returns 1 for success and 0 or -1 for failure. File
BIOs are an exception, they return 0 for success and -1 for failure.
BIO_seek() and BIO_tell() both return the current file position on success
and -1 for failure, except file BIOs which for BIO_seek() always return 0
for success and -1 for failure.
BIO_flush() returns 1 for success and 0 or -1 for failure.
BIO_eof() returns 1 if EOF has been reached 0 otherwise.
BIO_set_close() always returns 1.
BIO_get_close() returns the close flag value: BIO_CLOSE or BIO_NOCLOSE.
BIO_pending(), BIO_ctrl_pending(), BIO_wpending() and BIO_ctrl_wpending()
return the amount of pending data.
BIO_get_ktls_send() returns 1 if the BIO is using the Kernel TLS data-path for
sending. Otherwise, it returns zero.
BIO_get_ktls_recv() returns 1 if the BIO is using the Kernel TLS data-path for
receiving. Otherwise, it returns zero.
=head1 NOTES
BIO_flush(), because it can write data may return 0 or -1 indicating
that the call should be retried later in a similar manner to BIO_write_ex().
The BIO_should_retry() call should be used and appropriate action taken
is the call fails.
The return values of BIO_pending() and BIO_wpending() may not reliably
determine the amount of pending data in all cases. For example in the
case of a file BIO some data may be available in the FILE structures
internal buffers but it is not possible to determine this in a
portably way. For other types of BIO they may not be supported.
Filter BIOs if they do not internally handle a particular BIO_ctrl()
operation usually pass the operation to the next BIO in the chain.
This often means there is no need to locate the required BIO for
a particular operation, it can be called on a chain and it will
be automatically passed to the relevant BIO. However, this can cause
unexpected results: for example no current filter BIOs implement
BIO_seek(), but this may still succeed if the chain ends in a FILE
or file descriptor BIO.
Source/sink BIOs return an 0 if they do not recognize the BIO_ctrl()
operation.
=head1 BUGS
Some of the return values are ambiguous and care should be taken. In
particular a return value of 0 can be returned if an operation is not
supported, if an error occurred, if EOF has not been reached and in
the case of BIO_seek() on a file BIO for a successful operation.
=head1 HISTORY
The BIO_get_ktls_send() and BIO_get_ktls_recv() functions were added in
OpenSSL 3.0.0.
=head1 COPYRIGHT
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut
diff --git a/crypto/openssl/doc/man3/BIO_f_base64.pod b/crypto/openssl/doc/man3/BIO_f_base64.pod
index 5097c2849ba1..c2c5309a6017 100644
--- a/crypto/openssl/doc/man3/BIO_f_base64.pod
+++ b/crypto/openssl/doc/man3/BIO_f_base64.pod
@@ -1,91 +1,104 @@
=pod
=head1 NAME
BIO_f_base64 - base64 BIO filter
=head1 SYNOPSIS
=for comment multiple includes
#include <openssl/bio.h>
#include <openssl/evp.h>
const BIO_METHOD *BIO_f_base64(void);
=head1 DESCRIPTION
BIO_f_base64() returns the base64 BIO method. This is a filter
BIO that base64 encodes any data written through it and decodes
any data read through it.
Base64 BIOs do not support BIO_gets() or BIO_puts().
+For writing, output is by default divided to lines of length 64
+characters and there is always a newline at the end of output.
+
+For reading, first line should be at most 1024
+characters long. If it is longer then it is ignored completely.
+Other input lines can be of any length. There must be a newline
+at the end of input.
+
+This behavior can be changed with BIO_FLAGS_BASE64_NO_NL flag.
+
BIO_flush() on a base64 BIO that is being written through is
used to signal that no more data is to be encoded: this is used
to flush the final block through the BIO.
-The flag BIO_FLAGS_BASE64_NO_NL can be set with BIO_set_flags()
-to encode the data all on one line or expect the data to be all
-on one line.
+The flag BIO_FLAGS_BASE64_NO_NL can be set with BIO_set_flags().
+For writing, it causes all data to be written on one line without
+newline at the end.
+For reading, it forces the decoder to process the data regardless
+of newlines. All newlines are ignored and the input does not need
+to contain any newline at all.
=head1 NOTES
Because of the format of base64 encoding the end of the encoded
block cannot always be reliably determined.
=head1 RETURN VALUES
BIO_f_base64() returns the base64 BIO method.
=head1 EXAMPLES
Base64 encode the string "Hello World\n" and write the result
to standard output:
BIO *bio, *b64;
char message[] = "Hello World \n";
b64 = BIO_new(BIO_f_base64());
bio = BIO_new_fp(stdout, BIO_NOCLOSE);
BIO_push(b64, bio);
BIO_write(b64, message, strlen(message));
BIO_flush(b64);
BIO_free_all(b64);
Read Base64 encoded data from standard input and write the decoded
data to standard output:
BIO *bio, *b64, *bio_out;
char inbuf[512];
int inlen;
b64 = BIO_new(BIO_f_base64());
bio = BIO_new_fp(stdin, BIO_NOCLOSE);
bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
BIO_push(b64, bio);
while ((inlen = BIO_read(b64, inbuf, 512)) > 0)
BIO_write(bio_out, inbuf, inlen);
BIO_flush(bio_out);
BIO_free_all(b64);
=head1 BUGS
The ambiguity of EOF in base64 encoded data can cause additional
data following the base64 encoded block to be misinterpreted.
There should be some way of specifying a test that the BIO can perform
to reliably determine EOF (for example a MIME boundary).
=head1 COPYRIGHT
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut
diff --git a/crypto/openssl/doc/man3/BN_add.pod b/crypto/openssl/doc/man3/BN_add.pod
index 1f5e37a4d183..a4912fbab1d5 100644
--- a/crypto/openssl/doc/man3/BN_add.pod
+++ b/crypto/openssl/doc/man3/BN_add.pod
@@ -1,140 +1,140 @@
=pod
=head1 NAME
BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add,
BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_mod_sqrt, BN_exp, BN_mod_exp, BN_gcd -
arithmetic operations on BIGNUMs
=head1 SYNOPSIS
#include <openssl/bn.h>
int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
int BN_sqr(BIGNUM *r, BIGNUM *a, BN_CTX *ctx);
int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *a, const BIGNUM *d,
BN_CTX *ctx);
int BN_mod(BIGNUM *rem, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
int BN_nnmod(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
int BN_mod_add(BIGNUM *r, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
BN_CTX *ctx);
int BN_mod_sub(BIGNUM *r, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
BN_CTX *ctx);
int BN_mod_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
BN_CTX *ctx);
int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx);
int BN_gcd(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
=head1 DESCRIPTION
BN_add() adds I<a> and I<b> and places the result in I<r> (C<r=a+b>).
I<r> may be the same B<BIGNUM> as I<a> or I<b>.
BN_sub() subtracts I<b> from I<a> and places the result in I<r> (C<r=a-b>).
I<r> may be the same B<BIGNUM> as I<a> or I<b>.
BN_mul() multiplies I<a> and I<b> and places the result in I<r> (C<r=a*b>).
I<r> may be the same B<BIGNUM> as I<a> or I<b>.
For multiplication by powers of 2, use L<BN_lshift(3)>.
BN_sqr() takes the square of I<a> and places the result in I<r>
(C<r=a^2>). I<r> and I<a> may be the same B<BIGNUM>.
This function is faster than BN_mul(r,a,a).
BN_div() divides I<a> by I<d> and places the result in I<dv> and the
remainder in I<rem> (C<dv=a/d, rem=a%d>). Either of I<dv> and I<rem> may
be B<NULL>, in which case the respective value is not returned.
The result is rounded towards zero; thus if I<a> is negative, the
remainder will be zero or negative.
For division by powers of 2, use BN_rshift(3).
BN_mod() corresponds to BN_div() with I<dv> set to B<NULL>.
BN_nnmod() reduces I<a> modulo I<m> and places the nonnegative
remainder in I<r>.
BN_mod_add() adds I<a> to I<b> modulo I<m> and places the nonnegative
result in I<r>.
BN_mod_sub() subtracts I<b> from I<a> modulo I<m> and places the
nonnegative result in I<r>.
BN_mod_mul() multiplies I<a> by I<b> and finds the nonnegative
remainder respective to modulus I<m> (C<r=(a*b) mod m>). I<r> may be
the same B<BIGNUM> as I<a> or I<b>. For more efficient algorithms for
repeated computations using the same modulus, see
L<BN_mod_mul_montgomery(3)> and
L<BN_mod_mul_reciprocal(3)>.
BN_mod_sqr() takes the square of I<a> modulo B<m> and places the
result in I<r>.
BN_mod_sqrt() returns the modular square root of I<a> such that
C<in^2 = a (mod p)>. The modulus I<p> must be a
prime, otherwise an error or an incorrect "result" will be returned.
The result is stored into I<in> which can be NULL. The result will be
newly allocated in that case.
BN_exp() raises I<a> to the I<p>-th power and places the result in I<r>
(C<r=a^p>). This function is faster than repeated applications of
BN_mul().
BN_mod_exp() computes I<a> to the I<p>-th power modulo I<m> (C<r=a^p %
m>). This function uses less time and space than BN_exp(). Do not call this
function when B<m> is even and any of the parameters have the
B<BN_FLG_CONSTTIME> flag set.
BN_gcd() computes the greatest common divisor of I<a> and I<b> and
places the result in I<r>. I<r> may be the same B<BIGNUM> as I<a> or
I<b>.
For all functions, I<ctx> is a previously allocated B<BN_CTX> used for
temporary variables; see L<BN_CTX_new(3)>.
Unless noted otherwise, the result B<BIGNUM> must be different from
the arguments.
=head1 RETURN VALUES
The BN_mod_sqrt() returns the result (possibly incorrect if I<p> is
not a prime), or NULL.
For all remaining functions, 1 is returned for success, 0 on error. The return
value should always be checked (e.g., C<if (!BN_add(r,a,b)) goto err;>).
The error codes can be obtained by L<ERR_get_error(3)>.
=head1 SEE ALSO
L<ERR_get_error(3)>, L<BN_CTX_new(3)>,
L<BN_add_word(3)>, L<BN_set_bit(3)>
=head1 COPYRIGHT
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut
diff --git a/crypto/openssl/doc/man3/DEFINE_STACK_OF.pod b/crypto/openssl/doc/man3/DEFINE_STACK_OF.pod
index 43a3214d584a..6f4ac7ec0ef0 100644
--- a/crypto/openssl/doc/man3/DEFINE_STACK_OF.pod
+++ b/crypto/openssl/doc/man3/DEFINE_STACK_OF.pod
@@ -1,271 +1,272 @@
=pod
=head1 NAME
DEFINE_STACK_OF, DEFINE_STACK_OF_CONST, DEFINE_SPECIAL_STACK_OF,
DEFINE_SPECIAL_STACK_OF_CONST,
sk_TYPE_num, sk_TYPE_value, sk_TYPE_new, sk_TYPE_new_null,
sk_TYPE_reserve, sk_TYPE_free, sk_TYPE_zero, sk_TYPE_delete,
sk_TYPE_delete_ptr, sk_TYPE_push, sk_TYPE_unshift, sk_TYPE_pop,
sk_TYPE_shift, sk_TYPE_pop_free, sk_TYPE_insert, sk_TYPE_set,
sk_TYPE_find, sk_TYPE_find_ex, sk_TYPE_sort, sk_TYPE_is_sorted,
sk_TYPE_dup, sk_TYPE_deep_copy, sk_TYPE_set_cmp_func, sk_TYPE_new_reserve
- stack container
=head1 SYNOPSIS
=for comment generic
#include <openssl/safestack.h>
STACK_OF(TYPE)
DEFINE_STACK_OF(TYPE)
DEFINE_STACK_OF_CONST(TYPE)
DEFINE_SPECIAL_STACK_OF(FUNCTYPE, TYPE)
DEFINE_SPECIAL_STACK_OF_CONST(FUNCTYPE, TYPE)
typedef int (*sk_TYPE_compfunc)(const TYPE *const *a, const TYPE *const *b);
typedef TYPE * (*sk_TYPE_copyfunc)(const TYPE *a);
typedef void (*sk_TYPE_freefunc)(TYPE *a);
int sk_TYPE_num(const STACK_OF(TYPE) *sk);
TYPE *sk_TYPE_value(const STACK_OF(TYPE) *sk, int idx);
STACK_OF(TYPE) *sk_TYPE_new(sk_TYPE_compfunc compare);
STACK_OF(TYPE) *sk_TYPE_new_null(void);
int sk_TYPE_reserve(STACK_OF(TYPE) *sk, int n);
void sk_TYPE_free(const STACK_OF(TYPE) *sk);
void sk_TYPE_zero(const STACK_OF(TYPE) *sk);
TYPE *sk_TYPE_delete(STACK_OF(TYPE) *sk, int i);
TYPE *sk_TYPE_delete_ptr(STACK_OF(TYPE) *sk, TYPE *ptr);
int sk_TYPE_push(STACK_OF(TYPE) *sk, const TYPE *ptr);
int sk_TYPE_unshift(STACK_OF(TYPE) *sk, const TYPE *ptr);
TYPE *sk_TYPE_pop(STACK_OF(TYPE) *sk);
TYPE *sk_TYPE_shift(STACK_OF(TYPE) *sk);
void sk_TYPE_pop_free(STACK_OF(TYPE) *sk, sk_TYPE_freefunc freefunc);
int sk_TYPE_insert(STACK_OF(TYPE) *sk, TYPE *ptr, int idx);
TYPE *sk_TYPE_set(STACK_OF(TYPE) *sk, int idx, const TYPE *ptr);
int sk_TYPE_find(STACK_OF(TYPE) *sk, TYPE *ptr);
int sk_TYPE_find_ex(STACK_OF(TYPE) *sk, TYPE *ptr);
void sk_TYPE_sort(const STACK_OF(TYPE) *sk);
int sk_TYPE_is_sorted(const STACK_OF(TYPE) *sk);
STACK_OF(TYPE) *sk_TYPE_dup(const STACK_OF(TYPE) *sk);
STACK_OF(TYPE) *sk_TYPE_deep_copy(const STACK_OF(TYPE) *sk,
sk_TYPE_copyfunc copyfunc,
sk_TYPE_freefunc freefunc);
sk_TYPE_compfunc (*sk_TYPE_set_cmp_func(STACK_OF(TYPE) *sk,
sk_TYPE_compfunc compare));
STACK_OF(TYPE) *sk_TYPE_new_reserve(sk_TYPE_compfunc compare, int n);
=head1 DESCRIPTION
Applications can create and use their own stacks by placing any of the macros
described below in a header file. These macros define typesafe inline
functions that wrap around the utility B<OPENSSL_sk_> API.
In the description here, I<TYPE> is used
as a placeholder for any of the OpenSSL datatypes, such as I<X509>.
STACK_OF() returns the name for a stack of the specified B<TYPE>.
DEFINE_STACK_OF() creates set of functions for a stack of B<TYPE>. This
will mean that type B<TYPE> is stored in each stack, the type is referenced by
STACK_OF(TYPE) and each function name begins with I<sk_TYPE_>. For example:
TYPE *sk_TYPE_value(STACK_OF(TYPE) *sk, int idx);
DEFINE_STACK_OF_CONST() is identical to DEFINE_STACK_OF() except
each element is constant. For example:
const TYPE *sk_TYPE_value(STACK_OF(TYPE) *sk, int idx);
DEFINE_SPECIAL_STACK_OF() defines a stack of B<TYPE> but
each function uses B<FUNCNAME> in the function name. For example:
TYPE *sk_FUNCNAME_value(STACK_OF(TYPE) *sk, int idx);
DEFINE_SPECIAL_STACK_OF_CONST() is similar except that each element is
constant:
const TYPE *sk_FUNCNAME_value(STACK_OF(TYPE) *sk, int idx);
sk_TYPE_num() returns the number of elements in B<sk> or -1 if B<sk> is
B<NULL>.
sk_TYPE_value() returns element B<idx> in B<sk>, where B<idx> starts at
zero. If B<idx> is out of range then B<NULL> is returned.
sk_TYPE_new() allocates a new empty stack using comparison function B<compare>.
If B<compare> is B<NULL> then no comparison function is used. This function is
equivalent to sk_TYPE_new_reserve(compare, 0).
sk_TYPE_new_null() allocates a new empty stack with no comparison function. This
function is equivalent to sk_TYPE_new_reserve(NULL, 0).
sk_TYPE_reserve() allocates additional memory in the B<sk> structure
such that the next B<n> calls to sk_TYPE_insert(), sk_TYPE_push()
or sk_TYPE_unshift() will not fail or cause memory to be allocated
or reallocated. If B<n> is zero, any excess space allocated in the
B<sk> structure is freed. On error B<sk> is unchanged.
sk_TYPE_new_reserve() allocates a new stack. The new stack will have additional
memory allocated to hold B<n> elements if B<n> is positive. The next B<n> calls
to sk_TYPE_insert(), sk_TYPE_push() or sk_TYPE_unshift() will not fail or cause
memory to be allocated or reallocated. If B<n> is zero or less than zero, no
memory is allocated. sk_TYPE_new_reserve() also sets the comparison function
B<compare> to the newly created stack. If B<compare> is B<NULL> then no
comparison function is used.
sk_TYPE_set_cmp_func() sets the comparison function of B<sk> to B<compare>.
The previous comparison function is returned or B<NULL> if there was
no previous comparison function.
sk_TYPE_free() frees up the B<sk> structure. It does B<not> free up any
elements of B<sk>. After this call B<sk> is no longer valid.
sk_TYPE_zero() sets the number of elements in B<sk> to zero. It does not free
B<sk> so after this call B<sk> is still valid.
sk_TYPE_pop_free() frees up all elements of B<sk> and B<sk> itself. The
free function freefunc() is called on each element to free it.
sk_TYPE_delete() deletes element B<i> from B<sk>. It returns the deleted
element or B<NULL> if B<i> is out of range.
sk_TYPE_delete_ptr() deletes element matching B<ptr> from B<sk>. It returns
the deleted element or B<NULL> if no element matching B<ptr> was found.
sk_TYPE_insert() inserts B<ptr> into B<sk> at position B<idx>. Any existing
elements at or after B<idx> are moved downwards. If B<idx> is out of range
the new element is appended to B<sk>. sk_TYPE_insert() either returns the
number of elements in B<sk> after the new element is inserted or zero if
an error (such as memory allocation failure) occurred.
sk_TYPE_push() appends B<ptr> to B<sk> it is equivalent to:
sk_TYPE_insert(sk, ptr, -1);
sk_TYPE_unshift() inserts B<ptr> at the start of B<sk> it is equivalent to:
sk_TYPE_insert(sk, ptr, 0);
sk_TYPE_pop() returns and removes the last element from B<sk>.
sk_TYPE_shift() returns and removes the first element from B<sk>.
sk_TYPE_set() sets element B<idx> of B<sk> to B<ptr> replacing the current
element. The new element value is returned or B<NULL> if an error occurred:
this will only happen if B<sk> is B<NULL> or B<idx> is out of range.
sk_TYPE_find() searches B<sk> for the element B<ptr>. In the case
where no comparison function has been specified, the function performs
a linear search for a pointer equal to B<ptr>. The index of the first
matching element is returned or B<-1> if there is no match. In the case
where a comparison function has been specified, B<sk> is sorted then
sk_TYPE_find() returns the index of a matching element or B<-1> if there
is no match. Note that, in this case, the matching element returned is
not guaranteed to be the first; the comparison function will usually
compare the values pointed to rather than the pointers themselves and
the order of elements in B<sk> could change.
sk_TYPE_find_ex() operates like sk_TYPE_find() except when a comparison
function has been specified and no matching element is found. Instead
of returning B<-1>, sk_TYPE_find_ex() returns the index of the element
either before or after the location where B<ptr> would be if it were
present in B<sk>.
sk_TYPE_sort() sorts B<sk> using the supplied comparison function.
sk_TYPE_is_sorted() returns B<1> if B<sk> is sorted and B<0> otherwise.
sk_TYPE_dup() returns a copy of B<sk>. Note the pointers in the copy
are identical to the original.
sk_TYPE_deep_copy() returns a new stack where each element has been copied.
Copying is performed by the supplied copyfunc() and freeing by freefunc(). The
function freefunc() is only called if an error occurs.
=head1 NOTES
Care should be taken when accessing stacks in multi-threaded environments.
Any operation which increases the size of a stack such as sk_TYPE_insert() or
sk_push() can "grow" the size of an internal array and cause race conditions
if the same stack is accessed in a different thread. Operations such as
sk_find() and sk_sort() can also reorder the stack.
Any comparison function supplied should use a metric suitable
for use in a binary search operation. That is it should return zero, a
positive or negative value if B<a> is equal to, greater than
or less than B<b> respectively.
Care should be taken when checking the return values of the functions
sk_TYPE_find() and sk_TYPE_find_ex(). They return an index to the
matching element. In particular B<0> indicates a matching first element.
A failed search is indicated by a B<-1> return value.
STACK_OF(), DEFINE_STACK_OF(), DEFINE_STACK_OF_CONST(), and
DEFINE_SPECIAL_STACK_OF() are implemented as macros.
The underlying utility B<OPENSSL_sk_> API should not be used directly.
It defines these functions: OPENSSL_sk_deep_copy(),
OPENSSL_sk_delete(), OPENSSL_sk_delete_ptr(), OPENSSL_sk_dup(),
OPENSSL_sk_find(), OPENSSL_sk_find_ex(), OPENSSL_sk_free(),
OPENSSL_sk_insert(), OPENSSL_sk_is_sorted(), OPENSSL_sk_new(),
OPENSSL_sk_new_null(), OPENSSL_sk_num(), OPENSSL_sk_pop(),
OPENSSL_sk_pop_free(), OPENSSL_sk_push(), OPENSSL_sk_reserve(),
OPENSSL_sk_set(), OPENSSL_sk_set_cmp_func(), OPENSSL_sk_shift(),
OPENSSL_sk_sort(), OPENSSL_sk_unshift(), OPENSSL_sk_value(),
OPENSSL_sk_zero().
=head1 RETURN VALUES
sk_TYPE_num() returns the number of elements in the stack or B<-1> if the
passed stack is B<NULL>.
sk_TYPE_value() returns a pointer to a stack element or B<NULL> if the
index is out of range.
sk_TYPE_new(), sk_TYPE_new_null() and sk_TYPE_new_reserve() return an empty
stack or B<NULL> if an error occurs.
sk_TYPE_reserve() returns B<1> on successful allocation of the required memory
or B<0> on error.
sk_TYPE_set_cmp_func() returns the old comparison function or B<NULL> if
there was no old comparison function.
sk_TYPE_free(), sk_TYPE_zero(), sk_TYPE_pop_free() and sk_TYPE_sort() do
not return values.
sk_TYPE_pop(), sk_TYPE_shift(), sk_TYPE_delete() and sk_TYPE_delete_ptr()
return a pointer to the deleted element or B<NULL> on error.
sk_TYPE_insert(), sk_TYPE_push() and sk_TYPE_unshift() return the total
-number of elements in the stack and 0 if an error occurred.
+number of elements in the stack and 0 if an error occurred. sk_TYPE_push()
+further returns -1 if B<sk> is B<NULL>.
sk_TYPE_set() returns a pointer to the replacement element or B<NULL> on
error.
sk_TYPE_find() and sk_TYPE_find_ex() return an index to the found element
or B<-1> on error.
sk_TYPE_is_sorted() returns B<1> if the stack is sorted and B<0> if it is
not.
sk_TYPE_dup() and sk_TYPE_deep_copy() return a pointer to the copy of the
stack.
=head1 HISTORY
Before OpenSSL 1.1.0, this was implemented via macros and not inline functions
and was not a public API.
sk_TYPE_reserve() and sk_TYPE_new_reserve() were added in OpenSSL 1.1.1.
=head1 COPYRIGHT
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut
diff --git a/crypto/openssl/doc/man3/OBJ_nid2obj.pod b/crypto/openssl/doc/man3/OBJ_nid2obj.pod
index 74379ad817da..b37d992307c2 100644
--- a/crypto/openssl/doc/man3/OBJ_nid2obj.pod
+++ b/crypto/openssl/doc/man3/OBJ_nid2obj.pod
@@ -1,191 +1,191 @@
=pod
=head1 NAME
i2t_ASN1_OBJECT,
OBJ_length, OBJ_get0_data, OBJ_nid2obj, OBJ_nid2ln,
OBJ_nid2sn, OBJ_obj2nid, OBJ_txt2nid, OBJ_ln2nid, OBJ_sn2nid, OBJ_cmp,
OBJ_dup, OBJ_txt2obj, OBJ_obj2txt, OBJ_create, OBJ_cleanup
- ASN1 object utility functions
=head1 SYNOPSIS
#include <openssl/objects.h>
ASN1_OBJECT *OBJ_nid2obj(int n);
const char *OBJ_nid2ln(int n);
const char *OBJ_nid2sn(int n);
int OBJ_obj2nid(const ASN1_OBJECT *o);
int OBJ_ln2nid(const char *ln);
int OBJ_sn2nid(const char *sn);
int OBJ_txt2nid(const char *s);
ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name);
int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name);
int i2t_ASN1_OBJECT(char *buf, int buf_len, const ASN1_OBJECT *a);
int OBJ_cmp(const ASN1_OBJECT *a, const ASN1_OBJECT *b);
ASN1_OBJECT *OBJ_dup(const ASN1_OBJECT *o);
int OBJ_create(const char *oid, const char *sn, const char *ln);
size_t OBJ_length(const ASN1_OBJECT *obj);
const unsigned char *OBJ_get0_data(const ASN1_OBJECT *obj);
Deprecated:
#if OPENSSL_API_COMPAT < 0x10100000L
void OBJ_cleanup(void)
#endif
=head1 DESCRIPTION
The ASN1 object utility functions process ASN1_OBJECT structures which are
a representation of the ASN1 OBJECT IDENTIFIER (OID) type.
For convenience, OIDs are usually represented in source code as numeric
identifiers, or I<NID>s. OpenSSL has an internal table of OIDs that
are generated when the library is built, and their corresponding NIDs
are available as defined constants. For the functions below, application
code should treat all returned values -- OIDs, NIDs, or names -- as
constants.
OBJ_nid2obj(), OBJ_nid2ln() and OBJ_nid2sn() convert the NID I<n> to
an ASN1_OBJECT structure, its long name and its short name respectively,
or B<NULL> if an error occurred.
OBJ_obj2nid(), OBJ_ln2nid(), OBJ_sn2nid() return the corresponding NID
for the object I<o>, the long name <ln> or the short name <sn> respectively
or NID_undef if an error occurred.
OBJ_txt2nid() returns NID corresponding to text string I<s>. I<s> can be
a long name, a short name or the numerical representation of an object.
OBJ_txt2obj() converts the text string I<s> into an ASN1_OBJECT structure.
If I<no_name> is 0 then long names and short names will be interpreted
as well as numerical forms. If I<no_name> is 1 only the numerical form
is acceptable.
-OBJ_obj2txt() converts the B<ASN1_OBJECT> B<a> into a textual representation.
-The representation is written as a null terminated string to B<buf>
-at most B<buf_len> bytes are written, truncating the result if necessary.
-The total amount of space required is returned. If B<no_name> is 0 then
-if the object has a long or short name then that will be used, otherwise
-the numerical form will be used. If B<no_name> is 1 then the numerical
-form will always be used.
+OBJ_obj2txt() converts the B<ASN1_OBJECT> I<a> into a textual representation.
+Unless I<buf> is NULL,
+the representation is written as a NUL-terminated string to I<buf>, where
+at most I<buf_len> bytes are written, truncating the result if necessary.
+In any case it returns the total string length, excluding the NUL character,
+required for non-truncated representation, or -1 on error.
+If I<no_name> is 0 then if the object has a long or short name
+then that will be used, otherwise the numerical form will be used.
+If I<no_name> is 1 then the numerical form will always be used.
i2t_ASN1_OBJECT() is the same as OBJ_obj2txt() with the I<no_name> set to zero.
OBJ_cmp() compares I<a> to I<b>. If the two are identical 0 is returned.
OBJ_dup() returns a copy of I<o>.
OBJ_create() adds a new object to the internal table. I<oid> is the
numerical form of the object, I<sn> the short name and I<ln> the
long name. A new NID is returned for the created object in case of
success and NID_undef in case of failure.
OBJ_length() returns the size of the content octets of I<obj>.
OBJ_get0_data() returns a pointer to the content octets of I<obj>.
The returned pointer is an internal pointer which B<must not> be freed.
OBJ_cleanup() releases any resources allocated by creating new objects.
=head1 NOTES
Objects in OpenSSL can have a short name, a long name and a numerical
identifier (NID) associated with them. A standard set of objects is
represented in an internal table. The appropriate values are defined
in the header file B<objects.h>.
For example the OID for commonName has the following definitions:
#define SN_commonName "CN"
#define LN_commonName "commonName"
#define NID_commonName 13
New objects can be added by calling OBJ_create().
Table objects have certain advantages over other objects: for example
their NIDs can be used in a C language switch statement. They are
also static constant structures which are shared: that is there
is only a single constant structure for each table object.
Objects which are not in the table have the NID value NID_undef.
Objects do not need to be in the internal tables to be processed,
the functions OBJ_txt2obj() and OBJ_obj2txt() can process the numerical
form of an OID.
Some objects are used to represent algorithms which do not have a
corresponding ASN.1 OBJECT IDENTIFIER encoding (for example no OID currently
exists for a particular algorithm). As a result they B<cannot> be encoded or
decoded as part of ASN.1 structures. Applications can determine if there
is a corresponding OBJECT IDENTIFIER by checking OBJ_length() is not zero.
These functions cannot return B<const> because an B<ASN1_OBJECT> can
represent both an internal, constant, OID and a dynamically-created one.
The latter cannot be constant because it needs to be freed after use.
=head1 RETURN VALUES
OBJ_nid2obj() returns an B<ASN1_OBJECT> structure or B<NULL> is an
error occurred.
OBJ_nid2ln() and OBJ_nid2sn() returns a valid string or B<NULL>
on error.
OBJ_obj2nid(), OBJ_ln2nid(), OBJ_sn2nid() and OBJ_txt2nid() return
a NID or B<NID_undef> on error.
+OBJ_add_sigid() returns 1 on success or 0 on error.
+
+i2t_ASN1_OBJECT() an OBJ_obj2txt() return -1 on error.
+On success, they return the length of the string written to I<buf> if I<buf> is
+not NULL and I<buf_len> is big enough, otherwise the total string length.
+Note that this does not count the trailing NUL character.
+
=head1 EXAMPLES
Create an object for B<commonName>:
ASN1_OBJECT *o = OBJ_nid2obj(NID_commonName);
Check if an object is B<commonName>
if (OBJ_obj2nid(obj) == NID_commonName)
/* Do something */
Create a new NID and initialize an object from it:
int new_nid = OBJ_create("1.2.3.4", "NewOID", "New Object Identifier");
ASN1_OBJECT *obj = OBJ_nid2obj(new_nid);
Create a new object directly:
obj = OBJ_txt2obj("1.2.3.4", 1);
-=head1 BUGS
-
-OBJ_obj2txt() is awkward and messy to use: it doesn't follow the
-convention of other OpenSSL functions where the buffer can be set
-to B<NULL> to determine the amount of data that should be written.
-Instead B<buf> must point to a valid buffer and B<buf_len> should
-be set to a positive value. A buffer length of 80 should be more
-than enough to handle any OID encountered in practice.
-
=head1 SEE ALSO
L<ERR_get_error(3)>
=head1 HISTORY
OBJ_cleanup() was deprecated in OpenSSL 1.1.0 by L<OPENSSL_init_crypto(3)>
and should not be used.
=head1 COPYRIGHT
-Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut
diff --git a/crypto/openssl/doc/man3/SSL_CONF_cmd.pod b/crypto/openssl/doc/man3/SSL_CONF_cmd.pod
index a3f447a986e3..c7cce5486b50 100644
--- a/crypto/openssl/doc/man3/SSL_CONF_cmd.pod
+++ b/crypto/openssl/doc/man3/SSL_CONF_cmd.pod
@@ -1,708 +1,708 @@
=pod
=head1 NAME
SSL_CONF_cmd_value_type,
SSL_CONF_cmd - send configuration command
=head1 SYNOPSIS
#include <openssl/ssl.h>
int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value);
int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd);
=head1 DESCRIPTION
The function SSL_CONF_cmd() performs configuration operation B<cmd> with
optional parameter B<value> on B<ctx>. Its purpose is to simplify application
configuration of B<SSL_CTX> or B<SSL> structures by providing a common
framework for command line options or configuration files.
SSL_CONF_cmd_value_type() returns the type of value that B<cmd> refers to.
=head1 SUPPORTED COMMAND LINE COMMANDS
Currently supported B<cmd> names for command lines (i.e. when the
flag B<SSL_CONF_CMDLINE> is set) are listed below. Note: all B<cmd> names
are case sensitive. Unless otherwise stated commands can be used by
both clients and servers and the B<value> parameter is not used. The default
prefix for command line commands is B<-> and that is reflected below.
=over 4
=item B<-sigalgs>
This sets the supported signature algorithms for TLSv1.2 and TLSv1.3.
For clients this
value is used directly for the supported signature algorithms extension. For
servers it is used to determine which signature algorithms to support.
The B<value> argument should be a colon separated list of signature algorithms
in order of decreasing preference of the form B<algorithm+hash> or
B<signature_scheme>. B<algorithm>
is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm
OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>.
Note: algorithm and hash names are case sensitive.
B<signature_scheme> is one of the signature schemes defined in TLSv1.3,
specified using the IETF name, e.g., B<ecdsa_secp256r1_sha256>, B<ed25519>,
or B<rsa_pss_pss_sha256>.
If this option is not set then all signature algorithms supported by the
OpenSSL library are permissible.
Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by
using B<RSA> as the B<algorithm> or by using one of the B<rsa_pkcs1_*>
identifiers) are ignored in TLSv1.3 and will not be negotiated.
=item B<-client_sigalgs>
This sets the supported signature algorithms associated with client
authentication for TLSv1.2 and TLSv1.3.
For servers the value is used in the
B<signature_algorithms> field of a B<CertificateRequest> message.
For clients it is
used to determine which signature algorithm to use with the client certificate.
If a server does not request a certificate this option has no effect.
The syntax of B<value> is identical to B<-sigalgs>. If not set then
the value set for B<-sigalgs> will be used instead.
=item B<-groups>
This sets the supported groups. For clients, the groups are
sent using the supported groups extension. For servers, it is used
to determine which group to use. This setting affects groups used for
signatures (in TLSv1.2 and earlier) and key exchange. The first group listed
will also be used for the B<key_share> sent by a client in a TLSv1.3
B<ClientHello>.
The B<value> argument is a colon separated list of groups. The group can be
either the B<NIST> name (e.g. B<P-256>), some other commonly used name where
applicable (e.g. B<X25519>) or an OpenSSL OID name (e.g. B<prime256v1>). Group
names are case sensitive. The list should be in order of preference with the
most preferred group first.
=item B<-curves>
This is a synonym for the "-groups" command.
=item B<-named_curve>
This sets the temporary curve used for ephemeral ECDH modes. Only used by
servers
The B<value> argument is a curve name or the special value B<auto> which
picks an appropriate curve based on client and server preferences. The curve
can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name
(e.g. B<prime256v1>). Curve names are case sensitive.
=item B<-cipher>
Sets the TLSv1.2 and below ciphersuite list to B<value>. This list will be
combined with any configured TLSv1.3 ciphersuites. Note: syntax checking
of B<value> is currently not performed unless a B<SSL> or B<SSL_CTX> structure is
associated with B<cctx>.
=item B<-ciphersuites>
Sets the available ciphersuites for TLSv1.3 to value. This is a simple colon
(":") separated list of TLSv1.3 ciphersuite names in order of preference. This
list will be combined any configured TLSv1.2 and below ciphersuites.
See L<ciphers(1)> for more information.
=item B<-cert>
Attempts to use the file B<value> as the certificate for the appropriate
context. It currently uses SSL_CTX_use_certificate_chain_file() if an B<SSL_CTX>
structure is set or SSL_use_certificate_file() with filetype PEM if an B<SSL>
structure is set. This option is only supported if certificate operations
are permitted.
=item B<-key>
Attempts to use the file B<value> as the private key for the appropriate
context. This option is only supported if certificate operations
are permitted. Note: if no B<-key> option is set then a private key is
not loaded unless the flag B<SSL_CONF_FLAG_REQUIRE_PRIVATE> is set.
=item B<-dhparam>
Attempts to use the file B<value> as the set of temporary DH parameters for
the appropriate context. This option is only supported if certificate
operations are permitted.
=item B<-record_padding>
Attempts to pad TLSv1.3 records so that they are a multiple of B<value> in
length on send. A B<value> of 0 or 1 turns off padding. Otherwise, the
B<value> must be >1 or <=16384.
=item B<-no_renegotiation>
Disables all attempts at renegotiation in TLSv1.2 and earlier, same as setting
B<SSL_OP_NO_RENEGOTIATION>.
=item B<-min_protocol>, B<-max_protocol>
Sets the minimum and maximum supported protocol.
Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>,
B<TLSv1.2>, B<TLSv1.3> for TLS; B<DTLSv1>, B<DTLSv1.2> for DTLS, and B<None>
for no limit.
If either the lower or upper bound is not specified then only the other bound
applies, if specified.
If your application supports both TLS and DTLS you can specify any of these
options twice, once with a bound for TLS and again with an appropriate bound
for DTLS.
To restrict the supported protocol versions use these commands rather than the
deprecated alternative commands below.
=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
Disables protocol support for SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 by
setting the corresponding options B<SSL_OP_NO_SSLv3>, B<SSL_OP_NO_TLSv1>,
B<SSL_OP_NO_TLSv1_1>, B<SSL_OP_NO_TLSv1_2> and B<SSL_OP_NO_TLSv1_3>
respectively. These options are deprecated, instead use B<-min_protocol> and
B<-max_protocol>.
=item B<-bugs>
Various bug workarounds are set, same as setting B<SSL_OP_ALL>.
=item B<-comp>
Enables support for SSL/TLS compression, same as clearing
B<SSL_OP_NO_COMPRESSION>.
This command was introduced in OpenSSL 1.1.0.
As of OpenSSL 1.1.0, compression is off by default.
=item B<-no_comp>
Disables support for SSL/TLS compression, same as setting
B<SSL_OP_NO_COMPRESSION>.
As of OpenSSL 1.1.0, compression is off by default.
=item B<-no_ticket>
Disables support for session tickets, same as setting B<SSL_OP_NO_TICKET>.
=item B<-serverpref>
Use server and not client preference order when determining which cipher suite,
signature algorithm or elliptic curve to use for an incoming connection.
Equivalent to B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers.
=item B<-prioritize_chacha>
Prioritize ChaCha ciphers when the client has a ChaCha20 cipher at the top of
its preference list. This usually indicates a client without AES hardware
acceleration (e.g. mobile) is in use. Equivalent to B<SSL_OP_PRIORITIZE_CHACHA>.
Only used by servers. Requires B<-serverpref>.
=item B<-no_resumption_on_reneg>
set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Only used by servers.
=item B<-legacyrenegotiation>
permits the use of unsafe legacy renegotiation. Equivalent to setting
B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>.
=item B<-legacy_server_connect>, B<-no_legacy_server_connect>
permits or prohibits the use of unsafe legacy renegotiation for OpenSSL
clients only. Equivalent to setting or clearing B<SSL_OP_LEGACY_SERVER_CONNECT>.
Set by default.
=item B<-allow_no_dhe_kex>
In TLSv1.3 allow a non-(ec)dhe based key exchange mode on resumption. This means
that there will be no forward secrecy for the resumed session.
=item B<-strict>
enables strict mode protocol handling. Equivalent to setting
B<SSL_CERT_FLAG_TLS_STRICT>.
=item B<-anti_replay>, B<-no_anti_replay>
Switches replay protection, on or off respectively. With replay protection on,
OpenSSL will automatically detect if a session ticket has been used more than
once, TLSv1.3 has been negotiated, and early data is enabled on the server. A
full handshake is forced if a session ticket is used a second or subsequent
time. Anti-Replay is on by default unless overridden by a configuration file and
is only used by servers. Anti-replay measures are required for compliance with
the TLSv1.3 specification. Some applications may be able to mitigate the replay
risks in other ways and in such cases the built-in OpenSSL functionality is not
required. Switching off anti-replay is equivalent to B<SSL_OP_NO_ANTI_REPLAY>.
=back
=head1 SUPPORTED CONFIGURATION FILE COMMANDS
Currently supported B<cmd> names for configuration files (i.e. when the
flag B<SSL_CONF_FLAG_FILE> is set) are listed below. All configuration file
B<cmd> names are case insensitive so B<signaturealgorithms> is recognised
as well as B<SignatureAlgorithms>. Unless otherwise stated the B<value> names
are also case insensitive.
Note: the command prefix (if set) alters the recognised B<cmd> values.
=over 4
=item B<CipherString>
Sets the ciphersuite list for TLSv1.2 and below to B<value>. This list will be
combined with any configured TLSv1.3 ciphersuites. Note: syntax
checking of B<value> is currently not performed unless an B<SSL> or B<SSL_CTX>
structure is associated with B<cctx>.
=item B<Ciphersuites>
Sets the available ciphersuites for TLSv1.3 to B<value>. This is a simple colon
(":") separated list of TLSv1.3 ciphersuite names in order of preference. This
list will be combined any configured TLSv1.2 and below ciphersuites.
See L<ciphers(1)> for more information.
=item B<Certificate>
Attempts to use the file B<value> as the certificate for the appropriate
context. It currently uses SSL_CTX_use_certificate_chain_file() if an B<SSL_CTX>
structure is set or SSL_use_certificate_file() with filetype PEM if an B<SSL>
structure is set. This option is only supported if certificate operations
are permitted.
=item B<PrivateKey>
Attempts to use the file B<value> as the private key for the appropriate
context. This option is only supported if certificate operations
are permitted. Note: if no B<PrivateKey> option is set then a private key is
not loaded unless the B<SSL_CONF_FLAG_REQUIRE_PRIVATE> is set.
=item B<ChainCAFile>, B<ChainCAPath>, B<VerifyCAFile>, B<VerifyCAPath>
These options indicate a file or directory used for building certificate
chains or verifying certificate chains. These options are only supported
if certificate operations are permitted.
=item B<RequestCAFile>
This option indicates a file containing a set of certificates in PEM form.
The subject names of the certificates are sent to the peer in the
B<certificate_authorities> extension for TLS 1.3 (in ClientHello or
CertificateRequest) or in a certificate request for previous versions or
TLS.
=item B<ServerInfoFile>
Attempts to use the file B<value> in the "serverinfo" extension using the
function SSL_CTX_use_serverinfo_file.
=item B<DHParameters>
Attempts to use the file B<value> as the set of temporary DH parameters for
the appropriate context. This option is only supported if certificate
operations are permitted.
=item B<RecordPadding>
Attempts to pad TLSv1.3 records so that they are a multiple of B<value> in
length on send. A B<value> of 0 or 1 turns off padding. Otherwise, the
B<value> must be >1 or <=16384.
=item B<SignatureAlgorithms>
This sets the supported signature algorithms for TLSv1.2 and TLSv1.3.
For clients this
value is used directly for the supported signature algorithms extension. For
servers it is used to determine which signature algorithms to support.
The B<value> argument should be a colon separated list of signature algorithms
in order of decreasing preference of the form B<algorithm+hash> or
B<signature_scheme>. B<algorithm>
is one of B<RSA>, B<DSA> or B<ECDSA> and B<hash> is a supported algorithm
OID short name such as B<SHA1>, B<SHA224>, B<SHA256>, B<SHA384> of B<SHA512>.
Note: algorithm and hash names are case sensitive.
B<signature_scheme> is one of the signature schemes defined in TLSv1.3,
specified using the IETF name, e.g., B<ecdsa_secp256r1_sha256>, B<ed25519>,
or B<rsa_pss_pss_sha256>.
If this option is not set then all signature algorithms supported by the
OpenSSL library are permissible.
Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by
using B<RSA> as the B<algorithm> or by using one of the B<rsa_pkcs1_*>
identifiers) are ignored in TLSv1.3 and will not be negotiated.
=item B<ClientSignatureAlgorithms>
This sets the supported signature algorithms associated with client
authentication for TLSv1.2 and TLSv1.3.
For servers the value is used in the
B<signature_algorithms> field of a B<CertificateRequest> message.
For clients it is
used to determine which signature algorithm to use with the client certificate.
If a server does not request a certificate this option has no effect.
The syntax of B<value> is identical to B<SignatureAlgorithms>. If not set then
the value set for B<SignatureAlgorithms> will be used instead.
=item B<Groups>
This sets the supported groups. For clients, the groups are
sent using the supported groups extension. For servers, it is used
to determine which group to use. This setting affects groups used for
signatures (in TLSv1.2 and earlier) and key exchange. The first group listed
will also be used for the B<key_share> sent by a client in a TLSv1.3
B<ClientHello>.
The B<value> argument is a colon separated list of groups. The group can be
either the B<NIST> name (e.g. B<P-256>), some other commonly used name where
applicable (e.g. B<X25519>) or an OpenSSL OID name (e.g. B<prime256v1>). Group
names are case sensitive. The list should be in order of preference with the
most preferred group first.
=item B<Curves>
This is a synonym for the "Groups" command.
=item B<MinProtocol>
This sets the minimum supported SSL, TLS or DTLS version.
Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>,
B<TLSv1.2>, B<TLSv1.3>, B<DTLSv1> and B<DTLSv1.2>.
The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds
apply only to DTLS-based contexts.
The command can be repeated with one instance setting a TLS bound, and the
other setting a DTLS bound.
The value B<None> applies to both types of contexts and disables the limits.
=item B<MaxProtocol>
This sets the maximum supported SSL, TLS or DTLS version.
Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>,
B<TLSv1.2>, B<TLSv1.3>, B<DTLSv1> and B<DTLSv1.2>.
The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds
apply only to DTLS-based contexts.
The command can be repeated with one instance setting a TLS bound, and the
other setting a DTLS bound.
The value B<None> applies to both types of contexts and disables the limits.
=item B<Protocol>
This can be used to enable or disable certain versions of the SSL,
TLS or DTLS protocol.
The B<value> argument is a comma separated list of supported protocols
to enable or disable.
If a protocol is preceded by B<-> that version is disabled.
All protocol versions are enabled by default.
You need to disable at least one protocol version for this setting have any
effect.
Only enabling some protocol versions does not disable the other protocol
versions.
Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>,
B<TLSv1.2>, B<TLSv1.3>, B<DTLSv1> and B<DTLSv1.2>.
The special value B<ALL> refers to all supported versions.
This can't enable protocols that are disabled using B<MinProtocol>
or B<MaxProtocol>, but can disable protocols that are still allowed
by them.
The B<Protocol> command is fragile and deprecated; do not use it.
Use B<MinProtocol> and B<MaxProtocol> instead.
If you do use B<Protocol>, make sure that the resulting range of enabled
protocols has no "holes", e.g. if TLS 1.0 and TLS 1.2 are both enabled, make
sure to also leave TLS 1.1 enabled.
=item B<Options>
The B<value> argument is a comma separated list of various flags to set.
If a flag string is preceded B<-> it is disabled.
See the L<SSL_CTX_set_options(3)> function for more details of
individual options.
Each option is listed below. Where an operation is enabled by default
the B<-flag> syntax is needed to disable it.
B<SessionTicket>: session ticket support, enabled by default. Inverse of
B<SSL_OP_NO_TICKET>: that is B<-SessionTicket> is the same as setting
B<SSL_OP_NO_TICKET>.
-B<Compression>: SSL/TLS compression support, enabled by default. Inverse
+B<Compression>: SSL/TLS compression support, disabled by default. Inverse
of B<SSL_OP_NO_COMPRESSION>.
B<EmptyFragments>: use empty fragments as a countermeasure against a
SSL 3.0/TLS 1.0 protocol vulnerability affecting CBC ciphers. It
is set by default. Inverse of B<SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS>.
B<Bugs>: enable various bug workarounds. Same as B<SSL_OP_ALL>.
B<DHSingle>: enable single use DH keys, set by default. Inverse of
B<SSL_OP_DH_SINGLE>. Only used by servers.
B<ECDHSingle>: enable single use ECDH keys, set by default. Inverse of
B<SSL_OP_ECDH_SINGLE>. Only used by servers.
B<ServerPreference>: use server and not client preference order when
determining which cipher suite, signature algorithm or elliptic curve
to use for an incoming connection. Equivalent to
B<SSL_OP_CIPHER_SERVER_PREFERENCE>. Only used by servers.
B<PrioritizeChaCha>: prioritizes ChaCha ciphers when the client has a
ChaCha20 cipher at the top of its preference list. This usually indicates
a mobile client is in use. Equivalent to B<SSL_OP_PRIORITIZE_CHACHA>.
Only used by servers.
B<NoResumptionOnRenegotiation>: set
B<SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION> flag. Only used by servers.
B<NoRenegotiation>: disables all attempts at renegotiation in TLSv1.2 and
earlier, same as setting B<SSL_OP_NO_RENEGOTIATION>.
B<UnsafeLegacyRenegotiation>: permits the use of unsafe legacy renegotiation.
Equivalent to B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>.
B<UnsafeLegacyServerConnect>: permits the use of unsafe legacy renegotiation
for OpenSSL clients only. Equivalent to B<SSL_OP_LEGACY_SERVER_CONNECT>.
Set by default.
B<EncryptThenMac>: use encrypt-then-mac extension, enabled by
default. Inverse of B<SSL_OP_NO_ENCRYPT_THEN_MAC>: that is,
B<-EncryptThenMac> is the same as setting B<SSL_OP_NO_ENCRYPT_THEN_MAC>.
B<AllowNoDHEKEX>: In TLSv1.3 allow a non-(ec)dhe based key exchange mode on
resumption. This means that there will be no forward secrecy for the resumed
session. Equivalent to B<SSL_OP_ALLOW_NO_DHE_KEX>.
B<MiddleboxCompat>: If set then dummy Change Cipher Spec (CCS) messages are sent
in TLSv1.3. This has the effect of making TLSv1.3 look more like TLSv1.2 so that
middleboxes that do not understand TLSv1.3 will not drop the connection. This
option is set by default. A future version of OpenSSL may not set this by
default. Equivalent to B<SSL_OP_ENABLE_MIDDLEBOX_COMPAT>.
B<AntiReplay>: If set then OpenSSL will automatically detect if a session ticket
has been used more than once, TLSv1.3 has been negotiated, and early data is
enabled on the server. A full handshake is forced if a session ticket is used a
second or subsequent time. This option is set by default and is only used by
servers. Anti-replay measures are required to comply with the TLSv1.3
specification. Some applications may be able to mitigate the replay risks in
other ways and in such cases the built-in OpenSSL functionality is not required.
Disabling anti-replay is equivalent to setting B<SSL_OP_NO_ANTI_REPLAY>.
B<KTLS>: Enables kernel TLS if support has been compiled in, and it is supported
by the negotiated ciphersuites and extensions. Equivalent to
B<SSL_OP_ENABLE_KTLS>.
=item B<VerifyMode>
The B<value> argument is a comma separated list of flags to set.
B<Peer> enables peer verification: for clients only.
B<Request> requests but does not require a certificate from the client.
Servers only.
B<Require> requests and requires a certificate from the client: an error
occurs if the client does not present a certificate. Servers only.
B<Once> requests a certificate from a client only on the initial connection:
not when renegotiating. Servers only.
B<RequestPostHandshake> configures the connection to support requests but does
not require a certificate from the client post-handshake. A certificate will
not be requested during the initial handshake. The server application must
provide a mechanism to request a certificate post-handshake. Servers only.
TLSv1.3 only.
B<RequiresPostHandshake> configures the connection to support requests and
requires a certificate from the client post-handshake: an error occurs if the
client does not present a certificate. A certificate will not be requested
during the initial handshake. The server application must provide a mechanism
to request a certificate post-handshake. Servers only. TLSv1.3 only.
=item B<ClientCAFile>, B<ClientCAPath>
A file or directory of certificates in PEM format whose names are used as the
set of acceptable names for client CAs. Servers only. This option is only
supported if certificate operations are permitted.
=back
=head1 SUPPORTED COMMAND TYPES
The function SSL_CONF_cmd_value_type() currently returns one of the following
types:
=over 4
=item B<SSL_CONF_TYPE_UNKNOWN>
The B<cmd> string is unrecognised, this return value can be use to flag
syntax errors.
=item B<SSL_CONF_TYPE_STRING>
The value is a string without any specific structure.
=item B<SSL_CONF_TYPE_FILE>
The value is a filename.
=item B<SSL_CONF_TYPE_DIR>
The value is a directory name.
=item B<SSL_CONF_TYPE_NONE>
The value string is not used e.g. a command line option which doesn't take an
argument.
=back
=head1 NOTES
The order of operations is significant. This can be used to set either defaults
or values which cannot be overridden. For example if an application calls:
SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
SSL_CONF_cmd(ctx, userparam, uservalue);
it will disable SSLv3 support by default but the user can override it. If
however the call sequence is:
SSL_CONF_cmd(ctx, userparam, uservalue);
SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
SSLv3 is B<always> disabled and attempt to override this by the user are
ignored.
By checking the return code of SSL_CONF_cmd() it is possible to query if a
given B<cmd> is recognised, this is useful if SSL_CONF_cmd() values are
mixed with additional application specific operations.
For example an application might call SSL_CONF_cmd() and if it returns
-2 (unrecognised command) continue with processing of application specific
commands.
Applications can also use SSL_CONF_cmd() to process command lines though the
utility function SSL_CONF_cmd_argv() is normally used instead. One way
to do this is to set the prefix to an appropriate value using
SSL_CONF_CTX_set1_prefix(), pass the current argument to B<cmd> and the
following argument to B<value> (which may be NULL).
In this case if the return value is positive then it is used to skip that
number of arguments as they have been processed by SSL_CONF_cmd(). If -2 is
returned then B<cmd> is not recognised and application specific arguments
can be checked instead. If -3 is returned a required argument is missing
and an error is indicated. If 0 is returned some other error occurred and
this can be reported back to the user.
The function SSL_CONF_cmd_value_type() can be used by applications to
check for the existence of a command or to perform additional syntax
checking or translation of the command value. For example if the return
value is B<SSL_CONF_TYPE_FILE> an application could translate a relative
pathname to an absolute pathname.
=head1 RETURN VALUES
SSL_CONF_cmd() returns 1 if the value of B<cmd> is recognised and B<value> is
B<NOT> used and 2 if both B<cmd> and B<value> are used. In other words it
returns the number of arguments processed. This is useful when processing
command lines.
A return value of -2 means B<cmd> is not recognised.
A return value of -3 means B<cmd> is recognised and the command requires a
value but B<value> is NULL.
A return code of 0 indicates that both B<cmd> and B<value> are valid but an
error occurred attempting to perform the operation: for example due to an
error in the syntax of B<value> in this case the error queue may provide
additional information.
=head1 EXAMPLES
Set supported signature algorithms:
SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256");
There are various ways to select the supported protocols.
This set the minimum protocol version to TLSv1, and so disables SSLv3.
This is the recommended way to disable protocols.
SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1");
The following also disables SSLv3:
SSL_CONF_cmd(ctx, "Protocol", "-SSLv3");
The following will first enable all protocols, and then disable
SSLv3.
If no protocol versions were disabled before this has the same effect as
"-SSLv3", but if some versions were disables this will re-enable them before
disabling SSLv3.
SSL_CONF_cmd(ctx, "Protocol", "ALL,-SSLv3");
Only enable TLSv1.2:
SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1.2");
SSL_CONF_cmd(ctx, "MaxProtocol", "TLSv1.2");
This also only enables TLSv1.2:
SSL_CONF_cmd(ctx, "Protocol", "-ALL,TLSv1.2");
Disable TLS session tickets:
SSL_CONF_cmd(ctx, "Options", "-SessionTicket");
Enable compression:
SSL_CONF_cmd(ctx, "Options", "Compression");
Set supported curves to P-256, P-384:
SSL_CONF_cmd(ctx, "Curves", "P-256:P-384");
=head1 SEE ALSO
L<SSL_CONF_CTX_new(3)>,
L<SSL_CONF_CTX_set_flags(3)>,
L<SSL_CONF_CTX_set1_prefix(3)>,
L<SSL_CONF_CTX_set_ssl_ctx(3)>,
L<SSL_CONF_cmd_argv(3)>,
L<SSL_CTX_set_options(3)>
=head1 HISTORY
The SSL_CONF_cmd() function was added in OpenSSL 1.0.2.
The B<SSL_OP_NO_SSL2> option doesn't have effect since 1.1.0, but the macro
is retained for backwards compatibility.
The B<SSL_CONF_TYPE_NONE> was added in OpenSSL 1.1.0. In earlier versions of
OpenSSL passing a command which didn't take an argument would return
B<SSL_CONF_TYPE_UNKNOWN>.
B<MinProtocol> and B<MaxProtocol> where added in OpenSSL 1.1.0.
B<AllowNoDHEKEX> and B<PrioritizeChaCha> were added in OpenSSL 1.1.1.
=head1 COPYRIGHT
-Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2012-2022 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut
diff --git a/crypto/openssl/doc/man3/X509_STORE_CTX_new.pod b/crypto/openssl/doc/man3/X509_STORE_CTX_new.pod
index aba7fff781e5..b8024dc4af66 100644
--- a/crypto/openssl/doc/man3/X509_STORE_CTX_new.pod
+++ b/crypto/openssl/doc/man3/X509_STORE_CTX_new.pod
@@ -1,174 +1,241 @@
=pod
=head1 NAME
X509_STORE_CTX_new, X509_STORE_CTX_cleanup, X509_STORE_CTX_free,
X509_STORE_CTX_init, X509_STORE_CTX_set0_trusted_stack, X509_STORE_CTX_set_cert,
X509_STORE_CTX_set0_crls,
X509_STORE_CTX_get0_chain, X509_STORE_CTX_set0_verified_chain,
X509_STORE_CTX_get0_param, X509_STORE_CTX_set0_param,
X509_STORE_CTX_get0_untrusted, X509_STORE_CTX_set0_untrusted,
X509_STORE_CTX_get_num_untrusted,
X509_STORE_CTX_set_default,
X509_STORE_CTX_set_verify,
-X509_STORE_CTX_verify_fn
+X509_STORE_CTX_verify_fn,
+X509_STORE_CTX_set_purpose,
+X509_STORE_CTX_set_trust,
+X509_STORE_CTX_purpose_inherit
- X509_STORE_CTX initialisation
=head1 SYNOPSIS
#include <openssl/x509_vfy.h>
X509_STORE_CTX *X509_STORE_CTX_new(void);
void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
X509 *x509, STACK_OF(X509) *chain);
void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x);
STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx);
void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *chain);
void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk);
X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);
void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param);
int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);
STACK_OF(X509)* X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx);
void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx);
typedef int (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *);
void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, X509_STORE_CTX_verify_fn verify);
+ int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
+ int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust);
+ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
+ int purpose, int trust);
+
=head1 DESCRIPTION
These functions initialise an B<X509_STORE_CTX> structure for subsequent use
by X509_verify_cert().
X509_STORE_CTX_new() returns a newly initialised B<X509_STORE_CTX> structure.
X509_STORE_CTX_cleanup() internally cleans up an B<X509_STORE_CTX> structure.
The context can then be reused with a new call to X509_STORE_CTX_init().
X509_STORE_CTX_free() completely frees up B<ctx>. After this call B<ctx>
is no longer valid.
If B<ctx> is NULL nothing is done.
X509_STORE_CTX_init() sets up B<ctx> for a subsequent verification operation.
It must be called before each call to X509_verify_cert(), i.e. a B<ctx> is only
good for one call to X509_verify_cert(); if you want to verify a second
certificate with the same B<ctx> then you must call X509_STORE_CTX_cleanup()
and then X509_STORE_CTX_init() again before the second call to
X509_verify_cert(). The trusted certificate store is set to B<store>, the end
entity certificate to be verified is set to B<x509> and a set of additional
certificates (which will be untrusted but may be used to build the chain) in
B<chain>. Any or all of the B<store>, B<x509> and B<chain> parameters can be
B<NULL>.
X509_STORE_CTX_set0_trusted_stack() sets the set of trusted certificates of
B<ctx> to B<sk>. This is an alternative way of specifying trusted certificates
instead of using an B<X509_STORE>.
X509_STORE_CTX_set_cert() sets the certificate to be verified in B<ctx> to
B<x>.
X509_STORE_CTX_set0_verified_chain() sets the validated chain used
by B<ctx> to be B<chain>.
Ownership of the chain is transferred to B<ctx> and should not be
free'd by the caller.
X509_STORE_CTX_get0_chain() returns the internal pointer used by the
B<ctx> that contains the validated chain.
X509_STORE_CTX_set0_crls() sets a set of CRLs to use to aid certificate
verification to B<sk>. These CRLs will only be used if CRL verification is
enabled in the associated B<X509_VERIFY_PARAM> structure. This might be
used where additional "useful" CRLs are supplied as part of a protocol,
for example in a PKCS#7 structure.
X509_STORE_CTX_get0_param() retrieves an internal pointer
to the verification parameters associated with B<ctx>.
X509_STORE_CTX_get0_untrusted() retrieves an internal pointer to the
stack of untrusted certificates associated with B<ctx>.
X509_STORE_CTX_set0_untrusted() sets the internal point to the stack
of untrusted certificates associated with B<ctx> to B<sk>.
X509_STORE_CTX_set0_param() sets the internal verification parameter pointer
to B<param>. After this call B<param> should not be used.
X509_STORE_CTX_set_default() looks up and sets the default verification
method to B<name>. This uses the function X509_VERIFY_PARAM_lookup() to
find an appropriate set of parameters from B<name>.
X509_STORE_CTX_get_num_untrusted() returns the number of untrusted certificates
that were used in building the chain following a call to X509_verify_cert().
X509_STORE_CTX_set_verify() provides the capability for overriding the default
verify function. This function is responsible for verifying chain signatures and
expiration times.
A verify function is defined as an X509_STORE_CTX_verify type which has the
following signature:
int (*verify)(X509_STORE_CTX *);
This function should receive the current X509_STORE_CTX as a parameter and
return 1 on success or 0 on failure.
+X509 certificates may contain information about what purposes keys contained
+within them can be used for. For example "TLS WWW Server Authentication" or
+"Email Protection". This "key usage" information is held internally to the
+certificate itself. In addition the trust store containing trusted certificates
+can declare what purposes we trust different certificates for. This "trust"
+information is not held within the certificate itself but is "meta" information
+held alongside it. This "meta" information is associated with the certificate
+after it is issued and could be determined by a system administrator. For
+example a certificate might declare that it is suitable for use for both
+"TLS WWW Server Authentication" and "TLS Client Authentication", but a system
+administrator might only trust it for the former. An X.509 certificate extension
+exists that can record extended key usage information to supplement the purpose
+information described above. This extended mechanism is arbitrarily extensible
+and not well suited for a generic library API; applications that need to
+validate extended key usage information in certifiates will need to define a
+custom "purpose" (see below) or supply a nondefault verification callback
+(L<X509_STORE_set_verify_cb_func(3)>).
+
+X509_STORE_CTX_set_purpose() sets the purpose for the target certificate being
+verified in the I<ctx>. Built-in available values for the I<purpose> argument
+are B<X509_PURPOSE_SSL_CLIENT>, B<X509_PURPOSE_SSL_SERVER>,
+B<X509_PURPOSE_NS_SSL_SERVER>, B<X509_PURPOSE_SMIME_SIGN>,
+B<X509_PURPOSE_SMIME_ENCRYPT>, B<X509_PURPOSE_CRL_SIGN>, B<X509_PURPOSE_ANY>,
+B<X509_PURPOSE_OCSP_HELPER> and B<X509_PURPOSE_TIMESTAMP_SIGN>. It is also
+possible to create a custom purpose value. Setting a purpose will ensure that
+the key usage declared within certificates in the chain being verified is
+consistent with that purpose as well as, potentially, other checks. Every
+purpose also has an associated default trust value which will also be set at the
+same time. During verification this trust setting will be verified to check it
+is consistent with the trust set by the system administrator for certificates in
+the chain.
+
+X509_STORE_CTX_set_trust() sets the trust value for the target certificate
+being verified in the I<ctx>. Built-in available values for the I<trust>
+argument are B<X509_TRUST_COMPAT>, B<X509_TRUST_SSL_CLIENT>,
+B<X509_TRUST_SSL_SERVER>, B<X509_TRUST_EMAIL>, B<X509_TRUST_OBJECT_SIGN>,
+B<X509_TRUST_OCSP_SIGN>, B<X509_TRUST_OCSP_REQUEST> and B<X509_TRUST_TSA>. It is
+also possible to create a custom trust value. Since X509_STORE_CTX_set_purpose()
+also sets the trust value it is normally sufficient to only call that function.
+If both are called then X509_STORE_CTX_set_trust() should be called after
+X509_STORE_CTX_set_purpose() since the trust setting of the last call will be
+used.
+
+It should not normally be necessary for end user applications to call
+X509_STORE_CTX_purpose_inherit() directly. Typically applications should call
+X509_STORE_CTX_set_purpose() or X509_STORE_CTX_set_trust() instead. Using this
+function it is possible to set the purpose and trust values for the I<ctx> at
+the same time. The I<def_purpose> and I<purpose> arguments can have the same
+purpose values as described for X509_STORE_CTX_set_purpose() above. The I<trust>
+argument can have the same trust values as described in
+X509_STORE_CTX_set_trust() above. Any of the I<def_purpose>, I<purpose> or
+I<trust> values may also have the value 0 to indicate that the supplied
+parameter should be ignored. After calling this function the purpose to be used
+for verification is set from the I<purpose> argument, and the trust is set from
+the I<trust> argument. If I<trust> is 0 then the trust value will be set from
+the default trust value for I<purpose>. If the default trust value for the
+purpose is I<X509_TRUST_DEFAULT> and I<trust> is 0 then the default trust value
+associated with the I<def_purpose> value is used for the trust setting instead.
+
=head1 NOTES
The certificates and CRLs in a store are used internally and should B<not>
be freed up until after the associated B<X509_STORE_CTX> is freed.
=head1 BUGS
The certificates and CRLs in a context are used internally and should B<not>
be freed up until after the associated B<X509_STORE_CTX> is freed. Copies
should be made or reference counts increased instead.
=head1 RETURN VALUES
X509_STORE_CTX_new() returns a newly allocated context or B<NULL> if an
error occurred.
X509_STORE_CTX_init() returns 1 for success or 0 if an error occurred.
X509_STORE_CTX_get0_param() returns a pointer to an B<X509_VERIFY_PARAM>
structure or B<NULL> if an error occurred.
X509_STORE_CTX_cleanup(), X509_STORE_CTX_free(),
X509_STORE_CTX_set0_trusted_stack(),
X509_STORE_CTX_set_cert(),
X509_STORE_CTX_set0_crls() and X509_STORE_CTX_set0_param() do not return
values.
X509_STORE_CTX_set_default() returns 1 for success or 0 if an error occurred.
X509_STORE_CTX_get_num_untrusted() returns the number of untrusted certificates
used.
=head1 SEE ALSO
L<X509_verify_cert(3)>
L<X509_VERIFY_PARAM_set_flags(3)>
=head1 HISTORY
The X509_STORE_CTX_set0_crls() function was added in OpenSSL 1.0.0.
The X509_STORE_CTX_get_num_untrusted() function was added in OpenSSL 1.1.0.
=head1 COPYRIGHT
-Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut
diff --git a/crypto/openssl/include/internal/sockets.h b/crypto/openssl/include/internal/sockets.h
index 39186efef207..4fc1aecdbb20 100644
--- a/crypto/openssl/include/internal/sockets.h
+++ b/crypto/openssl/include/internal/sockets.h
@@ -1,155 +1,157 @@
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#ifndef OSSL_INTERNAL_SOCKETS_H
# define OSSL_INTERNAL_SOCKETS_H
# if defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI)
# define NO_SYS_PARAM_H
# endif
# ifdef WIN32
# define NO_SYS_UN_H
# endif
# ifdef OPENSSL_SYS_VMS
# define NO_SYS_PARAM_H
# define NO_SYS_UN_H
# endif
# ifdef OPENSSL_NO_SOCK
# elif defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
# if defined(__DJGPP__)
# include <sys/socket.h>
# include <sys/un.h>
# include <tcp.h>
# include <netdb.h>
+# include <arpa/inet.h>
+# include <netinet/tcp.h>
# elif defined(_WIN32_WCE) && _WIN32_WCE<410
# define getservbyname _masked_declaration_getservbyname
# endif
# if !defined(IPPROTO_IP)
/* winsock[2].h was included already? */
# include <winsock.h>
# endif
# ifdef getservbyname
/* this is used to be wcecompat/include/winsock_extras.h */
# undef getservbyname
struct servent *PASCAL getservbyname(const char *, const char *);
# endif
# ifdef _WIN64
/*
* Even though sizeof(SOCKET) is 8, it's safe to cast it to int, because
* the value constitutes an index in per-process table of limited size
* and not a real pointer. And we also depend on fact that all processors
* Windows run on happen to be two's-complement, which allows to
* interchange INVALID_SOCKET and -1.
*/
# define socket(d,t,p) ((int)socket(d,t,p))
# define accept(s,f,l) ((int)accept(s,f,l))
# endif
# else
# ifndef NO_SYS_PARAM_H
# include <sys/param.h>
# endif
# ifdef OPENSSL_SYS_VXWORKS
# include <time.h>
# endif
# include <netdb.h>
# if defined(OPENSSL_SYS_VMS_NODECC)
# include <socket.h>
# include <in.h>
# include <inet.h>
# else
# include <sys/socket.h>
# ifndef NO_SYS_UN_H
# include <sys/un.h>
# ifndef UNIX_PATH_MAX
# define UNIX_PATH_MAX sizeof(((struct sockaddr_un *)NULL)->sun_path)
# endif
# endif
# ifdef FILIO_H
# include <sys/filio.h> /* FIONBIO in some SVR4, e.g. unixware, solaris */
# endif
# include <netinet/in.h>
# include <arpa/inet.h>
# include <netinet/tcp.h>
# endif
# ifdef OPENSSL_SYS_AIX
# include <sys/select.h>
# endif
# ifndef VMS
# include <sys/ioctl.h>
# else
# if !defined(TCPIP_TYPE_SOCKETSHR) && defined(__VMS_VER) && (__VMS_VER > 70000000)
/* ioctl is only in VMS > 7.0 and when socketshr is not used */
# include <sys/ioctl.h>
# endif
# include <unixio.h>
# if defined(TCPIP_TYPE_SOCKETSHR)
# include <socketshr.h>
# endif
# endif
# ifndef INVALID_SOCKET
# define INVALID_SOCKET (-1)
# endif
# endif
/*
* Some IPv6 implementations are broken, you can disable them in known
* bad versions.
*/
# if !defined(OPENSSL_USE_IPV6)
# if defined(AF_INET6)
# define OPENSSL_USE_IPV6 1
# else
# define OPENSSL_USE_IPV6 0
# endif
# endif
# define get_last_socket_error() errno
# define clear_socket_error() errno=0
# if defined(OPENSSL_SYS_WINDOWS)
# undef get_last_socket_error
# undef clear_socket_error
# define get_last_socket_error() WSAGetLastError()
# define clear_socket_error() WSASetLastError(0)
# define readsocket(s,b,n) recv((s),(b),(n),0)
# define writesocket(s,b,n) send((s),(b),(n),0)
# elif defined(__DJGPP__)
# define WATT32
# define WATT32_NO_OLDIES
# define closesocket(s) close_s(s)
# define readsocket(s,b,n) read_s(s,b,n)
# define writesocket(s,b,n) send(s,b,n,0)
# elif defined(OPENSSL_SYS_VMS)
# define ioctlsocket(a,b,c) ioctl(a,b,c)
# define closesocket(s) close(s)
# define readsocket(s,b,n) recv((s),(b),(n),0)
# define writesocket(s,b,n) send((s),(b),(n),0)
# elif defined(OPENSSL_SYS_VXWORKS)
# define ioctlsocket(a,b,c) ioctl((a),(b),(int)(c))
# define closesocket(s) close(s)
# define readsocket(s,b,n) read((s),(b),(n))
# define writesocket(s,b,n) write((s),(char *)(b),(n))
# else
# define ioctlsocket(a,b,c) ioctl(a,b,c)
# define closesocket(s) close(s)
# define readsocket(s,b,n) read((s),(b),(n))
# define writesocket(s,b,n) write((s),(b),(n))
# endif
#endif
diff --git a/crypto/openssl/include/openssl/engine.h b/crypto/openssl/include/openssl/engine.h
index 0780f0fb5f32..d707eaeb6ee3 100644
--- a/crypto/openssl/include/openssl/engine.h
+++ b/crypto/openssl/include/openssl/engine.h
@@ -1,751 +1,752 @@
/*
- * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#ifndef HEADER_ENGINE_H
# define HEADER_ENGINE_H
# include <openssl/opensslconf.h>
# ifndef OPENSSL_NO_ENGINE
# if OPENSSL_API_COMPAT < 0x10100000L
# include <openssl/bn.h>
# include <openssl/rsa.h>
# include <openssl/dsa.h>
# include <openssl/dh.h>
# include <openssl/ec.h>
# include <openssl/rand.h>
# include <openssl/ui.h>
# include <openssl/err.h>
# endif
# include <openssl/ossl_typ.h>
# include <openssl/symhacks.h>
# include <openssl/x509.h>
# include <openssl/engineerr.h>
# ifdef __cplusplus
extern "C" {
# endif
/*
* These flags are used to control combinations of algorithm (methods) by
* bitwise "OR"ing.
*/
# define ENGINE_METHOD_RSA (unsigned int)0x0001
# define ENGINE_METHOD_DSA (unsigned int)0x0002
# define ENGINE_METHOD_DH (unsigned int)0x0004
# define ENGINE_METHOD_RAND (unsigned int)0x0008
# define ENGINE_METHOD_CIPHERS (unsigned int)0x0040
# define ENGINE_METHOD_DIGESTS (unsigned int)0x0080
# define ENGINE_METHOD_PKEY_METHS (unsigned int)0x0200
# define ENGINE_METHOD_PKEY_ASN1_METHS (unsigned int)0x0400
# define ENGINE_METHOD_EC (unsigned int)0x0800
/* Obvious all-or-nothing cases. */
# define ENGINE_METHOD_ALL (unsigned int)0xFFFF
# define ENGINE_METHOD_NONE (unsigned int)0x0000
/*
* This(ese) flag(s) controls behaviour of the ENGINE_TABLE mechanism used
* internally to control registration of ENGINE implementations, and can be
* set by ENGINE_set_table_flags(). The "NOINIT" flag prevents attempts to
* initialise registered ENGINEs if they are not already initialised.
*/
# define ENGINE_TABLE_FLAG_NOINIT (unsigned int)0x0001
/* ENGINE flags that can be set by ENGINE_set_flags(). */
/* Not used */
/* #define ENGINE_FLAGS_MALLOCED 0x0001 */
/*
* This flag is for ENGINEs that wish to handle the various 'CMD'-related
* control commands on their own. Without this flag, ENGINE_ctrl() handles
* these control commands on behalf of the ENGINE using their "cmd_defns"
* data.
*/
# define ENGINE_FLAGS_MANUAL_CMD_CTRL (int)0x0002
/*
* This flag is for ENGINEs who return new duplicate structures when found
* via "ENGINE_by_id()". When an ENGINE must store state (eg. if
* ENGINE_ctrl() commands are called in sequence as part of some stateful
* process like key-generation setup and execution), it can set this flag -
* then each attempt to obtain the ENGINE will result in it being copied into
* a new structure. Normally, ENGINEs don't declare this flag so
* ENGINE_by_id() just increments the existing ENGINE's structural reference
* count.
*/
# define ENGINE_FLAGS_BY_ID_COPY (int)0x0004
/*
* This flag if for an ENGINE that does not want its methods registered as
* part of ENGINE_register_all_complete() for example if the methods are not
* usable as default methods.
*/
# define ENGINE_FLAGS_NO_REGISTER_ALL (int)0x0008
/*
* ENGINEs can support their own command types, and these flags are used in
* ENGINE_CTRL_GET_CMD_FLAGS to indicate to the caller what kind of input
* each command expects. Currently only numeric and string input is
* supported. If a control command supports none of the _NUMERIC, _STRING, or
* _NO_INPUT options, then it is regarded as an "internal" control command -
* and not for use in config setting situations. As such, they're not
* available to the ENGINE_ctrl_cmd_string() function, only raw ENGINE_ctrl()
* access. Changes to this list of 'command types' should be reflected
* carefully in ENGINE_cmd_is_executable() and ENGINE_ctrl_cmd_string().
*/
/* accepts a 'long' input value (3rd parameter to ENGINE_ctrl) */
# define ENGINE_CMD_FLAG_NUMERIC (unsigned int)0x0001
/*
* accepts string input (cast from 'void*' to 'const char *', 4th parameter
* to ENGINE_ctrl)
*/
# define ENGINE_CMD_FLAG_STRING (unsigned int)0x0002
/*
* Indicates that the control command takes *no* input. Ie. the control
* command is unparameterised.
*/
# define ENGINE_CMD_FLAG_NO_INPUT (unsigned int)0x0004
/*
* Indicates that the control command is internal. This control command won't
* be shown in any output, and is only usable through the ENGINE_ctrl_cmd()
* function.
*/
# define ENGINE_CMD_FLAG_INTERNAL (unsigned int)0x0008
/*
* NB: These 3 control commands are deprecated and should not be used.
* ENGINEs relying on these commands should compile conditional support for
* compatibility (eg. if these symbols are defined) but should also migrate
* the same functionality to their own ENGINE-specific control functions that
* can be "discovered" by calling applications. The fact these control
* commands wouldn't be "executable" (ie. usable by text-based config)
* doesn't change the fact that application code can find and use them
* without requiring per-ENGINE hacking.
*/
/*
* These flags are used to tell the ctrl function what should be done. All
* command numbers are shared between all engines, even if some don't make
* sense to some engines. In such a case, they do nothing but return the
* error ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED.
*/
# define ENGINE_CTRL_SET_LOGSTREAM 1
# define ENGINE_CTRL_SET_PASSWORD_CALLBACK 2
# define ENGINE_CTRL_HUP 3/* Close and reinitialise
* any handles/connections
* etc. */
# define ENGINE_CTRL_SET_USER_INTERFACE 4/* Alternative to callback */
# define ENGINE_CTRL_SET_CALLBACK_DATA 5/* User-specific data, used
* when calling the password
* callback and the user
* interface */
# define ENGINE_CTRL_LOAD_CONFIGURATION 6/* Load a configuration,
* given a string that
* represents a file name
* or so */
# define ENGINE_CTRL_LOAD_SECTION 7/* Load data from a given
* section in the already
* loaded configuration */
/*
* These control commands allow an application to deal with an arbitrary
* engine in a dynamic way. Warn: Negative return values indicate errors FOR
* THESE COMMANDS because zero is used to indicate 'end-of-list'. Other
* commands, including ENGINE-specific command types, return zero for an
* error. An ENGINE can choose to implement these ctrl functions, and can
* internally manage things however it chooses - it does so by setting the
* ENGINE_FLAGS_MANUAL_CMD_CTRL flag (using ENGINE_set_flags()). Otherwise
* the ENGINE_ctrl() code handles this on the ENGINE's behalf using the
* cmd_defns data (set using ENGINE_set_cmd_defns()). This means an ENGINE's
* ctrl() handler need only implement its own commands - the above "meta"
* commands will be taken care of.
*/
/*
* Returns non-zero if the supplied ENGINE has a ctrl() handler. If "not",
* then all the remaining control commands will return failure, so it is
* worth checking this first if the caller is trying to "discover" the
* engine's capabilities and doesn't want errors generated unnecessarily.
*/
# define ENGINE_CTRL_HAS_CTRL_FUNCTION 10
/*
* Returns a positive command number for the first command supported by the
* engine. Returns zero if no ctrl commands are supported.
*/
# define ENGINE_CTRL_GET_FIRST_CMD_TYPE 11
/*
* The 'long' argument specifies a command implemented by the engine, and the
* return value is the next command supported, or zero if there are no more.
*/
# define ENGINE_CTRL_GET_NEXT_CMD_TYPE 12
/*
* The 'void*' argument is a command name (cast from 'const char *'), and the
* return value is the command that corresponds to it.
*/
# define ENGINE_CTRL_GET_CMD_FROM_NAME 13
/*
* The next two allow a command to be converted into its corresponding string
* form. In each case, the 'long' argument supplies the command. In the
* NAME_LEN case, the return value is the length of the command name (not
* counting a trailing EOL). In the NAME case, the 'void*' argument must be a
* string buffer large enough, and it will be populated with the name of the
* command (WITH a trailing EOL).
*/
# define ENGINE_CTRL_GET_NAME_LEN_FROM_CMD 14
# define ENGINE_CTRL_GET_NAME_FROM_CMD 15
/* The next two are similar but give a "short description" of a command. */
# define ENGINE_CTRL_GET_DESC_LEN_FROM_CMD 16
# define ENGINE_CTRL_GET_DESC_FROM_CMD 17
/*
* With this command, the return value is the OR'd combination of
* ENGINE_CMD_FLAG_*** values that indicate what kind of input a given
* engine-specific ctrl command expects.
*/
# define ENGINE_CTRL_GET_CMD_FLAGS 18
/*
* ENGINE implementations should start the numbering of their own control
* commands from this value. (ie. ENGINE_CMD_BASE, ENGINE_CMD_BASE + 1, etc).
*/
# define ENGINE_CMD_BASE 200
/*
* NB: These 2 nCipher "chil" control commands are deprecated, and their
* functionality is now available through ENGINE-specific control commands
* (exposed through the above-mentioned 'CMD'-handling). Code using these 2
* commands should be migrated to the more general command handling before
* these are removed.
*/
/* Flags specific to the nCipher "chil" engine */
# define ENGINE_CTRL_CHIL_SET_FORKCHECK 100
/*
* Depending on the value of the (long)i argument, this sets or
* unsets the SimpleForkCheck flag in the CHIL API to enable or
* disable checking and workarounds for applications that fork().
*/
# define ENGINE_CTRL_CHIL_NO_LOCKING 101
/*
* This prevents the initialisation function from providing mutex
* callbacks to the nCipher library.
*/
/*
* If an ENGINE supports its own specific control commands and wishes the
* framework to handle the above 'ENGINE_CMD_***'-manipulation commands on
* its behalf, it should supply a null-terminated array of ENGINE_CMD_DEFN
* entries to ENGINE_set_cmd_defns(). It should also implement a ctrl()
* handler that supports the stated commands (ie. the "cmd_num" entries as
* described by the array). NB: The array must be ordered in increasing order
* of cmd_num. "null-terminated" means that the last ENGINE_CMD_DEFN element
* has cmd_num set to zero and/or cmd_name set to NULL.
*/
typedef struct ENGINE_CMD_DEFN_st {
unsigned int cmd_num; /* The command number */
const char *cmd_name; /* The command name itself */
const char *cmd_desc; /* A short description of the command */
unsigned int cmd_flags; /* The input the command expects */
} ENGINE_CMD_DEFN;
/* Generic function pointer */
typedef int (*ENGINE_GEN_FUNC_PTR) (void);
/* Generic function pointer taking no arguments */
typedef int (*ENGINE_GEN_INT_FUNC_PTR) (ENGINE *);
/* Specific control function pointer */
typedef int (*ENGINE_CTRL_FUNC_PTR) (ENGINE *, int, long, void *,
void (*f) (void));
/* Generic load_key function pointer */
typedef EVP_PKEY *(*ENGINE_LOAD_KEY_PTR)(ENGINE *, const char *,
UI_METHOD *ui_method,
void *callback_data);
typedef int (*ENGINE_SSL_CLIENT_CERT_PTR) (ENGINE *, SSL *ssl,
STACK_OF(X509_NAME) *ca_dn,
X509 **pcert, EVP_PKEY **pkey,
STACK_OF(X509) **pother,
UI_METHOD *ui_method,
void *callback_data);
/*-
* These callback types are for an ENGINE's handler for cipher and digest logic.
* These handlers have these prototypes;
* int foo(ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid);
* int foo(ENGINE *e, const EVP_MD **digest, const int **nids, int nid);
* Looking at how to implement these handlers in the case of cipher support, if
* the framework wants the EVP_CIPHER for 'nid', it will call;
* foo(e, &p_evp_cipher, NULL, nid); (return zero for failure)
* If the framework wants a list of supported 'nid's, it will call;
* foo(e, NULL, &p_nids, 0); (returns number of 'nids' or -1 for error)
*/
/*
* Returns to a pointer to the array of supported cipher 'nid's. If the
* second parameter is non-NULL it is set to the size of the returned array.
*/
typedef int (*ENGINE_CIPHERS_PTR) (ENGINE *, const EVP_CIPHER **,
const int **, int);
typedef int (*ENGINE_DIGESTS_PTR) (ENGINE *, const EVP_MD **, const int **,
int);
typedef int (*ENGINE_PKEY_METHS_PTR) (ENGINE *, EVP_PKEY_METHOD **,
const int **, int);
typedef int (*ENGINE_PKEY_ASN1_METHS_PTR) (ENGINE *, EVP_PKEY_ASN1_METHOD **,
const int **, int);
/*
* STRUCTURE functions ... all of these functions deal with pointers to
* ENGINE structures where the pointers have a "structural reference". This
* means that their reference is to allowed access to the structure but it
* does not imply that the structure is functional. To simply increment or
* decrement the structural reference count, use ENGINE_by_id and
* ENGINE_free. NB: This is not required when iterating using ENGINE_get_next
* as it will automatically decrement the structural reference count of the
* "current" ENGINE and increment the structural reference count of the
* ENGINE it returns (unless it is NULL).
*/
/* Get the first/last "ENGINE" type available. */
ENGINE *ENGINE_get_first(void);
ENGINE *ENGINE_get_last(void);
/* Iterate to the next/previous "ENGINE" type (NULL = end of the list). */
ENGINE *ENGINE_get_next(ENGINE *e);
ENGINE *ENGINE_get_prev(ENGINE *e);
/* Add another "ENGINE" type into the array. */
int ENGINE_add(ENGINE *e);
/* Remove an existing "ENGINE" type from the array. */
int ENGINE_remove(ENGINE *e);
/* Retrieve an engine from the list by its unique "id" value. */
ENGINE *ENGINE_by_id(const char *id);
#if OPENSSL_API_COMPAT < 0x10100000L
# define ENGINE_load_openssl() \
OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_OPENSSL, NULL)
# define ENGINE_load_dynamic() \
OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_DYNAMIC, NULL)
# ifndef OPENSSL_NO_STATIC_ENGINE
# define ENGINE_load_padlock() \
OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_PADLOCK, NULL)
# define ENGINE_load_capi() \
OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_CAPI, NULL)
# define ENGINE_load_afalg() \
OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_AFALG, NULL)
# endif
# define ENGINE_load_cryptodev() \
OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_CRYPTODEV, NULL)
# define ENGINE_load_rdrand() \
OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_RDRAND, NULL)
#endif
void ENGINE_load_builtin_engines(void);
/*
* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
* "registry" handling.
*/
unsigned int ENGINE_get_table_flags(void);
void ENGINE_set_table_flags(unsigned int flags);
/*- Manage registration of ENGINEs per "table". For each type, there are 3
* functions;
* ENGINE_register_***(e) - registers the implementation from 'e' (if it has one)
* ENGINE_unregister_***(e) - unregister the implementation from 'e'
* ENGINE_register_all_***() - call ENGINE_register_***() for each 'e' in the list
* Cleanup is automatically registered from each table when required.
*/
int ENGINE_register_RSA(ENGINE *e);
void ENGINE_unregister_RSA(ENGINE *e);
void ENGINE_register_all_RSA(void);
int ENGINE_register_DSA(ENGINE *e);
void ENGINE_unregister_DSA(ENGINE *e);
void ENGINE_register_all_DSA(void);
int ENGINE_register_EC(ENGINE *e);
void ENGINE_unregister_EC(ENGINE *e);
void ENGINE_register_all_EC(void);
int ENGINE_register_DH(ENGINE *e);
void ENGINE_unregister_DH(ENGINE *e);
void ENGINE_register_all_DH(void);
int ENGINE_register_RAND(ENGINE *e);
void ENGINE_unregister_RAND(ENGINE *e);
void ENGINE_register_all_RAND(void);
int ENGINE_register_ciphers(ENGINE *e);
void ENGINE_unregister_ciphers(ENGINE *e);
void ENGINE_register_all_ciphers(void);
int ENGINE_register_digests(ENGINE *e);
void ENGINE_unregister_digests(ENGINE *e);
void ENGINE_register_all_digests(void);
int ENGINE_register_pkey_meths(ENGINE *e);
void ENGINE_unregister_pkey_meths(ENGINE *e);
void ENGINE_register_all_pkey_meths(void);
int ENGINE_register_pkey_asn1_meths(ENGINE *e);
void ENGINE_unregister_pkey_asn1_meths(ENGINE *e);
void ENGINE_register_all_pkey_asn1_meths(void);
/*
* These functions register all support from the above categories. Note, use
* of these functions can result in static linkage of code your application
* may not need. If you only need a subset of functionality, consider using
* more selective initialisation.
*/
int ENGINE_register_complete(ENGINE *e);
int ENGINE_register_all_complete(void);
/*
* Send parameterised control commands to the engine. The possibilities to
* send down an integer, a pointer to data or a function pointer are
* provided. Any of the parameters may or may not be NULL, depending on the
* command number. In actuality, this function only requires a structural
* (rather than functional) reference to an engine, but many control commands
* may require the engine be functional. The caller should be aware of trying
* commands that require an operational ENGINE, and only use functional
* references in such situations.
*/
int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) (void));
/*
* This function tests if an ENGINE-specific command is usable as a
* "setting". Eg. in an application's config file that gets processed through
* ENGINE_ctrl_cmd_string(). If this returns zero, it is not available to
* ENGINE_ctrl_cmd_string(), only ENGINE_ctrl().
*/
int ENGINE_cmd_is_executable(ENGINE *e, int cmd);
/*
* This function works like ENGINE_ctrl() with the exception of taking a
* command name instead of a command number, and can handle optional
* commands. See the comment on ENGINE_ctrl_cmd_string() for an explanation
* on how to use the cmd_name and cmd_optional.
*/
int ENGINE_ctrl_cmd(ENGINE *e, const char *cmd_name,
long i, void *p, void (*f) (void), int cmd_optional);
/*
* This function passes a command-name and argument to an ENGINE. The
* cmd_name is converted to a command number and the control command is
* called using 'arg' as an argument (unless the ENGINE doesn't support such
* a command, in which case no control command is called). The command is
* checked for input flags, and if necessary the argument will be converted
* to a numeric value. If cmd_optional is non-zero, then if the ENGINE
* doesn't support the given cmd_name the return value will be success
* anyway. This function is intended for applications to use so that users
* (or config files) can supply engine-specific config data to the ENGINE at
* run-time to control behaviour of specific engines. As such, it shouldn't
* be used for calling ENGINE_ctrl() functions that return data, deal with
* binary data, or that are otherwise supposed to be used directly through
* ENGINE_ctrl() in application code. Any "return" data from an ENGINE_ctrl()
* operation in this function will be lost - the return value is interpreted
* as failure if the return value is zero, success otherwise, and this
* function returns a boolean value as a result. In other words, vendors of
* 'ENGINE'-enabled devices should write ENGINE implementations with
* parameterisations that work in this scheme, so that compliant ENGINE-based
* applications can work consistently with the same configuration for the
* same ENGINE-enabled devices, across applications.
*/
int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
int cmd_optional);
/*
* These functions are useful for manufacturing new ENGINE structures. They
* don't address reference counting at all - one uses them to populate an
* ENGINE structure with personalised implementations of things prior to
* using it directly or adding it to the builtin ENGINE list in OpenSSL.
* These are also here so that the ENGINE structure doesn't have to be
* exposed and break binary compatibility!
*/
ENGINE *ENGINE_new(void);
int ENGINE_free(ENGINE *e);
int ENGINE_up_ref(ENGINE *e);
int ENGINE_set_id(ENGINE *e, const char *id);
int ENGINE_set_name(ENGINE *e, const char *name);
int ENGINE_set_RSA(ENGINE *e, const RSA_METHOD *rsa_meth);
int ENGINE_set_DSA(ENGINE *e, const DSA_METHOD *dsa_meth);
int ENGINE_set_EC(ENGINE *e, const EC_KEY_METHOD *ecdsa_meth);
int ENGINE_set_DH(ENGINE *e, const DH_METHOD *dh_meth);
int ENGINE_set_RAND(ENGINE *e, const RAND_METHOD *rand_meth);
int ENGINE_set_destroy_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR destroy_f);
int ENGINE_set_init_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR init_f);
int ENGINE_set_finish_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR finish_f);
int ENGINE_set_ctrl_function(ENGINE *e, ENGINE_CTRL_FUNC_PTR ctrl_f);
int ENGINE_set_load_privkey_function(ENGINE *e,
ENGINE_LOAD_KEY_PTR loadpriv_f);
int ENGINE_set_load_pubkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpub_f);
int ENGINE_set_load_ssl_client_cert_function(ENGINE *e,
ENGINE_SSL_CLIENT_CERT_PTR
loadssl_f);
int ENGINE_set_ciphers(ENGINE *e, ENGINE_CIPHERS_PTR f);
int ENGINE_set_digests(ENGINE *e, ENGINE_DIGESTS_PTR f);
int ENGINE_set_pkey_meths(ENGINE *e, ENGINE_PKEY_METHS_PTR f);
int ENGINE_set_pkey_asn1_meths(ENGINE *e, ENGINE_PKEY_ASN1_METHS_PTR f);
int ENGINE_set_flags(ENGINE *e, int flags);
int ENGINE_set_cmd_defns(ENGINE *e, const ENGINE_CMD_DEFN *defns);
/* These functions allow control over any per-structure ENGINE data. */
#define ENGINE_get_ex_new_index(l, p, newf, dupf, freef) \
CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_ENGINE, l, p, newf, dupf, freef)
int ENGINE_set_ex_data(ENGINE *e, int idx, void *arg);
void *ENGINE_get_ex_data(const ENGINE *e, int idx);
#if OPENSSL_API_COMPAT < 0x10100000L
/*
* This function previously cleaned up anything that needs it. Auto-deinit will
* now take care of it so it is no longer required to call this function.
*/
# define ENGINE_cleanup() while(0) continue
#endif
/*
* These return values from within the ENGINE structure. These can be useful
* with functional references as well as structural references - it depends
* which you obtained. Using the result for functional purposes if you only
* obtained a structural reference may be problematic!
*/
const char *ENGINE_get_id(const ENGINE *e);
const char *ENGINE_get_name(const ENGINE *e);
const RSA_METHOD *ENGINE_get_RSA(const ENGINE *e);
const DSA_METHOD *ENGINE_get_DSA(const ENGINE *e);
const EC_KEY_METHOD *ENGINE_get_EC(const ENGINE *e);
const DH_METHOD *ENGINE_get_DH(const ENGINE *e);
const RAND_METHOD *ENGINE_get_RAND(const ENGINE *e);
ENGINE_GEN_INT_FUNC_PTR ENGINE_get_destroy_function(const ENGINE *e);
ENGINE_GEN_INT_FUNC_PTR ENGINE_get_init_function(const ENGINE *e);
ENGINE_GEN_INT_FUNC_PTR ENGINE_get_finish_function(const ENGINE *e);
ENGINE_CTRL_FUNC_PTR ENGINE_get_ctrl_function(const ENGINE *e);
ENGINE_LOAD_KEY_PTR ENGINE_get_load_privkey_function(const ENGINE *e);
ENGINE_LOAD_KEY_PTR ENGINE_get_load_pubkey_function(const ENGINE *e);
ENGINE_SSL_CLIENT_CERT_PTR ENGINE_get_ssl_client_cert_function(const ENGINE
*e);
ENGINE_CIPHERS_PTR ENGINE_get_ciphers(const ENGINE *e);
ENGINE_DIGESTS_PTR ENGINE_get_digests(const ENGINE *e);
ENGINE_PKEY_METHS_PTR ENGINE_get_pkey_meths(const ENGINE *e);
ENGINE_PKEY_ASN1_METHS_PTR ENGINE_get_pkey_asn1_meths(const ENGINE *e);
const EVP_CIPHER *ENGINE_get_cipher(ENGINE *e, int nid);
const EVP_MD *ENGINE_get_digest(ENGINE *e, int nid);
const EVP_PKEY_METHOD *ENGINE_get_pkey_meth(ENGINE *e, int nid);
const EVP_PKEY_ASN1_METHOD *ENGINE_get_pkey_asn1_meth(ENGINE *e, int nid);
const EVP_PKEY_ASN1_METHOD *ENGINE_get_pkey_asn1_meth_str(ENGINE *e,
const char *str,
int len);
const EVP_PKEY_ASN1_METHOD *ENGINE_pkey_asn1_find_str(ENGINE **pe,
const char *str,
int len);
const ENGINE_CMD_DEFN *ENGINE_get_cmd_defns(const ENGINE *e);
int ENGINE_get_flags(const ENGINE *e);
/*
* FUNCTIONAL functions. These functions deal with ENGINE structures that
* have (or will) be initialised for use. Broadly speaking, the structural
* functions are useful for iterating the list of available engine types,
* creating new engine types, and other "list" operations. These functions
* actually deal with ENGINEs that are to be used. As such these functions
* can fail (if applicable) when particular engines are unavailable - eg. if
* a hardware accelerator is not attached or not functioning correctly. Each
* ENGINE has 2 reference counts; structural and functional. Every time a
* functional reference is obtained or released, a corresponding structural
* reference is automatically obtained or released too.
*/
/*
* Initialise a engine type for use (or up its reference count if it's
* already in use). This will fail if the engine is not currently operational
* and cannot initialise.
*/
int ENGINE_init(ENGINE *e);
/*
* Free a functional reference to a engine type. This does not require a
* corresponding call to ENGINE_free as it also releases a structural
* reference.
*/
int ENGINE_finish(ENGINE *e);
/*
* The following functions handle keys that are stored in some secondary
* location, handled by the engine. The storage may be on a card or
* whatever.
*/
EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
UI_METHOD *ui_method, void *callback_data);
EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id,
UI_METHOD *ui_method, void *callback_data);
int ENGINE_load_ssl_client_cert(ENGINE *e, SSL *s,
STACK_OF(X509_NAME) *ca_dn, X509 **pcert,
EVP_PKEY **ppkey, STACK_OF(X509) **pother,
UI_METHOD *ui_method, void *callback_data);
/*
* This returns a pointer for the current ENGINE structure that is (by
* default) performing any RSA operations. The value returned is an
* incremented reference, so it should be free'd (ENGINE_finish) before it is
* discarded.
*/
ENGINE *ENGINE_get_default_RSA(void);
/* Same for the other "methods" */
ENGINE *ENGINE_get_default_DSA(void);
ENGINE *ENGINE_get_default_EC(void);
ENGINE *ENGINE_get_default_DH(void);
ENGINE *ENGINE_get_default_RAND(void);
/*
* These functions can be used to get a functional reference to perform
* ciphering or digesting corresponding to "nid".
*/
ENGINE *ENGINE_get_cipher_engine(int nid);
ENGINE *ENGINE_get_digest_engine(int nid);
ENGINE *ENGINE_get_pkey_meth_engine(int nid);
ENGINE *ENGINE_get_pkey_asn1_meth_engine(int nid);
/*
* This sets a new default ENGINE structure for performing RSA operations. If
* the result is non-zero (success) then the ENGINE structure will have had
* its reference count up'd so the caller should still free their own
* reference 'e'.
*/
int ENGINE_set_default_RSA(ENGINE *e);
int ENGINE_set_default_string(ENGINE *e, const char *def_list);
/* Same for the other "methods" */
int ENGINE_set_default_DSA(ENGINE *e);
int ENGINE_set_default_EC(ENGINE *e);
int ENGINE_set_default_DH(ENGINE *e);
int ENGINE_set_default_RAND(ENGINE *e);
int ENGINE_set_default_ciphers(ENGINE *e);
int ENGINE_set_default_digests(ENGINE *e);
int ENGINE_set_default_pkey_meths(ENGINE *e);
int ENGINE_set_default_pkey_asn1_meths(ENGINE *e);
/*
* The combination "set" - the flags are bitwise "OR"d from the
* ENGINE_METHOD_*** defines above. As with the "ENGINE_register_complete()"
* function, this function can result in unnecessary static linkage. If your
* application requires only specific functionality, consider using more
* selective functions.
*/
int ENGINE_set_default(ENGINE *e, unsigned int flags);
void ENGINE_add_conf_module(void);
/* Deprecated functions ... */
/* int ENGINE_clear_defaults(void); */
/**************************/
/* DYNAMIC ENGINE SUPPORT */
/**************************/
/* Binary/behaviour compatibility levels */
# define OSSL_DYNAMIC_VERSION (unsigned long)0x00030000
/*
* Binary versions older than this are too old for us (whether we're a loader
* or a loadee)
*/
# define OSSL_DYNAMIC_OLDEST (unsigned long)0x00030000
/*
* When compiling an ENGINE entirely as an external shared library, loadable
* by the "dynamic" ENGINE, these types are needed. The 'dynamic_fns'
* structure type provides the calling application's (or library's) error
* functionality and memory management function pointers to the loaded
* library. These should be used/set in the loaded library code so that the
* loading application's 'state' will be used/changed in all operations. The
* 'static_state' pointer allows the loaded library to know if it shares the
* same static data as the calling application (or library), and thus whether
* these callbacks need to be set or not.
*/
typedef void *(*dyn_MEM_malloc_fn) (size_t, const char *, int);
typedef void *(*dyn_MEM_realloc_fn) (void *, size_t, const char *, int);
typedef void (*dyn_MEM_free_fn) (void *, const char *, int);
typedef struct st_dynamic_MEM_fns {
dyn_MEM_malloc_fn malloc_fn;
dyn_MEM_realloc_fn realloc_fn;
dyn_MEM_free_fn free_fn;
} dynamic_MEM_fns;
/*
* FIXME: Perhaps the memory and locking code (crypto.h) should declare and
* use these types so we (and any other dependent code) can simplify a bit??
*/
/* The top-level structure */
typedef struct st_dynamic_fns {
void *static_state;
dynamic_MEM_fns mem_fns;
} dynamic_fns;
/*
* The version checking function should be of this prototype. NB: The
* ossl_version value passed in is the OSSL_DYNAMIC_VERSION of the loading
* code. If this function returns zero, it indicates a (potential) version
* incompatibility and the loaded library doesn't believe it can proceed.
* Otherwise, the returned value is the (latest) version supported by the
* loading library. The loader may still decide that the loaded code's
* version is unsatisfactory and could veto the load. The function is
* expected to be implemented with the symbol name "v_check", and a default
* implementation can be fully instantiated with
* IMPLEMENT_DYNAMIC_CHECK_FN().
*/
typedef unsigned long (*dynamic_v_check_fn) (unsigned long ossl_version);
# define IMPLEMENT_DYNAMIC_CHECK_FN() \
OPENSSL_EXPORT unsigned long v_check(unsigned long v); \
OPENSSL_EXPORT unsigned long v_check(unsigned long v) { \
if (v >= OSSL_DYNAMIC_OLDEST) return OSSL_DYNAMIC_VERSION; \
return 0; }
/*
* This function is passed the ENGINE structure to initialise with its own
* function and command settings. It should not adjust the structural or
* functional reference counts. If this function returns zero, (a) the load
* will be aborted, (b) the previous ENGINE state will be memcpy'd back onto
* the structure, and (c) the shared library will be unloaded. So
* implementations should do their own internal cleanup in failure
* circumstances otherwise they could leak. The 'id' parameter, if non-NULL,
* represents the ENGINE id that the loader is looking for. If this is NULL,
* the shared library can choose to return failure or to initialise a
* 'default' ENGINE. If non-NULL, the shared library must initialise only an
* ENGINE matching the passed 'id'. The function is expected to be
* implemented with the symbol name "bind_engine". A standard implementation
* can be instantiated with IMPLEMENT_DYNAMIC_BIND_FN(fn) where the parameter
* 'fn' is a callback function that populates the ENGINE structure and
* returns an int value (zero for failure). 'fn' should have prototype;
* [static] int fn(ENGINE *e, const char *id);
*/
typedef int (*dynamic_bind_engine) (ENGINE *e, const char *id,
const dynamic_fns *fns);
# define IMPLEMENT_DYNAMIC_BIND_FN(fn) \
OPENSSL_EXPORT \
int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns); \
OPENSSL_EXPORT \
int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns) { \
if (ENGINE_get_static_state() == fns->static_state) goto skip_cbs; \
CRYPTO_set_mem_functions(fns->mem_fns.malloc_fn, \
fns->mem_fns.realloc_fn, \
fns->mem_fns.free_fn); \
+ OPENSSL_init_crypto(OPENSSL_INIT_NO_ATEXIT, NULL); \
skip_cbs: \
if (!fn(e, id)) return 0; \
return 1; }
/*
* If the loading application (or library) and the loaded ENGINE library
* share the same static data (eg. they're both dynamically linked to the
* same libcrypto.so) we need a way to avoid trying to set system callbacks -
* this would fail, and for the same reason that it's unnecessary to try. If
* the loaded ENGINE has (or gets from through the loader) its own copy of
* the libcrypto static data, we will need to set the callbacks. The easiest
* way to detect this is to have a function that returns a pointer to some
* static data and let the loading application and loaded ENGINE compare
* their respective values.
*/
void *ENGINE_get_static_state(void);
# if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__DragonFly__)
DEPRECATEDIN_1_1_0(void ENGINE_setup_bsd_cryptodev(void))
# endif
# ifdef __cplusplus
}
# endif
# endif
#endif
diff --git a/crypto/openssl/include/openssl/obj_mac.h b/crypto/openssl/include/openssl/obj_mac.h
index eb812ed18dcc..53516a06c69b 100644
--- a/crypto/openssl/include/openssl/obj_mac.h
+++ b/crypto/openssl/include/openssl/obj_mac.h
@@ -1,5198 +1,5198 @@
/*
* WARNING: do not edit!
* Generated by crypto/objects/objects.pl
*
- * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#define SN_undef "UNDEF"
#define LN_undef "undefined"
#define NID_undef 0
#define OBJ_undef 0L
#define SN_itu_t "ITU-T"
#define LN_itu_t "itu-t"
#define NID_itu_t 645
#define OBJ_itu_t 0L
#define NID_ccitt 404
#define OBJ_ccitt OBJ_itu_t
#define SN_iso "ISO"
#define LN_iso "iso"
#define NID_iso 181
#define OBJ_iso 1L
#define SN_joint_iso_itu_t "JOINT-ISO-ITU-T"
#define LN_joint_iso_itu_t "joint-iso-itu-t"
#define NID_joint_iso_itu_t 646
#define OBJ_joint_iso_itu_t 2L
#define NID_joint_iso_ccitt 393
#define OBJ_joint_iso_ccitt OBJ_joint_iso_itu_t
#define SN_member_body "member-body"
#define LN_member_body "ISO Member Body"
#define NID_member_body 182
#define OBJ_member_body OBJ_iso,2L
#define SN_identified_organization "identified-organization"
#define NID_identified_organization 676
#define OBJ_identified_organization OBJ_iso,3L
#define SN_hmac_md5 "HMAC-MD5"
#define LN_hmac_md5 "hmac-md5"
#define NID_hmac_md5 780
#define OBJ_hmac_md5 OBJ_identified_organization,6L,1L,5L,5L,8L,1L,1L
#define SN_hmac_sha1 "HMAC-SHA1"
#define LN_hmac_sha1 "hmac-sha1"
#define NID_hmac_sha1 781
#define OBJ_hmac_sha1 OBJ_identified_organization,6L,1L,5L,5L,8L,1L,2L
#define SN_x509ExtAdmission "x509ExtAdmission"
#define LN_x509ExtAdmission "Professional Information or basis for Admission"
#define NID_x509ExtAdmission 1093
#define OBJ_x509ExtAdmission OBJ_identified_organization,36L,8L,3L,3L
#define SN_certicom_arc "certicom-arc"
#define NID_certicom_arc 677
#define OBJ_certicom_arc OBJ_identified_organization,132L
#define SN_ieee "ieee"
#define NID_ieee 1170
#define OBJ_ieee OBJ_identified_organization,111L
#define SN_ieee_siswg "ieee-siswg"
#define LN_ieee_siswg "IEEE Security in Storage Working Group"
#define NID_ieee_siswg 1171
#define OBJ_ieee_siswg OBJ_ieee,2L,1619L
#define SN_international_organizations "international-organizations"
#define LN_international_organizations "International Organizations"
#define NID_international_organizations 647
#define OBJ_international_organizations OBJ_joint_iso_itu_t,23L
#define SN_wap "wap"
#define NID_wap 678
#define OBJ_wap OBJ_international_organizations,43L
#define SN_wap_wsg "wap-wsg"
#define NID_wap_wsg 679
#define OBJ_wap_wsg OBJ_wap,1L
#define SN_selected_attribute_types "selected-attribute-types"
#define LN_selected_attribute_types "Selected Attribute Types"
#define NID_selected_attribute_types 394
#define OBJ_selected_attribute_types OBJ_joint_iso_itu_t,5L,1L,5L
#define SN_clearance "clearance"
#define NID_clearance 395
#define OBJ_clearance OBJ_selected_attribute_types,55L
#define SN_ISO_US "ISO-US"
#define LN_ISO_US "ISO US Member Body"
#define NID_ISO_US 183
#define OBJ_ISO_US OBJ_member_body,840L
#define SN_X9_57 "X9-57"
#define LN_X9_57 "X9.57"
#define NID_X9_57 184
#define OBJ_X9_57 OBJ_ISO_US,10040L
#define SN_X9cm "X9cm"
#define LN_X9cm "X9.57 CM ?"
#define NID_X9cm 185
#define OBJ_X9cm OBJ_X9_57,4L
#define SN_ISO_CN "ISO-CN"
#define LN_ISO_CN "ISO CN Member Body"
#define NID_ISO_CN 1140
#define OBJ_ISO_CN OBJ_member_body,156L
#define SN_oscca "oscca"
#define NID_oscca 1141
#define OBJ_oscca OBJ_ISO_CN,10197L
#define SN_sm_scheme "sm-scheme"
#define NID_sm_scheme 1142
#define OBJ_sm_scheme OBJ_oscca,1L
#define SN_dsa "DSA"
#define LN_dsa "dsaEncryption"
#define NID_dsa 116
#define OBJ_dsa OBJ_X9cm,1L
#define SN_dsaWithSHA1 "DSA-SHA1"
#define LN_dsaWithSHA1 "dsaWithSHA1"
#define NID_dsaWithSHA1 113
#define OBJ_dsaWithSHA1 OBJ_X9cm,3L
#define SN_ansi_X9_62 "ansi-X9-62"
#define LN_ansi_X9_62 "ANSI X9.62"
#define NID_ansi_X9_62 405
#define OBJ_ansi_X9_62 OBJ_ISO_US,10045L
#define OBJ_X9_62_id_fieldType OBJ_ansi_X9_62,1L
#define SN_X9_62_prime_field "prime-field"
#define NID_X9_62_prime_field 406
#define OBJ_X9_62_prime_field OBJ_X9_62_id_fieldType,1L
#define SN_X9_62_characteristic_two_field "characteristic-two-field"
#define NID_X9_62_characteristic_two_field 407
#define OBJ_X9_62_characteristic_two_field OBJ_X9_62_id_fieldType,2L
#define SN_X9_62_id_characteristic_two_basis "id-characteristic-two-basis"
#define NID_X9_62_id_characteristic_two_basis 680
#define OBJ_X9_62_id_characteristic_two_basis OBJ_X9_62_characteristic_two_field,3L
#define SN_X9_62_onBasis "onBasis"
#define NID_X9_62_onBasis 681
#define OBJ_X9_62_onBasis OBJ_X9_62_id_characteristic_two_basis,1L
#define SN_X9_62_tpBasis "tpBasis"
#define NID_X9_62_tpBasis 682
#define OBJ_X9_62_tpBasis OBJ_X9_62_id_characteristic_two_basis,2L
#define SN_X9_62_ppBasis "ppBasis"
#define NID_X9_62_ppBasis 683
#define OBJ_X9_62_ppBasis OBJ_X9_62_id_characteristic_two_basis,3L
#define OBJ_X9_62_id_publicKeyType OBJ_ansi_X9_62,2L
#define SN_X9_62_id_ecPublicKey "id-ecPublicKey"
#define NID_X9_62_id_ecPublicKey 408
#define OBJ_X9_62_id_ecPublicKey OBJ_X9_62_id_publicKeyType,1L
#define OBJ_X9_62_ellipticCurve OBJ_ansi_X9_62,3L
#define OBJ_X9_62_c_TwoCurve OBJ_X9_62_ellipticCurve,0L
#define SN_X9_62_c2pnb163v1 "c2pnb163v1"
#define NID_X9_62_c2pnb163v1 684
#define OBJ_X9_62_c2pnb163v1 OBJ_X9_62_c_TwoCurve,1L
#define SN_X9_62_c2pnb163v2 "c2pnb163v2"
#define NID_X9_62_c2pnb163v2 685
#define OBJ_X9_62_c2pnb163v2 OBJ_X9_62_c_TwoCurve,2L
#define SN_X9_62_c2pnb163v3 "c2pnb163v3"
#define NID_X9_62_c2pnb163v3 686
#define OBJ_X9_62_c2pnb163v3 OBJ_X9_62_c_TwoCurve,3L
#define SN_X9_62_c2pnb176v1 "c2pnb176v1"
#define NID_X9_62_c2pnb176v1 687
#define OBJ_X9_62_c2pnb176v1 OBJ_X9_62_c_TwoCurve,4L
#define SN_X9_62_c2tnb191v1 "c2tnb191v1"
#define NID_X9_62_c2tnb191v1 688
#define OBJ_X9_62_c2tnb191v1 OBJ_X9_62_c_TwoCurve,5L
#define SN_X9_62_c2tnb191v2 "c2tnb191v2"
#define NID_X9_62_c2tnb191v2 689
#define OBJ_X9_62_c2tnb191v2 OBJ_X9_62_c_TwoCurve,6L
#define SN_X9_62_c2tnb191v3 "c2tnb191v3"
#define NID_X9_62_c2tnb191v3 690
#define OBJ_X9_62_c2tnb191v3 OBJ_X9_62_c_TwoCurve,7L
#define SN_X9_62_c2onb191v4 "c2onb191v4"
#define NID_X9_62_c2onb191v4 691
#define OBJ_X9_62_c2onb191v4 OBJ_X9_62_c_TwoCurve,8L
#define SN_X9_62_c2onb191v5 "c2onb191v5"
#define NID_X9_62_c2onb191v5 692
#define OBJ_X9_62_c2onb191v5 OBJ_X9_62_c_TwoCurve,9L
#define SN_X9_62_c2pnb208w1 "c2pnb208w1"
#define NID_X9_62_c2pnb208w1 693
#define OBJ_X9_62_c2pnb208w1 OBJ_X9_62_c_TwoCurve,10L
#define SN_X9_62_c2tnb239v1 "c2tnb239v1"
#define NID_X9_62_c2tnb239v1 694
#define OBJ_X9_62_c2tnb239v1 OBJ_X9_62_c_TwoCurve,11L
#define SN_X9_62_c2tnb239v2 "c2tnb239v2"
#define NID_X9_62_c2tnb239v2 695
#define OBJ_X9_62_c2tnb239v2 OBJ_X9_62_c_TwoCurve,12L
#define SN_X9_62_c2tnb239v3 "c2tnb239v3"
#define NID_X9_62_c2tnb239v3 696
#define OBJ_X9_62_c2tnb239v3 OBJ_X9_62_c_TwoCurve,13L
#define SN_X9_62_c2onb239v4 "c2onb239v4"
#define NID_X9_62_c2onb239v4 697
#define OBJ_X9_62_c2onb239v4 OBJ_X9_62_c_TwoCurve,14L
#define SN_X9_62_c2onb239v5 "c2onb239v5"
#define NID_X9_62_c2onb239v5 698
#define OBJ_X9_62_c2onb239v5 OBJ_X9_62_c_TwoCurve,15L
#define SN_X9_62_c2pnb272w1 "c2pnb272w1"
#define NID_X9_62_c2pnb272w1 699
#define OBJ_X9_62_c2pnb272w1 OBJ_X9_62_c_TwoCurve,16L
#define SN_X9_62_c2pnb304w1 "c2pnb304w1"
#define NID_X9_62_c2pnb304w1 700
#define OBJ_X9_62_c2pnb304w1 OBJ_X9_62_c_TwoCurve,17L
#define SN_X9_62_c2tnb359v1 "c2tnb359v1"
#define NID_X9_62_c2tnb359v1 701
#define OBJ_X9_62_c2tnb359v1 OBJ_X9_62_c_TwoCurve,18L
#define SN_X9_62_c2pnb368w1 "c2pnb368w1"
#define NID_X9_62_c2pnb368w1 702
#define OBJ_X9_62_c2pnb368w1 OBJ_X9_62_c_TwoCurve,19L
#define SN_X9_62_c2tnb431r1 "c2tnb431r1"
#define NID_X9_62_c2tnb431r1 703
#define OBJ_X9_62_c2tnb431r1 OBJ_X9_62_c_TwoCurve,20L
#define OBJ_X9_62_primeCurve OBJ_X9_62_ellipticCurve,1L
#define SN_X9_62_prime192v1 "prime192v1"
#define NID_X9_62_prime192v1 409
#define OBJ_X9_62_prime192v1 OBJ_X9_62_primeCurve,1L
#define SN_X9_62_prime192v2 "prime192v2"
#define NID_X9_62_prime192v2 410
#define OBJ_X9_62_prime192v2 OBJ_X9_62_primeCurve,2L
#define SN_X9_62_prime192v3 "prime192v3"
#define NID_X9_62_prime192v3 411
#define OBJ_X9_62_prime192v3 OBJ_X9_62_primeCurve,3L
#define SN_X9_62_prime239v1 "prime239v1"
#define NID_X9_62_prime239v1 412
#define OBJ_X9_62_prime239v1 OBJ_X9_62_primeCurve,4L
#define SN_X9_62_prime239v2 "prime239v2"
#define NID_X9_62_prime239v2 413
#define OBJ_X9_62_prime239v2 OBJ_X9_62_primeCurve,5L
#define SN_X9_62_prime239v3 "prime239v3"
#define NID_X9_62_prime239v3 414
#define OBJ_X9_62_prime239v3 OBJ_X9_62_primeCurve,6L
#define SN_X9_62_prime256v1 "prime256v1"
#define NID_X9_62_prime256v1 415
#define OBJ_X9_62_prime256v1 OBJ_X9_62_primeCurve,7L
#define OBJ_X9_62_id_ecSigType OBJ_ansi_X9_62,4L
#define SN_ecdsa_with_SHA1 "ecdsa-with-SHA1"
#define NID_ecdsa_with_SHA1 416
#define OBJ_ecdsa_with_SHA1 OBJ_X9_62_id_ecSigType,1L
#define SN_ecdsa_with_Recommended "ecdsa-with-Recommended"
#define NID_ecdsa_with_Recommended 791
#define OBJ_ecdsa_with_Recommended OBJ_X9_62_id_ecSigType,2L
#define SN_ecdsa_with_Specified "ecdsa-with-Specified"
#define NID_ecdsa_with_Specified 792
#define OBJ_ecdsa_with_Specified OBJ_X9_62_id_ecSigType,3L
#define SN_ecdsa_with_SHA224 "ecdsa-with-SHA224"
#define NID_ecdsa_with_SHA224 793
#define OBJ_ecdsa_with_SHA224 OBJ_ecdsa_with_Specified,1L
#define SN_ecdsa_with_SHA256 "ecdsa-with-SHA256"
#define NID_ecdsa_with_SHA256 794
#define OBJ_ecdsa_with_SHA256 OBJ_ecdsa_with_Specified,2L
#define SN_ecdsa_with_SHA384 "ecdsa-with-SHA384"
#define NID_ecdsa_with_SHA384 795
#define OBJ_ecdsa_with_SHA384 OBJ_ecdsa_with_Specified,3L
#define SN_ecdsa_with_SHA512 "ecdsa-with-SHA512"
#define NID_ecdsa_with_SHA512 796
#define OBJ_ecdsa_with_SHA512 OBJ_ecdsa_with_Specified,4L
#define OBJ_secg_ellipticCurve OBJ_certicom_arc,0L
#define SN_secp112r1 "secp112r1"
#define NID_secp112r1 704
#define OBJ_secp112r1 OBJ_secg_ellipticCurve,6L
#define SN_secp112r2 "secp112r2"
#define NID_secp112r2 705
#define OBJ_secp112r2 OBJ_secg_ellipticCurve,7L
#define SN_secp128r1 "secp128r1"
#define NID_secp128r1 706
#define OBJ_secp128r1 OBJ_secg_ellipticCurve,28L
#define SN_secp128r2 "secp128r2"
#define NID_secp128r2 707
#define OBJ_secp128r2 OBJ_secg_ellipticCurve,29L
#define SN_secp160k1 "secp160k1"
#define NID_secp160k1 708
#define OBJ_secp160k1 OBJ_secg_ellipticCurve,9L
#define SN_secp160r1 "secp160r1"
#define NID_secp160r1 709
#define OBJ_secp160r1 OBJ_secg_ellipticCurve,8L
#define SN_secp160r2 "secp160r2"
#define NID_secp160r2 710
#define OBJ_secp160r2 OBJ_secg_ellipticCurve,30L
#define SN_secp192k1 "secp192k1"
#define NID_secp192k1 711
#define OBJ_secp192k1 OBJ_secg_ellipticCurve,31L
#define SN_secp224k1 "secp224k1"
#define NID_secp224k1 712
#define OBJ_secp224k1 OBJ_secg_ellipticCurve,32L
#define SN_secp224r1 "secp224r1"
#define NID_secp224r1 713
#define OBJ_secp224r1 OBJ_secg_ellipticCurve,33L
#define SN_secp256k1 "secp256k1"
#define NID_secp256k1 714
#define OBJ_secp256k1 OBJ_secg_ellipticCurve,10L
#define SN_secp384r1 "secp384r1"
#define NID_secp384r1 715
#define OBJ_secp384r1 OBJ_secg_ellipticCurve,34L
#define SN_secp521r1 "secp521r1"
#define NID_secp521r1 716
#define OBJ_secp521r1 OBJ_secg_ellipticCurve,35L
#define SN_sect113r1 "sect113r1"
#define NID_sect113r1 717
#define OBJ_sect113r1 OBJ_secg_ellipticCurve,4L
#define SN_sect113r2 "sect113r2"
#define NID_sect113r2 718
#define OBJ_sect113r2 OBJ_secg_ellipticCurve,5L
#define SN_sect131r1 "sect131r1"
#define NID_sect131r1 719
#define OBJ_sect131r1 OBJ_secg_ellipticCurve,22L
#define SN_sect131r2 "sect131r2"
#define NID_sect131r2 720
#define OBJ_sect131r2 OBJ_secg_ellipticCurve,23L
#define SN_sect163k1 "sect163k1"
#define NID_sect163k1 721
#define OBJ_sect163k1 OBJ_secg_ellipticCurve,1L
#define SN_sect163r1 "sect163r1"
#define NID_sect163r1 722
#define OBJ_sect163r1 OBJ_secg_ellipticCurve,2L
#define SN_sect163r2 "sect163r2"
#define NID_sect163r2 723
#define OBJ_sect163r2 OBJ_secg_ellipticCurve,15L
#define SN_sect193r1 "sect193r1"
#define NID_sect193r1 724
#define OBJ_sect193r1 OBJ_secg_ellipticCurve,24L
#define SN_sect193r2 "sect193r2"
#define NID_sect193r2 725
#define OBJ_sect193r2 OBJ_secg_ellipticCurve,25L
#define SN_sect233k1 "sect233k1"
#define NID_sect233k1 726
#define OBJ_sect233k1 OBJ_secg_ellipticCurve,26L
#define SN_sect233r1 "sect233r1"
#define NID_sect233r1 727
#define OBJ_sect233r1 OBJ_secg_ellipticCurve,27L
#define SN_sect239k1 "sect239k1"
#define NID_sect239k1 728
#define OBJ_sect239k1 OBJ_secg_ellipticCurve,3L
#define SN_sect283k1 "sect283k1"
#define NID_sect283k1 729
#define OBJ_sect283k1 OBJ_secg_ellipticCurve,16L
#define SN_sect283r1 "sect283r1"
#define NID_sect283r1 730
#define OBJ_sect283r1 OBJ_secg_ellipticCurve,17L
#define SN_sect409k1 "sect409k1"
#define NID_sect409k1 731
#define OBJ_sect409k1 OBJ_secg_ellipticCurve,36L
#define SN_sect409r1 "sect409r1"
#define NID_sect409r1 732
#define OBJ_sect409r1 OBJ_secg_ellipticCurve,37L
#define SN_sect571k1 "sect571k1"
#define NID_sect571k1 733
#define OBJ_sect571k1 OBJ_secg_ellipticCurve,38L
#define SN_sect571r1 "sect571r1"
#define NID_sect571r1 734
#define OBJ_sect571r1 OBJ_secg_ellipticCurve,39L
#define OBJ_wap_wsg_idm_ecid OBJ_wap_wsg,4L
#define SN_wap_wsg_idm_ecid_wtls1 "wap-wsg-idm-ecid-wtls1"
#define NID_wap_wsg_idm_ecid_wtls1 735
#define OBJ_wap_wsg_idm_ecid_wtls1 OBJ_wap_wsg_idm_ecid,1L
#define SN_wap_wsg_idm_ecid_wtls3 "wap-wsg-idm-ecid-wtls3"
#define NID_wap_wsg_idm_ecid_wtls3 736
#define OBJ_wap_wsg_idm_ecid_wtls3 OBJ_wap_wsg_idm_ecid,3L
#define SN_wap_wsg_idm_ecid_wtls4 "wap-wsg-idm-ecid-wtls4"
#define NID_wap_wsg_idm_ecid_wtls4 737
#define OBJ_wap_wsg_idm_ecid_wtls4 OBJ_wap_wsg_idm_ecid,4L
#define SN_wap_wsg_idm_ecid_wtls5 "wap-wsg-idm-ecid-wtls5"
#define NID_wap_wsg_idm_ecid_wtls5 738
#define OBJ_wap_wsg_idm_ecid_wtls5 OBJ_wap_wsg_idm_ecid,5L
#define SN_wap_wsg_idm_ecid_wtls6 "wap-wsg-idm-ecid-wtls6"
#define NID_wap_wsg_idm_ecid_wtls6 739
#define OBJ_wap_wsg_idm_ecid_wtls6 OBJ_wap_wsg_idm_ecid,6L
#define SN_wap_wsg_idm_ecid_wtls7 "wap-wsg-idm-ecid-wtls7"
#define NID_wap_wsg_idm_ecid_wtls7 740
#define OBJ_wap_wsg_idm_ecid_wtls7 OBJ_wap_wsg_idm_ecid,7L
#define SN_wap_wsg_idm_ecid_wtls8 "wap-wsg-idm-ecid-wtls8"
#define NID_wap_wsg_idm_ecid_wtls8 741
#define OBJ_wap_wsg_idm_ecid_wtls8 OBJ_wap_wsg_idm_ecid,8L
#define SN_wap_wsg_idm_ecid_wtls9 "wap-wsg-idm-ecid-wtls9"
#define NID_wap_wsg_idm_ecid_wtls9 742
#define OBJ_wap_wsg_idm_ecid_wtls9 OBJ_wap_wsg_idm_ecid,9L
#define SN_wap_wsg_idm_ecid_wtls10 "wap-wsg-idm-ecid-wtls10"
#define NID_wap_wsg_idm_ecid_wtls10 743
#define OBJ_wap_wsg_idm_ecid_wtls10 OBJ_wap_wsg_idm_ecid,10L
#define SN_wap_wsg_idm_ecid_wtls11 "wap-wsg-idm-ecid-wtls11"
#define NID_wap_wsg_idm_ecid_wtls11 744
#define OBJ_wap_wsg_idm_ecid_wtls11 OBJ_wap_wsg_idm_ecid,11L
#define SN_wap_wsg_idm_ecid_wtls12 "wap-wsg-idm-ecid-wtls12"
#define NID_wap_wsg_idm_ecid_wtls12 745
#define OBJ_wap_wsg_idm_ecid_wtls12 OBJ_wap_wsg_idm_ecid,12L
#define SN_cast5_cbc "CAST5-CBC"
#define LN_cast5_cbc "cast5-cbc"
#define NID_cast5_cbc 108
#define OBJ_cast5_cbc OBJ_ISO_US,113533L,7L,66L,10L
#define SN_cast5_ecb "CAST5-ECB"
#define LN_cast5_ecb "cast5-ecb"
#define NID_cast5_ecb 109
#define SN_cast5_cfb64 "CAST5-CFB"
#define LN_cast5_cfb64 "cast5-cfb"
#define NID_cast5_cfb64 110
#define SN_cast5_ofb64 "CAST5-OFB"
#define LN_cast5_ofb64 "cast5-ofb"
#define NID_cast5_ofb64 111
#define LN_pbeWithMD5AndCast5_CBC "pbeWithMD5AndCast5CBC"
#define NID_pbeWithMD5AndCast5_CBC 112
#define OBJ_pbeWithMD5AndCast5_CBC OBJ_ISO_US,113533L,7L,66L,12L
#define SN_id_PasswordBasedMAC "id-PasswordBasedMAC"
#define LN_id_PasswordBasedMAC "password based MAC"
#define NID_id_PasswordBasedMAC 782
#define OBJ_id_PasswordBasedMAC OBJ_ISO_US,113533L,7L,66L,13L
#define SN_id_DHBasedMac "id-DHBasedMac"
#define LN_id_DHBasedMac "Diffie-Hellman based MAC"
#define NID_id_DHBasedMac 783
#define OBJ_id_DHBasedMac OBJ_ISO_US,113533L,7L,66L,30L
#define SN_rsadsi "rsadsi"
#define LN_rsadsi "RSA Data Security, Inc."
#define NID_rsadsi 1
#define OBJ_rsadsi OBJ_ISO_US,113549L
#define SN_pkcs "pkcs"
#define LN_pkcs "RSA Data Security, Inc. PKCS"
#define NID_pkcs 2
#define OBJ_pkcs OBJ_rsadsi,1L
#define SN_pkcs1 "pkcs1"
#define NID_pkcs1 186
#define OBJ_pkcs1 OBJ_pkcs,1L
#define LN_rsaEncryption "rsaEncryption"
#define NID_rsaEncryption 6
#define OBJ_rsaEncryption OBJ_pkcs1,1L
#define SN_md2WithRSAEncryption "RSA-MD2"
#define LN_md2WithRSAEncryption "md2WithRSAEncryption"
#define NID_md2WithRSAEncryption 7
#define OBJ_md2WithRSAEncryption OBJ_pkcs1,2L
#define SN_md4WithRSAEncryption "RSA-MD4"
#define LN_md4WithRSAEncryption "md4WithRSAEncryption"
#define NID_md4WithRSAEncryption 396
#define OBJ_md4WithRSAEncryption OBJ_pkcs1,3L
#define SN_md5WithRSAEncryption "RSA-MD5"
#define LN_md5WithRSAEncryption "md5WithRSAEncryption"
#define NID_md5WithRSAEncryption 8
#define OBJ_md5WithRSAEncryption OBJ_pkcs1,4L
#define SN_sha1WithRSAEncryption "RSA-SHA1"
#define LN_sha1WithRSAEncryption "sha1WithRSAEncryption"
#define NID_sha1WithRSAEncryption 65
#define OBJ_sha1WithRSAEncryption OBJ_pkcs1,5L
#define SN_rsaesOaep "RSAES-OAEP"
#define LN_rsaesOaep "rsaesOaep"
#define NID_rsaesOaep 919
#define OBJ_rsaesOaep OBJ_pkcs1,7L
#define SN_mgf1 "MGF1"
#define LN_mgf1 "mgf1"
#define NID_mgf1 911
#define OBJ_mgf1 OBJ_pkcs1,8L
#define SN_pSpecified "PSPECIFIED"
#define LN_pSpecified "pSpecified"
#define NID_pSpecified 935
#define OBJ_pSpecified OBJ_pkcs1,9L
#define SN_rsassaPss "RSASSA-PSS"
#define LN_rsassaPss "rsassaPss"
#define NID_rsassaPss 912
#define OBJ_rsassaPss OBJ_pkcs1,10L
#define SN_sha256WithRSAEncryption "RSA-SHA256"
#define LN_sha256WithRSAEncryption "sha256WithRSAEncryption"
#define NID_sha256WithRSAEncryption 668
#define OBJ_sha256WithRSAEncryption OBJ_pkcs1,11L
#define SN_sha384WithRSAEncryption "RSA-SHA384"
#define LN_sha384WithRSAEncryption "sha384WithRSAEncryption"
#define NID_sha384WithRSAEncryption 669
#define OBJ_sha384WithRSAEncryption OBJ_pkcs1,12L
#define SN_sha512WithRSAEncryption "RSA-SHA512"
#define LN_sha512WithRSAEncryption "sha512WithRSAEncryption"
#define NID_sha512WithRSAEncryption 670
#define OBJ_sha512WithRSAEncryption OBJ_pkcs1,13L
#define SN_sha224WithRSAEncryption "RSA-SHA224"
#define LN_sha224WithRSAEncryption "sha224WithRSAEncryption"
#define NID_sha224WithRSAEncryption 671
#define OBJ_sha224WithRSAEncryption OBJ_pkcs1,14L
#define SN_sha512_224WithRSAEncryption "RSA-SHA512/224"
#define LN_sha512_224WithRSAEncryption "sha512-224WithRSAEncryption"
#define NID_sha512_224WithRSAEncryption 1145
#define OBJ_sha512_224WithRSAEncryption OBJ_pkcs1,15L
#define SN_sha512_256WithRSAEncryption "RSA-SHA512/256"
#define LN_sha512_256WithRSAEncryption "sha512-256WithRSAEncryption"
#define NID_sha512_256WithRSAEncryption 1146
#define OBJ_sha512_256WithRSAEncryption OBJ_pkcs1,16L
#define SN_pkcs3 "pkcs3"
#define NID_pkcs3 27
#define OBJ_pkcs3 OBJ_pkcs,3L
#define LN_dhKeyAgreement "dhKeyAgreement"
#define NID_dhKeyAgreement 28
#define OBJ_dhKeyAgreement OBJ_pkcs3,1L
#define SN_pkcs5 "pkcs5"
#define NID_pkcs5 187
#define OBJ_pkcs5 OBJ_pkcs,5L
#define SN_pbeWithMD2AndDES_CBC "PBE-MD2-DES"
#define LN_pbeWithMD2AndDES_CBC "pbeWithMD2AndDES-CBC"
#define NID_pbeWithMD2AndDES_CBC 9
#define OBJ_pbeWithMD2AndDES_CBC OBJ_pkcs5,1L
#define SN_pbeWithMD5AndDES_CBC "PBE-MD5-DES"
#define LN_pbeWithMD5AndDES_CBC "pbeWithMD5AndDES-CBC"
#define NID_pbeWithMD5AndDES_CBC 10
#define OBJ_pbeWithMD5AndDES_CBC OBJ_pkcs5,3L
#define SN_pbeWithMD2AndRC2_CBC "PBE-MD2-RC2-64"
#define LN_pbeWithMD2AndRC2_CBC "pbeWithMD2AndRC2-CBC"
#define NID_pbeWithMD2AndRC2_CBC 168
#define OBJ_pbeWithMD2AndRC2_CBC OBJ_pkcs5,4L
#define SN_pbeWithMD5AndRC2_CBC "PBE-MD5-RC2-64"
#define LN_pbeWithMD5AndRC2_CBC "pbeWithMD5AndRC2-CBC"
#define NID_pbeWithMD5AndRC2_CBC 169
#define OBJ_pbeWithMD5AndRC2_CBC OBJ_pkcs5,6L
#define SN_pbeWithSHA1AndDES_CBC "PBE-SHA1-DES"
#define LN_pbeWithSHA1AndDES_CBC "pbeWithSHA1AndDES-CBC"
#define NID_pbeWithSHA1AndDES_CBC 170
#define OBJ_pbeWithSHA1AndDES_CBC OBJ_pkcs5,10L
#define SN_pbeWithSHA1AndRC2_CBC "PBE-SHA1-RC2-64"
#define LN_pbeWithSHA1AndRC2_CBC "pbeWithSHA1AndRC2-CBC"
#define NID_pbeWithSHA1AndRC2_CBC 68
#define OBJ_pbeWithSHA1AndRC2_CBC OBJ_pkcs5,11L
#define LN_id_pbkdf2 "PBKDF2"
#define NID_id_pbkdf2 69
#define OBJ_id_pbkdf2 OBJ_pkcs5,12L
#define LN_pbes2 "PBES2"
#define NID_pbes2 161
#define OBJ_pbes2 OBJ_pkcs5,13L
#define LN_pbmac1 "PBMAC1"
#define NID_pbmac1 162
#define OBJ_pbmac1 OBJ_pkcs5,14L
#define SN_pkcs7 "pkcs7"
#define NID_pkcs7 20
#define OBJ_pkcs7 OBJ_pkcs,7L
#define LN_pkcs7_data "pkcs7-data"
#define NID_pkcs7_data 21
#define OBJ_pkcs7_data OBJ_pkcs7,1L
#define LN_pkcs7_signed "pkcs7-signedData"
#define NID_pkcs7_signed 22
#define OBJ_pkcs7_signed OBJ_pkcs7,2L
#define LN_pkcs7_enveloped "pkcs7-envelopedData"
#define NID_pkcs7_enveloped 23
#define OBJ_pkcs7_enveloped OBJ_pkcs7,3L
#define LN_pkcs7_signedAndEnveloped "pkcs7-signedAndEnvelopedData"
#define NID_pkcs7_signedAndEnveloped 24
#define OBJ_pkcs7_signedAndEnveloped OBJ_pkcs7,4L
#define LN_pkcs7_digest "pkcs7-digestData"
#define NID_pkcs7_digest 25
#define OBJ_pkcs7_digest OBJ_pkcs7,5L
#define LN_pkcs7_encrypted "pkcs7-encryptedData"
#define NID_pkcs7_encrypted 26
#define OBJ_pkcs7_encrypted OBJ_pkcs7,6L
#define SN_pkcs9 "pkcs9"
#define NID_pkcs9 47
#define OBJ_pkcs9 OBJ_pkcs,9L
#define LN_pkcs9_emailAddress "emailAddress"
#define NID_pkcs9_emailAddress 48
#define OBJ_pkcs9_emailAddress OBJ_pkcs9,1L
#define LN_pkcs9_unstructuredName "unstructuredName"
#define NID_pkcs9_unstructuredName 49
#define OBJ_pkcs9_unstructuredName OBJ_pkcs9,2L
#define LN_pkcs9_contentType "contentType"
#define NID_pkcs9_contentType 50
#define OBJ_pkcs9_contentType OBJ_pkcs9,3L
#define LN_pkcs9_messageDigest "messageDigest"
#define NID_pkcs9_messageDigest 51
#define OBJ_pkcs9_messageDigest OBJ_pkcs9,4L
#define LN_pkcs9_signingTime "signingTime"
#define NID_pkcs9_signingTime 52
#define OBJ_pkcs9_signingTime OBJ_pkcs9,5L
#define LN_pkcs9_countersignature "countersignature"
#define NID_pkcs9_countersignature 53
#define OBJ_pkcs9_countersignature OBJ_pkcs9,6L
#define LN_pkcs9_challengePassword "challengePassword"
#define NID_pkcs9_challengePassword 54
#define OBJ_pkcs9_challengePassword OBJ_pkcs9,7L
#define LN_pkcs9_unstructuredAddress "unstructuredAddress"
#define NID_pkcs9_unstructuredAddress 55
#define OBJ_pkcs9_unstructuredAddress OBJ_pkcs9,8L
#define LN_pkcs9_extCertAttributes "extendedCertificateAttributes"
#define NID_pkcs9_extCertAttributes 56
#define OBJ_pkcs9_extCertAttributes OBJ_pkcs9,9L
#define SN_ext_req "extReq"
#define LN_ext_req "Extension Request"
#define NID_ext_req 172
#define OBJ_ext_req OBJ_pkcs9,14L
#define SN_SMIMECapabilities "SMIME-CAPS"
#define LN_SMIMECapabilities "S/MIME Capabilities"
#define NID_SMIMECapabilities 167
#define OBJ_SMIMECapabilities OBJ_pkcs9,15L
#define SN_SMIME "SMIME"
#define LN_SMIME "S/MIME"
#define NID_SMIME 188
#define OBJ_SMIME OBJ_pkcs9,16L
#define SN_id_smime_mod "id-smime-mod"
#define NID_id_smime_mod 189
#define OBJ_id_smime_mod OBJ_SMIME,0L
#define SN_id_smime_ct "id-smime-ct"
#define NID_id_smime_ct 190
#define OBJ_id_smime_ct OBJ_SMIME,1L
#define SN_id_smime_aa "id-smime-aa"
#define NID_id_smime_aa 191
#define OBJ_id_smime_aa OBJ_SMIME,2L
#define SN_id_smime_alg "id-smime-alg"
#define NID_id_smime_alg 192
#define OBJ_id_smime_alg OBJ_SMIME,3L
#define SN_id_smime_cd "id-smime-cd"
#define NID_id_smime_cd 193
#define OBJ_id_smime_cd OBJ_SMIME,4L
#define SN_id_smime_spq "id-smime-spq"
#define NID_id_smime_spq 194
#define OBJ_id_smime_spq OBJ_SMIME,5L
#define SN_id_smime_cti "id-smime-cti"
#define NID_id_smime_cti 195
#define OBJ_id_smime_cti OBJ_SMIME,6L
#define SN_id_smime_mod_cms "id-smime-mod-cms"
#define NID_id_smime_mod_cms 196
#define OBJ_id_smime_mod_cms OBJ_id_smime_mod,1L
#define SN_id_smime_mod_ess "id-smime-mod-ess"
#define NID_id_smime_mod_ess 197
#define OBJ_id_smime_mod_ess OBJ_id_smime_mod,2L
#define SN_id_smime_mod_oid "id-smime-mod-oid"
#define NID_id_smime_mod_oid 198
#define OBJ_id_smime_mod_oid OBJ_id_smime_mod,3L
#define SN_id_smime_mod_msg_v3 "id-smime-mod-msg-v3"
#define NID_id_smime_mod_msg_v3 199
#define OBJ_id_smime_mod_msg_v3 OBJ_id_smime_mod,4L
#define SN_id_smime_mod_ets_eSignature_88 "id-smime-mod-ets-eSignature-88"
#define NID_id_smime_mod_ets_eSignature_88 200
#define OBJ_id_smime_mod_ets_eSignature_88 OBJ_id_smime_mod,5L
#define SN_id_smime_mod_ets_eSignature_97 "id-smime-mod-ets-eSignature-97"
#define NID_id_smime_mod_ets_eSignature_97 201
#define OBJ_id_smime_mod_ets_eSignature_97 OBJ_id_smime_mod,6L
#define SN_id_smime_mod_ets_eSigPolicy_88 "id-smime-mod-ets-eSigPolicy-88"
#define NID_id_smime_mod_ets_eSigPolicy_88 202
#define OBJ_id_smime_mod_ets_eSigPolicy_88 OBJ_id_smime_mod,7L
#define SN_id_smime_mod_ets_eSigPolicy_97 "id-smime-mod-ets-eSigPolicy-97"
#define NID_id_smime_mod_ets_eSigPolicy_97 203
#define OBJ_id_smime_mod_ets_eSigPolicy_97 OBJ_id_smime_mod,8L
#define SN_id_smime_ct_receipt "id-smime-ct-receipt"
#define NID_id_smime_ct_receipt 204
#define OBJ_id_smime_ct_receipt OBJ_id_smime_ct,1L
#define SN_id_smime_ct_authData "id-smime-ct-authData"
#define NID_id_smime_ct_authData 205
#define OBJ_id_smime_ct_authData OBJ_id_smime_ct,2L
#define SN_id_smime_ct_publishCert "id-smime-ct-publishCert"
#define NID_id_smime_ct_publishCert 206
#define OBJ_id_smime_ct_publishCert OBJ_id_smime_ct,3L
#define SN_id_smime_ct_TSTInfo "id-smime-ct-TSTInfo"
#define NID_id_smime_ct_TSTInfo 207
#define OBJ_id_smime_ct_TSTInfo OBJ_id_smime_ct,4L
#define SN_id_smime_ct_TDTInfo "id-smime-ct-TDTInfo"
#define NID_id_smime_ct_TDTInfo 208
#define OBJ_id_smime_ct_TDTInfo OBJ_id_smime_ct,5L
#define SN_id_smime_ct_contentInfo "id-smime-ct-contentInfo"
#define NID_id_smime_ct_contentInfo 209
#define OBJ_id_smime_ct_contentInfo OBJ_id_smime_ct,6L
#define SN_id_smime_ct_DVCSRequestData "id-smime-ct-DVCSRequestData"
#define NID_id_smime_ct_DVCSRequestData 210
#define OBJ_id_smime_ct_DVCSRequestData OBJ_id_smime_ct,7L
#define SN_id_smime_ct_DVCSResponseData "id-smime-ct-DVCSResponseData"
#define NID_id_smime_ct_DVCSResponseData 211
#define OBJ_id_smime_ct_DVCSResponseData OBJ_id_smime_ct,8L
#define SN_id_smime_ct_compressedData "id-smime-ct-compressedData"
#define NID_id_smime_ct_compressedData 786
#define OBJ_id_smime_ct_compressedData OBJ_id_smime_ct,9L
#define SN_id_smime_ct_contentCollection "id-smime-ct-contentCollection"
#define NID_id_smime_ct_contentCollection 1058
#define OBJ_id_smime_ct_contentCollection OBJ_id_smime_ct,19L
#define SN_id_smime_ct_authEnvelopedData "id-smime-ct-authEnvelopedData"
#define NID_id_smime_ct_authEnvelopedData 1059
#define OBJ_id_smime_ct_authEnvelopedData OBJ_id_smime_ct,23L
#define SN_id_ct_asciiTextWithCRLF "id-ct-asciiTextWithCRLF"
#define NID_id_ct_asciiTextWithCRLF 787
#define OBJ_id_ct_asciiTextWithCRLF OBJ_id_smime_ct,27L
#define SN_id_ct_xml "id-ct-xml"
#define NID_id_ct_xml 1060
#define OBJ_id_ct_xml OBJ_id_smime_ct,28L
#define SN_id_smime_aa_receiptRequest "id-smime-aa-receiptRequest"
#define NID_id_smime_aa_receiptRequest 212
#define OBJ_id_smime_aa_receiptRequest OBJ_id_smime_aa,1L
#define SN_id_smime_aa_securityLabel "id-smime-aa-securityLabel"
#define NID_id_smime_aa_securityLabel 213
#define OBJ_id_smime_aa_securityLabel OBJ_id_smime_aa,2L
#define SN_id_smime_aa_mlExpandHistory "id-smime-aa-mlExpandHistory"
#define NID_id_smime_aa_mlExpandHistory 214
#define OBJ_id_smime_aa_mlExpandHistory OBJ_id_smime_aa,3L
#define SN_id_smime_aa_contentHint "id-smime-aa-contentHint"
#define NID_id_smime_aa_contentHint 215
#define OBJ_id_smime_aa_contentHint OBJ_id_smime_aa,4L
#define SN_id_smime_aa_msgSigDigest "id-smime-aa-msgSigDigest"
#define NID_id_smime_aa_msgSigDigest 216
#define OBJ_id_smime_aa_msgSigDigest OBJ_id_smime_aa,5L
#define SN_id_smime_aa_encapContentType "id-smime-aa-encapContentType"
#define NID_id_smime_aa_encapContentType 217
#define OBJ_id_smime_aa_encapContentType OBJ_id_smime_aa,6L
#define SN_id_smime_aa_contentIdentifier "id-smime-aa-contentIdentifier"
#define NID_id_smime_aa_contentIdentifier 218
#define OBJ_id_smime_aa_contentIdentifier OBJ_id_smime_aa,7L
#define SN_id_smime_aa_macValue "id-smime-aa-macValue"
#define NID_id_smime_aa_macValue 219
#define OBJ_id_smime_aa_macValue OBJ_id_smime_aa,8L
#define SN_id_smime_aa_equivalentLabels "id-smime-aa-equivalentLabels"
#define NID_id_smime_aa_equivalentLabels 220
#define OBJ_id_smime_aa_equivalentLabels OBJ_id_smime_aa,9L
#define SN_id_smime_aa_contentReference "id-smime-aa-contentReference"
#define NID_id_smime_aa_contentReference 221
#define OBJ_id_smime_aa_contentReference OBJ_id_smime_aa,10L
#define SN_id_smime_aa_encrypKeyPref "id-smime-aa-encrypKeyPref"
#define NID_id_smime_aa_encrypKeyPref 222
#define OBJ_id_smime_aa_encrypKeyPref OBJ_id_smime_aa,11L
#define SN_id_smime_aa_signingCertificate "id-smime-aa-signingCertificate"
#define NID_id_smime_aa_signingCertificate 223
#define OBJ_id_smime_aa_signingCertificate OBJ_id_smime_aa,12L
#define SN_id_smime_aa_smimeEncryptCerts "id-smime-aa-smimeEncryptCerts"
#define NID_id_smime_aa_smimeEncryptCerts 224
#define OBJ_id_smime_aa_smimeEncryptCerts OBJ_id_smime_aa,13L
#define SN_id_smime_aa_timeStampToken "id-smime-aa-timeStampToken"
#define NID_id_smime_aa_timeStampToken 225
#define OBJ_id_smime_aa_timeStampToken OBJ_id_smime_aa,14L
#define SN_id_smime_aa_ets_sigPolicyId "id-smime-aa-ets-sigPolicyId"
#define NID_id_smime_aa_ets_sigPolicyId 226
#define OBJ_id_smime_aa_ets_sigPolicyId OBJ_id_smime_aa,15L
#define SN_id_smime_aa_ets_commitmentType "id-smime-aa-ets-commitmentType"
#define NID_id_smime_aa_ets_commitmentType 227
#define OBJ_id_smime_aa_ets_commitmentType OBJ_id_smime_aa,16L
#define SN_id_smime_aa_ets_signerLocation "id-smime-aa-ets-signerLocation"
#define NID_id_smime_aa_ets_signerLocation 228
#define OBJ_id_smime_aa_ets_signerLocation OBJ_id_smime_aa,17L
#define SN_id_smime_aa_ets_signerAttr "id-smime-aa-ets-signerAttr"
#define NID_id_smime_aa_ets_signerAttr 229
#define OBJ_id_smime_aa_ets_signerAttr OBJ_id_smime_aa,18L
#define SN_id_smime_aa_ets_otherSigCert "id-smime-aa-ets-otherSigCert"
#define NID_id_smime_aa_ets_otherSigCert 230
#define OBJ_id_smime_aa_ets_otherSigCert OBJ_id_smime_aa,19L
#define SN_id_smime_aa_ets_contentTimestamp "id-smime-aa-ets-contentTimestamp"
#define NID_id_smime_aa_ets_contentTimestamp 231
#define OBJ_id_smime_aa_ets_contentTimestamp OBJ_id_smime_aa,20L
#define SN_id_smime_aa_ets_CertificateRefs "id-smime-aa-ets-CertificateRefs"
#define NID_id_smime_aa_ets_CertificateRefs 232
#define OBJ_id_smime_aa_ets_CertificateRefs OBJ_id_smime_aa,21L
#define SN_id_smime_aa_ets_RevocationRefs "id-smime-aa-ets-RevocationRefs"
#define NID_id_smime_aa_ets_RevocationRefs 233
#define OBJ_id_smime_aa_ets_RevocationRefs OBJ_id_smime_aa,22L
#define SN_id_smime_aa_ets_certValues "id-smime-aa-ets-certValues"
#define NID_id_smime_aa_ets_certValues 234
#define OBJ_id_smime_aa_ets_certValues OBJ_id_smime_aa,23L
#define SN_id_smime_aa_ets_revocationValues "id-smime-aa-ets-revocationValues"
#define NID_id_smime_aa_ets_revocationValues 235
#define OBJ_id_smime_aa_ets_revocationValues OBJ_id_smime_aa,24L
#define SN_id_smime_aa_ets_escTimeStamp "id-smime-aa-ets-escTimeStamp"
#define NID_id_smime_aa_ets_escTimeStamp 236
#define OBJ_id_smime_aa_ets_escTimeStamp OBJ_id_smime_aa,25L
#define SN_id_smime_aa_ets_certCRLTimestamp "id-smime-aa-ets-certCRLTimestamp"
#define NID_id_smime_aa_ets_certCRLTimestamp 237
#define OBJ_id_smime_aa_ets_certCRLTimestamp OBJ_id_smime_aa,26L
#define SN_id_smime_aa_ets_archiveTimeStamp "id-smime-aa-ets-archiveTimeStamp"
#define NID_id_smime_aa_ets_archiveTimeStamp 238
#define OBJ_id_smime_aa_ets_archiveTimeStamp OBJ_id_smime_aa,27L
#define SN_id_smime_aa_signatureType "id-smime-aa-signatureType"
#define NID_id_smime_aa_signatureType 239
#define OBJ_id_smime_aa_signatureType OBJ_id_smime_aa,28L
#define SN_id_smime_aa_dvcs_dvc "id-smime-aa-dvcs-dvc"
#define NID_id_smime_aa_dvcs_dvc 240
#define OBJ_id_smime_aa_dvcs_dvc OBJ_id_smime_aa,29L
#define SN_id_smime_aa_signingCertificateV2 "id-smime-aa-signingCertificateV2"
#define NID_id_smime_aa_signingCertificateV2 1086
#define OBJ_id_smime_aa_signingCertificateV2 OBJ_id_smime_aa,47L
#define SN_id_smime_alg_ESDHwith3DES "id-smime-alg-ESDHwith3DES"
#define NID_id_smime_alg_ESDHwith3DES 241
#define OBJ_id_smime_alg_ESDHwith3DES OBJ_id_smime_alg,1L
#define SN_id_smime_alg_ESDHwithRC2 "id-smime-alg-ESDHwithRC2"
#define NID_id_smime_alg_ESDHwithRC2 242
#define OBJ_id_smime_alg_ESDHwithRC2 OBJ_id_smime_alg,2L
#define SN_id_smime_alg_3DESwrap "id-smime-alg-3DESwrap"
#define NID_id_smime_alg_3DESwrap 243
#define OBJ_id_smime_alg_3DESwrap OBJ_id_smime_alg,3L
#define SN_id_smime_alg_RC2wrap "id-smime-alg-RC2wrap"
#define NID_id_smime_alg_RC2wrap 244
#define OBJ_id_smime_alg_RC2wrap OBJ_id_smime_alg,4L
#define SN_id_smime_alg_ESDH "id-smime-alg-ESDH"
#define NID_id_smime_alg_ESDH 245
#define OBJ_id_smime_alg_ESDH OBJ_id_smime_alg,5L
#define SN_id_smime_alg_CMS3DESwrap "id-smime-alg-CMS3DESwrap"
#define NID_id_smime_alg_CMS3DESwrap 246
#define OBJ_id_smime_alg_CMS3DESwrap OBJ_id_smime_alg,6L
#define SN_id_smime_alg_CMSRC2wrap "id-smime-alg-CMSRC2wrap"
#define NID_id_smime_alg_CMSRC2wrap 247
#define OBJ_id_smime_alg_CMSRC2wrap OBJ_id_smime_alg,7L
#define SN_id_alg_PWRI_KEK "id-alg-PWRI-KEK"
#define NID_id_alg_PWRI_KEK 893
#define OBJ_id_alg_PWRI_KEK OBJ_id_smime_alg,9L
#define SN_id_smime_cd_ldap "id-smime-cd-ldap"
#define NID_id_smime_cd_ldap 248
#define OBJ_id_smime_cd_ldap OBJ_id_smime_cd,1L
#define SN_id_smime_spq_ets_sqt_uri "id-smime-spq-ets-sqt-uri"
#define NID_id_smime_spq_ets_sqt_uri 249
#define OBJ_id_smime_spq_ets_sqt_uri OBJ_id_smime_spq,1L
#define SN_id_smime_spq_ets_sqt_unotice "id-smime-spq-ets-sqt-unotice"
#define NID_id_smime_spq_ets_sqt_unotice 250
#define OBJ_id_smime_spq_ets_sqt_unotice OBJ_id_smime_spq,2L
#define SN_id_smime_cti_ets_proofOfOrigin "id-smime-cti-ets-proofOfOrigin"
#define NID_id_smime_cti_ets_proofOfOrigin 251
#define OBJ_id_smime_cti_ets_proofOfOrigin OBJ_id_smime_cti,1L
#define SN_id_smime_cti_ets_proofOfReceipt "id-smime-cti-ets-proofOfReceipt"
#define NID_id_smime_cti_ets_proofOfReceipt 252
#define OBJ_id_smime_cti_ets_proofOfReceipt OBJ_id_smime_cti,2L
#define SN_id_smime_cti_ets_proofOfDelivery "id-smime-cti-ets-proofOfDelivery"
#define NID_id_smime_cti_ets_proofOfDelivery 253
#define OBJ_id_smime_cti_ets_proofOfDelivery OBJ_id_smime_cti,3L
#define SN_id_smime_cti_ets_proofOfSender "id-smime-cti-ets-proofOfSender"
#define NID_id_smime_cti_ets_proofOfSender 254
#define OBJ_id_smime_cti_ets_proofOfSender OBJ_id_smime_cti,4L
#define SN_id_smime_cti_ets_proofOfApproval "id-smime-cti-ets-proofOfApproval"
#define NID_id_smime_cti_ets_proofOfApproval 255
#define OBJ_id_smime_cti_ets_proofOfApproval OBJ_id_smime_cti,5L
#define SN_id_smime_cti_ets_proofOfCreation "id-smime-cti-ets-proofOfCreation"
#define NID_id_smime_cti_ets_proofOfCreation 256
#define OBJ_id_smime_cti_ets_proofOfCreation OBJ_id_smime_cti,6L
#define LN_friendlyName "friendlyName"
#define NID_friendlyName 156
#define OBJ_friendlyName OBJ_pkcs9,20L
#define LN_localKeyID "localKeyID"
#define NID_localKeyID 157
#define OBJ_localKeyID OBJ_pkcs9,21L
#define SN_ms_csp_name "CSPName"
#define LN_ms_csp_name "Microsoft CSP Name"
#define NID_ms_csp_name 417
#define OBJ_ms_csp_name 1L,3L,6L,1L,4L,1L,311L,17L,1L
#define SN_LocalKeySet "LocalKeySet"
#define LN_LocalKeySet "Microsoft Local Key set"
#define NID_LocalKeySet 856
#define OBJ_LocalKeySet 1L,3L,6L,1L,4L,1L,311L,17L,2L
#define OBJ_certTypes OBJ_pkcs9,22L
#define LN_x509Certificate "x509Certificate"
#define NID_x509Certificate 158
#define OBJ_x509Certificate OBJ_certTypes,1L
#define LN_sdsiCertificate "sdsiCertificate"
#define NID_sdsiCertificate 159
#define OBJ_sdsiCertificate OBJ_certTypes,2L
#define OBJ_crlTypes OBJ_pkcs9,23L
#define LN_x509Crl "x509Crl"
#define NID_x509Crl 160
#define OBJ_x509Crl OBJ_crlTypes,1L
#define OBJ_pkcs12 OBJ_pkcs,12L
#define OBJ_pkcs12_pbeids OBJ_pkcs12,1L
#define SN_pbe_WithSHA1And128BitRC4 "PBE-SHA1-RC4-128"
#define LN_pbe_WithSHA1And128BitRC4 "pbeWithSHA1And128BitRC4"
#define NID_pbe_WithSHA1And128BitRC4 144
#define OBJ_pbe_WithSHA1And128BitRC4 OBJ_pkcs12_pbeids,1L
#define SN_pbe_WithSHA1And40BitRC4 "PBE-SHA1-RC4-40"
#define LN_pbe_WithSHA1And40BitRC4 "pbeWithSHA1And40BitRC4"
#define NID_pbe_WithSHA1And40BitRC4 145
#define OBJ_pbe_WithSHA1And40BitRC4 OBJ_pkcs12_pbeids,2L
#define SN_pbe_WithSHA1And3_Key_TripleDES_CBC "PBE-SHA1-3DES"
#define LN_pbe_WithSHA1And3_Key_TripleDES_CBC "pbeWithSHA1And3-KeyTripleDES-CBC"
#define NID_pbe_WithSHA1And3_Key_TripleDES_CBC 146
#define OBJ_pbe_WithSHA1And3_Key_TripleDES_CBC OBJ_pkcs12_pbeids,3L
#define SN_pbe_WithSHA1And2_Key_TripleDES_CBC "PBE-SHA1-2DES"
#define LN_pbe_WithSHA1And2_Key_TripleDES_CBC "pbeWithSHA1And2-KeyTripleDES-CBC"
#define NID_pbe_WithSHA1And2_Key_TripleDES_CBC 147
#define OBJ_pbe_WithSHA1And2_Key_TripleDES_CBC OBJ_pkcs12_pbeids,4L
#define SN_pbe_WithSHA1And128BitRC2_CBC "PBE-SHA1-RC2-128"
#define LN_pbe_WithSHA1And128BitRC2_CBC "pbeWithSHA1And128BitRC2-CBC"
#define NID_pbe_WithSHA1And128BitRC2_CBC 148
#define OBJ_pbe_WithSHA1And128BitRC2_CBC OBJ_pkcs12_pbeids,5L
#define SN_pbe_WithSHA1And40BitRC2_CBC "PBE-SHA1-RC2-40"
#define LN_pbe_WithSHA1And40BitRC2_CBC "pbeWithSHA1And40BitRC2-CBC"
#define NID_pbe_WithSHA1And40BitRC2_CBC 149
#define OBJ_pbe_WithSHA1And40BitRC2_CBC OBJ_pkcs12_pbeids,6L
#define OBJ_pkcs12_Version1 OBJ_pkcs12,10L
#define OBJ_pkcs12_BagIds OBJ_pkcs12_Version1,1L
#define LN_keyBag "keyBag"
#define NID_keyBag 150
#define OBJ_keyBag OBJ_pkcs12_BagIds,1L
#define LN_pkcs8ShroudedKeyBag "pkcs8ShroudedKeyBag"
#define NID_pkcs8ShroudedKeyBag 151
#define OBJ_pkcs8ShroudedKeyBag OBJ_pkcs12_BagIds,2L
#define LN_certBag "certBag"
#define NID_certBag 152
#define OBJ_certBag OBJ_pkcs12_BagIds,3L
#define LN_crlBag "crlBag"
#define NID_crlBag 153
#define OBJ_crlBag OBJ_pkcs12_BagIds,4L
#define LN_secretBag "secretBag"
#define NID_secretBag 154
#define OBJ_secretBag OBJ_pkcs12_BagIds,5L
#define LN_safeContentsBag "safeContentsBag"
#define NID_safeContentsBag 155
#define OBJ_safeContentsBag OBJ_pkcs12_BagIds,6L
#define SN_md2 "MD2"
#define LN_md2 "md2"
#define NID_md2 3
#define OBJ_md2 OBJ_rsadsi,2L,2L
#define SN_md4 "MD4"
#define LN_md4 "md4"
#define NID_md4 257
#define OBJ_md4 OBJ_rsadsi,2L,4L
#define SN_md5 "MD5"
#define LN_md5 "md5"
#define NID_md5 4
#define OBJ_md5 OBJ_rsadsi,2L,5L
#define SN_md5_sha1 "MD5-SHA1"
#define LN_md5_sha1 "md5-sha1"
#define NID_md5_sha1 114
#define LN_hmacWithMD5 "hmacWithMD5"
#define NID_hmacWithMD5 797
#define OBJ_hmacWithMD5 OBJ_rsadsi,2L,6L
#define LN_hmacWithSHA1 "hmacWithSHA1"
#define NID_hmacWithSHA1 163
#define OBJ_hmacWithSHA1 OBJ_rsadsi,2L,7L
#define SN_sm2 "SM2"
#define LN_sm2 "sm2"
#define NID_sm2 1172
#define OBJ_sm2 OBJ_sm_scheme,301L
#define SN_sm3 "SM3"
#define LN_sm3 "sm3"
#define NID_sm3 1143
#define OBJ_sm3 OBJ_sm_scheme,401L
#define SN_sm3WithRSAEncryption "RSA-SM3"
#define LN_sm3WithRSAEncryption "sm3WithRSAEncryption"
#define NID_sm3WithRSAEncryption 1144
#define OBJ_sm3WithRSAEncryption OBJ_sm_scheme,504L
#define LN_hmacWithSHA224 "hmacWithSHA224"
#define NID_hmacWithSHA224 798
#define OBJ_hmacWithSHA224 OBJ_rsadsi,2L,8L
#define LN_hmacWithSHA256 "hmacWithSHA256"
#define NID_hmacWithSHA256 799
#define OBJ_hmacWithSHA256 OBJ_rsadsi,2L,9L
#define LN_hmacWithSHA384 "hmacWithSHA384"
#define NID_hmacWithSHA384 800
#define OBJ_hmacWithSHA384 OBJ_rsadsi,2L,10L
#define LN_hmacWithSHA512 "hmacWithSHA512"
#define NID_hmacWithSHA512 801
#define OBJ_hmacWithSHA512 OBJ_rsadsi,2L,11L
#define LN_hmacWithSHA512_224 "hmacWithSHA512-224"
#define NID_hmacWithSHA512_224 1193
#define OBJ_hmacWithSHA512_224 OBJ_rsadsi,2L,12L
#define LN_hmacWithSHA512_256 "hmacWithSHA512-256"
#define NID_hmacWithSHA512_256 1194
#define OBJ_hmacWithSHA512_256 OBJ_rsadsi,2L,13L
#define SN_rc2_cbc "RC2-CBC"
#define LN_rc2_cbc "rc2-cbc"
#define NID_rc2_cbc 37
#define OBJ_rc2_cbc OBJ_rsadsi,3L,2L
#define SN_rc2_ecb "RC2-ECB"
#define LN_rc2_ecb "rc2-ecb"
#define NID_rc2_ecb 38
#define SN_rc2_cfb64 "RC2-CFB"
#define LN_rc2_cfb64 "rc2-cfb"
#define NID_rc2_cfb64 39
#define SN_rc2_ofb64 "RC2-OFB"
#define LN_rc2_ofb64 "rc2-ofb"
#define NID_rc2_ofb64 40
#define SN_rc2_40_cbc "RC2-40-CBC"
#define LN_rc2_40_cbc "rc2-40-cbc"
#define NID_rc2_40_cbc 98
#define SN_rc2_64_cbc "RC2-64-CBC"
#define LN_rc2_64_cbc "rc2-64-cbc"
#define NID_rc2_64_cbc 166
#define SN_rc4 "RC4"
#define LN_rc4 "rc4"
#define NID_rc4 5
#define OBJ_rc4 OBJ_rsadsi,3L,4L
#define SN_rc4_40 "RC4-40"
#define LN_rc4_40 "rc4-40"
#define NID_rc4_40 97
#define SN_des_ede3_cbc "DES-EDE3-CBC"
#define LN_des_ede3_cbc "des-ede3-cbc"
#define NID_des_ede3_cbc 44
#define OBJ_des_ede3_cbc OBJ_rsadsi,3L,7L
#define SN_rc5_cbc "RC5-CBC"
#define LN_rc5_cbc "rc5-cbc"
#define NID_rc5_cbc 120
#define OBJ_rc5_cbc OBJ_rsadsi,3L,8L
#define SN_rc5_ecb "RC5-ECB"
#define LN_rc5_ecb "rc5-ecb"
#define NID_rc5_ecb 121
#define SN_rc5_cfb64 "RC5-CFB"
#define LN_rc5_cfb64 "rc5-cfb"
#define NID_rc5_cfb64 122
#define SN_rc5_ofb64 "RC5-OFB"
#define LN_rc5_ofb64 "rc5-ofb"
#define NID_rc5_ofb64 123
#define SN_ms_ext_req "msExtReq"
#define LN_ms_ext_req "Microsoft Extension Request"
#define NID_ms_ext_req 171
#define OBJ_ms_ext_req 1L,3L,6L,1L,4L,1L,311L,2L,1L,14L
#define SN_ms_code_ind "msCodeInd"
#define LN_ms_code_ind "Microsoft Individual Code Signing"
#define NID_ms_code_ind 134
#define OBJ_ms_code_ind 1L,3L,6L,1L,4L,1L,311L,2L,1L,21L
#define SN_ms_code_com "msCodeCom"
#define LN_ms_code_com "Microsoft Commercial Code Signing"
#define NID_ms_code_com 135
#define OBJ_ms_code_com 1L,3L,6L,1L,4L,1L,311L,2L,1L,22L
#define SN_ms_ctl_sign "msCTLSign"
#define LN_ms_ctl_sign "Microsoft Trust List Signing"
#define NID_ms_ctl_sign 136
#define OBJ_ms_ctl_sign 1L,3L,6L,1L,4L,1L,311L,10L,3L,1L
#define SN_ms_sgc "msSGC"
#define LN_ms_sgc "Microsoft Server Gated Crypto"
#define NID_ms_sgc 137
#define OBJ_ms_sgc 1L,3L,6L,1L,4L,1L,311L,10L,3L,3L
#define SN_ms_efs "msEFS"
#define LN_ms_efs "Microsoft Encrypted File System"
#define NID_ms_efs 138
#define OBJ_ms_efs 1L,3L,6L,1L,4L,1L,311L,10L,3L,4L
#define SN_ms_smartcard_login "msSmartcardLogin"
#define LN_ms_smartcard_login "Microsoft Smartcard Login"
#define NID_ms_smartcard_login 648
#define OBJ_ms_smartcard_login 1L,3L,6L,1L,4L,1L,311L,20L,2L,2L
#define SN_ms_upn "msUPN"
#define LN_ms_upn "Microsoft User Principal Name"
#define NID_ms_upn 649
#define OBJ_ms_upn 1L,3L,6L,1L,4L,1L,311L,20L,2L,3L
#define SN_idea_cbc "IDEA-CBC"
#define LN_idea_cbc "idea-cbc"
#define NID_idea_cbc 34
#define OBJ_idea_cbc 1L,3L,6L,1L,4L,1L,188L,7L,1L,1L,2L
#define SN_idea_ecb "IDEA-ECB"
#define LN_idea_ecb "idea-ecb"
#define NID_idea_ecb 36
#define SN_idea_cfb64 "IDEA-CFB"
#define LN_idea_cfb64 "idea-cfb"
#define NID_idea_cfb64 35
#define SN_idea_ofb64 "IDEA-OFB"
#define LN_idea_ofb64 "idea-ofb"
#define NID_idea_ofb64 46
#define SN_bf_cbc "BF-CBC"
#define LN_bf_cbc "bf-cbc"
#define NID_bf_cbc 91
#define OBJ_bf_cbc 1L,3L,6L,1L,4L,1L,3029L,1L,2L
#define SN_bf_ecb "BF-ECB"
#define LN_bf_ecb "bf-ecb"
#define NID_bf_ecb 92
#define SN_bf_cfb64 "BF-CFB"
#define LN_bf_cfb64 "bf-cfb"
#define NID_bf_cfb64 93
#define SN_bf_ofb64 "BF-OFB"
#define LN_bf_ofb64 "bf-ofb"
#define NID_bf_ofb64 94
#define SN_id_pkix "PKIX"
#define NID_id_pkix 127
#define OBJ_id_pkix 1L,3L,6L,1L,5L,5L,7L
#define SN_id_pkix_mod "id-pkix-mod"
#define NID_id_pkix_mod 258
#define OBJ_id_pkix_mod OBJ_id_pkix,0L
#define SN_id_pe "id-pe"
#define NID_id_pe 175
#define OBJ_id_pe OBJ_id_pkix,1L
#define SN_id_qt "id-qt"
#define NID_id_qt 259
#define OBJ_id_qt OBJ_id_pkix,2L
#define SN_id_kp "id-kp"
#define NID_id_kp 128
#define OBJ_id_kp OBJ_id_pkix,3L
#define SN_id_it "id-it"
#define NID_id_it 260
#define OBJ_id_it OBJ_id_pkix,4L
#define SN_id_pkip "id-pkip"
#define NID_id_pkip 261
#define OBJ_id_pkip OBJ_id_pkix,5L
#define SN_id_alg "id-alg"
#define NID_id_alg 262
#define OBJ_id_alg OBJ_id_pkix,6L
#define SN_id_cmc "id-cmc"
#define NID_id_cmc 263
#define OBJ_id_cmc OBJ_id_pkix,7L
#define SN_id_on "id-on"
#define NID_id_on 264
#define OBJ_id_on OBJ_id_pkix,8L
#define SN_id_pda "id-pda"
#define NID_id_pda 265
#define OBJ_id_pda OBJ_id_pkix,9L
#define SN_id_aca "id-aca"
#define NID_id_aca 266
#define OBJ_id_aca OBJ_id_pkix,10L
#define SN_id_qcs "id-qcs"
#define NID_id_qcs 267
#define OBJ_id_qcs OBJ_id_pkix,11L
#define SN_id_cct "id-cct"
#define NID_id_cct 268
#define OBJ_id_cct OBJ_id_pkix,12L
#define SN_id_ppl "id-ppl"
#define NID_id_ppl 662
#define OBJ_id_ppl OBJ_id_pkix,21L
#define SN_id_ad "id-ad"
#define NID_id_ad 176
#define OBJ_id_ad OBJ_id_pkix,48L
#define SN_id_pkix1_explicit_88 "id-pkix1-explicit-88"
#define NID_id_pkix1_explicit_88 269
#define OBJ_id_pkix1_explicit_88 OBJ_id_pkix_mod,1L
#define SN_id_pkix1_implicit_88 "id-pkix1-implicit-88"
#define NID_id_pkix1_implicit_88 270
#define OBJ_id_pkix1_implicit_88 OBJ_id_pkix_mod,2L
#define SN_id_pkix1_explicit_93 "id-pkix1-explicit-93"
#define NID_id_pkix1_explicit_93 271
#define OBJ_id_pkix1_explicit_93 OBJ_id_pkix_mod,3L
#define SN_id_pkix1_implicit_93 "id-pkix1-implicit-93"
#define NID_id_pkix1_implicit_93 272
#define OBJ_id_pkix1_implicit_93 OBJ_id_pkix_mod,4L
#define SN_id_mod_crmf "id-mod-crmf"
#define NID_id_mod_crmf 273
#define OBJ_id_mod_crmf OBJ_id_pkix_mod,5L
#define SN_id_mod_cmc "id-mod-cmc"
#define NID_id_mod_cmc 274
#define OBJ_id_mod_cmc OBJ_id_pkix_mod,6L
#define SN_id_mod_kea_profile_88 "id-mod-kea-profile-88"
#define NID_id_mod_kea_profile_88 275
#define OBJ_id_mod_kea_profile_88 OBJ_id_pkix_mod,7L
#define SN_id_mod_kea_profile_93 "id-mod-kea-profile-93"
#define NID_id_mod_kea_profile_93 276
#define OBJ_id_mod_kea_profile_93 OBJ_id_pkix_mod,8L
#define SN_id_mod_cmp "id-mod-cmp"
#define NID_id_mod_cmp 277
#define OBJ_id_mod_cmp OBJ_id_pkix_mod,9L
#define SN_id_mod_qualified_cert_88 "id-mod-qualified-cert-88"
#define NID_id_mod_qualified_cert_88 278
#define OBJ_id_mod_qualified_cert_88 OBJ_id_pkix_mod,10L
#define SN_id_mod_qualified_cert_93 "id-mod-qualified-cert-93"
#define NID_id_mod_qualified_cert_93 279
#define OBJ_id_mod_qualified_cert_93 OBJ_id_pkix_mod,11L
#define SN_id_mod_attribute_cert "id-mod-attribute-cert"
#define NID_id_mod_attribute_cert 280
#define OBJ_id_mod_attribute_cert OBJ_id_pkix_mod,12L
#define SN_id_mod_timestamp_protocol "id-mod-timestamp-protocol"
#define NID_id_mod_timestamp_protocol 281
#define OBJ_id_mod_timestamp_protocol OBJ_id_pkix_mod,13L
#define SN_id_mod_ocsp "id-mod-ocsp"
#define NID_id_mod_ocsp 282
#define OBJ_id_mod_ocsp OBJ_id_pkix_mod,14L
#define SN_id_mod_dvcs "id-mod-dvcs"
#define NID_id_mod_dvcs 283
#define OBJ_id_mod_dvcs OBJ_id_pkix_mod,15L
#define SN_id_mod_cmp2000 "id-mod-cmp2000"
#define NID_id_mod_cmp2000 284
#define OBJ_id_mod_cmp2000 OBJ_id_pkix_mod,16L
#define SN_info_access "authorityInfoAccess"
#define LN_info_access "Authority Information Access"
#define NID_info_access 177
#define OBJ_info_access OBJ_id_pe,1L
#define SN_biometricInfo "biometricInfo"
#define LN_biometricInfo "Biometric Info"
#define NID_biometricInfo 285
#define OBJ_biometricInfo OBJ_id_pe,2L
#define SN_qcStatements "qcStatements"
#define NID_qcStatements 286
#define OBJ_qcStatements OBJ_id_pe,3L
#define SN_ac_auditEntity "ac-auditEntity"
#define NID_ac_auditEntity 287
#define OBJ_ac_auditEntity OBJ_id_pe,4L
#define SN_ac_targeting "ac-targeting"
#define NID_ac_targeting 288
#define OBJ_ac_targeting OBJ_id_pe,5L
#define SN_aaControls "aaControls"
#define NID_aaControls 289
#define OBJ_aaControls OBJ_id_pe,6L
#define SN_sbgp_ipAddrBlock "sbgp-ipAddrBlock"
#define NID_sbgp_ipAddrBlock 290
#define OBJ_sbgp_ipAddrBlock OBJ_id_pe,7L
#define SN_sbgp_autonomousSysNum "sbgp-autonomousSysNum"
#define NID_sbgp_autonomousSysNum 291
#define OBJ_sbgp_autonomousSysNum OBJ_id_pe,8L
#define SN_sbgp_routerIdentifier "sbgp-routerIdentifier"
#define NID_sbgp_routerIdentifier 292
#define OBJ_sbgp_routerIdentifier OBJ_id_pe,9L
#define SN_ac_proxying "ac-proxying"
#define NID_ac_proxying 397
#define OBJ_ac_proxying OBJ_id_pe,10L
#define SN_sinfo_access "subjectInfoAccess"
#define LN_sinfo_access "Subject Information Access"
#define NID_sinfo_access 398
#define OBJ_sinfo_access OBJ_id_pe,11L
#define SN_proxyCertInfo "proxyCertInfo"
#define LN_proxyCertInfo "Proxy Certificate Information"
#define NID_proxyCertInfo 663
#define OBJ_proxyCertInfo OBJ_id_pe,14L
#define SN_tlsfeature "tlsfeature"
#define LN_tlsfeature "TLS Feature"
#define NID_tlsfeature 1020
#define OBJ_tlsfeature OBJ_id_pe,24L
#define SN_id_qt_cps "id-qt-cps"
#define LN_id_qt_cps "Policy Qualifier CPS"
#define NID_id_qt_cps 164
#define OBJ_id_qt_cps OBJ_id_qt,1L
#define SN_id_qt_unotice "id-qt-unotice"
#define LN_id_qt_unotice "Policy Qualifier User Notice"
#define NID_id_qt_unotice 165
#define OBJ_id_qt_unotice OBJ_id_qt,2L
#define SN_textNotice "textNotice"
#define NID_textNotice 293
#define OBJ_textNotice OBJ_id_qt,3L
#define SN_server_auth "serverAuth"
#define LN_server_auth "TLS Web Server Authentication"
#define NID_server_auth 129
#define OBJ_server_auth OBJ_id_kp,1L
#define SN_client_auth "clientAuth"
#define LN_client_auth "TLS Web Client Authentication"
#define NID_client_auth 130
#define OBJ_client_auth OBJ_id_kp,2L
#define SN_code_sign "codeSigning"
#define LN_code_sign "Code Signing"
#define NID_code_sign 131
#define OBJ_code_sign OBJ_id_kp,3L
#define SN_email_protect "emailProtection"
#define LN_email_protect "E-mail Protection"
#define NID_email_protect 132
#define OBJ_email_protect OBJ_id_kp,4L
#define SN_ipsecEndSystem "ipsecEndSystem"
#define LN_ipsecEndSystem "IPSec End System"
#define NID_ipsecEndSystem 294
#define OBJ_ipsecEndSystem OBJ_id_kp,5L
#define SN_ipsecTunnel "ipsecTunnel"
#define LN_ipsecTunnel "IPSec Tunnel"
#define NID_ipsecTunnel 295
#define OBJ_ipsecTunnel OBJ_id_kp,6L
#define SN_ipsecUser "ipsecUser"
#define LN_ipsecUser "IPSec User"
#define NID_ipsecUser 296
#define OBJ_ipsecUser OBJ_id_kp,7L
#define SN_time_stamp "timeStamping"
#define LN_time_stamp "Time Stamping"
#define NID_time_stamp 133
#define OBJ_time_stamp OBJ_id_kp,8L
#define SN_OCSP_sign "OCSPSigning"
#define LN_OCSP_sign "OCSP Signing"
#define NID_OCSP_sign 180
#define OBJ_OCSP_sign OBJ_id_kp,9L
#define SN_dvcs "DVCS"
#define LN_dvcs "dvcs"
#define NID_dvcs 297
#define OBJ_dvcs OBJ_id_kp,10L
#define SN_ipsec_IKE "ipsecIKE"
#define LN_ipsec_IKE "ipsec Internet Key Exchange"
#define NID_ipsec_IKE 1022
#define OBJ_ipsec_IKE OBJ_id_kp,17L
#define SN_capwapAC "capwapAC"
#define LN_capwapAC "Ctrl/provision WAP Access"
#define NID_capwapAC 1023
#define OBJ_capwapAC OBJ_id_kp,18L
#define SN_capwapWTP "capwapWTP"
#define LN_capwapWTP "Ctrl/Provision WAP Termination"
#define NID_capwapWTP 1024
#define OBJ_capwapWTP OBJ_id_kp,19L
#define SN_sshClient "secureShellClient"
#define LN_sshClient "SSH Client"
#define NID_sshClient 1025
#define OBJ_sshClient OBJ_id_kp,21L
#define SN_sshServer "secureShellServer"
#define LN_sshServer "SSH Server"
#define NID_sshServer 1026
#define OBJ_sshServer OBJ_id_kp,22L
#define SN_sendRouter "sendRouter"
#define LN_sendRouter "Send Router"
#define NID_sendRouter 1027
#define OBJ_sendRouter OBJ_id_kp,23L
#define SN_sendProxiedRouter "sendProxiedRouter"
#define LN_sendProxiedRouter "Send Proxied Router"
#define NID_sendProxiedRouter 1028
#define OBJ_sendProxiedRouter OBJ_id_kp,24L
#define SN_sendOwner "sendOwner"
#define LN_sendOwner "Send Owner"
#define NID_sendOwner 1029
#define OBJ_sendOwner OBJ_id_kp,25L
#define SN_sendProxiedOwner "sendProxiedOwner"
#define LN_sendProxiedOwner "Send Proxied Owner"
#define NID_sendProxiedOwner 1030
#define OBJ_sendProxiedOwner OBJ_id_kp,26L
#define SN_cmcCA "cmcCA"
#define LN_cmcCA "CMC Certificate Authority"
#define NID_cmcCA 1131
#define OBJ_cmcCA OBJ_id_kp,27L
#define SN_cmcRA "cmcRA"
#define LN_cmcRA "CMC Registration Authority"
#define NID_cmcRA 1132
#define OBJ_cmcRA OBJ_id_kp,28L
#define SN_id_it_caProtEncCert "id-it-caProtEncCert"
#define NID_id_it_caProtEncCert 298
#define OBJ_id_it_caProtEncCert OBJ_id_it,1L
#define SN_id_it_signKeyPairTypes "id-it-signKeyPairTypes"
#define NID_id_it_signKeyPairTypes 299
#define OBJ_id_it_signKeyPairTypes OBJ_id_it,2L
#define SN_id_it_encKeyPairTypes "id-it-encKeyPairTypes"
#define NID_id_it_encKeyPairTypes 300
#define OBJ_id_it_encKeyPairTypes OBJ_id_it,3L
#define SN_id_it_preferredSymmAlg "id-it-preferredSymmAlg"
#define NID_id_it_preferredSymmAlg 301
#define OBJ_id_it_preferredSymmAlg OBJ_id_it,4L
#define SN_id_it_caKeyUpdateInfo "id-it-caKeyUpdateInfo"
#define NID_id_it_caKeyUpdateInfo 302
#define OBJ_id_it_caKeyUpdateInfo OBJ_id_it,5L
#define SN_id_it_currentCRL "id-it-currentCRL"
#define NID_id_it_currentCRL 303
#define OBJ_id_it_currentCRL OBJ_id_it,6L
#define SN_id_it_unsupportedOIDs "id-it-unsupportedOIDs"
#define NID_id_it_unsupportedOIDs 304
#define OBJ_id_it_unsupportedOIDs OBJ_id_it,7L
#define SN_id_it_subscriptionRequest "id-it-subscriptionRequest"
#define NID_id_it_subscriptionRequest 305
#define OBJ_id_it_subscriptionRequest OBJ_id_it,8L
#define SN_id_it_subscriptionResponse "id-it-subscriptionResponse"
#define NID_id_it_subscriptionResponse 306
#define OBJ_id_it_subscriptionResponse OBJ_id_it,9L
#define SN_id_it_keyPairParamReq "id-it-keyPairParamReq"
#define NID_id_it_keyPairParamReq 307
#define OBJ_id_it_keyPairParamReq OBJ_id_it,10L
#define SN_id_it_keyPairParamRep "id-it-keyPairParamRep"
#define NID_id_it_keyPairParamRep 308
#define OBJ_id_it_keyPairParamRep OBJ_id_it,11L
#define SN_id_it_revPassphrase "id-it-revPassphrase"
#define NID_id_it_revPassphrase 309
#define OBJ_id_it_revPassphrase OBJ_id_it,12L
#define SN_id_it_implicitConfirm "id-it-implicitConfirm"
#define NID_id_it_implicitConfirm 310
#define OBJ_id_it_implicitConfirm OBJ_id_it,13L
#define SN_id_it_confirmWaitTime "id-it-confirmWaitTime"
#define NID_id_it_confirmWaitTime 311
#define OBJ_id_it_confirmWaitTime OBJ_id_it,14L
#define SN_id_it_origPKIMessage "id-it-origPKIMessage"
#define NID_id_it_origPKIMessage 312
#define OBJ_id_it_origPKIMessage OBJ_id_it,15L
#define SN_id_it_suppLangTags "id-it-suppLangTags"
#define NID_id_it_suppLangTags 784
#define OBJ_id_it_suppLangTags OBJ_id_it,16L
#define SN_id_regCtrl "id-regCtrl"
#define NID_id_regCtrl 313
#define OBJ_id_regCtrl OBJ_id_pkip,1L
#define SN_id_regInfo "id-regInfo"
#define NID_id_regInfo 314
#define OBJ_id_regInfo OBJ_id_pkip,2L
#define SN_id_regCtrl_regToken "id-regCtrl-regToken"
#define NID_id_regCtrl_regToken 315
#define OBJ_id_regCtrl_regToken OBJ_id_regCtrl,1L
#define SN_id_regCtrl_authenticator "id-regCtrl-authenticator"
#define NID_id_regCtrl_authenticator 316
#define OBJ_id_regCtrl_authenticator OBJ_id_regCtrl,2L
#define SN_id_regCtrl_pkiPublicationInfo "id-regCtrl-pkiPublicationInfo"
#define NID_id_regCtrl_pkiPublicationInfo 317
#define OBJ_id_regCtrl_pkiPublicationInfo OBJ_id_regCtrl,3L
#define SN_id_regCtrl_pkiArchiveOptions "id-regCtrl-pkiArchiveOptions"
#define NID_id_regCtrl_pkiArchiveOptions 318
#define OBJ_id_regCtrl_pkiArchiveOptions OBJ_id_regCtrl,4L
#define SN_id_regCtrl_oldCertID "id-regCtrl-oldCertID"
#define NID_id_regCtrl_oldCertID 319
#define OBJ_id_regCtrl_oldCertID OBJ_id_regCtrl,5L
#define SN_id_regCtrl_protocolEncrKey "id-regCtrl-protocolEncrKey"
#define NID_id_regCtrl_protocolEncrKey 320
#define OBJ_id_regCtrl_protocolEncrKey OBJ_id_regCtrl,6L
#define SN_id_regInfo_utf8Pairs "id-regInfo-utf8Pairs"
#define NID_id_regInfo_utf8Pairs 321
#define OBJ_id_regInfo_utf8Pairs OBJ_id_regInfo,1L
#define SN_id_regInfo_certReq "id-regInfo-certReq"
#define NID_id_regInfo_certReq 322
#define OBJ_id_regInfo_certReq OBJ_id_regInfo,2L
#define SN_id_alg_des40 "id-alg-des40"
#define NID_id_alg_des40 323
#define OBJ_id_alg_des40 OBJ_id_alg,1L
#define SN_id_alg_noSignature "id-alg-noSignature"
#define NID_id_alg_noSignature 324
#define OBJ_id_alg_noSignature OBJ_id_alg,2L
#define SN_id_alg_dh_sig_hmac_sha1 "id-alg-dh-sig-hmac-sha1"
#define NID_id_alg_dh_sig_hmac_sha1 325
#define OBJ_id_alg_dh_sig_hmac_sha1 OBJ_id_alg,3L
#define SN_id_alg_dh_pop "id-alg-dh-pop"
#define NID_id_alg_dh_pop 326
#define OBJ_id_alg_dh_pop OBJ_id_alg,4L
#define SN_id_cmc_statusInfo "id-cmc-statusInfo"
#define NID_id_cmc_statusInfo 327
#define OBJ_id_cmc_statusInfo OBJ_id_cmc,1L
#define SN_id_cmc_identification "id-cmc-identification"
#define NID_id_cmc_identification 328
#define OBJ_id_cmc_identification OBJ_id_cmc,2L
#define SN_id_cmc_identityProof "id-cmc-identityProof"
#define NID_id_cmc_identityProof 329
#define OBJ_id_cmc_identityProof OBJ_id_cmc,3L
#define SN_id_cmc_dataReturn "id-cmc-dataReturn"
#define NID_id_cmc_dataReturn 330
#define OBJ_id_cmc_dataReturn OBJ_id_cmc,4L
#define SN_id_cmc_transactionId "id-cmc-transactionId"
#define NID_id_cmc_transactionId 331
#define OBJ_id_cmc_transactionId OBJ_id_cmc,5L
#define SN_id_cmc_senderNonce "id-cmc-senderNonce"
#define NID_id_cmc_senderNonce 332
#define OBJ_id_cmc_senderNonce OBJ_id_cmc,6L
#define SN_id_cmc_recipientNonce "id-cmc-recipientNonce"
#define NID_id_cmc_recipientNonce 333
#define OBJ_id_cmc_recipientNonce OBJ_id_cmc,7L
#define SN_id_cmc_addExtensions "id-cmc-addExtensions"
#define NID_id_cmc_addExtensions 334
#define OBJ_id_cmc_addExtensions OBJ_id_cmc,8L
#define SN_id_cmc_encryptedPOP "id-cmc-encryptedPOP"
#define NID_id_cmc_encryptedPOP 335
#define OBJ_id_cmc_encryptedPOP OBJ_id_cmc,9L
#define SN_id_cmc_decryptedPOP "id-cmc-decryptedPOP"
#define NID_id_cmc_decryptedPOP 336
#define OBJ_id_cmc_decryptedPOP OBJ_id_cmc,10L
#define SN_id_cmc_lraPOPWitness "id-cmc-lraPOPWitness"
#define NID_id_cmc_lraPOPWitness 337
#define OBJ_id_cmc_lraPOPWitness OBJ_id_cmc,11L
#define SN_id_cmc_getCert "id-cmc-getCert"
#define NID_id_cmc_getCert 338
#define OBJ_id_cmc_getCert OBJ_id_cmc,15L
#define SN_id_cmc_getCRL "id-cmc-getCRL"
#define NID_id_cmc_getCRL 339
#define OBJ_id_cmc_getCRL OBJ_id_cmc,16L
#define SN_id_cmc_revokeRequest "id-cmc-revokeRequest"
#define NID_id_cmc_revokeRequest 340
#define OBJ_id_cmc_revokeRequest OBJ_id_cmc,17L
#define SN_id_cmc_regInfo "id-cmc-regInfo"
#define NID_id_cmc_regInfo 341
#define OBJ_id_cmc_regInfo OBJ_id_cmc,18L
#define SN_id_cmc_responseInfo "id-cmc-responseInfo"
#define NID_id_cmc_responseInfo 342
#define OBJ_id_cmc_responseInfo OBJ_id_cmc,19L
#define SN_id_cmc_queryPending "id-cmc-queryPending"
#define NID_id_cmc_queryPending 343
#define OBJ_id_cmc_queryPending OBJ_id_cmc,21L
#define SN_id_cmc_popLinkRandom "id-cmc-popLinkRandom"
#define NID_id_cmc_popLinkRandom 344
#define OBJ_id_cmc_popLinkRandom OBJ_id_cmc,22L
#define SN_id_cmc_popLinkWitness "id-cmc-popLinkWitness"
#define NID_id_cmc_popLinkWitness 345
#define OBJ_id_cmc_popLinkWitness OBJ_id_cmc,23L
#define SN_id_cmc_confirmCertAcceptance "id-cmc-confirmCertAcceptance"
#define NID_id_cmc_confirmCertAcceptance 346
#define OBJ_id_cmc_confirmCertAcceptance OBJ_id_cmc,24L
#define SN_id_on_personalData "id-on-personalData"
#define NID_id_on_personalData 347
#define OBJ_id_on_personalData OBJ_id_on,1L
#define SN_id_on_permanentIdentifier "id-on-permanentIdentifier"
#define LN_id_on_permanentIdentifier "Permanent Identifier"
#define NID_id_on_permanentIdentifier 858
#define OBJ_id_on_permanentIdentifier OBJ_id_on,3L
#define SN_id_pda_dateOfBirth "id-pda-dateOfBirth"
#define NID_id_pda_dateOfBirth 348
#define OBJ_id_pda_dateOfBirth OBJ_id_pda,1L
#define SN_id_pda_placeOfBirth "id-pda-placeOfBirth"
#define NID_id_pda_placeOfBirth 349
#define OBJ_id_pda_placeOfBirth OBJ_id_pda,2L
#define SN_id_pda_gender "id-pda-gender"
#define NID_id_pda_gender 351
#define OBJ_id_pda_gender OBJ_id_pda,3L
#define SN_id_pda_countryOfCitizenship "id-pda-countryOfCitizenship"
#define NID_id_pda_countryOfCitizenship 352
#define OBJ_id_pda_countryOfCitizenship OBJ_id_pda,4L
#define SN_id_pda_countryOfResidence "id-pda-countryOfResidence"
#define NID_id_pda_countryOfResidence 353
#define OBJ_id_pda_countryOfResidence OBJ_id_pda,5L
#define SN_id_aca_authenticationInfo "id-aca-authenticationInfo"
#define NID_id_aca_authenticationInfo 354
#define OBJ_id_aca_authenticationInfo OBJ_id_aca,1L
#define SN_id_aca_accessIdentity "id-aca-accessIdentity"
#define NID_id_aca_accessIdentity 355
#define OBJ_id_aca_accessIdentity OBJ_id_aca,2L
#define SN_id_aca_chargingIdentity "id-aca-chargingIdentity"
#define NID_id_aca_chargingIdentity 356
#define OBJ_id_aca_chargingIdentity OBJ_id_aca,3L
#define SN_id_aca_group "id-aca-group"
#define NID_id_aca_group 357
#define OBJ_id_aca_group OBJ_id_aca,4L
#define SN_id_aca_role "id-aca-role"
#define NID_id_aca_role 358
#define OBJ_id_aca_role OBJ_id_aca,5L
#define SN_id_aca_encAttrs "id-aca-encAttrs"
#define NID_id_aca_encAttrs 399
#define OBJ_id_aca_encAttrs OBJ_id_aca,6L
#define SN_id_qcs_pkixQCSyntax_v1 "id-qcs-pkixQCSyntax-v1"
#define NID_id_qcs_pkixQCSyntax_v1 359
#define OBJ_id_qcs_pkixQCSyntax_v1 OBJ_id_qcs,1L
#define SN_id_cct_crs "id-cct-crs"
#define NID_id_cct_crs 360
#define OBJ_id_cct_crs OBJ_id_cct,1L
#define SN_id_cct_PKIData "id-cct-PKIData"
#define NID_id_cct_PKIData 361
#define OBJ_id_cct_PKIData OBJ_id_cct,2L
#define SN_id_cct_PKIResponse "id-cct-PKIResponse"
#define NID_id_cct_PKIResponse 362
#define OBJ_id_cct_PKIResponse OBJ_id_cct,3L
#define SN_id_ppl_anyLanguage "id-ppl-anyLanguage"
#define LN_id_ppl_anyLanguage "Any language"
#define NID_id_ppl_anyLanguage 664
#define OBJ_id_ppl_anyLanguage OBJ_id_ppl,0L
#define SN_id_ppl_inheritAll "id-ppl-inheritAll"
#define LN_id_ppl_inheritAll "Inherit all"
#define NID_id_ppl_inheritAll 665
#define OBJ_id_ppl_inheritAll OBJ_id_ppl,1L
#define SN_Independent "id-ppl-independent"
#define LN_Independent "Independent"
#define NID_Independent 667
#define OBJ_Independent OBJ_id_ppl,2L
#define SN_ad_OCSP "OCSP"
#define LN_ad_OCSP "OCSP"
#define NID_ad_OCSP 178
#define OBJ_ad_OCSP OBJ_id_ad,1L
#define SN_ad_ca_issuers "caIssuers"
#define LN_ad_ca_issuers "CA Issuers"
#define NID_ad_ca_issuers 179
#define OBJ_ad_ca_issuers OBJ_id_ad,2L
#define SN_ad_timeStamping "ad_timestamping"
#define LN_ad_timeStamping "AD Time Stamping"
#define NID_ad_timeStamping 363
#define OBJ_ad_timeStamping OBJ_id_ad,3L
#define SN_ad_dvcs "AD_DVCS"
#define LN_ad_dvcs "ad dvcs"
#define NID_ad_dvcs 364
#define OBJ_ad_dvcs OBJ_id_ad,4L
#define SN_caRepository "caRepository"
#define LN_caRepository "CA Repository"
#define NID_caRepository 785
#define OBJ_caRepository OBJ_id_ad,5L
#define OBJ_id_pkix_OCSP OBJ_ad_OCSP
#define SN_id_pkix_OCSP_basic "basicOCSPResponse"
#define LN_id_pkix_OCSP_basic "Basic OCSP Response"
#define NID_id_pkix_OCSP_basic 365
#define OBJ_id_pkix_OCSP_basic OBJ_id_pkix_OCSP,1L
#define SN_id_pkix_OCSP_Nonce "Nonce"
#define LN_id_pkix_OCSP_Nonce "OCSP Nonce"
#define NID_id_pkix_OCSP_Nonce 366
#define OBJ_id_pkix_OCSP_Nonce OBJ_id_pkix_OCSP,2L
#define SN_id_pkix_OCSP_CrlID "CrlID"
#define LN_id_pkix_OCSP_CrlID "OCSP CRL ID"
#define NID_id_pkix_OCSP_CrlID 367
#define OBJ_id_pkix_OCSP_CrlID OBJ_id_pkix_OCSP,3L
#define SN_id_pkix_OCSP_acceptableResponses "acceptableResponses"
#define LN_id_pkix_OCSP_acceptableResponses "Acceptable OCSP Responses"
#define NID_id_pkix_OCSP_acceptableResponses 368
#define OBJ_id_pkix_OCSP_acceptableResponses OBJ_id_pkix_OCSP,4L
#define SN_id_pkix_OCSP_noCheck "noCheck"
#define LN_id_pkix_OCSP_noCheck "OCSP No Check"
#define NID_id_pkix_OCSP_noCheck 369
#define OBJ_id_pkix_OCSP_noCheck OBJ_id_pkix_OCSP,5L
#define SN_id_pkix_OCSP_archiveCutoff "archiveCutoff"
#define LN_id_pkix_OCSP_archiveCutoff "OCSP Archive Cutoff"
#define NID_id_pkix_OCSP_archiveCutoff 370
#define OBJ_id_pkix_OCSP_archiveCutoff OBJ_id_pkix_OCSP,6L
#define SN_id_pkix_OCSP_serviceLocator "serviceLocator"
#define LN_id_pkix_OCSP_serviceLocator "OCSP Service Locator"
#define NID_id_pkix_OCSP_serviceLocator 371
#define OBJ_id_pkix_OCSP_serviceLocator OBJ_id_pkix_OCSP,7L
#define SN_id_pkix_OCSP_extendedStatus "extendedStatus"
#define LN_id_pkix_OCSP_extendedStatus "Extended OCSP Status"
#define NID_id_pkix_OCSP_extendedStatus 372
#define OBJ_id_pkix_OCSP_extendedStatus OBJ_id_pkix_OCSP,8L
#define SN_id_pkix_OCSP_valid "valid"
#define NID_id_pkix_OCSP_valid 373
#define OBJ_id_pkix_OCSP_valid OBJ_id_pkix_OCSP,9L
#define SN_id_pkix_OCSP_path "path"
#define NID_id_pkix_OCSP_path 374
#define OBJ_id_pkix_OCSP_path OBJ_id_pkix_OCSP,10L
#define SN_id_pkix_OCSP_trustRoot "trustRoot"
#define LN_id_pkix_OCSP_trustRoot "Trust Root"
#define NID_id_pkix_OCSP_trustRoot 375
#define OBJ_id_pkix_OCSP_trustRoot OBJ_id_pkix_OCSP,11L
#define SN_algorithm "algorithm"
#define LN_algorithm "algorithm"
#define NID_algorithm 376
#define OBJ_algorithm 1L,3L,14L,3L,2L
#define SN_md5WithRSA "RSA-NP-MD5"
#define LN_md5WithRSA "md5WithRSA"
#define NID_md5WithRSA 104
#define OBJ_md5WithRSA OBJ_algorithm,3L
#define SN_des_ecb "DES-ECB"
#define LN_des_ecb "des-ecb"
#define NID_des_ecb 29
#define OBJ_des_ecb OBJ_algorithm,6L
#define SN_des_cbc "DES-CBC"
#define LN_des_cbc "des-cbc"
#define NID_des_cbc 31
#define OBJ_des_cbc OBJ_algorithm,7L
#define SN_des_ofb64 "DES-OFB"
#define LN_des_ofb64 "des-ofb"
#define NID_des_ofb64 45
#define OBJ_des_ofb64 OBJ_algorithm,8L
#define SN_des_cfb64 "DES-CFB"
#define LN_des_cfb64 "des-cfb"
#define NID_des_cfb64 30
#define OBJ_des_cfb64 OBJ_algorithm,9L
#define SN_rsaSignature "rsaSignature"
#define NID_rsaSignature 377
#define OBJ_rsaSignature OBJ_algorithm,11L
#define SN_dsa_2 "DSA-old"
#define LN_dsa_2 "dsaEncryption-old"
#define NID_dsa_2 67
#define OBJ_dsa_2 OBJ_algorithm,12L
#define SN_dsaWithSHA "DSA-SHA"
#define LN_dsaWithSHA "dsaWithSHA"
#define NID_dsaWithSHA 66
#define OBJ_dsaWithSHA OBJ_algorithm,13L
#define SN_shaWithRSAEncryption "RSA-SHA"
#define LN_shaWithRSAEncryption "shaWithRSAEncryption"
#define NID_shaWithRSAEncryption 42
#define OBJ_shaWithRSAEncryption OBJ_algorithm,15L
#define SN_des_ede_ecb "DES-EDE"
#define LN_des_ede_ecb "des-ede"
#define NID_des_ede_ecb 32
#define OBJ_des_ede_ecb OBJ_algorithm,17L
#define SN_des_ede3_ecb "DES-EDE3"
#define LN_des_ede3_ecb "des-ede3"
#define NID_des_ede3_ecb 33
#define SN_des_ede_cbc "DES-EDE-CBC"
#define LN_des_ede_cbc "des-ede-cbc"
#define NID_des_ede_cbc 43
#define SN_des_ede_cfb64 "DES-EDE-CFB"
#define LN_des_ede_cfb64 "des-ede-cfb"
#define NID_des_ede_cfb64 60
#define SN_des_ede3_cfb64 "DES-EDE3-CFB"
#define LN_des_ede3_cfb64 "des-ede3-cfb"
#define NID_des_ede3_cfb64 61
#define SN_des_ede_ofb64 "DES-EDE-OFB"
#define LN_des_ede_ofb64 "des-ede-ofb"
#define NID_des_ede_ofb64 62
#define SN_des_ede3_ofb64 "DES-EDE3-OFB"
#define LN_des_ede3_ofb64 "des-ede3-ofb"
#define NID_des_ede3_ofb64 63
#define SN_desx_cbc "DESX-CBC"
#define LN_desx_cbc "desx-cbc"
#define NID_desx_cbc 80
#define SN_sha "SHA"
#define LN_sha "sha"
#define NID_sha 41
#define OBJ_sha OBJ_algorithm,18L
#define SN_sha1 "SHA1"
#define LN_sha1 "sha1"
#define NID_sha1 64
#define OBJ_sha1 OBJ_algorithm,26L
#define SN_dsaWithSHA1_2 "DSA-SHA1-old"
#define LN_dsaWithSHA1_2 "dsaWithSHA1-old"
#define NID_dsaWithSHA1_2 70
#define OBJ_dsaWithSHA1_2 OBJ_algorithm,27L
#define SN_sha1WithRSA "RSA-SHA1-2"
#define LN_sha1WithRSA "sha1WithRSA"
#define NID_sha1WithRSA 115
#define OBJ_sha1WithRSA OBJ_algorithm,29L
#define SN_ripemd160 "RIPEMD160"
#define LN_ripemd160 "ripemd160"
#define NID_ripemd160 117
#define OBJ_ripemd160 1L,3L,36L,3L,2L,1L
#define SN_ripemd160WithRSA "RSA-RIPEMD160"
#define LN_ripemd160WithRSA "ripemd160WithRSA"
#define NID_ripemd160WithRSA 119
#define OBJ_ripemd160WithRSA 1L,3L,36L,3L,3L,1L,2L
#define SN_blake2b512 "BLAKE2b512"
#define LN_blake2b512 "blake2b512"
#define NID_blake2b512 1056
#define OBJ_blake2b512 1L,3L,6L,1L,4L,1L,1722L,12L,2L,1L,16L
#define SN_blake2s256 "BLAKE2s256"
#define LN_blake2s256 "blake2s256"
#define NID_blake2s256 1057
#define OBJ_blake2s256 1L,3L,6L,1L,4L,1L,1722L,12L,2L,2L,8L
#define SN_sxnet "SXNetID"
#define LN_sxnet "Strong Extranet ID"
#define NID_sxnet 143
#define OBJ_sxnet 1L,3L,101L,1L,4L,1L
#define SN_X500 "X500"
#define LN_X500 "directory services (X.500)"
#define NID_X500 11
#define OBJ_X500 2L,5L
#define SN_X509 "X509"
#define NID_X509 12
#define OBJ_X509 OBJ_X500,4L
#define SN_commonName "CN"
#define LN_commonName "commonName"
#define NID_commonName 13
#define OBJ_commonName OBJ_X509,3L
#define SN_surname "SN"
#define LN_surname "surname"
#define NID_surname 100
#define OBJ_surname OBJ_X509,4L
#define LN_serialNumber "serialNumber"
#define NID_serialNumber 105
#define OBJ_serialNumber OBJ_X509,5L
#define SN_countryName "C"
#define LN_countryName "countryName"
#define NID_countryName 14
#define OBJ_countryName OBJ_X509,6L
#define SN_localityName "L"
#define LN_localityName "localityName"
#define NID_localityName 15
#define OBJ_localityName OBJ_X509,7L
#define SN_stateOrProvinceName "ST"
#define LN_stateOrProvinceName "stateOrProvinceName"
#define NID_stateOrProvinceName 16
#define OBJ_stateOrProvinceName OBJ_X509,8L
#define SN_streetAddress "street"
#define LN_streetAddress "streetAddress"
#define NID_streetAddress 660
#define OBJ_streetAddress OBJ_X509,9L
#define SN_organizationName "O"
#define LN_organizationName "organizationName"
#define NID_organizationName 17
#define OBJ_organizationName OBJ_X509,10L
#define SN_organizationalUnitName "OU"
#define LN_organizationalUnitName "organizationalUnitName"
#define NID_organizationalUnitName 18
#define OBJ_organizationalUnitName OBJ_X509,11L
#define SN_title "title"
#define LN_title "title"
#define NID_title 106
#define OBJ_title OBJ_X509,12L
#define LN_description "description"
#define NID_description 107
#define OBJ_description OBJ_X509,13L
#define LN_searchGuide "searchGuide"
#define NID_searchGuide 859
#define OBJ_searchGuide OBJ_X509,14L
#define LN_businessCategory "businessCategory"
#define NID_businessCategory 860
#define OBJ_businessCategory OBJ_X509,15L
#define LN_postalAddress "postalAddress"
#define NID_postalAddress 861
#define OBJ_postalAddress OBJ_X509,16L
#define LN_postalCode "postalCode"
#define NID_postalCode 661
#define OBJ_postalCode OBJ_X509,17L
#define LN_postOfficeBox "postOfficeBox"
#define NID_postOfficeBox 862
#define OBJ_postOfficeBox OBJ_X509,18L
#define LN_physicalDeliveryOfficeName "physicalDeliveryOfficeName"
#define NID_physicalDeliveryOfficeName 863
#define OBJ_physicalDeliveryOfficeName OBJ_X509,19L
#define LN_telephoneNumber "telephoneNumber"
#define NID_telephoneNumber 864
#define OBJ_telephoneNumber OBJ_X509,20L
#define LN_telexNumber "telexNumber"
#define NID_telexNumber 865
#define OBJ_telexNumber OBJ_X509,21L
#define LN_teletexTerminalIdentifier "teletexTerminalIdentifier"
#define NID_teletexTerminalIdentifier 866
#define OBJ_teletexTerminalIdentifier OBJ_X509,22L
#define LN_facsimileTelephoneNumber "facsimileTelephoneNumber"
#define NID_facsimileTelephoneNumber 867
#define OBJ_facsimileTelephoneNumber OBJ_X509,23L
#define LN_x121Address "x121Address"
#define NID_x121Address 868
#define OBJ_x121Address OBJ_X509,24L
#define LN_internationaliSDNNumber "internationaliSDNNumber"
#define NID_internationaliSDNNumber 869
#define OBJ_internationaliSDNNumber OBJ_X509,25L
#define LN_registeredAddress "registeredAddress"
#define NID_registeredAddress 870
#define OBJ_registeredAddress OBJ_X509,26L
#define LN_destinationIndicator "destinationIndicator"
#define NID_destinationIndicator 871
#define OBJ_destinationIndicator OBJ_X509,27L
#define LN_preferredDeliveryMethod "preferredDeliveryMethod"
#define NID_preferredDeliveryMethod 872
#define OBJ_preferredDeliveryMethod OBJ_X509,28L
#define LN_presentationAddress "presentationAddress"
#define NID_presentationAddress 873
#define OBJ_presentationAddress OBJ_X509,29L
#define LN_supportedApplicationContext "supportedApplicationContext"
#define NID_supportedApplicationContext 874
#define OBJ_supportedApplicationContext OBJ_X509,30L
#define SN_member "member"
#define NID_member 875
#define OBJ_member OBJ_X509,31L
#define SN_owner "owner"
#define NID_owner 876
#define OBJ_owner OBJ_X509,32L
#define LN_roleOccupant "roleOccupant"
#define NID_roleOccupant 877
#define OBJ_roleOccupant OBJ_X509,33L
#define SN_seeAlso "seeAlso"
#define NID_seeAlso 878
#define OBJ_seeAlso OBJ_X509,34L
#define LN_userPassword "userPassword"
#define NID_userPassword 879
#define OBJ_userPassword OBJ_X509,35L
#define LN_userCertificate "userCertificate"
#define NID_userCertificate 880
#define OBJ_userCertificate OBJ_X509,36L
#define LN_cACertificate "cACertificate"
#define NID_cACertificate 881
#define OBJ_cACertificate OBJ_X509,37L
#define LN_authorityRevocationList "authorityRevocationList"
#define NID_authorityRevocationList 882
#define OBJ_authorityRevocationList OBJ_X509,38L
#define LN_certificateRevocationList "certificateRevocationList"
#define NID_certificateRevocationList 883
#define OBJ_certificateRevocationList OBJ_X509,39L
#define LN_crossCertificatePair "crossCertificatePair"
#define NID_crossCertificatePair 884
#define OBJ_crossCertificatePair OBJ_X509,40L
#define SN_name "name"
#define LN_name "name"
#define NID_name 173
#define OBJ_name OBJ_X509,41L
#define SN_givenName "GN"
#define LN_givenName "givenName"
#define NID_givenName 99
#define OBJ_givenName OBJ_X509,42L
#define SN_initials "initials"
#define LN_initials "initials"
#define NID_initials 101
#define OBJ_initials OBJ_X509,43L
#define LN_generationQualifier "generationQualifier"
#define NID_generationQualifier 509
#define OBJ_generationQualifier OBJ_X509,44L
#define LN_x500UniqueIdentifier "x500UniqueIdentifier"
#define NID_x500UniqueIdentifier 503
#define OBJ_x500UniqueIdentifier OBJ_X509,45L
#define SN_dnQualifier "dnQualifier"
#define LN_dnQualifier "dnQualifier"
#define NID_dnQualifier 174
#define OBJ_dnQualifier OBJ_X509,46L
#define LN_enhancedSearchGuide "enhancedSearchGuide"
#define NID_enhancedSearchGuide 885
#define OBJ_enhancedSearchGuide OBJ_X509,47L
#define LN_protocolInformation "protocolInformation"
#define NID_protocolInformation 886
#define OBJ_protocolInformation OBJ_X509,48L
#define LN_distinguishedName "distinguishedName"
#define NID_distinguishedName 887
#define OBJ_distinguishedName OBJ_X509,49L
#define LN_uniqueMember "uniqueMember"
#define NID_uniqueMember 888
#define OBJ_uniqueMember OBJ_X509,50L
#define LN_houseIdentifier "houseIdentifier"
#define NID_houseIdentifier 889
#define OBJ_houseIdentifier OBJ_X509,51L
#define LN_supportedAlgorithms "supportedAlgorithms"
#define NID_supportedAlgorithms 890
#define OBJ_supportedAlgorithms OBJ_X509,52L
#define LN_deltaRevocationList "deltaRevocationList"
#define NID_deltaRevocationList 891
#define OBJ_deltaRevocationList OBJ_X509,53L
#define SN_dmdName "dmdName"
#define NID_dmdName 892
#define OBJ_dmdName OBJ_X509,54L
#define LN_pseudonym "pseudonym"
#define NID_pseudonym 510
#define OBJ_pseudonym OBJ_X509,65L
#define SN_role "role"
#define LN_role "role"
#define NID_role 400
#define OBJ_role OBJ_X509,72L
#define LN_organizationIdentifier "organizationIdentifier"
#define NID_organizationIdentifier 1089
#define OBJ_organizationIdentifier OBJ_X509,97L
#define SN_countryCode3c "c3"
#define LN_countryCode3c "countryCode3c"
#define NID_countryCode3c 1090
#define OBJ_countryCode3c OBJ_X509,98L
#define SN_countryCode3n "n3"
#define LN_countryCode3n "countryCode3n"
#define NID_countryCode3n 1091
#define OBJ_countryCode3n OBJ_X509,99L
#define LN_dnsName "dnsName"
#define NID_dnsName 1092
#define OBJ_dnsName OBJ_X509,100L
#define SN_X500algorithms "X500algorithms"
#define LN_X500algorithms "directory services - algorithms"
#define NID_X500algorithms 378
#define OBJ_X500algorithms OBJ_X500,8L
#define SN_rsa "RSA"
#define LN_rsa "rsa"
#define NID_rsa 19
#define OBJ_rsa OBJ_X500algorithms,1L,1L
#define SN_mdc2WithRSA "RSA-MDC2"
#define LN_mdc2WithRSA "mdc2WithRSA"
#define NID_mdc2WithRSA 96
#define OBJ_mdc2WithRSA OBJ_X500algorithms,3L,100L
#define SN_mdc2 "MDC2"
#define LN_mdc2 "mdc2"
#define NID_mdc2 95
#define OBJ_mdc2 OBJ_X500algorithms,3L,101L
#define SN_id_ce "id-ce"
#define NID_id_ce 81
#define OBJ_id_ce OBJ_X500,29L
#define SN_subject_directory_attributes "subjectDirectoryAttributes"
#define LN_subject_directory_attributes "X509v3 Subject Directory Attributes"
#define NID_subject_directory_attributes 769
#define OBJ_subject_directory_attributes OBJ_id_ce,9L
#define SN_subject_key_identifier "subjectKeyIdentifier"
#define LN_subject_key_identifier "X509v3 Subject Key Identifier"
#define NID_subject_key_identifier 82
#define OBJ_subject_key_identifier OBJ_id_ce,14L
#define SN_key_usage "keyUsage"
#define LN_key_usage "X509v3 Key Usage"
#define NID_key_usage 83
#define OBJ_key_usage OBJ_id_ce,15L
#define SN_private_key_usage_period "privateKeyUsagePeriod"
#define LN_private_key_usage_period "X509v3 Private Key Usage Period"
#define NID_private_key_usage_period 84
#define OBJ_private_key_usage_period OBJ_id_ce,16L
#define SN_subject_alt_name "subjectAltName"
#define LN_subject_alt_name "X509v3 Subject Alternative Name"
#define NID_subject_alt_name 85
#define OBJ_subject_alt_name OBJ_id_ce,17L
#define SN_issuer_alt_name "issuerAltName"
#define LN_issuer_alt_name "X509v3 Issuer Alternative Name"
#define NID_issuer_alt_name 86
#define OBJ_issuer_alt_name OBJ_id_ce,18L
#define SN_basic_constraints "basicConstraints"
#define LN_basic_constraints "X509v3 Basic Constraints"
#define NID_basic_constraints 87
#define OBJ_basic_constraints OBJ_id_ce,19L
#define SN_crl_number "crlNumber"
#define LN_crl_number "X509v3 CRL Number"
#define NID_crl_number 88
#define OBJ_crl_number OBJ_id_ce,20L
#define SN_crl_reason "CRLReason"
#define LN_crl_reason "X509v3 CRL Reason Code"
#define NID_crl_reason 141
#define OBJ_crl_reason OBJ_id_ce,21L
#define SN_invalidity_date "invalidityDate"
#define LN_invalidity_date "Invalidity Date"
#define NID_invalidity_date 142
#define OBJ_invalidity_date OBJ_id_ce,24L
#define SN_delta_crl "deltaCRL"
#define LN_delta_crl "X509v3 Delta CRL Indicator"
#define NID_delta_crl 140
#define OBJ_delta_crl OBJ_id_ce,27L
#define SN_issuing_distribution_point "issuingDistributionPoint"
#define LN_issuing_distribution_point "X509v3 Issuing Distribution Point"
#define NID_issuing_distribution_point 770
#define OBJ_issuing_distribution_point OBJ_id_ce,28L
#define SN_certificate_issuer "certificateIssuer"
#define LN_certificate_issuer "X509v3 Certificate Issuer"
#define NID_certificate_issuer 771
#define OBJ_certificate_issuer OBJ_id_ce,29L
#define SN_name_constraints "nameConstraints"
#define LN_name_constraints "X509v3 Name Constraints"
#define NID_name_constraints 666
#define OBJ_name_constraints OBJ_id_ce,30L
#define SN_crl_distribution_points "crlDistributionPoints"
#define LN_crl_distribution_points "X509v3 CRL Distribution Points"
#define NID_crl_distribution_points 103
#define OBJ_crl_distribution_points OBJ_id_ce,31L
#define SN_certificate_policies "certificatePolicies"
#define LN_certificate_policies "X509v3 Certificate Policies"
#define NID_certificate_policies 89
#define OBJ_certificate_policies OBJ_id_ce,32L
#define SN_any_policy "anyPolicy"
#define LN_any_policy "X509v3 Any Policy"
#define NID_any_policy 746
#define OBJ_any_policy OBJ_certificate_policies,0L
#define SN_policy_mappings "policyMappings"
#define LN_policy_mappings "X509v3 Policy Mappings"
#define NID_policy_mappings 747
#define OBJ_policy_mappings OBJ_id_ce,33L
#define SN_authority_key_identifier "authorityKeyIdentifier"
#define LN_authority_key_identifier "X509v3 Authority Key Identifier"
#define NID_authority_key_identifier 90
#define OBJ_authority_key_identifier OBJ_id_ce,35L
#define SN_policy_constraints "policyConstraints"
#define LN_policy_constraints "X509v3 Policy Constraints"
#define NID_policy_constraints 401
#define OBJ_policy_constraints OBJ_id_ce,36L
#define SN_ext_key_usage "extendedKeyUsage"
#define LN_ext_key_usage "X509v3 Extended Key Usage"
#define NID_ext_key_usage 126
#define OBJ_ext_key_usage OBJ_id_ce,37L
#define SN_freshest_crl "freshestCRL"
#define LN_freshest_crl "X509v3 Freshest CRL"
#define NID_freshest_crl 857
#define OBJ_freshest_crl OBJ_id_ce,46L
#define SN_inhibit_any_policy "inhibitAnyPolicy"
#define LN_inhibit_any_policy "X509v3 Inhibit Any Policy"
#define NID_inhibit_any_policy 748
#define OBJ_inhibit_any_policy OBJ_id_ce,54L
#define SN_target_information "targetInformation"
#define LN_target_information "X509v3 AC Targeting"
#define NID_target_information 402
#define OBJ_target_information OBJ_id_ce,55L
#define SN_no_rev_avail "noRevAvail"
#define LN_no_rev_avail "X509v3 No Revocation Available"
#define NID_no_rev_avail 403
#define OBJ_no_rev_avail OBJ_id_ce,56L
#define SN_anyExtendedKeyUsage "anyExtendedKeyUsage"
#define LN_anyExtendedKeyUsage "Any Extended Key Usage"
#define NID_anyExtendedKeyUsage 910
#define OBJ_anyExtendedKeyUsage OBJ_ext_key_usage,0L
#define SN_netscape "Netscape"
#define LN_netscape "Netscape Communications Corp."
#define NID_netscape 57
#define OBJ_netscape 2L,16L,840L,1L,113730L
#define SN_netscape_cert_extension "nsCertExt"
#define LN_netscape_cert_extension "Netscape Certificate Extension"
#define NID_netscape_cert_extension 58
#define OBJ_netscape_cert_extension OBJ_netscape,1L
#define SN_netscape_data_type "nsDataType"
#define LN_netscape_data_type "Netscape Data Type"
#define NID_netscape_data_type 59
#define OBJ_netscape_data_type OBJ_netscape,2L
#define SN_netscape_cert_type "nsCertType"
#define LN_netscape_cert_type "Netscape Cert Type"
#define NID_netscape_cert_type 71
#define OBJ_netscape_cert_type OBJ_netscape_cert_extension,1L
#define SN_netscape_base_url "nsBaseUrl"
#define LN_netscape_base_url "Netscape Base Url"
#define NID_netscape_base_url 72
#define OBJ_netscape_base_url OBJ_netscape_cert_extension,2L
#define SN_netscape_revocation_url "nsRevocationUrl"
#define LN_netscape_revocation_url "Netscape Revocation Url"
#define NID_netscape_revocation_url 73
#define OBJ_netscape_revocation_url OBJ_netscape_cert_extension,3L
#define SN_netscape_ca_revocation_url "nsCaRevocationUrl"
#define LN_netscape_ca_revocation_url "Netscape CA Revocation Url"
#define NID_netscape_ca_revocation_url 74
#define OBJ_netscape_ca_revocation_url OBJ_netscape_cert_extension,4L
#define SN_netscape_renewal_url "nsRenewalUrl"
#define LN_netscape_renewal_url "Netscape Renewal Url"
#define NID_netscape_renewal_url 75
#define OBJ_netscape_renewal_url OBJ_netscape_cert_extension,7L
#define SN_netscape_ca_policy_url "nsCaPolicyUrl"
#define LN_netscape_ca_policy_url "Netscape CA Policy Url"
#define NID_netscape_ca_policy_url 76
#define OBJ_netscape_ca_policy_url OBJ_netscape_cert_extension,8L
#define SN_netscape_ssl_server_name "nsSslServerName"
#define LN_netscape_ssl_server_name "Netscape SSL Server Name"
#define NID_netscape_ssl_server_name 77
#define OBJ_netscape_ssl_server_name OBJ_netscape_cert_extension,12L
#define SN_netscape_comment "nsComment"
#define LN_netscape_comment "Netscape Comment"
#define NID_netscape_comment 78
#define OBJ_netscape_comment OBJ_netscape_cert_extension,13L
#define SN_netscape_cert_sequence "nsCertSequence"
#define LN_netscape_cert_sequence "Netscape Certificate Sequence"
#define NID_netscape_cert_sequence 79
#define OBJ_netscape_cert_sequence OBJ_netscape_data_type,5L
#define SN_ns_sgc "nsSGC"
#define LN_ns_sgc "Netscape Server Gated Crypto"
#define NID_ns_sgc 139
#define OBJ_ns_sgc OBJ_netscape,4L,1L
#define SN_org "ORG"
#define LN_org "org"
#define NID_org 379
#define OBJ_org OBJ_iso,3L
#define SN_dod "DOD"
#define LN_dod "dod"
#define NID_dod 380
#define OBJ_dod OBJ_org,6L
#define SN_iana "IANA"
#define LN_iana "iana"
#define NID_iana 381
#define OBJ_iana OBJ_dod,1L
#define OBJ_internet OBJ_iana
#define SN_Directory "directory"
#define LN_Directory "Directory"
#define NID_Directory 382
#define OBJ_Directory OBJ_internet,1L
#define SN_Management "mgmt"
#define LN_Management "Management"
#define NID_Management 383
#define OBJ_Management OBJ_internet,2L
#define SN_Experimental "experimental"
#define LN_Experimental "Experimental"
#define NID_Experimental 384
#define OBJ_Experimental OBJ_internet,3L
#define SN_Private "private"
#define LN_Private "Private"
#define NID_Private 385
#define OBJ_Private OBJ_internet,4L
#define SN_Security "security"
#define LN_Security "Security"
#define NID_Security 386
#define OBJ_Security OBJ_internet,5L
#define SN_SNMPv2 "snmpv2"
#define LN_SNMPv2 "SNMPv2"
#define NID_SNMPv2 387
#define OBJ_SNMPv2 OBJ_internet,6L
#define LN_Mail "Mail"
#define NID_Mail 388
#define OBJ_Mail OBJ_internet,7L
#define SN_Enterprises "enterprises"
#define LN_Enterprises "Enterprises"
#define NID_Enterprises 389
#define OBJ_Enterprises OBJ_Private,1L
#define SN_dcObject "dcobject"
#define LN_dcObject "dcObject"
#define NID_dcObject 390
#define OBJ_dcObject OBJ_Enterprises,1466L,344L
#define SN_mime_mhs "mime-mhs"
#define LN_mime_mhs "MIME MHS"
#define NID_mime_mhs 504
#define OBJ_mime_mhs OBJ_Mail,1L
#define SN_mime_mhs_headings "mime-mhs-headings"
#define LN_mime_mhs_headings "mime-mhs-headings"
#define NID_mime_mhs_headings 505
#define OBJ_mime_mhs_headings OBJ_mime_mhs,1L
#define SN_mime_mhs_bodies "mime-mhs-bodies"
#define LN_mime_mhs_bodies "mime-mhs-bodies"
#define NID_mime_mhs_bodies 506
#define OBJ_mime_mhs_bodies OBJ_mime_mhs,2L
#define SN_id_hex_partial_message "id-hex-partial-message"
#define LN_id_hex_partial_message "id-hex-partial-message"
#define NID_id_hex_partial_message 507
#define OBJ_id_hex_partial_message OBJ_mime_mhs_headings,1L
#define SN_id_hex_multipart_message "id-hex-multipart-message"
#define LN_id_hex_multipart_message "id-hex-multipart-message"
#define NID_id_hex_multipart_message 508
#define OBJ_id_hex_multipart_message OBJ_mime_mhs_headings,2L
#define SN_zlib_compression "ZLIB"
#define LN_zlib_compression "zlib compression"
#define NID_zlib_compression 125
#define OBJ_zlib_compression OBJ_id_smime_alg,8L
#define OBJ_csor 2L,16L,840L,1L,101L,3L
#define OBJ_nistAlgorithms OBJ_csor,4L
#define OBJ_aes OBJ_nistAlgorithms,1L
#define SN_aes_128_ecb "AES-128-ECB"
#define LN_aes_128_ecb "aes-128-ecb"
#define NID_aes_128_ecb 418
#define OBJ_aes_128_ecb OBJ_aes,1L
#define SN_aes_128_cbc "AES-128-CBC"
#define LN_aes_128_cbc "aes-128-cbc"
#define NID_aes_128_cbc 419
#define OBJ_aes_128_cbc OBJ_aes,2L
#define SN_aes_128_ofb128 "AES-128-OFB"
#define LN_aes_128_ofb128 "aes-128-ofb"
#define NID_aes_128_ofb128 420
#define OBJ_aes_128_ofb128 OBJ_aes,3L
#define SN_aes_128_cfb128 "AES-128-CFB"
#define LN_aes_128_cfb128 "aes-128-cfb"
#define NID_aes_128_cfb128 421
#define OBJ_aes_128_cfb128 OBJ_aes,4L
#define SN_id_aes128_wrap "id-aes128-wrap"
#define NID_id_aes128_wrap 788
#define OBJ_id_aes128_wrap OBJ_aes,5L
#define SN_aes_128_gcm "id-aes128-GCM"
#define LN_aes_128_gcm "aes-128-gcm"
#define NID_aes_128_gcm 895
#define OBJ_aes_128_gcm OBJ_aes,6L
#define SN_aes_128_ccm "id-aes128-CCM"
#define LN_aes_128_ccm "aes-128-ccm"
#define NID_aes_128_ccm 896
#define OBJ_aes_128_ccm OBJ_aes,7L
#define SN_id_aes128_wrap_pad "id-aes128-wrap-pad"
#define NID_id_aes128_wrap_pad 897
#define OBJ_id_aes128_wrap_pad OBJ_aes,8L
#define SN_aes_192_ecb "AES-192-ECB"
#define LN_aes_192_ecb "aes-192-ecb"
#define NID_aes_192_ecb 422
#define OBJ_aes_192_ecb OBJ_aes,21L
#define SN_aes_192_cbc "AES-192-CBC"
#define LN_aes_192_cbc "aes-192-cbc"
#define NID_aes_192_cbc 423
#define OBJ_aes_192_cbc OBJ_aes,22L
#define SN_aes_192_ofb128 "AES-192-OFB"
#define LN_aes_192_ofb128 "aes-192-ofb"
#define NID_aes_192_ofb128 424
#define OBJ_aes_192_ofb128 OBJ_aes,23L
#define SN_aes_192_cfb128 "AES-192-CFB"
#define LN_aes_192_cfb128 "aes-192-cfb"
#define NID_aes_192_cfb128 425
#define OBJ_aes_192_cfb128 OBJ_aes,24L
#define SN_id_aes192_wrap "id-aes192-wrap"
#define NID_id_aes192_wrap 789
#define OBJ_id_aes192_wrap OBJ_aes,25L
#define SN_aes_192_gcm "id-aes192-GCM"
#define LN_aes_192_gcm "aes-192-gcm"
#define NID_aes_192_gcm 898
#define OBJ_aes_192_gcm OBJ_aes,26L
#define SN_aes_192_ccm "id-aes192-CCM"
#define LN_aes_192_ccm "aes-192-ccm"
#define NID_aes_192_ccm 899
#define OBJ_aes_192_ccm OBJ_aes,27L
#define SN_id_aes192_wrap_pad "id-aes192-wrap-pad"
#define NID_id_aes192_wrap_pad 900
#define OBJ_id_aes192_wrap_pad OBJ_aes,28L
#define SN_aes_256_ecb "AES-256-ECB"
#define LN_aes_256_ecb "aes-256-ecb"
#define NID_aes_256_ecb 426
#define OBJ_aes_256_ecb OBJ_aes,41L
#define SN_aes_256_cbc "AES-256-CBC"
#define LN_aes_256_cbc "aes-256-cbc"
#define NID_aes_256_cbc 427
#define OBJ_aes_256_cbc OBJ_aes,42L
#define SN_aes_256_ofb128 "AES-256-OFB"
#define LN_aes_256_ofb128 "aes-256-ofb"
#define NID_aes_256_ofb128 428
#define OBJ_aes_256_ofb128 OBJ_aes,43L
#define SN_aes_256_cfb128 "AES-256-CFB"
#define LN_aes_256_cfb128 "aes-256-cfb"
#define NID_aes_256_cfb128 429
#define OBJ_aes_256_cfb128 OBJ_aes,44L
#define SN_id_aes256_wrap "id-aes256-wrap"
#define NID_id_aes256_wrap 790
#define OBJ_id_aes256_wrap OBJ_aes,45L
#define SN_aes_256_gcm "id-aes256-GCM"
#define LN_aes_256_gcm "aes-256-gcm"
#define NID_aes_256_gcm 901
#define OBJ_aes_256_gcm OBJ_aes,46L
#define SN_aes_256_ccm "id-aes256-CCM"
#define LN_aes_256_ccm "aes-256-ccm"
#define NID_aes_256_ccm 902
#define OBJ_aes_256_ccm OBJ_aes,47L
#define SN_id_aes256_wrap_pad "id-aes256-wrap-pad"
#define NID_id_aes256_wrap_pad 903
#define OBJ_id_aes256_wrap_pad OBJ_aes,48L
#define SN_aes_128_xts "AES-128-XTS"
#define LN_aes_128_xts "aes-128-xts"
#define NID_aes_128_xts 913
#define OBJ_aes_128_xts OBJ_ieee_siswg,0L,1L,1L
#define SN_aes_256_xts "AES-256-XTS"
#define LN_aes_256_xts "aes-256-xts"
#define NID_aes_256_xts 914
#define OBJ_aes_256_xts OBJ_ieee_siswg,0L,1L,2L
#define SN_aes_128_cfb1 "AES-128-CFB1"
#define LN_aes_128_cfb1 "aes-128-cfb1"
#define NID_aes_128_cfb1 650
#define SN_aes_192_cfb1 "AES-192-CFB1"
#define LN_aes_192_cfb1 "aes-192-cfb1"
#define NID_aes_192_cfb1 651
#define SN_aes_256_cfb1 "AES-256-CFB1"
#define LN_aes_256_cfb1 "aes-256-cfb1"
#define NID_aes_256_cfb1 652
#define SN_aes_128_cfb8 "AES-128-CFB8"
#define LN_aes_128_cfb8 "aes-128-cfb8"
#define NID_aes_128_cfb8 653
#define SN_aes_192_cfb8 "AES-192-CFB8"
#define LN_aes_192_cfb8 "aes-192-cfb8"
#define NID_aes_192_cfb8 654
#define SN_aes_256_cfb8 "AES-256-CFB8"
#define LN_aes_256_cfb8 "aes-256-cfb8"
#define NID_aes_256_cfb8 655
#define SN_aes_128_ctr "AES-128-CTR"
#define LN_aes_128_ctr "aes-128-ctr"
#define NID_aes_128_ctr 904
#define SN_aes_192_ctr "AES-192-CTR"
#define LN_aes_192_ctr "aes-192-ctr"
#define NID_aes_192_ctr 905
#define SN_aes_256_ctr "AES-256-CTR"
#define LN_aes_256_ctr "aes-256-ctr"
#define NID_aes_256_ctr 906
#define SN_aes_128_ocb "AES-128-OCB"
#define LN_aes_128_ocb "aes-128-ocb"
#define NID_aes_128_ocb 958
#define SN_aes_192_ocb "AES-192-OCB"
#define LN_aes_192_ocb "aes-192-ocb"
#define NID_aes_192_ocb 959
#define SN_aes_256_ocb "AES-256-OCB"
#define LN_aes_256_ocb "aes-256-ocb"
#define NID_aes_256_ocb 960
#define SN_des_cfb1 "DES-CFB1"
#define LN_des_cfb1 "des-cfb1"
#define NID_des_cfb1 656
#define SN_des_cfb8 "DES-CFB8"
#define LN_des_cfb8 "des-cfb8"
#define NID_des_cfb8 657
#define SN_des_ede3_cfb1 "DES-EDE3-CFB1"
#define LN_des_ede3_cfb1 "des-ede3-cfb1"
#define NID_des_ede3_cfb1 658
#define SN_des_ede3_cfb8 "DES-EDE3-CFB8"
#define LN_des_ede3_cfb8 "des-ede3-cfb8"
#define NID_des_ede3_cfb8 659
#define OBJ_nist_hashalgs OBJ_nistAlgorithms,2L
#define SN_sha256 "SHA256"
#define LN_sha256 "sha256"
#define NID_sha256 672
#define OBJ_sha256 OBJ_nist_hashalgs,1L
#define SN_sha384 "SHA384"
#define LN_sha384 "sha384"
#define NID_sha384 673
#define OBJ_sha384 OBJ_nist_hashalgs,2L
#define SN_sha512 "SHA512"
#define LN_sha512 "sha512"
#define NID_sha512 674
#define OBJ_sha512 OBJ_nist_hashalgs,3L
#define SN_sha224 "SHA224"
#define LN_sha224 "sha224"
#define NID_sha224 675
#define OBJ_sha224 OBJ_nist_hashalgs,4L
#define SN_sha512_224 "SHA512-224"
#define LN_sha512_224 "sha512-224"
#define NID_sha512_224 1094
#define OBJ_sha512_224 OBJ_nist_hashalgs,5L
#define SN_sha512_256 "SHA512-256"
#define LN_sha512_256 "sha512-256"
#define NID_sha512_256 1095
#define OBJ_sha512_256 OBJ_nist_hashalgs,6L
#define SN_sha3_224 "SHA3-224"
#define LN_sha3_224 "sha3-224"
#define NID_sha3_224 1096
#define OBJ_sha3_224 OBJ_nist_hashalgs,7L
#define SN_sha3_256 "SHA3-256"
#define LN_sha3_256 "sha3-256"
#define NID_sha3_256 1097
#define OBJ_sha3_256 OBJ_nist_hashalgs,8L
#define SN_sha3_384 "SHA3-384"
#define LN_sha3_384 "sha3-384"
#define NID_sha3_384 1098
#define OBJ_sha3_384 OBJ_nist_hashalgs,9L
#define SN_sha3_512 "SHA3-512"
#define LN_sha3_512 "sha3-512"
#define NID_sha3_512 1099
#define OBJ_sha3_512 OBJ_nist_hashalgs,10L
#define SN_shake128 "SHAKE128"
#define LN_shake128 "shake128"
#define NID_shake128 1100
#define OBJ_shake128 OBJ_nist_hashalgs,11L
#define SN_shake256 "SHAKE256"
#define LN_shake256 "shake256"
#define NID_shake256 1101
#define OBJ_shake256 OBJ_nist_hashalgs,12L
#define SN_hmac_sha3_224 "id-hmacWithSHA3-224"
#define LN_hmac_sha3_224 "hmac-sha3-224"
#define NID_hmac_sha3_224 1102
#define OBJ_hmac_sha3_224 OBJ_nist_hashalgs,13L
#define SN_hmac_sha3_256 "id-hmacWithSHA3-256"
#define LN_hmac_sha3_256 "hmac-sha3-256"
#define NID_hmac_sha3_256 1103
#define OBJ_hmac_sha3_256 OBJ_nist_hashalgs,14L
#define SN_hmac_sha3_384 "id-hmacWithSHA3-384"
#define LN_hmac_sha3_384 "hmac-sha3-384"
#define NID_hmac_sha3_384 1104
#define OBJ_hmac_sha3_384 OBJ_nist_hashalgs,15L
#define SN_hmac_sha3_512 "id-hmacWithSHA3-512"
#define LN_hmac_sha3_512 "hmac-sha3-512"
#define NID_hmac_sha3_512 1105
#define OBJ_hmac_sha3_512 OBJ_nist_hashalgs,16L
#define OBJ_dsa_with_sha2 OBJ_nistAlgorithms,3L
#define SN_dsa_with_SHA224 "dsa_with_SHA224"
#define NID_dsa_with_SHA224 802
#define OBJ_dsa_with_SHA224 OBJ_dsa_with_sha2,1L
#define SN_dsa_with_SHA256 "dsa_with_SHA256"
#define NID_dsa_with_SHA256 803
#define OBJ_dsa_with_SHA256 OBJ_dsa_with_sha2,2L
#define OBJ_sigAlgs OBJ_nistAlgorithms,3L
#define SN_dsa_with_SHA384 "id-dsa-with-sha384"
#define LN_dsa_with_SHA384 "dsa_with_SHA384"
#define NID_dsa_with_SHA384 1106
#define OBJ_dsa_with_SHA384 OBJ_sigAlgs,3L
#define SN_dsa_with_SHA512 "id-dsa-with-sha512"
#define LN_dsa_with_SHA512 "dsa_with_SHA512"
#define NID_dsa_with_SHA512 1107
#define OBJ_dsa_with_SHA512 OBJ_sigAlgs,4L
#define SN_dsa_with_SHA3_224 "id-dsa-with-sha3-224"
#define LN_dsa_with_SHA3_224 "dsa_with_SHA3-224"
#define NID_dsa_with_SHA3_224 1108
#define OBJ_dsa_with_SHA3_224 OBJ_sigAlgs,5L
#define SN_dsa_with_SHA3_256 "id-dsa-with-sha3-256"
#define LN_dsa_with_SHA3_256 "dsa_with_SHA3-256"
#define NID_dsa_with_SHA3_256 1109
#define OBJ_dsa_with_SHA3_256 OBJ_sigAlgs,6L
#define SN_dsa_with_SHA3_384 "id-dsa-with-sha3-384"
#define LN_dsa_with_SHA3_384 "dsa_with_SHA3-384"
#define NID_dsa_with_SHA3_384 1110
#define OBJ_dsa_with_SHA3_384 OBJ_sigAlgs,7L
#define SN_dsa_with_SHA3_512 "id-dsa-with-sha3-512"
#define LN_dsa_with_SHA3_512 "dsa_with_SHA3-512"
#define NID_dsa_with_SHA3_512 1111
#define OBJ_dsa_with_SHA3_512 OBJ_sigAlgs,8L
#define SN_ecdsa_with_SHA3_224 "id-ecdsa-with-sha3-224"
#define LN_ecdsa_with_SHA3_224 "ecdsa_with_SHA3-224"
#define NID_ecdsa_with_SHA3_224 1112
#define OBJ_ecdsa_with_SHA3_224 OBJ_sigAlgs,9L
#define SN_ecdsa_with_SHA3_256 "id-ecdsa-with-sha3-256"
#define LN_ecdsa_with_SHA3_256 "ecdsa_with_SHA3-256"
#define NID_ecdsa_with_SHA3_256 1113
#define OBJ_ecdsa_with_SHA3_256 OBJ_sigAlgs,10L
#define SN_ecdsa_with_SHA3_384 "id-ecdsa-with-sha3-384"
#define LN_ecdsa_with_SHA3_384 "ecdsa_with_SHA3-384"
#define NID_ecdsa_with_SHA3_384 1114
#define OBJ_ecdsa_with_SHA3_384 OBJ_sigAlgs,11L
#define SN_ecdsa_with_SHA3_512 "id-ecdsa-with-sha3-512"
#define LN_ecdsa_with_SHA3_512 "ecdsa_with_SHA3-512"
#define NID_ecdsa_with_SHA3_512 1115
#define OBJ_ecdsa_with_SHA3_512 OBJ_sigAlgs,12L
#define SN_RSA_SHA3_224 "id-rsassa-pkcs1-v1_5-with-sha3-224"
#define LN_RSA_SHA3_224 "RSA-SHA3-224"
#define NID_RSA_SHA3_224 1116
#define OBJ_RSA_SHA3_224 OBJ_sigAlgs,13L
#define SN_RSA_SHA3_256 "id-rsassa-pkcs1-v1_5-with-sha3-256"
#define LN_RSA_SHA3_256 "RSA-SHA3-256"
#define NID_RSA_SHA3_256 1117
#define OBJ_RSA_SHA3_256 OBJ_sigAlgs,14L
#define SN_RSA_SHA3_384 "id-rsassa-pkcs1-v1_5-with-sha3-384"
#define LN_RSA_SHA3_384 "RSA-SHA3-384"
#define NID_RSA_SHA3_384 1118
#define OBJ_RSA_SHA3_384 OBJ_sigAlgs,15L
#define SN_RSA_SHA3_512 "id-rsassa-pkcs1-v1_5-with-sha3-512"
#define LN_RSA_SHA3_512 "RSA-SHA3-512"
#define NID_RSA_SHA3_512 1119
#define OBJ_RSA_SHA3_512 OBJ_sigAlgs,16L
#define SN_hold_instruction_code "holdInstructionCode"
#define LN_hold_instruction_code "Hold Instruction Code"
#define NID_hold_instruction_code 430
#define OBJ_hold_instruction_code OBJ_id_ce,23L
#define OBJ_holdInstruction OBJ_X9_57,2L
#define SN_hold_instruction_none "holdInstructionNone"
#define LN_hold_instruction_none "Hold Instruction None"
#define NID_hold_instruction_none 431
#define OBJ_hold_instruction_none OBJ_holdInstruction,1L
#define SN_hold_instruction_call_issuer "holdInstructionCallIssuer"
#define LN_hold_instruction_call_issuer "Hold Instruction Call Issuer"
#define NID_hold_instruction_call_issuer 432
#define OBJ_hold_instruction_call_issuer OBJ_holdInstruction,2L
#define SN_hold_instruction_reject "holdInstructionReject"
#define LN_hold_instruction_reject "Hold Instruction Reject"
#define NID_hold_instruction_reject 433
#define OBJ_hold_instruction_reject OBJ_holdInstruction,3L
#define SN_data "data"
#define NID_data 434
#define OBJ_data OBJ_itu_t,9L
#define SN_pss "pss"
#define NID_pss 435
#define OBJ_pss OBJ_data,2342L
#define SN_ucl "ucl"
#define NID_ucl 436
#define OBJ_ucl OBJ_pss,19200300L
#define SN_pilot "pilot"
#define NID_pilot 437
#define OBJ_pilot OBJ_ucl,100L
#define LN_pilotAttributeType "pilotAttributeType"
#define NID_pilotAttributeType 438
#define OBJ_pilotAttributeType OBJ_pilot,1L
#define LN_pilotAttributeSyntax "pilotAttributeSyntax"
#define NID_pilotAttributeSyntax 439
#define OBJ_pilotAttributeSyntax OBJ_pilot,3L
#define LN_pilotObjectClass "pilotObjectClass"
#define NID_pilotObjectClass 440
#define OBJ_pilotObjectClass OBJ_pilot,4L
#define LN_pilotGroups "pilotGroups"
#define NID_pilotGroups 441
#define OBJ_pilotGroups OBJ_pilot,10L
#define LN_iA5StringSyntax "iA5StringSyntax"
#define NID_iA5StringSyntax 442
#define OBJ_iA5StringSyntax OBJ_pilotAttributeSyntax,4L
#define LN_caseIgnoreIA5StringSyntax "caseIgnoreIA5StringSyntax"
#define NID_caseIgnoreIA5StringSyntax 443
#define OBJ_caseIgnoreIA5StringSyntax OBJ_pilotAttributeSyntax,5L
#define LN_pilotObject "pilotObject"
#define NID_pilotObject 444
#define OBJ_pilotObject OBJ_pilotObjectClass,3L
#define LN_pilotPerson "pilotPerson"
#define NID_pilotPerson 445
#define OBJ_pilotPerson OBJ_pilotObjectClass,4L
#define SN_account "account"
#define NID_account 446
#define OBJ_account OBJ_pilotObjectClass,5L
#define SN_document "document"
#define NID_document 447
#define OBJ_document OBJ_pilotObjectClass,6L
#define SN_room "room"
#define NID_room 448
#define OBJ_room OBJ_pilotObjectClass,7L
#define LN_documentSeries "documentSeries"
#define NID_documentSeries 449
#define OBJ_documentSeries OBJ_pilotObjectClass,9L
#define SN_Domain "domain"
#define LN_Domain "Domain"
#define NID_Domain 392
#define OBJ_Domain OBJ_pilotObjectClass,13L
#define LN_rFC822localPart "rFC822localPart"
#define NID_rFC822localPart 450
#define OBJ_rFC822localPart OBJ_pilotObjectClass,14L
#define LN_dNSDomain "dNSDomain"
#define NID_dNSDomain 451
#define OBJ_dNSDomain OBJ_pilotObjectClass,15L
#define LN_domainRelatedObject "domainRelatedObject"
#define NID_domainRelatedObject 452
#define OBJ_domainRelatedObject OBJ_pilotObjectClass,17L
#define LN_friendlyCountry "friendlyCountry"
#define NID_friendlyCountry 453
#define OBJ_friendlyCountry OBJ_pilotObjectClass,18L
#define LN_simpleSecurityObject "simpleSecurityObject"
#define NID_simpleSecurityObject 454
#define OBJ_simpleSecurityObject OBJ_pilotObjectClass,19L
#define LN_pilotOrganization "pilotOrganization"
#define NID_pilotOrganization 455
#define OBJ_pilotOrganization OBJ_pilotObjectClass,20L
#define LN_pilotDSA "pilotDSA"
#define NID_pilotDSA 456
#define OBJ_pilotDSA OBJ_pilotObjectClass,21L
#define LN_qualityLabelledData "qualityLabelledData"
#define NID_qualityLabelledData 457
#define OBJ_qualityLabelledData OBJ_pilotObjectClass,22L
#define SN_userId "UID"
#define LN_userId "userId"
#define NID_userId 458
#define OBJ_userId OBJ_pilotAttributeType,1L
#define LN_textEncodedORAddress "textEncodedORAddress"
#define NID_textEncodedORAddress 459
#define OBJ_textEncodedORAddress OBJ_pilotAttributeType,2L
#define SN_rfc822Mailbox "mail"
#define LN_rfc822Mailbox "rfc822Mailbox"
#define NID_rfc822Mailbox 460
#define OBJ_rfc822Mailbox OBJ_pilotAttributeType,3L
#define SN_info "info"
#define NID_info 461
#define OBJ_info OBJ_pilotAttributeType,4L
#define LN_favouriteDrink "favouriteDrink"
#define NID_favouriteDrink 462
#define OBJ_favouriteDrink OBJ_pilotAttributeType,5L
#define LN_roomNumber "roomNumber"
#define NID_roomNumber 463
#define OBJ_roomNumber OBJ_pilotAttributeType,6L
#define SN_photo "photo"
#define NID_photo 464
#define OBJ_photo OBJ_pilotAttributeType,7L
#define LN_userClass "userClass"
#define NID_userClass 465
#define OBJ_userClass OBJ_pilotAttributeType,8L
#define SN_host "host"
#define NID_host 466
#define OBJ_host OBJ_pilotAttributeType,9L
#define SN_manager "manager"
#define NID_manager 467
#define OBJ_manager OBJ_pilotAttributeType,10L
#define LN_documentIdentifier "documentIdentifier"
#define NID_documentIdentifier 468
#define OBJ_documentIdentifier OBJ_pilotAttributeType,11L
#define LN_documentTitle "documentTitle"
#define NID_documentTitle 469
#define OBJ_documentTitle OBJ_pilotAttributeType,12L
#define LN_documentVersion "documentVersion"
#define NID_documentVersion 470
#define OBJ_documentVersion OBJ_pilotAttributeType,13L
#define LN_documentAuthor "documentAuthor"
#define NID_documentAuthor 471
#define OBJ_documentAuthor OBJ_pilotAttributeType,14L
#define LN_documentLocation "documentLocation"
#define NID_documentLocation 472
#define OBJ_documentLocation OBJ_pilotAttributeType,15L
#define LN_homeTelephoneNumber "homeTelephoneNumber"
#define NID_homeTelephoneNumber 473
#define OBJ_homeTelephoneNumber OBJ_pilotAttributeType,20L
#define SN_secretary "secretary"
#define NID_secretary 474
#define OBJ_secretary OBJ_pilotAttributeType,21L
#define LN_otherMailbox "otherMailbox"
#define NID_otherMailbox 475
#define OBJ_otherMailbox OBJ_pilotAttributeType,22L
#define LN_lastModifiedTime "lastModifiedTime"
#define NID_lastModifiedTime 476
#define OBJ_lastModifiedTime OBJ_pilotAttributeType,23L
#define LN_lastModifiedBy "lastModifiedBy"
#define NID_lastModifiedBy 477
#define OBJ_lastModifiedBy OBJ_pilotAttributeType,24L
#define SN_domainComponent "DC"
#define LN_domainComponent "domainComponent"
#define NID_domainComponent 391
#define OBJ_domainComponent OBJ_pilotAttributeType,25L
#define LN_aRecord "aRecord"
#define NID_aRecord 478
#define OBJ_aRecord OBJ_pilotAttributeType,26L
#define LN_pilotAttributeType27 "pilotAttributeType27"
#define NID_pilotAttributeType27 479
#define OBJ_pilotAttributeType27 OBJ_pilotAttributeType,27L
#define LN_mXRecord "mXRecord"
#define NID_mXRecord 480
#define OBJ_mXRecord OBJ_pilotAttributeType,28L
#define LN_nSRecord "nSRecord"
#define NID_nSRecord 481
#define OBJ_nSRecord OBJ_pilotAttributeType,29L
#define LN_sOARecord "sOARecord"
#define NID_sOARecord 482
#define OBJ_sOARecord OBJ_pilotAttributeType,30L
#define LN_cNAMERecord "cNAMERecord"
#define NID_cNAMERecord 483
#define OBJ_cNAMERecord OBJ_pilotAttributeType,31L
#define LN_associatedDomain "associatedDomain"
#define NID_associatedDomain 484
#define OBJ_associatedDomain OBJ_pilotAttributeType,37L
#define LN_associatedName "associatedName"
#define NID_associatedName 485
#define OBJ_associatedName OBJ_pilotAttributeType,38L
#define LN_homePostalAddress "homePostalAddress"
#define NID_homePostalAddress 486
#define OBJ_homePostalAddress OBJ_pilotAttributeType,39L
#define LN_personalTitle "personalTitle"
#define NID_personalTitle 487
#define OBJ_personalTitle OBJ_pilotAttributeType,40L
#define LN_mobileTelephoneNumber "mobileTelephoneNumber"
#define NID_mobileTelephoneNumber 488
#define OBJ_mobileTelephoneNumber OBJ_pilotAttributeType,41L
#define LN_pagerTelephoneNumber "pagerTelephoneNumber"
#define NID_pagerTelephoneNumber 489
#define OBJ_pagerTelephoneNumber OBJ_pilotAttributeType,42L
#define LN_friendlyCountryName "friendlyCountryName"
#define NID_friendlyCountryName 490
#define OBJ_friendlyCountryName OBJ_pilotAttributeType,43L
#define SN_uniqueIdentifier "uid"
#define LN_uniqueIdentifier "uniqueIdentifier"
#define NID_uniqueIdentifier 102
#define OBJ_uniqueIdentifier OBJ_pilotAttributeType,44L
#define LN_organizationalStatus "organizationalStatus"
#define NID_organizationalStatus 491
#define OBJ_organizationalStatus OBJ_pilotAttributeType,45L
#define LN_janetMailbox "janetMailbox"
#define NID_janetMailbox 492
#define OBJ_janetMailbox OBJ_pilotAttributeType,46L
#define LN_mailPreferenceOption "mailPreferenceOption"
#define NID_mailPreferenceOption 493
#define OBJ_mailPreferenceOption OBJ_pilotAttributeType,47L
#define LN_buildingName "buildingName"
#define NID_buildingName 494
#define OBJ_buildingName OBJ_pilotAttributeType,48L
#define LN_dSAQuality "dSAQuality"
#define NID_dSAQuality 495
#define OBJ_dSAQuality OBJ_pilotAttributeType,49L
#define LN_singleLevelQuality "singleLevelQuality"
#define NID_singleLevelQuality 496
#define OBJ_singleLevelQuality OBJ_pilotAttributeType,50L
#define LN_subtreeMinimumQuality "subtreeMinimumQuality"
#define NID_subtreeMinimumQuality 497
#define OBJ_subtreeMinimumQuality OBJ_pilotAttributeType,51L
#define LN_subtreeMaximumQuality "subtreeMaximumQuality"
#define NID_subtreeMaximumQuality 498
#define OBJ_subtreeMaximumQuality OBJ_pilotAttributeType,52L
#define LN_personalSignature "personalSignature"
#define NID_personalSignature 499
#define OBJ_personalSignature OBJ_pilotAttributeType,53L
#define LN_dITRedirect "dITRedirect"
#define NID_dITRedirect 500
#define OBJ_dITRedirect OBJ_pilotAttributeType,54L
#define SN_audio "audio"
#define NID_audio 501
#define OBJ_audio OBJ_pilotAttributeType,55L
#define LN_documentPublisher "documentPublisher"
#define NID_documentPublisher 502
#define OBJ_documentPublisher OBJ_pilotAttributeType,56L
#define SN_id_set "id-set"
#define LN_id_set "Secure Electronic Transactions"
#define NID_id_set 512
#define OBJ_id_set OBJ_international_organizations,42L
#define SN_set_ctype "set-ctype"
#define LN_set_ctype "content types"
#define NID_set_ctype 513
#define OBJ_set_ctype OBJ_id_set,0L
#define SN_set_msgExt "set-msgExt"
#define LN_set_msgExt "message extensions"
#define NID_set_msgExt 514
#define OBJ_set_msgExt OBJ_id_set,1L
#define SN_set_attr "set-attr"
#define NID_set_attr 515
#define OBJ_set_attr OBJ_id_set,3L
#define SN_set_policy "set-policy"
#define NID_set_policy 516
#define OBJ_set_policy OBJ_id_set,5L
#define SN_set_certExt "set-certExt"
#define LN_set_certExt "certificate extensions"
#define NID_set_certExt 517
#define OBJ_set_certExt OBJ_id_set,7L
#define SN_set_brand "set-brand"
#define NID_set_brand 518
#define OBJ_set_brand OBJ_id_set,8L
#define SN_setct_PANData "setct-PANData"
#define NID_setct_PANData 519
#define OBJ_setct_PANData OBJ_set_ctype,0L
#define SN_setct_PANToken "setct-PANToken"
#define NID_setct_PANToken 520
#define OBJ_setct_PANToken OBJ_set_ctype,1L
#define SN_setct_PANOnly "setct-PANOnly"
#define NID_setct_PANOnly 521
#define OBJ_setct_PANOnly OBJ_set_ctype,2L
#define SN_setct_OIData "setct-OIData"
#define NID_setct_OIData 522
#define OBJ_setct_OIData OBJ_set_ctype,3L
#define SN_setct_PI "setct-PI"
#define NID_setct_PI 523
#define OBJ_setct_PI OBJ_set_ctype,4L
#define SN_setct_PIData "setct-PIData"
#define NID_setct_PIData 524
#define OBJ_setct_PIData OBJ_set_ctype,5L
#define SN_setct_PIDataUnsigned "setct-PIDataUnsigned"
#define NID_setct_PIDataUnsigned 525
#define OBJ_setct_PIDataUnsigned OBJ_set_ctype,6L
#define SN_setct_HODInput "setct-HODInput"
#define NID_setct_HODInput 526
#define OBJ_setct_HODInput OBJ_set_ctype,7L
#define SN_setct_AuthResBaggage "setct-AuthResBaggage"
#define NID_setct_AuthResBaggage 527
#define OBJ_setct_AuthResBaggage OBJ_set_ctype,8L
#define SN_setct_AuthRevReqBaggage "setct-AuthRevReqBaggage"
#define NID_setct_AuthRevReqBaggage 528
#define OBJ_setct_AuthRevReqBaggage OBJ_set_ctype,9L
#define SN_setct_AuthRevResBaggage "setct-AuthRevResBaggage"
#define NID_setct_AuthRevResBaggage 529
#define OBJ_setct_AuthRevResBaggage OBJ_set_ctype,10L
#define SN_setct_CapTokenSeq "setct-CapTokenSeq"
#define NID_setct_CapTokenSeq 530
#define OBJ_setct_CapTokenSeq OBJ_set_ctype,11L
#define SN_setct_PInitResData "setct-PInitResData"
#define NID_setct_PInitResData 531
#define OBJ_setct_PInitResData OBJ_set_ctype,12L
#define SN_setct_PI_TBS "setct-PI-TBS"
#define NID_setct_PI_TBS 532
#define OBJ_setct_PI_TBS OBJ_set_ctype,13L
#define SN_setct_PResData "setct-PResData"
#define NID_setct_PResData 533
#define OBJ_setct_PResData OBJ_set_ctype,14L
#define SN_setct_AuthReqTBS "setct-AuthReqTBS"
#define NID_setct_AuthReqTBS 534
#define OBJ_setct_AuthReqTBS OBJ_set_ctype,16L
#define SN_setct_AuthResTBS "setct-AuthResTBS"
#define NID_setct_AuthResTBS 535
#define OBJ_setct_AuthResTBS OBJ_set_ctype,17L
#define SN_setct_AuthResTBSX "setct-AuthResTBSX"
#define NID_setct_AuthResTBSX 536
#define OBJ_setct_AuthResTBSX OBJ_set_ctype,18L
#define SN_setct_AuthTokenTBS "setct-AuthTokenTBS"
#define NID_setct_AuthTokenTBS 537
#define OBJ_setct_AuthTokenTBS OBJ_set_ctype,19L
#define SN_setct_CapTokenData "setct-CapTokenData"
#define NID_setct_CapTokenData 538
#define OBJ_setct_CapTokenData OBJ_set_ctype,20L
#define SN_setct_CapTokenTBS "setct-CapTokenTBS"
#define NID_setct_CapTokenTBS 539
#define OBJ_setct_CapTokenTBS OBJ_set_ctype,21L
#define SN_setct_AcqCardCodeMsg "setct-AcqCardCodeMsg"
#define NID_setct_AcqCardCodeMsg 540
#define OBJ_setct_AcqCardCodeMsg OBJ_set_ctype,22L
#define SN_setct_AuthRevReqTBS "setct-AuthRevReqTBS"
#define NID_setct_AuthRevReqTBS 541
#define OBJ_setct_AuthRevReqTBS OBJ_set_ctype,23L
#define SN_setct_AuthRevResData "setct-AuthRevResData"
#define NID_setct_AuthRevResData 542
#define OBJ_setct_AuthRevResData OBJ_set_ctype,24L
#define SN_setct_AuthRevResTBS "setct-AuthRevResTBS"
#define NID_setct_AuthRevResTBS 543
#define OBJ_setct_AuthRevResTBS OBJ_set_ctype,25L
#define SN_setct_CapReqTBS "setct-CapReqTBS"
#define NID_setct_CapReqTBS 544
#define OBJ_setct_CapReqTBS OBJ_set_ctype,26L
#define SN_setct_CapReqTBSX "setct-CapReqTBSX"
#define NID_setct_CapReqTBSX 545
#define OBJ_setct_CapReqTBSX OBJ_set_ctype,27L
#define SN_setct_CapResData "setct-CapResData"
#define NID_setct_CapResData 546
#define OBJ_setct_CapResData OBJ_set_ctype,28L
#define SN_setct_CapRevReqTBS "setct-CapRevReqTBS"
#define NID_setct_CapRevReqTBS 547
#define OBJ_setct_CapRevReqTBS OBJ_set_ctype,29L
#define SN_setct_CapRevReqTBSX "setct-CapRevReqTBSX"
#define NID_setct_CapRevReqTBSX 548
#define OBJ_setct_CapRevReqTBSX OBJ_set_ctype,30L
#define SN_setct_CapRevResData "setct-CapRevResData"
#define NID_setct_CapRevResData 549
#define OBJ_setct_CapRevResData OBJ_set_ctype,31L
#define SN_setct_CredReqTBS "setct-CredReqTBS"
#define NID_setct_CredReqTBS 550
#define OBJ_setct_CredReqTBS OBJ_set_ctype,32L
#define SN_setct_CredReqTBSX "setct-CredReqTBSX"
#define NID_setct_CredReqTBSX 551
#define OBJ_setct_CredReqTBSX OBJ_set_ctype,33L
#define SN_setct_CredResData "setct-CredResData"
#define NID_setct_CredResData 552
#define OBJ_setct_CredResData OBJ_set_ctype,34L
#define SN_setct_CredRevReqTBS "setct-CredRevReqTBS"
#define NID_setct_CredRevReqTBS 553
#define OBJ_setct_CredRevReqTBS OBJ_set_ctype,35L
#define SN_setct_CredRevReqTBSX "setct-CredRevReqTBSX"
#define NID_setct_CredRevReqTBSX 554
#define OBJ_setct_CredRevReqTBSX OBJ_set_ctype,36L
#define SN_setct_CredRevResData "setct-CredRevResData"
#define NID_setct_CredRevResData 555
#define OBJ_setct_CredRevResData OBJ_set_ctype,37L
#define SN_setct_PCertReqData "setct-PCertReqData"
#define NID_setct_PCertReqData 556
#define OBJ_setct_PCertReqData OBJ_set_ctype,38L
#define SN_setct_PCertResTBS "setct-PCertResTBS"
#define NID_setct_PCertResTBS 557
#define OBJ_setct_PCertResTBS OBJ_set_ctype,39L
#define SN_setct_BatchAdminReqData "setct-BatchAdminReqData"
#define NID_setct_BatchAdminReqData 558
#define OBJ_setct_BatchAdminReqData OBJ_set_ctype,40L
#define SN_setct_BatchAdminResData "setct-BatchAdminResData"
#define NID_setct_BatchAdminResData 559
#define OBJ_setct_BatchAdminResData OBJ_set_ctype,41L
#define SN_setct_CardCInitResTBS "setct-CardCInitResTBS"
#define NID_setct_CardCInitResTBS 560
#define OBJ_setct_CardCInitResTBS OBJ_set_ctype,42L
#define SN_setct_MeAqCInitResTBS "setct-MeAqCInitResTBS"
#define NID_setct_MeAqCInitResTBS 561
#define OBJ_setct_MeAqCInitResTBS OBJ_set_ctype,43L
#define SN_setct_RegFormResTBS "setct-RegFormResTBS"
#define NID_setct_RegFormResTBS 562
#define OBJ_setct_RegFormResTBS OBJ_set_ctype,44L
#define SN_setct_CertReqData "setct-CertReqData"
#define NID_setct_CertReqData 563
#define OBJ_setct_CertReqData OBJ_set_ctype,45L
#define SN_setct_CertReqTBS "setct-CertReqTBS"
#define NID_setct_CertReqTBS 564
#define OBJ_setct_CertReqTBS OBJ_set_ctype,46L
#define SN_setct_CertResData "setct-CertResData"
#define NID_setct_CertResData 565
#define OBJ_setct_CertResData OBJ_set_ctype,47L
#define SN_setct_CertInqReqTBS "setct-CertInqReqTBS"
#define NID_setct_CertInqReqTBS 566
#define OBJ_setct_CertInqReqTBS OBJ_set_ctype,48L
#define SN_setct_ErrorTBS "setct-ErrorTBS"
#define NID_setct_ErrorTBS 567
#define OBJ_setct_ErrorTBS OBJ_set_ctype,49L
#define SN_setct_PIDualSignedTBE "setct-PIDualSignedTBE"
#define NID_setct_PIDualSignedTBE 568
#define OBJ_setct_PIDualSignedTBE OBJ_set_ctype,50L
#define SN_setct_PIUnsignedTBE "setct-PIUnsignedTBE"
#define NID_setct_PIUnsignedTBE 569
#define OBJ_setct_PIUnsignedTBE OBJ_set_ctype,51L
#define SN_setct_AuthReqTBE "setct-AuthReqTBE"
#define NID_setct_AuthReqTBE 570
#define OBJ_setct_AuthReqTBE OBJ_set_ctype,52L
#define SN_setct_AuthResTBE "setct-AuthResTBE"
#define NID_setct_AuthResTBE 571
#define OBJ_setct_AuthResTBE OBJ_set_ctype,53L
#define SN_setct_AuthResTBEX "setct-AuthResTBEX"
#define NID_setct_AuthResTBEX 572
#define OBJ_setct_AuthResTBEX OBJ_set_ctype,54L
#define SN_setct_AuthTokenTBE "setct-AuthTokenTBE"
#define NID_setct_AuthTokenTBE 573
#define OBJ_setct_AuthTokenTBE OBJ_set_ctype,55L
#define SN_setct_CapTokenTBE "setct-CapTokenTBE"
#define NID_setct_CapTokenTBE 574
#define OBJ_setct_CapTokenTBE OBJ_set_ctype,56L
#define SN_setct_CapTokenTBEX "setct-CapTokenTBEX"
#define NID_setct_CapTokenTBEX 575
#define OBJ_setct_CapTokenTBEX OBJ_set_ctype,57L
#define SN_setct_AcqCardCodeMsgTBE "setct-AcqCardCodeMsgTBE"
#define NID_setct_AcqCardCodeMsgTBE 576
#define OBJ_setct_AcqCardCodeMsgTBE OBJ_set_ctype,58L
#define SN_setct_AuthRevReqTBE "setct-AuthRevReqTBE"
#define NID_setct_AuthRevReqTBE 577
#define OBJ_setct_AuthRevReqTBE OBJ_set_ctype,59L
#define SN_setct_AuthRevResTBE "setct-AuthRevResTBE"
#define NID_setct_AuthRevResTBE 578
#define OBJ_setct_AuthRevResTBE OBJ_set_ctype,60L
#define SN_setct_AuthRevResTBEB "setct-AuthRevResTBEB"
#define NID_setct_AuthRevResTBEB 579
#define OBJ_setct_AuthRevResTBEB OBJ_set_ctype,61L
#define SN_setct_CapReqTBE "setct-CapReqTBE"
#define NID_setct_CapReqTBE 580
#define OBJ_setct_CapReqTBE OBJ_set_ctype,62L
#define SN_setct_CapReqTBEX "setct-CapReqTBEX"
#define NID_setct_CapReqTBEX 581
#define OBJ_setct_CapReqTBEX OBJ_set_ctype,63L
#define SN_setct_CapResTBE "setct-CapResTBE"
#define NID_setct_CapResTBE 582
#define OBJ_setct_CapResTBE OBJ_set_ctype,64L
#define SN_setct_CapRevReqTBE "setct-CapRevReqTBE"
#define NID_setct_CapRevReqTBE 583
#define OBJ_setct_CapRevReqTBE OBJ_set_ctype,65L
#define SN_setct_CapRevReqTBEX "setct-CapRevReqTBEX"
#define NID_setct_CapRevReqTBEX 584
#define OBJ_setct_CapRevReqTBEX OBJ_set_ctype,66L
#define SN_setct_CapRevResTBE "setct-CapRevResTBE"
#define NID_setct_CapRevResTBE 585
#define OBJ_setct_CapRevResTBE OBJ_set_ctype,67L
#define SN_setct_CredReqTBE "setct-CredReqTBE"
#define NID_setct_CredReqTBE 586
#define OBJ_setct_CredReqTBE OBJ_set_ctype,68L
#define SN_setct_CredReqTBEX "setct-CredReqTBEX"
#define NID_setct_CredReqTBEX 587
#define OBJ_setct_CredReqTBEX OBJ_set_ctype,69L
#define SN_setct_CredResTBE "setct-CredResTBE"
#define NID_setct_CredResTBE 588
#define OBJ_setct_CredResTBE OBJ_set_ctype,70L
#define SN_setct_CredRevReqTBE "setct-CredRevReqTBE"
#define NID_setct_CredRevReqTBE 589
#define OBJ_setct_CredRevReqTBE OBJ_set_ctype,71L
#define SN_setct_CredRevReqTBEX "setct-CredRevReqTBEX"
#define NID_setct_CredRevReqTBEX 590
#define OBJ_setct_CredRevReqTBEX OBJ_set_ctype,72L
#define SN_setct_CredRevResTBE "setct-CredRevResTBE"
#define NID_setct_CredRevResTBE 591
#define OBJ_setct_CredRevResTBE OBJ_set_ctype,73L
#define SN_setct_BatchAdminReqTBE "setct-BatchAdminReqTBE"
#define NID_setct_BatchAdminReqTBE 592
#define OBJ_setct_BatchAdminReqTBE OBJ_set_ctype,74L
#define SN_setct_BatchAdminResTBE "setct-BatchAdminResTBE"
#define NID_setct_BatchAdminResTBE 593
#define OBJ_setct_BatchAdminResTBE OBJ_set_ctype,75L
#define SN_setct_RegFormReqTBE "setct-RegFormReqTBE"
#define NID_setct_RegFormReqTBE 594
#define OBJ_setct_RegFormReqTBE OBJ_set_ctype,76L
#define SN_setct_CertReqTBE "setct-CertReqTBE"
#define NID_setct_CertReqTBE 595
#define OBJ_setct_CertReqTBE OBJ_set_ctype,77L
#define SN_setct_CertReqTBEX "setct-CertReqTBEX"
#define NID_setct_CertReqTBEX 596
#define OBJ_setct_CertReqTBEX OBJ_set_ctype,78L
#define SN_setct_CertResTBE "setct-CertResTBE"
#define NID_setct_CertResTBE 597
#define OBJ_setct_CertResTBE OBJ_set_ctype,79L
#define SN_setct_CRLNotificationTBS "setct-CRLNotificationTBS"
#define NID_setct_CRLNotificationTBS 598
#define OBJ_setct_CRLNotificationTBS OBJ_set_ctype,80L
#define SN_setct_CRLNotificationResTBS "setct-CRLNotificationResTBS"
#define NID_setct_CRLNotificationResTBS 599
#define OBJ_setct_CRLNotificationResTBS OBJ_set_ctype,81L
#define SN_setct_BCIDistributionTBS "setct-BCIDistributionTBS"
#define NID_setct_BCIDistributionTBS 600
#define OBJ_setct_BCIDistributionTBS OBJ_set_ctype,82L
#define SN_setext_genCrypt "setext-genCrypt"
#define LN_setext_genCrypt "generic cryptogram"
#define NID_setext_genCrypt 601
#define OBJ_setext_genCrypt OBJ_set_msgExt,1L
#define SN_setext_miAuth "setext-miAuth"
#define LN_setext_miAuth "merchant initiated auth"
#define NID_setext_miAuth 602
#define OBJ_setext_miAuth OBJ_set_msgExt,3L
#define SN_setext_pinSecure "setext-pinSecure"
#define NID_setext_pinSecure 603
#define OBJ_setext_pinSecure OBJ_set_msgExt,4L
#define SN_setext_pinAny "setext-pinAny"
#define NID_setext_pinAny 604
#define OBJ_setext_pinAny OBJ_set_msgExt,5L
#define SN_setext_track2 "setext-track2"
#define NID_setext_track2 605
#define OBJ_setext_track2 OBJ_set_msgExt,7L
#define SN_setext_cv "setext-cv"
#define LN_setext_cv "additional verification"
#define NID_setext_cv 606
#define OBJ_setext_cv OBJ_set_msgExt,8L
#define SN_set_policy_root "set-policy-root"
#define NID_set_policy_root 607
#define OBJ_set_policy_root OBJ_set_policy,0L
#define SN_setCext_hashedRoot "setCext-hashedRoot"
#define NID_setCext_hashedRoot 608
#define OBJ_setCext_hashedRoot OBJ_set_certExt,0L
#define SN_setCext_certType "setCext-certType"
#define NID_setCext_certType 609
#define OBJ_setCext_certType OBJ_set_certExt,1L
#define SN_setCext_merchData "setCext-merchData"
#define NID_setCext_merchData 610
#define OBJ_setCext_merchData OBJ_set_certExt,2L
#define SN_setCext_cCertRequired "setCext-cCertRequired"
#define NID_setCext_cCertRequired 611
#define OBJ_setCext_cCertRequired OBJ_set_certExt,3L
#define SN_setCext_tunneling "setCext-tunneling"
#define NID_setCext_tunneling 612
#define OBJ_setCext_tunneling OBJ_set_certExt,4L
#define SN_setCext_setExt "setCext-setExt"
#define NID_setCext_setExt 613
#define OBJ_setCext_setExt OBJ_set_certExt,5L
#define SN_setCext_setQualf "setCext-setQualf"
#define NID_setCext_setQualf 614
#define OBJ_setCext_setQualf OBJ_set_certExt,6L
#define SN_setCext_PGWYcapabilities "setCext-PGWYcapabilities"
#define NID_setCext_PGWYcapabilities 615
#define OBJ_setCext_PGWYcapabilities OBJ_set_certExt,7L
#define SN_setCext_TokenIdentifier "setCext-TokenIdentifier"
#define NID_setCext_TokenIdentifier 616
#define OBJ_setCext_TokenIdentifier OBJ_set_certExt,8L
#define SN_setCext_Track2Data "setCext-Track2Data"
#define NID_setCext_Track2Data 617
#define OBJ_setCext_Track2Data OBJ_set_certExt,9L
#define SN_setCext_TokenType "setCext-TokenType"
#define NID_setCext_TokenType 618
#define OBJ_setCext_TokenType OBJ_set_certExt,10L
#define SN_setCext_IssuerCapabilities "setCext-IssuerCapabilities"
#define NID_setCext_IssuerCapabilities 619
#define OBJ_setCext_IssuerCapabilities OBJ_set_certExt,11L
#define SN_setAttr_Cert "setAttr-Cert"
#define NID_setAttr_Cert 620
#define OBJ_setAttr_Cert OBJ_set_attr,0L
#define SN_setAttr_PGWYcap "setAttr-PGWYcap"
#define LN_setAttr_PGWYcap "payment gateway capabilities"
#define NID_setAttr_PGWYcap 621
#define OBJ_setAttr_PGWYcap OBJ_set_attr,1L
#define SN_setAttr_TokenType "setAttr-TokenType"
#define NID_setAttr_TokenType 622
#define OBJ_setAttr_TokenType OBJ_set_attr,2L
#define SN_setAttr_IssCap "setAttr-IssCap"
#define LN_setAttr_IssCap "issuer capabilities"
#define NID_setAttr_IssCap 623
#define OBJ_setAttr_IssCap OBJ_set_attr,3L
#define SN_set_rootKeyThumb "set-rootKeyThumb"
#define NID_set_rootKeyThumb 624
#define OBJ_set_rootKeyThumb OBJ_setAttr_Cert,0L
#define SN_set_addPolicy "set-addPolicy"
#define NID_set_addPolicy 625
#define OBJ_set_addPolicy OBJ_setAttr_Cert,1L
#define SN_setAttr_Token_EMV "setAttr-Token-EMV"
#define NID_setAttr_Token_EMV 626
#define OBJ_setAttr_Token_EMV OBJ_setAttr_TokenType,1L
#define SN_setAttr_Token_B0Prime "setAttr-Token-B0Prime"
#define NID_setAttr_Token_B0Prime 627
#define OBJ_setAttr_Token_B0Prime OBJ_setAttr_TokenType,2L
#define SN_setAttr_IssCap_CVM "setAttr-IssCap-CVM"
#define NID_setAttr_IssCap_CVM 628
#define OBJ_setAttr_IssCap_CVM OBJ_setAttr_IssCap,3L
#define SN_setAttr_IssCap_T2 "setAttr-IssCap-T2"
#define NID_setAttr_IssCap_T2 629
#define OBJ_setAttr_IssCap_T2 OBJ_setAttr_IssCap,4L
#define SN_setAttr_IssCap_Sig "setAttr-IssCap-Sig"
#define NID_setAttr_IssCap_Sig 630
#define OBJ_setAttr_IssCap_Sig OBJ_setAttr_IssCap,5L
#define SN_setAttr_GenCryptgrm "setAttr-GenCryptgrm"
#define LN_setAttr_GenCryptgrm "generate cryptogram"
#define NID_setAttr_GenCryptgrm 631
#define OBJ_setAttr_GenCryptgrm OBJ_setAttr_IssCap_CVM,1L
#define SN_setAttr_T2Enc "setAttr-T2Enc"
#define LN_setAttr_T2Enc "encrypted track 2"
#define NID_setAttr_T2Enc 632
#define OBJ_setAttr_T2Enc OBJ_setAttr_IssCap_T2,1L
#define SN_setAttr_T2cleartxt "setAttr-T2cleartxt"
#define LN_setAttr_T2cleartxt "cleartext track 2"
#define NID_setAttr_T2cleartxt 633
#define OBJ_setAttr_T2cleartxt OBJ_setAttr_IssCap_T2,2L
#define SN_setAttr_TokICCsig "setAttr-TokICCsig"
#define LN_setAttr_TokICCsig "ICC or token signature"
#define NID_setAttr_TokICCsig 634
#define OBJ_setAttr_TokICCsig OBJ_setAttr_IssCap_Sig,1L
#define SN_setAttr_SecDevSig "setAttr-SecDevSig"
#define LN_setAttr_SecDevSig "secure device signature"
#define NID_setAttr_SecDevSig 635
#define OBJ_setAttr_SecDevSig OBJ_setAttr_IssCap_Sig,2L
#define SN_set_brand_IATA_ATA "set-brand-IATA-ATA"
#define NID_set_brand_IATA_ATA 636
#define OBJ_set_brand_IATA_ATA OBJ_set_brand,1L
#define SN_set_brand_Diners "set-brand-Diners"
#define NID_set_brand_Diners 637
#define OBJ_set_brand_Diners OBJ_set_brand,30L
#define SN_set_brand_AmericanExpress "set-brand-AmericanExpress"
#define NID_set_brand_AmericanExpress 638
#define OBJ_set_brand_AmericanExpress OBJ_set_brand,34L
#define SN_set_brand_JCB "set-brand-JCB"
#define NID_set_brand_JCB 639
#define OBJ_set_brand_JCB OBJ_set_brand,35L
#define SN_set_brand_Visa "set-brand-Visa"
#define NID_set_brand_Visa 640
#define OBJ_set_brand_Visa OBJ_set_brand,4L
#define SN_set_brand_MasterCard "set-brand-MasterCard"
#define NID_set_brand_MasterCard 641
#define OBJ_set_brand_MasterCard OBJ_set_brand,5L
#define SN_set_brand_Novus "set-brand-Novus"
#define NID_set_brand_Novus 642
#define OBJ_set_brand_Novus OBJ_set_brand,6011L
#define SN_des_cdmf "DES-CDMF"
#define LN_des_cdmf "des-cdmf"
#define NID_des_cdmf 643
#define OBJ_des_cdmf OBJ_rsadsi,3L,10L
#define SN_rsaOAEPEncryptionSET "rsaOAEPEncryptionSET"
#define NID_rsaOAEPEncryptionSET 644
#define OBJ_rsaOAEPEncryptionSET OBJ_rsadsi,1L,1L,6L
#define SN_ipsec3 "Oakley-EC2N-3"
#define LN_ipsec3 "ipsec3"
#define NID_ipsec3 749
#define SN_ipsec4 "Oakley-EC2N-4"
#define LN_ipsec4 "ipsec4"
#define NID_ipsec4 750
#define SN_whirlpool "whirlpool"
#define NID_whirlpool 804
#define OBJ_whirlpool OBJ_iso,0L,10118L,3L,0L,55L
#define SN_cryptopro "cryptopro"
#define NID_cryptopro 805
#define OBJ_cryptopro OBJ_member_body,643L,2L,2L
#define SN_cryptocom "cryptocom"
#define NID_cryptocom 806
#define OBJ_cryptocom OBJ_member_body,643L,2L,9L
#define SN_id_tc26 "id-tc26"
#define NID_id_tc26 974
#define OBJ_id_tc26 OBJ_member_body,643L,7L,1L
#define SN_id_GostR3411_94_with_GostR3410_2001 "id-GostR3411-94-with-GostR3410-2001"
#define LN_id_GostR3411_94_with_GostR3410_2001 "GOST R 34.11-94 with GOST R 34.10-2001"
#define NID_id_GostR3411_94_with_GostR3410_2001 807
#define OBJ_id_GostR3411_94_with_GostR3410_2001 OBJ_cryptopro,3L
#define SN_id_GostR3411_94_with_GostR3410_94 "id-GostR3411-94-with-GostR3410-94"
#define LN_id_GostR3411_94_with_GostR3410_94 "GOST R 34.11-94 with GOST R 34.10-94"
#define NID_id_GostR3411_94_with_GostR3410_94 808
#define OBJ_id_GostR3411_94_with_GostR3410_94 OBJ_cryptopro,4L
#define SN_id_GostR3411_94 "md_gost94"
#define LN_id_GostR3411_94 "GOST R 34.11-94"
#define NID_id_GostR3411_94 809
#define OBJ_id_GostR3411_94 OBJ_cryptopro,9L
#define SN_id_HMACGostR3411_94 "id-HMACGostR3411-94"
#define LN_id_HMACGostR3411_94 "HMAC GOST 34.11-94"
#define NID_id_HMACGostR3411_94 810
#define OBJ_id_HMACGostR3411_94 OBJ_cryptopro,10L
#define SN_id_GostR3410_2001 "gost2001"
#define LN_id_GostR3410_2001 "GOST R 34.10-2001"
#define NID_id_GostR3410_2001 811
#define OBJ_id_GostR3410_2001 OBJ_cryptopro,19L
#define SN_id_GostR3410_94 "gost94"
#define LN_id_GostR3410_94 "GOST R 34.10-94"
#define NID_id_GostR3410_94 812
#define OBJ_id_GostR3410_94 OBJ_cryptopro,20L
#define SN_id_Gost28147_89 "gost89"
#define LN_id_Gost28147_89 "GOST 28147-89"
#define NID_id_Gost28147_89 813
#define OBJ_id_Gost28147_89 OBJ_cryptopro,21L
#define SN_gost89_cnt "gost89-cnt"
#define NID_gost89_cnt 814
#define SN_gost89_cnt_12 "gost89-cnt-12"
#define NID_gost89_cnt_12 975
#define SN_gost89_cbc "gost89-cbc"
#define NID_gost89_cbc 1009
#define SN_gost89_ecb "gost89-ecb"
#define NID_gost89_ecb 1010
#define SN_gost89_ctr "gost89-ctr"
#define NID_gost89_ctr 1011
#define SN_id_Gost28147_89_MAC "gost-mac"
#define LN_id_Gost28147_89_MAC "GOST 28147-89 MAC"
#define NID_id_Gost28147_89_MAC 815
#define OBJ_id_Gost28147_89_MAC OBJ_cryptopro,22L
#define SN_gost_mac_12 "gost-mac-12"
#define NID_gost_mac_12 976
#define SN_id_GostR3411_94_prf "prf-gostr3411-94"
#define LN_id_GostR3411_94_prf "GOST R 34.11-94 PRF"
#define NID_id_GostR3411_94_prf 816
#define OBJ_id_GostR3411_94_prf OBJ_cryptopro,23L
#define SN_id_GostR3410_2001DH "id-GostR3410-2001DH"
#define LN_id_GostR3410_2001DH "GOST R 34.10-2001 DH"
#define NID_id_GostR3410_2001DH 817
#define OBJ_id_GostR3410_2001DH OBJ_cryptopro,98L
#define SN_id_GostR3410_94DH "id-GostR3410-94DH"
#define LN_id_GostR3410_94DH "GOST R 34.10-94 DH"
#define NID_id_GostR3410_94DH 818
#define OBJ_id_GostR3410_94DH OBJ_cryptopro,99L
#define SN_id_Gost28147_89_CryptoPro_KeyMeshing "id-Gost28147-89-CryptoPro-KeyMeshing"
#define NID_id_Gost28147_89_CryptoPro_KeyMeshing 819
#define OBJ_id_Gost28147_89_CryptoPro_KeyMeshing OBJ_cryptopro,14L,1L
#define SN_id_Gost28147_89_None_KeyMeshing "id-Gost28147-89-None-KeyMeshing"
#define NID_id_Gost28147_89_None_KeyMeshing 820
#define OBJ_id_Gost28147_89_None_KeyMeshing OBJ_cryptopro,14L,0L
#define SN_id_GostR3411_94_TestParamSet "id-GostR3411-94-TestParamSet"
#define NID_id_GostR3411_94_TestParamSet 821
#define OBJ_id_GostR3411_94_TestParamSet OBJ_cryptopro,30L,0L
#define SN_id_GostR3411_94_CryptoProParamSet "id-GostR3411-94-CryptoProParamSet"
#define NID_id_GostR3411_94_CryptoProParamSet 822
#define OBJ_id_GostR3411_94_CryptoProParamSet OBJ_cryptopro,30L,1L
#define SN_id_Gost28147_89_TestParamSet "id-Gost28147-89-TestParamSet"
#define NID_id_Gost28147_89_TestParamSet 823
#define OBJ_id_Gost28147_89_TestParamSet OBJ_cryptopro,31L,0L
#define SN_id_Gost28147_89_CryptoPro_A_ParamSet "id-Gost28147-89-CryptoPro-A-ParamSet"
#define NID_id_Gost28147_89_CryptoPro_A_ParamSet 824
#define OBJ_id_Gost28147_89_CryptoPro_A_ParamSet OBJ_cryptopro,31L,1L
#define SN_id_Gost28147_89_CryptoPro_B_ParamSet "id-Gost28147-89-CryptoPro-B-ParamSet"
#define NID_id_Gost28147_89_CryptoPro_B_ParamSet 825
#define OBJ_id_Gost28147_89_CryptoPro_B_ParamSet OBJ_cryptopro,31L,2L
#define SN_id_Gost28147_89_CryptoPro_C_ParamSet "id-Gost28147-89-CryptoPro-C-ParamSet"
#define NID_id_Gost28147_89_CryptoPro_C_ParamSet 826
#define OBJ_id_Gost28147_89_CryptoPro_C_ParamSet OBJ_cryptopro,31L,3L
#define SN_id_Gost28147_89_CryptoPro_D_ParamSet "id-Gost28147-89-CryptoPro-D-ParamSet"
#define NID_id_Gost28147_89_CryptoPro_D_ParamSet 827
#define OBJ_id_Gost28147_89_CryptoPro_D_ParamSet OBJ_cryptopro,31L,4L
#define SN_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet "id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet"
#define NID_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet 828
#define OBJ_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet OBJ_cryptopro,31L,5L
#define SN_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet "id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet"
#define NID_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet 829
#define OBJ_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet OBJ_cryptopro,31L,6L
#define SN_id_Gost28147_89_CryptoPro_RIC_1_ParamSet "id-Gost28147-89-CryptoPro-RIC-1-ParamSet"
#define NID_id_Gost28147_89_CryptoPro_RIC_1_ParamSet 830
#define OBJ_id_Gost28147_89_CryptoPro_RIC_1_ParamSet OBJ_cryptopro,31L,7L
#define SN_id_GostR3410_94_TestParamSet "id-GostR3410-94-TestParamSet"
#define NID_id_GostR3410_94_TestParamSet 831
#define OBJ_id_GostR3410_94_TestParamSet OBJ_cryptopro,32L,0L
#define SN_id_GostR3410_94_CryptoPro_A_ParamSet "id-GostR3410-94-CryptoPro-A-ParamSet"
#define NID_id_GostR3410_94_CryptoPro_A_ParamSet 832
#define OBJ_id_GostR3410_94_CryptoPro_A_ParamSet OBJ_cryptopro,32L,2L
#define SN_id_GostR3410_94_CryptoPro_B_ParamSet "id-GostR3410-94-CryptoPro-B-ParamSet"
#define NID_id_GostR3410_94_CryptoPro_B_ParamSet 833
#define OBJ_id_GostR3410_94_CryptoPro_B_ParamSet OBJ_cryptopro,32L,3L
#define SN_id_GostR3410_94_CryptoPro_C_ParamSet "id-GostR3410-94-CryptoPro-C-ParamSet"
#define NID_id_GostR3410_94_CryptoPro_C_ParamSet 834
#define OBJ_id_GostR3410_94_CryptoPro_C_ParamSet OBJ_cryptopro,32L,4L
#define SN_id_GostR3410_94_CryptoPro_D_ParamSet "id-GostR3410-94-CryptoPro-D-ParamSet"
#define NID_id_GostR3410_94_CryptoPro_D_ParamSet 835
#define OBJ_id_GostR3410_94_CryptoPro_D_ParamSet OBJ_cryptopro,32L,5L
#define SN_id_GostR3410_94_CryptoPro_XchA_ParamSet "id-GostR3410-94-CryptoPro-XchA-ParamSet"
#define NID_id_GostR3410_94_CryptoPro_XchA_ParamSet 836
#define OBJ_id_GostR3410_94_CryptoPro_XchA_ParamSet OBJ_cryptopro,33L,1L
#define SN_id_GostR3410_94_CryptoPro_XchB_ParamSet "id-GostR3410-94-CryptoPro-XchB-ParamSet"
#define NID_id_GostR3410_94_CryptoPro_XchB_ParamSet 837
#define OBJ_id_GostR3410_94_CryptoPro_XchB_ParamSet OBJ_cryptopro,33L,2L
#define SN_id_GostR3410_94_CryptoPro_XchC_ParamSet "id-GostR3410-94-CryptoPro-XchC-ParamSet"
#define NID_id_GostR3410_94_CryptoPro_XchC_ParamSet 838
#define OBJ_id_GostR3410_94_CryptoPro_XchC_ParamSet OBJ_cryptopro,33L,3L
#define SN_id_GostR3410_2001_TestParamSet "id-GostR3410-2001-TestParamSet"
#define NID_id_GostR3410_2001_TestParamSet 839
#define OBJ_id_GostR3410_2001_TestParamSet OBJ_cryptopro,35L,0L
#define SN_id_GostR3410_2001_CryptoPro_A_ParamSet "id-GostR3410-2001-CryptoPro-A-ParamSet"
#define NID_id_GostR3410_2001_CryptoPro_A_ParamSet 840
#define OBJ_id_GostR3410_2001_CryptoPro_A_ParamSet OBJ_cryptopro,35L,1L
#define SN_id_GostR3410_2001_CryptoPro_B_ParamSet "id-GostR3410-2001-CryptoPro-B-ParamSet"
#define NID_id_GostR3410_2001_CryptoPro_B_ParamSet 841
#define OBJ_id_GostR3410_2001_CryptoPro_B_ParamSet OBJ_cryptopro,35L,2L
#define SN_id_GostR3410_2001_CryptoPro_C_ParamSet "id-GostR3410-2001-CryptoPro-C-ParamSet"
#define NID_id_GostR3410_2001_CryptoPro_C_ParamSet 842
#define OBJ_id_GostR3410_2001_CryptoPro_C_ParamSet OBJ_cryptopro,35L,3L
#define SN_id_GostR3410_2001_CryptoPro_XchA_ParamSet "id-GostR3410-2001-CryptoPro-XchA-ParamSet"
#define NID_id_GostR3410_2001_CryptoPro_XchA_ParamSet 843
#define OBJ_id_GostR3410_2001_CryptoPro_XchA_ParamSet OBJ_cryptopro,36L,0L
#define SN_id_GostR3410_2001_CryptoPro_XchB_ParamSet "id-GostR3410-2001-CryptoPro-XchB-ParamSet"
#define NID_id_GostR3410_2001_CryptoPro_XchB_ParamSet 844
#define OBJ_id_GostR3410_2001_CryptoPro_XchB_ParamSet OBJ_cryptopro,36L,1L
#define SN_id_GostR3410_94_a "id-GostR3410-94-a"
#define NID_id_GostR3410_94_a 845
#define OBJ_id_GostR3410_94_a OBJ_id_GostR3410_94,1L
#define SN_id_GostR3410_94_aBis "id-GostR3410-94-aBis"
#define NID_id_GostR3410_94_aBis 846
#define OBJ_id_GostR3410_94_aBis OBJ_id_GostR3410_94,2L
#define SN_id_GostR3410_94_b "id-GostR3410-94-b"
#define NID_id_GostR3410_94_b 847
#define OBJ_id_GostR3410_94_b OBJ_id_GostR3410_94,3L
#define SN_id_GostR3410_94_bBis "id-GostR3410-94-bBis"
#define NID_id_GostR3410_94_bBis 848
#define OBJ_id_GostR3410_94_bBis OBJ_id_GostR3410_94,4L
#define SN_id_Gost28147_89_cc "id-Gost28147-89-cc"
#define LN_id_Gost28147_89_cc "GOST 28147-89 Cryptocom ParamSet"
#define NID_id_Gost28147_89_cc 849
#define OBJ_id_Gost28147_89_cc OBJ_cryptocom,1L,6L,1L
#define SN_id_GostR3410_94_cc "gost94cc"
#define LN_id_GostR3410_94_cc "GOST 34.10-94 Cryptocom"
#define NID_id_GostR3410_94_cc 850
#define OBJ_id_GostR3410_94_cc OBJ_cryptocom,1L,5L,3L
#define SN_id_GostR3410_2001_cc "gost2001cc"
#define LN_id_GostR3410_2001_cc "GOST 34.10-2001 Cryptocom"
#define NID_id_GostR3410_2001_cc 851
#define OBJ_id_GostR3410_2001_cc OBJ_cryptocom,1L,5L,4L
#define SN_id_GostR3411_94_with_GostR3410_94_cc "id-GostR3411-94-with-GostR3410-94-cc"
#define LN_id_GostR3411_94_with_GostR3410_94_cc "GOST R 34.11-94 with GOST R 34.10-94 Cryptocom"
#define NID_id_GostR3411_94_with_GostR3410_94_cc 852
#define OBJ_id_GostR3411_94_with_GostR3410_94_cc OBJ_cryptocom,1L,3L,3L
#define SN_id_GostR3411_94_with_GostR3410_2001_cc "id-GostR3411-94-with-GostR3410-2001-cc"
#define LN_id_GostR3411_94_with_GostR3410_2001_cc "GOST R 34.11-94 with GOST R 34.10-2001 Cryptocom"
#define NID_id_GostR3411_94_with_GostR3410_2001_cc 853
#define OBJ_id_GostR3411_94_with_GostR3410_2001_cc OBJ_cryptocom,1L,3L,4L
#define SN_id_GostR3410_2001_ParamSet_cc "id-GostR3410-2001-ParamSet-cc"
#define LN_id_GostR3410_2001_ParamSet_cc "GOST R 3410-2001 Parameter Set Cryptocom"
#define NID_id_GostR3410_2001_ParamSet_cc 854
#define OBJ_id_GostR3410_2001_ParamSet_cc OBJ_cryptocom,1L,8L,1L
#define SN_id_tc26_algorithms "id-tc26-algorithms"
#define NID_id_tc26_algorithms 977
#define OBJ_id_tc26_algorithms OBJ_id_tc26,1L
#define SN_id_tc26_sign "id-tc26-sign"
#define NID_id_tc26_sign 978
#define OBJ_id_tc26_sign OBJ_id_tc26_algorithms,1L
#define SN_id_GostR3410_2012_256 "gost2012_256"
#define LN_id_GostR3410_2012_256 "GOST R 34.10-2012 with 256 bit modulus"
#define NID_id_GostR3410_2012_256 979
#define OBJ_id_GostR3410_2012_256 OBJ_id_tc26_sign,1L
#define SN_id_GostR3410_2012_512 "gost2012_512"
#define LN_id_GostR3410_2012_512 "GOST R 34.10-2012 with 512 bit modulus"
#define NID_id_GostR3410_2012_512 980
#define OBJ_id_GostR3410_2012_512 OBJ_id_tc26_sign,2L
#define SN_id_tc26_digest "id-tc26-digest"
#define NID_id_tc26_digest 981
#define OBJ_id_tc26_digest OBJ_id_tc26_algorithms,2L
#define SN_id_GostR3411_2012_256 "md_gost12_256"
#define LN_id_GostR3411_2012_256 "GOST R 34.11-2012 with 256 bit hash"
#define NID_id_GostR3411_2012_256 982
#define OBJ_id_GostR3411_2012_256 OBJ_id_tc26_digest,2L
#define SN_id_GostR3411_2012_512 "md_gost12_512"
#define LN_id_GostR3411_2012_512 "GOST R 34.11-2012 with 512 bit hash"
#define NID_id_GostR3411_2012_512 983
#define OBJ_id_GostR3411_2012_512 OBJ_id_tc26_digest,3L
#define SN_id_tc26_signwithdigest "id-tc26-signwithdigest"
#define NID_id_tc26_signwithdigest 984
#define OBJ_id_tc26_signwithdigest OBJ_id_tc26_algorithms,3L
#define SN_id_tc26_signwithdigest_gost3410_2012_256 "id-tc26-signwithdigest-gost3410-2012-256"
#define LN_id_tc26_signwithdigest_gost3410_2012_256 "GOST R 34.10-2012 with GOST R 34.11-2012 (256 bit)"
#define NID_id_tc26_signwithdigest_gost3410_2012_256 985
#define OBJ_id_tc26_signwithdigest_gost3410_2012_256 OBJ_id_tc26_signwithdigest,2L
#define SN_id_tc26_signwithdigest_gost3410_2012_512 "id-tc26-signwithdigest-gost3410-2012-512"
#define LN_id_tc26_signwithdigest_gost3410_2012_512 "GOST R 34.10-2012 with GOST R 34.11-2012 (512 bit)"
#define NID_id_tc26_signwithdigest_gost3410_2012_512 986
#define OBJ_id_tc26_signwithdigest_gost3410_2012_512 OBJ_id_tc26_signwithdigest,3L
#define SN_id_tc26_mac "id-tc26-mac"
#define NID_id_tc26_mac 987
#define OBJ_id_tc26_mac OBJ_id_tc26_algorithms,4L
#define SN_id_tc26_hmac_gost_3411_2012_256 "id-tc26-hmac-gost-3411-2012-256"
#define LN_id_tc26_hmac_gost_3411_2012_256 "HMAC GOST 34.11-2012 256 bit"
#define NID_id_tc26_hmac_gost_3411_2012_256 988
#define OBJ_id_tc26_hmac_gost_3411_2012_256 OBJ_id_tc26_mac,1L
#define SN_id_tc26_hmac_gost_3411_2012_512 "id-tc26-hmac-gost-3411-2012-512"
#define LN_id_tc26_hmac_gost_3411_2012_512 "HMAC GOST 34.11-2012 512 bit"
#define NID_id_tc26_hmac_gost_3411_2012_512 989
#define OBJ_id_tc26_hmac_gost_3411_2012_512 OBJ_id_tc26_mac,2L
#define SN_id_tc26_cipher "id-tc26-cipher"
#define NID_id_tc26_cipher 990
#define OBJ_id_tc26_cipher OBJ_id_tc26_algorithms,5L
#define SN_id_tc26_cipher_gostr3412_2015_magma "id-tc26-cipher-gostr3412-2015-magma"
#define NID_id_tc26_cipher_gostr3412_2015_magma 1173
#define OBJ_id_tc26_cipher_gostr3412_2015_magma OBJ_id_tc26_cipher,1L
#define SN_id_tc26_cipher_gostr3412_2015_magma_ctracpkm "id-tc26-cipher-gostr3412-2015-magma-ctracpkm"
#define NID_id_tc26_cipher_gostr3412_2015_magma_ctracpkm 1174
#define OBJ_id_tc26_cipher_gostr3412_2015_magma_ctracpkm OBJ_id_tc26_cipher_gostr3412_2015_magma,1L
#define SN_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac "id-tc26-cipher-gostr3412-2015-magma-ctracpkm-omac"
#define NID_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac 1175
#define OBJ_id_tc26_cipher_gostr3412_2015_magma_ctracpkm_omac OBJ_id_tc26_cipher_gostr3412_2015_magma,2L
#define SN_id_tc26_cipher_gostr3412_2015_kuznyechik "id-tc26-cipher-gostr3412-2015-kuznyechik"
#define NID_id_tc26_cipher_gostr3412_2015_kuznyechik 1176
#define OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik OBJ_id_tc26_cipher,2L
#define SN_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm "id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm"
#define NID_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm 1177
#define OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik,1L
#define SN_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac "id-tc26-cipher-gostr3412-2015-kuznyechik-ctracpkm-omac"
#define NID_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac 1178
#define OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik_ctracpkm_omac OBJ_id_tc26_cipher_gostr3412_2015_kuznyechik,2L
#define SN_id_tc26_agreement "id-tc26-agreement"
#define NID_id_tc26_agreement 991
#define OBJ_id_tc26_agreement OBJ_id_tc26_algorithms,6L
#define SN_id_tc26_agreement_gost_3410_2012_256 "id-tc26-agreement-gost-3410-2012-256"
#define NID_id_tc26_agreement_gost_3410_2012_256 992
#define OBJ_id_tc26_agreement_gost_3410_2012_256 OBJ_id_tc26_agreement,1L
#define SN_id_tc26_agreement_gost_3410_2012_512 "id-tc26-agreement-gost-3410-2012-512"
#define NID_id_tc26_agreement_gost_3410_2012_512 993
#define OBJ_id_tc26_agreement_gost_3410_2012_512 OBJ_id_tc26_agreement,2L
#define SN_id_tc26_wrap "id-tc26-wrap"
#define NID_id_tc26_wrap 1179
#define OBJ_id_tc26_wrap OBJ_id_tc26_algorithms,7L
#define SN_id_tc26_wrap_gostr3412_2015_magma "id-tc26-wrap-gostr3412-2015-magma"
#define NID_id_tc26_wrap_gostr3412_2015_magma 1180
#define OBJ_id_tc26_wrap_gostr3412_2015_magma OBJ_id_tc26_wrap,1L
#define SN_id_tc26_wrap_gostr3412_2015_magma_kexp15 "id-tc26-wrap-gostr3412-2015-magma-kexp15"
#define NID_id_tc26_wrap_gostr3412_2015_magma_kexp15 1181
#define OBJ_id_tc26_wrap_gostr3412_2015_magma_kexp15 OBJ_id_tc26_wrap_gostr3412_2015_magma,1L
#define SN_id_tc26_wrap_gostr3412_2015_kuznyechik "id-tc26-wrap-gostr3412-2015-kuznyechik"
#define NID_id_tc26_wrap_gostr3412_2015_kuznyechik 1182
#define OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik OBJ_id_tc26_wrap,2L
#define SN_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15 "id-tc26-wrap-gostr3412-2015-kuznyechik-kexp15"
#define NID_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15 1183
#define OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik_kexp15 OBJ_id_tc26_wrap_gostr3412_2015_kuznyechik,1L
#define SN_id_tc26_constants "id-tc26-constants"
#define NID_id_tc26_constants 994
#define OBJ_id_tc26_constants OBJ_id_tc26,2L
#define SN_id_tc26_sign_constants "id-tc26-sign-constants"
#define NID_id_tc26_sign_constants 995
#define OBJ_id_tc26_sign_constants OBJ_id_tc26_constants,1L
#define SN_id_tc26_gost_3410_2012_256_constants "id-tc26-gost-3410-2012-256-constants"
#define NID_id_tc26_gost_3410_2012_256_constants 1147
#define OBJ_id_tc26_gost_3410_2012_256_constants OBJ_id_tc26_sign_constants,1L
#define SN_id_tc26_gost_3410_2012_256_paramSetA "id-tc26-gost-3410-2012-256-paramSetA"
#define LN_id_tc26_gost_3410_2012_256_paramSetA "GOST R 34.10-2012 (256 bit) ParamSet A"
#define NID_id_tc26_gost_3410_2012_256_paramSetA 1148
#define OBJ_id_tc26_gost_3410_2012_256_paramSetA OBJ_id_tc26_gost_3410_2012_256_constants,1L
#define SN_id_tc26_gost_3410_2012_256_paramSetB "id-tc26-gost-3410-2012-256-paramSetB"
#define LN_id_tc26_gost_3410_2012_256_paramSetB "GOST R 34.10-2012 (256 bit) ParamSet B"
#define NID_id_tc26_gost_3410_2012_256_paramSetB 1184
#define OBJ_id_tc26_gost_3410_2012_256_paramSetB OBJ_id_tc26_gost_3410_2012_256_constants,2L
#define SN_id_tc26_gost_3410_2012_256_paramSetC "id-tc26-gost-3410-2012-256-paramSetC"
#define LN_id_tc26_gost_3410_2012_256_paramSetC "GOST R 34.10-2012 (256 bit) ParamSet C"
#define NID_id_tc26_gost_3410_2012_256_paramSetC 1185
#define OBJ_id_tc26_gost_3410_2012_256_paramSetC OBJ_id_tc26_gost_3410_2012_256_constants,3L
#define SN_id_tc26_gost_3410_2012_256_paramSetD "id-tc26-gost-3410-2012-256-paramSetD"
#define LN_id_tc26_gost_3410_2012_256_paramSetD "GOST R 34.10-2012 (256 bit) ParamSet D"
#define NID_id_tc26_gost_3410_2012_256_paramSetD 1186
#define OBJ_id_tc26_gost_3410_2012_256_paramSetD OBJ_id_tc26_gost_3410_2012_256_constants,4L
#define SN_id_tc26_gost_3410_2012_512_constants "id-tc26-gost-3410-2012-512-constants"
#define NID_id_tc26_gost_3410_2012_512_constants 996
#define OBJ_id_tc26_gost_3410_2012_512_constants OBJ_id_tc26_sign_constants,2L
#define SN_id_tc26_gost_3410_2012_512_paramSetTest "id-tc26-gost-3410-2012-512-paramSetTest"
#define LN_id_tc26_gost_3410_2012_512_paramSetTest "GOST R 34.10-2012 (512 bit) testing parameter set"
#define NID_id_tc26_gost_3410_2012_512_paramSetTest 997
#define OBJ_id_tc26_gost_3410_2012_512_paramSetTest OBJ_id_tc26_gost_3410_2012_512_constants,0L
#define SN_id_tc26_gost_3410_2012_512_paramSetA "id-tc26-gost-3410-2012-512-paramSetA"
#define LN_id_tc26_gost_3410_2012_512_paramSetA "GOST R 34.10-2012 (512 bit) ParamSet A"
#define NID_id_tc26_gost_3410_2012_512_paramSetA 998
#define OBJ_id_tc26_gost_3410_2012_512_paramSetA OBJ_id_tc26_gost_3410_2012_512_constants,1L
#define SN_id_tc26_gost_3410_2012_512_paramSetB "id-tc26-gost-3410-2012-512-paramSetB"
#define LN_id_tc26_gost_3410_2012_512_paramSetB "GOST R 34.10-2012 (512 bit) ParamSet B"
#define NID_id_tc26_gost_3410_2012_512_paramSetB 999
#define OBJ_id_tc26_gost_3410_2012_512_paramSetB OBJ_id_tc26_gost_3410_2012_512_constants,2L
#define SN_id_tc26_gost_3410_2012_512_paramSetC "id-tc26-gost-3410-2012-512-paramSetC"
#define LN_id_tc26_gost_3410_2012_512_paramSetC "GOST R 34.10-2012 (512 bit) ParamSet C"
#define NID_id_tc26_gost_3410_2012_512_paramSetC 1149
#define OBJ_id_tc26_gost_3410_2012_512_paramSetC OBJ_id_tc26_gost_3410_2012_512_constants,3L
#define SN_id_tc26_digest_constants "id-tc26-digest-constants"
#define NID_id_tc26_digest_constants 1000
#define OBJ_id_tc26_digest_constants OBJ_id_tc26_constants,2L
#define SN_id_tc26_cipher_constants "id-tc26-cipher-constants"
#define NID_id_tc26_cipher_constants 1001
#define OBJ_id_tc26_cipher_constants OBJ_id_tc26_constants,5L
#define SN_id_tc26_gost_28147_constants "id-tc26-gost-28147-constants"
#define NID_id_tc26_gost_28147_constants 1002
#define OBJ_id_tc26_gost_28147_constants OBJ_id_tc26_cipher_constants,1L
#define SN_id_tc26_gost_28147_param_Z "id-tc26-gost-28147-param-Z"
#define LN_id_tc26_gost_28147_param_Z "GOST 28147-89 TC26 parameter set"
#define NID_id_tc26_gost_28147_param_Z 1003
#define OBJ_id_tc26_gost_28147_param_Z OBJ_id_tc26_gost_28147_constants,1L
#define SN_INN "INN"
#define LN_INN "INN"
#define NID_INN 1004
#define OBJ_INN OBJ_member_body,643L,3L,131L,1L,1L
#define SN_OGRN "OGRN"
#define LN_OGRN "OGRN"
#define NID_OGRN 1005
#define OBJ_OGRN OBJ_member_body,643L,100L,1L
#define SN_SNILS "SNILS"
#define LN_SNILS "SNILS"
#define NID_SNILS 1006
#define OBJ_SNILS OBJ_member_body,643L,100L,3L
#define SN_subjectSignTool "subjectSignTool"
#define LN_subjectSignTool "Signing Tool of Subject"
#define NID_subjectSignTool 1007
#define OBJ_subjectSignTool OBJ_member_body,643L,100L,111L
#define SN_issuerSignTool "issuerSignTool"
#define LN_issuerSignTool "Signing Tool of Issuer"
#define NID_issuerSignTool 1008
#define OBJ_issuerSignTool OBJ_member_body,643L,100L,112L
#define SN_grasshopper_ecb "grasshopper-ecb"
#define NID_grasshopper_ecb 1012
#define SN_grasshopper_ctr "grasshopper-ctr"
#define NID_grasshopper_ctr 1013
#define SN_grasshopper_ofb "grasshopper-ofb"
#define NID_grasshopper_ofb 1014
#define SN_grasshopper_cbc "grasshopper-cbc"
#define NID_grasshopper_cbc 1015
#define SN_grasshopper_cfb "grasshopper-cfb"
#define NID_grasshopper_cfb 1016
#define SN_grasshopper_mac "grasshopper-mac"
#define NID_grasshopper_mac 1017
#define SN_magma_ecb "magma-ecb"
#define NID_magma_ecb 1187
#define SN_magma_ctr "magma-ctr"
#define NID_magma_ctr 1188
#define SN_magma_ofb "magma-ofb"
#define NID_magma_ofb 1189
#define SN_magma_cbc "magma-cbc"
#define NID_magma_cbc 1190
#define SN_magma_cfb "magma-cfb"
#define NID_magma_cfb 1191
#define SN_magma_mac "magma-mac"
#define NID_magma_mac 1192
#define SN_camellia_128_cbc "CAMELLIA-128-CBC"
#define LN_camellia_128_cbc "camellia-128-cbc"
#define NID_camellia_128_cbc 751
#define OBJ_camellia_128_cbc 1L,2L,392L,200011L,61L,1L,1L,1L,2L
#define SN_camellia_192_cbc "CAMELLIA-192-CBC"
#define LN_camellia_192_cbc "camellia-192-cbc"
#define NID_camellia_192_cbc 752
#define OBJ_camellia_192_cbc 1L,2L,392L,200011L,61L,1L,1L,1L,3L
#define SN_camellia_256_cbc "CAMELLIA-256-CBC"
#define LN_camellia_256_cbc "camellia-256-cbc"
#define NID_camellia_256_cbc 753
#define OBJ_camellia_256_cbc 1L,2L,392L,200011L,61L,1L,1L,1L,4L
#define SN_id_camellia128_wrap "id-camellia128-wrap"
#define NID_id_camellia128_wrap 907
#define OBJ_id_camellia128_wrap 1L,2L,392L,200011L,61L,1L,1L,3L,2L
#define SN_id_camellia192_wrap "id-camellia192-wrap"
#define NID_id_camellia192_wrap 908
#define OBJ_id_camellia192_wrap 1L,2L,392L,200011L,61L,1L,1L,3L,3L
#define SN_id_camellia256_wrap "id-camellia256-wrap"
#define NID_id_camellia256_wrap 909
#define OBJ_id_camellia256_wrap 1L,2L,392L,200011L,61L,1L,1L,3L,4L
#define OBJ_ntt_ds 0L,3L,4401L,5L
#define OBJ_camellia OBJ_ntt_ds,3L,1L,9L
#define SN_camellia_128_ecb "CAMELLIA-128-ECB"
#define LN_camellia_128_ecb "camellia-128-ecb"
#define NID_camellia_128_ecb 754
#define OBJ_camellia_128_ecb OBJ_camellia,1L
#define SN_camellia_128_ofb128 "CAMELLIA-128-OFB"
#define LN_camellia_128_ofb128 "camellia-128-ofb"
#define NID_camellia_128_ofb128 766
#define OBJ_camellia_128_ofb128 OBJ_camellia,3L
#define SN_camellia_128_cfb128 "CAMELLIA-128-CFB"
#define LN_camellia_128_cfb128 "camellia-128-cfb"
#define NID_camellia_128_cfb128 757
#define OBJ_camellia_128_cfb128 OBJ_camellia,4L
#define SN_camellia_128_gcm "CAMELLIA-128-GCM"
#define LN_camellia_128_gcm "camellia-128-gcm"
#define NID_camellia_128_gcm 961
#define OBJ_camellia_128_gcm OBJ_camellia,6L
#define SN_camellia_128_ccm "CAMELLIA-128-CCM"
#define LN_camellia_128_ccm "camellia-128-ccm"
#define NID_camellia_128_ccm 962
#define OBJ_camellia_128_ccm OBJ_camellia,7L
#define SN_camellia_128_ctr "CAMELLIA-128-CTR"
#define LN_camellia_128_ctr "camellia-128-ctr"
#define NID_camellia_128_ctr 963
#define OBJ_camellia_128_ctr OBJ_camellia,9L
#define SN_camellia_128_cmac "CAMELLIA-128-CMAC"
#define LN_camellia_128_cmac "camellia-128-cmac"
#define NID_camellia_128_cmac 964
#define OBJ_camellia_128_cmac OBJ_camellia,10L
#define SN_camellia_192_ecb "CAMELLIA-192-ECB"
#define LN_camellia_192_ecb "camellia-192-ecb"
#define NID_camellia_192_ecb 755
#define OBJ_camellia_192_ecb OBJ_camellia,21L
#define SN_camellia_192_ofb128 "CAMELLIA-192-OFB"
#define LN_camellia_192_ofb128 "camellia-192-ofb"
#define NID_camellia_192_ofb128 767
#define OBJ_camellia_192_ofb128 OBJ_camellia,23L
#define SN_camellia_192_cfb128 "CAMELLIA-192-CFB"
#define LN_camellia_192_cfb128 "camellia-192-cfb"
#define NID_camellia_192_cfb128 758
#define OBJ_camellia_192_cfb128 OBJ_camellia,24L
#define SN_camellia_192_gcm "CAMELLIA-192-GCM"
#define LN_camellia_192_gcm "camellia-192-gcm"
#define NID_camellia_192_gcm 965
#define OBJ_camellia_192_gcm OBJ_camellia,26L
#define SN_camellia_192_ccm "CAMELLIA-192-CCM"
#define LN_camellia_192_ccm "camellia-192-ccm"
#define NID_camellia_192_ccm 966
#define OBJ_camellia_192_ccm OBJ_camellia,27L
#define SN_camellia_192_ctr "CAMELLIA-192-CTR"
#define LN_camellia_192_ctr "camellia-192-ctr"
#define NID_camellia_192_ctr 967
#define OBJ_camellia_192_ctr OBJ_camellia,29L
#define SN_camellia_192_cmac "CAMELLIA-192-CMAC"
#define LN_camellia_192_cmac "camellia-192-cmac"
#define NID_camellia_192_cmac 968
#define OBJ_camellia_192_cmac OBJ_camellia,30L
#define SN_camellia_256_ecb "CAMELLIA-256-ECB"
#define LN_camellia_256_ecb "camellia-256-ecb"
#define NID_camellia_256_ecb 756
#define OBJ_camellia_256_ecb OBJ_camellia,41L
#define SN_camellia_256_ofb128 "CAMELLIA-256-OFB"
#define LN_camellia_256_ofb128 "camellia-256-ofb"
#define NID_camellia_256_ofb128 768
#define OBJ_camellia_256_ofb128 OBJ_camellia,43L
#define SN_camellia_256_cfb128 "CAMELLIA-256-CFB"
#define LN_camellia_256_cfb128 "camellia-256-cfb"
#define NID_camellia_256_cfb128 759
#define OBJ_camellia_256_cfb128 OBJ_camellia,44L
#define SN_camellia_256_gcm "CAMELLIA-256-GCM"
#define LN_camellia_256_gcm "camellia-256-gcm"
#define NID_camellia_256_gcm 969
#define OBJ_camellia_256_gcm OBJ_camellia,46L
#define SN_camellia_256_ccm "CAMELLIA-256-CCM"
#define LN_camellia_256_ccm "camellia-256-ccm"
#define NID_camellia_256_ccm 970
#define OBJ_camellia_256_ccm OBJ_camellia,47L
#define SN_camellia_256_ctr "CAMELLIA-256-CTR"
#define LN_camellia_256_ctr "camellia-256-ctr"
#define NID_camellia_256_ctr 971
#define OBJ_camellia_256_ctr OBJ_camellia,49L
#define SN_camellia_256_cmac "CAMELLIA-256-CMAC"
#define LN_camellia_256_cmac "camellia-256-cmac"
#define NID_camellia_256_cmac 972
#define OBJ_camellia_256_cmac OBJ_camellia,50L
#define SN_camellia_128_cfb1 "CAMELLIA-128-CFB1"
#define LN_camellia_128_cfb1 "camellia-128-cfb1"
#define NID_camellia_128_cfb1 760
#define SN_camellia_192_cfb1 "CAMELLIA-192-CFB1"
#define LN_camellia_192_cfb1 "camellia-192-cfb1"
#define NID_camellia_192_cfb1 761
#define SN_camellia_256_cfb1 "CAMELLIA-256-CFB1"
#define LN_camellia_256_cfb1 "camellia-256-cfb1"
#define NID_camellia_256_cfb1 762
#define SN_camellia_128_cfb8 "CAMELLIA-128-CFB8"
#define LN_camellia_128_cfb8 "camellia-128-cfb8"
#define NID_camellia_128_cfb8 763
#define SN_camellia_192_cfb8 "CAMELLIA-192-CFB8"
#define LN_camellia_192_cfb8 "camellia-192-cfb8"
#define NID_camellia_192_cfb8 764
#define SN_camellia_256_cfb8 "CAMELLIA-256-CFB8"
#define LN_camellia_256_cfb8 "camellia-256-cfb8"
#define NID_camellia_256_cfb8 765
#define OBJ_aria 1L,2L,410L,200046L,1L,1L
#define SN_aria_128_ecb "ARIA-128-ECB"
#define LN_aria_128_ecb "aria-128-ecb"
#define NID_aria_128_ecb 1065
#define OBJ_aria_128_ecb OBJ_aria,1L
#define SN_aria_128_cbc "ARIA-128-CBC"
#define LN_aria_128_cbc "aria-128-cbc"
#define NID_aria_128_cbc 1066
#define OBJ_aria_128_cbc OBJ_aria,2L
#define SN_aria_128_cfb128 "ARIA-128-CFB"
#define LN_aria_128_cfb128 "aria-128-cfb"
#define NID_aria_128_cfb128 1067
#define OBJ_aria_128_cfb128 OBJ_aria,3L
#define SN_aria_128_ofb128 "ARIA-128-OFB"
#define LN_aria_128_ofb128 "aria-128-ofb"
#define NID_aria_128_ofb128 1068
#define OBJ_aria_128_ofb128 OBJ_aria,4L
#define SN_aria_128_ctr "ARIA-128-CTR"
#define LN_aria_128_ctr "aria-128-ctr"
#define NID_aria_128_ctr 1069
#define OBJ_aria_128_ctr OBJ_aria,5L
#define SN_aria_192_ecb "ARIA-192-ECB"
#define LN_aria_192_ecb "aria-192-ecb"
#define NID_aria_192_ecb 1070
#define OBJ_aria_192_ecb OBJ_aria,6L
#define SN_aria_192_cbc "ARIA-192-CBC"
#define LN_aria_192_cbc "aria-192-cbc"
#define NID_aria_192_cbc 1071
#define OBJ_aria_192_cbc OBJ_aria,7L
#define SN_aria_192_cfb128 "ARIA-192-CFB"
#define LN_aria_192_cfb128 "aria-192-cfb"
#define NID_aria_192_cfb128 1072
#define OBJ_aria_192_cfb128 OBJ_aria,8L
#define SN_aria_192_ofb128 "ARIA-192-OFB"
#define LN_aria_192_ofb128 "aria-192-ofb"
#define NID_aria_192_ofb128 1073
#define OBJ_aria_192_ofb128 OBJ_aria,9L
#define SN_aria_192_ctr "ARIA-192-CTR"
#define LN_aria_192_ctr "aria-192-ctr"
#define NID_aria_192_ctr 1074
#define OBJ_aria_192_ctr OBJ_aria,10L
#define SN_aria_256_ecb "ARIA-256-ECB"
#define LN_aria_256_ecb "aria-256-ecb"
#define NID_aria_256_ecb 1075
#define OBJ_aria_256_ecb OBJ_aria,11L
#define SN_aria_256_cbc "ARIA-256-CBC"
#define LN_aria_256_cbc "aria-256-cbc"
#define NID_aria_256_cbc 1076
#define OBJ_aria_256_cbc OBJ_aria,12L
#define SN_aria_256_cfb128 "ARIA-256-CFB"
#define LN_aria_256_cfb128 "aria-256-cfb"
#define NID_aria_256_cfb128 1077
#define OBJ_aria_256_cfb128 OBJ_aria,13L
#define SN_aria_256_ofb128 "ARIA-256-OFB"
#define LN_aria_256_ofb128 "aria-256-ofb"
#define NID_aria_256_ofb128 1078
#define OBJ_aria_256_ofb128 OBJ_aria,14L
#define SN_aria_256_ctr "ARIA-256-CTR"
#define LN_aria_256_ctr "aria-256-ctr"
#define NID_aria_256_ctr 1079
#define OBJ_aria_256_ctr OBJ_aria,15L
#define SN_aria_128_cfb1 "ARIA-128-CFB1"
#define LN_aria_128_cfb1 "aria-128-cfb1"
#define NID_aria_128_cfb1 1080
#define SN_aria_192_cfb1 "ARIA-192-CFB1"
#define LN_aria_192_cfb1 "aria-192-cfb1"
#define NID_aria_192_cfb1 1081
#define SN_aria_256_cfb1 "ARIA-256-CFB1"
#define LN_aria_256_cfb1 "aria-256-cfb1"
#define NID_aria_256_cfb1 1082
#define SN_aria_128_cfb8 "ARIA-128-CFB8"
#define LN_aria_128_cfb8 "aria-128-cfb8"
#define NID_aria_128_cfb8 1083
#define SN_aria_192_cfb8 "ARIA-192-CFB8"
#define LN_aria_192_cfb8 "aria-192-cfb8"
#define NID_aria_192_cfb8 1084
#define SN_aria_256_cfb8 "ARIA-256-CFB8"
#define LN_aria_256_cfb8 "aria-256-cfb8"
#define NID_aria_256_cfb8 1085
#define SN_aria_128_ccm "ARIA-128-CCM"
#define LN_aria_128_ccm "aria-128-ccm"
#define NID_aria_128_ccm 1120
#define OBJ_aria_128_ccm OBJ_aria,37L
#define SN_aria_192_ccm "ARIA-192-CCM"
#define LN_aria_192_ccm "aria-192-ccm"
#define NID_aria_192_ccm 1121
#define OBJ_aria_192_ccm OBJ_aria,38L
#define SN_aria_256_ccm "ARIA-256-CCM"
#define LN_aria_256_ccm "aria-256-ccm"
#define NID_aria_256_ccm 1122
#define OBJ_aria_256_ccm OBJ_aria,39L
#define SN_aria_128_gcm "ARIA-128-GCM"
#define LN_aria_128_gcm "aria-128-gcm"
#define NID_aria_128_gcm 1123
#define OBJ_aria_128_gcm OBJ_aria,34L
#define SN_aria_192_gcm "ARIA-192-GCM"
#define LN_aria_192_gcm "aria-192-gcm"
#define NID_aria_192_gcm 1124
#define OBJ_aria_192_gcm OBJ_aria,35L
#define SN_aria_256_gcm "ARIA-256-GCM"
#define LN_aria_256_gcm "aria-256-gcm"
#define NID_aria_256_gcm 1125
#define OBJ_aria_256_gcm OBJ_aria,36L
#define SN_kisa "KISA"
#define LN_kisa "kisa"
#define NID_kisa 773
#define OBJ_kisa OBJ_member_body,410L,200004L
#define SN_seed_ecb "SEED-ECB"
#define LN_seed_ecb "seed-ecb"
#define NID_seed_ecb 776
#define OBJ_seed_ecb OBJ_kisa,1L,3L
#define SN_seed_cbc "SEED-CBC"
#define LN_seed_cbc "seed-cbc"
#define NID_seed_cbc 777
#define OBJ_seed_cbc OBJ_kisa,1L,4L
#define SN_seed_cfb128 "SEED-CFB"
#define LN_seed_cfb128 "seed-cfb"
#define NID_seed_cfb128 779
#define OBJ_seed_cfb128 OBJ_kisa,1L,5L
#define SN_seed_ofb128 "SEED-OFB"
#define LN_seed_ofb128 "seed-ofb"
#define NID_seed_ofb128 778
#define OBJ_seed_ofb128 OBJ_kisa,1L,6L
#define SN_sm4_ecb "SM4-ECB"
#define LN_sm4_ecb "sm4-ecb"
#define NID_sm4_ecb 1133
#define OBJ_sm4_ecb OBJ_sm_scheme,104L,1L
#define SN_sm4_cbc "SM4-CBC"
#define LN_sm4_cbc "sm4-cbc"
#define NID_sm4_cbc 1134
#define OBJ_sm4_cbc OBJ_sm_scheme,104L,2L
#define SN_sm4_ofb128 "SM4-OFB"
#define LN_sm4_ofb128 "sm4-ofb"
#define NID_sm4_ofb128 1135
#define OBJ_sm4_ofb128 OBJ_sm_scheme,104L,3L
#define SN_sm4_cfb128 "SM4-CFB"
#define LN_sm4_cfb128 "sm4-cfb"
#define NID_sm4_cfb128 1137
#define OBJ_sm4_cfb128 OBJ_sm_scheme,104L,4L
#define SN_sm4_cfb1 "SM4-CFB1"
#define LN_sm4_cfb1 "sm4-cfb1"
#define NID_sm4_cfb1 1136
#define OBJ_sm4_cfb1 OBJ_sm_scheme,104L,5L
#define SN_sm4_cfb8 "SM4-CFB8"
#define LN_sm4_cfb8 "sm4-cfb8"
#define NID_sm4_cfb8 1138
#define OBJ_sm4_cfb8 OBJ_sm_scheme,104L,6L
#define SN_sm4_ctr "SM4-CTR"
#define LN_sm4_ctr "sm4-ctr"
#define NID_sm4_ctr 1139
#define OBJ_sm4_ctr OBJ_sm_scheme,104L,7L
#define SN_hmac "HMAC"
#define LN_hmac "hmac"
#define NID_hmac 855
#define SN_cmac "CMAC"
#define LN_cmac "cmac"
#define NID_cmac 894
#define SN_rc4_hmac_md5 "RC4-HMAC-MD5"
#define LN_rc4_hmac_md5 "rc4-hmac-md5"
#define NID_rc4_hmac_md5 915
#define SN_aes_128_cbc_hmac_sha1 "AES-128-CBC-HMAC-SHA1"
#define LN_aes_128_cbc_hmac_sha1 "aes-128-cbc-hmac-sha1"
#define NID_aes_128_cbc_hmac_sha1 916
#define SN_aes_192_cbc_hmac_sha1 "AES-192-CBC-HMAC-SHA1"
#define LN_aes_192_cbc_hmac_sha1 "aes-192-cbc-hmac-sha1"
#define NID_aes_192_cbc_hmac_sha1 917
#define SN_aes_256_cbc_hmac_sha1 "AES-256-CBC-HMAC-SHA1"
#define LN_aes_256_cbc_hmac_sha1 "aes-256-cbc-hmac-sha1"
#define NID_aes_256_cbc_hmac_sha1 918
#define SN_aes_128_cbc_hmac_sha256 "AES-128-CBC-HMAC-SHA256"
#define LN_aes_128_cbc_hmac_sha256 "aes-128-cbc-hmac-sha256"
#define NID_aes_128_cbc_hmac_sha256 948
#define SN_aes_192_cbc_hmac_sha256 "AES-192-CBC-HMAC-SHA256"
#define LN_aes_192_cbc_hmac_sha256 "aes-192-cbc-hmac-sha256"
#define NID_aes_192_cbc_hmac_sha256 949
#define SN_aes_256_cbc_hmac_sha256 "AES-256-CBC-HMAC-SHA256"
#define LN_aes_256_cbc_hmac_sha256 "aes-256-cbc-hmac-sha256"
#define NID_aes_256_cbc_hmac_sha256 950
#define SN_chacha20_poly1305 "ChaCha20-Poly1305"
#define LN_chacha20_poly1305 "chacha20-poly1305"
#define NID_chacha20_poly1305 1018
#define SN_chacha20 "ChaCha20"
#define LN_chacha20 "chacha20"
#define NID_chacha20 1019
#define SN_dhpublicnumber "dhpublicnumber"
#define LN_dhpublicnumber "X9.42 DH"
#define NID_dhpublicnumber 920
#define OBJ_dhpublicnumber OBJ_ISO_US,10046L,2L,1L
#define SN_brainpoolP160r1 "brainpoolP160r1"
#define NID_brainpoolP160r1 921
#define OBJ_brainpoolP160r1 1L,3L,36L,3L,3L,2L,8L,1L,1L,1L
#define SN_brainpoolP160t1 "brainpoolP160t1"
#define NID_brainpoolP160t1 922
#define OBJ_brainpoolP160t1 1L,3L,36L,3L,3L,2L,8L,1L,1L,2L
#define SN_brainpoolP192r1 "brainpoolP192r1"
#define NID_brainpoolP192r1 923
#define OBJ_brainpoolP192r1 1L,3L,36L,3L,3L,2L,8L,1L,1L,3L
#define SN_brainpoolP192t1 "brainpoolP192t1"
#define NID_brainpoolP192t1 924
#define OBJ_brainpoolP192t1 1L,3L,36L,3L,3L,2L,8L,1L,1L,4L
#define SN_brainpoolP224r1 "brainpoolP224r1"
#define NID_brainpoolP224r1 925
#define OBJ_brainpoolP224r1 1L,3L,36L,3L,3L,2L,8L,1L,1L,5L
#define SN_brainpoolP224t1 "brainpoolP224t1"
#define NID_brainpoolP224t1 926
#define OBJ_brainpoolP224t1 1L,3L,36L,3L,3L,2L,8L,1L,1L,6L
#define SN_brainpoolP256r1 "brainpoolP256r1"
#define NID_brainpoolP256r1 927
#define OBJ_brainpoolP256r1 1L,3L,36L,3L,3L,2L,8L,1L,1L,7L
#define SN_brainpoolP256t1 "brainpoolP256t1"
#define NID_brainpoolP256t1 928
#define OBJ_brainpoolP256t1 1L,3L,36L,3L,3L,2L,8L,1L,1L,8L
#define SN_brainpoolP320r1 "brainpoolP320r1"
#define NID_brainpoolP320r1 929
#define OBJ_brainpoolP320r1 1L,3L,36L,3L,3L,2L,8L,1L,1L,9L
#define SN_brainpoolP320t1 "brainpoolP320t1"
#define NID_brainpoolP320t1 930
#define OBJ_brainpoolP320t1 1L,3L,36L,3L,3L,2L,8L,1L,1L,10L
#define SN_brainpoolP384r1 "brainpoolP384r1"
#define NID_brainpoolP384r1 931
#define OBJ_brainpoolP384r1 1L,3L,36L,3L,3L,2L,8L,1L,1L,11L
#define SN_brainpoolP384t1 "brainpoolP384t1"
#define NID_brainpoolP384t1 932
#define OBJ_brainpoolP384t1 1L,3L,36L,3L,3L,2L,8L,1L,1L,12L
#define SN_brainpoolP512r1 "brainpoolP512r1"
#define NID_brainpoolP512r1 933
#define OBJ_brainpoolP512r1 1L,3L,36L,3L,3L,2L,8L,1L,1L,13L
#define SN_brainpoolP512t1 "brainpoolP512t1"
#define NID_brainpoolP512t1 934
#define OBJ_brainpoolP512t1 1L,3L,36L,3L,3L,2L,8L,1L,1L,14L
#define OBJ_x9_63_scheme 1L,3L,133L,16L,840L,63L,0L
#define OBJ_secg_scheme OBJ_certicom_arc,1L
#define SN_dhSinglePass_stdDH_sha1kdf_scheme "dhSinglePass-stdDH-sha1kdf-scheme"
#define NID_dhSinglePass_stdDH_sha1kdf_scheme 936
#define OBJ_dhSinglePass_stdDH_sha1kdf_scheme OBJ_x9_63_scheme,2L
#define SN_dhSinglePass_stdDH_sha224kdf_scheme "dhSinglePass-stdDH-sha224kdf-scheme"
#define NID_dhSinglePass_stdDH_sha224kdf_scheme 937
#define OBJ_dhSinglePass_stdDH_sha224kdf_scheme OBJ_secg_scheme,11L,0L
#define SN_dhSinglePass_stdDH_sha256kdf_scheme "dhSinglePass-stdDH-sha256kdf-scheme"
#define NID_dhSinglePass_stdDH_sha256kdf_scheme 938
#define OBJ_dhSinglePass_stdDH_sha256kdf_scheme OBJ_secg_scheme,11L,1L
#define SN_dhSinglePass_stdDH_sha384kdf_scheme "dhSinglePass-stdDH-sha384kdf-scheme"
#define NID_dhSinglePass_stdDH_sha384kdf_scheme 939
#define OBJ_dhSinglePass_stdDH_sha384kdf_scheme OBJ_secg_scheme,11L,2L
#define SN_dhSinglePass_stdDH_sha512kdf_scheme "dhSinglePass-stdDH-sha512kdf-scheme"
#define NID_dhSinglePass_stdDH_sha512kdf_scheme 940
#define OBJ_dhSinglePass_stdDH_sha512kdf_scheme OBJ_secg_scheme,11L,3L
#define SN_dhSinglePass_cofactorDH_sha1kdf_scheme "dhSinglePass-cofactorDH-sha1kdf-scheme"
#define NID_dhSinglePass_cofactorDH_sha1kdf_scheme 941
#define OBJ_dhSinglePass_cofactorDH_sha1kdf_scheme OBJ_x9_63_scheme,3L
#define SN_dhSinglePass_cofactorDH_sha224kdf_scheme "dhSinglePass-cofactorDH-sha224kdf-scheme"
#define NID_dhSinglePass_cofactorDH_sha224kdf_scheme 942
#define OBJ_dhSinglePass_cofactorDH_sha224kdf_scheme OBJ_secg_scheme,14L,0L
#define SN_dhSinglePass_cofactorDH_sha256kdf_scheme "dhSinglePass-cofactorDH-sha256kdf-scheme"
#define NID_dhSinglePass_cofactorDH_sha256kdf_scheme 943
#define OBJ_dhSinglePass_cofactorDH_sha256kdf_scheme OBJ_secg_scheme,14L,1L
#define SN_dhSinglePass_cofactorDH_sha384kdf_scheme "dhSinglePass-cofactorDH-sha384kdf-scheme"
#define NID_dhSinglePass_cofactorDH_sha384kdf_scheme 944
#define OBJ_dhSinglePass_cofactorDH_sha384kdf_scheme OBJ_secg_scheme,14L,2L
#define SN_dhSinglePass_cofactorDH_sha512kdf_scheme "dhSinglePass-cofactorDH-sha512kdf-scheme"
#define NID_dhSinglePass_cofactorDH_sha512kdf_scheme 945
#define OBJ_dhSinglePass_cofactorDH_sha512kdf_scheme OBJ_secg_scheme,14L,3L
#define SN_dh_std_kdf "dh-std-kdf"
#define NID_dh_std_kdf 946
#define SN_dh_cofactor_kdf "dh-cofactor-kdf"
#define NID_dh_cofactor_kdf 947
#define SN_ct_precert_scts "ct_precert_scts"
#define LN_ct_precert_scts "CT Precertificate SCTs"
#define NID_ct_precert_scts 951
#define OBJ_ct_precert_scts 1L,3L,6L,1L,4L,1L,11129L,2L,4L,2L
#define SN_ct_precert_poison "ct_precert_poison"
#define LN_ct_precert_poison "CT Precertificate Poison"
#define NID_ct_precert_poison 952
#define OBJ_ct_precert_poison 1L,3L,6L,1L,4L,1L,11129L,2L,4L,3L
#define SN_ct_precert_signer "ct_precert_signer"
#define LN_ct_precert_signer "CT Precertificate Signer"
#define NID_ct_precert_signer 953
#define OBJ_ct_precert_signer 1L,3L,6L,1L,4L,1L,11129L,2L,4L,4L
#define SN_ct_cert_scts "ct_cert_scts"
#define LN_ct_cert_scts "CT Certificate SCTs"
#define NID_ct_cert_scts 954
#define OBJ_ct_cert_scts 1L,3L,6L,1L,4L,1L,11129L,2L,4L,5L
#define SN_jurisdictionLocalityName "jurisdictionL"
#define LN_jurisdictionLocalityName "jurisdictionLocalityName"
#define NID_jurisdictionLocalityName 955
#define OBJ_jurisdictionLocalityName 1L,3L,6L,1L,4L,1L,311L,60L,2L,1L,1L
#define SN_jurisdictionStateOrProvinceName "jurisdictionST"
#define LN_jurisdictionStateOrProvinceName "jurisdictionStateOrProvinceName"
#define NID_jurisdictionStateOrProvinceName 956
#define OBJ_jurisdictionStateOrProvinceName 1L,3L,6L,1L,4L,1L,311L,60L,2L,1L,2L
#define SN_jurisdictionCountryName "jurisdictionC"
#define LN_jurisdictionCountryName "jurisdictionCountryName"
#define NID_jurisdictionCountryName 957
#define OBJ_jurisdictionCountryName 1L,3L,6L,1L,4L,1L,311L,60L,2L,1L,3L
#define SN_id_scrypt "id-scrypt"
#define LN_id_scrypt "scrypt"
#define NID_id_scrypt 973
#define OBJ_id_scrypt 1L,3L,6L,1L,4L,1L,11591L,4L,11L
#define SN_tls1_prf "TLS1-PRF"
#define LN_tls1_prf "tls1-prf"
#define NID_tls1_prf 1021
#define SN_hkdf "HKDF"
#define LN_hkdf "hkdf"
#define NID_hkdf 1036
#define SN_id_pkinit "id-pkinit"
#define NID_id_pkinit 1031
#define OBJ_id_pkinit 1L,3L,6L,1L,5L,2L,3L
#define SN_pkInitClientAuth "pkInitClientAuth"
#define LN_pkInitClientAuth "PKINIT Client Auth"
#define NID_pkInitClientAuth 1032
#define OBJ_pkInitClientAuth OBJ_id_pkinit,4L
#define SN_pkInitKDC "pkInitKDC"
#define LN_pkInitKDC "Signing KDC Response"
#define NID_pkInitKDC 1033
#define OBJ_pkInitKDC OBJ_id_pkinit,5L
#define SN_X25519 "X25519"
#define NID_X25519 1034
#define OBJ_X25519 1L,3L,101L,110L
#define SN_X448 "X448"
#define NID_X448 1035
#define OBJ_X448 1L,3L,101L,111L
#define SN_ED25519 "ED25519"
#define NID_ED25519 1087
#define OBJ_ED25519 1L,3L,101L,112L
#define SN_ED448 "ED448"
#define NID_ED448 1088
#define OBJ_ED448 1L,3L,101L,113L
#define SN_kx_rsa "KxRSA"
#define LN_kx_rsa "kx-rsa"
#define NID_kx_rsa 1037
#define SN_kx_ecdhe "KxECDHE"
#define LN_kx_ecdhe "kx-ecdhe"
#define NID_kx_ecdhe 1038
#define SN_kx_dhe "KxDHE"
#define LN_kx_dhe "kx-dhe"
#define NID_kx_dhe 1039
#define SN_kx_ecdhe_psk "KxECDHE-PSK"
#define LN_kx_ecdhe_psk "kx-ecdhe-psk"
#define NID_kx_ecdhe_psk 1040
#define SN_kx_dhe_psk "KxDHE-PSK"
#define LN_kx_dhe_psk "kx-dhe-psk"
#define NID_kx_dhe_psk 1041
#define SN_kx_rsa_psk "KxRSA_PSK"
#define LN_kx_rsa_psk "kx-rsa-psk"
#define NID_kx_rsa_psk 1042
#define SN_kx_psk "KxPSK"
#define LN_kx_psk "kx-psk"
#define NID_kx_psk 1043
#define SN_kx_srp "KxSRP"
#define LN_kx_srp "kx-srp"
#define NID_kx_srp 1044
#define SN_kx_gost "KxGOST"
#define LN_kx_gost "kx-gost"
#define NID_kx_gost 1045
#define SN_kx_any "KxANY"
#define LN_kx_any "kx-any"
#define NID_kx_any 1063
#define SN_auth_rsa "AuthRSA"
#define LN_auth_rsa "auth-rsa"
#define NID_auth_rsa 1046
#define SN_auth_ecdsa "AuthECDSA"
#define LN_auth_ecdsa "auth-ecdsa"
#define NID_auth_ecdsa 1047
#define SN_auth_psk "AuthPSK"
#define LN_auth_psk "auth-psk"
#define NID_auth_psk 1048
#define SN_auth_dss "AuthDSS"
#define LN_auth_dss "auth-dss"
#define NID_auth_dss 1049
#define SN_auth_gost01 "AuthGOST01"
#define LN_auth_gost01 "auth-gost01"
#define NID_auth_gost01 1050
#define SN_auth_gost12 "AuthGOST12"
#define LN_auth_gost12 "auth-gost12"
#define NID_auth_gost12 1051
#define SN_auth_srp "AuthSRP"
#define LN_auth_srp "auth-srp"
#define NID_auth_srp 1052
#define SN_auth_null "AuthNULL"
#define LN_auth_null "auth-null"
#define NID_auth_null 1053
#define SN_auth_any "AuthANY"
#define LN_auth_any "auth-any"
#define NID_auth_any 1064
#define SN_poly1305 "Poly1305"
#define LN_poly1305 "poly1305"
#define NID_poly1305 1061
#define SN_siphash "SipHash"
#define LN_siphash "siphash"
#define NID_siphash 1062
#define SN_ffdhe2048 "ffdhe2048"
#define NID_ffdhe2048 1126
#define SN_ffdhe3072 "ffdhe3072"
#define NID_ffdhe3072 1127
#define SN_ffdhe4096 "ffdhe4096"
#define NID_ffdhe4096 1128
#define SN_ffdhe6144 "ffdhe6144"
#define NID_ffdhe6144 1129
#define SN_ffdhe8192 "ffdhe8192"
#define NID_ffdhe8192 1130
#define SN_ISO_UA "ISO-UA"
#define NID_ISO_UA 1150
#define OBJ_ISO_UA OBJ_member_body,804L
#define SN_ua_pki "ua-pki"
#define NID_ua_pki 1151
#define OBJ_ua_pki OBJ_ISO_UA,2L,1L,1L,1L
#define SN_dstu28147 "dstu28147"
#define LN_dstu28147 "DSTU Gost 28147-2009"
#define NID_dstu28147 1152
#define OBJ_dstu28147 OBJ_ua_pki,1L,1L,1L
#define SN_dstu28147_ofb "dstu28147-ofb"
#define LN_dstu28147_ofb "DSTU Gost 28147-2009 OFB mode"
#define NID_dstu28147_ofb 1153
#define OBJ_dstu28147_ofb OBJ_dstu28147,2L
#define SN_dstu28147_cfb "dstu28147-cfb"
#define LN_dstu28147_cfb "DSTU Gost 28147-2009 CFB mode"
#define NID_dstu28147_cfb 1154
#define OBJ_dstu28147_cfb OBJ_dstu28147,3L
#define SN_dstu28147_wrap "dstu28147-wrap"
#define LN_dstu28147_wrap "DSTU Gost 28147-2009 key wrap"
#define NID_dstu28147_wrap 1155
#define OBJ_dstu28147_wrap OBJ_dstu28147,5L
#define SN_hmacWithDstu34311 "hmacWithDstu34311"
#define LN_hmacWithDstu34311 "HMAC DSTU Gost 34311-95"
#define NID_hmacWithDstu34311 1156
#define OBJ_hmacWithDstu34311 OBJ_ua_pki,1L,1L,2L
#define SN_dstu34311 "dstu34311"
#define LN_dstu34311 "DSTU Gost 34311-95"
#define NID_dstu34311 1157
#define OBJ_dstu34311 OBJ_ua_pki,1L,2L,1L
#define SN_dstu4145le "dstu4145le"
#define LN_dstu4145le "DSTU 4145-2002 little endian"
#define NID_dstu4145le 1158
#define OBJ_dstu4145le OBJ_ua_pki,1L,3L,1L,1L
#define SN_dstu4145be "dstu4145be"
#define LN_dstu4145be "DSTU 4145-2002 big endian"
#define NID_dstu4145be 1159
#define OBJ_dstu4145be OBJ_dstu4145le,1L,1L
#define SN_uacurve0 "uacurve0"
#define LN_uacurve0 "DSTU curve 0"
#define NID_uacurve0 1160
#define OBJ_uacurve0 OBJ_dstu4145le,2L,0L
#define SN_uacurve1 "uacurve1"
#define LN_uacurve1 "DSTU curve 1"
#define NID_uacurve1 1161
#define OBJ_uacurve1 OBJ_dstu4145le,2L,1L
#define SN_uacurve2 "uacurve2"
#define LN_uacurve2 "DSTU curve 2"
#define NID_uacurve2 1162
#define OBJ_uacurve2 OBJ_dstu4145le,2L,2L
#define SN_uacurve3 "uacurve3"
#define LN_uacurve3 "DSTU curve 3"
#define NID_uacurve3 1163
#define OBJ_uacurve3 OBJ_dstu4145le,2L,3L
#define SN_uacurve4 "uacurve4"
#define LN_uacurve4 "DSTU curve 4"
#define NID_uacurve4 1164
#define OBJ_uacurve4 OBJ_dstu4145le,2L,4L
#define SN_uacurve5 "uacurve5"
#define LN_uacurve5 "DSTU curve 5"
#define NID_uacurve5 1165
#define OBJ_uacurve5 OBJ_dstu4145le,2L,5L
#define SN_uacurve6 "uacurve6"
#define LN_uacurve6 "DSTU curve 6"
#define NID_uacurve6 1166
#define OBJ_uacurve6 OBJ_dstu4145le,2L,6L
#define SN_uacurve7 "uacurve7"
#define LN_uacurve7 "DSTU curve 7"
#define NID_uacurve7 1167
#define OBJ_uacurve7 OBJ_dstu4145le,2L,7L
#define SN_uacurve8 "uacurve8"
#define LN_uacurve8 "DSTU curve 8"
#define NID_uacurve8 1168
#define OBJ_uacurve8 OBJ_dstu4145le,2L,8L
#define SN_uacurve9 "uacurve9"
#define LN_uacurve9 "DSTU curve 9"
#define NID_uacurve9 1169
#define OBJ_uacurve9 OBJ_dstu4145le,2L,9L
diff --git a/crypto/openssl/include/openssl/opensslv.h b/crypto/openssl/include/openssl/opensslv.h
index 69b6351f42ef..cef157da5f64 100644
--- a/crypto/openssl/include/openssl/opensslv.h
+++ b/crypto/openssl/include/openssl/opensslv.h
@@ -1,101 +1,101 @@
/*
* Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#ifndef HEADER_OPENSSLV_H
# define HEADER_OPENSSLV_H
#ifdef __cplusplus
extern "C" {
#endif
/*-
* Numeric release version identifier:
* MNNFFPPS: major minor fix patch status
* The status nibble has one of the values 0 for development, 1 to e for betas
* 1 to 14, and f for release. The patch level is exactly that.
* For example:
* 0.9.3-dev 0x00903000
* 0.9.3-beta1 0x00903001
* 0.9.3-beta2-dev 0x00903002
* 0.9.3-beta2 0x00903002 (same as ...beta2-dev)
* 0.9.3 0x0090300f
* 0.9.3a 0x0090301f
* 0.9.4 0x0090400f
* 1.2.3z 0x102031af
*
* For continuity reasons (because 0.9.5 is already out, and is coded
* 0x00905100), between 0.9.5 and 0.9.6 the coding of the patch level
* part is slightly different, by setting the highest bit. This means
* that 0.9.5a looks like this: 0x0090581f. At 0.9.6, we can start
* with 0x0090600S...
*
* (Prior to 0.9.3-dev a different scheme was used: 0.9.2b is 0x0922.)
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-# define OPENSSL_VERSION_NUMBER 0x101010dfL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1m-freebsd 14 Dec 2021"
+# define OPENSSL_VERSION_NUMBER 0x101010efL
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1n-freebsd 15 Mar 2022"
/*-
* The macros below are to be used for shared library (.so, .dll, ...)
* versioning. That kind of versioning works a bit differently between
* operating systems. The most usual scheme is to set a major and a minor
* number, and have the runtime loader check that the major number is equal
* to what it was at application link time, while the minor number has to
* be greater or equal to what it was at application link time. With this
* scheme, the version number is usually part of the file name, like this:
*
* libcrypto.so.0.9
*
* Some unixen also make a softlink with the major version number only:
*
* libcrypto.so.0
*
* On Tru64 and IRIX 6.x it works a little bit differently. There, the
* shared library version is stored in the file, and is actually a series
* of versions, separated by colons. The rightmost version present in the
* library when linking an application is stored in the application to be
* matched at run time. When the application is run, a check is done to
* see if the library version stored in the application matches any of the
* versions in the version string of the library itself.
* This version string can be constructed in any way, depending on what
* kind of matching is desired. However, to implement the same scheme as
* the one used in the other unixen, all compatible versions, from lowest
* to highest, should be part of the string. Consecutive builds would
* give the following versions strings:
*
* 3.0
* 3.0:3.1
* 3.0:3.1:3.2
* 4.0
* 4.0:4.1
*
* Notice how version 4 is completely incompatible with version, and
* therefore give the breach you can see.
*
* There may be other schemes as well that I haven't yet discovered.
*
* So, here's the way it works here: first of all, the library version
* number doesn't need at all to match the overall OpenSSL version.
* However, it's nice and more understandable if it actually does.
* The current library version is stored in the macro SHLIB_VERSION_NUMBER,
* which is just a piece of text in the format "M.m.e" (Major, minor, edit).
* For the sake of Tru64, IRIX, and any other OS that behaves in similar ways,
* we need to keep a history of version numbers, which is done in the
* macro SHLIB_VERSION_HISTORY. The numbers are separated by colons and
* should only keep the versions that are binary compatible with the current.
*/
# define SHLIB_VERSION_HISTORY ""
# define SHLIB_VERSION_NUMBER "111"
#ifdef __cplusplus
}
#endif
#endif /* HEADER_OPENSSLV_H */
diff --git a/crypto/openssl/ssl/s3_lib.c b/crypto/openssl/ssl/s3_lib.c
index b256a4b93503..e4cf007f82a5 100644
--- a/crypto/openssl/ssl/s3_lib.c
+++ b/crypto/openssl/ssl/s3_lib.c
@@ -1,4858 +1,4858 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <stdio.h>
#include <openssl/objects.h>
#include "internal/nelem.h"
#include "ssl_local.h"
#include <openssl/md5.h>
#include <openssl/dh.h>
#include <openssl/rand.h>
#include "internal/cryptlib.h"
#define TLS13_NUM_CIPHERS OSSL_NELEM(tls13_ciphers)
#define SSL3_NUM_CIPHERS OSSL_NELEM(ssl3_ciphers)
#define SSL3_NUM_SCSVS OSSL_NELEM(ssl3_scsvs)
/* TLSv1.3 downgrade protection sentinel values */
const unsigned char tls11downgrade[] = {
0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00
};
const unsigned char tls12downgrade[] = {
0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01
};
/* The list of available TLSv1.3 ciphers */
static SSL_CIPHER tls13_ciphers[] = {
{
1,
TLS1_3_RFC_AES_128_GCM_SHA256,
TLS1_3_RFC_AES_128_GCM_SHA256,
TLS1_3_CK_AES_128_GCM_SHA256,
SSL_kANY,
SSL_aANY,
SSL_AES128GCM,
SSL_AEAD,
TLS1_3_VERSION, TLS1_3_VERSION,
0, 0,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256,
128,
128,
}, {
1,
TLS1_3_RFC_AES_256_GCM_SHA384,
TLS1_3_RFC_AES_256_GCM_SHA384,
TLS1_3_CK_AES_256_GCM_SHA384,
SSL_kANY,
SSL_aANY,
SSL_AES256GCM,
SSL_AEAD,
TLS1_3_VERSION, TLS1_3_VERSION,
0, 0,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384,
256,
256,
},
#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
{
1,
TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
TLS1_3_CK_CHACHA20_POLY1305_SHA256,
SSL_kANY,
SSL_aANY,
SSL_CHACHA20POLY1305,
SSL_AEAD,
TLS1_3_VERSION, TLS1_3_VERSION,
0, 0,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256,
256,
256,
},
#endif
{
1,
TLS1_3_RFC_AES_128_CCM_SHA256,
TLS1_3_RFC_AES_128_CCM_SHA256,
TLS1_3_CK_AES_128_CCM_SHA256,
SSL_kANY,
SSL_aANY,
SSL_AES128CCM,
SSL_AEAD,
TLS1_3_VERSION, TLS1_3_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256,
128,
128,
}, {
1,
TLS1_3_RFC_AES_128_CCM_8_SHA256,
TLS1_3_RFC_AES_128_CCM_8_SHA256,
TLS1_3_CK_AES_128_CCM_8_SHA256,
SSL_kANY,
SSL_aANY,
SSL_AES128CCM8,
SSL_AEAD,
TLS1_3_VERSION, TLS1_3_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256,
128,
128,
}
};
/*
* The list of available ciphers, mostly organized into the following
* groups:
* Always there
* EC
* PSK
* SRP (within that: RSA EC PSK)
* Cipher families: Chacha/poly, Camellia, Gost, IDEA, SEED
* Weak ciphers
*/
static SSL_CIPHER ssl3_ciphers[] = {
{
1,
SSL3_TXT_RSA_NULL_MD5,
SSL3_RFC_RSA_NULL_MD5,
SSL3_CK_RSA_NULL_MD5,
SSL_kRSA,
SSL_aRSA,
SSL_eNULL,
SSL_MD5,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_STRONG_NONE,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
},
{
1,
SSL3_TXT_RSA_NULL_SHA,
SSL3_RFC_RSA_NULL_SHA,
SSL3_CK_RSA_NULL_SHA,
SSL_kRSA,
SSL_aRSA,
SSL_eNULL,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
},
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
SSL3_TXT_RSA_DES_192_CBC3_SHA,
SSL3_RFC_RSA_DES_192_CBC3_SHA,
SSL3_CK_RSA_DES_192_CBC3_SHA,
SSL_kRSA,
SSL_aRSA,
SSL_3DES,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
},
{
1,
SSL3_TXT_DHE_DSS_DES_192_CBC3_SHA,
SSL3_RFC_DHE_DSS_DES_192_CBC3_SHA,
SSL3_CK_DHE_DSS_DES_192_CBC3_SHA,
SSL_kDHE,
SSL_aDSS,
SSL_3DES,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
},
{
1,
SSL3_TXT_DHE_RSA_DES_192_CBC3_SHA,
SSL3_RFC_DHE_RSA_DES_192_CBC3_SHA,
SSL3_CK_DHE_RSA_DES_192_CBC3_SHA,
SSL_kDHE,
SSL_aRSA,
SSL_3DES,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
},
{
1,
SSL3_TXT_ADH_DES_192_CBC_SHA,
SSL3_RFC_ADH_DES_192_CBC_SHA,
SSL3_CK_ADH_DES_192_CBC_SHA,
SSL_kDHE,
SSL_aNULL,
SSL_3DES,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
},
#endif
{
1,
TLS1_TXT_RSA_WITH_AES_128_SHA,
TLS1_RFC_RSA_WITH_AES_128_SHA,
TLS1_CK_RSA_WITH_AES_128_SHA,
SSL_kRSA,
SSL_aRSA,
SSL_AES128,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
TLS1_RFC_DHE_DSS_WITH_AES_128_SHA,
TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
SSL_kDHE,
SSL_aDSS,
SSL_AES128,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
TLS1_RFC_DHE_RSA_WITH_AES_128_SHA,
TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
SSL_kDHE,
SSL_aRSA,
SSL_AES128,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_ADH_WITH_AES_128_SHA,
TLS1_RFC_ADH_WITH_AES_128_SHA,
TLS1_CK_ADH_WITH_AES_128_SHA,
SSL_kDHE,
SSL_aNULL,
SSL_AES128,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_RSA_WITH_AES_256_SHA,
TLS1_RFC_RSA_WITH_AES_256_SHA,
TLS1_CK_RSA_WITH_AES_256_SHA,
SSL_kRSA,
SSL_aRSA,
SSL_AES256,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
{
1,
TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
TLS1_RFC_DHE_DSS_WITH_AES_256_SHA,
TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
SSL_kDHE,
SSL_aDSS,
SSL_AES256,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
{
1,
TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
TLS1_RFC_DHE_RSA_WITH_AES_256_SHA,
TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
SSL_kDHE,
SSL_aRSA,
SSL_AES256,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
{
1,
TLS1_TXT_ADH_WITH_AES_256_SHA,
TLS1_RFC_ADH_WITH_AES_256_SHA,
TLS1_CK_ADH_WITH_AES_256_SHA,
SSL_kDHE,
SSL_aNULL,
SSL_AES256,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
{
1,
TLS1_TXT_RSA_WITH_NULL_SHA256,
TLS1_RFC_RSA_WITH_NULL_SHA256,
TLS1_CK_RSA_WITH_NULL_SHA256,
SSL_kRSA,
SSL_aRSA,
SSL_eNULL,
SSL_SHA256,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
},
{
1,
TLS1_TXT_RSA_WITH_AES_128_SHA256,
TLS1_RFC_RSA_WITH_AES_128_SHA256,
TLS1_CK_RSA_WITH_AES_128_SHA256,
SSL_kRSA,
SSL_aRSA,
SSL_AES128,
SSL_SHA256,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_RSA_WITH_AES_256_SHA256,
TLS1_RFC_RSA_WITH_AES_256_SHA256,
TLS1_CK_RSA_WITH_AES_256_SHA256,
SSL_kRSA,
SSL_aRSA,
SSL_AES256,
SSL_SHA256,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
{
1,
TLS1_TXT_DHE_DSS_WITH_AES_128_SHA256,
TLS1_RFC_DHE_DSS_WITH_AES_128_SHA256,
TLS1_CK_DHE_DSS_WITH_AES_128_SHA256,
SSL_kDHE,
SSL_aDSS,
SSL_AES128,
SSL_SHA256,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256,
TLS1_RFC_DHE_RSA_WITH_AES_128_SHA256,
TLS1_CK_DHE_RSA_WITH_AES_128_SHA256,
SSL_kDHE,
SSL_aRSA,
SSL_AES128,
SSL_SHA256,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_DHE_DSS_WITH_AES_256_SHA256,
TLS1_RFC_DHE_DSS_WITH_AES_256_SHA256,
TLS1_CK_DHE_DSS_WITH_AES_256_SHA256,
SSL_kDHE,
SSL_aDSS,
SSL_AES256,
SSL_SHA256,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
{
1,
TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256,
TLS1_RFC_DHE_RSA_WITH_AES_256_SHA256,
TLS1_CK_DHE_RSA_WITH_AES_256_SHA256,
SSL_kDHE,
SSL_aRSA,
SSL_AES256,
SSL_SHA256,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
{
1,
TLS1_TXT_ADH_WITH_AES_128_SHA256,
TLS1_RFC_ADH_WITH_AES_128_SHA256,
TLS1_CK_ADH_WITH_AES_128_SHA256,
SSL_kDHE,
SSL_aNULL,
SSL_AES128,
SSL_SHA256,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_ADH_WITH_AES_256_SHA256,
TLS1_RFC_ADH_WITH_AES_256_SHA256,
TLS1_CK_ADH_WITH_AES_256_SHA256,
SSL_kDHE,
SSL_aNULL,
SSL_AES256,
SSL_SHA256,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
{
1,
TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
TLS1_RFC_RSA_WITH_AES_128_GCM_SHA256,
TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
SSL_kRSA,
SSL_aRSA,
SSL_AES128GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
TLS1_RFC_RSA_WITH_AES_256_GCM_SHA384,
TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
SSL_kRSA,
SSL_aRSA,
SSL_AES256GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS1_RFC_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256,
SSL_kDHE,
SSL_aRSA,
SSL_AES128GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS1_RFC_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384,
SSL_kDHE,
SSL_aRSA,
SSL_AES256GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS1_RFC_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS1_CK_DHE_DSS_WITH_AES_128_GCM_SHA256,
SSL_kDHE,
SSL_aDSS,
SSL_AES128GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_DHE_DSS_WITH_AES_256_GCM_SHA384,
TLS1_RFC_DHE_DSS_WITH_AES_256_GCM_SHA384,
TLS1_CK_DHE_DSS_WITH_AES_256_GCM_SHA384,
SSL_kDHE,
SSL_aDSS,
SSL_AES256GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256,
TLS1_RFC_ADH_WITH_AES_128_GCM_SHA256,
TLS1_CK_ADH_WITH_AES_128_GCM_SHA256,
SSL_kDHE,
SSL_aNULL,
SSL_AES128GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384,
TLS1_RFC_ADH_WITH_AES_256_GCM_SHA384,
TLS1_CK_ADH_WITH_AES_256_GCM_SHA384,
SSL_kDHE,
SSL_aNULL,
SSL_AES256GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_RSA_WITH_AES_128_CCM,
TLS1_RFC_RSA_WITH_AES_128_CCM,
TLS1_CK_RSA_WITH_AES_128_CCM,
SSL_kRSA,
SSL_aRSA,
SSL_AES128CCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_RSA_WITH_AES_256_CCM,
TLS1_RFC_RSA_WITH_AES_256_CCM,
TLS1_CK_RSA_WITH_AES_256_CCM,
SSL_kRSA,
SSL_aRSA,
SSL_AES256CCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
},
{
1,
TLS1_TXT_DHE_RSA_WITH_AES_128_CCM,
TLS1_RFC_DHE_RSA_WITH_AES_128_CCM,
TLS1_CK_DHE_RSA_WITH_AES_128_CCM,
SSL_kDHE,
SSL_aRSA,
SSL_AES128CCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_DHE_RSA_WITH_AES_256_CCM,
TLS1_RFC_DHE_RSA_WITH_AES_256_CCM,
TLS1_CK_DHE_RSA_WITH_AES_256_CCM,
SSL_kDHE,
SSL_aRSA,
SSL_AES256CCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
},
{
1,
TLS1_TXT_RSA_WITH_AES_128_CCM_8,
TLS1_RFC_RSA_WITH_AES_128_CCM_8,
TLS1_CK_RSA_WITH_AES_128_CCM_8,
SSL_kRSA,
SSL_aRSA,
SSL_AES128CCM8,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_RSA_WITH_AES_256_CCM_8,
TLS1_RFC_RSA_WITH_AES_256_CCM_8,
TLS1_CK_RSA_WITH_AES_256_CCM_8,
SSL_kRSA,
SSL_aRSA,
SSL_AES256CCM8,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
},
{
1,
TLS1_TXT_DHE_RSA_WITH_AES_128_CCM_8,
TLS1_RFC_DHE_RSA_WITH_AES_128_CCM_8,
TLS1_CK_DHE_RSA_WITH_AES_128_CCM_8,
SSL_kDHE,
SSL_aRSA,
SSL_AES128CCM8,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_DHE_RSA_WITH_AES_256_CCM_8,
TLS1_RFC_DHE_RSA_WITH_AES_256_CCM_8,
TLS1_CK_DHE_RSA_WITH_AES_256_CCM_8,
SSL_kDHE,
SSL_aRSA,
SSL_AES256CCM8,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
},
{
1,
TLS1_TXT_PSK_WITH_AES_128_CCM,
TLS1_RFC_PSK_WITH_AES_128_CCM,
TLS1_CK_PSK_WITH_AES_128_CCM,
SSL_kPSK,
SSL_aPSK,
SSL_AES128CCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_PSK_WITH_AES_256_CCM,
TLS1_RFC_PSK_WITH_AES_256_CCM,
TLS1_CK_PSK_WITH_AES_256_CCM,
SSL_kPSK,
SSL_aPSK,
SSL_AES256CCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
},
{
1,
TLS1_TXT_DHE_PSK_WITH_AES_128_CCM,
TLS1_RFC_DHE_PSK_WITH_AES_128_CCM,
TLS1_CK_DHE_PSK_WITH_AES_128_CCM,
SSL_kDHEPSK,
SSL_aPSK,
SSL_AES128CCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_DHE_PSK_WITH_AES_256_CCM,
TLS1_RFC_DHE_PSK_WITH_AES_256_CCM,
TLS1_CK_DHE_PSK_WITH_AES_256_CCM,
SSL_kDHEPSK,
SSL_aPSK,
SSL_AES256CCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
},
{
1,
TLS1_TXT_PSK_WITH_AES_128_CCM_8,
TLS1_RFC_PSK_WITH_AES_128_CCM_8,
TLS1_CK_PSK_WITH_AES_128_CCM_8,
SSL_kPSK,
SSL_aPSK,
SSL_AES128CCM8,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_PSK_WITH_AES_256_CCM_8,
TLS1_RFC_PSK_WITH_AES_256_CCM_8,
TLS1_CK_PSK_WITH_AES_256_CCM_8,
SSL_kPSK,
SSL_aPSK,
SSL_AES256CCM8,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
},
{
1,
TLS1_TXT_DHE_PSK_WITH_AES_128_CCM_8,
TLS1_RFC_DHE_PSK_WITH_AES_128_CCM_8,
TLS1_CK_DHE_PSK_WITH_AES_128_CCM_8,
SSL_kDHEPSK,
SSL_aPSK,
SSL_AES128CCM8,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_DHE_PSK_WITH_AES_256_CCM_8,
TLS1_RFC_DHE_PSK_WITH_AES_256_CCM_8,
TLS1_CK_DHE_PSK_WITH_AES_256_CCM_8,
SSL_kDHEPSK,
SSL_aPSK,
SSL_AES256CCM8,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
},
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM,
TLS1_RFC_ECDHE_ECDSA_WITH_AES_128_CCM,
TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CCM,
SSL_kECDHE,
SSL_aECDSA,
SSL_AES128CCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CCM,
TLS1_RFC_ECDHE_ECDSA_WITH_AES_256_CCM,
TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CCM,
SSL_kECDHE,
SSL_aECDSA,
SSL_AES256CCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
},
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CCM_8,
TLS1_RFC_ECDHE_ECDSA_WITH_AES_128_CCM_8,
TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CCM_8,
SSL_kECDHE,
SSL_aECDSA,
SSL_AES128CCM8,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CCM_8,
TLS1_RFC_ECDHE_ECDSA_WITH_AES_256_CCM_8,
TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CCM_8,
SSL_kECDHE,
SSL_aECDSA,
SSL_AES256CCM8,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
},
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA,
TLS1_RFC_ECDHE_ECDSA_WITH_NULL_SHA,
TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA,
SSL_kECDHE,
SSL_aECDSA,
SSL_eNULL,
SSL_SHA1,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
},
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
TLS1_RFC_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA,
SSL_kECDHE,
SSL_aECDSA,
SSL_3DES,
SSL_SHA1,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
},
# endif
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS1_RFC_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
SSL_kECDHE,
SSL_aECDSA,
SSL_AES128,
SSL_SHA1,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS1_RFC_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
SSL_kECDHE,
SSL_aECDSA,
SSL_AES256,
SSL_SHA1,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
{
1,
TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA,
TLS1_RFC_ECDHE_RSA_WITH_NULL_SHA,
TLS1_CK_ECDHE_RSA_WITH_NULL_SHA,
SSL_kECDHE,
SSL_aRSA,
SSL_eNULL,
SSL_SHA1,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
},
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
TLS1_RFC_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA,
SSL_kECDHE,
SSL_aRSA,
SSL_3DES,
SSL_SHA1,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
},
# endif
{
1,
TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS1_RFC_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
SSL_kECDHE,
SSL_aRSA,
SSL_AES128,
SSL_SHA1,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS1_RFC_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
SSL_kECDHE,
SSL_aRSA,
SSL_AES256,
SSL_SHA1,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
{
1,
TLS1_TXT_ECDH_anon_WITH_NULL_SHA,
TLS1_RFC_ECDH_anon_WITH_NULL_SHA,
TLS1_CK_ECDH_anon_WITH_NULL_SHA,
SSL_kECDHE,
SSL_aNULL,
SSL_eNULL,
SSL_SHA1,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
},
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA,
TLS1_RFC_ECDH_anon_WITH_DES_192_CBC3_SHA,
TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA,
SSL_kECDHE,
SSL_aNULL,
SSL_3DES,
SSL_SHA1,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
},
# endif
{
1,
TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA,
TLS1_RFC_ECDH_anon_WITH_AES_128_CBC_SHA,
TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA,
SSL_kECDHE,
SSL_aNULL,
SSL_AES128,
SSL_SHA1,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA,
TLS1_RFC_ECDH_anon_WITH_AES_256_CBC_SHA,
TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA,
SSL_kECDHE,
SSL_aNULL,
SSL_AES256,
SSL_SHA1,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
TLS1_RFC_ECDHE_ECDSA_WITH_AES_128_SHA256,
TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256,
SSL_kECDHE,
SSL_aECDSA,
SSL_AES128,
SSL_SHA256,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
TLS1_RFC_ECDHE_ECDSA_WITH_AES_256_SHA384,
TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384,
SSL_kECDHE,
SSL_aECDSA,
SSL_AES256,
SSL_SHA384,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
TLS1_RFC_ECDHE_RSA_WITH_AES_128_SHA256,
TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256,
SSL_kECDHE,
SSL_aRSA,
SSL_AES128,
SSL_SHA256,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
TLS1_RFC_ECDHE_RSA_WITH_AES_256_SHA384,
TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384,
SSL_kECDHE,
SSL_aRSA,
SSL_AES256,
SSL_SHA384,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS1_RFC_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
SSL_kECDHE,
SSL_aECDSA,
SSL_AES128GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS1_RFC_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
SSL_kECDHE,
SSL_aECDSA,
SSL_AES256GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS1_RFC_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
SSL_kECDHE,
SSL_aRSA,
SSL_AES128GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS1_RFC_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
SSL_kECDHE,
SSL_aRSA,
SSL_AES256GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_PSK_WITH_NULL_SHA,
TLS1_RFC_PSK_WITH_NULL_SHA,
TLS1_CK_PSK_WITH_NULL_SHA,
SSL_kPSK,
SSL_aPSK,
SSL_eNULL,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
},
{
1,
TLS1_TXT_DHE_PSK_WITH_NULL_SHA,
TLS1_RFC_DHE_PSK_WITH_NULL_SHA,
TLS1_CK_DHE_PSK_WITH_NULL_SHA,
SSL_kDHEPSK,
SSL_aPSK,
SSL_eNULL,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
},
{
1,
TLS1_TXT_RSA_PSK_WITH_NULL_SHA,
TLS1_RFC_RSA_PSK_WITH_NULL_SHA,
TLS1_CK_RSA_PSK_WITH_NULL_SHA,
SSL_kRSAPSK,
SSL_aRSA,
SSL_eNULL,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
},
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_PSK_WITH_3DES_EDE_CBC_SHA,
TLS1_RFC_PSK_WITH_3DES_EDE_CBC_SHA,
TLS1_CK_PSK_WITH_3DES_EDE_CBC_SHA,
SSL_kPSK,
SSL_aPSK,
SSL_3DES,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
},
# endif
{
1,
TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
TLS1_RFC_PSK_WITH_AES_128_CBC_SHA,
TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
SSL_kPSK,
SSL_aPSK,
SSL_AES128,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
TLS1_RFC_PSK_WITH_AES_256_CBC_SHA,
TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
SSL_kPSK,
SSL_aPSK,
SSL_AES256,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
TLS1_RFC_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
TLS1_CK_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
SSL_kDHEPSK,
SSL_aPSK,
SSL_3DES,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
},
# endif
{
1,
TLS1_TXT_DHE_PSK_WITH_AES_128_CBC_SHA,
TLS1_RFC_DHE_PSK_WITH_AES_128_CBC_SHA,
TLS1_CK_DHE_PSK_WITH_AES_128_CBC_SHA,
SSL_kDHEPSK,
SSL_aPSK,
SSL_AES128,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_DHE_PSK_WITH_AES_256_CBC_SHA,
TLS1_RFC_DHE_PSK_WITH_AES_256_CBC_SHA,
TLS1_CK_DHE_PSK_WITH_AES_256_CBC_SHA,
SSL_kDHEPSK,
SSL_aPSK,
SSL_AES256,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
TLS1_RFC_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
TLS1_CK_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
SSL_kRSAPSK,
SSL_aRSA,
SSL_3DES,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
},
# endif
{
1,
TLS1_TXT_RSA_PSK_WITH_AES_128_CBC_SHA,
TLS1_RFC_RSA_PSK_WITH_AES_128_CBC_SHA,
TLS1_CK_RSA_PSK_WITH_AES_128_CBC_SHA,
SSL_kRSAPSK,
SSL_aRSA,
SSL_AES128,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_RSA_PSK_WITH_AES_256_CBC_SHA,
TLS1_RFC_RSA_PSK_WITH_AES_256_CBC_SHA,
TLS1_CK_RSA_PSK_WITH_AES_256_CBC_SHA,
SSL_kRSAPSK,
SSL_aRSA,
SSL_AES256,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
{
1,
TLS1_TXT_PSK_WITH_AES_128_GCM_SHA256,
TLS1_RFC_PSK_WITH_AES_128_GCM_SHA256,
TLS1_CK_PSK_WITH_AES_128_GCM_SHA256,
SSL_kPSK,
SSL_aPSK,
SSL_AES128GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_PSK_WITH_AES_256_GCM_SHA384,
TLS1_RFC_PSK_WITH_AES_256_GCM_SHA384,
TLS1_CK_PSK_WITH_AES_256_GCM_SHA384,
SSL_kPSK,
SSL_aPSK,
SSL_AES256GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_DHE_PSK_WITH_AES_128_GCM_SHA256,
TLS1_RFC_DHE_PSK_WITH_AES_128_GCM_SHA256,
TLS1_CK_DHE_PSK_WITH_AES_128_GCM_SHA256,
SSL_kDHEPSK,
SSL_aPSK,
SSL_AES128GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_DHE_PSK_WITH_AES_256_GCM_SHA384,
TLS1_RFC_DHE_PSK_WITH_AES_256_GCM_SHA384,
TLS1_CK_DHE_PSK_WITH_AES_256_GCM_SHA384,
SSL_kDHEPSK,
SSL_aPSK,
SSL_AES256GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_RSA_PSK_WITH_AES_128_GCM_SHA256,
TLS1_RFC_RSA_PSK_WITH_AES_128_GCM_SHA256,
TLS1_CK_RSA_PSK_WITH_AES_128_GCM_SHA256,
SSL_kRSAPSK,
SSL_aRSA,
SSL_AES128GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_RSA_PSK_WITH_AES_256_GCM_SHA384,
TLS1_RFC_RSA_PSK_WITH_AES_256_GCM_SHA384,
TLS1_CK_RSA_PSK_WITH_AES_256_GCM_SHA384,
SSL_kRSAPSK,
SSL_aRSA,
SSL_AES256GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_PSK_WITH_AES_128_CBC_SHA256,
TLS1_RFC_PSK_WITH_AES_128_CBC_SHA256,
TLS1_CK_PSK_WITH_AES_128_CBC_SHA256,
SSL_kPSK,
SSL_aPSK,
SSL_AES128,
SSL_SHA256,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_PSK_WITH_AES_256_CBC_SHA384,
TLS1_RFC_PSK_WITH_AES_256_CBC_SHA384,
TLS1_CK_PSK_WITH_AES_256_CBC_SHA384,
SSL_kPSK,
SSL_aPSK,
SSL_AES256,
SSL_SHA384,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_PSK_WITH_NULL_SHA256,
TLS1_RFC_PSK_WITH_NULL_SHA256,
TLS1_CK_PSK_WITH_NULL_SHA256,
SSL_kPSK,
SSL_aPSK,
SSL_eNULL,
SSL_SHA256,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
},
{
1,
TLS1_TXT_PSK_WITH_NULL_SHA384,
TLS1_RFC_PSK_WITH_NULL_SHA384,
TLS1_CK_PSK_WITH_NULL_SHA384,
SSL_kPSK,
SSL_aPSK,
SSL_eNULL,
SSL_SHA384,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
0,
0,
},
{
1,
TLS1_TXT_DHE_PSK_WITH_AES_128_CBC_SHA256,
TLS1_RFC_DHE_PSK_WITH_AES_128_CBC_SHA256,
TLS1_CK_DHE_PSK_WITH_AES_128_CBC_SHA256,
SSL_kDHEPSK,
SSL_aPSK,
SSL_AES128,
SSL_SHA256,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_DHE_PSK_WITH_AES_256_CBC_SHA384,
TLS1_RFC_DHE_PSK_WITH_AES_256_CBC_SHA384,
TLS1_CK_DHE_PSK_WITH_AES_256_CBC_SHA384,
SSL_kDHEPSK,
SSL_aPSK,
SSL_AES256,
SSL_SHA384,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_DHE_PSK_WITH_NULL_SHA256,
TLS1_RFC_DHE_PSK_WITH_NULL_SHA256,
TLS1_CK_DHE_PSK_WITH_NULL_SHA256,
SSL_kDHEPSK,
SSL_aPSK,
SSL_eNULL,
SSL_SHA256,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
},
{
1,
TLS1_TXT_DHE_PSK_WITH_NULL_SHA384,
TLS1_RFC_DHE_PSK_WITH_NULL_SHA384,
TLS1_CK_DHE_PSK_WITH_NULL_SHA384,
SSL_kDHEPSK,
SSL_aPSK,
SSL_eNULL,
SSL_SHA384,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
0,
0,
},
{
1,
TLS1_TXT_RSA_PSK_WITH_AES_128_CBC_SHA256,
TLS1_RFC_RSA_PSK_WITH_AES_128_CBC_SHA256,
TLS1_CK_RSA_PSK_WITH_AES_128_CBC_SHA256,
SSL_kRSAPSK,
SSL_aRSA,
SSL_AES128,
SSL_SHA256,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_RSA_PSK_WITH_AES_256_CBC_SHA384,
TLS1_RFC_RSA_PSK_WITH_AES_256_CBC_SHA384,
TLS1_CK_RSA_PSK_WITH_AES_256_CBC_SHA384,
SSL_kRSAPSK,
SSL_aRSA,
SSL_AES256,
SSL_SHA384,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_RSA_PSK_WITH_NULL_SHA256,
TLS1_RFC_RSA_PSK_WITH_NULL_SHA256,
TLS1_CK_RSA_PSK_WITH_NULL_SHA256,
SSL_kRSAPSK,
SSL_aRSA,
SSL_eNULL,
SSL_SHA256,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
},
{
1,
TLS1_TXT_RSA_PSK_WITH_NULL_SHA384,
TLS1_RFC_RSA_PSK_WITH_NULL_SHA384,
TLS1_CK_RSA_PSK_WITH_NULL_SHA384,
SSL_kRSAPSK,
SSL_aRSA,
SSL_eNULL,
SSL_SHA384,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
0,
0,
},
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
TLS1_RFC_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
TLS1_CK_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
SSL_kECDHEPSK,
SSL_aPSK,
SSL_3DES,
SSL_SHA1,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
},
# endif
{
1,
TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
TLS1_RFC_ECDHE_PSK_WITH_AES_128_CBC_SHA,
TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
SSL_kECDHEPSK,
SSL_aPSK,
SSL_AES128,
SSL_SHA1,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,
TLS1_RFC_ECDHE_PSK_WITH_AES_256_CBC_SHA,
TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA,
SSL_kECDHEPSK,
SSL_aPSK,
SSL_AES256,
SSL_SHA1,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
{
1,
TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
TLS1_RFC_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
SSL_kECDHEPSK,
SSL_aPSK,
SSL_AES128,
SSL_SHA256,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
TLS1_RFC_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
SSL_kECDHEPSK,
SSL_aPSK,
SSL_AES256,
SSL_SHA384,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_ECDHE_PSK_WITH_NULL_SHA,
TLS1_RFC_ECDHE_PSK_WITH_NULL_SHA,
TLS1_CK_ECDHE_PSK_WITH_NULL_SHA,
SSL_kECDHEPSK,
SSL_aPSK,
SSL_eNULL,
SSL_SHA1,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
},
{
1,
TLS1_TXT_ECDHE_PSK_WITH_NULL_SHA256,
TLS1_RFC_ECDHE_PSK_WITH_NULL_SHA256,
TLS1_CK_ECDHE_PSK_WITH_NULL_SHA256,
SSL_kECDHEPSK,
SSL_aPSK,
SSL_eNULL,
SSL_SHA256,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
0,
0,
},
{
1,
TLS1_TXT_ECDHE_PSK_WITH_NULL_SHA384,
TLS1_RFC_ECDHE_PSK_WITH_NULL_SHA384,
TLS1_CK_ECDHE_PSK_WITH_NULL_SHA384,
SSL_kECDHEPSK,
SSL_aPSK,
SSL_eNULL,
SSL_SHA384,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_STRONG_NONE | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
0,
0,
},
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
TLS1_TXT_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
TLS1_RFC_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
TLS1_CK_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
SSL_kSRP,
SSL_aSRP,
SSL_3DES,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
},
{
1,
TLS1_TXT_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
TLS1_RFC_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
TLS1_CK_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_kSRP,
SSL_aRSA,
SSL_3DES,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
},
{
1,
TLS1_TXT_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
TLS1_RFC_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
TLS1_CK_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_kSRP,
SSL_aDSS,
SSL_3DES,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
},
# endif
{
1,
TLS1_TXT_SRP_SHA_WITH_AES_128_CBC_SHA,
TLS1_RFC_SRP_SHA_WITH_AES_128_CBC_SHA,
TLS1_CK_SRP_SHA_WITH_AES_128_CBC_SHA,
SSL_kSRP,
SSL_aSRP,
SSL_AES128,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
TLS1_RFC_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
TLS1_CK_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
SSL_kSRP,
SSL_aRSA,
SSL_AES128,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
TLS1_RFC_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
TLS1_CK_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
SSL_kSRP,
SSL_aDSS,
SSL_AES128,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_SRP_SHA_WITH_AES_256_CBC_SHA,
TLS1_RFC_SRP_SHA_WITH_AES_256_CBC_SHA,
TLS1_CK_SRP_SHA_WITH_AES_256_CBC_SHA,
SSL_kSRP,
SSL_aSRP,
SSL_AES256,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
{
1,
TLS1_TXT_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
TLS1_RFC_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
TLS1_CK_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
SSL_kSRP,
SSL_aRSA,
SSL_AES256,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
{
1,
TLS1_TXT_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
TLS1_RFC_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
TLS1_CK_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
SSL_kSRP,
SSL_aDSS,
SSL_AES256,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
{
1,
TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305,
TLS1_RFC_DHE_RSA_WITH_CHACHA20_POLY1305,
TLS1_CK_DHE_RSA_WITH_CHACHA20_POLY1305,
SSL_kDHE,
SSL_aRSA,
SSL_CHACHA20POLY1305,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
},
{
1,
TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305,
TLS1_RFC_ECDHE_RSA_WITH_CHACHA20_POLY1305,
TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305,
SSL_kECDHE,
SSL_aRSA,
SSL_CHACHA20POLY1305,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
},
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
TLS1_RFC_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
SSL_kECDHE,
SSL_aECDSA,
SSL_CHACHA20POLY1305,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
},
{
1,
TLS1_TXT_PSK_WITH_CHACHA20_POLY1305,
TLS1_RFC_PSK_WITH_CHACHA20_POLY1305,
TLS1_CK_PSK_WITH_CHACHA20_POLY1305,
SSL_kPSK,
SSL_aPSK,
SSL_CHACHA20POLY1305,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
},
{
1,
TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305,
TLS1_RFC_ECDHE_PSK_WITH_CHACHA20_POLY1305,
TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305,
SSL_kECDHEPSK,
SSL_aPSK,
SSL_CHACHA20POLY1305,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
},
{
1,
TLS1_TXT_DHE_PSK_WITH_CHACHA20_POLY1305,
TLS1_RFC_DHE_PSK_WITH_CHACHA20_POLY1305,
TLS1_CK_DHE_PSK_WITH_CHACHA20_POLY1305,
SSL_kDHEPSK,
SSL_aPSK,
SSL_CHACHA20POLY1305,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
},
{
1,
TLS1_TXT_RSA_PSK_WITH_CHACHA20_POLY1305,
TLS1_RFC_RSA_PSK_WITH_CHACHA20_POLY1305,
TLS1_CK_RSA_PSK_WITH_CHACHA20_POLY1305,
SSL_kRSAPSK,
SSL_aRSA,
SSL_CHACHA20POLY1305,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
},
#endif /* !defined(OPENSSL_NO_CHACHA) &&
* !defined(OPENSSL_NO_POLY1305) */
#ifndef OPENSSL_NO_CAMELLIA
{
1,
TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_RFC_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA256,
SSL_kRSA,
SSL_aRSA,
SSL_CAMELLIA128,
SSL_SHA256,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_RFC_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
- SSL_kEDH,
+ SSL_kDHE,
SSL_aDSS,
SSL_CAMELLIA128,
SSL_SHA256,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_RFC_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
- SSL_kEDH,
+ SSL_kDHE,
SSL_aRSA,
SSL_CAMELLIA128,
SSL_SHA256,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_RFC_ADH_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA256,
- SSL_kEDH,
+ SSL_kDHE,
SSL_aNULL,
SSL_CAMELLIA128,
SSL_SHA256,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA256,
TLS1_RFC_RSA_WITH_CAMELLIA_256_CBC_SHA256,
TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA256,
SSL_kRSA,
SSL_aRSA,
SSL_CAMELLIA256,
SSL_SHA256,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
},
{
1,
TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
TLS1_RFC_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
- SSL_kEDH,
+ SSL_kDHE,
SSL_aDSS,
SSL_CAMELLIA256,
SSL_SHA256,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
},
{
1,
TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
TLS1_RFC_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
- SSL_kEDH,
+ SSL_kDHE,
SSL_aRSA,
SSL_CAMELLIA256,
SSL_SHA256,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
},
{
1,
TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA256,
TLS1_RFC_ADH_WITH_CAMELLIA_256_CBC_SHA256,
TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256,
- SSL_kEDH,
+ SSL_kDHE,
SSL_aNULL,
SSL_CAMELLIA256,
SSL_SHA256,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
256,
256,
},
{
1,
TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA,
TLS1_RFC_RSA_WITH_CAMELLIA_256_CBC_SHA,
TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA,
SSL_kRSA,
SSL_aRSA,
SSL_CAMELLIA256,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
{
1,
TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
TLS1_RFC_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
SSL_kDHE,
SSL_aDSS,
SSL_CAMELLIA256,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
{
1,
TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
TLS1_RFC_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
SSL_kDHE,
SSL_aRSA,
SSL_CAMELLIA256,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
{
1,
TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA,
TLS1_RFC_ADH_WITH_CAMELLIA_256_CBC_SHA,
TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA,
SSL_kDHE,
SSL_aNULL,
SSL_CAMELLIA256,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
},
{
1,
TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA,
TLS1_RFC_RSA_WITH_CAMELLIA_128_CBC_SHA,
TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA,
SSL_kRSA,
SSL_aRSA,
SSL_CAMELLIA128,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
TLS1_RFC_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
SSL_kDHE,
SSL_aDSS,
SSL_CAMELLIA128,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
TLS1_RFC_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
SSL_kDHE,
SSL_aRSA,
SSL_CAMELLIA128,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA,
TLS1_RFC_ADH_WITH_CAMELLIA_128_CBC_SHA,
TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA,
SSL_kDHE,
SSL_aNULL,
SSL_CAMELLIA128,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_RFC_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_CK_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
SSL_kECDHE,
SSL_aECDSA,
SSL_CAMELLIA128,
SSL_SHA256,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS1_RFC_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS1_CK_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
SSL_kECDHE,
SSL_aECDSA,
SSL_CAMELLIA256,
SSL_SHA384,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_RFC_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_CK_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
SSL_kECDHE,
SSL_aRSA,
SSL_CAMELLIA128,
SSL_SHA256,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS1_RFC_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
TLS1_CK_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
SSL_kECDHE,
SSL_aRSA,
SSL_CAMELLIA256,
SSL_SHA384,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_PSK_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_RFC_PSK_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_CK_PSK_WITH_CAMELLIA_128_CBC_SHA256,
SSL_kPSK,
SSL_aPSK,
SSL_CAMELLIA128,
SSL_SHA256,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_PSK_WITH_CAMELLIA_256_CBC_SHA384,
TLS1_RFC_PSK_WITH_CAMELLIA_256_CBC_SHA384,
TLS1_CK_PSK_WITH_CAMELLIA_256_CBC_SHA384,
SSL_kPSK,
SSL_aPSK,
SSL_CAMELLIA256,
SSL_SHA384,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_RFC_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_CK_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
SSL_kDHEPSK,
SSL_aPSK,
SSL_CAMELLIA128,
SSL_SHA256,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
TLS1_RFC_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
TLS1_CK_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
SSL_kDHEPSK,
SSL_aPSK,
SSL_CAMELLIA256,
SSL_SHA384,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_RFC_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_CK_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,
SSL_kRSAPSK,
SSL_aRSA,
SSL_CAMELLIA128,
SSL_SHA256,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384,
TLS1_RFC_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384,
TLS1_CK_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384,
SSL_kRSAPSK,
SSL_aRSA,
SSL_CAMELLIA256,
SSL_SHA384,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_RFC_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
TLS1_CK_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
SSL_kECDHEPSK,
SSL_aPSK,
SSL_CAMELLIA128,
SSL_SHA256,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
TLS1_RFC_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
TLS1_CK_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
SSL_kECDHEPSK,
SSL_aPSK,
SSL_CAMELLIA256,
SSL_SHA384,
TLS1_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
#endif /* OPENSSL_NO_CAMELLIA */
#ifndef OPENSSL_NO_GOST
{
1,
"GOST2001-GOST89-GOST89",
"TLS_GOSTR341001_WITH_28147_CNT_IMIT",
0x3000081,
SSL_kGOST,
SSL_aGOST01,
SSL_eGOST2814789CNT,
SSL_GOST89MAC,
TLS1_VERSION, TLS1_2_VERSION,
0, 0,
SSL_HIGH,
SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94 | TLS1_STREAM_MAC,
256,
256,
},
{
1,
"GOST2001-NULL-GOST94",
"TLS_GOSTR341001_WITH_NULL_GOSTR3411",
0x3000083,
SSL_kGOST,
SSL_aGOST01,
SSL_eNULL,
SSL_GOST94,
TLS1_VERSION, TLS1_2_VERSION,
0, 0,
SSL_STRONG_NONE,
SSL_HANDSHAKE_MAC_GOST94 | TLS1_PRF_GOST94,
0,
0,
},
{
1,
"GOST2012-GOST8912-GOST8912",
NULL,
0x0300ff85,
SSL_kGOST,
SSL_aGOST12 | SSL_aGOST01,
SSL_eGOST2814789CNT12,
SSL_GOST89MAC12,
TLS1_VERSION, TLS1_2_VERSION,
0, 0,
SSL_HIGH,
SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
256,
256,
},
{
1,
"GOST2012-NULL-GOST12",
NULL,
0x0300ff87,
SSL_kGOST,
SSL_aGOST12 | SSL_aGOST01,
SSL_eNULL,
SSL_GOST12_256,
TLS1_VERSION, TLS1_2_VERSION,
0, 0,
SSL_STRONG_NONE,
SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC,
0,
0,
},
#endif /* OPENSSL_NO_GOST */
#ifndef OPENSSL_NO_IDEA
{
1,
SSL3_TXT_RSA_IDEA_128_SHA,
SSL3_RFC_RSA_IDEA_128_SHA,
SSL3_CK_RSA_IDEA_128_SHA,
SSL_kRSA,
SSL_aRSA,
SSL_IDEA,
SSL_SHA1,
SSL3_VERSION, TLS1_1_VERSION,
DTLS1_BAD_VER, DTLS1_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
#endif
#ifndef OPENSSL_NO_SEED
{
1,
TLS1_TXT_RSA_WITH_SEED_SHA,
TLS1_RFC_RSA_WITH_SEED_SHA,
TLS1_CK_RSA_WITH_SEED_SHA,
SSL_kRSA,
SSL_aRSA,
SSL_SEED,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_DHE_DSS_WITH_SEED_SHA,
TLS1_RFC_DHE_DSS_WITH_SEED_SHA,
TLS1_CK_DHE_DSS_WITH_SEED_SHA,
SSL_kDHE,
SSL_aDSS,
SSL_SEED,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_DHE_RSA_WITH_SEED_SHA,
TLS1_RFC_DHE_RSA_WITH_SEED_SHA,
TLS1_CK_DHE_RSA_WITH_SEED_SHA,
SSL_kDHE,
SSL_aRSA,
SSL_SEED,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_ADH_WITH_SEED_SHA,
TLS1_RFC_ADH_WITH_SEED_SHA,
TLS1_CK_ADH_WITH_SEED_SHA,
SSL_kDHE,
SSL_aNULL,
SSL_SEED,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
DTLS1_BAD_VER, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
#endif /* OPENSSL_NO_SEED */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{
1,
SSL3_TXT_RSA_RC4_128_MD5,
SSL3_RFC_RSA_RC4_128_MD5,
SSL3_CK_RSA_RC4_128_MD5,
SSL_kRSA,
SSL_aRSA,
SSL_RC4,
SSL_MD5,
SSL3_VERSION, TLS1_2_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
SSL3_TXT_RSA_RC4_128_SHA,
SSL3_RFC_RSA_RC4_128_SHA,
SSL3_CK_RSA_RC4_128_SHA,
SSL_kRSA,
SSL_aRSA,
SSL_RC4,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
SSL3_TXT_ADH_RC4_128_MD5,
SSL3_RFC_ADH_RC4_128_MD5,
SSL3_CK_ADH_RC4_128_MD5,
SSL_kDHE,
SSL_aNULL,
SSL_RC4,
SSL_MD5,
SSL3_VERSION, TLS1_2_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_ECDHE_PSK_WITH_RC4_128_SHA,
TLS1_RFC_ECDHE_PSK_WITH_RC4_128_SHA,
TLS1_CK_ECDHE_PSK_WITH_RC4_128_SHA,
SSL_kECDHEPSK,
SSL_aPSK,
SSL_RC4,
SSL_SHA1,
TLS1_VERSION, TLS1_2_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA,
TLS1_RFC_ECDH_anon_WITH_RC4_128_SHA,
TLS1_CK_ECDH_anon_WITH_RC4_128_SHA,
SSL_kECDHE,
SSL_aNULL,
SSL_RC4,
SSL_SHA1,
TLS1_VERSION, TLS1_2_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA,
TLS1_RFC_ECDHE_ECDSA_WITH_RC4_128_SHA,
TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA,
SSL_kECDHE,
SSL_aECDSA,
SSL_RC4,
SSL_SHA1,
TLS1_VERSION, TLS1_2_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA,
TLS1_RFC_ECDHE_RSA_WITH_RC4_128_SHA,
TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA,
SSL_kECDHE,
SSL_aRSA,
SSL_RC4,
SSL_SHA1,
TLS1_VERSION, TLS1_2_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_PSK_WITH_RC4_128_SHA,
TLS1_RFC_PSK_WITH_RC4_128_SHA,
TLS1_CK_PSK_WITH_RC4_128_SHA,
SSL_kPSK,
SSL_aPSK,
SSL_RC4,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_RSA_PSK_WITH_RC4_128_SHA,
TLS1_RFC_RSA_PSK_WITH_RC4_128_SHA,
TLS1_CK_RSA_PSK_WITH_RC4_128_SHA,
SSL_kRSAPSK,
SSL_aRSA,
SSL_RC4,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
{
1,
TLS1_TXT_DHE_PSK_WITH_RC4_128_SHA,
TLS1_RFC_DHE_PSK_WITH_RC4_128_SHA,
TLS1_CK_DHE_PSK_WITH_RC4_128_SHA,
SSL_kDHEPSK,
SSL_aPSK,
SSL_RC4,
SSL_SHA1,
SSL3_VERSION, TLS1_2_VERSION,
0, 0,
SSL_NOT_DEFAULT | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
},
#endif /* OPENSSL_NO_WEAK_SSL_CIPHERS */
#ifndef OPENSSL_NO_ARIA
{
1,
TLS1_TXT_RSA_WITH_ARIA_128_GCM_SHA256,
TLS1_RFC_RSA_WITH_ARIA_128_GCM_SHA256,
TLS1_CK_RSA_WITH_ARIA_128_GCM_SHA256,
SSL_kRSA,
SSL_aRSA,
SSL_ARIA128GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_RSA_WITH_ARIA_256_GCM_SHA384,
TLS1_RFC_RSA_WITH_ARIA_256_GCM_SHA384,
TLS1_CK_RSA_WITH_ARIA_256_GCM_SHA384,
SSL_kRSA,
SSL_aRSA,
SSL_ARIA256GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
TLS1_RFC_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
TLS1_CK_DHE_RSA_WITH_ARIA_128_GCM_SHA256,
SSL_kDHE,
SSL_aRSA,
SSL_ARIA128GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
TLS1_RFC_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
TLS1_CK_DHE_RSA_WITH_ARIA_256_GCM_SHA384,
SSL_kDHE,
SSL_aRSA,
SSL_ARIA256GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_DHE_DSS_WITH_ARIA_128_GCM_SHA256,
TLS1_RFC_DHE_DSS_WITH_ARIA_128_GCM_SHA256,
TLS1_CK_DHE_DSS_WITH_ARIA_128_GCM_SHA256,
SSL_kDHE,
SSL_aDSS,
SSL_ARIA128GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_DHE_DSS_WITH_ARIA_256_GCM_SHA384,
TLS1_RFC_DHE_DSS_WITH_ARIA_256_GCM_SHA384,
TLS1_CK_DHE_DSS_WITH_ARIA_256_GCM_SHA384,
SSL_kDHE,
SSL_aDSS,
SSL_ARIA256GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
TLS1_RFC_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
TLS1_CK_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256,
SSL_kECDHE,
SSL_aECDSA,
SSL_ARIA128GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
TLS1_RFC_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
TLS1_CK_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384,
SSL_kECDHE,
SSL_aECDSA,
SSL_ARIA256GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
TLS1_RFC_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
TLS1_CK_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,
SSL_kECDHE,
SSL_aRSA,
SSL_ARIA128GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
TLS1_RFC_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
TLS1_CK_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,
SSL_kECDHE,
SSL_aRSA,
SSL_ARIA256GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_PSK_WITH_ARIA_128_GCM_SHA256,
TLS1_RFC_PSK_WITH_ARIA_128_GCM_SHA256,
TLS1_CK_PSK_WITH_ARIA_128_GCM_SHA256,
SSL_kPSK,
SSL_aPSK,
SSL_ARIA128GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_PSK_WITH_ARIA_256_GCM_SHA384,
TLS1_RFC_PSK_WITH_ARIA_256_GCM_SHA384,
TLS1_CK_PSK_WITH_ARIA_256_GCM_SHA384,
SSL_kPSK,
SSL_aPSK,
SSL_ARIA256GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
TLS1_RFC_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
TLS1_CK_DHE_PSK_WITH_ARIA_128_GCM_SHA256,
SSL_kDHEPSK,
SSL_aPSK,
SSL_ARIA128GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
TLS1_RFC_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
TLS1_CK_DHE_PSK_WITH_ARIA_256_GCM_SHA384,
SSL_kDHEPSK,
SSL_aPSK,
SSL_ARIA256GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
{
1,
TLS1_TXT_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
TLS1_RFC_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
TLS1_CK_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
SSL_kRSAPSK,
SSL_aRSA,
SSL_ARIA128GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
},
{
1,
TLS1_TXT_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
TLS1_RFC_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
TLS1_CK_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
SSL_kRSAPSK,
SSL_aRSA,
SSL_ARIA256GCM,
SSL_AEAD,
TLS1_2_VERSION, TLS1_2_VERSION,
DTLS1_2_VERSION, DTLS1_2_VERSION,
SSL_NOT_DEFAULT | SSL_HIGH,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
},
#endif /* OPENSSL_NO_ARIA */
};
/*
* The list of known Signalling Cipher-Suite Value "ciphers", non-valid
* values stuffed into the ciphers field of the wire protocol for signalling
* purposes.
*/
static SSL_CIPHER ssl3_scsvs[] = {
{
0,
"TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
"TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
SSL3_CK_SCSV,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
},
{
0,
"TLS_FALLBACK_SCSV",
"TLS_FALLBACK_SCSV",
SSL3_CK_FALLBACK_SCSV,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
},
};
static int cipher_compare(const void *a, const void *b)
{
const SSL_CIPHER *ap = (const SSL_CIPHER *)a;
const SSL_CIPHER *bp = (const SSL_CIPHER *)b;
if (ap->id == bp->id)
return 0;
return ap->id < bp->id ? -1 : 1;
}
void ssl_sort_cipher_list(void)
{
qsort(tls13_ciphers, TLS13_NUM_CIPHERS, sizeof(tls13_ciphers[0]),
cipher_compare);
qsort(ssl3_ciphers, SSL3_NUM_CIPHERS, sizeof(ssl3_ciphers[0]),
cipher_compare);
qsort(ssl3_scsvs, SSL3_NUM_SCSVS, sizeof(ssl3_scsvs[0]), cipher_compare);
}
static int ssl_undefined_function_1(SSL *ssl, unsigned char *r, size_t s,
const char * t, size_t u,
const unsigned char * v, size_t w, int x)
{
(void)r;
(void)s;
(void)t;
(void)u;
(void)v;
(void)w;
(void)x;
return ssl_undefined_function(ssl);
}
const SSL3_ENC_METHOD SSLv3_enc_data = {
ssl3_enc,
n_ssl3_mac,
ssl3_setup_key_block,
ssl3_generate_master_secret,
ssl3_change_cipher_state,
ssl3_final_finish_mac,
SSL3_MD_CLIENT_FINISHED_CONST, 4,
SSL3_MD_SERVER_FINISHED_CONST, 4,
ssl3_alert_code,
ssl_undefined_function_1,
0,
ssl3_set_handshake_header,
tls_close_construct_packet,
ssl3_handshake_write
};
long ssl3_default_timeout(void)
{
/*
* 2 hours, the 24 hours mentioned in the SSLv3 spec is way too long for
* http, the cache would over fill
*/
return (60 * 60 * 2);
}
int ssl3_num_ciphers(void)
{
return SSL3_NUM_CIPHERS;
}
const SSL_CIPHER *ssl3_get_cipher(unsigned int u)
{
if (u < SSL3_NUM_CIPHERS)
return &(ssl3_ciphers[SSL3_NUM_CIPHERS - 1 - u]);
else
return NULL;
}
int ssl3_set_handshake_header(SSL *s, WPACKET *pkt, int htype)
{
/* No header in the event of a CCS */
if (htype == SSL3_MT_CHANGE_CIPHER_SPEC)
return 1;
/* Set the content type and 3 bytes for the message len */
if (!WPACKET_put_bytes_u8(pkt, htype)
|| !WPACKET_start_sub_packet_u24(pkt))
return 0;
return 1;
}
int ssl3_handshake_write(SSL *s)
{
return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
}
int ssl3_new(SSL *s)
{
SSL3_STATE *s3;
if ((s3 = OPENSSL_zalloc(sizeof(*s3))) == NULL)
goto err;
s->s3 = s3;
#ifndef OPENSSL_NO_SRP
if (!SSL_SRP_CTX_init(s))
goto err;
#endif
if (!s->method->ssl_clear(s))
return 0;
return 1;
err:
return 0;
}
void ssl3_free(SSL *s)
{
if (s == NULL || s->s3 == NULL)
return;
ssl3_cleanup_key_block(s);
#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
EVP_PKEY_free(s->s3->peer_tmp);
s->s3->peer_tmp = NULL;
EVP_PKEY_free(s->s3->tmp.pkey);
s->s3->tmp.pkey = NULL;
#endif
OPENSSL_free(s->s3->tmp.ctype);
sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
OPENSSL_free(s->s3->tmp.ciphers_raw);
OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen);
OPENSSL_free(s->s3->tmp.peer_sigalgs);
OPENSSL_free(s->s3->tmp.peer_cert_sigalgs);
ssl3_free_digest_list(s);
OPENSSL_free(s->s3->alpn_selected);
OPENSSL_free(s->s3->alpn_proposed);
#ifndef OPENSSL_NO_SRP
SSL_SRP_CTX_free(s);
#endif
OPENSSL_clear_free(s->s3, sizeof(*s->s3));
s->s3 = NULL;
}
int ssl3_clear(SSL *s)
{
ssl3_cleanup_key_block(s);
OPENSSL_free(s->s3->tmp.ctype);
sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
OPENSSL_free(s->s3->tmp.ciphers_raw);
OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen);
OPENSSL_free(s->s3->tmp.peer_sigalgs);
OPENSSL_free(s->s3->tmp.peer_cert_sigalgs);
#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
EVP_PKEY_free(s->s3->tmp.pkey);
EVP_PKEY_free(s->s3->peer_tmp);
#endif /* !OPENSSL_NO_EC */
ssl3_free_digest_list(s);
OPENSSL_free(s->s3->alpn_selected);
OPENSSL_free(s->s3->alpn_proposed);
/* NULL/zero-out everything in the s3 struct */
memset(s->s3, 0, sizeof(*s->s3));
if (!ssl_free_wbio_buffer(s))
return 0;
s->version = SSL3_VERSION;
#if !defined(OPENSSL_NO_NEXTPROTONEG)
OPENSSL_free(s->ext.npn);
s->ext.npn = NULL;
s->ext.npn_len = 0;
#endif
return 1;
}
#ifndef OPENSSL_NO_SRP
static char *srp_password_from_info_cb(SSL *s, void *arg)
{
return OPENSSL_strdup(s->srp_ctx.info);
}
#endif
static int ssl3_set_req_cert_type(CERT *c, const unsigned char *p, size_t len);
long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
{
int ret = 0;
switch (cmd) {
case SSL_CTRL_GET_CLIENT_CERT_REQUEST:
break;
case SSL_CTRL_GET_NUM_RENEGOTIATIONS:
ret = s->s3->num_renegotiations;
break;
case SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS:
ret = s->s3->num_renegotiations;
s->s3->num_renegotiations = 0;
break;
case SSL_CTRL_GET_TOTAL_RENEGOTIATIONS:
ret = s->s3->total_renegotiations;
break;
case SSL_CTRL_GET_FLAGS:
ret = (int)(s->s3->flags);
break;
#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH:
{
DH *dh = (DH *)parg;
EVP_PKEY *pkdh = NULL;
if (dh == NULL) {
SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
return ret;
}
pkdh = ssl_dh_to_pkey(dh);
if (pkdh == NULL) {
SSLerr(SSL_F_SSL3_CTRL, ERR_R_MALLOC_FAILURE);
return 0;
}
if (!ssl_security(s, SSL_SECOP_TMP_DH,
EVP_PKEY_security_bits(pkdh), 0, pkdh)) {
SSLerr(SSL_F_SSL3_CTRL, SSL_R_DH_KEY_TOO_SMALL);
EVP_PKEY_free(pkdh);
return ret;
}
EVP_PKEY_free(s->cert->dh_tmp);
s->cert->dh_tmp = pkdh;
ret = 1;
}
break;
case SSL_CTRL_SET_TMP_DH_CB:
{
SSLerr(SSL_F_SSL3_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return ret;
}
case SSL_CTRL_SET_DH_AUTO:
s->cert->dh_tmp_auto = larg;
return 1;
#endif
#ifndef OPENSSL_NO_EC
case SSL_CTRL_SET_TMP_ECDH:
{
const EC_GROUP *group = NULL;
int nid;
if (parg == NULL) {
SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
group = EC_KEY_get0_group((const EC_KEY *)parg);
if (group == NULL) {
SSLerr(SSL_F_SSL3_CTRL, EC_R_MISSING_PARAMETERS);
return 0;
}
nid = EC_GROUP_get_curve_name(group);
if (nid == NID_undef)
return 0;
return tls1_set_groups(&s->ext.supportedgroups,
&s->ext.supportedgroups_len,
&nid, 1);
}
break;
#endif /* !OPENSSL_NO_EC */
case SSL_CTRL_SET_TLSEXT_HOSTNAME:
/*
* TODO(OpenSSL1.2)
* This API is only used for a client to set what SNI it will request
* from the server, but we currently allow it to be used on servers
* as well, which is a programming error. Currently we just clear
* the field in SSL_do_handshake() for server SSLs, but when we can
* make ABI-breaking changes, we may want to make use of this API
* an error on server SSLs.
*/
if (larg == TLSEXT_NAMETYPE_host_name) {
size_t len;
OPENSSL_free(s->ext.hostname);
s->ext.hostname = NULL;
ret = 1;
if (parg == NULL)
break;
len = strlen((char *)parg);
if (len == 0 || len > TLSEXT_MAXLEN_host_name) {
SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
return 0;
}
if ((s->ext.hostname = OPENSSL_strdup((char *)parg)) == NULL) {
SSLerr(SSL_F_SSL3_CTRL, ERR_R_INTERNAL_ERROR);
return 0;
}
} else {
SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE);
return 0;
}
break;
case SSL_CTRL_SET_TLSEXT_DEBUG_ARG:
s->ext.debug_arg = parg;
ret = 1;
break;
case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE:
ret = s->ext.status_type;
break;
case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
s->ext.status_type = larg;
ret = 1;
break;
case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS:
*(STACK_OF(X509_EXTENSION) **)parg = s->ext.ocsp.exts;
ret = 1;
break;
case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS:
s->ext.ocsp.exts = parg;
ret = 1;
break;
case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS:
*(STACK_OF(OCSP_RESPID) **)parg = s->ext.ocsp.ids;
ret = 1;
break;
case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS:
s->ext.ocsp.ids = parg;
ret = 1;
break;
case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP:
*(unsigned char **)parg = s->ext.ocsp.resp;
if (s->ext.ocsp.resp_len == 0
|| s->ext.ocsp.resp_len > LONG_MAX)
return -1;
return (long)s->ext.ocsp.resp_len;
case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:
OPENSSL_free(s->ext.ocsp.resp);
s->ext.ocsp.resp = parg;
s->ext.ocsp.resp_len = larg;
ret = 1;
break;
#ifndef OPENSSL_NO_HEARTBEATS
case SSL_CTRL_DTLS_EXT_SEND_HEARTBEAT:
case SSL_CTRL_GET_DTLS_EXT_HEARTBEAT_PENDING:
case SSL_CTRL_SET_DTLS_EXT_HEARTBEAT_NO_REQUESTS:
break;
#endif
case SSL_CTRL_CHAIN:
if (larg)
return ssl_cert_set1_chain(s, NULL, (STACK_OF(X509) *)parg);
else
return ssl_cert_set0_chain(s, NULL, (STACK_OF(X509) *)parg);
case SSL_CTRL_CHAIN_CERT:
if (larg)
return ssl_cert_add1_chain_cert(s, NULL, (X509 *)parg);
else
return ssl_cert_add0_chain_cert(s, NULL, (X509 *)parg);
case SSL_CTRL_GET_CHAIN_CERTS:
*(STACK_OF(X509) **)parg = s->cert->key->chain;
ret = 1;
break;
case SSL_CTRL_SELECT_CURRENT_CERT:
return ssl_cert_select_current(s->cert, (X509 *)parg);
case SSL_CTRL_SET_CURRENT_CERT:
if (larg == SSL_CERT_SET_SERVER) {
const SSL_CIPHER *cipher;
if (!s->server)
return 0;
cipher = s->s3->tmp.new_cipher;
if (cipher == NULL)
return 0;
/*
* No certificate for unauthenticated ciphersuites or using SRP
* authentication
*/
if (cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
return 2;
if (s->s3->tmp.cert == NULL)
return 0;
s->cert->key = s->s3->tmp.cert;
return 1;
}
return ssl_cert_set_current(s->cert, larg);
#ifndef OPENSSL_NO_EC
case SSL_CTRL_GET_GROUPS:
{
uint16_t *clist;
size_t clistlen;
if (!s->session)
return 0;
clist = s->ext.peer_supportedgroups;
clistlen = s->ext.peer_supportedgroups_len;
if (parg) {
size_t i;
int *cptr = parg;
for (i = 0; i < clistlen; i++) {
const TLS_GROUP_INFO *cinf = tls1_group_id_lookup(clist[i]);
if (cinf != NULL)
cptr[i] = cinf->nid;
else
cptr[i] = TLSEXT_nid_unknown | clist[i];
}
}
return (int)clistlen;
}
case SSL_CTRL_SET_GROUPS:
return tls1_set_groups(&s->ext.supportedgroups,
&s->ext.supportedgroups_len, parg, larg);
case SSL_CTRL_SET_GROUPS_LIST:
return tls1_set_groups_list(&s->ext.supportedgroups,
&s->ext.supportedgroups_len, parg);
case SSL_CTRL_GET_SHARED_GROUP:
{
uint16_t id = tls1_shared_group(s, larg);
if (larg != -1) {
const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(id);
return ginf == NULL ? 0 : ginf->nid;
}
return id;
}
#endif
case SSL_CTRL_SET_SIGALGS:
return tls1_set_sigalgs(s->cert, parg, larg, 0);
case SSL_CTRL_SET_SIGALGS_LIST:
return tls1_set_sigalgs_list(s->cert, parg, 0);
case SSL_CTRL_SET_CLIENT_SIGALGS:
return tls1_set_sigalgs(s->cert, parg, larg, 1);
case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
return tls1_set_sigalgs_list(s->cert, parg, 1);
case SSL_CTRL_GET_CLIENT_CERT_TYPES:
{
const unsigned char **pctype = parg;
if (s->server || !s->s3->tmp.cert_req)
return 0;
if (pctype)
*pctype = s->s3->tmp.ctype;
return s->s3->tmp.ctype_len;
}
case SSL_CTRL_SET_CLIENT_CERT_TYPES:
if (!s->server)
return 0;
return ssl3_set_req_cert_type(s->cert, parg, larg);
case SSL_CTRL_BUILD_CERT_CHAIN:
return ssl_build_cert_chain(s, NULL, larg);
case SSL_CTRL_SET_VERIFY_CERT_STORE:
return ssl_cert_set_cert_store(s->cert, parg, 0, larg);
case SSL_CTRL_SET_CHAIN_CERT_STORE:
return ssl_cert_set_cert_store(s->cert, parg, 1, larg);
case SSL_CTRL_GET_PEER_SIGNATURE_NID:
if (s->s3->tmp.peer_sigalg == NULL)
return 0;
*(int *)parg = s->s3->tmp.peer_sigalg->hash;
return 1;
case SSL_CTRL_GET_SIGNATURE_NID:
if (s->s3->tmp.sigalg == NULL)
return 0;
*(int *)parg = s->s3->tmp.sigalg->hash;
return 1;
case SSL_CTRL_GET_PEER_TMP_KEY:
#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
if (s->session == NULL || s->s3->peer_tmp == NULL) {
return 0;
} else {
EVP_PKEY_up_ref(s->s3->peer_tmp);
*(EVP_PKEY **)parg = s->s3->peer_tmp;
return 1;
}
#else
return 0;
#endif
case SSL_CTRL_GET_TMP_KEY:
#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_EC)
if (s->session == NULL || s->s3->tmp.pkey == NULL) {
return 0;
} else {
EVP_PKEY_up_ref(s->s3->tmp.pkey);
*(EVP_PKEY **)parg = s->s3->tmp.pkey;
return 1;
}
#else
return 0;
#endif
#ifndef OPENSSL_NO_EC
case SSL_CTRL_GET_EC_POINT_FORMATS:
{
const unsigned char **pformat = parg;
if (s->ext.peer_ecpointformats == NULL)
return 0;
*pformat = s->ext.peer_ecpointformats;
return (int)s->ext.peer_ecpointformats_len;
}
#endif
default:
break;
}
return ret;
}
long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void))
{
int ret = 0;
switch (cmd) {
#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH_CB:
{
s->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
}
break;
#endif
case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
s->ext.debug_cb = (void (*)(SSL *, int, int,
const unsigned char *, int, void *))fp;
break;
case SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB:
{
s->not_resumable_session_cb = (int (*)(SSL *, int))fp;
}
break;
default:
break;
}
return ret;
}
long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
{
switch (cmd) {
#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH:
{
DH *dh = (DH *)parg;
EVP_PKEY *pkdh = NULL;
if (dh == NULL) {
SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
pkdh = ssl_dh_to_pkey(dh);
if (pkdh == NULL) {
SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_MALLOC_FAILURE);
return 0;
}
if (!ssl_ctx_security(ctx, SSL_SECOP_TMP_DH,
EVP_PKEY_security_bits(pkdh), 0, pkdh)) {
SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_DH_KEY_TOO_SMALL);
EVP_PKEY_free(pkdh);
return 0;
}
EVP_PKEY_free(ctx->cert->dh_tmp);
ctx->cert->dh_tmp = pkdh;
return 1;
}
case SSL_CTRL_SET_TMP_DH_CB:
{
SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
case SSL_CTRL_SET_DH_AUTO:
ctx->cert->dh_tmp_auto = larg;
return 1;
#endif
#ifndef OPENSSL_NO_EC
case SSL_CTRL_SET_TMP_ECDH:
{
const EC_GROUP *group = NULL;
int nid;
if (parg == NULL) {
SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
group = EC_KEY_get0_group((const EC_KEY *)parg);
if (group == NULL) {
SSLerr(SSL_F_SSL3_CTX_CTRL, EC_R_MISSING_PARAMETERS);
return 0;
}
nid = EC_GROUP_get_curve_name(group);
if (nid == NID_undef)
return 0;
return tls1_set_groups(&ctx->ext.supportedgroups,
&ctx->ext.supportedgroups_len,
&nid, 1);
}
#endif /* !OPENSSL_NO_EC */
case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
ctx->ext.servername_arg = parg;
break;
case SSL_CTRL_SET_TLSEXT_TICKET_KEYS:
case SSL_CTRL_GET_TLSEXT_TICKET_KEYS:
{
unsigned char *keys = parg;
long tick_keylen = (sizeof(ctx->ext.tick_key_name) +
sizeof(ctx->ext.secure->tick_hmac_key) +
sizeof(ctx->ext.secure->tick_aes_key));
if (keys == NULL)
return tick_keylen;
if (larg != tick_keylen) {
SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_TICKET_KEYS_LENGTH);
return 0;
}
if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) {
memcpy(ctx->ext.tick_key_name, keys,
sizeof(ctx->ext.tick_key_name));
memcpy(ctx->ext.secure->tick_hmac_key,
keys + sizeof(ctx->ext.tick_key_name),
sizeof(ctx->ext.secure->tick_hmac_key));
memcpy(ctx->ext.secure->tick_aes_key,
keys + sizeof(ctx->ext.tick_key_name) +
sizeof(ctx->ext.secure->tick_hmac_key),
sizeof(ctx->ext.secure->tick_aes_key));
} else {
memcpy(keys, ctx->ext.tick_key_name,
sizeof(ctx->ext.tick_key_name));
memcpy(keys + sizeof(ctx->ext.tick_key_name),
ctx->ext.secure->tick_hmac_key,
sizeof(ctx->ext.secure->tick_hmac_key));
memcpy(keys + sizeof(ctx->ext.tick_key_name) +
sizeof(ctx->ext.secure->tick_hmac_key),
ctx->ext.secure->tick_aes_key,
sizeof(ctx->ext.secure->tick_aes_key));
}
return 1;
}
case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE:
return ctx->ext.status_type;
case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
ctx->ext.status_type = larg;
break;
case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
ctx->ext.status_arg = parg;
return 1;
case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG:
*(void**)parg = ctx->ext.status_arg;
break;
case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB:
*(int (**)(SSL*, void*))parg = ctx->ext.status_cb;
break;
#ifndef OPENSSL_NO_SRP
case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME:
ctx->srp_ctx.srp_Mask |= SSL_kSRP;
OPENSSL_free(ctx->srp_ctx.login);
ctx->srp_ctx.login = NULL;
if (parg == NULL)
break;
if (strlen((const char *)parg) > 255 || strlen((const char *)parg) < 1) {
SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_SRP_USERNAME);
return 0;
}
if ((ctx->srp_ctx.login = OPENSSL_strdup((char *)parg)) == NULL) {
SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_INTERNAL_ERROR);
return 0;
}
break;
case SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD:
ctx->srp_ctx.SRP_give_srp_client_pwd_callback =
srp_password_from_info_cb;
if (ctx->srp_ctx.info != NULL)
OPENSSL_free(ctx->srp_ctx.info);
if ((ctx->srp_ctx.info = BUF_strdup((char *)parg)) == NULL) {
SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_INTERNAL_ERROR);
return 0;
}
break;
case SSL_CTRL_SET_SRP_ARG:
ctx->srp_ctx.srp_Mask |= SSL_kSRP;
ctx->srp_ctx.SRP_cb_arg = parg;
break;
case SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH:
ctx->srp_ctx.strength = larg;
break;
#endif
#ifndef OPENSSL_NO_EC
case SSL_CTRL_SET_GROUPS:
return tls1_set_groups(&ctx->ext.supportedgroups,
&ctx->ext.supportedgroups_len,
parg, larg);
case SSL_CTRL_SET_GROUPS_LIST:
return tls1_set_groups_list(&ctx->ext.supportedgroups,
&ctx->ext.supportedgroups_len,
parg);
#endif
case SSL_CTRL_SET_SIGALGS:
return tls1_set_sigalgs(ctx->cert, parg, larg, 0);
case SSL_CTRL_SET_SIGALGS_LIST:
return tls1_set_sigalgs_list(ctx->cert, parg, 0);
case SSL_CTRL_SET_CLIENT_SIGALGS:
return tls1_set_sigalgs(ctx->cert, parg, larg, 1);
case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
return tls1_set_sigalgs_list(ctx->cert, parg, 1);
case SSL_CTRL_SET_CLIENT_CERT_TYPES:
return ssl3_set_req_cert_type(ctx->cert, parg, larg);
case SSL_CTRL_BUILD_CERT_CHAIN:
return ssl_build_cert_chain(NULL, ctx, larg);
case SSL_CTRL_SET_VERIFY_CERT_STORE:
return ssl_cert_set_cert_store(ctx->cert, parg, 0, larg);
case SSL_CTRL_SET_CHAIN_CERT_STORE:
return ssl_cert_set_cert_store(ctx->cert, parg, 1, larg);
/* A Thawte special :-) */
case SSL_CTRL_EXTRA_CHAIN_CERT:
if (ctx->extra_certs == NULL) {
if ((ctx->extra_certs = sk_X509_new_null()) == NULL) {
SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_MALLOC_FAILURE);
return 0;
}
}
if (!sk_X509_push(ctx->extra_certs, (X509 *)parg)) {
SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_MALLOC_FAILURE);
return 0;
}
break;
case SSL_CTRL_GET_EXTRA_CHAIN_CERTS:
if (ctx->extra_certs == NULL && larg == 0)
*(STACK_OF(X509) **)parg = ctx->cert->key->chain;
else
*(STACK_OF(X509) **)parg = ctx->extra_certs;
break;
case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS:
sk_X509_pop_free(ctx->extra_certs, X509_free);
ctx->extra_certs = NULL;
break;
case SSL_CTRL_CHAIN:
if (larg)
return ssl_cert_set1_chain(NULL, ctx, (STACK_OF(X509) *)parg);
else
return ssl_cert_set0_chain(NULL, ctx, (STACK_OF(X509) *)parg);
case SSL_CTRL_CHAIN_CERT:
if (larg)
return ssl_cert_add1_chain_cert(NULL, ctx, (X509 *)parg);
else
return ssl_cert_add0_chain_cert(NULL, ctx, (X509 *)parg);
case SSL_CTRL_GET_CHAIN_CERTS:
*(STACK_OF(X509) **)parg = ctx->cert->key->chain;
break;
case SSL_CTRL_SELECT_CURRENT_CERT:
return ssl_cert_select_current(ctx->cert, (X509 *)parg);
case SSL_CTRL_SET_CURRENT_CERT:
return ssl_cert_set_current(ctx->cert, larg);
default:
return 0;
}
return 1;
}
long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void))
{
switch (cmd) {
#ifndef OPENSSL_NO_DH
case SSL_CTRL_SET_TMP_DH_CB:
{
ctx->cert->dh_tmp_cb = (DH *(*)(SSL *, int, int))fp;
}
break;
#endif
case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
ctx->ext.servername_cb = (int (*)(SSL *, int *, void *))fp;
break;
case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB:
ctx->ext.status_cb = (int (*)(SSL *, void *))fp;
break;
case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB:
ctx->ext.ticket_key_cb = (int (*)(SSL *, unsigned char *,
unsigned char *,
EVP_CIPHER_CTX *,
HMAC_CTX *, int))fp;
break;
#ifndef OPENSSL_NO_SRP
case SSL_CTRL_SET_SRP_VERIFY_PARAM_CB:
ctx->srp_ctx.srp_Mask |= SSL_kSRP;
ctx->srp_ctx.SRP_verify_param_callback = (int (*)(SSL *, void *))fp;
break;
case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB:
ctx->srp_ctx.srp_Mask |= SSL_kSRP;
ctx->srp_ctx.TLS_ext_srp_username_callback =
(int (*)(SSL *, int *, void *))fp;
break;
case SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB:
ctx->srp_ctx.srp_Mask |= SSL_kSRP;
ctx->srp_ctx.SRP_give_srp_client_pwd_callback =
(char *(*)(SSL *, void *))fp;
break;
#endif
case SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB:
{
ctx->not_resumable_session_cb = (int (*)(SSL *, int))fp;
}
break;
default:
return 0;
}
return 1;
}
const SSL_CIPHER *ssl3_get_cipher_by_id(uint32_t id)
{
SSL_CIPHER c;
const SSL_CIPHER *cp;
c.id = id;
cp = OBJ_bsearch_ssl_cipher_id(&c, tls13_ciphers, TLS13_NUM_CIPHERS);
if (cp != NULL)
return cp;
cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS);
if (cp != NULL)
return cp;
return OBJ_bsearch_ssl_cipher_id(&c, ssl3_scsvs, SSL3_NUM_SCSVS);
}
const SSL_CIPHER *ssl3_get_cipher_by_std_name(const char *stdname)
{
SSL_CIPHER *tbl;
SSL_CIPHER *alltabs[] = {tls13_ciphers, ssl3_ciphers, ssl3_scsvs};
size_t i, j, tblsize[] = {TLS13_NUM_CIPHERS, SSL3_NUM_CIPHERS,
SSL3_NUM_SCSVS};
/* this is not efficient, necessary to optimize this? */
for (j = 0; j < OSSL_NELEM(alltabs); j++) {
for (i = 0, tbl = alltabs[j]; i < tblsize[j]; i++, tbl++) {
if (tbl->stdname == NULL)
continue;
if (strcmp(stdname, tbl->stdname) == 0) {
return tbl;
}
}
}
return NULL;
}
/*
* This function needs to check if the ciphers required are actually
* available
*/
const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p)
{
return ssl3_get_cipher_by_id(SSL3_CK_CIPHERSUITE_FLAG
| ((uint32_t)p[0] << 8L)
| (uint32_t)p[1]);
}
int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
{
if ((c->id & 0xff000000) != SSL3_CK_CIPHERSUITE_FLAG) {
*len = 0;
return 1;
}
if (!WPACKET_put_bytes_u16(pkt, c->id & 0xffff))
return 0;
*len = 2;
return 1;
}
/*
* ssl3_choose_cipher - choose a cipher from those offered by the client
* @s: SSL connection
* @clnt: ciphers offered by the client
* @srvr: ciphers enabled on the server?
*
* Returns the selected cipher or NULL when no common ciphers.
*/
const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
STACK_OF(SSL_CIPHER) *srvr)
{
const SSL_CIPHER *c, *ret = NULL;
STACK_OF(SSL_CIPHER) *prio, *allow;
int i, ii, ok, prefer_sha256 = 0;
unsigned long alg_k = 0, alg_a = 0, mask_k = 0, mask_a = 0;
const EVP_MD *mdsha256 = EVP_sha256();
#ifndef OPENSSL_NO_CHACHA
STACK_OF(SSL_CIPHER) *prio_chacha = NULL;
#endif
/* Let's see which ciphers we can support */
/*
* Do not set the compare functions, because this may lead to a
* reordering by "id". We want to keep the original ordering. We may pay
* a price in performance during sk_SSL_CIPHER_find(), but would have to
* pay with the price of sk_SSL_CIPHER_dup().
*/
#ifdef CIPHER_DEBUG
fprintf(stderr, "Server has %d from %p:\n", sk_SSL_CIPHER_num(srvr),
(void *)srvr);
for (i = 0; i < sk_SSL_CIPHER_num(srvr); ++i) {
c = sk_SSL_CIPHER_value(srvr, i);
fprintf(stderr, "%p:%s\n", (void *)c, c->name);
}
fprintf(stderr, "Client sent %d from %p:\n", sk_SSL_CIPHER_num(clnt),
(void *)clnt);
for (i = 0; i < sk_SSL_CIPHER_num(clnt); ++i) {
c = sk_SSL_CIPHER_value(clnt, i);
fprintf(stderr, "%p:%s\n", (void *)c, c->name);
}
#endif
/* SUITE-B takes precedence over server preference and ChaCha priortiy */
if (tls1_suiteb(s)) {
prio = srvr;
allow = clnt;
} else if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
prio = srvr;
allow = clnt;
#ifndef OPENSSL_NO_CHACHA
/* If ChaCha20 is at the top of the client preference list,
and there are ChaCha20 ciphers in the server list, then
temporarily prioritize all ChaCha20 ciphers in the servers list. */
if (s->options & SSL_OP_PRIORITIZE_CHACHA && sk_SSL_CIPHER_num(clnt) > 0) {
c = sk_SSL_CIPHER_value(clnt, 0);
if (c->algorithm_enc == SSL_CHACHA20POLY1305) {
/* ChaCha20 is client preferred, check server... */
int num = sk_SSL_CIPHER_num(srvr);
int found = 0;
for (i = 0; i < num; i++) {
c = sk_SSL_CIPHER_value(srvr, i);
if (c->algorithm_enc == SSL_CHACHA20POLY1305) {
found = 1;
break;
}
}
if (found) {
prio_chacha = sk_SSL_CIPHER_new_reserve(NULL, num);
/* if reserve fails, then there's likely a memory issue */
if (prio_chacha != NULL) {
/* Put all ChaCha20 at the top, starting with the one we just found */
sk_SSL_CIPHER_push(prio_chacha, c);
for (i++; i < num; i++) {
c = sk_SSL_CIPHER_value(srvr, i);
if (c->algorithm_enc == SSL_CHACHA20POLY1305)
sk_SSL_CIPHER_push(prio_chacha, c);
}
/* Pull in the rest */
for (i = 0; i < num; i++) {
c = sk_SSL_CIPHER_value(srvr, i);
if (c->algorithm_enc != SSL_CHACHA20POLY1305)
sk_SSL_CIPHER_push(prio_chacha, c);
}
prio = prio_chacha;
}
}
}
}
# endif
} else {
prio = clnt;
allow = srvr;
}
if (SSL_IS_TLS13(s)) {
#ifndef OPENSSL_NO_PSK
int j;
/*
* If we allow "old" style PSK callbacks, and we have no certificate (so
* we're not going to succeed without a PSK anyway), and we're in
* TLSv1.3 then the default hash for a PSK is SHA-256 (as per the
* TLSv1.3 spec). Therefore we should prioritise ciphersuites using
* that.
*/
if (s->psk_server_callback != NULL) {
for (j = 0; j < SSL_PKEY_NUM && !ssl_has_cert(s, j); j++);
if (j == SSL_PKEY_NUM) {
/* There are no certificates */
prefer_sha256 = 1;
}
}
#endif
} else {
tls1_set_cert_validity(s);
ssl_set_masks(s);
}
for (i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
c = sk_SSL_CIPHER_value(prio, i);
/* Skip ciphers not supported by the protocol version */
if (!SSL_IS_DTLS(s) &&
((s->version < c->min_tls) || (s->version > c->max_tls)))
continue;
if (SSL_IS_DTLS(s) &&
(DTLS_VERSION_LT(s->version, c->min_dtls) ||
DTLS_VERSION_GT(s->version, c->max_dtls)))
continue;
/*
* Since TLS 1.3 ciphersuites can be used with any auth or
* key exchange scheme skip tests.
*/
if (!SSL_IS_TLS13(s)) {
mask_k = s->s3->tmp.mask_k;
mask_a = s->s3->tmp.mask_a;
#ifndef OPENSSL_NO_SRP
if (s->srp_ctx.srp_Mask & SSL_kSRP) {
mask_k |= SSL_kSRP;
mask_a |= SSL_aSRP;
}
#endif
alg_k = c->algorithm_mkey;
alg_a = c->algorithm_auth;
#ifndef OPENSSL_NO_PSK
/* with PSK there must be server callback set */
if ((alg_k & SSL_PSK) && s->psk_server_callback == NULL)
continue;
#endif /* OPENSSL_NO_PSK */
ok = (alg_k & mask_k) && (alg_a & mask_a);
#ifdef CIPHER_DEBUG
fprintf(stderr, "%d:[%08lX:%08lX:%08lX:%08lX]%p:%s\n", ok, alg_k,
alg_a, mask_k, mask_a, (void *)c, c->name);
#endif
#ifndef OPENSSL_NO_EC
/*
* if we are considering an ECC cipher suite that uses an ephemeral
* EC key check it
*/
if (alg_k & SSL_kECDHE)
ok = ok && tls1_check_ec_tmp_key(s, c->id);
#endif /* OPENSSL_NO_EC */
if (!ok)
continue;
}
ii = sk_SSL_CIPHER_find(allow, c);
if (ii >= 0) {
/* Check security callback permits this cipher */
if (!ssl_security(s, SSL_SECOP_CIPHER_SHARED,
c->strength_bits, 0, (void *)c))
continue;
#if !defined(OPENSSL_NO_EC)
if ((alg_k & SSL_kECDHE) && (alg_a & SSL_aECDSA)
&& s->s3->is_probably_safari) {
if (!ret)
ret = sk_SSL_CIPHER_value(allow, ii);
continue;
}
#endif
if (prefer_sha256) {
const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii);
if (ssl_md(tmp->algorithm2) == mdsha256) {
ret = tmp;
break;
}
if (ret == NULL)
ret = tmp;
continue;
}
ret = sk_SSL_CIPHER_value(allow, ii);
break;
}
}
#ifndef OPENSSL_NO_CHACHA
sk_SSL_CIPHER_free(prio_chacha);
#endif
return ret;
}
int ssl3_get_req_cert_type(SSL *s, WPACKET *pkt)
{
uint32_t alg_k, alg_a = 0;
/* If we have custom certificate types set, use them */
if (s->cert->ctype)
return WPACKET_memcpy(pkt, s->cert->ctype, s->cert->ctype_len);
/* Get mask of algorithms disabled by signature list */
ssl_set_sig_mask(&alg_a, s, SSL_SECOP_SIGALG_MASK);
alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
#ifndef OPENSSL_NO_GOST
if (s->version >= TLS1_VERSION && (alg_k & SSL_kGOST))
return WPACKET_put_bytes_u8(pkt, TLS_CT_GOST01_SIGN)
&& WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_SIGN)
&& WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_512_SIGN);
#endif
if ((s->version == SSL3_VERSION) && (alg_k & SSL_kDHE)) {
#ifndef OPENSSL_NO_DH
# ifndef OPENSSL_NO_RSA
if (!WPACKET_put_bytes_u8(pkt, SSL3_CT_RSA_EPHEMERAL_DH))
return 0;
# endif
# ifndef OPENSSL_NO_DSA
if (!WPACKET_put_bytes_u8(pkt, SSL3_CT_DSS_EPHEMERAL_DH))
return 0;
# endif
#endif /* !OPENSSL_NO_DH */
}
#ifndef OPENSSL_NO_RSA
if (!(alg_a & SSL_aRSA) && !WPACKET_put_bytes_u8(pkt, SSL3_CT_RSA_SIGN))
return 0;
#endif
#ifndef OPENSSL_NO_DSA
if (!(alg_a & SSL_aDSS) && !WPACKET_put_bytes_u8(pkt, SSL3_CT_DSS_SIGN))
return 0;
#endif
#ifndef OPENSSL_NO_EC
/*
* ECDSA certs can be used with RSA cipher suites too so we don't
* need to check for SSL_kECDH or SSL_kECDHE
*/
if (s->version >= TLS1_VERSION
&& !(alg_a & SSL_aECDSA)
&& !WPACKET_put_bytes_u8(pkt, TLS_CT_ECDSA_SIGN))
return 0;
#endif
return 1;
}
static int ssl3_set_req_cert_type(CERT *c, const unsigned char *p, size_t len)
{
OPENSSL_free(c->ctype);
c->ctype = NULL;
c->ctype_len = 0;
if (p == NULL || len == 0)
return 1;
if (len > 0xff)
return 0;
c->ctype = OPENSSL_memdup(p, len);
if (c->ctype == NULL)
return 0;
c->ctype_len = len;
return 1;
}
int ssl3_shutdown(SSL *s)
{
int ret;
/*
* Don't do anything much if we have not done the handshake or we don't
* want to send messages :-)
*/
if (s->quiet_shutdown || SSL_in_before(s)) {
s->shutdown = (SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
return 1;
}
if (!(s->shutdown & SSL_SENT_SHUTDOWN)) {
s->shutdown |= SSL_SENT_SHUTDOWN;
ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY);
/*
* our shutdown alert has been sent now, and if it still needs to be
* written, s->s3->alert_dispatch will be true
*/
if (s->s3->alert_dispatch)
return -1; /* return WANT_WRITE */
} else if (s->s3->alert_dispatch) {
/* resend it if not sent */
ret = s->method->ssl_dispatch_alert(s);
if (ret == -1) {
/*
* we only get to return -1 here the 2nd/Nth invocation, we must
* have already signalled return 0 upon a previous invocation,
* return WANT_WRITE
*/
return ret;
}
} else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) {
size_t readbytes;
/*
* If we are waiting for a close from our peer, we are closed
*/
s->method->ssl_read_bytes(s, 0, NULL, NULL, 0, 0, &readbytes);
if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) {
return -1; /* return WANT_READ */
}
}
if ((s->shutdown == (SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN)) &&
!s->s3->alert_dispatch)
return 1;
else
return 0;
}
int ssl3_write(SSL *s, const void *buf, size_t len, size_t *written)
{
clear_sys_error();
if (s->s3->renegotiate)
ssl3_renegotiate_check(s, 0);
return s->method->ssl_write_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len,
written);
}
static int ssl3_read_internal(SSL *s, void *buf, size_t len, int peek,
size_t *readbytes)
{
int ret;
clear_sys_error();
if (s->s3->renegotiate)
ssl3_renegotiate_check(s, 0);
s->s3->in_read_app_data = 1;
ret =
s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, NULL, buf, len,
peek, readbytes);
if ((ret == -1) && (s->s3->in_read_app_data == 2)) {
/*
* ssl3_read_bytes decided to call s->handshake_func, which called
* ssl3_read_bytes to read handshake data. However, ssl3_read_bytes
* actually found application data and thinks that application data
* makes sense here; so disable handshake processing and try to read
* application data again.
*/
ossl_statem_set_in_handshake(s, 1);
ret =
s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, NULL, buf,
len, peek, readbytes);
ossl_statem_set_in_handshake(s, 0);
} else
s->s3->in_read_app_data = 0;
return ret;
}
int ssl3_read(SSL *s, void *buf, size_t len, size_t *readbytes)
{
return ssl3_read_internal(s, buf, len, 0, readbytes);
}
int ssl3_peek(SSL *s, void *buf, size_t len, size_t *readbytes)
{
return ssl3_read_internal(s, buf, len, 1, readbytes);
}
int ssl3_renegotiate(SSL *s)
{
if (s->handshake_func == NULL)
return 1;
s->s3->renegotiate = 1;
return 1;
}
/*
* Check if we are waiting to do a renegotiation and if so whether now is a
* good time to do it. If |initok| is true then we are being called from inside
* the state machine so ignore the result of SSL_in_init(s). Otherwise we
* should not do a renegotiation if SSL_in_init(s) is true. Returns 1 if we
* should do a renegotiation now and sets up the state machine for it. Otherwise
* returns 0.
*/
int ssl3_renegotiate_check(SSL *s, int initok)
{
int ret = 0;
if (s->s3->renegotiate) {
if (!RECORD_LAYER_read_pending(&s->rlayer)
&& !RECORD_LAYER_write_pending(&s->rlayer)
&& (initok || !SSL_in_init(s))) {
/*
* if we are the server, and we have sent a 'RENEGOTIATE'
* message, we need to set the state machine into the renegotiate
* state.
*/
ossl_statem_set_renegotiate(s);
s->s3->renegotiate = 0;
s->s3->num_renegotiations++;
s->s3->total_renegotiations++;
ret = 1;
}
}
return ret;
}
/*
* If we are using default SHA1+MD5 algorithms switch to new SHA256 PRF and
* handshake macs if required.
*
* If PSK and using SHA384 for TLS < 1.2 switch to default.
*/
long ssl_get_algorithm2(SSL *s)
{
long alg2;
if (s->s3 == NULL || s->s3->tmp.new_cipher == NULL)
return -1;
alg2 = s->s3->tmp.new_cipher->algorithm2;
if (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_SHA256_PRF) {
if (alg2 == (SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF))
return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
} else if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK) {
if (alg2 == (SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384))
return SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF;
}
return alg2;
}
/*
* Fill a ClientRandom or ServerRandom field of length len. Returns <= 0 on
* failure, 1 on success.
*/
int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, size_t len,
DOWNGRADE dgrd)
{
int send_time = 0, ret;
if (len < 4)
return 0;
if (server)
send_time = (s->mode & SSL_MODE_SEND_SERVERHELLO_TIME) != 0;
else
send_time = (s->mode & SSL_MODE_SEND_CLIENTHELLO_TIME) != 0;
if (send_time) {
unsigned long Time = (unsigned long)time(NULL);
unsigned char *p = result;
l2n(Time, p);
ret = RAND_bytes(p, len - 4);
} else {
ret = RAND_bytes(result, len);
}
if (ret > 0) {
if (!ossl_assert(sizeof(tls11downgrade) < len)
|| !ossl_assert(sizeof(tls12downgrade) < len))
return 0;
if (dgrd == DOWNGRADE_TO_1_2)
memcpy(result + len - sizeof(tls12downgrade), tls12downgrade,
sizeof(tls12downgrade));
else if (dgrd == DOWNGRADE_TO_1_1)
memcpy(result + len - sizeof(tls11downgrade), tls11downgrade,
sizeof(tls11downgrade));
}
return ret;
}
int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,
int free_pms)
{
unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
int ret = 0;
if (alg_k & SSL_PSK) {
#ifndef OPENSSL_NO_PSK
unsigned char *pskpms, *t;
size_t psklen = s->s3->tmp.psklen;
size_t pskpmslen;
/* create PSK premaster_secret */
/* For plain PSK "other_secret" is psklen zeroes */
if (alg_k & SSL_kPSK)
pmslen = psklen;
pskpmslen = 4 + pmslen + psklen;
pskpms = OPENSSL_malloc(pskpmslen);
if (pskpms == NULL)
goto err;
t = pskpms;
s2n(pmslen, t);
if (alg_k & SSL_kPSK)
memset(t, 0, pmslen);
else
memcpy(t, pms, pmslen);
t += pmslen;
s2n(psklen, t);
memcpy(t, s->s3->tmp.psk, psklen);
OPENSSL_clear_free(s->s3->tmp.psk, psklen);
s->s3->tmp.psk = NULL;
s->s3->tmp.psklen = 0;
if (!s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key, pskpms, pskpmslen,
&s->session->master_key_length)) {
OPENSSL_clear_free(pskpms, pskpmslen);
/* SSLfatal() already called */
goto err;
}
OPENSSL_clear_free(pskpms, pskpmslen);
#else
/* Should never happen */
goto err;
#endif
} else {
if (!s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key, pms, pmslen,
&s->session->master_key_length)) {
/* SSLfatal() already called */
goto err;
}
}
ret = 1;
err:
if (pms) {
if (free_pms)
OPENSSL_clear_free(pms, pmslen);
else
OPENSSL_cleanse(pms, pmslen);
}
if (s->server == 0) {
s->s3->tmp.pms = NULL;
s->s3->tmp.pmslen = 0;
}
return ret;
}
/* Generate a private key from parameters */
EVP_PKEY *ssl_generate_pkey(EVP_PKEY *pm)
{
EVP_PKEY_CTX *pctx = NULL;
EVP_PKEY *pkey = NULL;
if (pm == NULL)
return NULL;
pctx = EVP_PKEY_CTX_new(pm, NULL);
if (pctx == NULL)
goto err;
if (EVP_PKEY_keygen_init(pctx) <= 0)
goto err;
if (EVP_PKEY_keygen(pctx, &pkey) <= 0) {
EVP_PKEY_free(pkey);
pkey = NULL;
}
err:
EVP_PKEY_CTX_free(pctx);
return pkey;
}
#ifndef OPENSSL_NO_EC
/* Generate a private key from a group ID */
EVP_PKEY *ssl_generate_pkey_group(SSL *s, uint16_t id)
{
EVP_PKEY_CTX *pctx = NULL;
EVP_PKEY *pkey = NULL;
const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(id);
uint16_t gtype;
if (ginf == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP,
ERR_R_INTERNAL_ERROR);
goto err;
}
gtype = ginf->flags & TLS_CURVE_TYPE;
if (gtype == TLS_CURVE_CUSTOM)
pctx = EVP_PKEY_CTX_new_id(ginf->nid, NULL);
else
pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
if (pctx == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP,
ERR_R_MALLOC_FAILURE);
goto err;
}
if (EVP_PKEY_keygen_init(pctx) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP,
ERR_R_EVP_LIB);
goto err;
}
if (gtype != TLS_CURVE_CUSTOM
&& EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP,
ERR_R_EVP_LIB);
goto err;
}
if (EVP_PKEY_keygen(pctx, &pkey) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_GENERATE_PKEY_GROUP,
ERR_R_EVP_LIB);
EVP_PKEY_free(pkey);
pkey = NULL;
}
err:
EVP_PKEY_CTX_free(pctx);
return pkey;
}
/*
* Generate parameters from a group ID
*/
EVP_PKEY *ssl_generate_param_group(uint16_t id)
{
EVP_PKEY_CTX *pctx = NULL;
EVP_PKEY *pkey = NULL;
const TLS_GROUP_INFO *ginf = tls1_group_id_lookup(id);
if (ginf == NULL)
goto err;
if ((ginf->flags & TLS_CURVE_TYPE) == TLS_CURVE_CUSTOM) {
pkey = EVP_PKEY_new();
if (pkey != NULL && EVP_PKEY_set_type(pkey, ginf->nid))
return pkey;
EVP_PKEY_free(pkey);
return NULL;
}
pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
if (pctx == NULL)
goto err;
if (EVP_PKEY_paramgen_init(pctx) <= 0)
goto err;
if (EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, ginf->nid) <= 0)
goto err;
if (EVP_PKEY_paramgen(pctx, &pkey) <= 0) {
EVP_PKEY_free(pkey);
pkey = NULL;
}
err:
EVP_PKEY_CTX_free(pctx);
return pkey;
}
#endif
/* Derive secrets for ECDH/DH */
int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey, int gensecret)
{
int rv = 0;
unsigned char *pms = NULL;
size_t pmslen = 0;
EVP_PKEY_CTX *pctx;
if (privkey == NULL || pubkey == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_DERIVE,
ERR_R_INTERNAL_ERROR);
return 0;
}
pctx = EVP_PKEY_CTX_new(privkey, NULL);
if (EVP_PKEY_derive_init(pctx) <= 0
|| EVP_PKEY_derive_set_peer(pctx, pubkey) <= 0
|| EVP_PKEY_derive(pctx, NULL, &pmslen) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_DERIVE,
ERR_R_INTERNAL_ERROR);
goto err;
}
pms = OPENSSL_malloc(pmslen);
if (pms == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_DERIVE,
ERR_R_MALLOC_FAILURE);
goto err;
}
if (EVP_PKEY_derive(pctx, pms, &pmslen) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_DERIVE,
ERR_R_INTERNAL_ERROR);
goto err;
}
if (gensecret) {
/* SSLfatal() called as appropriate in the below functions */
if (SSL_IS_TLS13(s)) {
/*
* If we are resuming then we already generated the early secret
* when we created the ClientHello, so don't recreate it.
*/
if (!s->hit)
rv = tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL,
0,
(unsigned char *)&s->early_secret);
else
rv = 1;
rv = rv && tls13_generate_handshake_secret(s, pms, pmslen);
} else {
rv = ssl_generate_master_secret(s, pms, pmslen, 0);
}
} else {
/* Save premaster secret */
s->s3->tmp.pms = pms;
s->s3->tmp.pmslen = pmslen;
pms = NULL;
rv = 1;
}
err:
OPENSSL_clear_free(pms, pmslen);
EVP_PKEY_CTX_free(pctx);
return rv;
}
#ifndef OPENSSL_NO_DH
EVP_PKEY *ssl_dh_to_pkey(DH *dh)
{
EVP_PKEY *ret;
if (dh == NULL)
return NULL;
ret = EVP_PKEY_new();
if (EVP_PKEY_set1_DH(ret, dh) <= 0) {
EVP_PKEY_free(ret);
return NULL;
}
return ret;
}
#endif
diff --git a/crypto/openssl/ssl/ssl_cert.c b/crypto/openssl/ssl/ssl_cert.c
index e7feda81d046..eba96b207eee 100644
--- a/crypto/openssl/ssl/ssl_cert.c
+++ b/crypto/openssl/ssl/ssl_cert.c
@@ -1,1024 +1,1025 @@
/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <stdio.h>
#include <sys/types.h>
#include "internal/nelem.h"
#include "internal/o_dir.h"
#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/x509v3.h>
#include <openssl/dh.h>
#include <openssl/bn.h>
#include <openssl/crypto.h>
#include "internal/refcount.h"
#include "ssl_local.h"
#include "ssl_cert_table.h"
#include "internal/thread_once.h"
static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
int op, int bits, int nid, void *other,
void *ex);
static CRYPTO_ONCE ssl_x509_store_ctx_once = CRYPTO_ONCE_STATIC_INIT;
static volatile int ssl_x509_store_ctx_idx = -1;
DEFINE_RUN_ONCE_STATIC(ssl_x509_store_ctx_init)
{
ssl_x509_store_ctx_idx = X509_STORE_CTX_get_ex_new_index(0,
"SSL for verify callback",
NULL, NULL, NULL);
return ssl_x509_store_ctx_idx >= 0;
}
int SSL_get_ex_data_X509_STORE_CTX_idx(void)
{
if (!RUN_ONCE(&ssl_x509_store_ctx_once, ssl_x509_store_ctx_init))
return -1;
return ssl_x509_store_ctx_idx;
}
CERT *ssl_cert_new(void)
{
CERT *ret = OPENSSL_zalloc(sizeof(*ret));
if (ret == NULL) {
SSLerr(SSL_F_SSL_CERT_NEW, ERR_R_MALLOC_FAILURE);
return NULL;
}
ret->key = &(ret->pkeys[SSL_PKEY_RSA]);
ret->references = 1;
ret->sec_cb = ssl_security_default_callback;
ret->sec_level = OPENSSL_TLS_SECURITY_LEVEL;
ret->sec_ex = NULL;
ret->lock = CRYPTO_THREAD_lock_new();
if (ret->lock == NULL) {
SSLerr(SSL_F_SSL_CERT_NEW, ERR_R_MALLOC_FAILURE);
OPENSSL_free(ret);
return NULL;
}
return ret;
}
CERT *ssl_cert_dup(CERT *cert)
{
CERT *ret = OPENSSL_zalloc(sizeof(*ret));
int i;
if (ret == NULL) {
SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
return NULL;
}
ret->references = 1;
ret->key = &ret->pkeys[cert->key - cert->pkeys];
ret->lock = CRYPTO_THREAD_lock_new();
if (ret->lock == NULL) {
SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
OPENSSL_free(ret);
return NULL;
}
#ifndef OPENSSL_NO_DH
if (cert->dh_tmp != NULL) {
ret->dh_tmp = cert->dh_tmp;
EVP_PKEY_up_ref(ret->dh_tmp);
}
ret->dh_tmp_cb = cert->dh_tmp_cb;
ret->dh_tmp_auto = cert->dh_tmp_auto;
#endif
for (i = 0; i < SSL_PKEY_NUM; i++) {
CERT_PKEY *cpk = cert->pkeys + i;
CERT_PKEY *rpk = ret->pkeys + i;
if (cpk->x509 != NULL) {
rpk->x509 = cpk->x509;
X509_up_ref(rpk->x509);
}
if (cpk->privatekey != NULL) {
rpk->privatekey = cpk->privatekey;
EVP_PKEY_up_ref(cpk->privatekey);
}
if (cpk->chain) {
rpk->chain = X509_chain_up_ref(cpk->chain);
if (!rpk->chain) {
SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
goto err;
}
}
if (cert->pkeys[i].serverinfo != NULL) {
/* Just copy everything. */
ret->pkeys[i].serverinfo =
OPENSSL_malloc(cert->pkeys[i].serverinfo_length);
if (ret->pkeys[i].serverinfo == NULL) {
SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
goto err;
}
ret->pkeys[i].serverinfo_length = cert->pkeys[i].serverinfo_length;
memcpy(ret->pkeys[i].serverinfo,
cert->pkeys[i].serverinfo, cert->pkeys[i].serverinfo_length);
}
}
/* Configured sigalgs copied across */
if (cert->conf_sigalgs) {
ret->conf_sigalgs = OPENSSL_malloc(cert->conf_sigalgslen
* sizeof(*cert->conf_sigalgs));
if (ret->conf_sigalgs == NULL)
goto err;
memcpy(ret->conf_sigalgs, cert->conf_sigalgs,
cert->conf_sigalgslen * sizeof(*cert->conf_sigalgs));
ret->conf_sigalgslen = cert->conf_sigalgslen;
} else
ret->conf_sigalgs = NULL;
if (cert->client_sigalgs) {
ret->client_sigalgs = OPENSSL_malloc(cert->client_sigalgslen
* sizeof(*cert->client_sigalgs));
if (ret->client_sigalgs == NULL)
goto err;
memcpy(ret->client_sigalgs, cert->client_sigalgs,
cert->client_sigalgslen * sizeof(*cert->client_sigalgs));
ret->client_sigalgslen = cert->client_sigalgslen;
} else
ret->client_sigalgs = NULL;
/* Copy any custom client certificate types */
if (cert->ctype) {
ret->ctype = OPENSSL_memdup(cert->ctype, cert->ctype_len);
if (ret->ctype == NULL)
goto err;
ret->ctype_len = cert->ctype_len;
}
ret->cert_flags = cert->cert_flags;
ret->cert_cb = cert->cert_cb;
ret->cert_cb_arg = cert->cert_cb_arg;
if (cert->verify_store) {
X509_STORE_up_ref(cert->verify_store);
ret->verify_store = cert->verify_store;
}
if (cert->chain_store) {
X509_STORE_up_ref(cert->chain_store);
ret->chain_store = cert->chain_store;
}
ret->sec_cb = cert->sec_cb;
ret->sec_level = cert->sec_level;
ret->sec_ex = cert->sec_ex;
if (!custom_exts_copy(&ret->custext, &cert->custext))
goto err;
#ifndef OPENSSL_NO_PSK
if (cert->psk_identity_hint) {
ret->psk_identity_hint = OPENSSL_strdup(cert->psk_identity_hint);
if (ret->psk_identity_hint == NULL)
goto err;
}
#endif
return ret;
err:
ssl_cert_free(ret);
return NULL;
}
/* Free up and clear all certificates and chains */
void ssl_cert_clear_certs(CERT *c)
{
int i;
if (c == NULL)
return;
for (i = 0; i < SSL_PKEY_NUM; i++) {
CERT_PKEY *cpk = c->pkeys + i;
X509_free(cpk->x509);
cpk->x509 = NULL;
EVP_PKEY_free(cpk->privatekey);
cpk->privatekey = NULL;
sk_X509_pop_free(cpk->chain, X509_free);
cpk->chain = NULL;
OPENSSL_free(cpk->serverinfo);
cpk->serverinfo = NULL;
cpk->serverinfo_length = 0;
}
}
void ssl_cert_free(CERT *c)
{
int i;
if (c == NULL)
return;
CRYPTO_DOWN_REF(&c->references, &i, c->lock);
REF_PRINT_COUNT("CERT", c);
if (i > 0)
return;
REF_ASSERT_ISNT(i < 0);
#ifndef OPENSSL_NO_DH
EVP_PKEY_free(c->dh_tmp);
#endif
ssl_cert_clear_certs(c);
OPENSSL_free(c->conf_sigalgs);
OPENSSL_free(c->client_sigalgs);
OPENSSL_free(c->ctype);
X509_STORE_free(c->verify_store);
X509_STORE_free(c->chain_store);
custom_exts_free(&c->custext);
#ifndef OPENSSL_NO_PSK
OPENSSL_free(c->psk_identity_hint);
#endif
CRYPTO_THREAD_lock_free(c->lock);
OPENSSL_free(c);
}
int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain)
{
int i, r;
CERT_PKEY *cpk = s ? s->cert->key : ctx->cert->key;
if (!cpk)
return 0;
for (i = 0; i < sk_X509_num(chain); i++) {
r = ssl_security_cert(s, ctx, sk_X509_value(chain, i), 0, 0);
if (r != 1) {
SSLerr(SSL_F_SSL_CERT_SET0_CHAIN, r);
return 0;
}
}
sk_X509_pop_free(cpk->chain, X509_free);
cpk->chain = chain;
return 1;
}
int ssl_cert_set1_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain)
{
STACK_OF(X509) *dchain;
if (!chain)
return ssl_cert_set0_chain(s, ctx, NULL);
dchain = X509_chain_up_ref(chain);
if (!dchain)
return 0;
if (!ssl_cert_set0_chain(s, ctx, dchain)) {
sk_X509_pop_free(dchain, X509_free);
return 0;
}
return 1;
}
int ssl_cert_add0_chain_cert(SSL *s, SSL_CTX *ctx, X509 *x)
{
int r;
CERT_PKEY *cpk = s ? s->cert->key : ctx->cert->key;
if (!cpk)
return 0;
r = ssl_security_cert(s, ctx, x, 0, 0);
if (r != 1) {
SSLerr(SSL_F_SSL_CERT_ADD0_CHAIN_CERT, r);
return 0;
}
if (!cpk->chain)
cpk->chain = sk_X509_new_null();
if (!cpk->chain || !sk_X509_push(cpk->chain, x))
return 0;
return 1;
}
int ssl_cert_add1_chain_cert(SSL *s, SSL_CTX *ctx, X509 *x)
{
if (!ssl_cert_add0_chain_cert(s, ctx, x))
return 0;
X509_up_ref(x);
return 1;
}
int ssl_cert_select_current(CERT *c, X509 *x)
{
int i;
if (x == NULL)
return 0;
for (i = 0; i < SSL_PKEY_NUM; i++) {
CERT_PKEY *cpk = c->pkeys + i;
if (cpk->x509 == x && cpk->privatekey) {
c->key = cpk;
return 1;
}
}
for (i = 0; i < SSL_PKEY_NUM; i++) {
CERT_PKEY *cpk = c->pkeys + i;
if (cpk->privatekey && cpk->x509 && !X509_cmp(cpk->x509, x)) {
c->key = cpk;
return 1;
}
}
return 0;
}
int ssl_cert_set_current(CERT *c, long op)
{
int i, idx;
if (!c)
return 0;
if (op == SSL_CERT_SET_FIRST)
idx = 0;
else if (op == SSL_CERT_SET_NEXT) {
idx = (int)(c->key - c->pkeys + 1);
if (idx >= SSL_PKEY_NUM)
return 0;
} else
return 0;
for (i = idx; i < SSL_PKEY_NUM; i++) {
CERT_PKEY *cpk = c->pkeys + i;
if (cpk->x509 && cpk->privatekey) {
c->key = cpk;
return 1;
}
}
return 0;
}
void ssl_cert_set_cert_cb(CERT *c, int (*cb) (SSL *ssl, void *arg), void *arg)
{
c->cert_cb = cb;
c->cert_cb_arg = arg;
}
int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
{
X509 *x;
int i = 0;
X509_STORE *verify_store;
X509_STORE_CTX *ctx = NULL;
X509_VERIFY_PARAM *param;
if ((sk == NULL) || (sk_X509_num(sk) == 0))
return 0;
if (s->cert->verify_store)
verify_store = s->cert->verify_store;
else
verify_store = s->ctx->cert_store;
ctx = X509_STORE_CTX_new();
if (ctx == NULL) {
SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, ERR_R_MALLOC_FAILURE);
return 0;
}
x = sk_X509_value(sk, 0);
if (!X509_STORE_CTX_init(ctx, verify_store, x, sk)) {
SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, ERR_R_X509_LIB);
goto end;
}
param = X509_STORE_CTX_get0_param(ctx);
/*
* XXX: Separate @AUTHSECLEVEL and @TLSSECLEVEL would be useful at some
* point, for now a single @SECLEVEL sets the same policy for TLS crypto
* and PKI authentication.
*/
X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s));
/* Set suite B flags if needed */
X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s));
if (!X509_STORE_CTX_set_ex_data
(ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s)) {
goto end;
}
/* Verify via DANE if enabled */
if (DANETLS_ENABLED(&s->dane))
X509_STORE_CTX_set0_dane(ctx, &s->dane);
/*
* We need to inherit the verify parameters. These can be determined by
* the context: if its a server it will verify SSL client certificates or
* vice versa.
*/
X509_STORE_CTX_set_default(ctx, s->server ? "ssl_client" : "ssl_server");
/*
* Anything non-default in "s->param" should overwrite anything in the ctx.
*/
X509_VERIFY_PARAM_set1(param, s->param);
if (s->verify_callback)
X509_STORE_CTX_set_verify_cb(ctx, s->verify_callback);
if (s->ctx->app_verify_callback != NULL)
i = s->ctx->app_verify_callback(ctx, s->ctx->app_verify_arg);
else
i = X509_verify_cert(ctx);
s->verify_result = X509_STORE_CTX_get_error(ctx);
sk_X509_pop_free(s->verified_chain, X509_free);
s->verified_chain = NULL;
if (X509_STORE_CTX_get0_chain(ctx) != NULL) {
s->verified_chain = X509_STORE_CTX_get1_chain(ctx);
if (s->verified_chain == NULL) {
SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, ERR_R_MALLOC_FAILURE);
i = 0;
}
}
/* Move peername from the store context params to the SSL handle's */
X509_VERIFY_PARAM_move_peername(s->param, param);
end:
X509_STORE_CTX_free(ctx);
return i;
}
static void set0_CA_list(STACK_OF(X509_NAME) **ca_list,
STACK_OF(X509_NAME) *name_list)
{
sk_X509_NAME_pop_free(*ca_list, X509_NAME_free);
*ca_list = name_list;
}
STACK_OF(X509_NAME) *SSL_dup_CA_list(const STACK_OF(X509_NAME) *sk)
{
int i;
const int num = sk_X509_NAME_num(sk);
STACK_OF(X509_NAME) *ret;
X509_NAME *name;
ret = sk_X509_NAME_new_reserve(NULL, num);
if (ret == NULL) {
SSLerr(SSL_F_SSL_DUP_CA_LIST, ERR_R_MALLOC_FAILURE);
return NULL;
}
for (i = 0; i < num; i++) {
name = X509_NAME_dup(sk_X509_NAME_value(sk, i));
if (name == NULL) {
SSLerr(SSL_F_SSL_DUP_CA_LIST, ERR_R_MALLOC_FAILURE);
sk_X509_NAME_pop_free(ret, X509_NAME_free);
return NULL;
}
sk_X509_NAME_push(ret, name); /* Cannot fail after reserve call */
}
return ret;
}
void SSL_set0_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list)
{
set0_CA_list(&s->ca_names, name_list);
}
void SSL_CTX_set0_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list)
{
set0_CA_list(&ctx->ca_names, name_list);
}
const STACK_OF(X509_NAME) *SSL_CTX_get0_CA_list(const SSL_CTX *ctx)
{
return ctx->ca_names;
}
const STACK_OF(X509_NAME) *SSL_get0_CA_list(const SSL *s)
{
return s->ca_names != NULL ? s->ca_names : s->ctx->ca_names;
}
void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list)
{
set0_CA_list(&ctx->client_ca_names, name_list);
}
STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
{
return ctx->client_ca_names;
}
void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list)
{
set0_CA_list(&s->client_ca_names, name_list);
}
const STACK_OF(X509_NAME) *SSL_get0_peer_CA_list(const SSL *s)
{
return s->s3 != NULL ? s->s3->tmp.peer_ca_names : NULL;
}
STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
{
if (!s->server)
return s->s3 != NULL ? s->s3->tmp.peer_ca_names : NULL;
return s->client_ca_names != NULL ? s->client_ca_names
: s->ctx->client_ca_names;
}
static int add_ca_name(STACK_OF(X509_NAME) **sk, const X509 *x)
{
X509_NAME *name;
if (x == NULL)
return 0;
if (*sk == NULL && ((*sk = sk_X509_NAME_new_null()) == NULL))
return 0;
if ((name = X509_NAME_dup(X509_get_subject_name(x))) == NULL)
return 0;
if (!sk_X509_NAME_push(*sk, name)) {
X509_NAME_free(name);
return 0;
}
return 1;
}
int SSL_add1_to_CA_list(SSL *ssl, const X509 *x)
{
return add_ca_name(&ssl->ca_names, x);
}
int SSL_CTX_add1_to_CA_list(SSL_CTX *ctx, const X509 *x)
{
return add_ca_name(&ctx->ca_names, x);
}
/*
* The following two are older names are to be replaced with
* SSL(_CTX)_add1_to_CA_list
*/
int SSL_add_client_CA(SSL *ssl, X509 *x)
{
return add_ca_name(&ssl->client_ca_names, x);
}
int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
{
return add_ca_name(&ctx->client_ca_names, x);
}
static int xname_cmp(const X509_NAME *a, const X509_NAME *b)
{
unsigned char *abuf = NULL, *bbuf = NULL;
int alen, blen, ret;
/* X509_NAME_cmp() itself casts away constness in this way, so
* assume it's safe:
*/
alen = i2d_X509_NAME((X509_NAME *)a, &abuf);
blen = i2d_X509_NAME((X509_NAME *)b, &bbuf);
if (alen < 0 || blen < 0)
ret = -2;
else if (alen != blen)
ret = alen - blen;
else /* alen == blen */
ret = memcmp(abuf, bbuf, alen);
OPENSSL_free(abuf);
OPENSSL_free(bbuf);
return ret;
}
static int xname_sk_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
{
return xname_cmp(*a, *b);
}
static unsigned long xname_hash(const X509_NAME *a)
{
return X509_NAME_hash((X509_NAME *)a);
}
STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file)
{
BIO *in = BIO_new(BIO_s_file());
X509 *x = NULL;
X509_NAME *xn = NULL;
STACK_OF(X509_NAME) *ret = NULL;
LHASH_OF(X509_NAME) *name_hash = lh_X509_NAME_new(xname_hash, xname_cmp);
if ((name_hash == NULL) || (in == NULL)) {
SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!BIO_read_filename(in, file))
goto err;
for (;;) {
if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL)
break;
if (ret == NULL) {
ret = sk_X509_NAME_new_null();
if (ret == NULL) {
SSLerr(SSL_F_SSL_LOAD_CLIENT_CA_FILE, ERR_R_MALLOC_FAILURE);
goto err;
}
}
if ((xn = X509_get_subject_name(x)) == NULL)
goto err;
/* check for duplicates */
xn = X509_NAME_dup(xn);
if (xn == NULL)
goto err;
if (lh_X509_NAME_retrieve(name_hash, xn) != NULL) {
/* Duplicate. */
X509_NAME_free(xn);
xn = NULL;
} else {
lh_X509_NAME_insert(name_hash, xn);
if (!sk_X509_NAME_push(ret, xn))
goto err;
}
}
goto done;
err:
X509_NAME_free(xn);
sk_X509_NAME_pop_free(ret, X509_NAME_free);
ret = NULL;
done:
BIO_free(in);
X509_free(x);
lh_X509_NAME_free(name_hash);
if (ret != NULL)
ERR_clear_error();
return ret;
}
int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
const char *file)
{
BIO *in;
X509 *x = NULL;
X509_NAME *xn = NULL;
int ret = 1;
int (*oldcmp) (const X509_NAME *const *a, const X509_NAME *const *b);
oldcmp = sk_X509_NAME_set_cmp_func(stack, xname_sk_cmp);
in = BIO_new(BIO_s_file());
if (in == NULL) {
SSLerr(SSL_F_SSL_ADD_FILE_CERT_SUBJECTS_TO_STACK, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!BIO_read_filename(in, file))
goto err;
for (;;) {
if (PEM_read_bio_X509(in, &x, NULL, NULL) == NULL)
break;
if ((xn = X509_get_subject_name(x)) == NULL)
goto err;
xn = X509_NAME_dup(xn);
if (xn == NULL)
goto err;
if (sk_X509_NAME_find(stack, xn) >= 0) {
/* Duplicate. */
X509_NAME_free(xn);
} else if (!sk_X509_NAME_push(stack, xn)) {
X509_NAME_free(xn);
goto err;
}
}
ERR_clear_error();
goto done;
err:
ret = 0;
done:
BIO_free(in);
X509_free(x);
(void)sk_X509_NAME_set_cmp_func(stack, oldcmp);
return ret;
}
int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
const char *dir)
{
OPENSSL_DIR_CTX *d = NULL;
const char *filename;
int ret = 0;
/* Note that a side effect is that the CAs will be sorted by name */
while ((filename = OPENSSL_DIR_read(&d, dir))) {
char buf[1024];
int r;
if (strlen(dir) + strlen(filename) + 2 > sizeof(buf)) {
SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK,
SSL_R_PATH_TOO_LONG);
goto err;
}
#ifdef OPENSSL_SYS_VMS
r = BIO_snprintf(buf, sizeof(buf), "%s%s", dir, filename);
#else
r = BIO_snprintf(buf, sizeof(buf), "%s/%s", dir, filename);
#endif
if (r <= 0 || r >= (int)sizeof(buf))
goto err;
if (!SSL_add_file_cert_subjects_to_stack(stack, buf))
goto err;
}
if (errno) {
SYSerr(SYS_F_OPENDIR, get_last_sys_error());
ERR_add_error_data(3, "OPENSSL_DIR_read(&ctx, '", dir, "')");
SSLerr(SSL_F_SSL_ADD_DIR_CERT_SUBJECTS_TO_STACK, ERR_R_SYS_LIB);
goto err;
}
ret = 1;
err:
if (d)
OPENSSL_DIR_end(&d);
return ret;
}
/* Build a certificate chain for current certificate */
int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags)
{
CERT *c = s ? s->cert : ctx->cert;
CERT_PKEY *cpk = c->key;
X509_STORE *chain_store = NULL;
X509_STORE_CTX *xs_ctx = NULL;
STACK_OF(X509) *chain = NULL, *untrusted = NULL;
X509 *x;
int i, rv = 0;
if (!cpk->x509) {
SSLerr(SSL_F_SSL_BUILD_CERT_CHAIN, SSL_R_NO_CERTIFICATE_SET);
goto err;
}
/* Rearranging and check the chain: add everything to a store */
if (flags & SSL_BUILD_CHAIN_FLAG_CHECK) {
chain_store = X509_STORE_new();
if (chain_store == NULL)
goto err;
for (i = 0; i < sk_X509_num(cpk->chain); i++) {
x = sk_X509_value(cpk->chain, i);
if (!X509_STORE_add_cert(chain_store, x))
goto err;
}
/* Add EE cert too: it might be self signed */
if (!X509_STORE_add_cert(chain_store, cpk->x509))
goto err;
} else {
if (c->chain_store)
chain_store = c->chain_store;
else if (s)
chain_store = s->ctx->cert_store;
else
chain_store = ctx->cert_store;
if (flags & SSL_BUILD_CHAIN_FLAG_UNTRUSTED)
untrusted = cpk->chain;
}
xs_ctx = X509_STORE_CTX_new();
if (xs_ctx == NULL) {
SSLerr(SSL_F_SSL_BUILD_CERT_CHAIN, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!X509_STORE_CTX_init(xs_ctx, chain_store, cpk->x509, untrusted)) {
SSLerr(SSL_F_SSL_BUILD_CERT_CHAIN, ERR_R_X509_LIB);
goto err;
}
/* Set suite B flags if needed */
X509_STORE_CTX_set_flags(xs_ctx,
c->cert_flags & SSL_CERT_FLAG_SUITEB_128_LOS);
i = X509_verify_cert(xs_ctx);
if (i <= 0 && flags & SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR) {
if (flags & SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR)
ERR_clear_error();
i = 1;
rv = 2;
}
if (i > 0)
chain = X509_STORE_CTX_get1_chain(xs_ctx);
if (i <= 0) {
SSLerr(SSL_F_SSL_BUILD_CERT_CHAIN, SSL_R_CERTIFICATE_VERIFY_FAILED);
i = X509_STORE_CTX_get_error(xs_ctx);
ERR_add_error_data(2, "Verify error:",
X509_verify_cert_error_string(i));
goto err;
}
/* Remove EE certificate from chain */
x = sk_X509_shift(chain);
X509_free(x);
if (flags & SSL_BUILD_CHAIN_FLAG_NO_ROOT) {
if (sk_X509_num(chain) > 0) {
/* See if last cert is self signed */
x = sk_X509_value(chain, sk_X509_num(chain) - 1);
if (X509_get_extension_flags(x) & EXFLAG_SS) {
x = sk_X509_pop(chain);
X509_free(x);
}
}
}
/*
* Check security level of all CA certificates: EE will have been checked
* already.
*/
for (i = 0; i < sk_X509_num(chain); i++) {
x = sk_X509_value(chain, i);
rv = ssl_security_cert(s, ctx, x, 0, 0);
if (rv != 1) {
SSLerr(SSL_F_SSL_BUILD_CERT_CHAIN, rv);
sk_X509_pop_free(chain, X509_free);
rv = 0;
goto err;
}
}
sk_X509_pop_free(cpk->chain, X509_free);
cpk->chain = chain;
if (rv == 0)
rv = 1;
err:
if (flags & SSL_BUILD_CHAIN_FLAG_CHECK)
X509_STORE_free(chain_store);
X509_STORE_CTX_free(xs_ctx);
return rv;
}
int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref)
{
X509_STORE **pstore;
if (chain)
pstore = &c->chain_store;
else
pstore = &c->verify_store;
X509_STORE_free(*pstore);
*pstore = store;
if (ref && store)
X509_STORE_up_ref(store);
return 1;
}
int ssl_get_security_level_bits(const SSL *s, const SSL_CTX *ctx, int *levelp)
{
int level;
static const int minbits_table[5 + 1] = { 0, 80, 112, 128, 192, 256 };
if (ctx != NULL)
level = SSL_CTX_get_security_level(ctx);
else
level = SSL_get_security_level(s);
if (level > 5)
level = 5;
else if (level < 0)
level = 0;
if (levelp != NULL)
*levelp = level;
return minbits_table[level];
}
static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
int op, int bits, int nid, void *other,
void *ex)
{
- int level, minbits;
+ int level, minbits, pfs_mask;
minbits = ssl_get_security_level_bits(s, ctx, &level);
if (level == 0) {
/*
* No EDH keys weaker than 1024-bits even at level 0, otherwise,
* anything goes.
*/
if (op == SSL_SECOP_TMP_DH && bits < 80)
return 0;
return 1;
}
switch (op) {
case SSL_SECOP_CIPHER_SUPPORTED:
case SSL_SECOP_CIPHER_SHARED:
case SSL_SECOP_CIPHER_CHECK:
{
const SSL_CIPHER *c = other;
/* No ciphers below security level */
if (bits < minbits)
return 0;
/* No unauthenticated ciphersuites */
if (c->algorithm_auth & SSL_aNULL)
return 0;
/* No MD5 mac ciphersuites */
if (c->algorithm_mac & SSL_MD5)
return 0;
/* SHA1 HMAC is 160 bits of security */
if (minbits > 160 && c->algorithm_mac & SSL_SHA1)
return 0;
/* Level 2: no RC4 */
if (level >= 2 && c->algorithm_enc == SSL_RC4)
return 0;
/* Level 3: forward secure ciphersuites only */
+ pfs_mask = SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK;
if (level >= 3 && c->min_tls != TLS1_3_VERSION &&
- !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))
+ !(c->algorithm_mkey & pfs_mask))
return 0;
break;
}
case SSL_SECOP_VERSION:
if (!SSL_IS_DTLS(s)) {
/* SSLv3 not allowed at level 2 */
if (nid <= SSL3_VERSION && level >= 2)
return 0;
/* TLS v1.1 and above only for level 3 */
if (nid <= TLS1_VERSION && level >= 3)
return 0;
/* TLS v1.2 only for level 4 and above */
if (nid <= TLS1_1_VERSION && level >= 4)
return 0;
} else {
/* DTLS v1.2 only for level 4 and above */
if (DTLS_VERSION_LT(nid, DTLS1_2_VERSION) && level >= 4)
return 0;
}
break;
case SSL_SECOP_COMPRESSION:
if (level >= 2)
return 0;
break;
case SSL_SECOP_TICKET:
if (level >= 3)
return 0;
break;
default:
if (bits < minbits)
return 0;
}
return 1;
}
int ssl_security(const SSL *s, int op, int bits, int nid, void *other)
{
return s->cert->sec_cb(s, NULL, op, bits, nid, other, s->cert->sec_ex);
}
int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, void *other)
{
return ctx->cert->sec_cb(NULL, ctx, op, bits, nid, other,
ctx->cert->sec_ex);
}
int ssl_cert_lookup_by_nid(int nid, size_t *pidx)
{
size_t i;
for (i = 0; i < OSSL_NELEM(ssl_cert_info); i++) {
if (ssl_cert_info[i].nid == nid) {
*pidx = i;
return 1;
}
}
return 0;
}
const SSL_CERT_LOOKUP *ssl_cert_lookup_by_pkey(const EVP_PKEY *pk, size_t *pidx)
{
int nid = EVP_PKEY_id(pk);
size_t tmpidx;
if (nid == NID_undef)
return NULL;
if (!ssl_cert_lookup_by_nid(nid, &tmpidx))
return NULL;
if (pidx != NULL)
*pidx = tmpidx;
return &ssl_cert_info[tmpidx];
}
const SSL_CERT_LOOKUP *ssl_cert_lookup_by_idx(size_t idx)
{
if (idx >= OSSL_NELEM(ssl_cert_info))
return NULL;
return &ssl_cert_info[idx];
}
diff --git a/secure/lib/libcrypto/Makefile.inc b/secure/lib/libcrypto/Makefile.inc
index c944e3242caa..8f60c9062dbe 100644
--- a/secure/lib/libcrypto/Makefile.inc
+++ b/secure/lib/libcrypto/Makefile.inc
@@ -1,115 +1,115 @@
# $FreeBSD$
.include <bsd.own.mk>
# OpenSSL version used for manual page generation
-OPENSSL_VER= 1.1.1m
-OPENSSL_DATE= 2021-12-14
+OPENSSL_VER= 1.1.1n
+OPENSSL_DATE= 2022-03-15
LCRYPTO_SRC= ${SRCTOP}/crypto/openssl
LCRYPTO_DOC= ${LCRYPTO_SRC}/doc
CFLAGS+= -I${LCRYPTO_SRC}
CFLAGS+= -I${LCRYPTO_SRC}/include
.include <bsd.endian.mk>
.if ${TARGET_ENDIANNESS} == 1234
CFLAGS+= -DL_ENDIAN
.elif ${TARGET_ENDIANNESS} == 4321
CFLAGS+= -DB_ENDIAN
.endif
.if ${MACHINE_CPUARCH} == "aarch64" || ${MACHINE_CPUARCH} == "amd64" || \
${MACHINE_CPUARCH} == "arm" || ${MACHINE_CPUARCH} == "i386"
ASM_${MACHINE_CPUARCH}=
.elif ${MACHINE_ARCH} == "powerpc" || ${MACHINE_ARCH} == "powerpc64" || \
${MACHINE_ARCH} == "powerpc64le"
ASM_${MACHINE_ARCH}=
.endif
.if defined(ASM_${MACHINE_CPUARCH}) || defined(ASM_${MACHINE_ARCH})
CFLAGS+= -DOPENSSL_CPUID_OBJ
.if defined(ASM_aarch64)
CFLAGS+= -DOPENSSL_BN_ASM_MONT
CFLAGS+= -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
CFLAGS+= -DKECCAK1600_ASM
CFLAGS+= -DVPAES_ASM
CFLAGS+= -DECP_NISTZ256_ASM
CFLAGS+= -DPOLY1305_ASM
.elif defined(ASM_amd64)
CFLAGS+= -DOPENSSL_IA32_SSE2
CFLAGS+= -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
CFLAGS+= -DOPENSSL_BN_ASM_GF2m
CFLAGS+= -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
CFLAGS+= -DKECCAK1600_ASM
CFLAGS+= -DRC4_ASM
CFLAGS+= -DMD5_ASM
CFLAGS+= -DVPAES_ASM
CFLAGS+= -DGHASH_ASM
CFLAGS+= -DECP_NISTZ256_ASM -DX25519_ASM
CFLAGS+= -DPADLOCK_ASM
CFLAGS+= -DPOLY1305_ASM
.elif defined(ASM_arm)
CFLAGS+= -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m
CFLAGS+= -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
CFLAGS+= -DKECCAK1600_ASM
CFLAGS+= -DBSAES_ASM
CFLAGS+= -DGHASH_ASM
CFLAGS+= -DECP_NISTZ256_ASM
CFLAGS+= -DPOLY1305_ASM
.elif defined(ASM_i386)
CFLAGS+= -DOPENSSL_IA32_SSE2
CFLAGS+= -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT
CFLAGS+= -DOPENSSL_BN_ASM_GF2m
CFLAGS+= -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
CFLAGS+= -DRC4_ASM
CFLAGS+= -DMD5_ASM
CFLAGS+= -DRMD160_ASM
CFLAGS+= -DVPAES_ASM
CFLAGS+= -DWHIRLPOOL_ASM
CFLAGS+= -DGHASH_ASM
CFLAGS+= -DECP_NISTZ256_ASM
CFLAGS+= -DPADLOCK_ASM
CFLAGS+= -DPOLY1305_ASM
.elif defined(ASM_powerpc)
CFLAGS+= -DOPENSSL_BN_ASM_MONT
CFLAGS+= -DAES_ASM
CFLAGS+= -DVPAES_ASM
CFLAGS+= -DSHA1_ASM
CFLAGS+= -DSHA256_ASM
CFLAGS+= -DSHA512_ASM
CFLAGS+= -DPOLY1305_ASM
.elif defined(ASM_powerpc64)
CFLAGS+= -DOPENSSL_BN_ASM_MONT
CFLAGS+= -DAES_ASM
CFLAGS+= -DVPAES_ASM
CFLAGS+= -DSHA1_ASM
CFLAGS+= -DSHA256_ASM
CFLAGS+= -DSHA512_ASM
CFLAGS+= -DPOLY1305_ASM
CFLAGS+= -DECP_NISTZ256_ASM
CFLAGS+= -DX25519_ASM
CFLAGS+= -DKECCAK1600_ASM
.elif defined(ASM_powerpc64le)
CFLAGS+= -DOPENSSL_BN_ASM_MONT
CFLAGS+= -DAES_ASM
CFLAGS+= -DVPAES_ASM
CFLAGS+= -DSHA1_ASM
CFLAGS+= -DSHA256_ASM
CFLAGS+= -DSHA512_ASM
CFLAGS+= -DPOLY1305_ASM
CFLAGS+= -DECP_NISTZ256_ASM
CFLAGS+= -DX25519_ASM
CFLAGS+= -DKECCAK1600_ASM
.endif
.endif
.if defined(LIB)
CFLAGS+= -DOPENSSLDIR="\"/etc/ssl\""
CFLAGS+= -DENGINESDIR="\"${LIBDIR}/engines\""
.endif
CFLAGS+= -DNDEBUG
MANDIR= ${SHAREDIR}/openssl/man/man
diff --git a/secure/lib/libcrypto/man/man3/ADMISSIONS.3 b/secure/lib/libcrypto/man/man3/ADMISSIONS.3
index 7b57b3ecb02e..5b181cfe6734 100644
--- a/secure/lib/libcrypto/man/man3/ADMISSIONS.3
+++ b/secure/lib/libcrypto/man/man3/ADMISSIONS.3
@@ -1,280 +1,280 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ADMISSIONS 3"
-.TH ADMISSIONS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ADMISSIONS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ADMISSIONS, ADMISSIONS_get0_admissionAuthority, ADMISSIONS_get0_namingAuthority, ADMISSIONS_get0_professionInfos, ADMISSIONS_set0_admissionAuthority, ADMISSIONS_set0_namingAuthority, ADMISSIONS_set0_professionInfos, ADMISSION_SYNTAX, ADMISSION_SYNTAX_get0_admissionAuthority, ADMISSION_SYNTAX_get0_contentsOfAdmissions, ADMISSION_SYNTAX_set0_admissionAuthority, ADMISSION_SYNTAX_set0_contentsOfAdmissions, NAMING_AUTHORITY, NAMING_AUTHORITY_get0_authorityId, NAMING_AUTHORITY_get0_authorityURL, NAMING_AUTHORITY_get0_authorityText, NAMING_AUTHORITY_set0_authorityId, NAMING_AUTHORITY_set0_authorityURL, NAMING_AUTHORITY_set0_authorityText, PROFESSION_INFO, PROFESSION_INFOS, PROFESSION_INFO_get0_addProfessionInfo, PROFESSION_INFO_get0_namingAuthority, PROFESSION_INFO_get0_professionItems, PROFESSION_INFO_get0_professionOIDs, PROFESSION_INFO_get0_registrationNumber, PROFESSION_INFO_set0_addProfessionInfo, PROFESSION_INFO_set0_namingAuthority, PROFESSION_INFO_set0_professionItems, PROFESSION_INFO_set0_professionOIDs, PROFESSION_INFO_set0_registrationNumber \&\- Accessors and settors for ADMISSION_SYNTAX
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 5
\& typedef struct NamingAuthority_st NAMING_AUTHORITY;
\& typedef struct ProfessionInfo_st PROFESSION_INFO;
\& typedef STACK_OF(PROFESSION_INFO) PROFESSION_INFOS;
\& typedef struct Admissions_st ADMISSIONS;
\& typedef struct AdmissionSyntax_st ADMISSION_SYNTAX;
\&
\& const ASN1_OBJECT *NAMING_AUTHORITY_get0_authorityId(
\& const NAMING_AUTHORITY *n);
\& void NAMING_AUTHORITY_set0_authorityId(NAMING_AUTHORITY *n,
\& ASN1_OBJECT* namingAuthorityId);
\& const ASN1_IA5STRING *NAMING_AUTHORITY_get0_authorityURL(
\& const NAMING_AUTHORITY *n);
\& void NAMING_AUTHORITY_set0_authorityURL(NAMING_AUTHORITY *n,
\& ASN1_IA5STRING* namingAuthorityUrl);
\& const ASN1_STRING *NAMING_AUTHORITY_get0_authorityText(
\& const NAMING_AUTHORITY *n);
\& void NAMING_AUTHORITY_set0_authorityText(NAMING_AUTHORITY *n,
\& ASN1_STRING* namingAuthorityText);
\&
\& const GENERAL_NAME *ADMISSION_SYNTAX_get0_admissionAuthority(
\& const ADMISSION_SYNTAX *as);
\& void ADMISSION_SYNTAX_set0_admissionAuthority(
\& ADMISSION_SYNTAX *as, GENERAL_NAME *aa);
\& const STACK_OF(ADMISSIONS) *ADMISSION_SYNTAX_get0_contentsOfAdmissions(
\& const ADMISSION_SYNTAX *as);
\& void ADMISSION_SYNTAX_set0_contentsOfAdmissions(
\& ADMISSION_SYNTAX *as, STACK_OF(ADMISSIONS) *a);
\&
\& const GENERAL_NAME *ADMISSIONS_get0_admissionAuthority(const ADMISSIONS *a);
\& void ADMISSIONS_set0_admissionAuthority(ADMISSIONS *a, GENERAL_NAME *aa);
\& const NAMING_AUTHORITY *ADMISSIONS_get0_namingAuthority(const ADMISSIONS *a);
\& void ADMISSIONS_set0_namingAuthority(ADMISSIONS *a, NAMING_AUTHORITY *na);
\& const PROFESSION_INFOS *ADMISSIONS_get0_professionInfos(const ADMISSIONS *a);
\& void ADMISSIONS_set0_professionInfos(ADMISSIONS *a, PROFESSION_INFOS *pi);
\&
\& const ASN1_OCTET_STRING *PROFESSION_INFO_get0_addProfessionInfo(
\& const PROFESSION_INFO *pi);
\& void PROFESSION_INFO_set0_addProfessionInfo(
\& PROFESSION_INFO *pi, ASN1_OCTET_STRING *aos);
\& const NAMING_AUTHORITY *PROFESSION_INFO_get0_namingAuthority(
\& const PROFESSION_INFO *pi);
\& void PROFESSION_INFO_set0_namingAuthority(
\& PROFESSION_INFO *pi, NAMING_AUTHORITY *na);
\& const STACK_OF(ASN1_STRING) *PROFESSION_INFO_get0_professionItems(
\& const PROFESSION_INFO *pi);
\& void PROFESSION_INFO_set0_professionItems(
\& PROFESSION_INFO *pi, STACK_OF(ASN1_STRING) *as);
\& const STACK_OF(ASN1_OBJECT) *PROFESSION_INFO_get0_professionOIDs(
\& const PROFESSION_INFO *pi);
\& void PROFESSION_INFO_set0_professionOIDs(
\& PROFESSION_INFO *pi, STACK_OF(ASN1_OBJECT) *po);
\& const ASN1_PRINTABLESTRING *PROFESSION_INFO_get0_registrationNumber(
\& const PROFESSION_INFO *pi);
\& void PROFESSION_INFO_set0_registrationNumber(
\& PROFESSION_INFO *pi, ASN1_PRINTABLESTRING *rn);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fB\s-1PROFESSION_INFOS\s0\fR, \fB\s-1ADMISSION_SYNTAX\s0\fR, \fB\s-1ADMISSIONS\s0\fR, and
\&\fB\s-1PROFESSION_INFO\s0\fR types are opaque structures representing the
analogous types defined in the Common \s-1PKI\s0 Specification published
by <https://www.t7ev.org>.
Knowledge of those structures and their semantics is assumed.
.PP
The conventional routines to convert between \s-1DER\s0 and the local format
are described in \fBd2i_X509\fR\|(3).
The conventional routines to allocate and free the types are defined
in \fBX509_dup\fR\|(3).
.PP
The \fB\s-1PROFESSION_INFOS\s0\fR type is a stack of \fB\s-1PROFESSION_INFO\s0\fR; see
\&\s-1\fBDEFINE_STACK_OF\s0\fR\|(3) for details.
.PP
The \fB\s-1NAMING_AUTHORITY\s0\fR type has an authority \s-1ID\s0 and \s-1URL,\s0 and text fields.
The \fBNAMING_AUTHORITY_get0_authorityId()\fR,
\&\fBNAMING_AUTHORITY_get0_get0_authorityURL()\fR, and
\&\fBNAMING_AUTHORITY_get0_get0_authorityText()\fR, functions return pointers
to those values within the object.
The \fBNAMING_AUTHORITY_set0_authorityId()\fR,
\&\fBNAMING_AUTHORITY_set0_get0_authorityURL()\fR, and
\&\fBNAMING_AUTHORITY_set0_get0_authorityText()\fR,
functions free any existing value and set the pointer to the specified value.
.PP
The \fB\s-1ADMISSION_SYNTAX\s0\fR type has an authority name and a stack of
\&\fB\s-1ADMISSION\s0\fR objects.
The \fBADMISSION_SYNTAX_get0_admissionAuthority()\fR
and \fBADMISSION_SYNTAX_get0_contentsOfAdmissions()\fR functions return pointers
to those values within the object.
The
\&\fBADMISSION_SYNTAX_set0_admissionAuthority()\fR and
\&\fBADMISSION_SYNTAX_set0_contentsOfAdmissions()\fR
functions free any existing value and set the pointer to the specified value.
.PP
The \fB\s-1ADMISSION\s0\fR type has an authority name, authority object, and a
stack of \fB\s-1PROFESSION_INFO\s0\fR items.
The \fBADMISSIONS_get0_admissionAuthority()\fR, \fBADMISSIONS_get0_namingAuthority()\fR,
and \fBADMISSIONS_get0_professionInfos()\fR
functions return pointers to those values within the object.
The
\&\fBADMISSIONS_set0_admissionAuthority()\fR,
\&\fBADMISSIONS_set0_namingAuthority()\fR, and
\&\fBADMISSIONS_set0_professionInfos()\fR
functions free any existing value and set the pointer to the specified value.
.PP
The \fB\s-1PROFESSION_INFO\s0\fR type has a name authority, stacks of
profession Items and OIDs, a registration number, and additional
profession info.
The functions \fBPROFESSION_INFO_get0_addProfessionInfo()\fR,
\&\fBPROFESSION_INFO_get0_namingAuthority()\fR, \fBPROFESSION_INFO_get0_professionItems()\fR,
\&\fBPROFESSION_INFO_get0_professionOIDs()\fR, and
\&\fBPROFESSION_INFO_get0_registrationNumber()\fR
functions return pointers to those values within the object.
The
\&\fBPROFESSION_INFO_set0_addProfessionInfo()\fR,
\&\fBPROFESSION_INFO_set0_namingAuthority()\fR,
\&\fBPROFESSION_INFO_set0_professionItems()\fR,
\&\fBPROFESSION_INFO_set0_professionOIDs()\fR, and
\&\fBPROFESSION_INFO_set0_registrationNumber()\fR
functions free any existing value and set the pointer to the specified value.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Described above.
Note that all of the \fIget0\fR functions return a pointer to the internal data
structure and must not be freed.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_dup\fR\|(3),
\&\fBd2i_X509\fR\|(3),
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_INTEGER_get_int64.3 b/secure/lib/libcrypto/man/man3/ASN1_INTEGER_get_int64.3
index 5266b5bffa4a..f175e3a6142f 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_INTEGER_get_int64.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_INTEGER_get_int64.3
@@ -1,260 +1,260 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_INTEGER_GET_INT64 3"
-.TH ASN1_INTEGER_GET_INT64 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ASN1_INTEGER_GET_INT64 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ASN1_INTEGER_get_uint64, ASN1_INTEGER_set_uint64, ASN1_INTEGER_get_int64, ASN1_INTEGER_get, ASN1_INTEGER_set_int64, ASN1_INTEGER_set, BN_to_ASN1_INTEGER, ASN1_INTEGER_to_BN, ASN1_ENUMERATED_get_int64, ASN1_ENUMERATED_get, ASN1_ENUMERATED_set_int64, ASN1_ENUMERATED_set, BN_to_ASN1_ENUMERATED, ASN1_ENUMERATED_to_BN \&\- ASN.1 INTEGER and ENUMERATED utilities
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1.h>
\&
\& int ASN1_INTEGER_get_int64(int64_t *pr, const ASN1_INTEGER *a);
\& long ASN1_INTEGER_get(const ASN1_INTEGER *a);
\&
\& int ASN1_INTEGER_set_int64(ASN1_INTEGER *a, int64_t r);
\& int ASN1_INTEGER_set(const ASN1_INTEGER *a, long v);
\&
\& int ASN1_INTEGER_get_uint64(uint64_t *pr, const ASN1_INTEGER *a);
\& int ASN1_INTEGER_set_uint64(ASN1_INTEGER *a, uint64_t r);
\&
\& ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai);
\& BIGNUM *ASN1_INTEGER_to_BN(const ASN1_INTEGER *ai, BIGNUM *bn);
\&
\& int ASN1_ENUMERATED_get_int64(int64_t *pr, const ASN1_ENUMERATED *a);
\& long ASN1_ENUMERATED_get(const ASN1_ENUMERATED *a);
\&
\& int ASN1_ENUMERATED_set_int64(ASN1_ENUMERATED *a, int64_t r);
\& int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v);
\&
\& ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai);
\& BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai, BIGNUM *bn);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions convert to and from \fB\s-1ASN1_INTEGER\s0\fR and \fB\s-1ASN1_ENUMERATED\s0\fR
structures.
.PP
\&\fBASN1_INTEGER_get_int64()\fR converts an \fB\s-1ASN1_INTEGER\s0\fR into an \fBint64_t\fR type
If successful it returns 1 and sets \fB*pr\fR to the value of \fBa\fR. If it fails
(due to invalid type or the value being too big to fit into an \fBint64_t\fR type)
it returns 0.
.PP
\&\fBASN1_INTEGER_get_uint64()\fR is similar to \fBASN1_INTEGER_get_int64_t()\fR except it
converts to a \fBuint64_t\fR type and an error is returned if the passed integer
is negative.
.PP
\&\fBASN1_INTEGER_get()\fR also returns the value of \fBa\fR but it returns 0 if \fBa\fR is
\&\s-1NULL\s0 and \-1 on error (which is ambiguous because \-1 is a legitimate value for
an \fB\s-1ASN1_INTEGER\s0\fR). New applications should use \fBASN1_INTEGER_get_int64()\fR
instead.
.PP
\&\fBASN1_INTEGER_set_int64()\fR sets the value of \fB\s-1ASN1_INTEGER\s0\fR \fBa\fR to the
\&\fBint64_t\fR value \fBr\fR.
.PP
\&\fBASN1_INTEGER_set_uint64()\fR sets the value of \fB\s-1ASN1_INTEGER\s0\fR \fBa\fR to the
\&\fBuint64_t\fR value \fBr\fR.
.PP
\&\fBASN1_INTEGER_set()\fR sets the value of \fB\s-1ASN1_INTEGER\s0\fR \fBa\fR to the \fBlong\fR value
\&\fBv\fR.
.PP
\&\fBBN_to_ASN1_INTEGER()\fR converts \fB\s-1BIGNUM\s0\fR \fBbn\fR to an \fB\s-1ASN1_INTEGER\s0\fR. If \fBai\fR
is \s-1NULL\s0 a new \fB\s-1ASN1_INTEGER\s0\fR structure is returned. If \fBai\fR is not \s-1NULL\s0 then
the existing structure will be used instead.
.PP
\&\fBASN1_INTEGER_to_BN()\fR converts \s-1ASN1_INTEGER\s0 \fBai\fR into a \fB\s-1BIGNUM\s0\fR. If \fBbn\fR is
\&\s-1NULL\s0 a new \fB\s-1BIGNUM\s0\fR structure is returned. If \fBbn\fR is not \s-1NULL\s0 then the
existing structure will be used instead.
.PP
\&\fBASN1_ENUMERATED_get_int64()\fR, \fBASN1_ENUMERATED_set_int64()\fR,
\&\fBASN1_ENUMERATED_set()\fR, \fBBN_to_ASN1_ENUMERATED()\fR and \fBASN1_ENUMERATED_to_BN()\fR
behave in an identical way to their \s-1ASN1_INTEGER\s0 counterparts except they
operate on an \fB\s-1ASN1_ENUMERATED\s0\fR value.
.PP
\&\fBASN1_ENUMERATED_get()\fR returns the value of \fBa\fR in a similar way to
\&\fBASN1_INTEGER_get()\fR but it returns \fB0xffffffffL\fR if the value of \fBa\fR will not
fit in a long type. New applications should use \fBASN1_ENUMERATED_get_int64()\fR
instead.
.SH "NOTES"
.IX Header "NOTES"
In general an \fB\s-1ASN1_INTEGER\s0\fR or \fB\s-1ASN1_ENUMERATED\s0\fR type can contain an
integer of almost arbitrary size and so cannot always be represented by a C
\&\fBint64_t\fR type. However, in many cases (for example version numbers) they
represent small integers which can be more easily manipulated if converted to
an appropriate C integer type.
.SH "BUGS"
.IX Header "BUGS"
The ambiguous return values of \fBASN1_INTEGER_get()\fR and \fBASN1_ENUMERATED_get()\fR
mean these functions should be avoided if possible. They are retained for
compatibility. Normally the ambiguous return values are not legitimate
values for the fields they represent.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBASN1_INTEGER_set_int64()\fR, \fBASN1_INTEGER_set()\fR, \fBASN1_ENUMERATED_set_int64()\fR and
\&\fBASN1_ENUMERATED_set()\fR return 1 for success and 0 for failure. They will only
fail if a memory allocation error occurs.
.PP
\&\fBASN1_INTEGER_get_int64()\fR and \fBASN1_ENUMERATED_get_int64()\fR return 1 for success
and 0 for failure. They will fail if the passed type is incorrect (this will
only happen if there is a programming error) or if the value exceeds the range
of an \fBint64_t\fR type.
.PP
\&\fBBN_to_ASN1_INTEGER()\fR and \fBBN_to_ASN1_ENUMERATED()\fR return an \fB\s-1ASN1_INTEGER\s0\fR or
\&\fB\s-1ASN1_ENUMERATED\s0\fR structure respectively or \s-1NULL\s0 if an error occurs. They will
only fail due to a memory allocation error.
.PP
\&\fBASN1_INTEGER_to_BN()\fR and \fBASN1_ENUMERATED_to_BN()\fR return a \fB\s-1BIGNUM\s0\fR structure
of \s-1NULL\s0 if an error occurs. They can fail if the passed type is incorrect
(due to programming error) or due to a memory allocation failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBASN1_INTEGER_set_int64()\fR, \fBASN1_INTEGER_get_int64()\fR,
\&\fBASN1_ENUMERATED_set_int64()\fR and \fBASN1_ENUMERATED_get_int64()\fR
were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_ITEM_lookup.3 b/secure/lib/libcrypto/man/man3/ASN1_ITEM_lookup.3
index 43232322317a..17a01120ca6d 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_ITEM_lookup.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_ITEM_lookup.3
@@ -1,171 +1,171 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_ITEM_LOOKUP 3"
-.TH ASN1_ITEM_LOOKUP 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ASN1_ITEM_LOOKUP 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ASN1_ITEM_lookup, ASN1_ITEM_get \- lookup ASN.1 structures
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1.h>
\&
\& const ASN1_ITEM *ASN1_ITEM_lookup(const char *name);
\& const ASN1_ITEM *ASN1_ITEM_get(size_t i);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBASN1_ITEM_lookup()\fR returns the \fB\s-1ASN1_ITEM\s0 name\fR.
.PP
\&\fBASN1_ITEM_get()\fR returns the \fB\s-1ASN1_ITEM\s0\fR with index \fBi\fR. This function
returns \fB\s-1NULL\s0\fR if the index \fBi\fR is out of range.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBASN1_ITEM_lookup()\fR and \fBASN1_ITEM_get()\fR return a valid \fB\s-1ASN1_ITEM\s0\fR structure
or \fB\s-1NULL\s0\fR if an error occurred.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_OBJECT_new.3 b/secure/lib/libcrypto/man/man3/ASN1_OBJECT_new.3
index 83490697b30a..b1315935c54c 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_OBJECT_new.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_OBJECT_new.3
@@ -1,182 +1,182 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_OBJECT_NEW 3"
-.TH ASN1_OBJECT_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ASN1_OBJECT_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ASN1_OBJECT_new, ASN1_OBJECT_free \- object allocation functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1.h>
\&
\& ASN1_OBJECT *ASN1_OBJECT_new(void);
\& void ASN1_OBJECT_free(ASN1_OBJECT *a);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1ASN1_OBJECT\s0 allocation routines, allocate and free an
\&\s-1ASN1_OBJECT\s0 structure, which represents an \s-1ASN1 OBJECT IDENTIFIER.\s0
.PP
\&\fBASN1_OBJECT_new()\fR allocates and initializes an \s-1ASN1_OBJECT\s0 structure.
.PP
\&\fBASN1_OBJECT_free()\fR frees up the \fB\s-1ASN1_OBJECT\s0\fR structure \fBa\fR.
If \fBa\fR is \s-1NULL,\s0 nothing is done.
.SH "NOTES"
.IX Header "NOTES"
Although \fBASN1_OBJECT_new()\fR allocates a new \s-1ASN1_OBJECT\s0 structure it
is almost never used in applications. The \s-1ASN1\s0 object utility functions
such as \fBOBJ_nid2obj()\fR are used instead.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
If the allocation fails, \fBASN1_OBJECT_new()\fR returns \fB\s-1NULL\s0\fR and sets an error
code that can be obtained by \fBERR_get_error\fR\|(3).
Otherwise it returns a pointer to the newly allocated structure.
.PP
\&\fBASN1_OBJECT_free()\fR returns no value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBd2i_ASN1_OBJECT\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_STRING_TABLE_add.3 b/secure/lib/libcrypto/man/man3/ASN1_STRING_TABLE_add.3
index 4835eb1671ce..64f66fa9708a 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_STRING_TABLE_add.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_STRING_TABLE_add.3
@@ -1,195 +1,195 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_STRING_TABLE_ADD 3"
-.TH ASN1_STRING_TABLE_ADD 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ASN1_STRING_TABLE_ADD 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ASN1_STRING_TABLE, ASN1_STRING_TABLE_add, ASN1_STRING_TABLE_get, ASN1_STRING_TABLE_cleanup \- ASN1_STRING_TABLE manipulation functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1.h>
\&
\& typedef struct asn1_string_table_st ASN1_STRING_TABLE;
\&
\& int ASN1_STRING_TABLE_add(int nid, long minsize, long maxsize,
\& unsigned long mask, unsigned long flags);
\& ASN1_STRING_TABLE * ASN1_STRING_TABLE_get(int nid);
\& void ASN1_STRING_TABLE_cleanup(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
.SS "Types"
.IX Subsection "Types"
\&\fB\s-1ASN1_STRING_TABLE\s0\fR is a table which holds string information
(basically minimum size, maximum size, type and etc) for a \s-1NID\s0 object.
.SS "Functions"
.IX Subsection "Functions"
\&\fBASN1_STRING_TABLE_add()\fR adds a new \fB\s-1ASN1_STRING_TABLE\s0\fR item into the
local \s-1ASN1\s0 string table based on the \fBnid\fR along with other parameters.
.PP
If the item is already in the table, fields of \fB\s-1ASN1_STRING_TABLE\s0\fR are
updated (depending on the values of those parameters, e.g., \fBminsize\fR
and \fBmaxsize\fR >= 0, \fBmask\fR and \fBflags\fR != 0). If the \fBnid\fR is standard,
a copy of the standard \fB\s-1ASN1_STRING_TABLE\s0\fR is created and updated with
other parameters.
.PP
\&\fBASN1_STRING_TABLE_get()\fR searches for an \fB\s-1ASN1_STRING_TABLE\s0\fR item based
on \fBnid\fR. It will search the local table first, then the standard one.
.PP
\&\fBASN1_STRING_TABLE_cleanup()\fR frees all \fB\s-1ASN1_STRING_TABLE\s0\fR items added
by \fBASN1_STRING_TABLE_add()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBASN1_STRING_TABLE_add()\fR returns 1 on success, 0 if an error occurred.
.PP
\&\fBASN1_STRING_TABLE_get()\fR returns a valid \fB\s-1ASN1_STRING_TABLE\s0\fR structure
or \fB\s-1NULL\s0\fR if nothing is found.
.PP
\&\fBASN1_STRING_TABLE_cleanup()\fR does not return a value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_STRING_length.3 b/secure/lib/libcrypto/man/man3/ASN1_STRING_length.3
index afbd496b3339..ecf899719e86 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_STRING_length.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_STRING_length.3
@@ -1,242 +1,242 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_STRING_LENGTH 3"
-.TH ASN1_STRING_LENGTH 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ASN1_STRING_LENGTH 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ASN1_STRING_dup, ASN1_STRING_cmp, ASN1_STRING_set, ASN1_STRING_length, ASN1_STRING_type, ASN1_STRING_get0_data, ASN1_STRING_data, ASN1_STRING_to_UTF8 \- ASN1_STRING utility functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1.h>
\&
\& int ASN1_STRING_length(ASN1_STRING *x);
\& const unsigned char * ASN1_STRING_get0_data(const ASN1_STRING *x);
\& unsigned char * ASN1_STRING_data(ASN1_STRING *x);
\&
\& ASN1_STRING * ASN1_STRING_dup(ASN1_STRING *a);
\&
\& int ASN1_STRING_cmp(ASN1_STRING *a, ASN1_STRING *b);
\&
\& int ASN1_STRING_set(ASN1_STRING *str, const void *data, int len);
\&
\& int ASN1_STRING_type(const ASN1_STRING *x);
\&
\& int ASN1_STRING_to_UTF8(unsigned char **out, const ASN1_STRING *in);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions allow an \fB\s-1ASN1_STRING\s0\fR structure to be manipulated.
.PP
\&\fBASN1_STRING_length()\fR returns the length of the content of \fBx\fR.
.PP
\&\fBASN1_STRING_get0_data()\fR returns an internal pointer to the data of \fBx\fR.
Since this is an internal pointer it should \fBnot\fR be freed or
modified in any way.
.PP
\&\fBASN1_STRING_data()\fR is similar to \fBASN1_STRING_get0_data()\fR except the
returned value is not constant. This function is deprecated:
applications should use \fBASN1_STRING_get0_data()\fR instead.
.PP
\&\fBASN1_STRING_dup()\fR returns a copy of the structure \fBa\fR.
.PP
\&\fBASN1_STRING_cmp()\fR compares \fBa\fR and \fBb\fR returning 0 if the two
are identical. The string types and content are compared.
.PP
\&\fBASN1_STRING_set()\fR sets the data of string \fBstr\fR to the buffer
\&\fBdata\fR or length \fBlen\fR. The supplied data is copied. If \fBlen\fR
is \-1 then the length is determined by strlen(data).
.PP
\&\fBASN1_STRING_type()\fR returns the type of \fBx\fR, using standard constants
such as \fBV_ASN1_OCTET_STRING\fR.
.PP
\&\fBASN1_STRING_to_UTF8()\fR converts the string \fBin\fR to \s-1UTF8\s0 format, the
converted data is allocated in a buffer in \fB*out\fR. The length of
\&\fBout\fR is returned or a negative error code. The buffer \fB*out\fR
should be freed using \fBOPENSSL_free()\fR.
.SH "NOTES"
.IX Header "NOTES"
Almost all \s-1ASN1\s0 types in OpenSSL are represented as an \fB\s-1ASN1_STRING\s0\fR
structure. Other types such as \fB\s-1ASN1_OCTET_STRING\s0\fR are simply typedef'ed
to \fB\s-1ASN1_STRING\s0\fR and the functions call the \fB\s-1ASN1_STRING\s0\fR equivalents.
\&\fB\s-1ASN1_STRING\s0\fR is also used for some \fB\s-1CHOICE\s0\fR types which consist
entirely of primitive string types such as \fBDirectoryString\fR and
\&\fBTime\fR.
.PP
These functions should \fBnot\fR be used to examine or modify \fB\s-1ASN1_INTEGER\s0\fR
or \fB\s-1ASN1_ENUMERATED\s0\fR types: the relevant \fB\s-1INTEGER\s0\fR or \fB\s-1ENUMERATED\s0\fR
utility functions should be used instead.
.PP
In general it cannot be assumed that the data returned by \fBASN1_STRING_data()\fR
is null terminated or does not contain embedded nulls. The actual format
of the data will depend on the actual string type itself: for example
for an IA5String the data will be \s-1ASCII,\s0 for a BMPString two bytes per
character in big endian format, and for a UTF8String it will be in \s-1UTF8\s0 format.
.PP
Similar care should be take to ensure the data is in the correct format
when calling \fBASN1_STRING_set()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBASN1_STRING_length()\fR returns the length of the content of \fBx\fR.
.PP
\&\fBASN1_STRING_get0_data()\fR and \fBASN1_STRING_data()\fR return an internal pointer to
the data of \fBx\fR.
.PP
\&\fBASN1_STRING_dup()\fR returns a valid \fB\s-1ASN1_STRING\s0\fR structure or \fB\s-1NULL\s0\fR if an
error occurred.
.PP
\&\fBASN1_STRING_cmp()\fR returns an integer greater than, equal to, or less than 0,
according to whether \fBa\fR is greater than, equal to, or less than \fBb\fR.
.PP
\&\fBASN1_STRING_set()\fR returns 1 on success or 0 on error.
.PP
\&\fBASN1_STRING_type()\fR returns the type of \fBx\fR.
.PP
\&\fBASN1_STRING_to_UTF8()\fR returns the number of bytes in output string \fBout\fR or a
negative value if an error occurred.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_STRING_new.3 b/secure/lib/libcrypto/man/man3/ASN1_STRING_new.3
index affaedc8c31e..4b2ae52efe84 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_STRING_new.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_STRING_new.3
@@ -1,182 +1,182 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_STRING_NEW 3"
-.TH ASN1_STRING_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ASN1_STRING_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ASN1_STRING_new, ASN1_STRING_type_new, ASN1_STRING_free \- ASN1_STRING allocation functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1.h>
\&
\& ASN1_STRING * ASN1_STRING_new(void);
\& ASN1_STRING * ASN1_STRING_type_new(int type);
\& void ASN1_STRING_free(ASN1_STRING *a);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBASN1_STRING_new()\fR returns an allocated \fB\s-1ASN1_STRING\s0\fR structure. Its type
is undefined.
.PP
\&\fBASN1_STRING_type_new()\fR returns an allocated \fB\s-1ASN1_STRING\s0\fR structure of
type \fBtype\fR.
.PP
\&\fBASN1_STRING_free()\fR frees up \fBa\fR.
If \fBa\fR is \s-1NULL\s0 nothing is done.
.SH "NOTES"
.IX Header "NOTES"
Other string types call the \fB\s-1ASN1_STRING\s0\fR functions. For example
\&\fBASN1_OCTET_STRING_new()\fR calls ASN1_STRING_type(V_ASN1_OCTET_STRING).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBASN1_STRING_new()\fR and \fBASN1_STRING_type_new()\fR return a valid
\&\s-1ASN1_STRING\s0 structure or \fB\s-1NULL\s0\fR if an error occurred.
.PP
\&\fBASN1_STRING_free()\fR does not return a value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_STRING_print_ex.3 b/secure/lib/libcrypto/man/man3/ASN1_STRING_print_ex.3
index 22f59a06536d..53db5a957759 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_STRING_print_ex.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_STRING_print_ex.3
@@ -1,245 +1,245 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_STRING_PRINT_EX 3"
-.TH ASN1_STRING_PRINT_EX 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ASN1_STRING_PRINT_EX 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ASN1_tag2str, ASN1_STRING_print_ex, ASN1_STRING_print_ex_fp, ASN1_STRING_print \&\- ASN1_STRING output routines
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1.h>
\&
\& int ASN1_STRING_print_ex(BIO *out, const ASN1_STRING *str, unsigned long flags);
\& int ASN1_STRING_print_ex_fp(FILE *fp, const ASN1_STRING *str, unsigned long flags);
\& int ASN1_STRING_print(BIO *out, const ASN1_STRING *str);
\&
\& const char *ASN1_tag2str(int tag);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions output an \fB\s-1ASN1_STRING\s0\fR structure. \fB\s-1ASN1_STRING\s0\fR is used to
represent all the \s-1ASN1\s0 string types.
.PP
\&\fBASN1_STRING_print_ex()\fR outputs \fBstr\fR to \fBout\fR, the format is determined by
the options \fBflags\fR. \fBASN1_STRING_print_ex_fp()\fR is identical except it outputs
to \fBfp\fR instead.
.PP
\&\fBASN1_STRING_print()\fR prints \fBstr\fR to \fBout\fR but using a different format to
\&\fBASN1_STRING_print_ex()\fR. It replaces unprintable characters (other than \s-1CR, LF\s0)
with '.'.
.PP
\&\fBASN1_tag2str()\fR returns a human-readable name of the specified \s-1ASN.1\s0 \fBtag\fR.
.SH "NOTES"
.IX Header "NOTES"
\&\fBASN1_STRING_print()\fR is a deprecated function which should be avoided; use
\&\fBASN1_STRING_print_ex()\fR instead.
.PP
Although there are a large number of options frequently \fB\s-1ASN1_STRFLGS_RFC2253\s0\fR is
suitable, or on \s-1UTF8\s0 terminals \fB\s-1ASN1_STRFLGS_RFC2253 &\s0 ~ASN1_STRFLGS_ESC_MSB\fR.
.PP
The complete set of supported options for \fBflags\fR is listed below.
.PP
Various characters can be escaped. If \fB\s-1ASN1_STRFLGS_ESC_2253\s0\fR is set the characters
determined by \s-1RFC2253\s0 are escaped. If \fB\s-1ASN1_STRFLGS_ESC_CTRL\s0\fR is set control
characters are escaped. If \fB\s-1ASN1_STRFLGS_ESC_MSB\s0\fR is set characters with the
\&\s-1MSB\s0 set are escaped: this option should \fBnot\fR be used if the terminal correctly
interprets \s-1UTF8\s0 sequences.
.PP
Escaping takes several forms.
.PP
If the character being escaped is a 16 bit character then the form \*(L"\eUXXXX\*(R" is used
using exactly four characters for the hex representation. If it is 32 bits then
\&\*(L"\eWXXXXXXXX\*(R" is used using eight characters of its hex representation. These forms
will only be used if \s-1UTF8\s0 conversion is not set (see below).
.PP
Printable characters are normally escaped using the backslash '\e' character. If
\&\fB\s-1ASN1_STRFLGS_ESC_QUOTE\s0\fR is set then the whole string is instead surrounded by
double quote characters: this is arguably more readable than the backslash
notation. Other characters use the \*(L"\eXX\*(R" using exactly two characters of the hex
representation.
.PP
If \fB\s-1ASN1_STRFLGS_UTF8_CONVERT\s0\fR is set then characters are converted to \s-1UTF8\s0
format first. If the terminal supports the display of \s-1UTF8\s0 sequences then this
option will correctly display multi byte characters.
.PP
If \fB\s-1ASN1_STRFLGS_IGNORE_TYPE\s0\fR is set then the string type is not interpreted at
all: everything is assumed to be one byte per character. This is primarily for
debugging purposes and can result in confusing output in multi character strings.
.PP
If \fB\s-1ASN1_STRFLGS_SHOW_TYPE\s0\fR is set then the string type itself is printed out
before its value (for example \*(L"\s-1BMPSTRING\*(R"\s0), this actually uses \fBASN1_tag2str()\fR.
.PP
The content of a string instead of being interpreted can be \*(L"dumped\*(R": this just
outputs the value of the string using the form #XXXX using hex format for each
octet.
.PP
If \fB\s-1ASN1_STRFLGS_DUMP_ALL\s0\fR is set then any type is dumped.
.PP
Normally non character string types (such as \s-1OCTET STRING\s0) are assumed to be
one byte per character, if \fB\s-1ASN1_STRFLGS_DUMP_UNKNOWN\s0\fR is set then they will
be dumped instead.
.PP
When a type is dumped normally just the content octets are printed, if
\&\fB\s-1ASN1_STRFLGS_DUMP_DER\s0\fR is set then the complete encoding is dumped
instead (including tag and length octets).
.PP
\&\fB\s-1ASN1_STRFLGS_RFC2253\s0\fR includes all the flags required by \s-1RFC2253.\s0 It is
equivalent to:
\s-1ASN1_STRFLGS_ESC_2253\s0 | \s-1ASN1_STRFLGS_ESC_CTRL\s0 | \s-1ASN1_STRFLGS_ESC_MSB\s0 |
\s-1ASN1_STRFLGS_UTF8_CONVERT\s0 | \s-1ASN1_STRFLGS_DUMP_UNKNOWN ASN1_STRFLGS_DUMP_DER\s0
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBASN1_STRING_print_ex()\fR and \fBASN1_STRING_print_ex_fp()\fR return the number of
characters written or \-1 if an error occurred.
.PP
\&\fBASN1_STRING_print()\fR returns 1 on success or 0 on error.
.PP
\&\fBASN1_tag2str()\fR returns a human-readable name of the specified \s-1ASN.1\s0 \fBtag\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_NAME_print_ex\fR\|(3),
\&\fBASN1_tag2str\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_TIME_set.3 b/secure/lib/libcrypto/man/man3/ASN1_TIME_set.3
index bd61421b4214..e64e757eb2a6 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_TIME_set.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_TIME_set.3
@@ -1,380 +1,380 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_TIME_SET 3"
-.TH ASN1_TIME_SET 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ASN1_TIME_SET 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ASN1_TIME_set, ASN1_UTCTIME_set, ASN1_GENERALIZEDTIME_set, ASN1_TIME_adj, ASN1_UTCTIME_adj, ASN1_GENERALIZEDTIME_adj, ASN1_TIME_check, ASN1_UTCTIME_check, ASN1_GENERALIZEDTIME_check, ASN1_TIME_set_string, ASN1_UTCTIME_set_string, ASN1_GENERALIZEDTIME_set_string, ASN1_TIME_set_string_X509, ASN1_TIME_normalize, ASN1_TIME_to_tm, ASN1_TIME_print, ASN1_UTCTIME_print, ASN1_GENERALIZEDTIME_print, ASN1_TIME_diff, ASN1_TIME_cmp_time_t, ASN1_UTCTIME_cmp_time_t, ASN1_TIME_compare, ASN1_TIME_to_generalizedtime \- ASN.1 Time functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 4
\& ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t);
\& ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t);
\& ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,
\& time_t t);
\&
\& ASN1_TIME *ASN1_TIME_adj(ASN1_TIME *s, time_t t, int offset_day,
\& long offset_sec);
\& ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t,
\& int offset_day, long offset_sec);
\& ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_adj(ASN1_GENERALIZEDTIME *s,
\& time_t t, int offset_day,
\& long offset_sec);
\&
\& int ASN1_TIME_set_string(ASN1_TIME *s, const char *str);
\& int ASN1_TIME_set_string_X509(ASN1_TIME *s, const char *str);
\& int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, const char *str);
\& int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s,
\& const char *str);
\&
\& int ASN1_TIME_normalize(ASN1_TIME *s);
\&
\& int ASN1_TIME_check(const ASN1_TIME *t);
\& int ASN1_UTCTIME_check(const ASN1_UTCTIME *t);
\& int ASN1_GENERALIZEDTIME_check(const ASN1_GENERALIZEDTIME *t);
\&
\& int ASN1_TIME_print(BIO *b, const ASN1_TIME *s);
\& int ASN1_UTCTIME_print(BIO *b, const ASN1_UTCTIME *s);
\& int ASN1_GENERALIZEDTIME_print(BIO *b, const ASN1_GENERALIZEDTIME *s);
\&
\& int ASN1_TIME_to_tm(const ASN1_TIME *s, struct tm *tm);
\& int ASN1_TIME_diff(int *pday, int *psec, const ASN1_TIME *from,
\& const ASN1_TIME *to);
\&
\& int ASN1_TIME_cmp_time_t(const ASN1_TIME *s, time_t t);
\& int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t);
\&
\& int ASN1_TIME_compare(const ASN1_TIME *a, const ASN1_TIME *b);
\&
\& ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t,
\& ASN1_GENERALIZEDTIME **out);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBASN1_TIME_set()\fR, \fBASN1_UTCTIME_set()\fR and \fBASN1_GENERALIZEDTIME_set()\fR
functions set the structure \fBs\fR to the time represented by the time_t
value \fBt\fR. If \fBs\fR is \s-1NULL\s0 a new time structure is allocated and returned.
.PP
The \fBASN1_TIME_adj()\fR, \fBASN1_UTCTIME_adj()\fR and \fBASN1_GENERALIZEDTIME_adj()\fR
functions set the time structure \fBs\fR to the time represented
by the time \fBoffset_day\fR and \fBoffset_sec\fR after the time_t value \fBt\fR.
The values of \fBoffset_day\fR or \fBoffset_sec\fR can be negative to set a
time before \fBt\fR. The \fBoffset_sec\fR value can also exceed the number of
seconds in a day. If \fBs\fR is \s-1NULL\s0 a new structure is allocated
and returned.
.PP
The \fBASN1_TIME_set_string()\fR, \fBASN1_UTCTIME_set_string()\fR and
\&\fBASN1_GENERALIZEDTIME_set_string()\fR functions set the time structure \fBs\fR
to the time represented by string \fBstr\fR which must be in appropriate \s-1ASN.1\s0
time format (for example \s-1YYMMDDHHMMSSZ\s0 or \s-1YYYYMMDDHHMMSSZ\s0). If \fBs\fR is \s-1NULL\s0
this function performs a format check on \fBstr\fR only. The string \fBstr\fR
is copied into \fBs\fR.
.PP
\&\fBASN1_TIME_set_string_X509()\fR sets \s-1ASN1_TIME\s0 structure \fBs\fR to the time
represented by string \fBstr\fR which must be in appropriate time format
that \s-1RFC 5280\s0 requires, which means it only allows \s-1YYMMDDHHMMSSZ\s0 and
\&\s-1YYYYMMDDHHMMSSZ\s0 (leap second is rejected), all other \s-1ASN.1\s0 time format
are not allowed. If \fBs\fR is \s-1NULL\s0 this function performs a format check
on \fBstr\fR only.
.PP
The \fBASN1_TIME_normalize()\fR function converts an \s-1ASN1_GENERALIZEDTIME\s0 or
\&\s-1ASN1_UTCTIME\s0 into a time value that can be used in a certificate. It
should be used after the \fBASN1_TIME_set_string()\fR functions and before
\&\fBASN1_TIME_print()\fR functions to get consistent (i.e. \s-1GMT\s0) results.
.PP
The \fBASN1_TIME_check()\fR, \fBASN1_UTCTIME_check()\fR and \fBASN1_GENERALIZEDTIME_check()\fR
functions check the syntax of the time structure \fBs\fR.
.PP
The \fBASN1_TIME_print()\fR, \fBASN1_UTCTIME_print()\fR and \fBASN1_GENERALIZEDTIME_print()\fR
functions print the time structure \fBs\fR to \s-1BIO\s0 \fBb\fR in human readable
format. It will be of the format \s-1MMM DD HH:MM:SS YYYY\s0 [\s-1GMT\s0], for example
\&\*(L"Feb 3 00:55:52 2015 \s-1GMT\*(R"\s0 it does not include a newline. If the time
structure has invalid format it prints out \*(L"Bad time value\*(R" and returns
an error. The output for generalized time may include a fractional part
following the second.
.PP
\&\fBASN1_TIME_to_tm()\fR converts the time \fBs\fR to the standard \fBtm\fR structure.
If \fBs\fR is \s-1NULL,\s0 then the current time is converted. The output time is \s-1GMT.\s0
The \fBtm_sec\fR, \fBtm_min\fR, \fBtm_hour\fR, \fBtm_mday\fR, \fBtm_wday\fR, \fBtm_yday\fR,
\&\fBtm_mon\fR and \fBtm_year\fR fields of \fBtm\fR structure are set to proper values,
whereas all other fields are set to 0. If \fBtm\fR is \s-1NULL\s0 this function performs
a format check on \fBs\fR only. If \fBs\fR is in Generalized format with fractional
seconds, e.g. \s-1YYYYMMDDHHMMSS.SSSZ,\s0 the fractional seconds will be lost while
converting \fBs\fR to \fBtm\fR structure.
.PP
\&\fBASN1_TIME_diff()\fR sets \fB*pday\fR and \fB*psec\fR to the time difference between
\&\fBfrom\fR and \fBto\fR. If \fBto\fR represents a time later than \fBfrom\fR then
one or both (depending on the time difference) of \fB*pday\fR and \fB*psec\fR
will be positive. If \fBto\fR represents a time earlier than \fBfrom\fR then
one or both of \fB*pday\fR and \fB*psec\fR will be negative. If \fBto\fR and \fBfrom\fR
represent the same time then \fB*pday\fR and \fB*psec\fR will both be zero.
If both \fB*pday\fR and \fB*psec\fR are nonzero they will always have the same
sign. The value of \fB*psec\fR will always be less than the number of seconds
in a day. If \fBfrom\fR or \fBto\fR is \s-1NULL\s0 the current time is used.
.PP
The \fBASN1_TIME_cmp_time_t()\fR and \fBASN1_UTCTIME_cmp_time_t()\fR functions compare
the two times represented by the time structure \fBs\fR and the time_t \fBt\fR.
.PP
The \fBASN1_TIME_compare()\fR function compares the two times represented by the
time structures \fBa\fR and \fBb\fR.
.PP
The \fBASN1_TIME_to_generalizedtime()\fR function converts an \s-1ASN1_TIME\s0 to an
\&\s-1ASN1_GENERALIZEDTIME,\s0 regardless of year. If either \fBout\fR or
\&\fB*out\fR are \s-1NULL,\s0 then a new object is allocated and must be freed after use.
.SH "NOTES"
.IX Header "NOTES"
The \s-1ASN1_TIME\s0 structure corresponds to the \s-1ASN.1\s0 structure \fBTime\fR
defined in \s-1RFC5280\s0 et al. The time setting functions obey the rules outlined
in \s-1RFC5280:\s0 if the date can be represented by UTCTime it is used, else
GeneralizedTime is used.
.PP
The \s-1ASN1_TIME, ASN1_UTCTIME\s0 and \s-1ASN1_GENERALIZEDTIME\s0 structures are represented
as an \s-1ASN1_STRING\s0 internally and can be freed up using \fBASN1_STRING_free()\fR.
.PP
The \s-1ASN1_TIME\s0 structure can represent years from 0000 to 9999 but no attempt
is made to correct ancient calendar changes (for example from Julian to
Gregorian calendars).
.PP
\&\s-1ASN1_UTCTIME\s0 is limited to a year range of 1950 through 2049.
.PP
Some applications add offset times directly to a time_t value and pass the
results to \fBASN1_TIME_set()\fR (or equivalent). This can cause problems as the
time_t value can overflow on some systems resulting in unexpected results.
New applications should use \fBASN1_TIME_adj()\fR instead and pass the offset value
in the \fBoffset_sec\fR and \fBoffset_day\fR parameters instead of directly
manipulating a time_t value.
.PP
\&\fBASN1_TIME_adj()\fR may change the type from \s-1ASN1_GENERALIZEDTIME\s0 to \s-1ASN1_UTCTIME,\s0
or vice versa, based on the resulting year. The \fBASN1_GENERALIZEDTIME_adj()\fR and
\&\fBASN1_UTCTIME_adj()\fR functions will not modify the type of the return structure.
.PP
It is recommended that functions starting with \s-1ASN1_TIME\s0 be used instead of
those starting with \s-1ASN1_UTCTIME\s0 or \s-1ASN1_GENERALIZEDTIME.\s0 The functions
starting with \s-1ASN1_UTCTIME\s0 and \s-1ASN1_GENERALIZEDTIME\s0 act only on that specific
time format. The functions starting with \s-1ASN1_TIME\s0 will operate on either
format.
.SH "BUGS"
.IX Header "BUGS"
\&\fBASN1_TIME_print()\fR, \fBASN1_UTCTIME_print()\fR and \fBASN1_GENERALIZEDTIME_print()\fR
do not print out the timezone: it either prints out \*(L"\s-1GMT\*(R"\s0 or nothing. But all
certificates complying with \s-1RFC5280\s0 et al use \s-1GMT\s0 anyway.
.PP
Use the \fBASN1_TIME_normalize()\fR function to normalize the time value before
printing to get \s-1GMT\s0 results.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBASN1_TIME_set()\fR, \fBASN1_UTCTIME_set()\fR, \fBASN1_GENERALIZEDTIME_set()\fR, \fBASN1_TIME_adj()\fR,
ASN1_UTCTIME_adj and ASN1_GENERALIZEDTIME_set return a pointer to a time structure
or \s-1NULL\s0 if an error occurred.
.PP
\&\fBASN1_TIME_set_string()\fR, \fBASN1_UTCTIME_set_string()\fR, \fBASN1_GENERALIZEDTIME_set_string()\fR
\&\fBASN1_TIME_set_string_X509()\fR return 1 if the time value is successfully set and 0 otherwise.
.PP
\&\fBASN1_TIME_normalize()\fR returns 1 on success, and 0 on error.
.PP
\&\fBASN1_TIME_check()\fR, ASN1_UTCTIME_check and \fBASN1_GENERALIZEDTIME_check()\fR return 1
if the structure is syntactically correct and 0 otherwise.
.PP
\&\fBASN1_TIME_print()\fR, \fBASN1_UTCTIME_print()\fR and \fBASN1_GENERALIZEDTIME_print()\fR return 1
if the time is successfully printed out and 0 if an error occurred (I/O error or
invalid time format).
.PP
\&\fBASN1_TIME_to_tm()\fR returns 1 if the time is successfully parsed and 0 if an
error occurred (invalid time format).
.PP
\&\fBASN1_TIME_diff()\fR returns 1 for success and 0 for failure. It can fail if the
passed-in time structure has invalid syntax, for example.
.PP
\&\fBASN1_TIME_cmp_time_t()\fR and \fBASN1_UTCTIME_cmp_time_t()\fR return \-1 if \fBs\fR is
before \fBt\fR, 0 if \fBs\fR equals \fBt\fR, or 1 if \fBs\fR is after \fBt\fR. \-2 is returned
on error.
.PP
\&\fBASN1_TIME_compare()\fR returns \-1 if \fBa\fR is before \fBb\fR, 0 if \fBa\fR equals \fBb\fR, or 1 if \fBa\fR is after \fBb\fR. \-2 is returned on error.
.PP
\&\fBASN1_TIME_to_generalizedtime()\fR returns a pointer to
the appropriate time structure on success or \s-1NULL\s0 if an error occurred.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Set a time structure to one hour after the current time and print it out:
.PP
.Vb 2
\& #include <time.h>
\& #include <openssl/asn1.h>
\&
\& ASN1_TIME *tm;
\& time_t t;
\& BIO *b;
\&
\& t = time(NULL);
\& tm = ASN1_TIME_adj(NULL, t, 0, 60 * 60);
\& b = BIO_new_fp(stdout, BIO_NOCLOSE);
\& ASN1_TIME_print(b, tm);
\& ASN1_STRING_free(tm);
\& BIO_free(b);
.Ve
.PP
Determine if one time is later or sooner than the current time:
.PP
.Vb 1
\& int day, sec;
\&
\& if (!ASN1_TIME_diff(&day, &sec, NULL, to))
\& /* Invalid time format */
\&
\& if (day > 0 || sec > 0)
\& printf("Later\en");
\& else if (day < 0 || sec < 0)
\& printf("Sooner\en");
\& else
\& printf("Same\en");
.Ve
.SH "HISTORY"
.IX Header "HISTORY"
The \fBASN1_TIME_to_tm()\fR function was added in OpenSSL 1.1.1.
The \fBASN1_TIME_set_string_X509()\fR function was added in OpenSSL 1.1.1.
The \fBASN1_TIME_normalize()\fR function was added in OpenSSL 1.1.1.
The \fBASN1_TIME_cmp_time_t()\fR function was added in OpenSSL 1.1.1.
The \fBASN1_TIME_compare()\fR function was added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_TYPE_get.3 b/secure/lib/libcrypto/man/man3/ASN1_TYPE_get.3
index 7f21ba11e81d..a054126bdf55 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_TYPE_get.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_TYPE_get.3
@@ -1,231 +1,231 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_TYPE_GET 3"
-.TH ASN1_TYPE_GET 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ASN1_TYPE_GET 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ASN1_TYPE_get, ASN1_TYPE_set, ASN1_TYPE_set1, ASN1_TYPE_cmp, ASN1_TYPE_unpack_sequence, ASN1_TYPE_pack_sequence \- ASN1_TYPE utility functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1.h>
\&
\& int ASN1_TYPE_get(const ASN1_TYPE *a);
\& void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value);
\& int ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value);
\& int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b);
\&
\& void *ASN1_TYPE_unpack_sequence(const ASN1_ITEM *it, const ASN1_TYPE *t);
\& ASN1_TYPE *ASN1_TYPE_pack_sequence(const ASN1_ITEM *it, void *s,
\& ASN1_TYPE **t);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions allow an \s-1ASN1_TYPE\s0 structure to be manipulated. The
\&\s-1ASN1_TYPE\s0 structure can contain any \s-1ASN.1\s0 type or constructed type
such as a \s-1SEQUENCE:\s0 it is effectively equivalent to the \s-1ASN.1 ANY\s0 type.
.PP
\&\fBASN1_TYPE_get()\fR returns the type of \fBa\fR.
.PP
\&\fBASN1_TYPE_set()\fR sets the value of \fBa\fR to \fBtype\fR and \fBvalue\fR. This
function uses the pointer \fBvalue\fR internally so it must \fBnot\fR be freed
up after the call.
.PP
\&\fBASN1_TYPE_set1()\fR sets the value of \fBa\fR to \fBtype\fR a copy of \fBvalue\fR.
.PP
\&\fBASN1_TYPE_cmp()\fR compares \s-1ASN.1\s0 types \fBa\fR and \fBb\fR and returns 0 if
they are identical and nonzero otherwise.
.PP
\&\fBASN1_TYPE_unpack_sequence()\fR attempts to parse the \s-1SEQUENCE\s0 present in
\&\fBt\fR using the \s-1ASN.1\s0 structure \fBit\fR. If successful it returns a pointer
to the \s-1ASN.1\s0 structure corresponding to \fBit\fR which must be freed by the
caller. If it fails it return \s-1NULL.\s0
.PP
\&\fBASN1_TYPE_pack_sequence()\fR attempts to encode the \s-1ASN.1\s0 structure \fBs\fR
corresponding to \fBit\fR into an \s-1ASN1_TYPE.\s0 If successful the encoded
\&\s-1ASN1_TYPE\s0 is returned. If \fBt\fR and \fB*t\fR are not \s-1NULL\s0 the encoded type
is written to \fBt\fR overwriting any existing data. If \fBt\fR is not \s-1NULL\s0
but \fB*t\fR is \s-1NULL\s0 the returned \s-1ASN1_TYPE\s0 is written to \fB*t\fR.
.SH "NOTES"
.IX Header "NOTES"
The type and meaning of the \fBvalue\fR parameter for \fBASN1_TYPE_set()\fR and
\&\fBASN1_TYPE_set1()\fR is determined by the \fBtype\fR parameter.
If \fBtype\fR is V_ASN1_NULL \fBvalue\fR is ignored. If \fBtype\fR is V_ASN1_BOOLEAN
then the boolean is set to \s-1TRUE\s0 if \fBvalue\fR is not \s-1NULL.\s0 If \fBtype\fR is
V_ASN1_OBJECT then value is an \s-1ASN1_OBJECT\s0 structure. Otherwise \fBtype\fR
is and \s-1ASN1_STRING\s0 structure. If \fBtype\fR corresponds to a primitive type
(or a string type) then the contents of the \s-1ASN1_STRING\s0 contain the content
octets of the type. If \fBtype\fR corresponds to a constructed type or
a tagged type (V_ASN1_SEQUENCE, V_ASN1_SET or V_ASN1_OTHER) then the
\&\s-1ASN1_STRING\s0 contains the entire \s-1ASN.1\s0 encoding verbatim (including tag and
length octets).
.PP
\&\fBASN1_TYPE_cmp()\fR may not return zero if two types are equivalent but have
different encodings. For example the single content octet of the boolean \s-1TRUE\s0
value under \s-1BER\s0 can have any nonzero encoding but \fBASN1_TYPE_cmp()\fR will
only return zero if the values are the same.
.PP
If either or both of the parameters passed to \fBASN1_TYPE_cmp()\fR is \s-1NULL\s0 the
return value is nonzero. Technically if both parameters are \s-1NULL\s0 the two
types could be absent \s-1OPTIONAL\s0 fields and so should match, however, passing
\&\s-1NULL\s0 values could also indicate a programming error (for example an
unparsable type which returns \s-1NULL\s0) for types which do \fBnot\fR match. So
applications should handle the case of two absent values separately.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBASN1_TYPE_get()\fR returns the type of the \s-1ASN1_TYPE\s0 argument.
.PP
\&\fBASN1_TYPE_set()\fR does not return a value.
.PP
\&\fBASN1_TYPE_set1()\fR returns 1 for success and 0 for failure.
.PP
\&\fBASN1_TYPE_cmp()\fR returns 0 if the types are identical and nonzero otherwise.
.PP
\&\fBASN1_TYPE_unpack_sequence()\fR returns a pointer to an \s-1ASN.1\s0 structure or
\&\s-1NULL\s0 on failure.
.PP
\&\fBASN1_TYPE_pack_sequence()\fR return an \s-1ASN1_TYPE\s0 structure if it succeeds or
\&\s-1NULL\s0 on failure.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASN1_generate_nconf.3 b/secure/lib/libcrypto/man/man3/ASN1_generate_nconf.3
index cbc2ab8dd291..6b2b3276ec8f 100644
--- a/secure/lib/libcrypto/man/man3/ASN1_generate_nconf.3
+++ b/secure/lib/libcrypto/man/man3/ASN1_generate_nconf.3
@@ -1,381 +1,381 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1_GENERATE_NCONF 3"
-.TH ASN1_GENERATE_NCONF 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ASN1_GENERATE_NCONF 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ASN1_generate_nconf, ASN1_generate_v3 \- ASN1 generation functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1.h>
\&
\& ASN1_TYPE *ASN1_generate_nconf(const char *str, CONF *nconf);
\& ASN1_TYPE *ASN1_generate_v3(const char *str, X509V3_CTX *cnf);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions generate the \s-1ASN1\s0 encoding of a string
in an \fB\s-1ASN1_TYPE\s0\fR structure.
.PP
\&\fBstr\fR contains the string to encode \fBnconf\fR or \fBcnf\fR contains
the optional configuration information where additional strings
will be read from. \fBnconf\fR will typically come from a config
file whereas \fBcnf\fR is obtained from an \fBX509V3_CTX\fR structure
which will typically be used by X509 v3 certificate extension
functions. \fBcnf\fR or \fBnconf\fR can be set to \fB\s-1NULL\s0\fR if no additional
configuration will be used.
.SH "GENERATION STRING FORMAT"
.IX Header "GENERATION STRING FORMAT"
The actual data encoded is determined by the string \fBstr\fR and
the configuration information. The general format of the string
is:
.IP "\fB[modifier,]type[:value]\fR" 4
.IX Item "[modifier,]type[:value]"
.PP
That is zero or more comma separated modifiers followed by a type
followed by an optional colon and a value. The formats of \fBtype\fR,
\&\fBvalue\fR and \fBmodifier\fR are explained below.
.SS "Supported Types"
.IX Subsection "Supported Types"
The supported types are listed below. Unless otherwise specified
only the \fB\s-1ASCII\s0\fR format is permissible.
.IP "\fB\s-1BOOLEAN\s0\fR, \fB\s-1BOOL\s0\fR" 4
.IX Item "BOOLEAN, BOOL"
This encodes a boolean type. The \fBvalue\fR string is mandatory and
should be \fB\s-1TRUE\s0\fR or \fB\s-1FALSE\s0\fR. Additionally \fB\s-1TRUE\s0\fR, \fBtrue\fR, \fBY\fR,
\&\fBy\fR, \fB\s-1YES\s0\fR, \fByes\fR, \fB\s-1FALSE\s0\fR, \fBfalse\fR, \fBN\fR, \fBn\fR, \fB\s-1NO\s0\fR and \fBno\fR
are acceptable.
.IP "\fB\s-1NULL\s0\fR" 4
.IX Item "NULL"
Encode the \fB\s-1NULL\s0\fR type, the \fBvalue\fR string must not be present.
.IP "\fB\s-1INTEGER\s0\fR, \fB\s-1INT\s0\fR" 4
.IX Item "INTEGER, INT"
Encodes an \s-1ASN1\s0 \fB\s-1INTEGER\s0\fR type. The \fBvalue\fR string represents
the value of the integer, it can be prefaced by a minus sign and
is normally interpreted as a decimal value unless the prefix \fB0x\fR
is included.
.IP "\fB\s-1ENUMERATED\s0\fR, \fB\s-1ENUM\s0\fR" 4
.IX Item "ENUMERATED, ENUM"
Encodes the \s-1ASN1\s0 \fB\s-1ENUMERATED\s0\fR type, it is otherwise identical to
\&\fB\s-1INTEGER\s0\fR.
.IP "\fB\s-1OBJECT\s0\fR, \fB\s-1OID\s0\fR" 4
.IX Item "OBJECT, OID"
Encodes an \s-1ASN1\s0 \fB\s-1OBJECT IDENTIFIER\s0\fR, the \fBvalue\fR string can be
a short name, a long name or numerical format.
.IP "\fB\s-1UTCTIME\s0\fR, \fB\s-1UTC\s0\fR" 4
.IX Item "UTCTIME, UTC"
Encodes an \s-1ASN1\s0 \fBUTCTime\fR structure, the value should be in
the format \fB\s-1YYMMDDHHMMSSZ\s0\fR.
.IP "\fB\s-1GENERALIZEDTIME\s0\fR, \fB\s-1GENTIME\s0\fR" 4
.IX Item "GENERALIZEDTIME, GENTIME"
Encodes an \s-1ASN1\s0 \fBGeneralizedTime\fR structure, the value should be in
the format \fB\s-1YYYYMMDDHHMMSSZ\s0\fR.
.IP "\fB\s-1OCTETSTRING\s0\fR, \fB\s-1OCT\s0\fR" 4
.IX Item "OCTETSTRING, OCT"
Encodes an \s-1ASN1\s0 \fB\s-1OCTET STRING\s0\fR. \fBvalue\fR represents the contents
of this structure, the format strings \fB\s-1ASCII\s0\fR and \fB\s-1HEX\s0\fR can be
used to specify the format of \fBvalue\fR.
.IP "\fB\s-1BITSTRING\s0\fR, \fB\s-1BITSTR\s0\fR" 4
.IX Item "BITSTRING, BITSTR"
Encodes an \s-1ASN1\s0 \fB\s-1BIT STRING\s0\fR. \fBvalue\fR represents the contents
of this structure, the format strings \fB\s-1ASCII\s0\fR, \fB\s-1HEX\s0\fR and \fB\s-1BITLIST\s0\fR
can be used to specify the format of \fBvalue\fR.
.Sp
If the format is anything other than \fB\s-1BITLIST\s0\fR the number of unused
bits is set to zero.
.IP "\fB\s-1UNIVERSALSTRING\s0\fR, \fB\s-1UNIV\s0\fR, \fB\s-1IA5\s0\fR, \fB\s-1IA5STRING\s0\fR, \fB\s-1UTF8\s0\fR, \fBUTF8String\fR, \fB\s-1BMP\s0\fR, \fB\s-1BMPSTRING\s0\fR, \fB\s-1VISIBLESTRING\s0\fR, \fB\s-1VISIBLE\s0\fR, \fB\s-1PRINTABLESTRING\s0\fR, \fB\s-1PRINTABLE\s0\fR, \fBT61\fR, \fBT61STRING\fR, \fB\s-1TELETEXSTRING\s0\fR, \fBGeneralString\fR, \fB\s-1NUMERICSTRING\s0\fR, \fB\s-1NUMERIC\s0\fR" 4
.IX Item "UNIVERSALSTRING, UNIV, IA5, IA5STRING, UTF8, UTF8String, BMP, BMPSTRING, VISIBLESTRING, VISIBLE, PRINTABLESTRING, PRINTABLE, T61, T61STRING, TELETEXSTRING, GeneralString, NUMERICSTRING, NUMERIC"
These encode the corresponding string types. \fBvalue\fR represents the
contents of this structure. The format can be \fB\s-1ASCII\s0\fR or \fB\s-1UTF8\s0\fR.
.IP "\fB\s-1SEQUENCE\s0\fR, \fB\s-1SEQ\s0\fR, \fB\s-1SET\s0\fR" 4
.IX Item "SEQUENCE, SEQ, SET"
Formats the result as an \s-1ASN1\s0 \fB\s-1SEQUENCE\s0\fR or \fB\s-1SET\s0\fR type. \fBvalue\fR
should be a section name which will contain the contents. The
field names in the section are ignored and the values are in the
generated string format. If \fBvalue\fR is absent then an empty \s-1SEQUENCE\s0
will be encoded.
.SS "Modifiers"
.IX Subsection "Modifiers"
Modifiers affect the following structure, they can be used to
add \s-1EXPLICIT\s0 or \s-1IMPLICIT\s0 tagging, add wrappers or to change
the string format of the final type and value. The supported
formats are documented below.
.IP "\fB\s-1EXPLICIT\s0\fR, \fB\s-1EXP\s0\fR" 4
.IX Item "EXPLICIT, EXP"
Add an explicit tag to the following structure. This string
should be followed by a colon and the tag value to use as a
decimal value.
.Sp
By following the number with \fBU\fR, \fBA\fR, \fBP\fR or \fBC\fR \s-1UNIVERSAL,
APPLICATION, PRIVATE\s0 or \s-1CONTEXT SPECIFIC\s0 tagging can be used,
the default is \s-1CONTEXT SPECIFIC.\s0
.IP "\fB\s-1IMPLICIT\s0\fR, \fB\s-1IMP\s0\fR" 4
.IX Item "IMPLICIT, IMP"
This is the same as \fB\s-1EXPLICIT\s0\fR except \s-1IMPLICIT\s0 tagging is used
instead.
.IP "\fB\s-1OCTWRAP\s0\fR, \fB\s-1SEQWRAP\s0\fR, \fB\s-1SETWRAP\s0\fR, \fB\s-1BITWRAP\s0\fR" 4
.IX Item "OCTWRAP, SEQWRAP, SETWRAP, BITWRAP"
The following structure is surrounded by an \s-1OCTET STRING,\s0 a \s-1SEQUENCE,\s0
a \s-1SET\s0 or a \s-1BIT STRING\s0 respectively. For a \s-1BIT STRING\s0 the number of unused
bits is set to zero.
.IP "\fB\s-1FORMAT\s0\fR" 4
.IX Item "FORMAT"
This specifies the format of the ultimate value. It should be followed
by a colon and one of the strings \fB\s-1ASCII\s0\fR, \fB\s-1UTF8\s0\fR, \fB\s-1HEX\s0\fR or \fB\s-1BITLIST\s0\fR.
.Sp
If no format specifier is included then \fB\s-1ASCII\s0\fR is used. If \fB\s-1UTF8\s0\fR is
specified then the value string must be a valid \fB\s-1UTF8\s0\fR string. For \fB\s-1HEX\s0\fR the
output must be a set of hex digits. \fB\s-1BITLIST\s0\fR (which is only valid for a \s-1BIT
STRING\s0) is a comma separated list of the indices of the set bits, all other
bits are zero.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBASN1_generate_nconf()\fR and \fBASN1_generate_v3()\fR return the encoded
data as an \fB\s-1ASN1_TYPE\s0\fR structure or \fB\s-1NULL\s0\fR if an error occurred.
.PP
The error codes that can be obtained by \fBERR_get_error\fR\|(3).
.SH "EXAMPLES"
.IX Header "EXAMPLES"
A simple IA5String:
.PP
.Vb 1
\& IA5STRING:Hello World
.Ve
.PP
An IA5String explicitly tagged:
.PP
.Vb 1
\& EXPLICIT:0,IA5STRING:Hello World
.Ve
.PP
An IA5String explicitly tagged using \s-1APPLICATION\s0 tagging:
.PP
.Vb 1
\& EXPLICIT:0A,IA5STRING:Hello World
.Ve
.PP
A \s-1BITSTRING\s0 with bits 1 and 5 set and all others zero:
.PP
.Vb 1
\& FORMAT:BITLIST,BITSTRING:1,5
.Ve
.PP
A more complex example using a config file to produce a
\&\s-1SEQUENCE\s0 consisting of a \s-1BOOL\s0 an \s-1OID\s0 and a UTF8String:
.PP
.Vb 1
\& asn1 = SEQUENCE:seq_section
\&
\& [seq_section]
\&
\& field1 = BOOLEAN:TRUE
\& field2 = OID:commonName
\& field3 = UTF8:Third field
.Ve
.PP
This example produces an RSAPrivateKey structure, this is the
key contained in the file client.pem in all OpenSSL distributions
(note: the field names such as 'coeff' are ignored and are present just
for clarity):
.PP
.Vb 3
\& asn1=SEQUENCE:private_key
\& [private_key]
\& version=INTEGER:0
\&
\& n=INTEGER:0xBB6FE79432CC6EA2D8F970675A5A87BFBE1AFF0BE63E879F2AFFB93644\e
\& D4D2C6D000430DEC66ABF47829E74B8C5108623A1C0EE8BE217B3AD8D36D5EB4FCA1D9
\&
\& e=INTEGER:0x010001
\&
\& d=INTEGER:0x6F05EAD2F27FFAEC84BEC360C4B928FD5F3A9865D0FCAAD291E2A52F4A\e
\& F810DC6373278C006A0ABBA27DC8C63BF97F7E666E27C5284D7D3B1FFFE16B7A87B51D
\&
\& p=INTEGER:0xF3929B9435608F8A22C208D86795271D54EBDFB09DDEF539AB083DA912\e
\& D4BD57
\&
\& q=INTEGER:0xC50016F89DFF2561347ED1186A46E150E28BF2D0F539A1594BBD7FE467\e
\& 46EC4F
\&
\& exp1=INTEGER:0x9E7D4326C924AFC1DEA40B45650134966D6F9DFA3A7F9D698CD4ABEA\e
\& 9C0A39B9
\&
\& exp2=INTEGER:0xBA84003BB95355AFB7C50DF140C60513D0BA51D637272E355E397779\e
\& E7B2458F
\&
\& coeff=INTEGER:0x30B9E4F2AFA5AC679F920FC83F1F2DF1BAF1779CF989447FABC2F5\e
\& 628657053A
.Ve
.PP
This example is the corresponding public key in a SubjectPublicKeyInfo
structure:
.PP
.Vb 2
\& # Start with a SEQUENCE
\& asn1=SEQUENCE:pubkeyinfo
\&
\& # pubkeyinfo contains an algorithm identifier and the public key wrapped
\& # in a BIT STRING
\& [pubkeyinfo]
\& algorithm=SEQUENCE:rsa_alg
\& pubkey=BITWRAP,SEQUENCE:rsapubkey
\&
\& # algorithm ID for RSA is just an OID and a NULL
\& [rsa_alg]
\& algorithm=OID:rsaEncryption
\& parameter=NULL
\&
\& # Actual public key: modulus and exponent
\& [rsapubkey]
\& n=INTEGER:0xBB6FE79432CC6EA2D8F970675A5A87BFBE1AFF0BE63E879F2AFFB93644\e
\& D4D2C6D000430DEC66ABF47829E74B8C5108623A1C0EE8BE217B3AD8D36D5EB4FCA1D9
\&
\& e=INTEGER:0x010001
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASYNC_WAIT_CTX_new.3 b/secure/lib/libcrypto/man/man3/ASYNC_WAIT_CTX_new.3
index 31ac4ed8c4a7..3a5c6fa814e4 100644
--- a/secure/lib/libcrypto/man/man3/ASYNC_WAIT_CTX_new.3
+++ b/secure/lib/libcrypto/man/man3/ASYNC_WAIT_CTX_new.3
@@ -1,270 +1,270 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASYNC_WAIT_CTX_NEW 3"
-.TH ASYNC_WAIT_CTX_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ASYNC_WAIT_CTX_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ASYNC_WAIT_CTX_new, ASYNC_WAIT_CTX_free, ASYNC_WAIT_CTX_set_wait_fd, ASYNC_WAIT_CTX_get_fd, ASYNC_WAIT_CTX_get_all_fds, ASYNC_WAIT_CTX_get_changed_fds, ASYNC_WAIT_CTX_clear_fd \- functions to manage waiting for asynchronous jobs to complete
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/async.h>
\&
\& ASYNC_WAIT_CTX *ASYNC_WAIT_CTX_new(void);
\& void ASYNC_WAIT_CTX_free(ASYNC_WAIT_CTX *ctx);
\& int ASYNC_WAIT_CTX_set_wait_fd(ASYNC_WAIT_CTX *ctx, const void *key,
\& OSSL_ASYNC_FD fd,
\& void *custom_data,
\& void (*cleanup)(ASYNC_WAIT_CTX *, const void *,
\& OSSL_ASYNC_FD, void *));
\& int ASYNC_WAIT_CTX_get_fd(ASYNC_WAIT_CTX *ctx, const void *key,
\& OSSL_ASYNC_FD *fd, void **custom_data);
\& int ASYNC_WAIT_CTX_get_all_fds(ASYNC_WAIT_CTX *ctx, OSSL_ASYNC_FD *fd,
\& size_t *numfds);
\& int ASYNC_WAIT_CTX_get_changed_fds(ASYNC_WAIT_CTX *ctx, OSSL_ASYNC_FD *addfd,
\& size_t *numaddfds, OSSL_ASYNC_FD *delfd,
\& size_t *numdelfds);
\& int ASYNC_WAIT_CTX_clear_fd(ASYNC_WAIT_CTX *ctx, const void *key);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
For an overview of how asynchronous operations are implemented in OpenSSL see
\&\fBASYNC_start_job\fR\|(3). An \s-1ASYNC_WAIT_CTX\s0 object represents an asynchronous
\&\*(L"session\*(R", i.e. a related set of crypto operations. For example in \s-1SSL\s0 terms
this would have a one-to-one correspondence with an \s-1SSL\s0 connection.
.PP
Application code must create an \s-1ASYNC_WAIT_CTX\s0 using the \fBASYNC_WAIT_CTX_new()\fR
function prior to calling \fBASYNC_start_job()\fR (see \fBASYNC_start_job\fR\|(3)). When
the job is started it is associated with the \s-1ASYNC_WAIT_CTX\s0 for the duration of
that job. An \s-1ASYNC_WAIT_CTX\s0 should only be used for one \s-1ASYNC_JOB\s0 at any one
time, but can be reused after an \s-1ASYNC_JOB\s0 has finished for a subsequent
\&\s-1ASYNC_JOB.\s0 When the session is complete (e.g. the \s-1SSL\s0 connection is closed),
application code cleans up with \fBASYNC_WAIT_CTX_free()\fR.
.PP
ASYNC_WAIT_CTXs can have \*(L"wait\*(R" file descriptors associated with them. Calling
\&\fBASYNC_WAIT_CTX_get_all_fds()\fR and passing in a pointer to an \s-1ASYNC_WAIT_CTX\s0 in
the \fBctx\fR parameter will return the wait file descriptors associated with that
job in \fB*fd\fR. The number of file descriptors returned will be stored in
\&\fB*numfds\fR. It is the caller's responsibility to ensure that sufficient memory
has been allocated in \fB*fd\fR to receive all the file descriptors. Calling
\&\fBASYNC_WAIT_CTX_get_all_fds()\fR with a \s-1NULL\s0 \fBfd\fR value will return no file
descriptors but will still populate \fB*numfds\fR. Therefore, application code is
typically expected to call this function twice: once to get the number of fds,
and then again when sufficient memory has been allocated. If only one
asynchronous engine is being used then normally this call will only ever return
one fd. If multiple asynchronous engines are being used then more could be
returned.
.PP
The function \fBASYNC_WAIT_CTX_get_changed_fds()\fR can be used to detect if any fds
have changed since the last call time \fBASYNC_start_job()\fR returned an \s-1ASYNC_PAUSE\s0
result (or since the \s-1ASYNC_WAIT_CTX\s0 was created if no \s-1ASYNC_PAUSE\s0 result has
been received). The \fBnumaddfds\fR and \fBnumdelfds\fR parameters will be populated
with the number of fds added or deleted respectively. \fB*addfd\fR and \fB*delfd\fR
will be populated with the list of added and deleted fds respectively. Similarly
to \fBASYNC_WAIT_CTX_get_all_fds()\fR either of these can be \s-1NULL,\s0 but if they are not
\&\s-1NULL\s0 then the caller is responsible for ensuring sufficient memory is allocated.
.PP
Implementors of async aware code (e.g. engines) are encouraged to return a
stable fd for the lifetime of the \s-1ASYNC_WAIT_CTX\s0 in order to reduce the \*(L"churn\*(R"
of regularly changing fds \- although no guarantees of this are provided to
applications.
.PP
Applications can wait for the file descriptor to be ready for \*(L"read\*(R" using a
system function call such as select or poll (being ready for \*(L"read\*(R" indicates
that the job should be resumed). If no file descriptor is made available then an
application will have to periodically \*(L"poll\*(R" the job by attempting to restart it
to see if it is ready to continue.
.PP
Async aware code (e.g. engines) can get the current \s-1ASYNC_WAIT_CTX\s0 from the job
via \fBASYNC_get_wait_ctx\fR\|(3) and provide a file descriptor to use for waiting
on by calling \fBASYNC_WAIT_CTX_set_wait_fd()\fR. Typically this would be done by an
engine immediately prior to calling \fBASYNC_pause_job()\fR and not by end user code.
An existing association with a file descriptor can be obtained using
\&\fBASYNC_WAIT_CTX_get_fd()\fR and cleared using \fBASYNC_WAIT_CTX_clear_fd()\fR. Both of
these functions requires a \fBkey\fR value which is unique to the async aware
code. This could be any unique value but a good candidate might be the
\&\fB\s-1ENGINE\s0 *\fR for the engine. The \fBcustom_data\fR parameter can be any value, and
will be returned in a subsequent call to \fBASYNC_WAIT_CTX_get_fd()\fR. The
\&\fBASYNC_WAIT_CTX_set_wait_fd()\fR function also expects a pointer to a \*(L"cleanup\*(R"
routine. This can be \s-1NULL\s0 but if provided will automatically get called when
the \s-1ASYNC_WAIT_CTX\s0 is freed, and gives the engine the opportunity to close the
fd or any other resources. Note: The \*(L"cleanup\*(R" routine does not get called if
the fd is cleared directly via a call to \fBASYNC_WAIT_CTX_clear_fd()\fR.
.PP
An example of typical usage might be an async capable engine. User code would
initiate cryptographic operations. The engine would initiate those operations
asynchronously and then call \fBASYNC_WAIT_CTX_set_wait_fd()\fR followed by
\&\fBASYNC_pause_job()\fR to return control to the user code. The user code can then
perform other tasks or wait for the job to be ready by calling \*(L"select\*(R" or other
similar function on the wait file descriptor. The engine can signal to the user
code that the job should be resumed by making the wait file descriptor
\&\*(L"readable\*(R". Once resumed the engine should clear the wake signal on the wait
file descriptor.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBASYNC_WAIT_CTX_new()\fR returns a pointer to the newly allocated \s-1ASYNC_WAIT_CTX\s0 or
\&\s-1NULL\s0 on error.
.PP
ASYNC_WAIT_CTX_set_wait_fd, ASYNC_WAIT_CTX_get_fd, ASYNC_WAIT_CTX_get_all_fds,
ASYNC_WAIT_CTX_get_changed_fds and ASYNC_WAIT_CTX_clear_fd all return 1 on
success or 0 on error.
.SH "NOTES"
.IX Header "NOTES"
On Windows platforms the openssl/async.h header is dependent on some
of the types customarily made available by including windows.h. The
application developer is likely to require control over when the latter
is included, commonly as one of the first included headers. Therefore,
it is defined as an application developer's responsibility to include
windows.h prior to async.h.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7), \fBASYNC_start_job\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBASYNC_WAIT_CTX_new()\fR, \fBASYNC_WAIT_CTX_free()\fR, \fBASYNC_WAIT_CTX_set_wait_fd()\fR,
\&\fBASYNC_WAIT_CTX_get_fd()\fR, \fBASYNC_WAIT_CTX_get_all_fds()\fR,
\&\fBASYNC_WAIT_CTX_get_changed_fds()\fR and \fBASYNC_WAIT_CTX_clear_fd()\fR
were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ASYNC_start_job.3 b/secure/lib/libcrypto/man/man3/ASYNC_start_job.3
index f4519daf8782..917e9a700077 100644
--- a/secure/lib/libcrypto/man/man3/ASYNC_start_job.3
+++ b/secure/lib/libcrypto/man/man3/ASYNC_start_job.3
@@ -1,453 +1,453 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASYNC_START_JOB 3"
-.TH ASYNC_START_JOB 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ASYNC_START_JOB 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ASYNC_get_wait_ctx, ASYNC_init_thread, ASYNC_cleanup_thread, ASYNC_start_job, ASYNC_pause_job, ASYNC_get_current_job, ASYNC_block_pause, ASYNC_unblock_pause, ASYNC_is_capable \&\- asynchronous job management functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/async.h>
\&
\& int ASYNC_init_thread(size_t max_size, size_t init_size);
\& void ASYNC_cleanup_thread(void);
\&
\& int ASYNC_start_job(ASYNC_JOB **job, ASYNC_WAIT_CTX *ctx, int *ret,
\& int (*func)(void *), void *args, size_t size);
\& int ASYNC_pause_job(void);
\&
\& ASYNC_JOB *ASYNC_get_current_job(void);
\& ASYNC_WAIT_CTX *ASYNC_get_wait_ctx(ASYNC_JOB *job);
\& void ASYNC_block_pause(void);
\& void ASYNC_unblock_pause(void);
\&
\& int ASYNC_is_capable(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
OpenSSL implements asynchronous capabilities through an \s-1ASYNC_JOB.\s0 This
represents code that can be started and executes until some event occurs. At
that point the code can be paused and control returns to user code until some
subsequent event indicates that the job can be resumed.
.PP
The creation of an \s-1ASYNC_JOB\s0 is a relatively expensive operation. Therefore, for
efficiency reasons, jobs can be created up front and reused many times. They are
held in a pool until they are needed, at which point they are removed from the
pool, used, and then returned to the pool when the job completes. If the user
application is multi-threaded, then \fBASYNC_init_thread()\fR may be called for each
thread that will initiate asynchronous jobs. Before
user code exits per-thread resources need to be cleaned up. This will normally
occur automatically (see \fBOPENSSL_init_crypto\fR\|(3)) but may be explicitly
initiated by using \fBASYNC_cleanup_thread()\fR. No asynchronous jobs must be
outstanding for the thread when \fBASYNC_cleanup_thread()\fR is called. Failing to
ensure this will result in memory leaks.
.PP
The \fBmax_size\fR argument limits the number of ASYNC_JOBs that will be held in
the pool. If \fBmax_size\fR is set to 0 then no upper limit is set. When an
\&\s-1ASYNC_JOB\s0 is needed but there are none available in the pool already then one
will be automatically created, as long as the total of ASYNC_JOBs managed by the
pool does not exceed \fBmax_size\fR. When the pool is first initialised
\&\fBinit_size\fR ASYNC_JOBs will be created immediately. If \fBASYNC_init_thread()\fR is
not called before the pool is first used then it will be called automatically
with a \fBmax_size\fR of 0 (no upper limit) and an \fBinit_size\fR of 0 (no ASYNC_JOBs
created up front).
.PP
An asynchronous job is started by calling the \fBASYNC_start_job()\fR function.
Initially \fB*job\fR should be \s-1NULL.\s0 \fBctx\fR should point to an \s-1ASYNC_WAIT_CTX\s0
object created through the \fBASYNC_WAIT_CTX_new\fR\|(3) function. \fBret\fR should
point to a location where the return value of the asynchronous function should
be stored on completion of the job. \fBfunc\fR represents the function that should
be started asynchronously. The data pointed to by \fBargs\fR and of size \fBsize\fR
will be copied and then passed as an argument to \fBfunc\fR when the job starts.
ASYNC_start_job will return one of the following values:
.IP "\fB\s-1ASYNC_ERR\s0\fR" 4
.IX Item "ASYNC_ERR"
An error occurred trying to start the job. Check the OpenSSL error queue (e.g.
see \fBERR_print_errors\fR\|(3)) for more details.
.IP "\fB\s-1ASYNC_NO_JOBS\s0\fR" 4
.IX Item "ASYNC_NO_JOBS"
There are no jobs currently available in the pool. This call can be retried
again at a later time.
.IP "\fB\s-1ASYNC_PAUSE\s0\fR" 4
.IX Item "ASYNC_PAUSE"
The job was successfully started but was \*(L"paused\*(R" before it completed (see
\&\fBASYNC_pause_job()\fR below). A handle to the job is placed in \fB*job\fR. Other work
can be performed (if desired) and the job restarted at a later time. To restart
a job call \fBASYNC_start_job()\fR again passing the job handle in \fB*job\fR. The
\&\fBfunc\fR, \fBargs\fR and \fBsize\fR parameters will be ignored when restarting a job.
When restarting a job \fBASYNC_start_job()\fR \fBmust\fR be called from the same thread
that the job was originally started from.
.IP "\fB\s-1ASYNC_FINISH\s0\fR" 4
.IX Item "ASYNC_FINISH"
The job completed. \fB*job\fR will be \s-1NULL\s0 and the return value from \fBfunc\fR will
be placed in \fB*ret\fR.
.PP
At any one time there can be a maximum of one job actively running per thread
(you can have many that are paused). \fBASYNC_get_current_job()\fR can be used to get
a pointer to the currently executing \s-1ASYNC_JOB.\s0 If no job is currently executing
then this will return \s-1NULL.\s0
.PP
If executing within the context of a job (i.e. having been called directly or
indirectly by the function \*(L"func\*(R" passed as an argument to \fBASYNC_start_job()\fR)
then \fBASYNC_pause_job()\fR will immediately return control to the calling
application with \s-1ASYNC_PAUSE\s0 returned from the \fBASYNC_start_job()\fR call. A
subsequent call to ASYNC_start_job passing in the relevant \s-1ASYNC_JOB\s0 in the
\&\fB*job\fR parameter will resume execution from the \fBASYNC_pause_job()\fR call. If
\&\fBASYNC_pause_job()\fR is called whilst not within the context of a job then no
action is taken and \fBASYNC_pause_job()\fR returns immediately.
.PP
\&\fBASYNC_get_wait_ctx()\fR can be used to get a pointer to the \s-1ASYNC_WAIT_CTX\s0
for the \fBjob\fR. ASYNC_WAIT_CTXs can have a \*(L"wait\*(R" file descriptor associated
with them. Applications can wait for the file descriptor to be ready for \*(L"read\*(R"
using a system function call such as select or poll (being ready for \*(L"read\*(R"
indicates that the job should be resumed). If no file descriptor is made
available then an application will have to periodically \*(L"poll\*(R" the job by
attempting to restart it to see if it is ready to continue.
.PP
An example of typical usage might be an async capable engine. User code would
initiate cryptographic operations. The engine would initiate those operations
asynchronously and then call \fBASYNC_WAIT_CTX_set_wait_fd\fR\|(3) followed by
\&\fBASYNC_pause_job()\fR to return control to the user code. The user code can then
perform other tasks or wait for the job to be ready by calling \*(L"select\*(R" or other
similar function on the wait file descriptor. The engine can signal to the user
code that the job should be resumed by making the wait file descriptor
\&\*(L"readable\*(R". Once resumed the engine should clear the wake signal on the wait
file descriptor.
.PP
The \fBASYNC_block_pause()\fR function will prevent the currently active job from
pausing. The block will remain in place until a subsequent call to
\&\fBASYNC_unblock_pause()\fR. These functions can be nested, e.g. if you call
\&\fBASYNC_block_pause()\fR twice then you must call \fBASYNC_unblock_pause()\fR twice in
order to re-enable pausing. If these functions are called while there is no
currently active job then they have no effect. This functionality can be useful
to avoid deadlock scenarios. For example during the execution of an \s-1ASYNC_JOB\s0 an
application acquires a lock. It then calls some cryptographic function which
invokes \fBASYNC_pause_job()\fR. This returns control back to the code that created
the \s-1ASYNC_JOB.\s0 If that code then attempts to acquire the same lock before
resuming the original job then a deadlock can occur. By calling
\&\fBASYNC_block_pause()\fR immediately after acquiring the lock and
\&\fBASYNC_unblock_pause()\fR immediately before releasing it then this situation cannot
occur.
.PP
Some platforms cannot support async operations. The \fBASYNC_is_capable()\fR function
can be used to detect whether the current platform is async capable or not.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
ASYNC_init_thread returns 1 on success or 0 otherwise.
.PP
ASYNC_start_job returns one of \s-1ASYNC_ERR, ASYNC_NO_JOBS, ASYNC_PAUSE\s0 or
\&\s-1ASYNC_FINISH\s0 as described above.
.PP
ASYNC_pause_job returns 0 if an error occurred or 1 on success. If called when
not within the context of an \s-1ASYNC_JOB\s0 then this is counted as success so 1 is
returned.
.PP
ASYNC_get_current_job returns a pointer to the currently executing \s-1ASYNC_JOB\s0 or
\&\s-1NULL\s0 if not within the context of a job.
.PP
\&\fBASYNC_get_wait_ctx()\fR returns a pointer to the \s-1ASYNC_WAIT_CTX\s0 for the job.
.PP
\&\fBASYNC_is_capable()\fR returns 1 if the current platform is async capable or 0
otherwise.
.SH "NOTES"
.IX Header "NOTES"
On Windows platforms the openssl/async.h header is dependent on some
of the types customarily made available by including windows.h. The
application developer is likely to require control over when the latter
is included, commonly as one of the first included headers. Therefore,
it is defined as an application developer's responsibility to include
windows.h prior to async.h.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
The following example demonstrates how to use most of the core async APIs:
.PP
.Vb 7
\& #ifdef _WIN32
\& # include <windows.h>
\& #endif
\& #include <stdio.h>
\& #include <unistd.h>
\& #include <openssl/async.h>
\& #include <openssl/crypto.h>
\&
\& int unique = 0;
\&
\& void cleanup(ASYNC_WAIT_CTX *ctx, const void *key, OSSL_ASYNC_FD r, void *vw)
\& {
\& OSSL_ASYNC_FD *w = (OSSL_ASYNC_FD *)vw;
\&
\& close(r);
\& close(*w);
\& OPENSSL_free(w);
\& }
\&
\& int jobfunc(void *arg)
\& {
\& ASYNC_JOB *currjob;
\& unsigned char *msg;
\& int pipefds[2] = {0, 0};
\& OSSL_ASYNC_FD *wptr;
\& char buf = \*(AqX\*(Aq;
\&
\& currjob = ASYNC_get_current_job();
\& if (currjob != NULL) {
\& printf("Executing within a job\en");
\& } else {
\& printf("Not executing within a job \- should not happen\en");
\& return 0;
\& }
\&
\& msg = (unsigned char *)arg;
\& printf("Passed in message is: %s\en", msg);
\&
\& if (pipe(pipefds) != 0) {
\& printf("Failed to create pipe\en");
\& return 0;
\& }
\& wptr = OPENSSL_malloc(sizeof(OSSL_ASYNC_FD));
\& if (wptr == NULL) {
\& printf("Failed to malloc\en");
\& return 0;
\& }
\& *wptr = pipefds[1];
\& ASYNC_WAIT_CTX_set_wait_fd(ASYNC_get_wait_ctx(currjob), &unique,
\& pipefds[0], wptr, cleanup);
\&
\& /*
\& * Normally some external event would cause this to happen at some
\& * later point \- but we do it here for demo purposes, i.e.
\& * immediately signalling that the job is ready to be woken up after
\& * we return to main via ASYNC_pause_job().
\& */
\& write(pipefds[1], &buf, 1);
\&
\& /* Return control back to main */
\& ASYNC_pause_job();
\&
\& /* Clear the wake signal */
\& read(pipefds[0], &buf, 1);
\&
\& printf ("Resumed the job after a pause\en");
\&
\& return 1;
\& }
\&
\& int main(void)
\& {
\& ASYNC_JOB *job = NULL;
\& ASYNC_WAIT_CTX *ctx = NULL;
\& int ret;
\& OSSL_ASYNC_FD waitfd;
\& fd_set waitfdset;
\& size_t numfds;
\& unsigned char msg[13] = "Hello world!";
\&
\& printf("Starting...\en");
\&
\& ctx = ASYNC_WAIT_CTX_new();
\& if (ctx == NULL) {
\& printf("Failed to create ASYNC_WAIT_CTX\en");
\& abort();
\& }
\&
\& for (;;) {
\& switch (ASYNC_start_job(&job, ctx, &ret, jobfunc, msg, sizeof(msg))) {
\& case ASYNC_ERR:
\& case ASYNC_NO_JOBS:
\& printf("An error occurred\en");
\& goto end;
\& case ASYNC_PAUSE:
\& printf("Job was paused\en");
\& break;
\& case ASYNC_FINISH:
\& printf("Job finished with return value %d\en", ret);
\& goto end;
\& }
\&
\& /* Wait for the job to be woken */
\& printf("Waiting for the job to be woken up\en");
\&
\& if (!ASYNC_WAIT_CTX_get_all_fds(ctx, NULL, &numfds)
\& || numfds > 1) {
\& printf("Unexpected number of fds\en");
\& abort();
\& }
\& ASYNC_WAIT_CTX_get_all_fds(ctx, &waitfd, &numfds);
\& FD_ZERO(&waitfdset);
\& FD_SET(waitfd, &waitfdset);
\& select(waitfd + 1, &waitfdset, NULL, NULL, NULL);
\& }
\&
\& end:
\& ASYNC_WAIT_CTX_free(ctx);
\& printf("Finishing\en");
\&
\& return 0;
\& }
.Ve
.PP
The expected output from executing the above example program is:
.PP
.Vb 8
\& Starting...
\& Executing within a job
\& Passed in message is: Hello world!
\& Job was paused
\& Waiting for the job to be woken up
\& Resumed the job after a pause
\& Job finished with return value 1
\& Finishing
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7), \fBERR_print_errors\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
ASYNC_init_thread, ASYNC_cleanup_thread,
ASYNC_start_job, ASYNC_pause_job, ASYNC_get_current_job, \fBASYNC_get_wait_ctx()\fR,
\&\fBASYNC_block_pause()\fR, \fBASYNC_unblock_pause()\fR and \fBASYNC_is_capable()\fR were first
added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BF_encrypt.3 b/secure/lib/libcrypto/man/man3/BF_encrypt.3
index 92f752fe487d..9acb8add8f00 100644
--- a/secure/lib/libcrypto/man/man3/BF_encrypt.3
+++ b/secure/lib/libcrypto/man/man3/BF_encrypt.3
@@ -1,249 +1,249 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BF_ENCRYPT 3"
-.TH BF_ENCRYPT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BF_ENCRYPT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BF_set_key, BF_encrypt, BF_decrypt, BF_ecb_encrypt, BF_cbc_encrypt, BF_cfb64_encrypt, BF_ofb64_encrypt, BF_options \- Blowfish encryption
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/blowfish.h>
\&
\& void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
\&
\& void BF_ecb_encrypt(const unsigned char *in, unsigned char *out,
\& BF_KEY *key, int enc);
\& void BF_cbc_encrypt(const unsigned char *in, unsigned char *out,
\& long length, BF_KEY *schedule,
\& unsigned char *ivec, int enc);
\& void BF_cfb64_encrypt(const unsigned char *in, unsigned char *out,
\& long length, BF_KEY *schedule,
\& unsigned char *ivec, int *num, int enc);
\& void BF_ofb64_encrypt(const unsigned char *in, unsigned char *out,
\& long length, BF_KEY *schedule,
\& unsigned char *ivec, int *num);
\& const char *BF_options(void);
\&
\& void BF_encrypt(BF_LONG *data, const BF_KEY *key);
\& void BF_decrypt(BF_LONG *data, const BF_KEY *key);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This library implements the Blowfish cipher, which was invented and described
by Counterpane (see http://www.counterpane.com/blowfish.html ).
.PP
Blowfish is a block cipher that operates on 64 bit (8 byte) blocks of data.
It uses a variable size key, but typically, 128 bit (16 byte) keys are
considered good for strong encryption. Blowfish can be used in the same
modes as \s-1DES\s0 (see \fBdes_modes\fR\|(7)). Blowfish is currently one
of the faster block ciphers. It is quite a bit faster than \s-1DES,\s0 and much
faster than \s-1IDEA\s0 or \s-1RC2.\s0
.PP
Blowfish consists of a key setup phase and the actual encryption or decryption
phase.
.PP
\&\fBBF_set_key()\fR sets up the \fB\s-1BF_KEY\s0\fR \fBkey\fR using the \fBlen\fR bytes long key
at \fBdata\fR.
.PP
\&\fBBF_ecb_encrypt()\fR is the basic Blowfish encryption and decryption function.
It encrypts or decrypts the first 64 bits of \fBin\fR using the key \fBkey\fR,
putting the result in \fBout\fR. \fBenc\fR decides if encryption (\fB\s-1BF_ENCRYPT\s0\fR)
or decryption (\fB\s-1BF_DECRYPT\s0\fR) shall be performed. The vector pointed at by
\&\fBin\fR and \fBout\fR must be 64 bits in length, no less. If they are larger,
everything after the first 64 bits is ignored.
.PP
The mode functions \fBBF_cbc_encrypt()\fR, \fBBF_cfb64_encrypt()\fR and \fBBF_ofb64_encrypt()\fR
all operate on variable length data. They all take an initialization vector
\&\fBivec\fR which needs to be passed along into the next call of the same function
for the same message. \fBivec\fR may be initialized with anything, but the
recipient needs to know what it was initialized with, or it won't be able
to decrypt. Some programs and protocols simplify this, like \s-1SSH,\s0 where
\&\fBivec\fR is simply initialized to zero.
\&\fBBF_cbc_encrypt()\fR operates on data that is a multiple of 8 bytes long, while
\&\fBBF_cfb64_encrypt()\fR and \fBBF_ofb64_encrypt()\fR are used to encrypt a variable
number of bytes (the amount does not have to be an exact multiple of 8). The
purpose of the latter two is to simulate stream ciphers, and therefore, they
need the parameter \fBnum\fR, which is a pointer to an integer where the current
offset in \fBivec\fR is stored between calls. This integer must be initialized
to zero when \fBivec\fR is initialized.
.PP
\&\fBBF_cbc_encrypt()\fR is the Cipher Block Chaining function for Blowfish. It
encrypts or decrypts the 64 bits chunks of \fBin\fR using the key \fBschedule\fR,
putting the result in \fBout\fR. \fBenc\fR decides if encryption (\s-1BF_ENCRYPT\s0) or
decryption (\s-1BF_DECRYPT\s0) shall be performed. \fBivec\fR must point at an 8 byte
long initialization vector.
.PP
\&\fBBF_cfb64_encrypt()\fR is the \s-1CFB\s0 mode for Blowfish with 64 bit feedback.
It encrypts or decrypts the bytes in \fBin\fR using the key \fBschedule\fR,
putting the result in \fBout\fR. \fBenc\fR decides if encryption (\fB\s-1BF_ENCRYPT\s0\fR)
or decryption (\fB\s-1BF_DECRYPT\s0\fR) shall be performed. \fBivec\fR must point at an
8 byte long initialization vector. \fBnum\fR must point at an integer which must
be initially zero.
.PP
\&\fBBF_ofb64_encrypt()\fR is the \s-1OFB\s0 mode for Blowfish with 64 bit feedback.
It uses the same parameters as \fBBF_cfb64_encrypt()\fR, which must be initialized
the same way.
.PP
\&\fBBF_encrypt()\fR and \fBBF_decrypt()\fR are the lowest level functions for Blowfish
encryption. They encrypt/decrypt the first 64 bits of the vector pointed by
\&\fBdata\fR, using the key \fBkey\fR. These functions should not be used unless you
implement 'modes' of Blowfish. The alternative is to use \fBBF_ecb_encrypt()\fR.
If you still want to use these functions, you should be aware that they take
each 32\-bit chunk in host-byte order, which is little-endian on little-endian
platforms and big-endian on big-endian ones.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
None of the functions presented here return any value.
.SH "NOTE"
.IX Header "NOTE"
Applications should use the higher level functions
\&\fBEVP_EncryptInit\fR\|(3) etc. instead of calling these
functions directly.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBdes_modes\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_ADDR.3 b/secure/lib/libcrypto/man/man3/BIO_ADDR.3
index b5a0f42e5a2f..addc18602608 100644
--- a/secure/lib/libcrypto/man/man3/BIO_ADDR.3
+++ b/secure/lib/libcrypto/man/man3/BIO_ADDR.3
@@ -1,253 +1,253 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_ADDR 3"
-.TH BIO_ADDR 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_ADDR 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_ADDR, BIO_ADDR_new, BIO_ADDR_clear, BIO_ADDR_free, BIO_ADDR_rawmake, BIO_ADDR_family, BIO_ADDR_rawaddress, BIO_ADDR_rawport, BIO_ADDR_hostname_string, BIO_ADDR_service_string, BIO_ADDR_path_string \- BIO_ADDR routines
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 2
\& #include <sys/types.h>
\& #include <openssl/bio.h>
\&
\& typedef union bio_addr_st BIO_ADDR;
\&
\& BIO_ADDR *BIO_ADDR_new(void);
\& void BIO_ADDR_free(BIO_ADDR *);
\& void BIO_ADDR_clear(BIO_ADDR *ap);
\& int BIO_ADDR_rawmake(BIO_ADDR *ap, int family,
\& const void *where, size_t wherelen, unsigned short port);
\& int BIO_ADDR_family(const BIO_ADDR *ap);
\& int BIO_ADDR_rawaddress(const BIO_ADDR *ap, void *p, size_t *l);
\& unsigned short BIO_ADDR_rawport(const BIO_ADDR *ap);
\& char *BIO_ADDR_hostname_string(const BIO_ADDR *ap, int numeric);
\& char *BIO_ADDR_service_string(const BIO_ADDR *ap, int numeric);
\& char *BIO_ADDR_path_string(const BIO_ADDR *ap);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fB\s-1BIO_ADDR\s0\fR type is a wrapper around all types of socket
addresses that OpenSSL deals with, currently transparently
supporting \s-1AF_INET, AF_INET6\s0 and \s-1AF_UNIX\s0 according to what's
available on the platform at hand.
.PP
\&\fBBIO_ADDR_new()\fR creates a new unfilled \fB\s-1BIO_ADDR\s0\fR, to be used
with routines that will fill it with information, such as
\&\fBBIO_accept_ex()\fR.
.PP
\&\fBBIO_ADDR_free()\fR frees a \fB\s-1BIO_ADDR\s0\fR created with \fBBIO_ADDR_new()\fR.
.PP
\&\fBBIO_ADDR_clear()\fR clears any data held within the provided \fB\s-1BIO_ADDR\s0\fR and sets
it back to an uninitialised state.
.PP
\&\fBBIO_ADDR_rawmake()\fR takes a protocol \fBfamily\fR, a byte array of
size \fBwherelen\fR with an address in network byte order pointed at
by \fBwhere\fR and a port number in network byte order in \fBport\fR (except
for the \fB\s-1AF_UNIX\s0\fR protocol family, where \fBport\fR is meaningless and
therefore ignored) and populates the given \fB\s-1BIO_ADDR\s0\fR with them.
In case this creates a \fB\s-1AF_UNIX\s0\fR \fB\s-1BIO_ADDR\s0\fR, \fBwherelen\fR is expected
to be the length of the path string (not including the terminating
\&\s-1NUL,\s0 such as the result of a call to \fBstrlen()\fR).
\&\fIRead on about the addresses in \*(L"\s-1RAW ADDRESSES\*(R"\s0 below\fR.
.PP
\&\fBBIO_ADDR_family()\fR returns the protocol family of the given
\&\fB\s-1BIO_ADDR\s0\fR. The possible non-error results are one of the
constants \s-1AF_INET, AF_INET6\s0 and \s-1AF_UNIX.\s0 It will also return \s-1AF_UNSPEC\s0 if the
\&\s-1BIO_ADDR\s0 has not been initialised.
.PP
\&\fBBIO_ADDR_rawaddress()\fR will write the raw address of the given
\&\fB\s-1BIO_ADDR\s0\fR in the area pointed at by \fBp\fR if \fBp\fR is non-NULL,
and will set \fB*l\fR to be the amount of bytes the raw address
takes up if \fBl\fR is non-NULL.
A technique to only find out the size of the address is a call
with \fBp\fR set to \fB\s-1NULL\s0\fR. The raw address will be in network byte
order, most significant byte first.
In case this is a \fB\s-1AF_UNIX\s0\fR \fB\s-1BIO_ADDR\s0\fR, \fBl\fR gets the length of the
path string (not including the terminating \s-1NUL,\s0 such as the result of
a call to \fBstrlen()\fR).
\&\fIRead on about the addresses in \*(L"\s-1RAW ADDRESSES\*(R"\s0 below\fR.
.PP
\&\fBBIO_ADDR_rawport()\fR returns the raw port of the given \fB\s-1BIO_ADDR\s0\fR.
The raw port will be in network byte order.
.PP
\&\fBBIO_ADDR_hostname_string()\fR returns a character string with the
hostname of the given \fB\s-1BIO_ADDR\s0\fR. If \fBnumeric\fR is 1, the string
will contain the numerical form of the address. This only works for
\&\fB\s-1BIO_ADDR\s0\fR of the protocol families \s-1AF_INET\s0 and \s-1AF_INET6.\s0 The
returned string has been allocated on the heap and must be freed
with \fBOPENSSL_free()\fR.
.PP
\&\fBBIO_ADDR_service_string()\fR returns a character string with the
service name of the port of the given \fB\s-1BIO_ADDR\s0\fR. If \fBnumeric\fR
is 1, the string will contain the port number. This only works
for \fB\s-1BIO_ADDR\s0\fR of the protocol families \s-1AF_INET\s0 and \s-1AF_INET6.\s0 The
returned string has been allocated on the heap and must be freed
with \fBOPENSSL_free()\fR.
.PP
\&\fBBIO_ADDR_path_string()\fR returns a character string with the path
of the given \fB\s-1BIO_ADDR\s0\fR. This only works for \fB\s-1BIO_ADDR\s0\fR of the
protocol family \s-1AF_UNIX.\s0 The returned string has been allocated
on the heap and must be freed with \fBOPENSSL_free()\fR.
.SH "RAW ADDRESSES"
.IX Header "RAW ADDRESSES"
Both \fBBIO_ADDR_rawmake()\fR and \fBBIO_ADDR_rawaddress()\fR take a pointer to a
network byte order address of a specific site. Internally, those are
treated as a pointer to \fBstruct in_addr\fR (for \fB\s-1AF_INET\s0\fR), \fBstruct
in6_addr\fR (for \fB\s-1AF_INET6\s0\fR) or \fBchar *\fR (for \fB\s-1AF_UNIX\s0\fR), all
depending on the protocol family the address is for.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The string producing functions \fBBIO_ADDR_hostname_string()\fR,
\&\fBBIO_ADDR_service_string()\fR and \fBBIO_ADDR_path_string()\fR will
return \fB\s-1NULL\s0\fR on error and leave an error indication on the
OpenSSL error stack.
.PP
All other functions described here return 0 or \fB\s-1NULL\s0\fR when the
information they should return isn't available.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBBIO_connect\fR\|(3), \fBBIO_s_connect\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_ADDRINFO.3 b/secure/lib/libcrypto/man/man3/BIO_ADDRINFO.3
index 92abe779a68e..86813107510b 100644
--- a/secure/lib/libcrypto/man/man3/BIO_ADDRINFO.3
+++ b/secure/lib/libcrypto/man/man3/BIO_ADDRINFO.3
@@ -1,239 +1,239 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_ADDRINFO 3"
-.TH BIO_ADDRINFO 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_ADDRINFO 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_lookup_type, BIO_ADDRINFO, BIO_ADDRINFO_next, BIO_ADDRINFO_free, BIO_ADDRINFO_family, BIO_ADDRINFO_socktype, BIO_ADDRINFO_protocol, BIO_ADDRINFO_address, BIO_lookup_ex, BIO_lookup \&\- BIO_ADDRINFO type and routines
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 2
\& #include <sys/types.h>
\& #include <openssl/bio.h>
\&
\& typedef union bio_addrinfo_st BIO_ADDRINFO;
\&
\& enum BIO_lookup_type {
\& BIO_LOOKUP_CLIENT, BIO_LOOKUP_SERVER
\& };
\&
\& int BIO_lookup_ex(const char *host, const char *service, int lookup_type,
\& int family, int socktype, int protocol, BIO_ADDRINFO **res);
\& int BIO_lookup(const char *node, const char *service,
\& enum BIO_lookup_type lookup_type,
\& int family, int socktype, BIO_ADDRINFO **res);
\&
\& const BIO_ADDRINFO *BIO_ADDRINFO_next(const BIO_ADDRINFO *bai);
\& int BIO_ADDRINFO_family(const BIO_ADDRINFO *bai);
\& int BIO_ADDRINFO_socktype(const BIO_ADDRINFO *bai);
\& int BIO_ADDRINFO_protocol(const BIO_ADDRINFO *bai);
\& const BIO_ADDR *BIO_ADDRINFO_address(const BIO_ADDRINFO *bai);
\& void BIO_ADDRINFO_free(BIO_ADDRINFO *bai);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fB\s-1BIO_ADDRINFO\s0\fR type is a wrapper for address information
types provided on your platform.
.PP
\&\fB\s-1BIO_ADDRINFO\s0\fR normally forms a chain of several that can be
picked at one by one.
.PP
\&\fBBIO_lookup_ex()\fR looks up a specified \fBhost\fR and \fBservice\fR, and
uses \fBlookup_type\fR to determine what the default address should
be if \fBhost\fR is \fB\s-1NULL\s0\fR. \fBfamily\fR, \fBsocktype\fR and \fBprotocol\fR are used to
determine what protocol family, socket type and protocol should be used for
the lookup. \fBfamily\fR can be any of \s-1AF_INET, AF_INET6, AF_UNIX\s0 and
\&\s-1AF_UNSPEC.\s0 \fBsocktype\fR can be \s-1SOCK_STREAM, SOCK_DGRAM\s0 or 0. Specifying 0
indicates that any type can be used. \fBprotocol\fR specifies a protocol such as
\&\s-1IPPROTO_TCP, IPPROTO_UDP\s0 or \s-1IPPORTO_SCTP.\s0 If set to 0 than any protocol can be
used. \fBres\fR points at a pointer to hold the start of a \fB\s-1BIO_ADDRINFO\s0\fR
chain.
.PP
For the family \fB\s-1AF_UNIX\s0\fR, \fBBIO_lookup_ex()\fR will ignore the \fBservice\fR
parameter and expects the \fBnode\fR parameter to hold the path to the
socket file.
.PP
\&\fBBIO_lookup()\fR does the same as \fBBIO_lookup_ex()\fR but does not provide the ability
to select based on the protocol (any protocol may be returned).
.PP
\&\fBBIO_ADDRINFO_family()\fR returns the family of the given
\&\fB\s-1BIO_ADDRINFO\s0\fR. The result will be one of the constants
\&\s-1AF_INET, AF_INET6\s0 and \s-1AF_UNIX.\s0
.PP
\&\fBBIO_ADDRINFO_socktype()\fR returns the socket type of the given
\&\fB\s-1BIO_ADDRINFO\s0\fR. The result will be one of the constants
\&\s-1SOCK_STREAM\s0 and \s-1SOCK_DGRAM.\s0
.PP
\&\fBBIO_ADDRINFO_protocol()\fR returns the protocol id of the given
\&\fB\s-1BIO_ADDRINFO\s0\fR. The result will be one of the constants
\&\s-1IPPROTO_TCP\s0 and \s-1IPPROTO_UDP.\s0
.PP
\&\fBBIO_ADDRINFO_address()\fR returns the underlying \fB\s-1BIO_ADDR\s0\fR
of the given \fB\s-1BIO_ADDRINFO\s0\fR.
.PP
\&\fBBIO_ADDRINFO_next()\fR returns the next \fB\s-1BIO_ADDRINFO\s0\fR in the chain
from the given one.
.PP
\&\fBBIO_ADDRINFO_free()\fR frees the chain of \fB\s-1BIO_ADDRINFO\s0\fR starting
with the given one.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_lookup_ex()\fR and \fBBIO_lookup()\fR return 1 on success and 0 when an error
occurred, and will leave an error indication on the OpenSSL error stack in that
case.
.PP
All other functions described here return 0 or \fB\s-1NULL\s0\fR when the
information they should return isn't available.
.SH "NOTES"
.IX Header "NOTES"
The \fBBIO_lookup_ex()\fR implementation uses the platform provided \fBgetaddrinfo()\fR
function. On Linux it is known that specifying 0 for the protocol will not
return any \s-1SCTP\s0 based addresses when calling \fBgetaddrinfo()\fR. Therefore, if an \s-1SCTP\s0
address is required then the \fBprotocol\fR parameter to \fBBIO_lookup_ex()\fR should be
explicitly set to \s-1IPPROTO_SCTP.\s0 The same may be true on other platforms.
.SH "HISTORY"
.IX Header "HISTORY"
The \fBBIO_lookup_ex()\fR function was added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_connect.3 b/secure/lib/libcrypto/man/man3/BIO_connect.3
index c3f084d68305..6b32dcb79124 100644
--- a/secure/lib/libcrypto/man/man3/BIO_connect.3
+++ b/secure/lib/libcrypto/man/man3/BIO_connect.3
@@ -1,240 +1,240 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_CONNECT 3"
-.TH BIO_CONNECT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_CONNECT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_socket, BIO_bind, BIO_connect, BIO_listen, BIO_accept_ex, BIO_closesocket \- BIO socket communication setup routines
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& int BIO_socket(int domain, int socktype, int protocol, int options);
\& int BIO_bind(int sock, const BIO_ADDR *addr, int options);
\& int BIO_connect(int sock, const BIO_ADDR *addr, int options);
\& int BIO_listen(int sock, const BIO_ADDR *addr, int options);
\& int BIO_accept_ex(int accept_sock, BIO_ADDR *peer, int options);
\& int BIO_closesocket(int sock);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBIO_socket()\fR creates a socket in the domain \fBdomain\fR, of type
\&\fBsocktype\fR and \fBprotocol\fR. Socket \fBoptions\fR are currently unused,
but is present for future use.
.PP
\&\fBBIO_bind()\fR binds the source address and service to a socket and
may be useful before calling \fBBIO_connect()\fR. The options may include
\&\fB\s-1BIO_SOCK_REUSEADDR\s0\fR, which is described in \*(L"\s-1FLAGS\*(R"\s0 below.
.PP
\&\fBBIO_connect()\fR connects \fBsock\fR to the address and service given by
\&\fBaddr\fR. Connection \fBoptions\fR may be zero or any combination of
\&\fB\s-1BIO_SOCK_KEEPALIVE\s0\fR, \fB\s-1BIO_SOCK_NONBLOCK\s0\fR and \fB\s-1BIO_SOCK_NODELAY\s0\fR.
The flags are described in \*(L"\s-1FLAGS\*(R"\s0 below.
.PP
\&\fBBIO_listen()\fR has \fBsock\fR start listening on the address and service
given by \fBaddr\fR. Connection \fBoptions\fR may be zero or any
combination of \fB\s-1BIO_SOCK_KEEPALIVE\s0\fR, \fB\s-1BIO_SOCK_NONBLOCK\s0\fR,
\&\fB\s-1BIO_SOCK_NODELAY\s0\fR, \fB\s-1BIO_SOCK_REUSEADDR\s0\fR and \fB\s-1BIO_SOCK_V6_ONLY\s0\fR.
The flags are described in \*(L"\s-1FLAGS\*(R"\s0 below.
.PP
\&\fBBIO_accept_ex()\fR waits for an incoming connections on the given
socket \fBaccept_sock\fR. When it gets a connection, the address and
port of the peer gets stored in \fBpeer\fR if that one is non-NULL.
Accept \fBoptions\fR may be zero or \fB\s-1BIO_SOCK_NONBLOCK\s0\fR, and is applied
on the accepted socket. The flags are described in \*(L"\s-1FLAGS\*(R"\s0 below.
.PP
\&\fBBIO_closesocket()\fR closes \fBsock\fR.
.SH "FLAGS"
.IX Header "FLAGS"
.IP "\s-1BIO_SOCK_KEEPALIVE\s0" 4
.IX Item "BIO_SOCK_KEEPALIVE"
Enables regular sending of keep-alive messages.
.IP "\s-1BIO_SOCK_NONBLOCK\s0" 4
.IX Item "BIO_SOCK_NONBLOCK"
Sets the socket to nonblocking mode.
.IP "\s-1BIO_SOCK_NODELAY\s0" 4
.IX Item "BIO_SOCK_NODELAY"
Corresponds to \fB\s-1TCP_NODELAY\s0\fR, and disables the Nagle algorithm. With
this set, any data will be sent as soon as possible instead of being
buffered until there's enough for the socket to send out in one go.
.IP "\s-1BIO_SOCK_REUSEADDR\s0" 4
.IX Item "BIO_SOCK_REUSEADDR"
Try to reuse the address and port combination for a recently closed
port.
.IP "\s-1BIO_SOCK_V6_ONLY\s0" 4
.IX Item "BIO_SOCK_V6_ONLY"
When creating an IPv6 socket, make it only listen for IPv6 addresses
and not IPv4 addresses mapped to IPv6.
.PP
These flags are bit flags, so they are to be combined with the
\&\f(CW\*(C`|\*(C'\fR operator, for example:
.PP
.Vb 1
\& BIO_connect(sock, addr, BIO_SOCK_KEEPALIVE | BIO_SOCK_NONBLOCK);
.Ve
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_socket()\fR returns the socket number on success or \fB\s-1INVALID_SOCKET\s0\fR
(\-1) on error. When an error has occurred, the OpenSSL error stack
will hold the error data and errno has the system error.
.PP
\&\fBBIO_bind()\fR, \fBBIO_connect()\fR and \fBBIO_listen()\fR return 1 on success or 0 on error.
When an error has occurred, the OpenSSL error stack will hold the error
data and errno has the system error.
.PP
\&\fBBIO_accept_ex()\fR returns the accepted socket on success or
\&\fB\s-1INVALID_SOCKET\s0\fR (\-1) on error. When an error has occurred, the
OpenSSL error stack will hold the error data and errno has the system
error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\s-1\fBBIO_ADDR\s0\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBBIO_gethostname()\fR, \fBBIO_get_port()\fR, \fBBIO_get_host_ip()\fR,
\&\fBBIO_get_accept_socket()\fR and \fBBIO_accept()\fR were deprecated in OpenSSL 1.1.0.
Use the functions described above instead.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_ctrl.3 b/secure/lib/libcrypto/man/man3/BIO_ctrl.3
index b0fdc865b990..b0b7ca8535e8 100644
--- a/secure/lib/libcrypto/man/man3/BIO_ctrl.3
+++ b/secure/lib/libcrypto/man/man3/BIO_ctrl.3
@@ -1,280 +1,280 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_CTRL 3"
-.TH BIO_CTRL 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_CTRL 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_ctrl, BIO_callback_ctrl, BIO_ptr_ctrl, BIO_int_ctrl, BIO_reset, BIO_seek, BIO_tell, BIO_flush, BIO_eof, BIO_set_close, BIO_get_close, BIO_pending, BIO_wpending, BIO_ctrl_pending, BIO_ctrl_wpending, BIO_get_info_callback, BIO_set_info_callback, BIO_info_cb, BIO_get_ktls_send, BIO_get_ktls_recv \&\- BIO control operations
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& typedef int BIO_info_cb(BIO *b, int state, int res);
\&
\& long BIO_ctrl(BIO *bp, int cmd, long larg, void *parg);
\& long BIO_callback_ctrl(BIO *b, int cmd, BIO_info_cb *cb);
-\& char *BIO_ptr_ctrl(BIO *bp, int cmd, long larg);
+\& void *BIO_ptr_ctrl(BIO *bp, int cmd, long larg);
\& long BIO_int_ctrl(BIO *bp, int cmd, long larg, int iarg);
\&
\& int BIO_reset(BIO *b);
\& int BIO_seek(BIO *b, int ofs);
\& int BIO_tell(BIO *b);
\& int BIO_flush(BIO *b);
\& int BIO_eof(BIO *b);
\& int BIO_set_close(BIO *b, long flag);
\& int BIO_get_close(BIO *b);
\& int BIO_pending(BIO *b);
\& int BIO_wpending(BIO *b);
\& size_t BIO_ctrl_pending(BIO *b);
\& size_t BIO_ctrl_wpending(BIO *b);
\&
\& int BIO_get_info_callback(BIO *b, BIO_info_cb **cbp);
\& int BIO_set_info_callback(BIO *b, BIO_info_cb *cb);
\&
\& int BIO_get_ktls_send(BIO *b);
\& int BIO_get_ktls_recv(BIO *b);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBIO_ctrl()\fR, \fBBIO_callback_ctrl()\fR, \fBBIO_ptr_ctrl()\fR and \fBBIO_int_ctrl()\fR
are \s-1BIO\s0 \*(L"control\*(R" operations taking arguments of various types.
These functions are not normally called directly, various macros
are used instead. The standard macros are described below, macros
specific to a particular type of \s-1BIO\s0 are described in the specific
BIOs manual page as well as any special features of the standard
calls.
.PP
\&\fBBIO_reset()\fR typically resets a \s-1BIO\s0 to some initial state, in the case
of file related BIOs for example it rewinds the file pointer to the
start of the file.
.PP
\&\fBBIO_seek()\fR resets a file related \s-1BIO\s0's (that is file descriptor and
\&\s-1FILE\s0 BIOs) file position pointer to \fBofs\fR bytes from start of file.
.PP
\&\fBBIO_tell()\fR returns the current file position of a file related \s-1BIO.\s0
.PP
\&\fBBIO_flush()\fR normally writes out any internally buffered data, in some
cases it is used to signal \s-1EOF\s0 and that no more data will be written.
.PP
\&\fBBIO_eof()\fR returns 1 if the \s-1BIO\s0 has read \s-1EOF,\s0 the precise meaning of
\&\*(L"\s-1EOF\*(R"\s0 varies according to the \s-1BIO\s0 type.
.PP
\&\fBBIO_set_close()\fR sets the \s-1BIO\s0 \fBb\fR close flag to \fBflag\fR. \fBflag\fR can
take the value \s-1BIO_CLOSE\s0 or \s-1BIO_NOCLOSE.\s0 Typically \s-1BIO_CLOSE\s0 is used
in a source/sink \s-1BIO\s0 to indicate that the underlying I/O stream should
be closed when the \s-1BIO\s0 is freed.
.PP
\&\fBBIO_get_close()\fR returns the BIOs close flag.
.PP
\&\fBBIO_pending()\fR, \fBBIO_ctrl_pending()\fR, \fBBIO_wpending()\fR and \fBBIO_ctrl_wpending()\fR
return the number of pending characters in the BIOs read and write buffers.
Not all BIOs support these calls. \fBBIO_ctrl_pending()\fR and \fBBIO_ctrl_wpending()\fR
return a size_t type and are functions, \fBBIO_pending()\fR and \fBBIO_wpending()\fR are
macros which call \fBBIO_ctrl()\fR.
.PP
\&\fBBIO_get_ktls_send()\fR returns 1 if the \s-1BIO\s0 is using the Kernel \s-1TLS\s0 data-path for
sending. Otherwise, it returns zero.
\&\fBBIO_get_ktls_recv()\fR returns 1 if the \s-1BIO\s0 is using the Kernel \s-1TLS\s0 data-path for
receiving. Otherwise, it returns zero.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_reset()\fR normally returns 1 for success and 0 or \-1 for failure. File
BIOs are an exception, they return 0 for success and \-1 for failure.
.PP
\&\fBBIO_seek()\fR and \fBBIO_tell()\fR both return the current file position on success
and \-1 for failure, except file BIOs which for \fBBIO_seek()\fR always return 0
for success and \-1 for failure.
.PP
\&\fBBIO_flush()\fR returns 1 for success and 0 or \-1 for failure.
.PP
\&\fBBIO_eof()\fR returns 1 if \s-1EOF\s0 has been reached 0 otherwise.
.PP
\&\fBBIO_set_close()\fR always returns 1.
.PP
\&\fBBIO_get_close()\fR returns the close flag value: \s-1BIO_CLOSE\s0 or \s-1BIO_NOCLOSE.\s0
.PP
\&\fBBIO_pending()\fR, \fBBIO_ctrl_pending()\fR, \fBBIO_wpending()\fR and \fBBIO_ctrl_wpending()\fR
return the amount of pending data.
.PP
\&\fBBIO_get_ktls_send()\fR returns 1 if the \s-1BIO\s0 is using the Kernel \s-1TLS\s0 data-path for
sending. Otherwise, it returns zero.
\&\fBBIO_get_ktls_recv()\fR returns 1 if the \s-1BIO\s0 is using the Kernel \s-1TLS\s0 data-path for
receiving. Otherwise, it returns zero.
.SH "NOTES"
.IX Header "NOTES"
\&\fBBIO_flush()\fR, because it can write data may return 0 or \-1 indicating
that the call should be retried later in a similar manner to \fBBIO_write_ex()\fR.
The \fBBIO_should_retry()\fR call should be used and appropriate action taken
is the call fails.
.PP
The return values of \fBBIO_pending()\fR and \fBBIO_wpending()\fR may not reliably
determine the amount of pending data in all cases. For example in the
case of a file \s-1BIO\s0 some data may be available in the \s-1FILE\s0 structures
internal buffers but it is not possible to determine this in a
portably way. For other types of \s-1BIO\s0 they may not be supported.
.PP
Filter BIOs if they do not internally handle a particular \fBBIO_ctrl()\fR
operation usually pass the operation to the next \s-1BIO\s0 in the chain.
This often means there is no need to locate the required \s-1BIO\s0 for
a particular operation, it can be called on a chain and it will
be automatically passed to the relevant \s-1BIO.\s0 However, this can cause
unexpected results: for example no current filter BIOs implement
\&\fBBIO_seek()\fR, but this may still succeed if the chain ends in a \s-1FILE\s0
or file descriptor \s-1BIO.\s0
.PP
Source/sink BIOs return an 0 if they do not recognize the \fBBIO_ctrl()\fR
operation.
.SH "BUGS"
.IX Header "BUGS"
Some of the return values are ambiguous and care should be taken. In
particular a return value of 0 can be returned if an operation is not
supported, if an error occurred, if \s-1EOF\s0 has not been reached and in
the case of \fBBIO_seek()\fR on a file \s-1BIO\s0 for a successful operation.
.SH "HISTORY"
.IX Header "HISTORY"
The \fBBIO_get_ktls_send()\fR and \fBBIO_get_ktls_recv()\fR functions were added in
OpenSSL 3.0.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_f_base64.3 b/secure/lib/libcrypto/man/man3/BIO_f_base64.3
index f5b28d8421bb..d473aaad0bbd 100644
--- a/secure/lib/libcrypto/man/man3/BIO_f_base64.3
+++ b/secure/lib/libcrypto/man/man3/BIO_f_base64.3
@@ -1,223 +1,236 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_F_BASE64 3"
-.TH BIO_F_BASE64 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_F_BASE64 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_f_base64 \- base64 BIO filter
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 2
\& #include <openssl/bio.h>
\& #include <openssl/evp.h>
\&
\& const BIO_METHOD *BIO_f_base64(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBIO_f_base64()\fR returns the base64 \s-1BIO\s0 method. This is a filter
\&\s-1BIO\s0 that base64 encodes any data written through it and decodes
any data read through it.
.PP
Base64 BIOs do not support \fBBIO_gets()\fR or \fBBIO_puts()\fR.
.PP
+For writing, output is by default divided to lines of length 64
+characters and there is always a newline at the end of output.
+.PP
+For reading, first line should be at most 1024
+characters long. If it is longer then it is ignored completely.
+Other input lines can be of any length. There must be a newline
+at the end of input.
+.PP
+This behavior can be changed with \s-1BIO_FLAGS_BASE64_NO_NL\s0 flag.
+.PP
\&\fBBIO_flush()\fR on a base64 \s-1BIO\s0 that is being written through is
used to signal that no more data is to be encoded: this is used
to flush the final block through the \s-1BIO.\s0
.PP
-The flag \s-1BIO_FLAGS_BASE64_NO_NL\s0 can be set with \fBBIO_set_flags()\fR
-to encode the data all on one line or expect the data to be all
-on one line.
+The flag \s-1BIO_FLAGS_BASE64_NO_NL\s0 can be set with \fBBIO_set_flags()\fR.
+For writing, it causes all data to be written on one line without
+newline at the end.
+For reading, it forces the decoder to process the data regardless
+of newlines. All newlines are ignored and the input does not need
+to contain any newline at all.
.SH "NOTES"
.IX Header "NOTES"
Because of the format of base64 encoding the end of the encoded
block cannot always be reliably determined.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_f_base64()\fR returns the base64 \s-1BIO\s0 method.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Base64 encode the string \*(L"Hello World\en\*(R" and write the result
to standard output:
.PP
.Vb 2
\& BIO *bio, *b64;
\& char message[] = "Hello World \en";
\&
\& b64 = BIO_new(BIO_f_base64());
\& bio = BIO_new_fp(stdout, BIO_NOCLOSE);
\& BIO_push(b64, bio);
\& BIO_write(b64, message, strlen(message));
\& BIO_flush(b64);
\&
\& BIO_free_all(b64);
.Ve
.PP
Read Base64 encoded data from standard input and write the decoded
data to standard output:
.PP
.Vb 3
\& BIO *bio, *b64, *bio_out;
\& char inbuf[512];
\& int inlen;
\&
\& b64 = BIO_new(BIO_f_base64());
\& bio = BIO_new_fp(stdin, BIO_NOCLOSE);
\& bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
\& BIO_push(b64, bio);
\& while ((inlen = BIO_read(b64, inbuf, 512)) > 0)
\& BIO_write(bio_out, inbuf, inlen);
\&
\& BIO_flush(bio_out);
\& BIO_free_all(b64);
.Ve
.SH "BUGS"
.IX Header "BUGS"
The ambiguity of \s-1EOF\s0 in base64 encoded data can cause additional
data following the base64 encoded block to be misinterpreted.
.PP
There should be some way of specifying a test that the \s-1BIO\s0 can perform
to reliably determine \s-1EOF\s0 (for example a \s-1MIME\s0 boundary).
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_f_buffer.3 b/secure/lib/libcrypto/man/man3/BIO_f_buffer.3
index 58dc2084e9c3..fd208838c352 100644
--- a/secure/lib/libcrypto/man/man3/BIO_f_buffer.3
+++ b/secure/lib/libcrypto/man/man3/BIO_f_buffer.3
@@ -1,227 +1,227 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_F_BUFFER 3"
-.TH BIO_F_BUFFER 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_F_BUFFER 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_get_buffer_num_lines, BIO_set_read_buffer_size, BIO_set_write_buffer_size, BIO_set_buffer_size, BIO_set_buffer_read_data, BIO_f_buffer \&\- buffering BIO
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& const BIO_METHOD *BIO_f_buffer(void);
\&
\& long BIO_get_buffer_num_lines(BIO *b);
\& long BIO_set_read_buffer_size(BIO *b, long size);
\& long BIO_set_write_buffer_size(BIO *b, long size);
\& long BIO_set_buffer_size(BIO *b, long size);
\& long BIO_set_buffer_read_data(BIO *b, void *buf, long num);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBIO_f_buffer()\fR returns the buffering \s-1BIO\s0 method.
.PP
Data written to a buffering \s-1BIO\s0 is buffered and periodically written
to the next \s-1BIO\s0 in the chain. Data read from a buffering \s-1BIO\s0 comes from
an internal buffer which is filled from the next \s-1BIO\s0 in the chain.
Both \fBBIO_gets()\fR and \fBBIO_puts()\fR are supported.
.PP
Calling \fBBIO_reset()\fR on a buffering \s-1BIO\s0 clears any buffered data.
.PP
\&\fBBIO_get_buffer_num_lines()\fR returns the number of lines currently buffered.
.PP
\&\fBBIO_set_read_buffer_size()\fR, \fBBIO_set_write_buffer_size()\fR and \fBBIO_set_buffer_size()\fR
set the read, write or both read and write buffer sizes to \fBsize\fR. The initial
buffer size is \s-1DEFAULT_BUFFER_SIZE,\s0 currently 4096. Any attempt to reduce the
buffer size below \s-1DEFAULT_BUFFER_SIZE\s0 is ignored. Any buffered data is cleared
when the buffer is resized.
.PP
\&\fBBIO_set_buffer_read_data()\fR clears the read buffer and fills it with \fBnum\fR
bytes of \fBbuf\fR. If \fBnum\fR is larger than the current buffer size the buffer
is expanded.
.SH "NOTES"
.IX Header "NOTES"
These functions, other than \fBBIO_f_buffer()\fR, are implemented as macros.
.PP
Buffering BIOs implement \fBBIO_read_ex()\fR and \fBBIO_gets()\fR by using
\&\fBBIO_read_ex()\fR operations on the next \s-1BIO\s0 in the chain and storing the
result in an internal buffer, from which bytes are given back to the
caller as appropriate for the call; a \fBBIO_gets()\fR is guaranteed to give
the caller a whole line, and \fBBIO_read_ex()\fR is guaranteed to give the
caller the number of bytes it asks for, unless there's an error or end
of communication is reached in the next \s-1BIO.\s0 By prepending a
buffering \s-1BIO\s0 to a chain it is therefore possible to provide
\&\fBBIO_gets()\fR or exact size \fBBIO_read_ex()\fR functionality if the following
BIOs do not support it.
.PP
Do not add more than one \fBBIO_f_buffer()\fR to a \s-1BIO\s0 chain. The result of
doing so will force a full read of the size of the internal buffer of
the top \fBBIO_f_buffer()\fR, which is 4 KiB at a minimum.
.PP
Data is only written to the next \s-1BIO\s0 in the chain when the write buffer fills
or when \fBBIO_flush()\fR is called. It is therefore important to call \fBBIO_flush()\fR
whenever any pending data should be written such as when removing a buffering
\&\s-1BIO\s0 using \fBBIO_pop()\fR. \fBBIO_flush()\fR may need to be retried if the ultimate
source/sink \s-1BIO\s0 is non blocking.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_f_buffer()\fR returns the buffering \s-1BIO\s0 method.
.PP
\&\fBBIO_get_buffer_num_lines()\fR returns the number of lines buffered (may be 0).
.PP
\&\fBBIO_set_read_buffer_size()\fR, \fBBIO_set_write_buffer_size()\fR and \fBBIO_set_buffer_size()\fR
return 1 if the buffer was successfully resized or 0 for failure.
.PP
\&\fBBIO_set_buffer_read_data()\fR returns 1 if the data was set correctly or 0 if
there was an error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBbio\fR\|(7),
\&\fBBIO_reset\fR\|(3),
\&\fBBIO_flush\fR\|(3),
\&\fBBIO_pop\fR\|(3),
\&\fBBIO_ctrl\fR\|(3).
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_f_cipher.3 b/secure/lib/libcrypto/man/man3/BIO_f_cipher.3
index c5d57ec206a5..f1acd403fd18 100644
--- a/secure/lib/libcrypto/man/man3/BIO_f_cipher.3
+++ b/secure/lib/libcrypto/man/man3/BIO_f_cipher.3
@@ -1,211 +1,211 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_F_CIPHER 3"
-.TH BIO_F_CIPHER 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_F_CIPHER 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_f_cipher, BIO_set_cipher, BIO_get_cipher_status, BIO_get_cipher_ctx \- cipher BIO filter
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 2
\& #include <openssl/bio.h>
\& #include <openssl/evp.h>
\&
\& const BIO_METHOD *BIO_f_cipher(void);
\& void BIO_set_cipher(BIO *b, const EVP_CIPHER *cipher,
\& unsigned char *key, unsigned char *iv, int enc);
\& int BIO_get_cipher_status(BIO *b)
\& int BIO_get_cipher_ctx(BIO *b, EVP_CIPHER_CTX **pctx)
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBIO_f_cipher()\fR returns the cipher \s-1BIO\s0 method. This is a filter
\&\s-1BIO\s0 that encrypts any data written through it, and decrypts any data
read from it. It is a \s-1BIO\s0 wrapper for the cipher routines
\&\fBEVP_CipherInit()\fR, \fBEVP_CipherUpdate()\fR and \fBEVP_CipherFinal()\fR.
.PP
Cipher BIOs do not support \fBBIO_gets()\fR or \fBBIO_puts()\fR.
.PP
\&\fBBIO_flush()\fR on an encryption \s-1BIO\s0 that is being written through is
used to signal that no more data is to be encrypted: this is used
to flush and possibly pad the final block through the \s-1BIO.\s0
.PP
\&\fBBIO_set_cipher()\fR sets the cipher of \s-1BIO\s0 \fBb\fR to \fBcipher\fR using key \fBkey\fR
and \s-1IV\s0 \fBiv\fR. \fBenc\fR should be set to 1 for encryption and zero for
decryption.
.PP
When reading from an encryption \s-1BIO\s0 the final block is automatically
decrypted and checked when \s-1EOF\s0 is detected. \fBBIO_get_cipher_status()\fR
is a \fBBIO_ctrl()\fR macro which can be called to determine whether the
decryption operation was successful.
.PP
\&\fBBIO_get_cipher_ctx()\fR is a \fBBIO_ctrl()\fR macro which retrieves the internal
\&\s-1BIO\s0 cipher context. The retrieved context can be used in conjunction
with the standard cipher routines to set it up. This is useful when
\&\fBBIO_set_cipher()\fR is not flexible enough for the applications needs.
.SH "NOTES"
.IX Header "NOTES"
When encrypting \fBBIO_flush()\fR \fBmust\fR be called to flush the final block
through the \s-1BIO.\s0 If it is not then the final block will fail a subsequent
decrypt.
.PP
When decrypting an error on the final block is signaled by a zero
return value from the read operation. A successful decrypt followed
by \s-1EOF\s0 will also return zero for the final read. \fBBIO_get_cipher_status()\fR
should be called to determine if the decrypt was successful.
.PP
As always, if \fBBIO_gets()\fR or \fBBIO_puts()\fR support is needed then it can
be achieved by preceding the cipher \s-1BIO\s0 with a buffering \s-1BIO.\s0
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_f_cipher()\fR returns the cipher \s-1BIO\s0 method.
.PP
\&\fBBIO_set_cipher()\fR does not return a value.
.PP
\&\fBBIO_get_cipher_status()\fR returns 1 for a successful decrypt and 0
for failure.
.PP
\&\fBBIO_get_cipher_ctx()\fR currently always returns 1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_f_md.3 b/secure/lib/libcrypto/man/man3/BIO_f_md.3
index 26327b8a21d8..a1c364e5f44f 100644
--- a/secure/lib/libcrypto/man/man3/BIO_f_md.3
+++ b/secure/lib/libcrypto/man/man3/BIO_f_md.3
@@ -1,295 +1,295 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_F_MD 3"
-.TH BIO_F_MD 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_F_MD 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_f_md, BIO_set_md, BIO_get_md, BIO_get_md_ctx \- message digest BIO filter
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 2
\& #include <openssl/bio.h>
\& #include <openssl/evp.h>
\&
\& const BIO_METHOD *BIO_f_md(void);
\& int BIO_set_md(BIO *b, EVP_MD *md);
\& int BIO_get_md(BIO *b, EVP_MD **mdp);
\& int BIO_get_md_ctx(BIO *b, EVP_MD_CTX **mdcp);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBIO_f_md()\fR returns the message digest \s-1BIO\s0 method. This is a filter
\&\s-1BIO\s0 that digests any data passed through it, it is a \s-1BIO\s0 wrapper
for the digest routines \fBEVP_DigestInit()\fR, \fBEVP_DigestUpdate()\fR
and \fBEVP_DigestFinal()\fR.
.PP
Any data written or read through a digest \s-1BIO\s0 using \fBBIO_read_ex()\fR and
\&\fBBIO_write_ex()\fR is digested.
.PP
\&\fBBIO_gets()\fR, if its \fBsize\fR parameter is large enough finishes the
digest calculation and returns the digest value. \fBBIO_puts()\fR is
not supported.
.PP
\&\fBBIO_reset()\fR reinitialises a digest \s-1BIO.\s0
.PP
\&\fBBIO_set_md()\fR sets the message digest of \s-1BIO\s0 \fBb\fR to \fBmd\fR: this
must be called to initialize a digest \s-1BIO\s0 before any data is
passed through it. It is a \fBBIO_ctrl()\fR macro.
.PP
\&\fBBIO_get_md()\fR places the a pointer to the digest BIOs digest method
in \fBmdp\fR, it is a \fBBIO_ctrl()\fR macro.
.PP
\&\fBBIO_get_md_ctx()\fR returns the digest BIOs context into \fBmdcp\fR.
.SH "NOTES"
.IX Header "NOTES"
The context returned by \fBBIO_get_md_ctx()\fR can be used in calls
to \fBEVP_DigestFinal()\fR and also the signature routines \fBEVP_SignFinal()\fR
and \fBEVP_VerifyFinal()\fR.
.PP
The context returned by \fBBIO_get_md_ctx()\fR is an internal context
structure. Changes made to this context will affect the digest
\&\s-1BIO\s0 itself and the context pointer will become invalid when the digest
\&\s-1BIO\s0 is freed.
.PP
After the digest has been retrieved from a digest \s-1BIO\s0 it must be
reinitialized by calling \fBBIO_reset()\fR, or \fBBIO_set_md()\fR before any more
data is passed through it.
.PP
If an application needs to call \fBBIO_gets()\fR or \fBBIO_puts()\fR through
a chain containing digest BIOs then this can be done by prepending
a buffering \s-1BIO.\s0
.PP
Calling \fBBIO_get_md_ctx()\fR will return the context and initialize the \s-1BIO\s0
state. This allows applications to initialize the context externally
if the standard calls such as \fBBIO_set_md()\fR are not sufficiently flexible.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_f_md()\fR returns the digest \s-1BIO\s0 method.
.PP
\&\fBBIO_set_md()\fR, \fBBIO_get_md()\fR and \fBBIO_md_ctx()\fR return 1 for success and
0 for failure.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
The following example creates a \s-1BIO\s0 chain containing an \s-1SHA1\s0 and \s-1MD5\s0
digest \s-1BIO\s0 and passes the string \*(L"Hello World\*(R" through it. Error
checking has been omitted for clarity.
.PP
.Vb 2
\& BIO *bio, *mdtmp;
\& char message[] = "Hello World";
\&
\& bio = BIO_new(BIO_s_null());
\& mdtmp = BIO_new(BIO_f_md());
\& BIO_set_md(mdtmp, EVP_sha1());
\& /*
\& * For BIO_push() we want to append the sink BIO and keep a note of
\& * the start of the chain.
\& */
\& bio = BIO_push(mdtmp, bio);
\& mdtmp = BIO_new(BIO_f_md());
\& BIO_set_md(mdtmp, EVP_md5());
\& bio = BIO_push(mdtmp, bio);
\& /* Note: mdtmp can now be discarded */
\& BIO_write(bio, message, strlen(message));
.Ve
.PP
The next example digests data by reading through a chain instead:
.PP
.Vb 3
\& BIO *bio, *mdtmp;
\& char buf[1024];
\& int rdlen;
\&
\& bio = BIO_new_file(file, "rb");
\& mdtmp = BIO_new(BIO_f_md());
\& BIO_set_md(mdtmp, EVP_sha1());
\& bio = BIO_push(mdtmp, bio);
\& mdtmp = BIO_new(BIO_f_md());
\& BIO_set_md(mdtmp, EVP_md5());
\& bio = BIO_push(mdtmp, bio);
\& do {
\& rdlen = BIO_read(bio, buf, sizeof(buf));
\& /* Might want to do something with the data here */
\& } while (rdlen > 0);
.Ve
.PP
This next example retrieves the message digests from a \s-1BIO\s0 chain and
outputs them. This could be used with the examples above.
.PP
.Vb 4
\& BIO *mdtmp;
\& unsigned char mdbuf[EVP_MAX_MD_SIZE];
\& int mdlen;
\& int i;
\&
\& mdtmp = bio; /* Assume bio has previously been set up */
\& do {
\& EVP_MD *md;
\&
\& mdtmp = BIO_find_type(mdtmp, BIO_TYPE_MD);
\& if (!mdtmp)
\& break;
\& BIO_get_md(mdtmp, &md);
\& printf("%s digest", OBJ_nid2sn(EVP_MD_type(md)));
\& mdlen = BIO_gets(mdtmp, mdbuf, EVP_MAX_MD_SIZE);
\& for (i = 0; i < mdlen; i++) printf(":%02X", mdbuf[i]);
\& printf("\en");
\& mdtmp = BIO_next(mdtmp);
\& } while (mdtmp);
\&
\& BIO_free_all(bio);
.Ve
.SH "BUGS"
.IX Header "BUGS"
The lack of support for \fBBIO_puts()\fR and the non standard behaviour of
\&\fBBIO_gets()\fR could be regarded as anomalous. It could be argued that \fBBIO_gets()\fR
and \fBBIO_puts()\fR should be passed to the next \s-1BIO\s0 in the chain and digest
the data passed through and that digests should be retrieved using a
separate \fBBIO_ctrl()\fR call.
.SH "HISTORY"
.IX Header "HISTORY"
Before OpenSSL 1.0.0., the call to \fBBIO_get_md_ctx()\fR would only work if the
\&\s-1BIO\s0 was initialized first.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_f_null.3 b/secure/lib/libcrypto/man/man3/BIO_f_null.3
index aaa013ef3cc6..80c282b3a55f 100644
--- a/secure/lib/libcrypto/man/man3/BIO_f_null.3
+++ b/secure/lib/libcrypto/man/man3/BIO_f_null.3
@@ -1,171 +1,171 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_F_NULL 3"
-.TH BIO_F_NULL 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_F_NULL 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_f_null \- null filter
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& const BIO_METHOD *BIO_f_null(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBIO_f_null()\fR returns the null filter \s-1BIO\s0 method. This is a filter \s-1BIO\s0
that does nothing.
.PP
All requests to a null filter \s-1BIO\s0 are passed through to the next \s-1BIO\s0 in
the chain: this means that a \s-1BIO\s0 chain containing a null filter \s-1BIO\s0
behaves just as though the \s-1BIO\s0 was not there.
.SH "NOTES"
.IX Header "NOTES"
As may be apparent a null filter \s-1BIO\s0 is not particularly useful.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_f_null()\fR returns the null filter \s-1BIO\s0 method.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_f_ssl.3 b/secure/lib/libcrypto/man/man3/BIO_f_ssl.3
index 7bcea1459971..81399a452724 100644
--- a/secure/lib/libcrypto/man/man3/BIO_f_ssl.3
+++ b/secure/lib/libcrypto/man/man3/BIO_f_ssl.3
@@ -1,429 +1,429 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_F_SSL 3"
-.TH BIO_F_SSL 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_F_SSL 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_do_handshake, BIO_f_ssl, BIO_set_ssl, BIO_get_ssl, BIO_set_ssl_mode, BIO_set_ssl_renegotiate_bytes, BIO_get_num_renegotiates, BIO_set_ssl_renegotiate_timeout, BIO_new_ssl, BIO_new_ssl_connect, BIO_new_buffer_ssl_connect, BIO_ssl_copy_session_id, BIO_ssl_shutdown \- SSL BIO
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 2
\& #include <openssl/bio.h>
\& #include <openssl/ssl.h>
\&
\& const BIO_METHOD *BIO_f_ssl(void);
\&
\& long BIO_set_ssl(BIO *b, SSL *ssl, long c);
\& long BIO_get_ssl(BIO *b, SSL **sslp);
\& long BIO_set_ssl_mode(BIO *b, long client);
\& long BIO_set_ssl_renegotiate_bytes(BIO *b, long num);
\& long BIO_set_ssl_renegotiate_timeout(BIO *b, long seconds);
\& long BIO_get_num_renegotiates(BIO *b);
\&
\& BIO *BIO_new_ssl(SSL_CTX *ctx, int client);
\& BIO *BIO_new_ssl_connect(SSL_CTX *ctx);
\& BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx);
\& int BIO_ssl_copy_session_id(BIO *to, BIO *from);
\& void BIO_ssl_shutdown(BIO *bio);
\&
\& long BIO_do_handshake(BIO *b);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBIO_f_ssl()\fR returns the \s-1SSL BIO\s0 method. This is a filter \s-1BIO\s0 which
is a wrapper round the OpenSSL \s-1SSL\s0 routines adding a \s-1BIO\s0 \*(L"flavour\*(R" to
\&\s-1SSL I/O.\s0
.PP
I/O performed on an \s-1SSL BIO\s0 communicates using the \s-1SSL\s0 protocol with
the SSLs read and write BIOs. If an \s-1SSL\s0 connection is not established
then an attempt is made to establish one on the first I/O call.
.PP
If a \s-1BIO\s0 is appended to an \s-1SSL BIO\s0 using \fBBIO_push()\fR it is automatically
used as the \s-1SSL\s0 BIOs read and write BIOs.
.PP
Calling \fBBIO_reset()\fR on an \s-1SSL BIO\s0 closes down any current \s-1SSL\s0 connection
by calling \fBSSL_shutdown()\fR. \fBBIO_reset()\fR is then sent to the next \s-1BIO\s0 in
the chain: this will typically disconnect the underlying transport.
The \s-1SSL BIO\s0 is then reset to the initial accept or connect state.
.PP
If the close flag is set when an \s-1SSL BIO\s0 is freed then the internal
\&\s-1SSL\s0 structure is also freed using \fBSSL_free()\fR.
.PP
\&\fBBIO_set_ssl()\fR sets the internal \s-1SSL\s0 pointer of \s-1SSL BIO\s0 \fBb\fR to \fBssl\fR using
the close flag \fBc\fR.
.PP
\&\fBBIO_get_ssl()\fR retrieves the \s-1SSL\s0 pointer of \s-1SSL BIO\s0 \fBb\fR, it can then be
manipulated using the standard \s-1SSL\s0 library functions.
.PP
\&\fBBIO_set_ssl_mode()\fR sets the \s-1SSL BIO\s0 mode to \fBclient\fR. If \fBclient\fR
is 1 client mode is set. If \fBclient\fR is 0 server mode is set.
.PP
\&\fBBIO_set_ssl_renegotiate_bytes()\fR sets the renegotiate byte count of \s-1SSL BIO\s0 \fBb\fR
to \fBnum\fR. When set after every \fBnum\fR bytes of I/O (read and write)
the \s-1SSL\s0 session is automatically renegotiated. \fBnum\fR must be at
least 512 bytes.
.PP
\&\fBBIO_set_ssl_renegotiate_timeout()\fR sets the renegotiate timeout of \s-1SSL BIO\s0 \fBb\fR
to \fBseconds\fR.
When the renegotiate timeout elapses the session is automatically renegotiated.
.PP
\&\fBBIO_get_num_renegotiates()\fR returns the total number of session
renegotiations due to I/O or timeout of \s-1SSL BIO\s0 \fBb\fR.
.PP
\&\fBBIO_new_ssl()\fR allocates an \s-1SSL BIO\s0 using \s-1SSL_CTX\s0 \fBctx\fR and using
client mode if \fBclient\fR is non zero.
.PP
\&\fBBIO_new_ssl_connect()\fR creates a new \s-1BIO\s0 chain consisting of an
\&\s-1SSL BIO\s0 (using \fBctx\fR) followed by a connect \s-1BIO.\s0
.PP
\&\fBBIO_new_buffer_ssl_connect()\fR creates a new \s-1BIO\s0 chain consisting
of a buffering \s-1BIO,\s0 an \s-1SSL BIO\s0 (using \fBctx\fR), and a connect \s-1BIO.\s0
.PP
\&\fBBIO_ssl_copy_session_id()\fR copies an \s-1SSL\s0 session id between
\&\s-1BIO\s0 chains \fBfrom\fR and \fBto\fR. It does this by locating the
\&\s-1SSL\s0 BIOs in each chain and calling \fBSSL_copy_session_id()\fR on
the internal \s-1SSL\s0 pointer.
.PP
\&\fBBIO_ssl_shutdown()\fR closes down an \s-1SSL\s0 connection on \s-1BIO\s0
chain \fBbio\fR. It does this by locating the \s-1SSL BIO\s0 in the
chain and calling \fBSSL_shutdown()\fR on its internal \s-1SSL\s0
pointer.
.PP
\&\fBBIO_do_handshake()\fR attempts to complete an \s-1SSL\s0 handshake on the
supplied \s-1BIO\s0 and establish the \s-1SSL\s0 connection. It returns 1
if the connection was established successfully. A zero or negative
value is returned if the connection could not be established, the
call \fBBIO_should_retry()\fR should be used for non blocking connect BIOs
to determine if the call should be retried. If an \s-1SSL\s0 connection has
already been established this call has no effect.
.SH "NOTES"
.IX Header "NOTES"
\&\s-1SSL\s0 BIOs are exceptional in that if the underlying transport
is non blocking they can still request a retry in exceptional
circumstances. Specifically this will happen if a session
renegotiation takes place during a \fBBIO_read_ex()\fR operation, one
case where this happens is when step up occurs.
.PP
The \s-1SSL\s0 flag \s-1SSL_AUTO_RETRY\s0 can be
set to disable this behaviour. That is when this flag is set
an \s-1SSL BIO\s0 using a blocking transport will never request a
retry.
.PP
Since unknown \fBBIO_ctrl()\fR operations are sent through filter
BIOs the servers name and port can be set using \fBBIO_set_host()\fR
on the \s-1BIO\s0 returned by \fBBIO_new_ssl_connect()\fR without having
to locate the connect \s-1BIO\s0 first.
.PP
Applications do not have to call \fBBIO_do_handshake()\fR but may wish
to do so to separate the handshake process from other I/O
processing.
.PP
\&\fBBIO_set_ssl()\fR, \fBBIO_get_ssl()\fR, \fBBIO_set_ssl_mode()\fR,
\&\fBBIO_set_ssl_renegotiate_bytes()\fR, \fBBIO_set_ssl_renegotiate_timeout()\fR,
\&\fBBIO_get_num_renegotiates()\fR, and \fBBIO_do_handshake()\fR are implemented as macros.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_f_ssl()\fR returns the \s-1SSL\s0 \fB\s-1BIO_METHOD\s0\fR structure.
.PP
\&\fBBIO_set_ssl()\fR, \fBBIO_get_ssl()\fR, \fBBIO_set_ssl_mode()\fR, \fBBIO_set_ssl_renegotiate_bytes()\fR,
\&\fBBIO_set_ssl_renegotiate_timeout()\fR and \fBBIO_get_num_renegotiates()\fR return 1 on
success or a value which is less than or equal to 0 if an error occurred.
.PP
\&\fBBIO_new_ssl()\fR, \fBBIO_new_ssl_connect()\fR and \fBBIO_new_buffer_ssl_connect()\fR return
a valid \fB\s-1BIO\s0\fR structure on success or \fB\s-1NULL\s0\fR if an error occurred.
.PP
\&\fBBIO_ssl_copy_session_id()\fR returns 1 on success or 0 on error.
.PP
\&\fBBIO_do_handshake()\fR returns 1 if the connection was established successfully.
A zero or negative value is returned if the connection could not be established.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
This \s-1SSL/TLS\s0 client example attempts to retrieve a page from an
\&\s-1SSL/TLS\s0 web server. The I/O routines are identical to those of the
unencrypted example in \fBBIO_s_connect\fR\|(3).
.PP
.Vb 5
\& BIO *sbio, *out;
\& int len;
\& char tmpbuf[1024];
\& SSL_CTX *ctx;
\& SSL *ssl;
\&
\& /* XXX Seed the PRNG if needed. */
\&
\& ctx = SSL_CTX_new(TLS_client_method());
\&
\& /* XXX Set verify paths and mode here. */
\&
\& sbio = BIO_new_ssl_connect(ctx);
\& BIO_get_ssl(sbio, &ssl);
\& if (ssl == NULL) {
\& fprintf(stderr, "Can\*(Aqt locate SSL pointer\en");
\& ERR_print_errors_fp(stderr);
\& exit(1);
\& }
\&
\& /* Don\*(Aqt want any retries */
\& SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
\&
\& /* XXX We might want to do other things with ssl here */
\&
\& /* An empty host part means the loopback address */
\& BIO_set_conn_hostname(sbio, ":https");
\&
\& out = BIO_new_fp(stdout, BIO_NOCLOSE);
\& if (BIO_do_connect(sbio) <= 0) {
\& fprintf(stderr, "Error connecting to server\en");
\& ERR_print_errors_fp(stderr);
\& exit(1);
\& }
\&
\& /* XXX Could examine ssl here to get connection info */
\&
\& BIO_puts(sbio, "GET / HTTP/1.0\en\en");
\& for (;;) {
\& len = BIO_read(sbio, tmpbuf, 1024);
\& if (len <= 0)
\& break;
\& BIO_write(out, tmpbuf, len);
\& }
\& BIO_free_all(sbio);
\& BIO_free(out);
.Ve
.PP
Here is a simple server example. It makes use of a buffering
\&\s-1BIO\s0 to allow lines to be read from the \s-1SSL BIO\s0 using BIO_gets.
It creates a pseudo web page containing the actual request from
a client and also echoes the request to standard output.
.PP
.Vb 5
\& BIO *sbio, *bbio, *acpt, *out;
\& int len;
\& char tmpbuf[1024];
\& SSL_CTX *ctx;
\& SSL *ssl;
\&
\& /* XXX Seed the PRNG if needed. */
\&
\& ctx = SSL_CTX_new(TLS_server_method());
\& if (!SSL_CTX_use_certificate_file(ctx, "server.pem", SSL_FILETYPE_PEM)
\& || !SSL_CTX_use_PrivateKey_file(ctx, "server.pem", SSL_FILETYPE_PEM)
\& || !SSL_CTX_check_private_key(ctx)) {
\& fprintf(stderr, "Error setting up SSL_CTX\en");
\& ERR_print_errors_fp(stderr);
\& exit(1);
\& }
\&
\& /* XXX Other things like set verify locations, EDH temp callbacks. */
\&
\& /* New SSL BIO setup as server */
\& sbio = BIO_new_ssl(ctx, 0);
\& BIO_get_ssl(sbio, &ssl);
\& if (ssl == NULL) {
\& fprintf(stderr, "Can\*(Aqt locate SSL pointer\en");
\& ERR_print_errors_fp(stderr);
\& exit(1);
\& }
\&
\& SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
\& bbio = BIO_new(BIO_f_buffer());
\& sbio = BIO_push(bbio, sbio);
\& acpt = BIO_new_accept("4433");
\&
\& /*
\& * By doing this when a new connection is established
\& * we automatically have sbio inserted into it. The
\& * BIO chain is now \*(Aqswallowed\*(Aq by the accept BIO and
\& * will be freed when the accept BIO is freed.
\& */
\& BIO_set_accept_bios(acpt, sbio);
\& out = BIO_new_fp(stdout, BIO_NOCLOSE);
\&
\& /* Setup accept BIO */
\& if (BIO_do_accept(acpt) <= 0) {
\& fprintf(stderr, "Error setting up accept BIO\en");
\& ERR_print_errors_fp(stderr);
\& exit(1);
\& }
\&
\& /* We only want one connection so remove and free accept BIO */
\& sbio = BIO_pop(acpt);
\& BIO_free_all(acpt);
\&
\& if (BIO_do_handshake(sbio) <= 0) {
\& fprintf(stderr, "Error in SSL handshake\en");
\& ERR_print_errors_fp(stderr);
\& exit(1);
\& }
\&
\& BIO_puts(sbio, "HTTP/1.0 200 OK\er\enContent\-type: text/plain\er\en\er\en");
\& BIO_puts(sbio, "\er\enConnection Established\er\enRequest headers:\er\en");
\& BIO_puts(sbio, "\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\er\en");
\&
\& for (;;) {
\& len = BIO_gets(sbio, tmpbuf, 1024);
\& if (len <= 0)
\& break;
\& BIO_write(sbio, tmpbuf, len);
\& BIO_write(out, tmpbuf, len);
\& /* Look for blank line signifying end of headers*/
\& if (tmpbuf[0] == \*(Aq\er\*(Aq || tmpbuf[0] == \*(Aq\en\*(Aq)
\& break;
\& }
\&
\& BIO_puts(sbio, "\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\er\en");
\& BIO_puts(sbio, "\er\en");
\& BIO_flush(sbio);
\& BIO_free_all(sbio);
.Ve
.SH "HISTORY"
.IX Header "HISTORY"
In OpenSSL before 1.0.0 the \fBBIO_pop()\fR call was handled incorrectly,
the I/O \s-1BIO\s0 reference count was incorrectly incremented (instead of
decremented) and dissociated with the \s-1SSL BIO\s0 even if the \s-1SSL BIO\s0 was not
explicitly being popped (e.g. a pop higher up the chain). Applications which
included workarounds for this bug (e.g. freeing BIOs more than once) should
be modified to handle this fix or they may free up an already freed \s-1BIO.\s0
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_find_type.3 b/secure/lib/libcrypto/man/man3/BIO_find_type.3
index 1e6f6ca5fa42..20050a8e3024 100644
--- a/secure/lib/libcrypto/man/man3/BIO_find_type.3
+++ b/secure/lib/libcrypto/man/man3/BIO_find_type.3
@@ -1,203 +1,203 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_FIND_TYPE 3"
-.TH BIO_FIND_TYPE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_FIND_TYPE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_find_type, BIO_next, BIO_method_type \- BIO chain traversal
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& BIO *BIO_find_type(BIO *b, int bio_type);
\& BIO *BIO_next(BIO *b);
\& int BIO_method_type(const BIO *b);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBBIO_find_type()\fR searches for a \s-1BIO\s0 of a given type in a chain, starting
at \s-1BIO\s0 \fBb\fR. If \fBtype\fR is a specific type (such as \fB\s-1BIO_TYPE_MEM\s0\fR) then a search
is made for a \s-1BIO\s0 of that type. If \fBtype\fR is a general type (such as
\&\fB\s-1BIO_TYPE_SOURCE_SINK\s0\fR) then the next matching \s-1BIO\s0 of the given general type is
searched for. \fBBIO_find_type()\fR returns the next matching \s-1BIO\s0 or \s-1NULL\s0 if none is
found.
.PP
The following general types are defined:
\&\fB\s-1BIO_TYPE_DESCRIPTOR\s0\fR, \fB\s-1BIO_TYPE_FILTER\s0\fR, and \fB\s-1BIO_TYPE_SOURCE_SINK\s0\fR.
.PP
For a list of the specific types, see the \fBopenssl/bio.h\fR header file.
.PP
\&\fBBIO_next()\fR returns the next \s-1BIO\s0 in a chain. It can be used to traverse all BIOs
in a chain or used in conjunction with \fBBIO_find_type()\fR to find all BIOs of a
certain type.
.PP
\&\fBBIO_method_type()\fR returns the type of a \s-1BIO.\s0
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_find_type()\fR returns a matching \s-1BIO\s0 or \s-1NULL\s0 for no match.
.PP
\&\fBBIO_next()\fR returns the next \s-1BIO\s0 in a chain.
.PP
\&\fBBIO_method_type()\fR returns the type of the \s-1BIO\s0 \fBb\fR.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Traverse a chain looking for digest BIOs:
.PP
.Vb 1
\& BIO *btmp;
\&
\& btmp = in_bio; /* in_bio is chain to search through */
\& do {
\& btmp = BIO_find_type(btmp, BIO_TYPE_MD);
\& if (btmp == NULL)
\& break; /* Not found */
\& /* btmp is a digest BIO, do something with it ...*/
\& ...
\&
\& btmp = BIO_next(btmp);
\& } while (btmp);
.Ve
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_get_data.3 b/secure/lib/libcrypto/man/man3/BIO_get_data.3
index 0b31fb767515..8fef702fb0bc 100644
--- a/secure/lib/libcrypto/man/man3/BIO_get_data.3
+++ b/secure/lib/libcrypto/man/man3/BIO_get_data.3
@@ -1,195 +1,195 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_GET_DATA 3"
-.TH BIO_GET_DATA 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_GET_DATA 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_set_data, BIO_get_data, BIO_set_init, BIO_get_init, BIO_set_shutdown, BIO_get_shutdown \- functions for managing BIO state information
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& void BIO_set_data(BIO *a, void *ptr);
\& void *BIO_get_data(BIO *a);
\& void BIO_set_init(BIO *a, int init);
\& int BIO_get_init(BIO *a);
\& void BIO_set_shutdown(BIO *a, int shut);
\& int BIO_get_shutdown(BIO *a);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions are mainly useful when implementing a custom \s-1BIO.\s0
.PP
The \fBBIO_set_data()\fR function associates the custom data pointed to by \fBptr\fR with
the \s-1BIO.\s0 This data can subsequently be retrieved via a call to \fBBIO_get_data()\fR.
This can be used by custom BIOs for storing implementation specific information.
.PP
The \fBBIO_set_init()\fR function sets the value of the \s-1BIO\s0's \*(L"init\*(R" flag to indicate
whether initialisation has been completed for this \s-1BIO\s0 or not. A nonzero value
indicates that initialisation is complete, whilst zero indicates that it is not.
Often initialisation will complete during initial construction of the \s-1BIO.\s0 For
some BIOs however, initialisation may not complete until after additional steps
have occurred (for example through calling custom ctrls). The \fBBIO_get_init()\fR
function returns the value of the \*(L"init\*(R" flag.
.PP
The \fBBIO_set_shutdown()\fR and \fBBIO_get_shutdown()\fR functions set and get the state of
this \s-1BIO\s0's shutdown (i.e. \s-1BIO_CLOSE\s0) flag. If set then the underlying resource
is also closed when the \s-1BIO\s0 is freed.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_get_data()\fR returns a pointer to the implementation specific custom data
associated with this \s-1BIO,\s0 or \s-1NULL\s0 if none has been set.
.PP
\&\fBBIO_get_init()\fR returns the state of the \s-1BIO\s0's init flag.
.PP
\&\fBBIO_get_shutdown()\fR returns the stat of the \s-1BIO\s0's shutdown (i.e. \s-1BIO_CLOSE\s0) flag.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
bio, BIO_meth_new
.SH "HISTORY"
.IX Header "HISTORY"
The functions described here were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_get_ex_new_index.3 b/secure/lib/libcrypto/man/man3/BIO_get_ex_new_index.3
index d5c0a54f0e35..d90717a659a1 100644
--- a/secure/lib/libcrypto/man/man3/BIO_get_ex_new_index.3
+++ b/secure/lib/libcrypto/man/man3/BIO_get_ex_new_index.3
@@ -1,191 +1,191 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_GET_EX_NEW_INDEX 3"
-.TH BIO_GET_EX_NEW_INDEX 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_GET_EX_NEW_INDEX 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_get_ex_new_index, BIO_set_ex_data, BIO_get_ex_data, ENGINE_get_ex_new_index, ENGINE_set_ex_data, ENGINE_get_ex_data, UI_get_ex_new_index, UI_set_ex_data, UI_get_ex_data, X509_get_ex_new_index, X509_set_ex_data, X509_get_ex_data, X509_STORE_get_ex_new_index, X509_STORE_set_ex_data, X509_STORE_get_ex_data, X509_STORE_CTX_get_ex_new_index, X509_STORE_CTX_set_ex_data, X509_STORE_CTX_get_ex_data, DH_get_ex_new_index, DH_set_ex_data, DH_get_ex_data, DSA_get_ex_new_index, DSA_set_ex_data, DSA_get_ex_data, ECDH_get_ex_new_index, ECDH_set_ex_data, ECDH_get_ex_data, EC_KEY_get_ex_new_index, EC_KEY_set_ex_data, EC_KEY_get_ex_data, RSA_get_ex_new_index, RSA_set_ex_data, RSA_get_ex_data \&\- application\-specific data
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& int TYPE_get_ex_new_index(long argl, void *argp,
\& CRYPTO_EX_new *new_func,
\& CRYPTO_EX_dup *dup_func,
\& CRYPTO_EX_free *free_func);
\&
\& int TYPE_set_ex_data(TYPE *d, int idx, void *arg);
\&
\& void *TYPE_get_ex_data(TYPE *d, int idx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
In the description here, \fI\s-1TYPE\s0\fR is used a placeholder
for any of the OpenSSL datatypes listed in
\&\fBCRYPTO_get_ex_new_index\fR\|(3).
.PP
These functions handle application-specific data for OpenSSL data
structures.
.PP
\&\fBTYPE_get_ex_new_index()\fR is a macro that calls \fBCRYPTO_get_ex_new_index()\fR
with the correct \fBindex\fR value.
.PP
\&\fBTYPE_set_ex_data()\fR is a function that calls \fBCRYPTO_set_ex_data()\fR with
an offset into the opaque exdata part of the \s-1TYPE\s0 object.
.PP
\&\fBTYPE_get_ex_data()\fR is a function that calls \fBCRYPTO_get_ex_data()\fR with
an offset into the opaque exdata part of the \s-1TYPE\s0 object.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBTYPE_get_ex_new_index()\fR returns a new index on success or \-1 on error.
.PP
\&\fBTYPE_set_ex_data()\fR returns 1 on success or 0 on error.
.PP
\&\fBTYPE_get_ex_data()\fR returns the application data or \s-1NULL\s0 if an error occurred.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBCRYPTO_get_ex_new_index\fR\|(3).
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_meth_new.3 b/secure/lib/libcrypto/man/man3/BIO_meth_new.3
index e8c5c605a81b..81e13b5bd73e 100644
--- a/secure/lib/libcrypto/man/man3/BIO_meth_new.3
+++ b/secure/lib/libcrypto/man/man3/BIO_meth_new.3
@@ -1,288 +1,288 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_METH_NEW 3"
-.TH BIO_METH_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_METH_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_get_new_index, BIO_meth_new, BIO_meth_free, BIO_meth_get_read_ex, BIO_meth_set_read_ex, BIO_meth_get_write_ex, BIO_meth_set_write_ex, BIO_meth_get_write, BIO_meth_set_write, BIO_meth_get_read, BIO_meth_set_read, BIO_meth_get_puts, BIO_meth_set_puts, BIO_meth_get_gets, BIO_meth_set_gets, BIO_meth_get_ctrl, BIO_meth_set_ctrl, BIO_meth_get_create, BIO_meth_set_create, BIO_meth_get_destroy, BIO_meth_set_destroy, BIO_meth_get_callback_ctrl, BIO_meth_set_callback_ctrl \- Routines to build up BIO methods
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& int BIO_get_new_index(void);
\&
\& BIO_METHOD *BIO_meth_new(int type, const char *name);
\&
\& void BIO_meth_free(BIO_METHOD *biom);
\&
\& int (*BIO_meth_get_write_ex(const BIO_METHOD *biom))(BIO *, const char *, size_t,
\& size_t *);
\& int (*BIO_meth_get_write(const BIO_METHOD *biom))(BIO *, const char *, int);
\& int BIO_meth_set_write_ex(BIO_METHOD *biom,
\& int (*bwrite)(BIO *, const char *, size_t, size_t *));
\& int BIO_meth_set_write(BIO_METHOD *biom,
\& int (*write)(BIO *, const char *, int));
\&
\& int (*BIO_meth_get_read_ex(const BIO_METHOD *biom))(BIO *, char *, size_t, size_t *);
\& int (*BIO_meth_get_read(const BIO_METHOD *biom))(BIO *, char *, int);
\& int BIO_meth_set_read_ex(BIO_METHOD *biom,
\& int (*bread)(BIO *, char *, size_t, size_t *));
\& int BIO_meth_set_read(BIO_METHOD *biom, int (*read)(BIO *, char *, int));
\&
\& int (*BIO_meth_get_puts(const BIO_METHOD *biom))(BIO *, const char *);
\& int BIO_meth_set_puts(BIO_METHOD *biom, int (*puts)(BIO *, const char *));
\&
\& int (*BIO_meth_get_gets(const BIO_METHOD *biom))(BIO *, char *, int);
\& int BIO_meth_set_gets(BIO_METHOD *biom,
\& int (*gets)(BIO *, char *, int));
\&
\& long (*BIO_meth_get_ctrl(const BIO_METHOD *biom))(BIO *, int, long, void *);
\& int BIO_meth_set_ctrl(BIO_METHOD *biom,
\& long (*ctrl)(BIO *, int, long, void *));
\&
\& int (*BIO_meth_get_create(const BIO_METHOD *bion))(BIO *);
\& int BIO_meth_set_create(BIO_METHOD *biom, int (*create)(BIO *));
\&
\& int (*BIO_meth_get_destroy(const BIO_METHOD *biom))(BIO *);
\& int BIO_meth_set_destroy(BIO_METHOD *biom, int (*destroy)(BIO *));
\&
\& long (*BIO_meth_get_callback_ctrl(const BIO_METHOD *biom))(BIO *, int, BIO_info_cb *);
\& int BIO_meth_set_callback_ctrl(BIO_METHOD *biom,
\& long (*callback_ctrl)(BIO *, int, BIO_info_cb *));
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fB\s-1BIO_METHOD\s0\fR type is a structure used for the implementation of new \s-1BIO\s0
types. It provides a set of functions used by OpenSSL for the implementation
of the various \s-1BIO\s0 capabilities. See the bio page for more information.
.PP
\&\fBBIO_meth_new()\fR creates a new \fB\s-1BIO_METHOD\s0\fR structure. It should be given a
unique integer \fBtype\fR and a string that represents its \fBname\fR.
Use \fBBIO_get_new_index()\fR to get the value for \fBtype\fR.
.PP
The set of
standard OpenSSL provided \s-1BIO\s0 types is provided in \fBbio.h\fR. Some examples
include \fB\s-1BIO_TYPE_BUFFER\s0\fR and \fB\s-1BIO_TYPE_CIPHER\s0\fR. Filter BIOs should have a
type which have the \*(L"filter\*(R" bit set (\fB\s-1BIO_TYPE_FILTER\s0\fR). Source/sink BIOs
should have the \*(L"source/sink\*(R" bit set (\fB\s-1BIO_TYPE_SOURCE_SINK\s0\fR). File descriptor
based BIOs (e.g. socket, fd, connect, accept etc) should additionally have the
\&\*(L"descriptor\*(R" bit set (\fB\s-1BIO_TYPE_DESCRIPTOR\s0\fR). See the BIO_find_type page for
more information.
.PP
\&\fBBIO_meth_free()\fR destroys a \fB\s-1BIO_METHOD\s0\fR structure and frees up any memory
associated with it.
.PP
\&\fBBIO_meth_get_write_ex()\fR and \fBBIO_meth_set_write_ex()\fR get and set the function
used for writing arbitrary length data to the \s-1BIO\s0 respectively. This function
will be called in response to the application calling \fBBIO_write_ex()\fR or
\&\fBBIO_write()\fR. The parameters for the function have the same meaning as for
\&\fBBIO_write_ex()\fR. Older code may call \fBBIO_meth_get_write()\fR and
\&\fBBIO_meth_set_write()\fR instead. Applications should not call both
\&\fBBIO_meth_set_write_ex()\fR and \fBBIO_meth_set_write()\fR or call \fBBIO_meth_get_write()\fR
when the function was set with \fBBIO_meth_set_write_ex()\fR.
.PP
\&\fBBIO_meth_get_read_ex()\fR and \fBBIO_meth_set_read_ex()\fR get and set the function used
for reading arbitrary length data from the \s-1BIO\s0 respectively. This function will
be called in response to the application calling \fBBIO_read_ex()\fR or \fBBIO_read()\fR.
The parameters for the function have the same meaning as for \fBBIO_read_ex()\fR.
Older code may call \fBBIO_meth_get_read()\fR and \fBBIO_meth_set_read()\fR instead.
Applications should not call both \fBBIO_meth_set_read_ex()\fR and \fBBIO_meth_set_read()\fR
or call \fBBIO_meth_get_read()\fR when the function was set with
\&\fBBIO_meth_set_read_ex()\fR.
.PP
\&\fBBIO_meth_get_puts()\fR and \fBBIO_meth_set_puts()\fR get and set the function used for
writing a \s-1NULL\s0 terminated string to the \s-1BIO\s0 respectively. This function will be
called in response to the application calling \fBBIO_puts()\fR. The parameters for
the function have the same meaning as for \fBBIO_puts()\fR.
.PP
\&\fBBIO_meth_get_gets()\fR and \fBBIO_meth_set_gets()\fR get and set the function typically
used for reading a line of data from the \s-1BIO\s0 respectively (see the \fBBIO_gets\fR\|(3)
page for more information). This function will be called in response to the
application calling \fBBIO_gets()\fR. The parameters for the function have the same
meaning as for \fBBIO_gets()\fR.
.PP
\&\fBBIO_meth_get_ctrl()\fR and \fBBIO_meth_set_ctrl()\fR get and set the function used for
processing ctrl messages in the \s-1BIO\s0 respectively. See the BIO_ctrl page for
more information. This function will be called in response to the application
calling \fBBIO_ctrl()\fR. The parameters for the function have the same meaning as for
\&\fBBIO_ctrl()\fR.
.PP
\&\fBBIO_meth_get_create()\fR and \fBBIO_meth_set_create()\fR get and set the function used
for creating a new instance of the \s-1BIO\s0 respectively. This function will be
called in response to the application calling \fBBIO_new()\fR and passing
in a pointer to the current \s-1BIO_METHOD.\s0 The \fBBIO_new()\fR function will allocate the
memory for the new \s-1BIO,\s0 and a pointer to this newly allocated structure will
be passed as a parameter to the function.
.PP
\&\fBBIO_meth_get_destroy()\fR and \fBBIO_meth_set_destroy()\fR get and set the function used
for destroying an instance of a \s-1BIO\s0 respectively. This function will be
called in response to the application calling \fBBIO_free()\fR. A pointer to the \s-1BIO\s0
to be destroyed is passed as a parameter. The destroy function should be used
for \s-1BIO\s0 specific clean up. The memory for the \s-1BIO\s0 itself should not be freed by
this function.
.PP
\&\fBBIO_meth_get_callback_ctrl()\fR and \fBBIO_meth_set_callback_ctrl()\fR get and set the
function used for processing callback ctrl messages in the \s-1BIO\s0 respectively. See
the \fBBIO_callback_ctrl\fR\|(3) page for more information. This function will be called
in response to the application calling \fBBIO_callback_ctrl()\fR. The parameters for
the function have the same meaning as for \fBBIO_callback_ctrl()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_get_new_index()\fR returns the new \s-1BIO\s0 type value or \-1 if an error occurred.
.PP
BIO_meth_new(int type, const char *name) returns a valid \fB\s-1BIO_METHOD\s0\fR or \s-1NULL\s0
if an error occurred.
.PP
The \fBBIO_meth_set\fR functions return 1 on success or 0 on error.
.PP
The \fBBIO_meth_get\fR functions return the corresponding function pointers.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
bio, BIO_find_type, BIO_ctrl, BIO_read_ex, BIO_new
.SH "HISTORY"
.IX Header "HISTORY"
The functions described here were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_new.3 b/secure/lib/libcrypto/man/man3/BIO_new.3
index 187b5d764153..b15aa78f8e15 100644
--- a/secure/lib/libcrypto/man/man3/BIO_new.3
+++ b/secure/lib/libcrypto/man/man3/BIO_new.3
@@ -1,202 +1,202 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_NEW 3"
-.TH BIO_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_new, BIO_up_ref, BIO_free, BIO_vfree, BIO_free_all \&\- BIO allocation and freeing functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& BIO * BIO_new(const BIO_METHOD *type);
\& int BIO_up_ref(BIO *a);
\& int BIO_free(BIO *a);
\& void BIO_vfree(BIO *a);
\& void BIO_free_all(BIO *a);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBBIO_new()\fR function returns a new \s-1BIO\s0 using method \fBtype\fR.
.PP
\&\fBBIO_up_ref()\fR increments the reference count associated with the \s-1BIO\s0 object.
.PP
\&\fBBIO_free()\fR frees up a single \s-1BIO,\s0 \fBBIO_vfree()\fR also frees up a single \s-1BIO\s0
but it does not return a value.
If \fBa\fR is \s-1NULL\s0 nothing is done.
Calling \fBBIO_free()\fR may also have some effect
on the underlying I/O structure, for example it may close the file being
referred to under certain circumstances. For more details see the individual
\&\s-1BIO_METHOD\s0 descriptions.
.PP
\&\fBBIO_free_all()\fR frees up an entire \s-1BIO\s0 chain, it does not halt if an error
occurs freeing up an individual \s-1BIO\s0 in the chain.
If \fBa\fR is \s-1NULL\s0 nothing is done.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_new()\fR returns a newly created \s-1BIO\s0 or \s-1NULL\s0 if the call fails.
.PP
\&\fBBIO_up_ref()\fR and \fBBIO_free()\fR return 1 for success and 0 for failure.
.PP
\&\fBBIO_free_all()\fR and \fBBIO_vfree()\fR do not return values.
.SH "NOTES"
.IX Header "NOTES"
If \fBBIO_free()\fR is called on a \s-1BIO\s0 chain it will only free one \s-1BIO\s0 resulting
in a memory leak.
.PP
Calling \fBBIO_free_all()\fR on a single \s-1BIO\s0 has the same effect as calling \fBBIO_free()\fR
on it other than the discarded return value.
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBBIO_set()\fR was removed in OpenSSL 1.1.0 as \s-1BIO\s0 type is now opaque.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Create a memory \s-1BIO:\s0
.PP
.Vb 1
\& BIO *mem = BIO_new(BIO_s_mem());
.Ve
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_new_CMS.3 b/secure/lib/libcrypto/man/man3/BIO_new_CMS.3
index f4e069c53c2e..48d670b410d4 100644
--- a/secure/lib/libcrypto/man/man3/BIO_new_CMS.3
+++ b/secure/lib/libcrypto/man/man3/BIO_new_CMS.3
@@ -1,204 +1,204 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_NEW_CMS 3"
-.TH BIO_NEW_CMS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_NEW_CMS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_new_CMS \- CMS streaming filter BIO
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& BIO *BIO_new_CMS(BIO *out, CMS_ContentInfo *cms);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBIO_new_CMS()\fR returns a streaming filter \s-1BIO\s0 chain based on \fBcms\fR. The output
of the filter is written to \fBout\fR. Any data written to the chain is
automatically translated to a \s-1BER\s0 format \s-1CMS\s0 structure of the appropriate type.
.SH "NOTES"
.IX Header "NOTES"
The chain returned by this function behaves like a standard filter \s-1BIO.\s0 It
supports non blocking I/O. Content is processed and streamed on the fly and not
all held in memory at once: so it is possible to encode very large structures.
After all content has been written through the chain \fBBIO_flush()\fR must be called
to finalise the structure.
.PP
The \fB\s-1CMS_STREAM\s0\fR flag must be included in the corresponding \fBflags\fR
parameter of the \fBcms\fR creation function.
.PP
If an application wishes to write additional data to \fBout\fR BIOs should be
removed from the chain using \fBBIO_pop()\fR and freed with \fBBIO_free()\fR until \fBout\fR
is reached. If no additional data needs to be written \fBBIO_free_all()\fR can be
called to free up the whole chain.
.PP
Any content written through the filter is used verbatim: no canonical
translation is performed.
.PP
It is possible to chain multiple BIOs to, for example, create a triple wrapped
signed, enveloped, signed structure. In this case it is the applications
responsibility to set the inner content type of any outer CMS_ContentInfo
structures.
.PP
Large numbers of small writes through the chain should be avoided as this will
produce an output consisting of lots of \s-1OCTET STRING\s0 structures. Prepending
a \fBBIO_f_buffer()\fR buffering \s-1BIO\s0 will prevent this.
.SH "BUGS"
.IX Header "BUGS"
There is currently no corresponding inverse \s-1BIO:\s0 i.e. one which can decode
a \s-1CMS\s0 structure on the fly.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_new_CMS()\fR returns a \s-1BIO\s0 chain when successful or \s-1NULL\s0 if an error
occurred. The error can be obtained from \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_sign\fR\|(3),
\&\fBCMS_encrypt\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBBIO_new_CMS()\fR function was added in OpenSSL 1.0.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_parse_hostserv.3 b/secure/lib/libcrypto/man/man3/BIO_parse_hostserv.3
index 4a3e3463651a..816ebb8eaa82 100644
--- a/secure/lib/libcrypto/man/man3/BIO_parse_hostserv.3
+++ b/secure/lib/libcrypto/man/man3/BIO_parse_hostserv.3
@@ -1,212 +1,212 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_PARSE_HOSTSERV 3"
-.TH BIO_PARSE_HOSTSERV 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_PARSE_HOSTSERV 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_hostserv_priorities, BIO_parse_hostserv \&\- utility routines to parse a standard host and service string
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& enum BIO_hostserv_priorities {
\& BIO_PARSE_PRIO_HOST, BIO_PARSE_PRIO_SERV
\& };
\& int BIO_parse_hostserv(const char *hostserv, char **host, char **service,
\& enum BIO_hostserv_priorities hostserv_prio);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBIO_parse_hostserv()\fR will parse the information given in \fBhostserv\fR,
create strings with the hostname and service name and give those
back via \fBhost\fR and \fBservice\fR. Those will need to be freed after
they are used. \fBhostserv_prio\fR helps determine if \fBhostserv\fR shall
be interpreted primarily as a hostname or a service name in ambiguous
cases.
.PP
The syntax the \fBBIO_parse_hostserv()\fR recognises is:
.PP
.Vb 7
\& host + \*(Aq:\*(Aq + service
\& host + \*(Aq:\*(Aq + \*(Aq*\*(Aq
\& host + \*(Aq:\*(Aq
\& \*(Aq:\*(Aq + service
\& \*(Aq*\*(Aq + \*(Aq:\*(Aq + service
\& host
\& service
.Ve
.PP
The host part can be a name or an \s-1IP\s0 address. If it's a IPv6
address, it \s-1MUST\s0 be enclosed in brackets, such as '[::1]'.
.PP
The service part can be a service name or its port number.
.PP
The returned values will depend on the given \fBhostserv\fR string
and \fBhostserv_prio\fR, as follows:
.PP
.Vb 5
\& host + \*(Aq:\*(Aq + service => *host = "host", *service = "service"
\& host + \*(Aq:\*(Aq + \*(Aq*\*(Aq => *host = "host", *service = NULL
\& host + \*(Aq:\*(Aq => *host = "host", *service = NULL
\& \*(Aq:\*(Aq + service => *host = NULL, *service = "service"
\& \*(Aq*\*(Aq + \*(Aq:\*(Aq + service => *host = NULL, *service = "service"
\&
\& in case no \*(Aq:\*(Aq is present in the string, the result depends on
\& hostserv_prio, as follows:
\&
\& when hostserv_prio == BIO_PARSE_PRIO_HOST
\& host => *host = "host", *service untouched
\&
\& when hostserv_prio == BIO_PARSE_PRIO_SERV
\& service => *host untouched, *service = "service"
.Ve
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_parse_hostserv()\fR returns 1 on success or 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\s-1\fBBIO_ADDRINFO\s0\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_printf.3 b/secure/lib/libcrypto/man/man3/BIO_printf.3
index 70700fc046f2..4fd175cccc11 100644
--- a/secure/lib/libcrypto/man/man3/BIO_printf.3
+++ b/secure/lib/libcrypto/man/man3/BIO_printf.3
@@ -1,182 +1,182 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_PRINTF 3"
-.TH BIO_PRINTF 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_PRINTF 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_printf, BIO_vprintf, BIO_snprintf, BIO_vsnprintf \&\- formatted output to a BIO
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& int BIO_printf(BIO *bio, const char *format, ...)
\& int BIO_vprintf(BIO *bio, const char *format, va_list args)
\&
\& int BIO_snprintf(char *buf, size_t n, const char *format, ...)
\& int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args)
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBIO_printf()\fR is similar to the standard C \fBprintf()\fR function, except that
the output is sent to the specified \s-1BIO,\s0 \fBbio\fR, rather than standard
output. All common format specifiers are supported.
.PP
\&\fBBIO_vprintf()\fR is similar to the \fBvprintf()\fR function found on many platforms,
the output is sent to the specified \s-1BIO,\s0 \fBbio\fR, rather than standard
output. All common format specifiers are supported. The argument
list \fBargs\fR is a stdarg argument list.
.PP
\&\fBBIO_snprintf()\fR is for platforms that do not have the common \fBsnprintf()\fR
function. It is like \fBsprintf()\fR except that the size parameter, \fBn\fR,
specifies the size of the output buffer.
.PP
\&\fBBIO_vsnprintf()\fR is to \fBBIO_snprintf()\fR as \fBBIO_vprintf()\fR is to \fBBIO_printf()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All functions return the number of bytes written, or \-1 on error.
For \fBBIO_snprintf()\fR and \fBBIO_vsnprintf()\fR this includes when the output
buffer is too small.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_push.3 b/secure/lib/libcrypto/man/man3/BIO_push.3
index e3bd1391177b..9cd047c80338 100644
--- a/secure/lib/libcrypto/man/man3/BIO_push.3
+++ b/secure/lib/libcrypto/man/man3/BIO_push.3
@@ -1,233 +1,233 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_PUSH 3"
-.TH BIO_PUSH 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_PUSH 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_push, BIO_pop, BIO_set_next \- add and remove BIOs from a chain
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& BIO *BIO_push(BIO *b, BIO *next);
\& BIO *BIO_pop(BIO *b);
\& void BIO_set_next(BIO *b, BIO *next);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBIO_push()\fR pushes \fIb\fR on \fInext\fR.
If \fIb\fR is \s-1NULL\s0 the function does nothing and returns \fInext\fR.
Otherwise it prepends \fIb\fR, which may be a single \s-1BIO\s0 or a chain of BIOs,
to \fInext\fR (unless \fInext\fR is \s-1NULL\s0).
It then makes a control call on \fIb\fR and returns \fIb\fR.
.PP
\&\fBBIO_pop()\fR removes the \s-1BIO\s0 \fIb\fR from any chain is is part of.
If \fIb\fR is \s-1NULL\s0 the function does nothing and returns \s-1NULL.\s0
Otherwise it makes a control call on \fIb\fR and
returns the next \s-1BIO\s0 in the chain, or \s-1NULL\s0 if there is no next \s-1BIO.\s0
The removed \s-1BIO\s0 becomes a single \s-1BIO\s0 with no association with
the original chain, it can thus be freed or be made part of a different chain.
.PP
\&\fBBIO_set_next()\fR replaces the existing next \s-1BIO\s0 in a chain with the \s-1BIO\s0 pointed to
by \fInext\fR. The new chain may include some of the same BIOs from the old chain
or it may be completely different.
.SH "NOTES"
.IX Header "NOTES"
The names of these functions are perhaps a little misleading. \fBBIO_push()\fR
joins two \s-1BIO\s0 chains whereas \fBBIO_pop()\fR deletes a single \s-1BIO\s0 from a chain,
the deleted \s-1BIO\s0 does not need to be at the end of a chain.
.PP
The process of calling \fBBIO_push()\fR and \fBBIO_pop()\fR on a \s-1BIO\s0 may have additional
consequences (a control call is made to the affected BIOs).
Any effects will be noted in the descriptions of individual BIOs.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_push()\fR returns the head of the chain,
which usually is \fIb\fR, or \fInext\fR if \fIb\fR is \s-1NULL.\s0
.PP
\&\fBBIO_pop()\fR returns the next \s-1BIO\s0 in the chain,
or \s-1NULL\s0 if there is no next \s-1BIO.\s0
.SH "EXAMPLES"
.IX Header "EXAMPLES"
For these examples suppose \fImd1\fR and \fImd2\fR are digest BIOs,
\&\fIb64\fR is a base64 \s-1BIO\s0 and \fIf\fR is a file \s-1BIO.\s0
.PP
If the call:
.PP
.Vb 1
\& BIO_push(b64, f);
.Ve
.PP
is made then the new chain will be \fIb64\-f\fR. After making the calls
.PP
.Vb 2
\& BIO_push(md2, b64);
\& BIO_push(md1, md2);
.Ve
.PP
the new chain is \fImd1\-md2\-b64\-f\fR. Data written to \fImd1\fR will be digested
by \fImd1\fR and \fImd2\fR, base64 encoded, and finally written to \fIf\fR.
.PP
It should be noted that reading causes data to pass in the reverse
direction, that is data is read from \fIf\fR, base64 decoded,
and digested by \fImd2\fR and then \fImd1\fR.
.PP
The call:
.PP
.Vb 1
\& BIO_pop(md2);
.Ve
.PP
will return \fIb64\fR and the new chain will be \fImd1\-b64\-f\fR.
Data can be written to and read from \fImd1\fR as before,
except that \fImd2\fR will no more be applied.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
bio
.SH "HISTORY"
.IX Header "HISTORY"
The \fBBIO_set_next()\fR function was added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_read.3 b/secure/lib/libcrypto/man/man3/BIO_read.3
index 9ab1e3457b46..e01f80e30e82 100644
--- a/secure/lib/libcrypto/man/man3/BIO_read.3
+++ b/secure/lib/libcrypto/man/man3/BIO_read.3
@@ -1,226 +1,226 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_READ 3"
-.TH BIO_READ 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_READ 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_read_ex, BIO_write_ex, BIO_read, BIO_write, BIO_gets, BIO_puts \&\- BIO I/O functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& int BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes);
\& int BIO_write_ex(BIO *b, const void *data, size_t dlen, size_t *written);
\&
\& int BIO_read(BIO *b, void *data, int dlen);
\& int BIO_gets(BIO *b, char *buf, int size);
\& int BIO_write(BIO *b, const void *data, int dlen);
\& int BIO_puts(BIO *b, const char *buf);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBIO_read_ex()\fR attempts to read \fBdlen\fR bytes from \s-1BIO\s0 \fBb\fR and places the data
in \fBdata\fR. If any bytes were successfully read then the number of bytes read is
stored in \fB*readbytes\fR.
.PP
\&\fBBIO_write_ex()\fR attempts to write \fBdlen\fR bytes from \fBdata\fR to \s-1BIO\s0 \fBb\fR. If
successful then the number of bytes written is stored in \fB*written\fR.
.PP
\&\fBBIO_read()\fR attempts to read \fBlen\fR bytes from \s-1BIO\s0 \fBb\fR and places
the data in \fBbuf\fR.
.PP
\&\fBBIO_gets()\fR performs the BIOs \*(L"gets\*(R" operation and places the data
in \fBbuf\fR. Usually this operation will attempt to read a line of data
from the \s-1BIO\s0 of maximum length \fBsize\-1\fR. There are exceptions to this,
however; for example, \fBBIO_gets()\fR on a digest \s-1BIO\s0 will calculate and
return the digest and other BIOs may not support \fBBIO_gets()\fR at all.
The returned string is always NUL-terminated and the '\en' is preserved
if present in the input data.
.PP
\&\fBBIO_write()\fR attempts to write \fBlen\fR bytes from \fBbuf\fR to \s-1BIO\s0 \fBb\fR.
.PP
\&\fBBIO_puts()\fR attempts to write a NUL-terminated string \fBbuf\fR to \s-1BIO\s0 \fBb\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_read_ex()\fR and \fBBIO_write_ex()\fR return 1 if data was successfully read or
written, and 0 otherwise.
.PP
All other functions return either the amount of data successfully read or
written (if the return value is positive) or that no data was successfully
read or written if the result is 0 or \-1. If the return value is \-2 then
the operation is not implemented in the specific \s-1BIO\s0 type. The trailing
\&\s-1NUL\s0 is not included in the length returned by \fBBIO_gets()\fR.
.SH "NOTES"
.IX Header "NOTES"
A 0 or \-1 return is not necessarily an indication of an error. In
particular when the source/sink is nonblocking or of a certain type
it may merely be an indication that no data is currently available and that
the application should retry the operation later.
.PP
One technique sometimes used with blocking sockets is to use a system call
(such as \fBselect()\fR, \fBpoll()\fR or equivalent) to determine when data is available
and then call \fBread()\fR to read the data. The equivalent with BIOs (that is call
\&\fBselect()\fR on the underlying I/O structure and then call \fBBIO_read()\fR to
read the data) should \fBnot\fR be used because a single call to \fBBIO_read()\fR
can cause several reads (and writes in the case of \s-1SSL\s0 BIOs) on the underlying
I/O structure and may block as a result. Instead \fBselect()\fR (or equivalent)
should be combined with non blocking I/O so successive reads will request
a retry instead of blocking.
.PP
See \fBBIO_should_retry\fR\|(3) for details of how to
determine the cause of a retry and other I/O issues.
.PP
If the \fBBIO_gets()\fR function is not supported by a \s-1BIO\s0 then it possible to
work around this by adding a buffering \s-1BIO\s0 \fBBIO_f_buffer\fR\|(3)
to the chain.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBBIO_should_retry\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBBIO_gets()\fR on 1.1.0 and older when called on \fBBIO_fd()\fR based \s-1BIO\s0 does not
keep the '\en' at the end of the line in the buffer.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_s_accept.3 b/secure/lib/libcrypto/man/man3/BIO_s_accept.3
index 8aaf11f7ce23..8cb42dd379e6 100644
--- a/secure/lib/libcrypto/man/man3/BIO_s_accept.3
+++ b/secure/lib/libcrypto/man/man3/BIO_s_accept.3
@@ -1,365 +1,365 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_S_ACCEPT 3"
-.TH BIO_S_ACCEPT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_S_ACCEPT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_s_accept, BIO_set_accept_name, BIO_set_accept_port, BIO_get_accept_name, BIO_get_accept_port, BIO_new_accept, BIO_set_nbio_accept, BIO_set_accept_bios, BIO_get_peer_name, BIO_get_peer_port, BIO_get_accept_ip_family, BIO_set_accept_ip_family, BIO_set_bind_mode, BIO_get_bind_mode, BIO_do_accept \- accept BIO
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& const BIO_METHOD *BIO_s_accept(void);
\&
\& long BIO_set_accept_name(BIO *b, char *name);
\& char *BIO_get_accept_name(BIO *b);
\&
\& long BIO_set_accept_port(BIO *b, char *port);
\& char *BIO_get_accept_port(BIO *b);
\&
\& BIO *BIO_new_accept(char *host_port);
\&
\& long BIO_set_nbio_accept(BIO *b, int n);
\& long BIO_set_accept_bios(BIO *b, char *bio);
\&
\& char *BIO_get_peer_name(BIO *b);
\& char *BIO_get_peer_port(BIO *b);
\& long BIO_get_accept_ip_family(BIO *b);
\& long BIO_set_accept_ip_family(BIO *b, long family);
\&
\& long BIO_set_bind_mode(BIO *b, long mode);
\& long BIO_get_bind_mode(BIO *b);
\&
\& int BIO_do_accept(BIO *b);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBIO_s_accept()\fR returns the accept \s-1BIO\s0 method. This is a wrapper
round the platform's \s-1TCP/IP\s0 socket accept routines.
.PP
Using accept BIOs, \s-1TCP/IP\s0 connections can be accepted and data
transferred using only \s-1BIO\s0 routines. In this way any platform
specific operations are hidden by the \s-1BIO\s0 abstraction.
.PP
Read and write operations on an accept \s-1BIO\s0 will perform I/O
on the underlying connection. If no connection is established
and the port (see below) is set up properly then the \s-1BIO\s0
waits for an incoming connection.
.PP
Accept BIOs support \fBBIO_puts()\fR but not \fBBIO_gets()\fR.
.PP
If the close flag is set on an accept \s-1BIO\s0 then any active
connection on that chain is shutdown and the socket closed when
the \s-1BIO\s0 is freed.
.PP
Calling \fBBIO_reset()\fR on an accept \s-1BIO\s0 will close any active
connection and reset the \s-1BIO\s0 into a state where it awaits another
incoming connection.
.PP
\&\fBBIO_get_fd()\fR and \fBBIO_set_fd()\fR can be called to retrieve or set
the accept socket. See \fBBIO_s_fd\fR\|(3)
.PP
\&\fBBIO_set_accept_name()\fR uses the string \fBname\fR to set the accept
name. The name is represented as a string of the form \*(L"host:port\*(R",
where \*(L"host\*(R" is the interface to use and \*(L"port\*(R" is the port.
The host can be \*(L"*\*(R" or empty which is interpreted as meaning
any interface. If the host is an IPv6 address, it has to be
enclosed in brackets, for example \*(L"[::1]:https\*(R". \*(L"port\*(R" has the
same syntax as the port specified in \fBBIO_set_conn_port()\fR for
connect BIOs, that is it can be a numerical port string or a
string to lookup using \fBgetservbyname()\fR and a string table.
.PP
\&\fBBIO_set_accept_port()\fR uses the string \fBport\fR to set the accept
port. \*(L"port\*(R" has the same syntax as the port specified in
\&\fBBIO_set_conn_port()\fR for connect BIOs, that is it can be a numerical
port string or a string to lookup using \fBgetservbyname()\fR and a string
table.
.PP
\&\fBBIO_new_accept()\fR combines \fBBIO_new()\fR and \fBBIO_set_accept_name()\fR into
a single call: that is it creates a new accept \s-1BIO\s0 with port
\&\fBhost_port\fR.
.PP
\&\fBBIO_set_nbio_accept()\fR sets the accept socket to blocking mode
(the default) if \fBn\fR is 0 or non blocking mode if \fBn\fR is 1.
.PP
\&\fBBIO_set_accept_bios()\fR can be used to set a chain of BIOs which
will be duplicated and prepended to the chain when an incoming
connection is received. This is useful if, for example, a
buffering or \s-1SSL BIO\s0 is required for each connection. The
chain of BIOs must not be freed after this call, they will
be automatically freed when the accept \s-1BIO\s0 is freed.
.PP
\&\fBBIO_set_bind_mode()\fR and \fBBIO_get_bind_mode()\fR set and retrieve
the current bind mode. If \fB\s-1BIO_BIND_NORMAL\s0\fR (the default) is set
then another socket cannot be bound to the same port. If
\&\fB\s-1BIO_BIND_REUSEADDR\s0\fR is set then other sockets can bind to the
same port. If \fB\s-1BIO_BIND_REUSEADDR_IF_UNUSED\s0\fR is set then and
attempt is first made to use \s-1BIO_BIN_NORMAL,\s0 if this fails
and the port is not in use then a second attempt is made
using \fB\s-1BIO_BIND_REUSEADDR\s0\fR.
.PP
\&\fBBIO_do_accept()\fR serves two functions. When it is first
called, after the accept \s-1BIO\s0 has been setup, it will attempt
to create the accept socket and bind an address to it. Second
and subsequent calls to \fBBIO_do_accept()\fR will await an incoming
connection, or request a retry in non blocking mode.
.SH "NOTES"
.IX Header "NOTES"
When an accept \s-1BIO\s0 is at the end of a chain it will await an
incoming connection before processing I/O calls. When an accept
\&\s-1BIO\s0 is not at then end of a chain it passes I/O calls to the next
\&\s-1BIO\s0 in the chain.
.PP
When a connection is established a new socket \s-1BIO\s0 is created for
the connection and appended to the chain. That is the chain is now
accept\->socket. This effectively means that attempting I/O on
an initial accept socket will await an incoming connection then
perform I/O on it.
.PP
If any additional BIOs have been set using \fBBIO_set_accept_bios()\fR
then they are placed between the socket and the accept \s-1BIO,\s0
that is the chain will be accept\->otherbios\->socket.
.PP
If a server wishes to process multiple connections (as is normally
the case) then the accept \s-1BIO\s0 must be made available for further
incoming connections. This can be done by waiting for a connection and
then calling:
.PP
.Vb 1
\& connection = BIO_pop(accept);
.Ve
.PP
After this call \fBconnection\fR will contain a \s-1BIO\s0 for the recently
established connection and \fBaccept\fR will now be a single \s-1BIO\s0
again which can be used to await further incoming connections.
If no further connections will be accepted the \fBaccept\fR can
be freed using \fBBIO_free()\fR.
.PP
If only a single connection will be processed it is possible to
perform I/O using the accept \s-1BIO\s0 itself. This is often undesirable
however because the accept \s-1BIO\s0 will still accept additional incoming
connections. This can be resolved by using \fBBIO_pop()\fR (see above)
and freeing up the accept \s-1BIO\s0 after the initial connection.
.PP
If the underlying accept socket is nonblocking and \fBBIO_do_accept()\fR is
called to await an incoming connection it is possible for
\&\fBBIO_should_io_special()\fR with the reason \s-1BIO_RR_ACCEPT.\s0 If this happens
then it is an indication that an accept attempt would block: the application
should take appropriate action to wait until the underlying socket has
accepted a connection and retry the call.
.PP
\&\fBBIO_set_accept_name()\fR, \fBBIO_get_accept_name()\fR, \fBBIO_set_accept_port()\fR,
\&\fBBIO_get_accept_port()\fR, \fBBIO_set_nbio_accept()\fR, \fBBIO_set_accept_bios()\fR,
\&\fBBIO_get_peer_name()\fR, \fBBIO_get_peer_port()\fR,
\&\fBBIO_get_accept_ip_family()\fR, \fBBIO_set_accept_ip_family()\fR,
\&\fBBIO_set_bind_mode()\fR, \fBBIO_get_bind_mode()\fR and \fBBIO_do_accept()\fR are macros.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_do_accept()\fR,
\&\fBBIO_set_accept_name()\fR, \fBBIO_set_accept_port()\fR, \fBBIO_set_nbio_accept()\fR,
\&\fBBIO_set_accept_bios()\fR, \fBBIO_set_accept_ip_family()\fR, and \fBBIO_set_bind_mode()\fR
return 1 for success and 0 or \-1 for failure.
.PP
\&\fBBIO_get_accept_name()\fR returns the accept name or \s-1NULL\s0 on error.
\&\fBBIO_get_peer_name()\fR returns the peer name or \s-1NULL\s0 on error.
.PP
\&\fBBIO_get_accept_port()\fR returns the accept port as a string or \s-1NULL\s0 on error.
\&\fBBIO_get_peer_port()\fR returns the peer port as a string or \s-1NULL\s0 on error.
\&\fBBIO_get_accept_ip_family()\fR returns the \s-1IP\s0 family or \-1 on error.
.PP
\&\fBBIO_get_bind_mode()\fR returns the set of \fB\s-1BIO_BIND\s0\fR flags, or \-1 on failure.
.PP
\&\fBBIO_new_accept()\fR returns a \s-1BIO\s0 or \s-1NULL\s0 on error.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
This example accepts two connections on port 4444, sends messages
down each and finally closes both down.
.PP
.Vb 1
\& BIO *abio, *cbio, *cbio2;
\&
\& /* First call to BIO_accept() sets up accept BIO */
\& abio = BIO_new_accept("4444");
\& if (BIO_do_accept(abio) <= 0) {
\& fprintf(stderr, "Error setting up accept\en");
\& ERR_print_errors_fp(stderr);
\& exit(1);
\& }
\&
\& /* Wait for incoming connection */
\& if (BIO_do_accept(abio) <= 0) {
\& fprintf(stderr, "Error accepting connection\en");
\& ERR_print_errors_fp(stderr);
\& exit(1);
\& }
\& fprintf(stderr, "Connection 1 established\en");
\&
\& /* Retrieve BIO for connection */
\& cbio = BIO_pop(abio);
\& BIO_puts(cbio, "Connection 1: Sending out Data on initial connection\en");
\& fprintf(stderr, "Sent out data on connection 1\en");
\&
\& /* Wait for another connection */
\& if (BIO_do_accept(abio) <= 0) {
\& fprintf(stderr, "Error accepting connection\en");
\& ERR_print_errors_fp(stderr);
\& exit(1);
\& }
\& fprintf(stderr, "Connection 2 established\en");
\&
\& /* Close accept BIO to refuse further connections */
\& cbio2 = BIO_pop(abio);
\& BIO_free(abio);
\& BIO_puts(cbio2, "Connection 2: Sending out Data on second\en");
\& fprintf(stderr, "Sent out data on connection 2\en");
\&
\& BIO_puts(cbio, "Connection 1: Second connection established\en");
\&
\& /* Close the two established connections */
\& BIO_free(cbio);
\& BIO_free(cbio2);
.Ve
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_s_bio.3 b/secure/lib/libcrypto/man/man3/BIO_s_bio.3
index be93a17f9363..79b59d1a59b1 100644
--- a/secure/lib/libcrypto/man/man3/BIO_s_bio.3
+++ b/secure/lib/libcrypto/man/man3/BIO_s_bio.3
@@ -1,329 +1,329 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_S_BIO 3"
-.TH BIO_S_BIO 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_S_BIO 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_s_bio, BIO_make_bio_pair, BIO_destroy_bio_pair, BIO_shutdown_wr, BIO_set_write_buf_size, BIO_get_write_buf_size, BIO_new_bio_pair, BIO_get_write_guarantee, BIO_ctrl_get_write_guarantee, BIO_get_read_request, BIO_ctrl_get_read_request, BIO_ctrl_reset_read_request \- BIO pair BIO
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& const BIO_METHOD *BIO_s_bio(void);
\&
\& int BIO_make_bio_pair(BIO *b1, BIO *b2);
\& int BIO_destroy_bio_pair(BIO *b);
\& int BIO_shutdown_wr(BIO *b);
\&
\& int BIO_set_write_buf_size(BIO *b, long size);
\& size_t BIO_get_write_buf_size(BIO *b, long size);
\&
\& int BIO_new_bio_pair(BIO **bio1, size_t writebuf1, BIO **bio2, size_t writebuf2);
\&
\& int BIO_get_write_guarantee(BIO *b);
\& size_t BIO_ctrl_get_write_guarantee(BIO *b);
\& int BIO_get_read_request(BIO *b);
\& size_t BIO_ctrl_get_read_request(BIO *b);
\& int BIO_ctrl_reset_read_request(BIO *b);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBIO_s_bio()\fR returns the method for a \s-1BIO\s0 pair. A \s-1BIO\s0 pair is a pair of source/sink
BIOs where data written to either half of the pair is buffered and can be read from
the other half. Both halves must usually by handled by the same application thread
since no locking is done on the internal data structures.
.PP
Since \s-1BIO\s0 chains typically end in a source/sink \s-1BIO\s0 it is possible to make this
one half of a \s-1BIO\s0 pair and have all the data processed by the chain under application
control.
.PP
One typical use of \s-1BIO\s0 pairs is to place \s-1TLS/SSL I/O\s0 under application control, this
can be used when the application wishes to use a non standard transport for
\&\s-1TLS/SSL\s0 or the normal socket routines are inappropriate.
.PP
Calls to \fBBIO_read_ex()\fR will read data from the buffer or request a retry if no
data is available.
.PP
Calls to \fBBIO_write_ex()\fR will place data in the buffer or request a retry if the
buffer is full.
.PP
The standard calls \fBBIO_ctrl_pending()\fR and \fBBIO_ctrl_wpending()\fR can be used to
determine the amount of pending data in the read or write buffer.
.PP
\&\fBBIO_reset()\fR clears any data in the write buffer.
.PP
\&\fBBIO_make_bio_pair()\fR joins two separate BIOs into a connected pair.
.PP
\&\fBBIO_destroy_pair()\fR destroys the association between two connected BIOs. Freeing
up any half of the pair will automatically destroy the association.
.PP
\&\fBBIO_shutdown_wr()\fR is used to close down a \s-1BIO\s0 \fBb\fR. After this call no further
writes on \s-1BIO\s0 \fBb\fR are allowed (they will return an error). Reads on the other
half of the pair will return any pending data or \s-1EOF\s0 when all pending data has
been read.
.PP
\&\fBBIO_set_write_buf_size()\fR sets the write buffer size of \s-1BIO\s0 \fBb\fR to \fBsize\fR.
If the size is not initialized a default value is used. This is currently
17K, sufficient for a maximum size \s-1TLS\s0 record.
.PP
\&\fBBIO_get_write_buf_size()\fR returns the size of the write buffer.
.PP
\&\fBBIO_new_bio_pair()\fR combines the calls to \fBBIO_new()\fR, \fBBIO_make_bio_pair()\fR and
\&\fBBIO_set_write_buf_size()\fR to create a connected pair of BIOs \fBbio1\fR, \fBbio2\fR
with write buffer sizes \fBwritebuf1\fR and \fBwritebuf2\fR. If either size is
zero then the default size is used. \fBBIO_new_bio_pair()\fR does not check whether
\&\fBbio1\fR or \fBbio2\fR do point to some other \s-1BIO,\s0 the values are overwritten,
\&\fBBIO_free()\fR is not called.
.PP
\&\fBBIO_get_write_guarantee()\fR and \fBBIO_ctrl_get_write_guarantee()\fR return the maximum
length of data that can be currently written to the \s-1BIO.\s0 Writes larger than this
value will return a value from \fBBIO_write_ex()\fR less than the amount requested or
if the buffer is full request a retry. \fBBIO_ctrl_get_write_guarantee()\fR is a
function whereas \fBBIO_get_write_guarantee()\fR is a macro.
.PP
\&\fBBIO_get_read_request()\fR and \fBBIO_ctrl_get_read_request()\fR return the
amount of data requested, or the buffer size if it is less, if the
last read attempt at the other half of the \s-1BIO\s0 pair failed due to an
empty buffer. This can be used to determine how much data should be
written to the \s-1BIO\s0 so the next read will succeed: this is most useful
in \s-1TLS/SSL\s0 applications where the amount of data read is usually
meaningful rather than just a buffer size. After a successful read
this call will return zero. It also will return zero once new data
has been written satisfying the read request or part of it.
Note that \fBBIO_get_read_request()\fR never returns an amount larger
than that returned by \fBBIO_get_write_guarantee()\fR.
.PP
\&\fBBIO_ctrl_reset_read_request()\fR can also be used to reset the value returned by
\&\fBBIO_get_read_request()\fR to zero.
.SH "NOTES"
.IX Header "NOTES"
Both halves of a \s-1BIO\s0 pair should be freed. That is even if one half is implicit
freed due to a \fBBIO_free_all()\fR or \fBSSL_free()\fR call the other half needs to be freed.
.PP
When used in bidirectional applications (such as \s-1TLS/SSL\s0) care should be taken to
flush any data in the write buffer. This can be done by calling \fBBIO_pending()\fR
on the other half of the pair and, if any data is pending, reading it and sending
it to the underlying transport. This must be done before any normal processing
(such as calling \fBselect()\fR ) due to a request and \fBBIO_should_read()\fR being true.
.PP
To see why this is important consider a case where a request is sent using
\&\fBBIO_write_ex()\fR and a response read with \fBBIO_read_ex()\fR, this can occur during an
\&\s-1TLS/SSL\s0 handshake for example. \fBBIO_write_ex()\fR will succeed and place data in the
write buffer. \fBBIO_read_ex()\fR will initially fail and \fBBIO_should_read()\fR will be
true. If the application then waits for data to be available on the underlying
transport before flushing the write buffer it will never succeed because the
request was never sent!
.PP
\&\fBBIO_eof()\fR is true if no data is in the peer \s-1BIO\s0 and the peer \s-1BIO\s0 has been
shutdown.
.PP
\&\fBBIO_make_bio_pair()\fR, \fBBIO_destroy_bio_pair()\fR, \fBBIO_shutdown_wr()\fR,
\&\fBBIO_set_write_buf_size()\fR, \fBBIO_get_write_buf_size()\fR,
\&\fBBIO_get_write_guarantee()\fR, and \fBBIO_get_read_request()\fR are implemented
as macros.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_new_bio_pair()\fR returns 1 on success, with the new BIOs available in
\&\fBbio1\fR and \fBbio2\fR, or 0 on failure, with \s-1NULL\s0 pointers stored into the
locations for \fBbio1\fR and \fBbio2\fR. Check the error stack for more information.
.PP
[\s-1XXXXX:\s0 More return values need to be added here]
.SH "EXAMPLES"
.IX Header "EXAMPLES"
The \s-1BIO\s0 pair can be used to have full control over the network access of an
application. The application can call \fBselect()\fR on the socket as required
without having to go through the SSL-interface.
.PP
.Vb 1
\& BIO *internal_bio, *network_bio;
\&
\& ...
\& BIO_new_bio_pair(&internal_bio, 0, &network_bio, 0);
\& SSL_set_bio(ssl, internal_bio, internal_bio);
\& SSL_operations(); /* e.g. SSL_read and SSL_write */
\& ...
\&
\& application | TLS\-engine
\& | |
\& +\-\-\-\-\-\-\-\-\-\-> SSL_operations()
\& | /\e ||
\& | || \e/
\& | BIO\-pair (internal_bio)
\& | BIO\-pair (network_bio)
\& | || /\e
\& | \e/ ||
\& +\-\-\-\-\-\-\-\-\-\-\-< BIO_operations()
\& | |
\& | |
\& socket
\&
\& ...
\& SSL_free(ssl); /* implicitly frees internal_bio */
\& BIO_free(network_bio);
\& ...
.Ve
.PP
As the \s-1BIO\s0 pair will only buffer the data and never directly access the
connection, it behaves nonblocking and will return as soon as the write
buffer is full or the read buffer is drained. Then the application has to
flush the write buffer and/or fill the read buffer.
.PP
Use the \fBBIO_ctrl_pending()\fR, to find out whether data is buffered in the \s-1BIO\s0
and must be transferred to the network. Use \fBBIO_ctrl_get_read_request()\fR to
find out, how many bytes must be written into the buffer before the
\&\fBSSL_operation()\fR can successfully be continued.
.SH "WARNINGS"
.IX Header "WARNINGS"
As the data is buffered, \fBSSL_operation()\fR may return with an \s-1ERROR_SSL_WANT_READ\s0
condition, but there is still data in the write buffer. An application must
not rely on the error value of \fBSSL_operation()\fR but must assure that the
write buffer is always flushed first. Otherwise a deadlock may occur as
the peer might be waiting for the data before being able to continue.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_set_bio\fR\|(3), \fBssl\fR\|(7), \fBbio\fR\|(7),
\&\fBBIO_should_retry\fR\|(3), \fBBIO_read_ex\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_s_connect.3 b/secure/lib/libcrypto/man/man3/BIO_s_connect.3
index cec561ac8c13..d86cc3bab7f0 100644
--- a/secure/lib/libcrypto/man/man3/BIO_s_connect.3
+++ b/secure/lib/libcrypto/man/man3/BIO_s_connect.3
@@ -1,338 +1,338 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_S_CONNECT 3"
-.TH BIO_S_CONNECT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_S_CONNECT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_set_conn_address, BIO_get_conn_address, BIO_s_connect, BIO_new_connect, BIO_set_conn_hostname, BIO_set_conn_port, BIO_set_conn_ip_family, BIO_get_conn_ip_family, BIO_get_conn_hostname, BIO_get_conn_port, BIO_set_nbio, BIO_do_connect \- connect BIO
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& const BIO_METHOD * BIO_s_connect(void);
\&
\& BIO *BIO_new_connect(char *name);
\&
\& long BIO_set_conn_hostname(BIO *b, char *name);
\& long BIO_set_conn_port(BIO *b, char *port);
\& long BIO_set_conn_address(BIO *b, BIO_ADDR *addr);
\& long BIO_set_conn_ip_family(BIO *b, long family);
\& const char *BIO_get_conn_hostname(BIO *b);
\& const char *BIO_get_conn_port(BIO *b);
\& const BIO_ADDR *BIO_get_conn_address(BIO *b);
\& const long BIO_get_conn_ip_family(BIO *b);
\&
\& long BIO_set_nbio(BIO *b, long n);
\&
\& int BIO_do_connect(BIO *b);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBIO_s_connect()\fR returns the connect \s-1BIO\s0 method. This is a wrapper
round the platform's \s-1TCP/IP\s0 socket connection routines.
.PP
Using connect BIOs, \s-1TCP/IP\s0 connections can be made and data
transferred using only \s-1BIO\s0 routines. In this way any platform
specific operations are hidden by the \s-1BIO\s0 abstraction.
.PP
Read and write operations on a connect \s-1BIO\s0 will perform I/O
on the underlying connection. If no connection is established
and the port and hostname (see below) is set up properly then
a connection is established first.
.PP
Connect BIOs support \fBBIO_puts()\fR but not \fBBIO_gets()\fR.
.PP
If the close flag is set on a connect \s-1BIO\s0 then any active
connection is shutdown and the socket closed when the \s-1BIO\s0
is freed.
.PP
Calling \fBBIO_reset()\fR on a connect \s-1BIO\s0 will close any active
connection and reset the \s-1BIO\s0 into a state where it can connect
to the same host again.
.PP
\&\fBBIO_get_fd()\fR places the underlying socket in \fBc\fR if it is not \s-1NULL,\s0
it also returns the socket . If \fBc\fR is not \s-1NULL\s0 it should be of
type (int *).
.PP
\&\fBBIO_set_conn_hostname()\fR uses the string \fBname\fR to set the hostname.
The hostname can be an \s-1IP\s0 address; if the address is an IPv6 one, it
must be enclosed with brackets. The hostname can also include the
port in the form hostname:port.
.PP
\&\fBBIO_set_conn_port()\fR sets the port to \fBport\fR. \fBport\fR can be the
numerical form or a string such as \*(L"http\*(R". A string will be looked
up first using \fBgetservbyname()\fR on the host platform but if that
fails a standard table of port names will be used. This internal
list is http, telnet, socks, https, ssl, ftp, and gopher.
.PP
\&\fBBIO_set_conn_address()\fR sets the address and port information using
a \s-1\fBBIO_ADDR\s0\fR\|(3ssl).
.PP
\&\fBBIO_set_conn_ip_family()\fR sets the \s-1IP\s0 family.
.PP
\&\fBBIO_get_conn_hostname()\fR returns the hostname of the connect \s-1BIO\s0 or
\&\s-1NULL\s0 if the \s-1BIO\s0 is initialized but no hostname is set.
This return value is an internal pointer which should not be modified.
.PP
\&\fBBIO_get_conn_port()\fR returns the port as a string.
This return value is an internal pointer which should not be modified.
.PP
\&\fBBIO_get_conn_address()\fR returns the address information as a \s-1BIO_ADDR.\s0
This return value is an internal pointer which should not be modified.
.PP
\&\fBBIO_get_conn_ip_family()\fR returns the \s-1IP\s0 family of the connect \s-1BIO.\s0
.PP
\&\fBBIO_set_nbio()\fR sets the non blocking I/O flag to \fBn\fR. If \fBn\fR is
zero then blocking I/O is set. If \fBn\fR is 1 then non blocking I/O
is set. Blocking I/O is the default. The call to \fBBIO_set_nbio()\fR
should be made before the connection is established because
non blocking I/O is set during the connect process.
.PP
\&\fBBIO_new_connect()\fR combines \fBBIO_new()\fR and \fBBIO_set_conn_hostname()\fR into
a single call: that is it creates a new connect \s-1BIO\s0 with \fBname\fR.
.PP
\&\fBBIO_do_connect()\fR attempts to connect the supplied \s-1BIO.\s0 It returns 1
if the connection was established successfully. A zero or negative
value is returned if the connection could not be established, the
call \fBBIO_should_retry()\fR should be used for non blocking connect BIOs
to determine if the call should be retried.
.SH "NOTES"
.IX Header "NOTES"
If blocking I/O is set then a non positive return value from any
I/O call is caused by an error condition, although a zero return
will normally mean that the connection was closed.
.PP
If the port name is supplied as part of the hostname then this will
override any value set with \fBBIO_set_conn_port()\fR. This may be undesirable
if the application does not wish to allow connection to arbitrary
ports. This can be avoided by checking for the presence of the ':'
character in the passed hostname and either indicating an error or
truncating the string at that point.
.PP
The values returned by \fBBIO_get_conn_hostname()\fR, \fBBIO_get_conn_address()\fR,
and \fBBIO_get_conn_port()\fR are updated when a connection attempt is made.
Before any connection attempt the values returned are those set by the
application itself.
.PP
Applications do not have to call \fBBIO_do_connect()\fR but may wish to do
so to separate the connection process from other I/O processing.
.PP
If non blocking I/O is set then retries will be requested as appropriate.
.PP
It addition to \fBBIO_should_read()\fR and \fBBIO_should_write()\fR it is also
possible for \fBBIO_should_io_special()\fR to be true during the initial
connection process with the reason \s-1BIO_RR_CONNECT.\s0 If this is returned
then this is an indication that a connection attempt would block,
the application should then take appropriate action to wait until
the underlying socket has connected and retry the call.
.PP
\&\fBBIO_set_conn_hostname()\fR, \fBBIO_set_conn_port()\fR, \fBBIO_get_conn_hostname()\fR,
\&\fBBIO_set_conn_address()\fR, \fBBIO_get_conn_port()\fR, \fBBIO_get_conn_address()\fR,
\&\fBBIO_set_conn_ip_family()\fR, \fBBIO_get_conn_ip_family()\fR,
\&\fBBIO_set_nbio()\fR, and \fBBIO_do_connect()\fR are macros.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_s_connect()\fR returns the connect \s-1BIO\s0 method.
.PP
\&\fBBIO_get_fd()\fR returns the socket or \-1 if the \s-1BIO\s0 has not
been initialized.
.PP
\&\fBBIO_set_conn_address()\fR, \fBBIO_set_conn_port()\fR, and \fBBIO_set_conn_ip_family()\fR
always return 1.
.PP
\&\fBBIO_set_conn_hostname()\fR returns 1 on success and 0 on failure.
.PP
\&\fBBIO_get_conn_address()\fR returns the address information or \s-1NULL\s0 if none
was set.
.PP
\&\fBBIO_get_conn_hostname()\fR returns the connected hostname or \s-1NULL\s0 if
none was set.
.PP
\&\fBBIO_get_conn_ip_family()\fR returns the address family or \-1 if none was set.
.PP
\&\fBBIO_get_conn_port()\fR returns a string representing the connected
port or \s-1NULL\s0 if not set.
.PP
\&\fBBIO_set_nbio()\fR always returns 1.
.PP
\&\fBBIO_do_connect()\fR returns 1 if the connection was successfully
established and 0 or \-1 if the connection failed.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
This is example connects to a webserver on the local host and attempts
to retrieve a page and copy the result to standard output.
.PP
.Vb 3
\& BIO *cbio, *out;
\& int len;
\& char tmpbuf[1024];
\&
\& cbio = BIO_new_connect("localhost:http");
\& out = BIO_new_fp(stdout, BIO_NOCLOSE);
\& if (BIO_do_connect(cbio) <= 0) {
\& fprintf(stderr, "Error connecting to server\en");
\& ERR_print_errors_fp(stderr);
\& exit(1);
\& }
\& BIO_puts(cbio, "GET / HTTP/1.0\en\en");
\& for (;;) {
\& len = BIO_read(cbio, tmpbuf, 1024);
\& if (len <= 0)
\& break;
\& BIO_write(out, tmpbuf, len);
\& }
\& BIO_free(cbio);
\& BIO_free(out);
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\s-1\fBBIO_ADDR\s0\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBBIO_set_conn_int_port()\fR, \fBBIO_get_conn_int_port()\fR, \fBBIO_set_conn_ip()\fR, and \fBBIO_get_conn_ip()\fR
were removed in OpenSSL 1.1.0.
Use \fBBIO_set_conn_address()\fR and \fBBIO_get_conn_address()\fR instead.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_s_fd.3 b/secure/lib/libcrypto/man/man3/BIO_s_fd.3
index 41346d15c8b6..c469da00b616 100644
--- a/secure/lib/libcrypto/man/man3/BIO_s_fd.3
+++ b/secure/lib/libcrypto/man/man3/BIO_s_fd.3
@@ -1,230 +1,230 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_S_FD 3"
-.TH BIO_S_FD 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_S_FD 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_s_fd, BIO_set_fd, BIO_get_fd, BIO_new_fd \- file descriptor BIO
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& const BIO_METHOD *BIO_s_fd(void);
\&
\& int BIO_set_fd(BIO *b, int fd, int c);
\& int BIO_get_fd(BIO *b, int *c);
\&
\& BIO *BIO_new_fd(int fd, int close_flag);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBIO_s_fd()\fR returns the file descriptor \s-1BIO\s0 method. This is a wrapper
round the platforms file descriptor routines such as \fBread()\fR and \fBwrite()\fR.
.PP
\&\fBBIO_read_ex()\fR and \fBBIO_write_ex()\fR read or write the underlying descriptor.
\&\fBBIO_puts()\fR is supported but \fBBIO_gets()\fR is not.
.PP
If the close flag is set then \fBclose()\fR is called on the underlying
file descriptor when the \s-1BIO\s0 is freed.
.PP
\&\fBBIO_reset()\fR attempts to change the file pointer to the start of file
such as by using \fBlseek(fd, 0, 0)\fR.
.PP
\&\fBBIO_seek()\fR sets the file pointer to position \fBofs\fR from start of file
such as by using \fBlseek(fd, ofs, 0)\fR.
.PP
\&\fBBIO_tell()\fR returns the current file position such as by calling
\&\fBlseek(fd, 0, 1)\fR.
.PP
\&\fBBIO_set_fd()\fR sets the file descriptor of \s-1BIO\s0 \fBb\fR to \fBfd\fR and the close
flag to \fBc\fR.
.PP
\&\fBBIO_get_fd()\fR places the file descriptor in \fBc\fR if it is not \s-1NULL,\s0 it also
returns the file descriptor.
.PP
\&\fBBIO_new_fd()\fR returns a file descriptor \s-1BIO\s0 using \fBfd\fR and \fBclose_flag\fR.
.SH "NOTES"
.IX Header "NOTES"
The behaviour of \fBBIO_read_ex()\fR and \fBBIO_write_ex()\fR depends on the behavior of the
platforms \fBread()\fR and \fBwrite()\fR calls on the descriptor. If the underlying
file descriptor is in a non blocking mode then the \s-1BIO\s0 will behave in the
manner described in the \fBBIO_read_ex\fR\|(3) and \fBBIO_should_retry\fR\|(3)
manual pages.
.PP
File descriptor BIOs should not be used for socket I/O. Use socket BIOs
instead.
.PP
\&\fBBIO_set_fd()\fR and \fBBIO_get_fd()\fR are implemented as macros.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_s_fd()\fR returns the file descriptor \s-1BIO\s0 method.
.PP
\&\fBBIO_set_fd()\fR always returns 1.
.PP
\&\fBBIO_get_fd()\fR returns the file descriptor or \-1 if the \s-1BIO\s0 has not
been initialized.
.PP
\&\fBBIO_new_fd()\fR returns the newly allocated \s-1BIO\s0 or \s-1NULL\s0 is an error
occurred.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
This is a file descriptor \s-1BIO\s0 version of \*(L"Hello World\*(R":
.PP
.Vb 1
\& BIO *out;
\&
\& out = BIO_new_fd(fileno(stdout), BIO_NOCLOSE);
\& BIO_printf(out, "Hello World\en");
\& BIO_free(out);
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBBIO_seek\fR\|(3), \fBBIO_tell\fR\|(3),
\&\fBBIO_reset\fR\|(3), \fBBIO_read_ex\fR\|(3),
\&\fBBIO_write_ex\fR\|(3), \fBBIO_puts\fR\|(3),
\&\fBBIO_gets\fR\|(3), \fBBIO_printf\fR\|(3),
\&\fBBIO_set_close\fR\|(3), \fBBIO_get_close\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_s_file.3 b/secure/lib/libcrypto/man/man3/BIO_s_file.3
index 9e6ff641b368..23c5ea5154a1 100644
--- a/secure/lib/libcrypto/man/man3/BIO_s_file.3
+++ b/secure/lib/libcrypto/man/man3/BIO_s_file.3
@@ -1,303 +1,303 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_S_FILE 3"
-.TH BIO_S_FILE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_S_FILE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_s_file, BIO_new_file, BIO_new_fp, BIO_set_fp, BIO_get_fp, BIO_read_filename, BIO_write_filename, BIO_append_filename, BIO_rw_filename \- FILE bio
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& const BIO_METHOD *BIO_s_file(void);
\& BIO *BIO_new_file(const char *filename, const char *mode);
\& BIO *BIO_new_fp(FILE *stream, int flags);
\&
\& BIO_set_fp(BIO *b, FILE *fp, int flags);
\& BIO_get_fp(BIO *b, FILE **fpp);
\&
\& int BIO_read_filename(BIO *b, char *name)
\& int BIO_write_filename(BIO *b, char *name)
\& int BIO_append_filename(BIO *b, char *name)
\& int BIO_rw_filename(BIO *b, char *name)
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBIO_s_file()\fR returns the \s-1BIO\s0 file method. As its name implies it
is a wrapper round the stdio \s-1FILE\s0 structure and it is a
source/sink \s-1BIO.\s0
.PP
Calls to \fBBIO_read_ex()\fR and \fBBIO_write_ex()\fR read and write data to the
underlying stream. \fBBIO_gets()\fR and \fBBIO_puts()\fR are supported on file BIOs.
.PP
\&\fBBIO_flush()\fR on a file \s-1BIO\s0 calls the \fBfflush()\fR function on the wrapped
stream.
.PP
\&\fBBIO_reset()\fR attempts to change the file pointer to the start of file
using fseek(stream, 0, 0).
.PP
\&\fBBIO_seek()\fR sets the file pointer to position \fBofs\fR from start of file
using fseek(stream, ofs, 0).
.PP
\&\fBBIO_eof()\fR calls \fBfeof()\fR.
.PP
Setting the \s-1BIO_CLOSE\s0 flag calls \fBfclose()\fR on the stream when the \s-1BIO\s0
is freed.
.PP
\&\fBBIO_new_file()\fR creates a new file \s-1BIO\s0 with mode \fBmode\fR the meaning
of \fBmode\fR is the same as the stdio function \fBfopen()\fR. The \s-1BIO_CLOSE\s0
flag is set on the returned \s-1BIO.\s0
.PP
\&\fBBIO_new_fp()\fR creates a file \s-1BIO\s0 wrapping \fBstream\fR. Flags can be:
\&\s-1BIO_CLOSE, BIO_NOCLOSE\s0 (the close flag) \s-1BIO_FP_TEXT\s0 (sets the underlying
stream to text mode, default is binary: this only has any effect under
Win32).
.PP
\&\fBBIO_set_fp()\fR sets the fp of a file \s-1BIO\s0 to \fBfp\fR. \fBflags\fR has the same
meaning as in \fBBIO_new_fp()\fR, it is a macro.
.PP
\&\fBBIO_get_fp()\fR retrieves the fp of a file \s-1BIO,\s0 it is a macro.
.PP
\&\fBBIO_seek()\fR is a macro that sets the position pointer to \fBoffset\fR bytes
from the start of file.
.PP
\&\fBBIO_tell()\fR returns the value of the position pointer.
.PP
\&\fBBIO_read_filename()\fR, \fBBIO_write_filename()\fR, \fBBIO_append_filename()\fR and
\&\fBBIO_rw_filename()\fR set the file \s-1BIO\s0 \fBb\fR to use file \fBname\fR for
reading, writing, append or read write respectively.
.SH "NOTES"
.IX Header "NOTES"
When wrapping stdout, stdin or stderr the underlying stream should not
normally be closed so the \s-1BIO_NOCLOSE\s0 flag should be set.
.PP
Because the file \s-1BIO\s0 calls the underlying stdio functions any quirks
in stdio behaviour will be mirrored by the corresponding \s-1BIO.\s0
.PP
On Windows BIO_new_files reserves for the filename argument to be
\&\s-1UTF\-8\s0 encoded. In other words if you have to make it work in multi\-
lingual environment, encode filenames in \s-1UTF\-8.\s0
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_s_file()\fR returns the file \s-1BIO\s0 method.
.PP
\&\fBBIO_new_file()\fR and \fBBIO_new_fp()\fR return a file \s-1BIO\s0 or \s-1NULL\s0 if an error
occurred.
.PP
\&\fBBIO_set_fp()\fR and \fBBIO_get_fp()\fR return 1 for success or 0 for failure
(although the current implementation never return 0).
.PP
\&\fBBIO_seek()\fR returns the same value as the underlying \fBfseek()\fR function:
0 for success or \-1 for failure.
.PP
\&\fBBIO_tell()\fR returns the current file position.
.PP
\&\fBBIO_read_filename()\fR, \fBBIO_write_filename()\fR, \fBBIO_append_filename()\fR and
\&\fBBIO_rw_filename()\fR return 1 for success or 0 for failure.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
File \s-1BIO\s0 \*(L"hello world\*(R":
.PP
.Vb 1
\& BIO *bio_out;
\&
\& bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
\& BIO_printf(bio_out, "Hello World\en");
.Ve
.PP
Alternative technique:
.PP
.Vb 1
\& BIO *bio_out;
\&
\& bio_out = BIO_new(BIO_s_file());
\& if (bio_out == NULL)
\& /* Error */
\& if (!BIO_set_fp(bio_out, stdout, BIO_NOCLOSE))
\& /* Error */
\& BIO_printf(bio_out, "Hello World\en");
.Ve
.PP
Write to a file:
.PP
.Vb 1
\& BIO *out;
\&
\& out = BIO_new_file("filename.txt", "w");
\& if (!out)
\& /* Error */
\& BIO_printf(out, "Hello World\en");
\& BIO_free(out);
.Ve
.PP
Alternative technique:
.PP
.Vb 1
\& BIO *out;
\&
\& out = BIO_new(BIO_s_file());
\& if (out == NULL)
\& /* Error */
\& if (!BIO_write_filename(out, "filename.txt"))
\& /* Error */
\& BIO_printf(out, "Hello World\en");
\& BIO_free(out);
.Ve
.SH "BUGS"
.IX Header "BUGS"
\&\fBBIO_reset()\fR and \fBBIO_seek()\fR are implemented using \fBfseek()\fR on the underlying
stream. The return value for \fBfseek()\fR is 0 for success or \-1 if an error
occurred this differs from other types of \s-1BIO\s0 which will typically return
1 for success and a non positive value if an error occurred.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBBIO_seek\fR\|(3), \fBBIO_tell\fR\|(3),
\&\fBBIO_reset\fR\|(3), \fBBIO_flush\fR\|(3),
\&\fBBIO_read_ex\fR\|(3),
\&\fBBIO_write_ex\fR\|(3), \fBBIO_puts\fR\|(3),
\&\fBBIO_gets\fR\|(3), \fBBIO_printf\fR\|(3),
\&\fBBIO_set_close\fR\|(3), \fBBIO_get_close\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_s_mem.3 b/secure/lib/libcrypto/man/man3/BIO_s_mem.3
index 66dbfab95834..41b04790f3b0 100644
--- a/secure/lib/libcrypto/man/man3/BIO_s_mem.3
+++ b/secure/lib/libcrypto/man/man3/BIO_s_mem.3
@@ -1,297 +1,297 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_S_MEM 3"
-.TH BIO_S_MEM 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_S_MEM 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_s_secmem, BIO_s_mem, BIO_set_mem_eof_return, BIO_get_mem_data, BIO_set_mem_buf, BIO_get_mem_ptr, BIO_new_mem_buf \- memory BIO
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& const BIO_METHOD *BIO_s_mem(void);
\& const BIO_METHOD *BIO_s_secmem(void);
\&
\& BIO_set_mem_eof_return(BIO *b, int v)
\& long BIO_get_mem_data(BIO *b, char **pp)
\& BIO_set_mem_buf(BIO *b, BUF_MEM *bm, int c)
\& BIO_get_mem_ptr(BIO *b, BUF_MEM **pp)
\&
\& BIO *BIO_new_mem_buf(const void *buf, int len);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBIO_s_mem()\fR returns the memory \s-1BIO\s0 method function.
.PP
A memory \s-1BIO\s0 is a source/sink \s-1BIO\s0 which uses memory for its I/O. Data
written to a memory \s-1BIO\s0 is stored in a \s-1BUF_MEM\s0 structure which is extended
as appropriate to accommodate the stored data.
.PP
\&\fBBIO_s_secmem()\fR is like \fBBIO_s_mem()\fR except that the secure heap is used
for buffer storage.
.PP
Any data written to a memory \s-1BIO\s0 can be recalled by reading from it.
Unless the memory \s-1BIO\s0 is read only any data read from it is deleted from
the \s-1BIO.\s0
.PP
Memory BIOs support \fBBIO_gets()\fR and \fBBIO_puts()\fR.
.PP
If the \s-1BIO_CLOSE\s0 flag is set when a memory \s-1BIO\s0 is freed then the underlying
\&\s-1BUF_MEM\s0 structure is also freed.
.PP
Calling \fBBIO_reset()\fR on a read write memory \s-1BIO\s0 clears any data in it if the
flag \s-1BIO_FLAGS_NONCLEAR_RST\s0 is not set, otherwise it just restores the read
pointer to the state it was just after the last write was performed and the
data can be read again. On a read only \s-1BIO\s0 it similarly restores the \s-1BIO\s0 to
its original state and the read only data can be read again.
.PP
\&\fBBIO_eof()\fR is true if no data is in the \s-1BIO.\s0
.PP
\&\fBBIO_ctrl_pending()\fR returns the number of bytes currently stored.
.PP
\&\fBBIO_set_mem_eof_return()\fR sets the behaviour of memory \s-1BIO\s0 \fBb\fR when it is
empty. If the \fBv\fR is zero then an empty memory \s-1BIO\s0 will return \s-1EOF\s0 (that is
it will return zero and BIO_should_retry(b) will be false. If \fBv\fR is non
zero then it will return \fBv\fR when it is empty and it will set the read retry
flag (that is BIO_read_retry(b) is true). To avoid ambiguity with a normal
positive return value \fBv\fR should be set to a negative value, typically \-1.
.PP
\&\fBBIO_get_mem_data()\fR sets *\fBpp\fR to a pointer to the start of the memory BIOs data
and returns the total amount of data available. It is implemented as a macro.
.PP
\&\fBBIO_set_mem_buf()\fR sets the internal \s-1BUF_MEM\s0 structure to \fBbm\fR and sets the
close flag to \fBc\fR, that is \fBc\fR should be either \s-1BIO_CLOSE\s0 or \s-1BIO_NOCLOSE.\s0
It is a macro.
.PP
\&\fBBIO_get_mem_ptr()\fR places the underlying \s-1BUF_MEM\s0 structure in *\fBpp\fR. It is
a macro.
.PP
\&\fBBIO_new_mem_buf()\fR creates a memory \s-1BIO\s0 using \fBlen\fR bytes of data at \fBbuf\fR,
if \fBlen\fR is \-1 then the \fBbuf\fR is assumed to be nul terminated and its
length is determined by \fBstrlen\fR. The \s-1BIO\s0 is set to a read only state and
as a result cannot be written to. This is useful when some data needs to be
made available from a static area of memory in the form of a \s-1BIO.\s0 The
supplied data is read directly from the supplied buffer: it is \fBnot\fR copied
first, so the supplied area of memory must be unchanged until the \s-1BIO\s0 is freed.
.SH "NOTES"
.IX Header "NOTES"
Writes to memory BIOs will always succeed if memory is available: that is
their size can grow indefinitely.
.PP
Every write after partial read (not all data in the memory buffer was read)
to a read write memory \s-1BIO\s0 will have to move the unread data with an internal
copy operation, if a \s-1BIO\s0 contains a lot of data and it is read in small
chunks intertwined with writes the operation can be very slow. Adding
a buffering \s-1BIO\s0 to the chain can speed up the process.
.PP
Calling \fBBIO_set_mem_buf()\fR on a \s-1BIO\s0 created with \fBBIO_new_secmem()\fR will
give undefined results, including perhaps a program crash.
.PP
Switching the memory \s-1BIO\s0 from read write to read only is not supported and
can give undefined results including a program crash. There are two notable
exceptions to the rule. The first one is to assign a static memory buffer
immediately after \s-1BIO\s0 creation and set the \s-1BIO\s0 as read only.
.PP
The other supported sequence is to start with read write \s-1BIO\s0 then temporarily
switch it to read only and call \fBBIO_reset()\fR on the read only \s-1BIO\s0 immediately
before switching it back to read write. Before the \s-1BIO\s0 is freed it must be
switched back to the read write mode.
.PP
Calling \fBBIO_get_mem_ptr()\fR on read only \s-1BIO\s0 will return a \s-1BUF_MEM\s0 that
contains only the remaining data to be read. If the close status of the
\&\s-1BIO\s0 is set to \s-1BIO_NOCLOSE,\s0 before freeing the \s-1BUF_MEM\s0 the data pointer
in it must be set to \s-1NULL\s0 as the data pointer does not point to an
allocated memory.
.PP
Calling \fBBIO_reset()\fR on a read write memory \s-1BIO\s0 with \s-1BIO_FLAGS_NONCLEAR_RST\s0
flag set can have unexpected outcome when the reads and writes to the
\&\s-1BIO\s0 are intertwined. As documented above the \s-1BIO\s0 will be reset to the
state after the last completed write operation. The effects of reads
preceding that write operation cannot be undone.
.PP
Calling \fBBIO_get_mem_ptr()\fR prior to a \fBBIO_reset()\fR call with
\&\s-1BIO_FLAGS_NONCLEAR_RST\s0 set has the same effect as a write operation.
.SH "BUGS"
.IX Header "BUGS"
There should be an option to set the maximum size of a memory \s-1BIO.\s0
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_s_mem()\fR and \fBBIO_s_secmem()\fR return a valid memory \fB\s-1BIO_METHOD\s0\fR structure.
.PP
\&\fBBIO_set_mem_eof_return()\fR, \fBBIO_set_mem_buf()\fR and \fBBIO_get_mem_ptr()\fR
return 1 on success or a value which is less than or equal to 0 if an error occurred.
.PP
\&\fBBIO_get_mem_data()\fR returns the total number of bytes available on success,
0 if b is \s-1NULL,\s0 or a negative value in case of other errors.
.PP
\&\fBBIO_new_mem_buf()\fR returns a valid \fB\s-1BIO\s0\fR structure on success or \s-1NULL\s0 on error.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Create a memory \s-1BIO\s0 and write some data to it:
.PP
.Vb 1
\& BIO *mem = BIO_new(BIO_s_mem());
\&
\& BIO_puts(mem, "Hello World\en");
.Ve
.PP
Create a read only memory \s-1BIO:\s0
.PP
.Vb 2
\& char data[] = "Hello World";
\& BIO *mem = BIO_new_mem_buf(data, \-1);
.Ve
.PP
Extract the \s-1BUF_MEM\s0 structure from a memory \s-1BIO\s0 and then free up the \s-1BIO:\s0
.PP
.Vb 1
\& BUF_MEM *bptr;
\&
\& BIO_get_mem_ptr(mem, &bptr);
\& BIO_set_close(mem, BIO_NOCLOSE); /* So BIO_free() leaves BUF_MEM alone */
\& BIO_free(mem);
.Ve
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_s_null.3 b/secure/lib/libcrypto/man/man3/BIO_s_null.3
index 9ebe208915ed..2651a1c80a9f 100644
--- a/secure/lib/libcrypto/man/man3/BIO_s_null.3
+++ b/secure/lib/libcrypto/man/man3/BIO_s_null.3
@@ -1,176 +1,176 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_S_NULL 3"
-.TH BIO_S_NULL 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_S_NULL 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_s_null \- null data sink
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& const BIO_METHOD *BIO_s_null(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBIO_s_null()\fR returns the null sink \s-1BIO\s0 method. Data written to
the null sink is discarded, reads return \s-1EOF.\s0
.SH "NOTES"
.IX Header "NOTES"
A null sink \s-1BIO\s0 behaves in a similar manner to the Unix /dev/null
device.
.PP
A null bio can be placed on the end of a chain to discard any data
passed through it.
.PP
A null sink is useful if, for example, an application wishes to digest some
data by writing through a digest bio but not send the digested data anywhere.
Since a \s-1BIO\s0 chain must normally include a source/sink \s-1BIO\s0 this can be achieved
by adding a null sink \s-1BIO\s0 to the end of the chain
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_s_null()\fR returns the null sink \s-1BIO\s0 method.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_s_socket.3 b/secure/lib/libcrypto/man/man3/BIO_s_socket.3
index 65a8cb2d2624..c1f2be911bfb 100644
--- a/secure/lib/libcrypto/man/man3/BIO_s_socket.3
+++ b/secure/lib/libcrypto/man/man3/BIO_s_socket.3
@@ -1,186 +1,186 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_S_SOCKET 3"
-.TH BIO_S_SOCKET 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_S_SOCKET 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_s_socket, BIO_new_socket \- socket BIO
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& const BIO_METHOD *BIO_s_socket(void);
\&
\& BIO *BIO_new_socket(int sock, int close_flag);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBIO_s_socket()\fR returns the socket \s-1BIO\s0 method. This is a wrapper
round the platform's socket routines.
.PP
\&\fBBIO_read_ex()\fR and \fBBIO_write_ex()\fR read or write the underlying socket.
\&\fBBIO_puts()\fR is supported but \fBBIO_gets()\fR is not.
.PP
If the close flag is set then the socket is shut down and closed
when the \s-1BIO\s0 is freed.
.PP
\&\fBBIO_new_socket()\fR returns a socket \s-1BIO\s0 using \fBsock\fR and \fBclose_flag\fR.
.SH "NOTES"
.IX Header "NOTES"
Socket BIOs also support any relevant functionality of file descriptor
BIOs.
.PP
The reason for having separate file descriptor and socket BIOs is that on some
platforms sockets are not file descriptors and use distinct I/O routines,
Windows is one such platform. Any code mixing the two will not work on
all platforms.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_s_socket()\fR returns the socket \s-1BIO\s0 method.
.PP
\&\fBBIO_new_socket()\fR returns the newly allocated \s-1BIO\s0 or \s-1NULL\s0 is an error
occurred.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_set_callback.3 b/secure/lib/libcrypto/man/man3/BIO_set_callback.3
index 38b46ce671f9..2f29cef4051d 100644
--- a/secure/lib/libcrypto/man/man3/BIO_set_callback.3
+++ b/secure/lib/libcrypto/man/man3/BIO_set_callback.3
@@ -1,392 +1,392 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_SET_CALLBACK 3"
-.TH BIO_SET_CALLBACK 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_SET_CALLBACK 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_set_callback_ex, BIO_get_callback_ex, BIO_set_callback, BIO_get_callback, BIO_set_callback_arg, BIO_get_callback_arg, BIO_debug_callback, BIO_callback_fn_ex, BIO_callback_fn \&\- BIO callback functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& typedef long (*BIO_callback_fn_ex)(BIO *b, int oper, const char *argp,
\& size_t len, int argi,
\& long argl, int ret, size_t *processed);
\& typedef long (*BIO_callback_fn)(BIO *b, int oper, const char *argp, int argi,
\& long argl, long ret);
\&
\& void BIO_set_callback_ex(BIO *b, BIO_callback_fn_ex callback);
\& BIO_callback_fn_ex BIO_get_callback_ex(const BIO *b);
\&
\& void BIO_set_callback(BIO *b, BIO_callback_fn cb);
\& BIO_callback_fn BIO_get_callback(BIO *b);
\& void BIO_set_callback_arg(BIO *b, char *arg);
\& char *BIO_get_callback_arg(const BIO *b);
\&
\& long BIO_debug_callback(BIO *bio, int cmd, const char *argp, int argi,
\& long argl, long ret);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBIO_set_callback_ex()\fR and \fBBIO_get_callback_ex()\fR set and retrieve the \s-1BIO\s0
callback. The callback is called during most high-level \s-1BIO\s0 operations. It can
be used for debugging purposes to trace operations on a \s-1BIO\s0 or to modify its
operation.
.PP
\&\fBBIO_set_callback()\fR and \fBBIO_get_callback()\fR set and retrieve the old format \s-1BIO\s0
callback. New code should not use these functions, but they are retained for
backwards compatibility. Any callback set via \fBBIO_set_callback_ex()\fR will get
called in preference to any set by \fBBIO_set_callback()\fR.
.PP
\&\fBBIO_set_callback_arg()\fR and \fBBIO_get_callback_arg()\fR are macros which can be
used to set and retrieve an argument for use in the callback.
.PP
\&\fBBIO_debug_callback()\fR is a standard debugging callback which prints
out information relating to each \s-1BIO\s0 operation. If the callback
argument is set it is interpreted as a \s-1BIO\s0 to send the information
to, otherwise stderr is used.
.PP
\&\fBBIO_callback_fn_ex()\fR is the type of the callback function and \fBBIO_callback_fn()\fR
is the type of the old format callback function. The meaning of each argument
is described below:
.IP "\fBb\fR" 4
.IX Item "b"
The \s-1BIO\s0 the callback is attached to is passed in \fBb\fR.
.IP "\fBoper\fR" 4
.IX Item "oper"
\&\fBoper\fR is set to the operation being performed. For some operations
the callback is called twice, once before and once after the actual
operation, the latter case has \fBoper\fR or'ed with \s-1BIO_CB_RETURN.\s0
.IP "\fBlen\fR" 4
.IX Item "len"
The length of the data requested to be read or written. This is only useful if
\&\fBoper\fR is \s-1BIO_CB_READ, BIO_CB_WRITE\s0 or \s-1BIO_CB_GETS.\s0
.IP "\fBargp\fR \fBargi\fR \fBargl\fR" 4
.IX Item "argp argi argl"
The meaning of the arguments \fBargp\fR, \fBargi\fR and \fBargl\fR depends on
the value of \fBoper\fR, that is the operation being performed.
.IP "\fBprocessed\fR" 4
.IX Item "processed"
\&\fBprocessed\fR is a pointer to a location which will be updated with the amount of
data that was actually read or written. Only used for \s-1BIO_CB_READ, BIO_CB_WRITE,
BIO_CB_GETS\s0 and \s-1BIO_CB_PUTS.\s0
.IP "\fBret\fR" 4
.IX Item "ret"
\&\fBret\fR is the return value that would be returned to the
application if no callback were present. The actual value returned
is the return value of the callback itself. In the case of callbacks
called before the actual \s-1BIO\s0 operation 1 is placed in \fBret\fR, if
the return value is not positive it will be immediately returned to
the application and the \s-1BIO\s0 operation will not be performed.
.PP
The callback should normally simply return \fBret\fR when it has
finished processing, unless it specifically wishes to modify the
value returned to the application.
.SH "CALLBACK OPERATIONS"
.IX Header "CALLBACK OPERATIONS"
In the notes below, \fBcallback\fR defers to the actual callback
function that is called.
.IP "\fBBIO_free(b)\fR" 4
.IX Item "BIO_free(b)"
.Vb 1
\& callback_ex(b, BIO_CB_FREE, NULL, 0, 0, 0L, 1L, NULL)
.Ve
.Sp
or
.Sp
.Vb 1
\& callback(b, BIO_CB_FREE, NULL, 0L, 0L, 1L)
.Ve
.Sp
is called before the free operation.
.IP "\fBBIO_read_ex(b, data, dlen, readbytes)\fR" 4
.IX Item "BIO_read_ex(b, data, dlen, readbytes)"
.Vb 1
\& callback_ex(b, BIO_CB_READ, data, dlen, 0, 0L, 1L, NULL)
.Ve
.Sp
or
.Sp
.Vb 1
\& callback(b, BIO_CB_READ, data, dlen, 0L, 1L)
.Ve
.Sp
is called before the read and
.Sp
.Vb 2
\& callback_ex(b, BIO_CB_READ | BIO_CB_RETURN, data, dlen, 0, 0L, retvalue,
\& &readbytes)
.Ve
.Sp
or
.Sp
.Vb 1
\& callback(b, BIO_CB_READ|BIO_CB_RETURN, data, dlen, 0L, retvalue)
.Ve
.Sp
after.
.IP "\fBBIO_write(b, data, dlen, written)\fR" 4
.IX Item "BIO_write(b, data, dlen, written)"
.Vb 1
\& callback_ex(b, BIO_CB_WRITE, data, dlen, 0, 0L, 1L, NULL)
.Ve
.Sp
or
.Sp
.Vb 1
\& callback(b, BIO_CB_WRITE, datat, dlen, 0L, 1L)
.Ve
.Sp
is called before the write and
.Sp
.Vb 2
\& callback_ex(b, BIO_CB_WRITE | BIO_CB_RETURN, data, dlen, 0, 0L, retvalue,
\& &written)
.Ve
.Sp
or
.Sp
.Vb 1
\& callback(b, BIO_CB_WRITE|BIO_CB_RETURN, data, dlen, 0L, retvalue)
.Ve
.Sp
after.
.IP "\fBBIO_gets(b, buf, size)\fR" 4
.IX Item "BIO_gets(b, buf, size)"
.Vb 1
\& callback_ex(b, BIO_CB_GETS, buf, size, 0, 0L, 1, NULL, NULL)
.Ve
.Sp
or
.Sp
.Vb 1
\& callback(b, BIO_CB_GETS, buf, size, 0L, 1L)
.Ve
.Sp
is called before the operation and
.Sp
.Vb 2
\& callback_ex(b, BIO_CB_GETS | BIO_CB_RETURN, buf, size, 0, 0L, retvalue,
\& &readbytes)
.Ve
.Sp
or
.Sp
.Vb 1
\& callback(b, BIO_CB_GETS|BIO_CB_RETURN, buf, size, 0L, retvalue)
.Ve
.Sp
after.
.IP "\fBBIO_puts(b, buf)\fR" 4
.IX Item "BIO_puts(b, buf)"
.Vb 1
\& callback_ex(b, BIO_CB_PUTS, buf, 0, 0, 0L, 1L, NULL);
.Ve
.Sp
or
.Sp
.Vb 1
\& callback(b, BIO_CB_PUTS, buf, 0, 0L, 1L)
.Ve
.Sp
is called before the operation and
.Sp
.Vb 1
\& callback_ex(b, BIO_CB_PUTS | BIO_CB_RETURN, buf, 0, 0, 0L, retvalue, &written)
.Ve
.Sp
or
.Sp
.Vb 1
\& callback(b, BIO_CB_PUTS|BIO_CB_RETURN, buf, 0, 0L, retvalue)
.Ve
.Sp
after.
.IP "\fBBIO_ctrl(\s-1BIO\s0 *b, int cmd, long larg, void *parg)\fR" 4
.IX Item "BIO_ctrl(BIO *b, int cmd, long larg, void *parg)"
.Vb 1
\& callback_ex(b, BIO_CB_CTRL, parg, 0, cmd, larg, 1L, NULL)
.Ve
.Sp
or
.Sp
.Vb 1
\& callback(b, BIO_CB_CTRL, parg, cmd, larg, 1L)
.Ve
.Sp
is called before the call and
.Sp
.Vb 1
\& callback_ex(b, BIO_CB_CTRL | BIO_CB_RETURN, parg, 0, cmd, larg, ret, NULL)
.Ve
.Sp
or
.Sp
.Vb 1
\& callback(b, BIO_CB_CTRL|BIO_CB_RETURN, parg, cmd, larg, ret)
.Ve
.Sp
after.
.Sp
Note: \fBcmd\fR == \fB\s-1BIO_CTRL_SET_CALLBACK\s0\fR is special, because \fBparg\fR is not the
argument of type \fBBIO_info_cb\fR itself. In this case \fBparg\fR is a pointer to
the actual call parameter, see \fBBIO_callback_ctrl\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_get_callback_ex()\fR and \fBBIO_get_callback()\fR return the callback function
previously set by a call to \fBBIO_set_callback_ex()\fR and \fBBIO_set_callback()\fR
respectively.
.PP
\&\fBBIO_get_callback_arg()\fR returns a \fBchar\fR pointer to the value previously set
via a call to \fBBIO_set_callback_arg()\fR.
.PP
\&\fBBIO_debug_callback()\fR returns 1 or \fBret\fR if it's called after specific \s-1BIO\s0
operations.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
The \fBBIO_debug_callback()\fR function is a good example, its source is
in crypto/bio/bio_cb.c
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BIO_should_retry.3 b/secure/lib/libcrypto/man/man3/BIO_should_retry.3
index fb570646a0a4..f47bb67cca6d 100644
--- a/secure/lib/libcrypto/man/man3/BIO_should_retry.3
+++ b/secure/lib/libcrypto/man/man3/BIO_should_retry.3
@@ -1,273 +1,273 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO_SHOULD_RETRY 3"
-.TH BIO_SHOULD_RETRY 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO_SHOULD_RETRY 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BIO_should_read, BIO_should_write, BIO_should_io_special, BIO_retry_type, BIO_should_retry, BIO_get_retry_BIO, BIO_get_retry_reason, BIO_set_retry_reason \- BIO retry functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
\&
\& int BIO_should_read(BIO *b);
\& int BIO_should_write(BIO *b);
\& int BIO_should_io_special(iBIO *b);
\& int BIO_retry_type(BIO *b);
\& int BIO_should_retry(BIO *b);
\&
\& BIO *BIO_get_retry_BIO(BIO *bio, int *reason);
\& int BIO_get_retry_reason(BIO *bio);
\& void BIO_set_retry_reason(BIO *bio, int reason);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions determine why a \s-1BIO\s0 is not able to read or write data.
They will typically be called after a failed \fBBIO_read_ex()\fR or \fBBIO_write_ex()\fR
call.
.PP
\&\fBBIO_should_retry()\fR is true if the call that produced this condition
should then be retried at a later time.
.PP
If \fBBIO_should_retry()\fR is false then the cause is an error condition.
.PP
\&\fBBIO_should_read()\fR is true if the cause of the condition is that the \s-1BIO\s0
has insufficient data to return. Check for readability and/or retry the
last operation.
.PP
\&\fBBIO_should_write()\fR is true if the cause of the condition is that the \s-1BIO\s0
has pending data to write. Check for writability and/or retry the
last operation.
.PP
\&\fBBIO_should_io_special()\fR is true if some \*(L"special\*(R" condition, that is a
reason other than reading or writing is the cause of the condition.
.PP
\&\fBBIO_retry_type()\fR returns a mask of the cause of a retry condition
consisting of the values \fB\s-1BIO_FLAGS_READ\s0\fR, \fB\s-1BIO_FLAGS_WRITE\s0\fR,
\&\fB\s-1BIO_FLAGS_IO_SPECIAL\s0\fR though current \s-1BIO\s0 types will only set one of
these.
.PP
\&\fBBIO_get_retry_BIO()\fR determines the precise reason for the special
condition, it returns the \s-1BIO\s0 that caused this condition and if
\&\fBreason\fR is not \s-1NULL\s0 it contains the reason code. The meaning of
the reason code and the action that should be taken depends on
the type of \s-1BIO\s0 that resulted in this condition.
.PP
\&\fBBIO_get_retry_reason()\fR returns the reason for a special condition if
passed the relevant \s-1BIO,\s0 for example as returned by \fBBIO_get_retry_BIO()\fR.
.PP
\&\fBBIO_set_retry_reason()\fR sets the retry reason for a special condition for a given
\&\s-1BIO.\s0 This would usually only be called by \s-1BIO\s0 implementations.
.SH "NOTES"
.IX Header "NOTES"
\&\fBBIO_should_read()\fR, \fBBIO_should_write()\fR, \fBBIO_should_io_special()\fR,
\&\fBBIO_retry_type()\fR, and \fBBIO_should_retry()\fR, are implemented as macros.
.PP
If \fBBIO_should_retry()\fR returns false then the precise \*(L"error condition\*(R"
depends on the \s-1BIO\s0 type that caused it and the return code of the \s-1BIO\s0
operation. For example if a call to \fBBIO_read_ex()\fR on a socket \s-1BIO\s0 returns
0 and \fBBIO_should_retry()\fR is false then the cause will be that the
connection closed. A similar condition on a file \s-1BIO\s0 will mean that it
has reached \s-1EOF.\s0 Some \s-1BIO\s0 types may place additional information on
the error queue. For more details see the individual \s-1BIO\s0 type manual
pages.
.PP
If the underlying I/O structure is in a blocking mode almost all current
\&\s-1BIO\s0 types will not request a retry, because the underlying I/O
calls will not. If the application knows that the \s-1BIO\s0 type will never
signal a retry then it need not call \fBBIO_should_retry()\fR after a failed
\&\s-1BIO I/O\s0 call. This is typically done with file BIOs.
.PP
\&\s-1SSL\s0 BIOs are the only current exception to this rule: they can request a
retry even if the underlying I/O structure is blocking, if a handshake
occurs during a call to \fBBIO_read()\fR. An application can retry the failed
call immediately or avoid this situation by setting \s-1SSL_MODE_AUTO_RETRY\s0
on the underlying \s-1SSL\s0 structure.
.PP
While an application may retry a failed non blocking call immediately
this is likely to be very inefficient because the call will fail
repeatedly until data can be processed or is available. An application
will normally wait until the necessary condition is satisfied. How
this is done depends on the underlying I/O structure.
.PP
For example if the cause is ultimately a socket and \fBBIO_should_read()\fR
is true then a call to \fBselect()\fR may be made to wait until data is
available and then retry the \s-1BIO\s0 operation. By combining the retry
conditions of several non blocking BIOs in a single \fBselect()\fR call
it is possible to service several BIOs in a single thread, though
the performance may be poor if \s-1SSL\s0 BIOs are present because long delays
can occur during the initial handshake process.
.PP
It is possible for a \s-1BIO\s0 to block indefinitely if the underlying I/O
structure cannot process or return any data. This depends on the behaviour of
the platforms I/O functions. This is often not desirable: one solution
is to use non blocking I/O and use a timeout on the \fBselect()\fR (or
equivalent) call.
.SH "BUGS"
.IX Header "BUGS"
The OpenSSL \s-1ASN1\s0 functions cannot gracefully deal with non blocking I/O:
that is they cannot retry after a partial read or write. This is usually
worked around by only passing the relevant data to \s-1ASN1\s0 functions when
the entire structure can be read or written.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBIO_should_read()\fR, \fBBIO_should_write()\fR, \fBBIO_should_io_special()\fR, and
\&\fBBIO_should_retry()\fR return either 1 or 0 based on the actual conditions
of the \fB\s-1BIO\s0\fR.
.PP
\&\fBBIO_retry_type()\fR returns a flag combination presenting the cause of a retry
condition or false if there is no retry condition.
.PP
\&\fBBIO_get_retry_BIO()\fR returns a valid \fB\s-1BIO\s0\fR structure.
.PP
\&\fBBIO_get_retry_reason()\fR returns the reason for a special condition.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
bio
.SH "HISTORY"
.IX Header "HISTORY"
The \fBBIO_get_retry_reason()\fR and \fBBIO_set_retry_reason()\fR functions were added in
OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_BLINDING_new.3 b/secure/lib/libcrypto/man/man3/BN_BLINDING_new.3
index d7728180d005..0e7b9aacb13d 100644
--- a/secure/lib/libcrypto/man/man3/BN_BLINDING_new.3
+++ b/secure/lib/libcrypto/man/man3/BN_BLINDING_new.3
@@ -1,254 +1,254 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_BLINDING_NEW 3"
-.TH BN_BLINDING_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BN_BLINDING_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BN_BLINDING_new, BN_BLINDING_free, BN_BLINDING_update, BN_BLINDING_convert, BN_BLINDING_invert, BN_BLINDING_convert_ex, BN_BLINDING_invert_ex, BN_BLINDING_is_current_thread, BN_BLINDING_set_current_thread, BN_BLINDING_lock, BN_BLINDING_unlock, BN_BLINDING_get_flags, BN_BLINDING_set_flags, BN_BLINDING_create_param \- blinding related BIGNUM functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
\&
\& BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai,
\& BIGNUM *mod);
\& void BN_BLINDING_free(BN_BLINDING *b);
\& int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx);
\& int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
\& int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
\& int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b,
\& BN_CTX *ctx);
\& int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b,
\& BN_CTX *ctx);
\& int BN_BLINDING_is_current_thread(BN_BLINDING *b);
\& void BN_BLINDING_set_current_thread(BN_BLINDING *b);
\& int BN_BLINDING_lock(BN_BLINDING *b);
\& int BN_BLINDING_unlock(BN_BLINDING *b);
\& unsigned long BN_BLINDING_get_flags(const BN_BLINDING *);
\& void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long);
\& BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
\& const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
\& int (*bn_mod_exp)(BIGNUM *r,
\& const BIGNUM *a,
\& const BIGNUM *p,
\& const BIGNUM *m,
\& BN_CTX *ctx,
\& BN_MONT_CTX *m_ctx),
\& BN_MONT_CTX *m_ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBN_BLINDING_new()\fR allocates a new \fB\s-1BN_BLINDING\s0\fR structure and copies
the \fBA\fR and \fBAi\fR values into the newly created \fB\s-1BN_BLINDING\s0\fR object.
.PP
\&\fBBN_BLINDING_free()\fR frees the \fB\s-1BN_BLINDING\s0\fR structure.
If \fBb\fR is \s-1NULL,\s0 nothing is done.
.PP
\&\fBBN_BLINDING_update()\fR updates the \fB\s-1BN_BLINDING\s0\fR parameters by squaring
the \fBA\fR and \fBAi\fR or, after specific number of uses and if the
necessary parameters are set, by re-creating the blinding parameters.
.PP
\&\fBBN_BLINDING_convert_ex()\fR multiplies \fBn\fR with the blinding factor \fBA\fR.
If \fBr\fR is not \s-1NULL\s0 a copy the inverse blinding factor \fBAi\fR will be
returned in \fBr\fR (this is useful if a \fB\s-1RSA\s0\fR object is shared among
several threads). \fBBN_BLINDING_invert_ex()\fR multiplies \fBn\fR with the
inverse blinding factor \fBAi\fR. If \fBr\fR is not \s-1NULL\s0 it will be used as
the inverse blinding.
.PP
\&\fBBN_BLINDING_convert()\fR and \fBBN_BLINDING_invert()\fR are wrapper
functions for \fBBN_BLINDING_convert_ex()\fR and \fBBN_BLINDING_invert_ex()\fR
with \fBr\fR set to \s-1NULL.\s0
.PP
\&\fBBN_BLINDING_is_current_thread()\fR returns whether the \fB\s-1BN_BLINDING\s0\fR
structure is owned by the current thread. This is to help users
provide proper locking if needed for multi-threaded use.
.PP
\&\fBBN_BLINDING_set_current_thread()\fR sets the current thread as the
owner of the \fB\s-1BN_BLINDING\s0\fR structure.
.PP
\&\fBBN_BLINDING_lock()\fR locks the \fB\s-1BN_BLINDING\s0\fR structure.
.PP
\&\fBBN_BLINDING_unlock()\fR unlocks the \fB\s-1BN_BLINDING\s0\fR structure.
.PP
\&\fBBN_BLINDING_get_flags()\fR returns the \s-1BN_BLINDING\s0 flags. Currently
there are two supported flags: \fB\s-1BN_BLINDING_NO_UPDATE\s0\fR and
\&\fB\s-1BN_BLINDING_NO_RECREATE\s0\fR. \fB\s-1BN_BLINDING_NO_UPDATE\s0\fR inhibits the
automatic update of the \fB\s-1BN_BLINDING\s0\fR parameters after each use
and \fB\s-1BN_BLINDING_NO_RECREATE\s0\fR inhibits the automatic re-creation
of the \fB\s-1BN_BLINDING\s0\fR parameters after a fixed number of uses (currently
32). In newly allocated \fB\s-1BN_BLINDING\s0\fR objects no flags are set.
\&\fBBN_BLINDING_set_flags()\fR sets the \fB\s-1BN_BLINDING\s0\fR parameters flags.
.PP
\&\fBBN_BLINDING_create_param()\fR creates new \fB\s-1BN_BLINDING\s0\fR parameters
using the exponent \fBe\fR and the modulus \fBm\fR. \fBbn_mod_exp\fR and
\&\fBm_ctx\fR can be used to pass special functions for exponentiation
(normally \fBBN_mod_exp_mont()\fR and \fB\s-1BN_MONT_CTX\s0\fR).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBN_BLINDING_new()\fR returns the newly allocated \fB\s-1BN_BLINDING\s0\fR structure
or \s-1NULL\s0 in case of an error.
.PP
\&\fBBN_BLINDING_update()\fR, \fBBN_BLINDING_convert()\fR, \fBBN_BLINDING_invert()\fR,
\&\fBBN_BLINDING_convert_ex()\fR and \fBBN_BLINDING_invert_ex()\fR return 1 on
success and 0 if an error occurred.
.PP
\&\fBBN_BLINDING_is_current_thread()\fR returns 1 if the current thread owns
the \fB\s-1BN_BLINDING\s0\fR object, 0 otherwise.
.PP
\&\fBBN_BLINDING_set_current_thread()\fR doesn't return anything.
.PP
\&\fBBN_BLINDING_lock()\fR, \fBBN_BLINDING_unlock()\fR return 1 if the operation
succeeded or 0 on error.
.PP
\&\fBBN_BLINDING_get_flags()\fR returns the currently set \fB\s-1BN_BLINDING\s0\fR flags
(a \fBunsigned long\fR value).
.PP
\&\fBBN_BLINDING_create_param()\fR returns the newly created \fB\s-1BN_BLINDING\s0\fR
parameters or \s-1NULL\s0 on error.
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBBN_BLINDING_thread_id()\fR was first introduced in OpenSSL 1.0.0, and it
deprecates \fBBN_BLINDING_set_thread_id()\fR and \fBBN_BLINDING_get_thread_id()\fR.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2005\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_CTX_new.3 b/secure/lib/libcrypto/man/man3/BN_CTX_new.3
index 85a4e8712f35..e5cab85637b7 100644
--- a/secure/lib/libcrypto/man/man3/BN_CTX_new.3
+++ b/secure/lib/libcrypto/man/man3/BN_CTX_new.3
@@ -1,213 +1,213 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_CTX_NEW 3"
-.TH BN_CTX_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BN_CTX_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BN_CTX_new, BN_CTX_secure_new, BN_CTX_free \- allocate and free BN_CTX structures
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
\&
\& BN_CTX *BN_CTX_new(void);
\&
\& BN_CTX *BN_CTX_secure_new(void);
\&
\& void BN_CTX_free(BN_CTX *c);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
A \fB\s-1BN_CTX\s0\fR is a structure that holds \fB\s-1BIGNUM\s0\fR temporary variables used by
library functions. Since dynamic memory allocation to create \fB\s-1BIGNUM\s0\fRs
is rather expensive when used in conjunction with repeated subroutine
calls, the \fB\s-1BN_CTX\s0\fR structure is used.
.PP
\&\fBBN_CTX_new()\fR allocates and initializes a \fB\s-1BN_CTX\s0\fR structure.
\&\fBBN_CTX_secure_new()\fR allocates and initializes a \fB\s-1BN_CTX\s0\fR structure
but uses the secure heap (see \fBCRYPTO_secure_malloc\fR\|(3)) to hold the
\&\fB\s-1BIGNUM\s0\fRs.
.PP
\&\fBBN_CTX_free()\fR frees the components of the \fB\s-1BN_CTX\s0\fR and the structure itself.
Since \fBBN_CTX_start()\fR is required in order to obtain \fB\s-1BIGNUM\s0\fRs from the
\&\fB\s-1BN_CTX\s0\fR, in most cases \fBBN_CTX_end()\fR must be called before the \fB\s-1BN_CTX\s0\fR may
be freed by \fBBN_CTX_free()\fR. If \fBc\fR is \s-1NULL,\s0 nothing is done.
.PP
A given \fB\s-1BN_CTX\s0\fR must only be used by a single thread of execution. No
locking is performed, and the internal pool allocator will not properly handle
multiple threads of execution.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBN_CTX_new()\fR and \fBBN_CTX_secure_new()\fR return a pointer to the \fB\s-1BN_CTX\s0\fR.
If the allocation fails,
they return \fB\s-1NULL\s0\fR and sets an error code that can be obtained by
\&\fBERR_get_error\fR\|(3).
.PP
\&\fBBN_CTX_free()\fR has no return values.
.SH "REMOVED FUNCTIONALITY"
.IX Header "REMOVED FUNCTIONALITY"
.Vb 1
\& void BN_CTX_init(BN_CTX *c);
.Ve
.PP
\&\fBBN_CTX_init()\fR is no longer available as of OpenSSL 1.1.0. Applications should
replace use of BN_CTX_init with BN_CTX_new instead:
.PP
.Vb 6
\& BN_CTX *ctx;
\& ctx = BN_CTX_new();
\& if (!ctx)
\& /* error */
\& ...
\& BN_CTX_free(ctx);
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBBN_add\fR\|(3),
\&\fBBN_CTX_start\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBBN_CTX_init()\fR was removed in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_CTX_start.3 b/secure/lib/libcrypto/man/man3/BN_CTX_start.3
index 1aefb320b1a2..32cd016a88c5 100644
--- a/secure/lib/libcrypto/man/man3/BN_CTX_start.3
+++ b/secure/lib/libcrypto/man/man3/BN_CTX_start.3
@@ -1,189 +1,189 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_CTX_START 3"
-.TH BN_CTX_START 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BN_CTX_START 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BN_CTX_start, BN_CTX_get, BN_CTX_end \- use temporary BIGNUM variables
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
\&
\& void BN_CTX_start(BN_CTX *ctx);
\&
\& BIGNUM *BN_CTX_get(BN_CTX *ctx);
\&
\& void BN_CTX_end(BN_CTX *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions are used to obtain temporary \fB\s-1BIGNUM\s0\fR variables from
a \fB\s-1BN_CTX\s0\fR (which can been created by using \fBBN_CTX_new\fR\|(3))
in order to save the overhead of repeatedly creating and
freeing \fB\s-1BIGNUM\s0\fRs in functions that are called from inside a loop.
.PP
A function must call \fBBN_CTX_start()\fR first. Then, \fBBN_CTX_get()\fR may be
called repeatedly to obtain temporary \fB\s-1BIGNUM\s0\fRs. All \fBBN_CTX_get()\fR
calls must be made before calling any other functions that use the
\&\fBctx\fR as an argument.
.PP
Finally, \fBBN_CTX_end()\fR must be called before returning from the function.
If \fBctx\fR is \s-1NULL,\s0 nothing is done.
When \fBBN_CTX_end()\fR is called, the \fB\s-1BIGNUM\s0\fR pointers obtained from
\&\fBBN_CTX_get()\fR become invalid.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBN_CTX_start()\fR and \fBBN_CTX_end()\fR return no values.
.PP
\&\fBBN_CTX_get()\fR returns a pointer to the \fB\s-1BIGNUM\s0\fR, or \fB\s-1NULL\s0\fR on error.
Once \fBBN_CTX_get()\fR has failed, the subsequent calls will return \fB\s-1NULL\s0\fR
as well, so it is sufficient to check the return value of the last
\&\fBBN_CTX_get()\fR call. In case of an error, an error code is set, which
can be obtained by \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBBN_CTX_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_add.3 b/secure/lib/libcrypto/man/man3/BN_add.3
index db0bbbc6f569..68b5e1d251e4 100644
--- a/secure/lib/libcrypto/man/man3/BN_add.3
+++ b/secure/lib/libcrypto/man/man3/BN_add.3
@@ -1,259 +1,270 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_ADD 3"
-.TH BN_ADD 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BN_ADD 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add, BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_exp, BN_mod_exp, BN_gcd \- arithmetic operations on BIGNUMs
+BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add, BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_mod_sqrt, BN_exp, BN_mod_exp, BN_gcd \- arithmetic operations on BIGNUMs
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
\&
\& int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
\&
\& int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
\&
\& int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
\&
\& int BN_sqr(BIGNUM *r, BIGNUM *a, BN_CTX *ctx);
\&
\& int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *a, const BIGNUM *d,
\& BN_CTX *ctx);
\&
\& int BN_mod(BIGNUM *rem, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
\&
\& int BN_nnmod(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
\&
\& int BN_mod_add(BIGNUM *r, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
\& BN_CTX *ctx);
\&
\& int BN_mod_sub(BIGNUM *r, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
\& BN_CTX *ctx);
\&
\& int BN_mod_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
\& BN_CTX *ctx);
\&
\& int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
\&
+\& BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+\&
\& int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
\&
\& int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
\& const BIGNUM *m, BN_CTX *ctx);
\&
\& int BN_gcd(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBN_add()\fR adds \fIa\fR and \fIb\fR and places the result in \fIr\fR (\f(CW\*(C`r=a+b\*(C'\fR).
\&\fIr\fR may be the same \fB\s-1BIGNUM\s0\fR as \fIa\fR or \fIb\fR.
.PP
\&\fBBN_sub()\fR subtracts \fIb\fR from \fIa\fR and places the result in \fIr\fR (\f(CW\*(C`r=a\-b\*(C'\fR).
\&\fIr\fR may be the same \fB\s-1BIGNUM\s0\fR as \fIa\fR or \fIb\fR.
.PP
\&\fBBN_mul()\fR multiplies \fIa\fR and \fIb\fR and places the result in \fIr\fR (\f(CW\*(C`r=a*b\*(C'\fR).
\&\fIr\fR may be the same \fB\s-1BIGNUM\s0\fR as \fIa\fR or \fIb\fR.
For multiplication by powers of 2, use \fBBN_lshift\fR\|(3).
.PP
\&\fBBN_sqr()\fR takes the square of \fIa\fR and places the result in \fIr\fR
(\f(CW\*(C`r=a^2\*(C'\fR). \fIr\fR and \fIa\fR may be the same \fB\s-1BIGNUM\s0\fR.
This function is faster than BN_mul(r,a,a).
.PP
\&\fBBN_div()\fR divides \fIa\fR by \fId\fR and places the result in \fIdv\fR and the
remainder in \fIrem\fR (\f(CW\*(C`dv=a/d, rem=a%d\*(C'\fR). Either of \fIdv\fR and \fIrem\fR may
be \fB\s-1NULL\s0\fR, in which case the respective value is not returned.
The result is rounded towards zero; thus if \fIa\fR is negative, the
remainder will be zero or negative.
For division by powers of 2, use \fBBN_rshift\fR\|(3).
.PP
\&\fBBN_mod()\fR corresponds to \fBBN_div()\fR with \fIdv\fR set to \fB\s-1NULL\s0\fR.
.PP
\&\fBBN_nnmod()\fR reduces \fIa\fR modulo \fIm\fR and places the nonnegative
remainder in \fIr\fR.
.PP
\&\fBBN_mod_add()\fR adds \fIa\fR to \fIb\fR modulo \fIm\fR and places the nonnegative
result in \fIr\fR.
.PP
\&\fBBN_mod_sub()\fR subtracts \fIb\fR from \fIa\fR modulo \fIm\fR and places the
nonnegative result in \fIr\fR.
.PP
\&\fBBN_mod_mul()\fR multiplies \fIa\fR by \fIb\fR and finds the nonnegative
remainder respective to modulus \fIm\fR (\f(CW\*(C`r=(a*b) mod m\*(C'\fR). \fIr\fR may be
the same \fB\s-1BIGNUM\s0\fR as \fIa\fR or \fIb\fR. For more efficient algorithms for
repeated computations using the same modulus, see
\&\fBBN_mod_mul_montgomery\fR\|(3) and
\&\fBBN_mod_mul_reciprocal\fR\|(3).
.PP
\&\fBBN_mod_sqr()\fR takes the square of \fIa\fR modulo \fBm\fR and places the
result in \fIr\fR.
.PP
+\&\fBBN_mod_sqrt()\fR returns the modular square root of \fIa\fR such that
+\&\f(CW\*(C`in^2 = a (mod p)\*(C'\fR. The modulus \fIp\fR must be a
+prime, otherwise an error or an incorrect \*(L"result\*(R" will be returned.
+The result is stored into \fIin\fR which can be \s-1NULL.\s0 The result will be
+newly allocated in that case.
+.PP
\&\fBBN_exp()\fR raises \fIa\fR to the \fIp\fR\-th power and places the result in \fIr\fR
(\f(CW\*(C`r=a^p\*(C'\fR). This function is faster than repeated applications of
\&\fBBN_mul()\fR.
.PP
\&\fBBN_mod_exp()\fR computes \fIa\fR to the \fIp\fR\-th power modulo \fIm\fR (\f(CW\*(C`r=a^p %
m\*(C'\fR). This function uses less time and space than \fBBN_exp()\fR. Do not call this
function when \fBm\fR is even and any of the parameters have the
\&\fB\s-1BN_FLG_CONSTTIME\s0\fR flag set.
.PP
\&\fBBN_gcd()\fR computes the greatest common divisor of \fIa\fR and \fIb\fR and
places the result in \fIr\fR. \fIr\fR may be the same \fB\s-1BIGNUM\s0\fR as \fIa\fR or
\&\fIb\fR.
.PP
For all functions, \fIctx\fR is a previously allocated \fB\s-1BN_CTX\s0\fR used for
temporary variables; see \fBBN_CTX_new\fR\|(3).
.PP
Unless noted otherwise, the result \fB\s-1BIGNUM\s0\fR must be different from
the arguments.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
-For all functions, 1 is returned for success, 0 on error. The return
+The \fBBN_mod_sqrt()\fR returns the result (possibly incorrect if \fIp\fR is
+not a prime), or \s-1NULL.\s0
+.PP
+For all remaining functions, 1 is returned for success, 0 on error. The return
value should always be checked (e.g., \f(CW\*(C`if (!BN_add(r,a,b)) goto err;\*(C'\fR).
The error codes can be obtained by \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBBN_CTX_new\fR\|(3),
\&\fBBN_add_word\fR\|(3), \fBBN_set_bit\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_add_word.3 b/secure/lib/libcrypto/man/man3/BN_add_word.3
index 56df90050f9d..e9131100074e 100644
--- a/secure/lib/libcrypto/man/man3/BN_add_word.3
+++ b/secure/lib/libcrypto/man/man3/BN_add_word.3
@@ -1,192 +1,192 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_ADD_WORD 3"
-.TH BN_ADD_WORD 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BN_ADD_WORD 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BN_add_word, BN_sub_word, BN_mul_word, BN_div_word, BN_mod_word \- arithmetic functions on BIGNUMs with integers
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
\&
\& int BN_add_word(BIGNUM *a, BN_ULONG w);
\&
\& int BN_sub_word(BIGNUM *a, BN_ULONG w);
\&
\& int BN_mul_word(BIGNUM *a, BN_ULONG w);
\&
\& BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w);
\&
\& BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions perform arithmetic operations on BIGNUMs with unsigned
integers. They are much more efficient than the normal \s-1BIGNUM\s0
arithmetic operations.
.PP
\&\fBBN_add_word()\fR adds \fBw\fR to \fBa\fR (\f(CW\*(C`a+=w\*(C'\fR).
.PP
\&\fBBN_sub_word()\fR subtracts \fBw\fR from \fBa\fR (\f(CW\*(C`a\-=w\*(C'\fR).
.PP
\&\fBBN_mul_word()\fR multiplies \fBa\fR and \fBw\fR (\f(CW\*(C`a*=w\*(C'\fR).
.PP
\&\fBBN_div_word()\fR divides \fBa\fR by \fBw\fR (\f(CW\*(C`a/=w\*(C'\fR) and returns the remainder.
.PP
\&\fBBN_mod_word()\fR returns the remainder of \fBa\fR divided by \fBw\fR (\f(CW\*(C`a%w\*(C'\fR).
.PP
For \fBBN_div_word()\fR and \fBBN_mod_word()\fR, \fBw\fR must not be 0.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBN_add_word()\fR, \fBBN_sub_word()\fR and \fBBN_mul_word()\fR return 1 for success, 0
on error. The error codes can be obtained by \fBERR_get_error\fR\|(3).
.PP
\&\fBBN_mod_word()\fR and \fBBN_div_word()\fR return \fBa\fR%\fBw\fR on success and
\&\fB(\s-1BN_ULONG\s0)\-1\fR if an error occurred.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBBN_add\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_bn2bin.3 b/secure/lib/libcrypto/man/man3/BN_bn2bin.3
index 07fb4f55e4f6..29b102f6c5a0 100644
--- a/secure/lib/libcrypto/man/man3/BN_bn2bin.3
+++ b/secure/lib/libcrypto/man/man3/BN_bn2bin.3
@@ -1,245 +1,245 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_BN2BIN 3"
-.TH BN_BN2BIN 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BN_BN2BIN 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BN_bn2binpad, BN_bn2bin, BN_bin2bn, BN_bn2lebinpad, BN_lebin2bn, BN_bn2hex, BN_bn2dec, BN_hex2bn, BN_dec2bn, BN_print, BN_print_fp, BN_bn2mpi, BN_mpi2bn \- format conversions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
\&
\& int BN_bn2bin(const BIGNUM *a, unsigned char *to);
\& int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen);
\& BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
\&
\& int BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen);
\& BIGNUM *BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret);
\&
\& char *BN_bn2hex(const BIGNUM *a);
\& char *BN_bn2dec(const BIGNUM *a);
\& int BN_hex2bn(BIGNUM **a, const char *str);
\& int BN_dec2bn(BIGNUM **a, const char *str);
\&
\& int BN_print(BIO *fp, const BIGNUM *a);
\& int BN_print_fp(FILE *fp, const BIGNUM *a);
\&
\& int BN_bn2mpi(const BIGNUM *a, unsigned char *to);
\& BIGNUM *BN_mpi2bn(unsigned char *s, int len, BIGNUM *ret);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBN_bn2bin()\fR converts the absolute value of \fBa\fR into big-endian form
and stores it at \fBto\fR. \fBto\fR must point to BN_num_bytes(\fBa\fR) bytes of
memory.
.PP
\&\fBBN_bn2binpad()\fR also converts the absolute value of \fBa\fR into big-endian form
and stores it at \fBto\fR. \fBtolen\fR indicates the length of the output buffer
\&\fBto\fR. The result is padded with zeros if necessary. If \fBtolen\fR is less than
BN_num_bytes(\fBa\fR) an error is returned.
.PP
\&\fBBN_bin2bn()\fR converts the positive integer in big-endian form of length
\&\fBlen\fR at \fBs\fR into a \fB\s-1BIGNUM\s0\fR and places it in \fBret\fR. If \fBret\fR is
\&\s-1NULL,\s0 a new \fB\s-1BIGNUM\s0\fR is created.
.PP
\&\fBBN_bn2lebinpad()\fR and \fBBN_lebin2bn()\fR are identical to \fBBN_bn2binpad()\fR and
\&\fBBN_bin2bn()\fR except the buffer is in little-endian format.
.PP
\&\fBBN_bn2hex()\fR and \fBBN_bn2dec()\fR return printable strings containing the
hexadecimal and decimal encoding of \fBa\fR respectively. For negative
numbers, the string is prefaced with a leading '\-'. The string must be
freed later using \fBOPENSSL_free()\fR.
.PP
\&\fBBN_hex2bn()\fR takes as many characters as possible from the string \fBstr\fR,
including the leading character '\-' which means negative, to form a valid
hexadecimal number representation and converts them to a \fB\s-1BIGNUM\s0\fR and
stores it in **\fBa\fR. If *\fBa\fR is \s-1NULL,\s0 a new \fB\s-1BIGNUM\s0\fR is created. If
\&\fBa\fR is \s-1NULL,\s0 it only computes the length of valid representation.
A \*(L"negative zero\*(R" is converted to zero.
\&\fBBN_dec2bn()\fR is the same using the decimal system.
.PP
\&\fBBN_print()\fR and \fBBN_print_fp()\fR write the hexadecimal encoding of \fBa\fR,
with a leading '\-' for negative numbers, to the \fB\s-1BIO\s0\fR or \fB\s-1FILE\s0\fR
\&\fBfp\fR.
.PP
\&\fBBN_bn2mpi()\fR and \fBBN_mpi2bn()\fR convert \fB\s-1BIGNUM\s0\fRs from and to a format
that consists of the number's length in bytes represented as a 4\-byte
big-endian number, and the number itself in big-endian format, where
the most significant bit signals a negative number (the representation
of numbers with the \s-1MSB\s0 set is prefixed with null byte).
.PP
\&\fBBN_bn2mpi()\fR stores the representation of \fBa\fR at \fBto\fR, where \fBto\fR
must be large enough to hold the result. The size can be determined by
calling BN_bn2mpi(\fBa\fR, \s-1NULL\s0).
.PP
\&\fBBN_mpi2bn()\fR converts the \fBlen\fR bytes long representation at \fBs\fR to
a \fB\s-1BIGNUM\s0\fR and stores it at \fBret\fR, or in a newly allocated \fB\s-1BIGNUM\s0\fR
if \fBret\fR is \s-1NULL.\s0
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBN_bn2bin()\fR returns the length of the big-endian number placed at \fBto\fR.
\&\fBBN_bin2bn()\fR returns the \fB\s-1BIGNUM\s0\fR, \s-1NULL\s0 on error.
.PP
\&\fBBN_bn2binpad()\fR returns the number of bytes written or \-1 if the supplied
buffer is too small.
.PP
\&\fBBN_bn2hex()\fR and \fBBN_bn2dec()\fR return a null-terminated string, or \s-1NULL\s0
on error. \fBBN_hex2bn()\fR and \fBBN_dec2bn()\fR return the number of characters
used in parsing, or 0 on error, in which
case no new \fB\s-1BIGNUM\s0\fR will be created.
.PP
\&\fBBN_print_fp()\fR and \fBBN_print()\fR return 1 on success, 0 on write errors.
.PP
\&\fBBN_bn2mpi()\fR returns the length of the representation. \fBBN_mpi2bn()\fR
returns the \fB\s-1BIGNUM\s0\fR, and \s-1NULL\s0 on error.
.PP
The error codes can be obtained by \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBBN_zero\fR\|(3),
\&\fBASN1_INTEGER_to_BN\fR\|(3),
\&\fBBN_num_bytes\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_cmp.3 b/secure/lib/libcrypto/man/man3/BN_cmp.3
index 230be8993500..93c351d0d221 100644
--- a/secure/lib/libcrypto/man/man3/BN_cmp.3
+++ b/secure/lib/libcrypto/man/man3/BN_cmp.3
@@ -1,184 +1,184 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_CMP 3"
-.TH BN_CMP 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BN_CMP 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BN_cmp, BN_ucmp, BN_is_zero, BN_is_one, BN_is_word, BN_abs_is_word, BN_is_odd \- BIGNUM comparison and test functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
\&
\& int BN_cmp(const BIGNUM *a, const BIGNUM *b);
\& int BN_ucmp(const BIGNUM *a, const BIGNUM *b);
\&
\& int BN_is_zero(const BIGNUM *a);
\& int BN_is_one(const BIGNUM *a);
\& int BN_is_word(const BIGNUM *a, const BN_ULONG w);
\& int BN_abs_is_word(const BIGNUM *a, const BN_ULONG w);
\& int BN_is_odd(const BIGNUM *a);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBN_cmp()\fR compares the numbers \fIa\fR and \fIb\fR. \fBBN_ucmp()\fR compares their
absolute values.
.PP
\&\fBBN_is_zero()\fR, \fBBN_is_one()\fR, \fBBN_is_word()\fR and \fBBN_abs_is_word()\fR test if
\&\fIa\fR equals 0, 1, \fIw\fR, or |\fIw\fR| respectively.
\&\fBBN_is_odd()\fR tests if \fIa\fR is odd.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBN_cmp()\fR returns \-1 if \fIa\fR < \fIb\fR, 0 if \fIa\fR == \fIb\fR and 1 if
\&\fIa\fR > \fIb\fR. \fBBN_ucmp()\fR is the same using the absolute values
of \fIa\fR and \fIb\fR.
.PP
\&\fBBN_is_zero()\fR, \fBBN_is_one()\fR \fBBN_is_word()\fR, \fBBN_abs_is_word()\fR and
\&\fBBN_is_odd()\fR return 1 if the condition is true, 0 otherwise.
.SH "HISTORY"
.IX Header "HISTORY"
Prior to OpenSSL 1.1.0, \fBBN_is_zero()\fR, \fBBN_is_one()\fR, \fBBN_is_word()\fR,
\&\fBBN_abs_is_word()\fR and \fBBN_is_odd()\fR were macros.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_copy.3 b/secure/lib/libcrypto/man/man3/BN_copy.3
index c3d1d9d94179..b3a21bd321d9 100644
--- a/secure/lib/libcrypto/man/man3/BN_copy.3
+++ b/secure/lib/libcrypto/man/man3/BN_copy.3
@@ -1,191 +1,191 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_COPY 3"
-.TH BN_COPY 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BN_COPY 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BN_copy, BN_dup, BN_with_flags \- copy BIGNUMs
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
\&
\& BIGNUM *BN_copy(BIGNUM *to, const BIGNUM *from);
\&
\& BIGNUM *BN_dup(const BIGNUM *from);
\&
\& void BN_with_flags(BIGNUM *dest, const BIGNUM *b, int flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBN_copy()\fR copies \fBfrom\fR to \fBto\fR. \fBBN_dup()\fR creates a new \fB\s-1BIGNUM\s0\fR
containing the value \fBfrom\fR.
.PP
BN_with_flags creates a \fBtemporary\fR shallow copy of \fBb\fR in \fBdest\fR. It places
significant restrictions on the copied data. Applications that do no adhere to
these restrictions may encounter unexpected side effects or crashes. For that
reason use of this function is discouraged. Any flags provided in \fBflags\fR will
be set in \fBdest\fR in addition to any flags already set in \fBb\fR. For example this
might commonly be used to create a temporary copy of a \s-1BIGNUM\s0 with the
\&\fB\s-1BN_FLG_CONSTTIME\s0\fR flag set for constant time operations. The temporary copy in
\&\fBdest\fR will share some internal state with \fBb\fR. For this reason the following
restrictions apply to the use of \fBdest\fR:
.IP "\(bu" 2
\&\fBdest\fR should be a newly allocated \s-1BIGNUM\s0 obtained via a call to \fBBN_new()\fR. It
should not have been used for other purposes or initialised in any way.
.IP "\(bu" 2
\&\fBdest\fR must only be used in \*(L"read-only\*(R" operations, i.e. typically those
functions where the relevant parameter is declared \*(L"const\*(R".
.IP "\(bu" 2
\&\fBdest\fR must be used and freed before any further subsequent use of \fBb\fR
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBN_copy()\fR returns \fBto\fR on success, \s-1NULL\s0 on error. \fBBN_dup()\fR returns
the new \fB\s-1BIGNUM\s0\fR, and \s-1NULL\s0 on error. The error codes can be obtained
by \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_generate_prime.3 b/secure/lib/libcrypto/man/man3/BN_generate_prime.3
index eb9f0ec4b7d8..54462cdc28e0 100644
--- a/secure/lib/libcrypto/man/man3/BN_generate_prime.3
+++ b/secure/lib/libcrypto/man/man3/BN_generate_prime.3
@@ -1,341 +1,341 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_GENERATE_PRIME 3"
-.TH BN_GENERATE_PRIME 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BN_GENERATE_PRIME 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BN_generate_prime_ex, BN_is_prime_ex, BN_is_prime_fasttest_ex, BN_GENCB_call, BN_GENCB_new, BN_GENCB_free, BN_GENCB_set_old, BN_GENCB_set, BN_GENCB_get_arg, BN_generate_prime, BN_is_prime, BN_is_prime_fasttest \- generate primes and test for primality
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
\&
\& int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add,
\& const BIGNUM *rem, BN_GENCB *cb);
\&
\& int BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, BN_GENCB *cb);
\&
\& int BN_is_prime_fasttest_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx,
\& int do_trial_division, BN_GENCB *cb);
\&
\& int BN_GENCB_call(BN_GENCB *cb, int a, int b);
\&
\& BN_GENCB *BN_GENCB_new(void);
\&
\& void BN_GENCB_free(BN_GENCB *cb);
\&
\& void BN_GENCB_set_old(BN_GENCB *gencb,
\& void (*callback)(int, int, void *), void *cb_arg);
\&
\& void BN_GENCB_set(BN_GENCB *gencb,
\& int (*callback)(int, int, BN_GENCB *), void *cb_arg);
\&
\& void *BN_GENCB_get_arg(BN_GENCB *cb);
.Ve
.PP
Deprecated:
.PP
.Vb 4
\& #if OPENSSL_API_COMPAT < 0x00908000L
\& BIGNUM *BN_generate_prime(BIGNUM *ret, int num, int safe, BIGNUM *add,
\& BIGNUM *rem, void (*callback)(int, int, void *),
\& void *cb_arg);
\&
\& int BN_is_prime(const BIGNUM *a, int checks,
\& void (*callback)(int, int, void *), BN_CTX *ctx, void *cb_arg);
\&
\& int BN_is_prime_fasttest(const BIGNUM *a, int checks,
\& void (*callback)(int, int, void *), BN_CTX *ctx,
\& void *cb_arg, int do_trial_division);
\& #endif
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBN_generate_prime_ex()\fR generates a pseudo-random prime number of
at least bit length \fBbits\fR. The returned number is probably prime
with a negligible error. If \fBadd\fR is \fB\s-1NULL\s0\fR the returned prime
number will have exact bit length \fBbits\fR with the top most two
bits set.
.PP
If \fBret\fR is not \fB\s-1NULL\s0\fR, it will be used to store the number.
.PP
If \fBcb\fR is not \fB\s-1NULL\s0\fR, it is used as follows:
.IP "\(bu" 2
\&\fBBN_GENCB_call(cb, 0, i)\fR is called after generating the i\-th
potential prime number.
.IP "\(bu" 2
While the number is being tested for primality,
\&\fBBN_GENCB_call(cb, 1, j)\fR is called as described below.
.IP "\(bu" 2
When a prime has been found, \fBBN_GENCB_call(cb, 2, i)\fR is called.
.IP "\(bu" 2
The callers of \fBBN_generate_prime_ex()\fR may call \fBBN_GENCB_call(cb, i, j)\fR with
other values as described in their respective man pages; see \*(L"\s-1SEE ALSO\*(R"\s0.
.PP
The prime may have to fulfill additional requirements for use in
Diffie-Hellman key exchange:
.PP
If \fBadd\fR is not \fB\s-1NULL\s0\fR, the prime will fulfill the condition p % \fBadd\fR
== \fBrem\fR (p % \fBadd\fR == 1 if \fBrem\fR == \fB\s-1NULL\s0\fR) in order to suit a given
generator.
.PP
If \fBsafe\fR is true, it will be a safe prime (i.e. a prime p so
that (p\-1)/2 is also prime). If \fBsafe\fR is true, and \fBrem\fR == \fB\s-1NULL\s0\fR
the condition will be p % \fBadd\fR == 3.
It is recommended that \fBadd\fR is a multiple of 4.
.PP
The random generator must be seeded prior to calling \fBBN_generate_prime_ex()\fR.
If the automatic seeding or reseeding of the OpenSSL \s-1CSPRNG\s0 fails due to
external circumstances (see \s-1\fBRAND\s0\fR\|(7)), the operation will fail.
.PP
\&\fBBN_is_prime_ex()\fR and \fBBN_is_prime_fasttest_ex()\fR test if the number \fBp\fR is
prime. The following tests are performed until one of them shows that
\&\fBp\fR is composite; if \fBp\fR passes all these tests, it is considered
prime.
.PP
\&\fBBN_is_prime_fasttest_ex()\fR, when called with \fBdo_trial_division == 1\fR,
first attempts trial division by a number of small primes;
if no divisors are found by this test and \fBcb\fR is not \fB\s-1NULL\s0\fR,
\&\fBBN_GENCB_call(cb, 1, \-1)\fR is called.
If \fBdo_trial_division == 0\fR, this test is skipped.
.PP
Both \fBBN_is_prime_ex()\fR and \fBBN_is_prime_fasttest_ex()\fR perform a Miller-Rabin
probabilistic primality test with \fBnchecks\fR iterations. If
\&\fBnchecks == BN_prime_checks\fR, a number of iterations is used that
yields a false positive rate of at most 2^\-64 for random input.
The error rate depends on the size of the prime and goes down for bigger primes.
The rate is 2^\-80 starting at 308 bits, 2^\-112 at 852 bits, 2^\-128 at 1080 bits,
2^\-192 at 3747 bits and 2^\-256 at 6394 bits.
.PP
When the source of the prime is not random or not trusted, the number
of checks needs to be much higher to reach the same level of assurance:
It should equal half of the targeted security level in bits (rounded up to the
next integer if necessary).
For instance, to reach the 128 bit security level, \fBnchecks\fR should be set to
64.
.PP
If \fBcb\fR is not \fB\s-1NULL\s0\fR, \fBBN_GENCB_call(cb, 1, j)\fR is called
after the j\-th iteration (j = 0, 1, ...). \fBctx\fR is a
preallocated \fB\s-1BN_CTX\s0\fR (to save the overhead of allocating and
freeing the structure in a loop), or \fB\s-1NULL\s0\fR.
.PP
\&\fBBN_GENCB_call()\fR calls the callback function held in the \fB\s-1BN_GENCB\s0\fR structure
and passes the ints \fBa\fR and \fBb\fR as arguments. There are two types of
\&\fB\s-1BN_GENCB\s0\fR structure that are supported: \*(L"new\*(R" style and \*(L"old\*(R" style. New
programs should prefer the \*(L"new\*(R" style, whilst the \*(L"old\*(R" style is provided
for backwards compatibility purposes.
.PP
A \fB\s-1BN_GENCB\s0\fR structure should be created through a call to \fBBN_GENCB_new()\fR,
and freed through a call to \fBBN_GENCB_free()\fR.
.PP
For \*(L"new\*(R" style callbacks a \s-1BN_GENCB\s0 structure should be initialised with a
call to \fBBN_GENCB_set()\fR, where \fBgencb\fR is a \fB\s-1BN_GENCB\s0 *\fR, \fBcallback\fR is of
type \fBint (*callback)(int, int, \s-1BN_GENCB\s0 *)\fR and \fBcb_arg\fR is a \fBvoid *\fR.
\&\*(L"Old\*(R" style callbacks are the same except they are initialised with a call
to \fBBN_GENCB_set_old()\fR and \fBcallback\fR is of type
\&\fBvoid (*callback)(int, int, void *)\fR.
.PP
A callback is invoked through a call to \fBBN_GENCB_call\fR. This will check
the type of the callback and will invoke \fBcallback(a, b, gencb)\fR for new
style callbacks or \fBcallback(a, b, cb_arg)\fR for old style.
.PP
It is possible to obtain the argument associated with a \s-1BN_GENCB\s0 structure
(set via a call to BN_GENCB_set or BN_GENCB_set_old) using BN_GENCB_get_arg.
.PP
\&\fBBN_generate_prime()\fR (deprecated) works in the same way as
\&\fBBN_generate_prime_ex()\fR but expects an old-style callback function
directly in the \fBcallback\fR parameter, and an argument to pass to it in
the \fBcb_arg\fR. \fBBN_is_prime()\fR and \fBBN_is_prime_fasttest()\fR
can similarly be compared to \fBBN_is_prime_ex()\fR and
\&\fBBN_is_prime_fasttest_ex()\fR, respectively.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBN_generate_prime_ex()\fR return 1 on success or 0 on error.
.PP
\&\fBBN_is_prime_ex()\fR, \fBBN_is_prime_fasttest_ex()\fR, \fBBN_is_prime()\fR and
\&\fBBN_is_prime_fasttest()\fR return 0 if the number is composite, 1 if it is
prime with an error probability of less than 0.25^\fBnchecks\fR, and
\&\-1 on error.
.PP
\&\fBBN_generate_prime()\fR returns the prime number on success, \fB\s-1NULL\s0\fR otherwise.
.PP
BN_GENCB_new returns a pointer to a \s-1BN_GENCB\s0 structure on success, or \fB\s-1NULL\s0\fR
otherwise.
.PP
BN_GENCB_get_arg returns the argument previously associated with a \s-1BN_GENCB\s0
structure.
.PP
Callback functions should return 1 on success or 0 on error.
.PP
The error codes can be obtained by \fBERR_get_error\fR\|(3).
.SH "REMOVED FUNCTIONALITY"
.IX Header "REMOVED FUNCTIONALITY"
As of OpenSSL 1.1.0 it is no longer possible to create a \s-1BN_GENCB\s0 structure
directly, as in:
.PP
.Vb 1
\& BN_GENCB callback;
.Ve
.PP
Instead applications should create a \s-1BN_GENCB\s0 structure using BN_GENCB_new:
.PP
.Vb 6
\& BN_GENCB *callback;
\& callback = BN_GENCB_new();
\& if (!callback)
\& /* error */
\& ...
\& BN_GENCB_free(callback);
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDH_generate_parameters\fR\|(3), \fBDSA_generate_parameters\fR\|(3),
\&\fBRSA_generate_key\fR\|(3), \fBERR_get_error\fR\|(3), \fBRAND_bytes\fR\|(3),
\&\s-1\fBRAND\s0\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBBN_GENCB_new()\fR, \fBBN_GENCB_free()\fR,
and \fBBN_GENCB_get_arg()\fR functions were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_mod_inverse.3 b/secure/lib/libcrypto/man/man3/BN_mod_inverse.3
index e10bd4064d8b..3da342e18a2c 100644
--- a/secure/lib/libcrypto/man/man3/BN_mod_inverse.3
+++ b/secure/lib/libcrypto/man/man3/BN_mod_inverse.3
@@ -1,173 +1,173 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_MOD_INVERSE 3"
-.TH BN_MOD_INVERSE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BN_MOD_INVERSE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BN_mod_inverse \- compute inverse modulo n
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
\&
\& BIGNUM *BN_mod_inverse(BIGNUM *r, BIGNUM *a, const BIGNUM *n,
\& BN_CTX *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBN_mod_inverse()\fR computes the inverse of \fBa\fR modulo \fBn\fR
places the result in \fBr\fR (\f(CW\*(C`(a*r)%n==1\*(C'\fR). If \fBr\fR is \s-1NULL,\s0
a new \fB\s-1BIGNUM\s0\fR is created.
.PP
\&\fBctx\fR is a previously allocated \fB\s-1BN_CTX\s0\fR used for temporary
variables. \fBr\fR may be the same \fB\s-1BIGNUM\s0\fR as \fBa\fR or \fBn\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBN_mod_inverse()\fR returns the \fB\s-1BIGNUM\s0\fR containing the inverse, and
\&\s-1NULL\s0 on error. The error codes can be obtained by \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBBN_add\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_mod_mul_montgomery.3 b/secure/lib/libcrypto/man/man3/BN_mod_mul_montgomery.3
index ccdeef963a59..e7d5dab8d9a6 100644
--- a/secure/lib/libcrypto/man/man3/BN_mod_mul_montgomery.3
+++ b/secure/lib/libcrypto/man/man3/BN_mod_mul_montgomery.3
@@ -1,218 +1,218 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_MOD_MUL_MONTGOMERY 3"
-.TH BN_MOD_MUL_MONTGOMERY 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BN_MOD_MUL_MONTGOMERY 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BN_mod_mul_montgomery, BN_MONT_CTX_new, BN_MONT_CTX_free, BN_MONT_CTX_set, BN_MONT_CTX_copy, BN_from_montgomery, BN_to_montgomery \- Montgomery multiplication
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
\&
\& BN_MONT_CTX *BN_MONT_CTX_new(void);
\& void BN_MONT_CTX_free(BN_MONT_CTX *mont);
\&
\& int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *m, BN_CTX *ctx);
\& BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from);
\&
\& int BN_mod_mul_montgomery(BIGNUM *r, BIGNUM *a, BIGNUM *b,
\& BN_MONT_CTX *mont, BN_CTX *ctx);
\&
\& int BN_from_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont,
\& BN_CTX *ctx);
\&
\& int BN_to_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont,
\& BN_CTX *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions implement Montgomery multiplication. They are used
automatically when \fBBN_mod_exp\fR\|(3) is called with suitable input,
but they may be useful when several operations are to be performed
using the same modulus.
.PP
\&\fBBN_MONT_CTX_new()\fR allocates and initializes a \fB\s-1BN_MONT_CTX\s0\fR structure.
.PP
\&\fBBN_MONT_CTX_set()\fR sets up the \fImont\fR structure from the modulus \fIm\fR
by precomputing its inverse and a value R.
.PP
\&\fBBN_MONT_CTX_copy()\fR copies the \fB\s-1BN_MONT_CTX\s0\fR \fIfrom\fR to \fIto\fR.
.PP
\&\fBBN_MONT_CTX_free()\fR frees the components of the \fB\s-1BN_MONT_CTX\s0\fR, and, if
it was created by \fBBN_MONT_CTX_new()\fR, also the structure itself.
If \fBmont\fR is \s-1NULL,\s0 nothing is done.
.PP
\&\fBBN_mod_mul_montgomery()\fR computes Mont(\fIa\fR,\fIb\fR):=\fIa\fR*\fIb\fR*R^\-1 and places
the result in \fIr\fR.
.PP
\&\fBBN_from_montgomery()\fR performs the Montgomery reduction \fIr\fR = \fIa\fR*R^\-1.
.PP
\&\fBBN_to_montgomery()\fR computes Mont(\fIa\fR,R^2), i.e. \fIa\fR*R.
Note that \fIa\fR must be nonnegative and smaller than the modulus.
.PP
For all functions, \fIctx\fR is a previously allocated \fB\s-1BN_CTX\s0\fR used for
temporary variables.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBN_MONT_CTX_new()\fR returns the newly allocated \fB\s-1BN_MONT_CTX\s0\fR, and \s-1NULL\s0
on error.
.PP
\&\fBBN_MONT_CTX_free()\fR has no return value.
.PP
For the other functions, 1 is returned for success, 0 on error.
The error codes can be obtained by \fBERR_get_error\fR\|(3).
.SH "WARNINGS"
.IX Header "WARNINGS"
The inputs must be reduced modulo \fBm\fR, otherwise the result will be
outside the expected range.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBBN_add\fR\|(3),
\&\fBBN_CTX_new\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBBN_MONT_CTX_init()\fR was removed in OpenSSL 1.1.0
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_mod_mul_reciprocal.3 b/secure/lib/libcrypto/man/man3/BN_mod_mul_reciprocal.3
index 73a783bd748e..949bb12de611 100644
--- a/secure/lib/libcrypto/man/man3/BN_mod_mul_reciprocal.3
+++ b/secure/lib/libcrypto/man/man3/BN_mod_mul_reciprocal.3
@@ -1,205 +1,205 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_MOD_MUL_RECIPROCAL 3"
-.TH BN_MOD_MUL_RECIPROCAL 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BN_MOD_MUL_RECIPROCAL 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BN_mod_mul_reciprocal, BN_div_recp, BN_RECP_CTX_new, BN_RECP_CTX_free, BN_RECP_CTX_set \- modular multiplication using reciprocal
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
\&
\& BN_RECP_CTX *BN_RECP_CTX_new(void);
\& void BN_RECP_CTX_free(BN_RECP_CTX *recp);
\&
\& int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *m, BN_CTX *ctx);
\&
\& int BN_div_recp(BIGNUM *dv, BIGNUM *rem, BIGNUM *a, BN_RECP_CTX *recp,
\& BN_CTX *ctx);
\&
\& int BN_mod_mul_reciprocal(BIGNUM *r, BIGNUM *a, BIGNUM *b,
\& BN_RECP_CTX *recp, BN_CTX *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBN_mod_mul_reciprocal()\fR can be used to perform an efficient
\&\fBBN_mod_mul\fR\|(3) operation when the operation will be performed
repeatedly with the same modulus. It computes \fBr\fR=(\fBa\fR*\fBb\fR)%\fBm\fR
using \fBrecp\fR=1/\fBm\fR, which is set as described below. \fBctx\fR is a
previously allocated \fB\s-1BN_CTX\s0\fR used for temporary variables.
.PP
\&\fBBN_RECP_CTX_new()\fR allocates and initializes a \fB\s-1BN_RECP\s0\fR structure.
.PP
\&\fBBN_RECP_CTX_free()\fR frees the components of the \fB\s-1BN_RECP\s0\fR, and, if it
was created by \fBBN_RECP_CTX_new()\fR, also the structure itself.
If \fBrecp\fR is \s-1NULL,\s0 nothing is done.
.PP
\&\fBBN_RECP_CTX_set()\fR stores \fBm\fR in \fBrecp\fR and sets it up for computing
1/\fBm\fR and shifting it left by BN_num_bits(\fBm\fR)+1 to make it an
integer. The result and the number of bits it was shifted left will
later be stored in \fBrecp\fR.
.PP
\&\fBBN_div_recp()\fR divides \fBa\fR by \fBm\fR using \fBrecp\fR. It places the quotient
in \fBdv\fR and the remainder in \fBrem\fR.
.PP
The \fB\s-1BN_RECP_CTX\s0\fR structure cannot be shared between threads.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBN_RECP_CTX_new()\fR returns the newly allocated \fB\s-1BN_RECP_CTX\s0\fR, and \s-1NULL\s0
on error.
.PP
\&\fBBN_RECP_CTX_free()\fR has no return value.
.PP
For the other functions, 1 is returned for success, 0 on error.
The error codes can be obtained by \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBBN_add\fR\|(3),
\&\fBBN_CTX_new\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBBN_RECP_CTX_init()\fR was removed in OpenSSL 1.1.0
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_new.3 b/secure/lib/libcrypto/man/man3/BN_new.3
index 8ddc93065176..464c25907b02 100644
--- a/secure/lib/libcrypto/man/man3/BN_new.3
+++ b/secure/lib/libcrypto/man/man3/BN_new.3
@@ -1,195 +1,195 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_NEW 3"
-.TH BN_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BN_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BN_new, BN_secure_new, BN_clear, BN_free, BN_clear_free \- allocate and free BIGNUMs
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
\&
\& BIGNUM *BN_new(void);
\&
\& BIGNUM *BN_secure_new(void);
\&
\& void BN_clear(BIGNUM *a);
\&
\& void BN_free(BIGNUM *a);
\&
\& void BN_clear_free(BIGNUM *a);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBN_new()\fR allocates and initializes a \fB\s-1BIGNUM\s0\fR structure.
\&\fBBN_secure_new()\fR does the same except that the secure heap
\&\fBOPENSSL_secure_malloc\fR\|(3) is used to store the value.
.PP
\&\fBBN_clear()\fR is used to destroy sensitive data such as keys when they
are no longer needed. It erases the memory used by \fBa\fR and sets it
to the value 0.
If \fBa\fR is \s-1NULL,\s0 nothing is done.
.PP
\&\fBBN_free()\fR frees the components of the \fB\s-1BIGNUM\s0\fR, and if it was created
by \fBBN_new()\fR, also the structure itself. \fBBN_clear_free()\fR additionally
overwrites the data before the memory is returned to the system.
If \fBa\fR is \s-1NULL,\s0 nothing is done.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBN_new()\fR and \fBBN_secure_new()\fR
return a pointer to the \fB\s-1BIGNUM\s0\fR initialised to the value 0.
If the allocation fails,
they return \fB\s-1NULL\s0\fR and set an error code that can be obtained
by \fBERR_get_error\fR\|(3).
.PP
\&\fBBN_clear()\fR, \fBBN_free()\fR and \fBBN_clear_free()\fR have no return values.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBOPENSSL_secure_malloc\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBBN_init()\fR was removed in OpenSSL 1.1.0; use \fBBN_new()\fR instead.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_num_bytes.3 b/secure/lib/libcrypto/man/man3/BN_num_bytes.3
index 0f85ef0fe5d6..09c2eb973afc 100644
--- a/secure/lib/libcrypto/man/man3/BN_num_bytes.3
+++ b/secure/lib/libcrypto/man/man3/BN_num_bytes.3
@@ -1,192 +1,192 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_NUM_BYTES 3"
-.TH BN_NUM_BYTES 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BN_NUM_BYTES 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BN_num_bits, BN_num_bytes, BN_num_bits_word \- get BIGNUM size
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
\&
\& int BN_num_bytes(const BIGNUM *a);
\&
\& int BN_num_bits(const BIGNUM *a);
\&
\& int BN_num_bits_word(BN_ULONG w);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBN_num_bytes()\fR returns the size of a \fB\s-1BIGNUM\s0\fR in bytes.
.PP
\&\fBBN_num_bits_word()\fR returns the number of significant bits in a word.
If we take 0x00000432 as an example, it returns 11, not 16, not 32.
Basically, except for a zero, it returns \fIfloor(log2(w))+1\fR.
.PP
\&\fBBN_num_bits()\fR returns the number of significant bits in a \fB\s-1BIGNUM\s0\fR,
following the same principle as \fBBN_num_bits_word()\fR.
.PP
\&\fBBN_num_bytes()\fR is a macro.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The size.
.SH "NOTES"
.IX Header "NOTES"
Some have tried using \fBBN_num_bits()\fR on individual numbers in \s-1RSA\s0 keys,
\&\s-1DH\s0 keys and \s-1DSA\s0 keys, and found that they don't always come up with
the number of bits they expected (something like 512, 1024, 2048,
\&...). This is because generating a number with some specific number
of bits doesn't always set the highest bits, thereby making the number
of \fIsignificant\fR bits a little lower. If you want to know the \*(L"key
size\*(R" of such a key, either use functions like \fBRSA_size()\fR, \fBDH_size()\fR
and \fBDSA_size()\fR, or use \fBBN_num_bytes()\fR and multiply with 8 (although
there's no real guarantee that will match the \*(L"key size\*(R", just a lot
more probability).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDH_size\fR\|(3), \fBDSA_size\fR\|(3),
\&\fBRSA_size\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_rand.3 b/secure/lib/libcrypto/man/man3/BN_rand.3
index efaf7d2b192c..a775da60f1de 100644
--- a/secure/lib/libcrypto/man/man3/BN_rand.3
+++ b/secure/lib/libcrypto/man/man3/BN_rand.3
@@ -1,220 +1,220 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_RAND 3"
-.TH BN_RAND 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BN_RAND 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BN_rand, BN_priv_rand, BN_pseudo_rand, BN_rand_range, BN_priv_rand_range, BN_pseudo_rand_range \&\- generate pseudo\-random number
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
\&
\& int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
\&
\& int BN_priv_rand(BIGNUM *rnd, int bits, int top, int bottom);
\&
\& int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
\&
\& int BN_rand_range(BIGNUM *rnd, BIGNUM *range);
\&
\& int BN_priv_rand_range(BIGNUM *rnd, BIGNUM *range);
\&
\& int BN_pseudo_rand_range(BIGNUM *rnd, BIGNUM *range);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBN_rand()\fR generates a cryptographically strong pseudo-random number of
\&\fBbits\fR in length and stores it in \fBrnd\fR.
If \fBbits\fR is less than zero, or too small to
accommodate the requirements specified by the \fBtop\fR and \fBbottom\fR
parameters, an error is returned.
The \fBtop\fR parameters specifies
requirements on the most significant bit of the generated number.
If it is \fB\s-1BN_RAND_TOP_ANY\s0\fR, there is no constraint.
If it is \fB\s-1BN_RAND_TOP_ONE\s0\fR, the top bit must be one.
If it is \fB\s-1BN_RAND_TOP_TWO\s0\fR, the two most significant bits of
the number will be set to 1, so that the product of two such random
numbers will always have 2*\fBbits\fR length.
If \fBbottom\fR is \fB\s-1BN_RAND_BOTTOM_ODD\s0\fR, the number will be odd; if it
is \fB\s-1BN_RAND_BOTTOM_ANY\s0\fR it can be odd or even.
If \fBbits\fR is 1 then \fBtop\fR cannot also be \fB\s-1BN_RAND_TOP_TWO\s0\fR.
.PP
\&\fBBN_rand_range()\fR generates a cryptographically strong pseudo-random
number \fBrnd\fR in the range 0 <= \fBrnd\fR < \fBrange\fR.
.PP
\&\fBBN_priv_rand()\fR and \fBBN_priv_rand_range()\fR have the same semantics as
\&\fBBN_rand()\fR and \fBBN_rand_range()\fR respectively. They are intended to be
used for generating values that should remain private, and mirror the
same difference between \fBRAND_bytes\fR\|(3) and \fBRAND_priv_bytes\fR\|(3).
.SH "NOTES"
.IX Header "NOTES"
Always check the error return value of these functions and do not take
randomness for granted: an error occurs if the \s-1CSPRNG\s0 has not been
seeded with enough randomness to ensure an unpredictable byte sequence.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The functions return 1 on success, 0 on error.
The error codes can be obtained by \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3),
\&\fBRAND_add\fR\|(3),
\&\fBRAND_bytes\fR\|(3),
\&\fBRAND_priv_bytes\fR\|(3),
\&\s-1\fBRAND\s0\fR\|(7),
\&\s-1\fBRAND_DRBG\s0\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
.IP "\(bu" 2
Starting with OpenSSL release 1.1.0, \fBBN_pseudo_rand()\fR has been identical
to \fBBN_rand()\fR and \fBBN_pseudo_rand_range()\fR has been identical to
\&\fBBN_rand_range()\fR.
The \*(L"pseudo\*(R" functions should not be used and may be deprecated in
a future release.
.IP "\(bu" 2
The
\&\fBBN_priv_rand()\fR and \fBBN_priv_rand_range()\fR functions were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_security_bits.3 b/secure/lib/libcrypto/man/man3/BN_security_bits.3
index be6475a1d753..00b05253cb75 100644
--- a/secure/lib/libcrypto/man/man3/BN_security_bits.3
+++ b/secure/lib/libcrypto/man/man3/BN_security_bits.3
@@ -1,181 +1,181 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_SECURITY_BITS 3"
-.TH BN_SECURITY_BITS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BN_SECURITY_BITS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BN_security_bits \- returns bits of security based on given numbers
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
\&
\& int BN_security_bits(int L, int N);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBN_security_bits()\fR returns the number of bits of security provided by a
specific algorithm and a particular key size. The bits of security is
defined in \s-1NIST SP800\-57.\s0 Currently, \fBBN_security_bits()\fR support two types
of asymmetric algorithms: the \s-1FFC\s0 (Finite Field Cryptography) and \s-1IFC\s0
(Integer Factorization Cryptography). For \s-1FFC,\s0 e.g., \s-1DSA\s0 and \s-1DH,\s0 both
parameters \fBL\fR and \fBN\fR are used to decide the bits of security, where
\&\fBL\fR is the size of the public key and \fBN\fR is the size of the private
key. For \s-1IFC,\s0 e.g., \s-1RSA,\s0 only \fBL\fR is used and it's commonly considered
to be the key size (modulus).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Number of security bits.
.SH "NOTES"
.IX Header "NOTES"
\&\s-1ECC\s0 (Elliptic Curve Cryptography) is not covered by the \fBBN_security_bits()\fR
function. The symmetric algorithms are not covered neither.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDH_security_bits\fR\|(3), \fBDSA_security_bits\fR\|(3), \fBRSA_security_bits\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBBN_security_bits()\fR function was added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_set_bit.3 b/secure/lib/libcrypto/man/man3/BN_set_bit.3
index 0c170af88516..4deb10d003c3 100644
--- a/secure/lib/libcrypto/man/man3/BN_set_bit.3
+++ b/secure/lib/libcrypto/man/man3/BN_set_bit.3
@@ -1,200 +1,200 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_SET_BIT 3"
-.TH BN_SET_BIT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BN_SET_BIT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BN_set_bit, BN_clear_bit, BN_is_bit_set, BN_mask_bits, BN_lshift, BN_lshift1, BN_rshift, BN_rshift1 \- bit operations on BIGNUMs
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
\&
\& int BN_set_bit(BIGNUM *a, int n);
\& int BN_clear_bit(BIGNUM *a, int n);
\&
\& int BN_is_bit_set(const BIGNUM *a, int n);
\&
\& int BN_mask_bits(BIGNUM *a, int n);
\&
\& int BN_lshift(BIGNUM *r, const BIGNUM *a, int n);
\& int BN_lshift1(BIGNUM *r, BIGNUM *a);
\&
\& int BN_rshift(BIGNUM *r, BIGNUM *a, int n);
\& int BN_rshift1(BIGNUM *r, BIGNUM *a);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBN_set_bit()\fR sets bit \fBn\fR in \fBa\fR to 1 (\f(CW\*(C`a|=(1<<n)\*(C'\fR). The
number is expanded if necessary.
.PP
\&\fBBN_clear_bit()\fR sets bit \fBn\fR in \fBa\fR to 0 (\f(CW\*(C`a&=~(1<<n)\*(C'\fR). An
error occurs if \fBa\fR is shorter than \fBn\fR bits.
.PP
\&\fBBN_is_bit_set()\fR tests if bit \fBn\fR in \fBa\fR is set.
.PP
\&\fBBN_mask_bits()\fR truncates \fBa\fR to an \fBn\fR bit number
(\f(CW\*(C`a&=~((~0)<<n)\*(C'\fR). An error occurs if \fBa\fR already is
shorter than \fBn\fR bits.
.PP
\&\fBBN_lshift()\fR shifts \fBa\fR left by \fBn\fR bits and places the result in
\&\fBr\fR (\f(CW\*(C`r=a*2^n\*(C'\fR). Note that \fBn\fR must be nonnegative. \fBBN_lshift1()\fR shifts
\&\fBa\fR left by one and places the result in \fBr\fR (\f(CW\*(C`r=2*a\*(C'\fR).
.PP
\&\fBBN_rshift()\fR shifts \fBa\fR right by \fBn\fR bits and places the result in
\&\fBr\fR (\f(CW\*(C`r=a/2^n\*(C'\fR). Note that \fBn\fR must be nonnegative. \fBBN_rshift1()\fR shifts
\&\fBa\fR right by one and places the result in \fBr\fR (\f(CW\*(C`r=a/2\*(C'\fR).
.PP
For the shift functions, \fBr\fR and \fBa\fR may be the same variable.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBN_is_bit_set()\fR returns 1 if the bit is set, 0 otherwise.
.PP
All other functions return 1 for success, 0 on error. The error codes
can be obtained by \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBBN_num_bytes\fR\|(3), \fBBN_add\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_swap.3 b/secure/lib/libcrypto/man/man3/BN_swap.3
index 96e1f05003cf..c66f974d6596 100644
--- a/secure/lib/libcrypto/man/man3/BN_swap.3
+++ b/secure/lib/libcrypto/man/man3/BN_swap.3
@@ -1,163 +1,163 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_SWAP 3"
-.TH BN_SWAP 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BN_SWAP 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BN_swap \- exchange BIGNUMs
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
\&
\& void BN_swap(BIGNUM *a, BIGNUM *b);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBBN_swap()\fR exchanges the values of \fIa\fR and \fIb\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBN_swap()\fR does not return a value.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BN_zero.3 b/secure/lib/libcrypto/man/man3/BN_zero.3
index 0bdd8f1e27ad..da9b382cdf08 100644
--- a/secure/lib/libcrypto/man/man3/BN_zero.3
+++ b/secure/lib/libcrypto/man/man3/BN_zero.3
@@ -1,197 +1,197 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BN_ZERO 3"
-.TH BN_ZERO 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BN_ZERO 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BN_zero, BN_one, BN_value_one, BN_set_word, BN_get_word \- BIGNUM assignment operations
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bn.h>
\&
\& void BN_zero(BIGNUM *a);
\& int BN_one(BIGNUM *a);
\&
\& const BIGNUM *BN_value_one(void);
\&
\& int BN_set_word(BIGNUM *a, BN_ULONG w);
\& unsigned BN_ULONG BN_get_word(BIGNUM *a);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fB\s-1BN_ULONG\s0\fR is a macro that will be an unsigned integral type optimized
for the most efficient implementation on the local platform.
.PP
\&\fBBN_zero()\fR, \fBBN_one()\fR and \fBBN_set_word()\fR set \fBa\fR to the values 0, 1 and
\&\fBw\fR respectively. \fBBN_zero()\fR and \fBBN_one()\fR are macros.
.PP
\&\fBBN_value_one()\fR returns a \fB\s-1BIGNUM\s0\fR constant of value 1. This constant
is useful for use in comparisons and assignment.
.PP
\&\fBBN_get_word()\fR returns \fBa\fR, if it can be represented as a \fB\s-1BN_ULONG\s0\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBN_get_word()\fR returns the value \fBa\fR, or all-bits-set if \fBa\fR cannot
be represented as a single integer.
.PP
\&\fBBN_one()\fR and \fBBN_set_word()\fR return 1 on success, 0 otherwise.
\&\fBBN_value_one()\fR returns the constant.
\&\fBBN_zero()\fR never fails and returns no value.
.SH "BUGS"
.IX Header "BUGS"
If a \fB\s-1BIGNUM\s0\fR is equal to the value of all-bits-set, it will collide
with the error condition returned by \fBBN_get_word()\fR which uses that
as an error value.
.PP
\&\fB\s-1BN_ULONG\s0\fR should probably be a typedef.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBBN_bn2bin\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
In OpenSSL 0.9.8, \fBBN_zero()\fR was changed to not return a value; previous
versions returned an int.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/BUF_MEM_new.3 b/secure/lib/libcrypto/man/man3/BUF_MEM_new.3
index fa98d6d5df5c..28e6a7af32aa 100644
--- a/secure/lib/libcrypto/man/man3/BUF_MEM_new.3
+++ b/secure/lib/libcrypto/man/man3/BUF_MEM_new.3
@@ -1,204 +1,204 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BUF_MEM_NEW 3"
-.TH BUF_MEM_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BUF_MEM_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
BUF_MEM_new, BUF_MEM_new_ex, BUF_MEM_free, BUF_MEM_grow, BUF_MEM_grow_clean, BUF_reverse \&\- simple character array structure
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/buffer.h>
\&
\& BUF_MEM *BUF_MEM_new(void);
\&
\& BUF_MEM *BUF_MEM_new_ex(unsigned long flags);
\&
\& void BUF_MEM_free(BUF_MEM *a);
\&
\& int BUF_MEM_grow(BUF_MEM *str, int len);
\& size_t BUF_MEM_grow_clean(BUF_MEM *str, size_t len);
\&
\& void BUF_reverse(unsigned char *out, const unsigned char *in, size_t size);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The buffer library handles simple character arrays. Buffers are used for
various purposes in the library, most notably memory BIOs.
.PP
\&\fBBUF_MEM_new()\fR allocates a new buffer of zero size.
.PP
\&\fBBUF_MEM_new_ex()\fR allocates a buffer with the specified flags.
The flag \fB\s-1BUF_MEM_FLAG_SECURE\s0\fR specifies that the \fBdata\fR pointer
should be allocated on the secure heap; see \fBCRYPTO_secure_malloc\fR\|(3).
.PP
\&\fBBUF_MEM_free()\fR frees up an already existing buffer. The data is zeroed
before freeing up in case the buffer contains sensitive data.
.PP
\&\fBBUF_MEM_grow()\fR changes the size of an already existing buffer to
\&\fBlen\fR. Any data already in the buffer is preserved if it increases in
size.
.PP
\&\fBBUF_MEM_grow_clean()\fR is similar to \fBBUF_MEM_grow()\fR but it sets any free'd
or additionally-allocated memory to zero.
.PP
\&\fBBUF_reverse()\fR reverses \fBsize\fR bytes at \fBin\fR into \fBout\fR. If \fBin\fR
is \s-1NULL,\s0 the array is reversed in-place.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBBUF_MEM_new()\fR returns the buffer or \s-1NULL\s0 on error.
.PP
\&\fBBUF_MEM_free()\fR has no return value.
.PP
\&\fBBUF_MEM_grow()\fR and \fBBUF_MEM_grow_clean()\fR return
zero on error or the new size (i.e., \fBlen\fR).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBbio\fR\|(7),
\&\fBCRYPTO_secure_malloc\fR\|(3).
.SH "HISTORY"
.IX Header "HISTORY"
The \fBBUF_MEM_new_ex()\fR function was added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_add0_cert.3 b/secure/lib/libcrypto/man/man3/CMS_add0_cert.3
index ac14b30d865f..298acf3fa351 100644
--- a/secure/lib/libcrypto/man/man3/CMS_add0_cert.3
+++ b/secure/lib/libcrypto/man/man3/CMS_add0_cert.3
@@ -1,200 +1,200 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_ADD0_CERT 3"
-.TH CMS_ADD0_CERT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CMS_ADD0_CERT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CMS_add0_cert, CMS_add1_cert, CMS_get1_certs, CMS_add0_crl, CMS_add1_crl, CMS_get1_crls \&\- CMS certificate and CRL utility functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& int CMS_add0_cert(CMS_ContentInfo *cms, X509 *cert);
\& int CMS_add1_cert(CMS_ContentInfo *cms, X509 *cert);
\& STACK_OF(X509) *CMS_get1_certs(CMS_ContentInfo *cms);
\&
\& int CMS_add0_crl(CMS_ContentInfo *cms, X509_CRL *crl);
\& int CMS_add1_crl(CMS_ContentInfo *cms, X509_CRL *crl);
\& STACK_OF(X509_CRL) *CMS_get1_crls(CMS_ContentInfo *cms);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBCMS_add0_cert()\fR and \fBCMS_add1_cert()\fR add certificate \fBcert\fR to \fBcms\fR.
must be of type signed data or enveloped data.
.PP
\&\fBCMS_get1_certs()\fR returns all certificates in \fBcms\fR.
.PP
\&\fBCMS_add0_crl()\fR and \fBCMS_add1_crl()\fR add \s-1CRL\s0 \fBcrl\fR to \fBcms\fR. \fBCMS_get1_crls()\fR
returns any CRLs in \fBcms\fR.
.SH "NOTES"
.IX Header "NOTES"
The CMS_ContentInfo structure \fBcms\fR must be of type signed data or enveloped
data or an error will be returned.
.PP
For signed data certificates and CRLs are added to the \fBcertificates\fR and
\&\fBcrls\fR fields of SignedData structure. For enveloped data they are added to
\&\fBOriginatorInfo\fR.
.PP
As the \fB0\fR implies \fBCMS_add0_cert()\fR adds \fBcert\fR internally to \fBcms\fR and it
must not be freed up after the call as opposed to \fBCMS_add1_cert()\fR where \fBcert\fR
must be freed up.
.PP
The same certificate or \s-1CRL\s0 must not be added to the same cms structure more
than once.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCMS_add0_cert()\fR, \fBCMS_add1_cert()\fR and \fBCMS_add0_crl()\fR and \fBCMS_add1_crl()\fR return
1 for success and 0 for failure.
.PP
\&\fBCMS_get1_certs()\fR and \fBCMS_get1_crls()\fR return the \s-1STACK\s0 of certificates or CRLs
or \s-1NULL\s0 if there are none or an error occurs. The only error which will occur
in practice is if the \fBcms\fR type is invalid.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3),
\&\fBCMS_sign\fR\|(3),
\&\fBCMS_encrypt\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_add1_recipient_cert.3 b/secure/lib/libcrypto/man/man3/CMS_add1_recipient_cert.3
index 01ec3703774e..25c81704b877 100644
--- a/secure/lib/libcrypto/man/man3/CMS_add1_recipient_cert.3
+++ b/secure/lib/libcrypto/man/man3/CMS_add1_recipient_cert.3
@@ -1,203 +1,203 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_ADD1_RECIPIENT_CERT 3"
-.TH CMS_ADD1_RECIPIENT_CERT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CMS_ADD1_RECIPIENT_CERT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CMS_add1_recipient_cert, CMS_add0_recipient_key \- add recipients to a CMS enveloped data structure
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
\& X509 *recip, unsigned int flags);
\&
\& CMS_RecipientInfo *CMS_add0_recipient_key(CMS_ContentInfo *cms, int nid,
\& unsigned char *key, size_t keylen,
\& unsigned char *id, size_t idlen,
\& ASN1_GENERALIZEDTIME *date,
\& ASN1_OBJECT *otherTypeId,
\& ASN1_TYPE *otherType);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBCMS_add1_recipient_cert()\fR adds recipient \fBrecip\fR to CMS_ContentInfo enveloped
data structure \fBcms\fR as a KeyTransRecipientInfo structure.
.PP
\&\fBCMS_add0_recipient_key()\fR adds symmetric key \fBkey\fR of length \fBkeylen\fR using
wrapping algorithm \fBnid\fR, identifier \fBid\fR of length \fBidlen\fR and optional
values \fBdate\fR, \fBotherTypeId\fR and \fBotherType\fR to CMS_ContentInfo enveloped
data structure \fBcms\fR as a KEKRecipientInfo structure.
.PP
The CMS_ContentInfo structure should be obtained from an initial call to
\&\fBCMS_encrypt()\fR with the flag \fB\s-1CMS_PARTIAL\s0\fR set.
.SH "NOTES"
.IX Header "NOTES"
The main purpose of this function is to provide finer control over a \s-1CMS\s0
enveloped data structure where the simpler \fBCMS_encrypt()\fR function defaults are
not appropriate. For example if one or more KEKRecipientInfo structures
need to be added. New attributes can also be added using the returned
CMS_RecipientInfo structure and the \s-1CMS\s0 attribute utility functions.
.PP
OpenSSL will by default identify recipient certificates using issuer name
and serial number. If \fB\s-1CMS_USE_KEYID\s0\fR is set it will use the subject key
identifier value instead. An error occurs if all recipient certificates do not
have a subject key identifier extension.
.PP
Currently only \s-1AES\s0 based key wrapping algorithms are supported for \fBnid\fR,
specifically: NID_id_aes128_wrap, NID_id_aes192_wrap and NID_id_aes256_wrap.
If \fBnid\fR is set to \fBNID_undef\fR then an \s-1AES\s0 wrap algorithm will be used
consistent with \fBkeylen\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCMS_add1_recipient_cert()\fR and \fBCMS_add0_recipient_key()\fR return an internal
pointer to the CMS_RecipientInfo structure just added or \s-1NULL\s0 if an error
occurs.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_decrypt\fR\|(3),
\&\fBCMS_final\fR\|(3),
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_add1_signer.3 b/secure/lib/libcrypto/man/man3/CMS_add1_signer.3
index af6bbfde4202..891907e278b9 100644
--- a/secure/lib/libcrypto/man/man3/CMS_add1_signer.3
+++ b/secure/lib/libcrypto/man/man3/CMS_add1_signer.3
@@ -1,238 +1,238 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_ADD1_SIGNER 3"
-.TH CMS_ADD1_SIGNER 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CMS_ADD1_SIGNER 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CMS_add1_signer, CMS_SignerInfo_sign \- add a signer to a CMS_ContentInfo signed data structure
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, X509 *signcert,
\& EVP_PKEY *pkey, const EVP_MD *md,
\& unsigned int flags);
\&
\& int CMS_SignerInfo_sign(CMS_SignerInfo *si);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBCMS_add1_signer()\fR adds a signer with certificate \fBsigncert\fR and private
key \fBpkey\fR using message digest \fBmd\fR to CMS_ContentInfo SignedData
structure \fBcms\fR.
.PP
The CMS_ContentInfo structure should be obtained from an initial call to
\&\fBCMS_sign()\fR with the flag \fB\s-1CMS_PARTIAL\s0\fR set or in the case or re-signing a
valid CMS_ContentInfo SignedData structure.
.PP
If the \fBmd\fR parameter is \fB\s-1NULL\s0\fR then the default digest for the public
key algorithm will be used.
.PP
Unless the \fB\s-1CMS_REUSE_DIGEST\s0\fR flag is set the returned CMS_ContentInfo
structure is not complete and must be finalized either by streaming (if
applicable) or a call to \fBCMS_final()\fR.
.PP
The \fBCMS_SignerInfo_sign()\fR function will explicitly sign a CMS_SignerInfo
structure, its main use is when \fB\s-1CMS_REUSE_DIGEST\s0\fR and \fB\s-1CMS_PARTIAL\s0\fR flags
are both set.
.SH "NOTES"
.IX Header "NOTES"
The main purpose of \fBCMS_add1_signer()\fR is to provide finer control
over a \s-1CMS\s0 signed data structure where the simpler \fBCMS_sign()\fR function defaults
are not appropriate. For example if multiple signers or non default digest
algorithms are needed. New attributes can also be added using the returned
CMS_SignerInfo structure and the \s-1CMS\s0 attribute utility functions or the
\&\s-1CMS\s0 signed receipt request functions.
.PP
Any of the following flags (ored together) can be passed in the \fBflags\fR
parameter.
.PP
If \fB\s-1CMS_REUSE_DIGEST\s0\fR is set then an attempt is made to copy the content
digest value from the CMS_ContentInfo structure: to add a signer to an existing
structure. An error occurs if a matching digest value cannot be found to copy.
The returned CMS_ContentInfo structure will be valid and finalized when this
flag is set.
.PP
If \fB\s-1CMS_PARTIAL\s0\fR is set in addition to \fB\s-1CMS_REUSE_DIGEST\s0\fR then the
CMS_SignerInfo structure will not be finalized so additional attributes
can be added. In this case an explicit call to \fBCMS_SignerInfo_sign()\fR is
needed to finalize it.
.PP
If \fB\s-1CMS_NOCERTS\s0\fR is set the signer's certificate will not be included in the
CMS_ContentInfo structure, the signer's certificate must still be supplied in
the \fBsigncert\fR parameter though. This can reduce the size of the signature if
the signers certificate can be obtained by other means: for example a
previously signed message.
.PP
The SignedData structure includes several \s-1CMS\s0 signedAttributes including the
signing time, the \s-1CMS\s0 content type and the supported list of ciphers in an
SMIMECapabilities attribute. If \fB\s-1CMS_NOATTR\s0\fR is set then no signedAttributes
will be used. If \fB\s-1CMS_NOSMIMECAP\s0\fR is set then just the SMIMECapabilities are
omitted.
.PP
OpenSSL will by default identify signing certificates using issuer name
and serial number. If \fB\s-1CMS_USE_KEYID\s0\fR is set it will use the subject key
identifier value instead. An error occurs if the signing certificate does not
have a subject key identifier extension.
.PP
If present the SMIMECapabilities attribute indicates support for the following
algorithms in preference order: 256 bit \s-1AES,\s0 Gost R3411\-94, Gost 28147\-89, 192
bit \s-1AES, 128\s0 bit \s-1AES,\s0 triple \s-1DES, 128\s0 bit \s-1RC2, 64\s0 bit \s-1RC2, DES\s0 and 40 bit \s-1RC2.\s0
If any of these algorithms is not available then it will not be included: for example the \s-1GOST\s0 algorithms will not be included if the \s-1GOST ENGINE\s0 is
not loaded.
.PP
\&\fBCMS_add1_signer()\fR returns an internal pointer to the CMS_SignerInfo
structure just added, this can be used to set additional attributes
before it is finalized.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCMS_add1_signer()\fR returns an internal pointer to the CMS_SignerInfo
structure just added or \s-1NULL\s0 if an error occurs.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_sign\fR\|(3),
\&\fBCMS_final\fR\|(3),
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2014\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_compress.3 b/secure/lib/libcrypto/man/man3/CMS_compress.3
index 31ffa60d5e00..2c1e01bf246f 100644
--- a/secure/lib/libcrypto/man/man3/CMS_compress.3
+++ b/secure/lib/libcrypto/man/man3/CMS_compress.3
@@ -1,210 +1,210 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_COMPRESS 3"
-.TH CMS_COMPRESS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CMS_COMPRESS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CMS_compress \- create a CMS CompressedData structure
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& CMS_ContentInfo *CMS_compress(BIO *in, int comp_nid, unsigned int flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBCMS_compress()\fR creates and returns a \s-1CMS\s0 CompressedData structure. \fBcomp_nid\fR
is the compression algorithm to use or \fBNID_undef\fR to use the default
algorithm (zlib compression). \fBin\fR is the content to be compressed.
\&\fBflags\fR is an optional set of flags.
.SH "NOTES"
.IX Header "NOTES"
The only currently supported compression algorithm is zlib using the \s-1NID\s0
NID_zlib_compression.
.PP
If zlib support is not compiled into OpenSSL then \fBCMS_compress()\fR will return
an error.
.PP
If the \fB\s-1CMS_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \fBtext/plain\fR are
prepended to the data.
.PP
Normally the supplied content is translated into \s-1MIME\s0 canonical format (as
required by the S/MIME specifications) if \fB\s-1CMS_BINARY\s0\fR is set no translation
occurs. This option should be used if the supplied data is in binary format
otherwise the translation will corrupt it. If \fB\s-1CMS_BINARY\s0\fR is set then
\&\fB\s-1CMS_TEXT\s0\fR is ignored.
.PP
If the \fB\s-1CMS_STREAM\s0\fR flag is set a partial \fBCMS_ContentInfo\fR structure is
returned suitable for streaming I/O: no data is read from the \s-1BIO\s0 \fBin\fR.
.PP
The compressed data is included in the CMS_ContentInfo structure, unless
\&\fB\s-1CMS_DETACHED\s0\fR is set in which case it is omitted. This is rarely used in
practice and is not supported by \fBSMIME_write_CMS()\fR.
.SH "NOTES"
.IX Header "NOTES"
If the flag \fB\s-1CMS_STREAM\s0\fR is set the returned \fBCMS_ContentInfo\fR structure is
\&\fBnot\fR complete and outputting its contents via a function that does not
properly finalize the \fBCMS_ContentInfo\fR structure will give unpredictable
results.
.PP
Several functions including \fBSMIME_write_CMS()\fR, \fBi2d_CMS_bio_stream()\fR,
\&\fBPEM_write_bio_CMS_stream()\fR finalize the structure. Alternatively finalization
can be performed by obtaining the streaming \s-1ASN1\s0 \fB\s-1BIO\s0\fR directly using
\&\fBBIO_new_CMS()\fR.
.PP
Additional compression parameters such as the zlib compression level cannot
currently be set.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCMS_compress()\fR returns either a CMS_ContentInfo structure or \s-1NULL\s0 if an error
occurred. The error can be obtained from \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_uncompress\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\s-1CMS_STREAM\s0\fR flag was added in OpenSSL 1.0.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_decrypt.3 b/secure/lib/libcrypto/man/man3/CMS_decrypt.3
index a7232b70f977..3497124c4aad 100644
--- a/secure/lib/libcrypto/man/man3/CMS_decrypt.3
+++ b/secure/lib/libcrypto/man/man3/CMS_decrypt.3
@@ -1,212 +1,212 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_DECRYPT 3"
-.TH CMS_DECRYPT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CMS_DECRYPT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CMS_decrypt \- decrypt content from a CMS envelopedData structure
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pkey, X509 *cert,
\& BIO *dcont, BIO *out, unsigned int flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBCMS_decrypt()\fR extracts and decrypts the content from a \s-1CMS\s0 EnvelopedData
structure. \fBpkey\fR is the private key of the recipient, \fBcert\fR is the
recipient's certificate, \fBout\fR is a \s-1BIO\s0 to write the content to and
\&\fBflags\fR is an optional set of flags.
.PP
The \fBdcont\fR parameter is used in the rare case where the encrypted content
is detached. It will normally be set to \s-1NULL.\s0
.SH "NOTES"
.IX Header "NOTES"
Although the recipients certificate is not needed to decrypt the data it is
needed to locate the appropriate (of possible several) recipients in the \s-1CMS\s0
structure.
.PP
If \fBcert\fR is set to \s-1NULL\s0 all possible recipients are tried. This case however
is problematic. To thwart the \s-1MMA\s0 attack (Bleichenbacher's attack on
\&\s-1PKCS\s0 #1 v1.5 \s-1RSA\s0 padding) all recipients are tried whether they succeed or
not. If no recipient succeeds then a random symmetric key is used to decrypt
the content: this will typically output garbage and may (but is not guaranteed
to) ultimately return a padding error only. If \fBCMS_decrypt()\fR just returned an
error when all recipient encrypted keys failed to decrypt an attacker could
use this in a timing attack. If the special flag \fB\s-1CMS_DEBUG_DECRYPT\s0\fR is set
then the above behaviour is modified and an error \fBis\fR returned if no
recipient encrypted key can be decrypted \fBwithout\fR generating a random
content encryption key. Applications should use this flag with
\&\fBextreme caution\fR especially in automated gateways as it can leave them
open to attack.
.PP
It is possible to determine the correct recipient key by other means (for
example looking them up in a database) and setting them in the \s-1CMS\s0 structure
in advance using the \s-1CMS\s0 utility functions such as \fBCMS_set1_pkey()\fR. In this
case both \fBcert\fR and \fBpkey\fR should be set to \s-1NULL.\s0
.PP
To process KEKRecipientInfo types \fBCMS_set1_key()\fR or \fBCMS_RecipientInfo_set0_key()\fR
and \fBCMS_RecipientInfo_decrypt()\fR should be called before \fBCMS_decrypt()\fR and
\&\fBcert\fR and \fBpkey\fR set to \s-1NULL.\s0
.PP
The following flags can be passed in the \fBflags\fR parameter.
.PP
If the \fB\s-1CMS_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \fBtext/plain\fR are deleted
from the content. If the content is not of type \fBtext/plain\fR then an error is
returned.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCMS_decrypt()\fR returns either 1 for success or 0 for failure.
The error can be obtained from \fBERR_get_error\fR\|(3)
.SH "BUGS"
.IX Header "BUGS"
The lack of single pass processing and the need to hold all data in memory as
mentioned in \fBCMS_verify()\fR also applies to \fBCMS_decrypt()\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_encrypt\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_encrypt.3 b/secure/lib/libcrypto/man/man3/CMS_encrypt.3
index 2041397dd860..648326bf1c91 100644
--- a/secure/lib/libcrypto/man/man3/CMS_encrypt.3
+++ b/secure/lib/libcrypto/man/man3/CMS_encrypt.3
@@ -1,233 +1,233 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_ENCRYPT 3"
-.TH CMS_ENCRYPT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CMS_ENCRYPT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CMS_encrypt \- create a CMS envelopedData structure
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *in,
\& const EVP_CIPHER *cipher, unsigned int flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBCMS_encrypt()\fR creates and returns a \s-1CMS\s0 EnvelopedData structure. \fBcerts\fR
is a list of recipient certificates. \fBin\fR is the content to be encrypted.
\&\fBcipher\fR is the symmetric cipher to use. \fBflags\fR is an optional set of flags.
.SH "NOTES"
.IX Header "NOTES"
Only certificates carrying \s-1RSA,\s0 Diffie-Hellman or \s-1EC\s0 keys are supported by this
function.
.PP
\&\fBEVP_des_ede3_cbc()\fR (triple \s-1DES\s0) is the algorithm of choice for S/MIME use
because most clients will support it.
.PP
The algorithm passed in the \fBcipher\fR parameter must support \s-1ASN1\s0 encoding of
its parameters.
.PP
Many browsers implement a \*(L"sign and encrypt\*(R" option which is simply an S/MIME
envelopedData containing an S/MIME signed message. This can be readily produced
by storing the S/MIME signed message in a memory \s-1BIO\s0 and passing it to
\&\fBCMS_encrypt()\fR.
.PP
The following flags can be passed in the \fBflags\fR parameter.
.PP
If the \fB\s-1CMS_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \fBtext/plain\fR are
prepended to the data.
.PP
Normally the supplied content is translated into \s-1MIME\s0 canonical format (as
required by the S/MIME specifications) if \fB\s-1CMS_BINARY\s0\fR is set no translation
occurs. This option should be used if the supplied data is in binary format
otherwise the translation will corrupt it. If \fB\s-1CMS_BINARY\s0\fR is set then
\&\fB\s-1CMS_TEXT\s0\fR is ignored.
.PP
OpenSSL will by default identify recipient certificates using issuer name
and serial number. If \fB\s-1CMS_USE_KEYID\s0\fR is set it will use the subject key
identifier value instead. An error occurs if all recipient certificates do not
have a subject key identifier extension.
.PP
If the \fB\s-1CMS_STREAM\s0\fR flag is set a partial \fBCMS_ContentInfo\fR structure is
returned suitable for streaming I/O: no data is read from the \s-1BIO\s0 \fBin\fR.
.PP
If the \fB\s-1CMS_PARTIAL\s0\fR flag is set a partial \fBCMS_ContentInfo\fR structure is
returned to which additional recipients and attributes can be added before
finalization.
.PP
The data being encrypted is included in the CMS_ContentInfo structure, unless
\&\fB\s-1CMS_DETACHED\s0\fR is set in which case it is omitted. This is rarely used in
practice and is not supported by \fBSMIME_write_CMS()\fR.
.SH "NOTES"
.IX Header "NOTES"
If the flag \fB\s-1CMS_STREAM\s0\fR is set the returned \fBCMS_ContentInfo\fR structure is
\&\fBnot\fR complete and outputting its contents via a function that does not
properly finalize the \fBCMS_ContentInfo\fR structure will give unpredictable
results.
.PP
Several functions including \fBSMIME_write_CMS()\fR, \fBi2d_CMS_bio_stream()\fR,
\&\fBPEM_write_bio_CMS_stream()\fR finalize the structure. Alternatively finalization
can be performed by obtaining the streaming \s-1ASN1\s0 \fB\s-1BIO\s0\fR directly using
\&\fBBIO_new_CMS()\fR.
.PP
The recipients specified in \fBcerts\fR use a \s-1CMS\s0 KeyTransRecipientInfo info
structure. KEKRecipientInfo is also supported using the flag \fB\s-1CMS_PARTIAL\s0\fR
and \fBCMS_add0_recipient_key()\fR.
.PP
The parameter \fBcerts\fR may be \s-1NULL\s0 if \fB\s-1CMS_PARTIAL\s0\fR is set and recipients
added later using \fBCMS_add1_recipient_cert()\fR or \fBCMS_add0_recipient_key()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCMS_encrypt()\fR returns either a CMS_ContentInfo structure or \s-1NULL\s0 if an error
occurred. The error can be obtained from \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_decrypt\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\s-1CMS_STREAM\s0\fR flag was first supported in OpenSSL 1.0.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2008\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_final.3 b/secure/lib/libcrypto/man/man3/CMS_final.3
index 4ed03b99a74b..f6a47c21b6b7 100644
--- a/secure/lib/libcrypto/man/man3/CMS_final.3
+++ b/secure/lib/libcrypto/man/man3/CMS_final.3
@@ -1,177 +1,177 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_FINAL 3"
-.TH CMS_FINAL 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CMS_FINAL 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CMS_final \- finalise a CMS_ContentInfo structure
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& int CMS_final(CMS_ContentInfo *cms, BIO *data, BIO *dcont, unsigned int flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBCMS_final()\fR finalises the structure \fBcms\fR. Its purpose is to perform any
operations necessary on \fBcms\fR (digest computation for example) and set the
appropriate fields. The parameter \fBdata\fR contains the content to be
processed. The \fBdcont\fR parameter contains a \s-1BIO\s0 to write content to after
processing: this is only used with detached data and will usually be set to
\&\s-1NULL.\s0
.SH "NOTES"
.IX Header "NOTES"
This function will normally be called when the \fB\s-1CMS_PARTIAL\s0\fR flag is used. It
should only be used when streaming is not performed because the streaming
I/O functions perform finalisation operations internally.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCMS_final()\fR returns 1 for success or 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_sign\fR\|(3),
\&\fBCMS_encrypt\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2008\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_get0_RecipientInfos.3 b/secure/lib/libcrypto/man/man3/CMS_get0_RecipientInfos.3
index 4da545a75fd6..b74e9a9d5f25 100644
--- a/secure/lib/libcrypto/man/man3/CMS_get0_RecipientInfos.3
+++ b/secure/lib/libcrypto/man/man3/CMS_get0_RecipientInfos.3
@@ -1,265 +1,265 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_GET0_RECIPIENTINFOS 3"
-.TH CMS_GET0_RECIPIENTINFOS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CMS_GET0_RECIPIENTINFOS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CMS_get0_RecipientInfos, CMS_RecipientInfo_type, CMS_RecipientInfo_ktri_get0_signer_id, CMS_RecipientInfo_ktri_cert_cmp, CMS_RecipientInfo_set0_pkey, CMS_RecipientInfo_kekri_get0_id, CMS_RecipientInfo_kekri_id_cmp, CMS_RecipientInfo_set0_key, CMS_RecipientInfo_decrypt, CMS_RecipientInfo_encrypt \&\- CMS envelopedData RecipientInfo routines
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& STACK_OF(CMS_RecipientInfo) *CMS_get0_RecipientInfos(CMS_ContentInfo *cms);
\& int CMS_RecipientInfo_type(CMS_RecipientInfo *ri);
\&
\& int CMS_RecipientInfo_ktri_get0_signer_id(CMS_RecipientInfo *ri,
\& ASN1_OCTET_STRING **keyid,
\& X509_NAME **issuer,
\& ASN1_INTEGER **sno);
\& int CMS_RecipientInfo_ktri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert);
\& int CMS_RecipientInfo_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pkey);
\&
\& int CMS_RecipientInfo_kekri_get0_id(CMS_RecipientInfo *ri, X509_ALGOR **palg,
\& ASN1_OCTET_STRING **pid,
\& ASN1_GENERALIZEDTIME **pdate,
\& ASN1_OBJECT **potherid,
\& ASN1_TYPE **pothertype);
\& int CMS_RecipientInfo_kekri_id_cmp(CMS_RecipientInfo *ri,
\& const unsigned char *id, size_t idlen);
\& int CMS_RecipientInfo_set0_key(CMS_RecipientInfo *ri,
\& unsigned char *key, size_t keylen);
\&
\& int CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri);
\& int CMS_RecipientInfo_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The function \fBCMS_get0_RecipientInfos()\fR returns all the CMS_RecipientInfo
structures associated with a \s-1CMS\s0 EnvelopedData structure.
.PP
\&\fBCMS_RecipientInfo_type()\fR returns the type of CMS_RecipientInfo structure \fBri\fR.
It will currently return \s-1CMS_RECIPINFO_TRANS, CMS_RECIPINFO_AGREE,
CMS_RECIPINFO_KEK, CMS_RECIPINFO_PASS,\s0 or \s-1CMS_RECIPINFO_OTHER.\s0
.PP
\&\fBCMS_RecipientInfo_ktri_get0_signer_id()\fR retrieves the certificate recipient
identifier associated with a specific CMS_RecipientInfo structure \fBri\fR, which
must be of type \s-1CMS_RECIPINFO_TRANS.\s0 Either the keyidentifier will be set in
\&\fBkeyid\fR or \fBboth\fR issuer name and serial number in \fBissuer\fR and \fBsno\fR.
.PP
\&\fBCMS_RecipientInfo_ktri_cert_cmp()\fR compares the certificate \fBcert\fR against the
CMS_RecipientInfo structure \fBri\fR, which must be of type \s-1CMS_RECIPINFO_TRANS.\s0
It returns zero if the comparison is successful and non zero if not.
.PP
\&\fBCMS_RecipientInfo_set0_pkey()\fR associates the private key \fBpkey\fR with
the CMS_RecipientInfo structure \fBri\fR, which must be of type
\&\s-1CMS_RECIPINFO_TRANS.\s0
.PP
\&\fBCMS_RecipientInfo_kekri_get0_id()\fR retrieves the key information from the
CMS_RecipientInfo structure \fBri\fR which must be of type \s-1CMS_RECIPINFO_KEK.\s0 Any
of the remaining parameters can be \s-1NULL\s0 if the application is not interested in
the value of a field. Where a field is optional and absent \s-1NULL\s0 will be written
to the corresponding parameter. The keyEncryptionAlgorithm field is written to
\&\fBpalg\fR, the \fBkeyIdentifier\fR field is written to \fBpid\fR, the \fBdate\fR field if
present is written to \fBpdate\fR, if the \fBother\fR field is present the components
\&\fBkeyAttrId\fR and \fBkeyAttr\fR are written to parameters \fBpotherid\fR and
\&\fBpothertype\fR.
.PP
\&\fBCMS_RecipientInfo_kekri_id_cmp()\fR compares the \s-1ID\s0 in the \fBid\fR and \fBidlen\fR
parameters against the \fBkeyIdentifier\fR CMS_RecipientInfo structure \fBri\fR,
which must be of type \s-1CMS_RECIPINFO_KEK.\s0 It returns zero if the comparison is
successful and non zero if not.
.PP
\&\fBCMS_RecipientInfo_set0_key()\fR associates the symmetric key \fBkey\fR of length
\&\fBkeylen\fR with the CMS_RecipientInfo structure \fBri\fR, which must be of type
\&\s-1CMS_RECIPINFO_KEK.\s0
.PP
\&\fBCMS_RecipientInfo_decrypt()\fR attempts to decrypt CMS_RecipientInfo structure
\&\fBri\fR in structure \fBcms\fR. A key must have been associated with the structure
first.
.PP
\&\fBCMS_RecipientInfo_encrypt()\fR attempts to encrypt CMS_RecipientInfo structure
\&\fBri\fR in structure \fBcms\fR. A key must have been associated with the structure
first and the content encryption key must be available: for example by a
previous call to \fBCMS_RecipientInfo_decrypt()\fR.
.SH "NOTES"
.IX Header "NOTES"
The main purpose of these functions is to enable an application to lookup
recipient keys using any appropriate technique when the simpler method
of \fBCMS_decrypt()\fR is not appropriate.
.PP
In typical usage and application will retrieve all CMS_RecipientInfo structures
using \fBCMS_get0_RecipientInfos()\fR and check the type of each using
\&\fBCMS_RecipientInfo_type()\fR. Depending on the type the CMS_RecipientInfo structure
can be ignored or its key identifier data retrieved using an appropriate
function. Then if the corresponding secret or private key can be obtained by
any appropriate means it can then associated with the structure and
\&\fBCMS_RecipientInfo_decrypt()\fR called. If successful \fBCMS_decrypt()\fR can be called
with a \s-1NULL\s0 key to decrypt the enveloped content.
.PP
The \fBCMS_RecipientInfo_encrypt()\fR can be used to add a new recipient to an
existing enveloped data structure. Typically an application will first decrypt
an appropriate CMS_RecipientInfo structure to make the content encrypt key
available, it will then add a new recipient using a function such as
\&\fBCMS_add1_recipient_cert()\fR and finally encrypt the content encryption key
using \fBCMS_RecipientInfo_encrypt()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCMS_get0_RecipientInfos()\fR returns all CMS_RecipientInfo structures, or \s-1NULL\s0 if
an error occurs.
.PP
\&\fBCMS_RecipientInfo_ktri_get0_signer_id()\fR, \fBCMS_RecipientInfo_set0_pkey()\fR,
\&\fBCMS_RecipientInfo_kekri_get0_id()\fR, \fBCMS_RecipientInfo_set0_key()\fR and
\&\fBCMS_RecipientInfo_decrypt()\fR return 1 for success or 0 if an error occurs.
\&\fBCMS_RecipientInfo_encrypt()\fR return 1 for success or 0 if an error occurs.
.PP
\&\fBCMS_RecipientInfo_ktri_cert_cmp()\fR and \fBCMS_RecipientInfo_kekri_cmp()\fR return 0
for a successful comparison and non zero otherwise.
.PP
Any error can be obtained from \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_decrypt\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_get0_SignerInfos.3 b/secure/lib/libcrypto/man/man3/CMS_get0_SignerInfos.3
index ea1680e42e05..7c1cd35073c0 100644
--- a/secure/lib/libcrypto/man/man3/CMS_get0_SignerInfos.3
+++ b/secure/lib/libcrypto/man/man3/CMS_get0_SignerInfos.3
@@ -1,218 +1,218 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_GET0_SIGNERINFOS 3"
-.TH CMS_GET0_SIGNERINFOS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CMS_GET0_SIGNERINFOS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CMS_SignerInfo_set1_signer_cert, CMS_get0_SignerInfos, CMS_SignerInfo_get0_signer_id, CMS_SignerInfo_get0_signature, CMS_SignerInfo_cert_cmp \&\- CMS signedData signer functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& STACK_OF(CMS_SignerInfo) *CMS_get0_SignerInfos(CMS_ContentInfo *cms);
\&
\& int CMS_SignerInfo_get0_signer_id(CMS_SignerInfo *si, ASN1_OCTET_STRING **keyid,
\& X509_NAME **issuer, ASN1_INTEGER **sno);
\& ASN1_OCTET_STRING *CMS_SignerInfo_get0_signature(CMS_SignerInfo *si);
\& int CMS_SignerInfo_cert_cmp(CMS_SignerInfo *si, X509 *cert);
\& void CMS_SignerInfo_set1_signer_cert(CMS_SignerInfo *si, X509 *signer);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The function \fBCMS_get0_SignerInfos()\fR returns all the CMS_SignerInfo structures
associated with a \s-1CMS\s0 signedData structure.
.PP
\&\fBCMS_SignerInfo_get0_signer_id()\fR retrieves the certificate signer identifier
associated with a specific CMS_SignerInfo structure \fBsi\fR. Either the
keyidentifier will be set in \fBkeyid\fR or \fBboth\fR issuer name and serial number
in \fBissuer\fR and \fBsno\fR.
.PP
\&\fBCMS_SignerInfo_get0_signature()\fR retrieves the signature associated with
\&\fBsi\fR in a pointer to an \s-1ASN1_OCTET_STRING\s0 structure. This pointer returned
corresponds to the internal signature value if \fBsi\fR so it may be read or
modified.
.PP
\&\fBCMS_SignerInfo_cert_cmp()\fR compares the certificate \fBcert\fR against the signer
identifier \fBsi\fR. It returns zero if the comparison is successful and non zero
if not.
.PP
\&\fBCMS_SignerInfo_set1_signer_cert()\fR sets the signers certificate of \fBsi\fR to
\&\fBsigner\fR.
.SH "NOTES"
.IX Header "NOTES"
The main purpose of these functions is to enable an application to lookup
signers certificates using any appropriate technique when the simpler method
of \fBCMS_verify()\fR is not appropriate.
.PP
In typical usage and application will retrieve all CMS_SignerInfo structures
using \fBCMS_get0_SignerInfo()\fR and retrieve the identifier information using
\&\s-1CMS.\s0 It will then obtain the signer certificate by some unspecified means
(or return and error if it cannot be found) and set it using
\&\fBCMS_SignerInfo_set1_signer_cert()\fR.
.PP
Once all signer certificates have been set \fBCMS_verify()\fR can be used.
.PP
Although \fBCMS_get0_SignerInfos()\fR can return \s-1NULL\s0 if an error occurs \fBor\fR if
there are no signers this is not a problem in practice because the only
error which can occur is if the \fBcms\fR structure is not of type signedData
due to application error.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCMS_get0_SignerInfos()\fR returns all CMS_SignerInfo structures, or \s-1NULL\s0 there
are no signers or an error occurs.
.PP
\&\fBCMS_SignerInfo_get0_signer_id()\fR returns 1 for success and 0 for failure.
.PP
\&\fBCMS_SignerInfo_cert_cmp()\fR returns 0 for a successful comparison and non
zero otherwise.
.PP
\&\fBCMS_SignerInfo_set1_signer_cert()\fR does not return a value.
.PP
Any error can be obtained from \fBERR_get_error\fR\|(3)
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_verify\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2008\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_get0_type.3 b/secure/lib/libcrypto/man/man3/CMS_get0_type.3
index eb214e64650b..2f198ee3236d 100644
--- a/secure/lib/libcrypto/man/man3/CMS_get0_type.3
+++ b/secure/lib/libcrypto/man/man3/CMS_get0_type.3
@@ -1,217 +1,217 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_GET0_TYPE 3"
-.TH CMS_GET0_TYPE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CMS_GET0_TYPE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CMS_get0_type, CMS_set1_eContentType, CMS_get0_eContentType, CMS_get0_content \- get and set CMS content types and content
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& const ASN1_OBJECT *CMS_get0_type(const CMS_ContentInfo *cms);
\& int CMS_set1_eContentType(CMS_ContentInfo *cms, const ASN1_OBJECT *oid);
\& const ASN1_OBJECT *CMS_get0_eContentType(CMS_ContentInfo *cms);
\& ASN1_OCTET_STRING **CMS_get0_content(CMS_ContentInfo *cms);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBCMS_get0_type()\fR returns the content type of a CMS_ContentInfo structure as
an \s-1ASN1_OBJECT\s0 pointer. An application can then decide how to process the
CMS_ContentInfo structure based on this value.
.PP
\&\fBCMS_set1_eContentType()\fR sets the embedded content type of a CMS_ContentInfo
structure. It should be called with \s-1CMS\s0 functions (such as CMS_sign, CMS_encrypt)
with the \fB\s-1CMS_PARTIAL\s0\fR
flag and \fBbefore\fR the structure is finalised, otherwise the results are
undefined.
.PP
\&\s-1ASN1_OBJECT\s0 *\fBCMS_get0_eContentType()\fR returns a pointer to the embedded
content type.
.PP
\&\fBCMS_get0_content()\fR returns a pointer to the \fB\s-1ASN1_OCTET_STRING\s0\fR pointer
containing the embedded content.
.SH "NOTES"
.IX Header "NOTES"
As the \fB0\fR implies \fBCMS_get0_type()\fR, \fBCMS_get0_eContentType()\fR and
\&\fBCMS_get0_content()\fR return internal pointers which should \fBnot\fR be freed up.
\&\fBCMS_set1_eContentType()\fR copies the supplied \s-1OID\s0 and it \fBshould\fR be freed up
after use.
.PP
The \fB\s-1ASN1_OBJECT\s0\fR values returned can be converted to an integer \fB\s-1NID\s0\fR value
using \fBOBJ_obj2nid()\fR. For the currently supported content types the following
values are returned:
.PP
.Vb 6
\& NID_pkcs7_data
\& NID_pkcs7_signed
\& NID_pkcs7_digest
\& NID_id_smime_ct_compressedData:
\& NID_pkcs7_encrypted
\& NID_pkcs7_enveloped
.Ve
.PP
The return value of \fBCMS_get0_content()\fR is a pointer to the \fB\s-1ASN1_OCTET_STRING\s0\fR
content pointer. That means that for example:
.PP
.Vb 1
\& ASN1_OCTET_STRING **pconf = CMS_get0_content(cms);
.Ve
.PP
\&\fB*pconf\fR could be \s-1NULL\s0 if there is no embedded content. Applications can
access, modify or create the embedded content in a \fBCMS_ContentInfo\fR structure
using this function. Applications usually will not need to modify the
embedded content as it is normally set by higher level functions.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCMS_get0_type()\fR and \fBCMS_get0_eContentType()\fR return an \s-1ASN1_OBJECT\s0 structure.
.PP
\&\fBCMS_set1_eContentType()\fR returns 1 for success or 0 if an error occurred. The
error can be obtained from \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2008\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_get1_ReceiptRequest.3 b/secure/lib/libcrypto/man/man3/CMS_get1_ReceiptRequest.3
index 07fe5d7d1d9a..7b6b0fa6beaa 100644
--- a/secure/lib/libcrypto/man/man3/CMS_get1_ReceiptRequest.3
+++ b/secure/lib/libcrypto/man/man3/CMS_get1_ReceiptRequest.3
@@ -1,209 +1,209 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_GET1_RECEIPTREQUEST 3"
-.TH CMS_GET1_RECEIPTREQUEST 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CMS_GET1_RECEIPTREQUEST 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CMS_ReceiptRequest_create0, CMS_add1_ReceiptRequest, CMS_get1_ReceiptRequest, CMS_ReceiptRequest_get0_values \- CMS signed receipt request functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& CMS_ReceiptRequest *CMS_ReceiptRequest_create0(unsigned char *id, int idlen,
\& int allorfirst,
\& STACK_OF(GENERAL_NAMES) *receiptList,
\& STACK_OF(GENERAL_NAMES) *receiptsTo);
\& int CMS_add1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest *rr);
\& int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr);
\& void CMS_ReceiptRequest_get0_values(CMS_ReceiptRequest *rr, ASN1_STRING **pcid,
\& int *pallorfirst,
\& STACK_OF(GENERAL_NAMES) **plist,
\& STACK_OF(GENERAL_NAMES) **prto);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBCMS_ReceiptRequest_create0()\fR creates a signed receipt request structure. The
\&\fBsignedContentIdentifier\fR field is set using \fBid\fR and \fBidlen\fR, or it is set
to 32 bytes of pseudo random data if \fBid\fR is \s-1NULL.\s0 If \fBreceiptList\fR is \s-1NULL\s0
the allOrFirstTier option in \fBreceiptsFrom\fR is used and set to the value of
the \fBallorfirst\fR parameter. If \fBreceiptList\fR is not \s-1NULL\s0 the \fBreceiptList\fR
option in \fBreceiptsFrom\fR is used. The \fBreceiptsTo\fR parameter specifies the
\&\fBreceiptsTo\fR field value.
.PP
The \fBCMS_add1_ReceiptRequest()\fR function adds a signed receipt request \fBrr\fR
to SignerInfo structure \fBsi\fR.
.PP
int \fBCMS_get1_ReceiptRequest()\fR looks for a signed receipt request in \fBsi\fR, if
any is found it is decoded and written to \fBprr\fR.
.PP
\&\fBCMS_ReceiptRequest_get0_values()\fR retrieves the values of a receipt request.
The signedContentIdentifier is copied to \fBpcid\fR. If the \fBallOrFirstTier\fR
option of \fBreceiptsFrom\fR is used its value is copied to \fBpallorfirst\fR
otherwise the \fBreceiptList\fR field is copied to \fBplist\fR. The \fBreceiptsTo\fR
parameter is copied to \fBprto\fR.
.SH "NOTES"
.IX Header "NOTES"
For more details of the meaning of the fields see \s-1RFC2634.\s0
.PP
The contents of a signed receipt should only be considered meaningful if the
corresponding CMS_ContentInfo structure can be successfully verified using
\&\fBCMS_verify()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCMS_ReceiptRequest_create0()\fR returns a signed receipt request structure or
\&\s-1NULL\s0 if an error occurred.
.PP
\&\fBCMS_add1_ReceiptRequest()\fR returns 1 for success or 0 if an error occurred.
.PP
\&\fBCMS_get1_ReceiptRequest()\fR returns 1 is a signed receipt request is found and
decoded. It returns 0 if a signed receipt request is not present and \-1 if
it is present but malformed.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_sign\fR\|(3),
\&\fBCMS_sign_receipt\fR\|(3), \fBCMS_verify\fR\|(3)
\&\fBCMS_verify_receipt\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2008\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_sign.3 b/secure/lib/libcrypto/man/man3/CMS_sign.3
index 8bf015e6c8bc..013978bc33fb 100644
--- a/secure/lib/libcrypto/man/man3/CMS_sign.3
+++ b/secure/lib/libcrypto/man/man3/CMS_sign.3
@@ -1,258 +1,258 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_SIGN 3"
-.TH CMS_SIGN 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CMS_SIGN 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CMS_sign \- create a CMS SignedData structure
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
\& BIO *data, unsigned int flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBCMS_sign()\fR creates and returns a \s-1CMS\s0 SignedData structure. \fBsigncert\fR is
the certificate to sign with, \fBpkey\fR is the corresponding private key.
\&\fBcerts\fR is an optional additional set of certificates to include in the \s-1CMS\s0
structure (for example any intermediate CAs in the chain). Any or all of
these parameters can be \fB\s-1NULL\s0\fR, see \fB\s-1NOTES\s0\fR below.
.PP
The data to be signed is read from \s-1BIO\s0 \fBdata\fR.
.PP
\&\fBflags\fR is an optional set of flags.
.SH "NOTES"
.IX Header "NOTES"
Any of the following flags (ored together) can be passed in the \fBflags\fR
parameter.
.PP
Many S/MIME clients expect the signed content to include valid \s-1MIME\s0 headers. If
the \fB\s-1CMS_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \fBtext/plain\fR are prepended
to the data.
.PP
If \fB\s-1CMS_NOCERTS\s0\fR is set the signer's certificate will not be included in the
CMS_ContentInfo structure, the signer's certificate must still be supplied in
the \fBsigncert\fR parameter though. This can reduce the size of the signature if
the signers certificate can be obtained by other means: for example a
previously signed message.
.PP
The data being signed is included in the CMS_ContentInfo structure, unless
\&\fB\s-1CMS_DETACHED\s0\fR is set in which case it is omitted. This is used for
CMS_ContentInfo detached signatures which are used in S/MIME plaintext signed
messages for example.
.PP
Normally the supplied content is translated into \s-1MIME\s0 canonical format (as
required by the S/MIME specifications) if \fB\s-1CMS_BINARY\s0\fR is set no translation
occurs. This option should be used if the supplied data is in binary format
otherwise the translation will corrupt it.
.PP
The SignedData structure includes several \s-1CMS\s0 signedAttributes including the
signing time, the \s-1CMS\s0 content type and the supported list of ciphers in an
SMIMECapabilities attribute. If \fB\s-1CMS_NOATTR\s0\fR is set then no signedAttributes
will be used. If \fB\s-1CMS_NOSMIMECAP\s0\fR is set then just the SMIMECapabilities are
omitted.
.PP
If present the SMIMECapabilities attribute indicates support for the following
algorithms in preference order: 256 bit \s-1AES,\s0 Gost R3411\-94, Gost 28147\-89, 192
bit \s-1AES, 128\s0 bit \s-1AES,\s0 triple \s-1DES, 128\s0 bit \s-1RC2, 64\s0 bit \s-1RC2, DES\s0 and 40 bit \s-1RC2.\s0
If any of these algorithms is not available then it will not be included: for example the \s-1GOST\s0 algorithms will not be included if the \s-1GOST ENGINE\s0 is
not loaded.
.PP
OpenSSL will by default identify signing certificates using issuer name
and serial number. If \fB\s-1CMS_USE_KEYID\s0\fR is set it will use the subject key
identifier value instead. An error occurs if the signing certificate does not
have a subject key identifier extension.
.PP
If the flags \fB\s-1CMS_STREAM\s0\fR is set then the returned \fBCMS_ContentInfo\fR
structure is just initialized ready to perform the signing operation. The
signing is however \fBnot\fR performed and the data to be signed is not read from
the \fBdata\fR parameter. Signing is deferred until after the data has been
written. In this way data can be signed in a single pass.
.PP
If the \fB\s-1CMS_PARTIAL\s0\fR flag is set a partial \fBCMS_ContentInfo\fR structure is
output to which additional signers and capabilities can be added before
finalization.
.PP
If the flag \fB\s-1CMS_STREAM\s0\fR is set the returned \fBCMS_ContentInfo\fR structure is
\&\fBnot\fR complete and outputting its contents via a function that does not
properly finalize the \fBCMS_ContentInfo\fR structure will give unpredictable
results.
.PP
Several functions including \fBSMIME_write_CMS()\fR, \fBi2d_CMS_bio_stream()\fR,
\&\fBPEM_write_bio_CMS_stream()\fR finalize the structure. Alternatively finalization
can be performed by obtaining the streaming \s-1ASN1\s0 \fB\s-1BIO\s0\fR directly using
\&\fBBIO_new_CMS()\fR.
.PP
If a signer is specified it will use the default digest for the signing
algorithm. This is \fB\s-1SHA1\s0\fR for both \s-1RSA\s0 and \s-1DSA\s0 keys.
.PP
If \fBsigncert\fR and \fBpkey\fR are \s-1NULL\s0 then a certificates only \s-1CMS\s0 structure is
output.
.PP
The function \fBCMS_sign()\fR is a basic \s-1CMS\s0 signing function whose output will be
suitable for many purposes. For finer control of the output format the
\&\fBcerts\fR, \fBsigncert\fR and \fBpkey\fR parameters can all be \fB\s-1NULL\s0\fR and the
\&\fB\s-1CMS_PARTIAL\s0\fR flag set. Then one or more signers can be added using the
function \fBCMS_sign_add1_signer()\fR, non default digests can be used and custom
attributes added. \fBCMS_final()\fR must then be called to finalize the
structure if streaming is not enabled.
.SH "BUGS"
.IX Header "BUGS"
Some attributes such as counter signatures are not supported.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCMS_sign()\fR returns either a valid CMS_ContentInfo structure or \s-1NULL\s0 if an error
occurred. The error can be obtained from \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_verify\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\s-1CMS_STREAM\s0\fR flag is only supported for detached data in OpenSSL 0.9.8,
it is supported for embedded data in OpenSSL 1.0.0 and later.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_sign_receipt.3 b/secure/lib/libcrypto/man/man3/CMS_sign_receipt.3
index ec6a02b41fa3..ccffab1847ba 100644
--- a/secure/lib/libcrypto/man/man3/CMS_sign_receipt.3
+++ b/secure/lib/libcrypto/man/man3/CMS_sign_receipt.3
@@ -1,183 +1,183 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_SIGN_RECEIPT 3"
-.TH CMS_SIGN_RECEIPT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CMS_SIGN_RECEIPT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CMS_sign_receipt \- create a CMS signed receipt
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si, X509 *signcert,
\& EVP_PKEY *pkey, STACK_OF(X509) *certs,
\& unsigned int flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBCMS_sign_receipt()\fR creates and returns a \s-1CMS\s0 signed receipt structure. \fBsi\fR is
the \fBCMS_SignerInfo\fR structure containing the signed receipt request.
\&\fBsigncert\fR is the certificate to sign with, \fBpkey\fR is the corresponding
private key. \fBcerts\fR is an optional additional set of certificates to include
in the \s-1CMS\s0 structure (for example any intermediate CAs in the chain).
.PP
\&\fBflags\fR is an optional set of flags.
.SH "NOTES"
.IX Header "NOTES"
This functions behaves in a similar way to \fBCMS_sign()\fR except the flag values
\&\fB\s-1CMS_DETACHED\s0\fR, \fB\s-1CMS_BINARY\s0\fR, \fB\s-1CMS_NOATTR\s0\fR, \fB\s-1CMS_TEXT\s0\fR and \fB\s-1CMS_STREAM\s0\fR
are not supported since they do not make sense in the context of signed
receipts.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCMS_sign_receipt()\fR returns either a valid CMS_ContentInfo structure or \s-1NULL\s0 if
an error occurred. The error can be obtained from \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3),
\&\fBCMS_verify_receipt\fR\|(3),
\&\fBCMS_sign\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_uncompress.3 b/secure/lib/libcrypto/man/man3/CMS_uncompress.3
index 54a5c488e831..f434aae8e5fe 100644
--- a/secure/lib/libcrypto/man/man3/CMS_uncompress.3
+++ b/secure/lib/libcrypto/man/man3/CMS_uncompress.3
@@ -1,189 +1,189 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_UNCOMPRESS 3"
-.TH CMS_UNCOMPRESS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CMS_UNCOMPRESS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CMS_uncompress \- uncompress a CMS CompressedData structure
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& int CMS_uncompress(CMS_ContentInfo *cms, BIO *dcont, BIO *out, unsigned int flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBCMS_uncompress()\fR extracts and uncompresses the content from a \s-1CMS\s0
CompressedData structure \fBcms\fR. \fBdata\fR is a \s-1BIO\s0 to write the content to and
\&\fBflags\fR is an optional set of flags.
.PP
The \fBdcont\fR parameter is used in the rare case where the compressed content
is detached. It will normally be set to \s-1NULL.\s0
.SH "NOTES"
.IX Header "NOTES"
The only currently supported compression algorithm is zlib: if the structure
indicates the use of any other algorithm an error is returned.
.PP
If zlib support is not compiled into OpenSSL then \fBCMS_uncompress()\fR will always
return an error.
.PP
The following flags can be passed in the \fBflags\fR parameter.
.PP
If the \fB\s-1CMS_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \fBtext/plain\fR are deleted
from the content. If the content is not of type \fBtext/plain\fR then an error is
returned.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCMS_uncompress()\fR returns either 1 for success or 0 for failure. The error can
be obtained from \fBERR_get_error\fR\|(3)
.SH "BUGS"
.IX Header "BUGS"
The lack of single pass processing and the need to hold all data in memory as
mentioned in \fBCMS_verify()\fR also applies to \fBCMS_decompress()\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_compress\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_verify.3 b/secure/lib/libcrypto/man/man3/CMS_verify.3
index a8f4bc2791ff..e614ec532c4b 100644
--- a/secure/lib/libcrypto/man/man3/CMS_verify.3
+++ b/secure/lib/libcrypto/man/man3/CMS_verify.3
@@ -1,261 +1,261 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_VERIFY 3"
-.TH CMS_VERIFY 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CMS_VERIFY 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CMS_verify, CMS_get0_signers \- verify a CMS SignedData structure
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, X509_STORE *store,
\& BIO *indata, BIO *out, unsigned int flags);
\&
\& STACK_OF(X509) *CMS_get0_signers(CMS_ContentInfo *cms);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBCMS_verify()\fR verifies a \s-1CMS\s0 SignedData structure. \fBcms\fR is the CMS_ContentInfo
structure to verify. \fBcerts\fR is a set of certificates in which to search for
the signing certificate(s). \fBstore\fR is a trusted certificate store used for
chain verification. \fBindata\fR is the detached content if the content is not
present in \fBcms\fR. The content is written to \fBout\fR if it is not \s-1NULL.\s0
.PP
\&\fBflags\fR is an optional set of flags, which can be used to modify the verify
operation.
.PP
\&\fBCMS_get0_signers()\fR retrieves the signing certificate(s) from \fBcms\fR, it may only
be called after a successful \fBCMS_verify()\fR operation.
.SH "VERIFY PROCESS"
.IX Header "VERIFY PROCESS"
Normally the verify process proceeds as follows.
.PP
Initially some sanity checks are performed on \fBcms\fR. The type of \fBcms\fR must
be SignedData. There must be at least one signature on the data and if
the content is detached \fBindata\fR cannot be \fB\s-1NULL\s0\fR.
.PP
An attempt is made to locate all the signing certificate(s), first looking in
the \fBcerts\fR parameter (if it is not \s-1NULL\s0) and then looking in any
certificates contained in the \fBcms\fR structure itself. If any signing
certificate cannot be located the operation fails.
.PP
Each signing certificate is chain verified using the \fBsmimesign\fR purpose and
the supplied trusted certificate store. Any internal certificates in the message
are used as untrusted CAs. If \s-1CRL\s0 checking is enabled in \fBstore\fR any internal
CRLs are used in addition to attempting to look them up in \fBstore\fR. If any
chain verify fails an error code is returned.
.PP
Finally the signed content is read (and written to \fBout\fR if it is not \s-1NULL\s0)
and the signature's checked.
.PP
If all signature's verify correctly then the function is successful.
.PP
Any of the following flags (ored together) can be passed in the \fBflags\fR
parameter to change the default verify behaviour.
.PP
If \fB\s-1CMS_NOINTERN\s0\fR is set the certificates in the message itself are not
searched when locating the signing certificate(s). This means that all the
signing certificates must be in the \fBcerts\fR parameter.
.PP
If \fB\s-1CMS_NOCRL\s0\fR is set and \s-1CRL\s0 checking is enabled in \fBstore\fR then any
CRLs in the message itself are ignored.
.PP
If the \fB\s-1CMS_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \fBtext/plain\fR are deleted
from the content. If the content is not of type \fBtext/plain\fR then an error is
returned.
.PP
If \fB\s-1CMS_NO_SIGNER_CERT_VERIFY\s0\fR is set the signing certificates are not
verified.
.PP
If \fB\s-1CMS_NO_ATTR_VERIFY\s0\fR is set the signed attributes signature is not
verified.
.PP
If \fB\s-1CMS_NO_CONTENT_VERIFY\s0\fR is set then the content digest is not checked.
.SH "NOTES"
.IX Header "NOTES"
One application of \fB\s-1CMS_NOINTERN\s0\fR is to only accept messages signed by
a small number of certificates. The acceptable certificates would be passed
in the \fBcerts\fR parameter. In this case if the signer is not one of the
certificates supplied in \fBcerts\fR then the verify will fail because the
signer cannot be found.
.PP
In some cases the standard techniques for looking up and validating
certificates are not appropriate: for example an application may wish to
lookup certificates in a database or perform customised verification. This
can be achieved by setting and verifying the signers certificates manually
using the signed data utility functions.
.PP
Care should be taken when modifying the default verify behaviour, for example
setting \fB\s-1CMS_NO_CONTENT_VERIFY\s0\fR will totally disable all content verification
and any modified content will be considered valid. This combination is however
useful if one merely wishes to write the content to \fBout\fR and its validity
is not considered important.
.PP
Chain verification should arguably be performed using the signing time rather
than the current time. However, since the signing time is supplied by the
signer it cannot be trusted without additional evidence (such as a trusted
timestamp).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCMS_verify()\fR returns 1 for a successful verification and zero if an error
occurred.
.PP
\&\fBCMS_get0_signers()\fR returns all signers or \s-1NULL\s0 if an error occurred.
.PP
The error can be obtained from \fBERR_get_error\fR\|(3)
.SH "BUGS"
.IX Header "BUGS"
The trusted certificate store is not searched for the signing certificate,
this is primarily due to the inadequacies of the current \fBX509_STORE\fR
functionality.
.PP
The lack of single pass processing means that the signed content must all
be held in memory if it is not detached.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_sign\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2008\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CMS_verify_receipt.3 b/secure/lib/libcrypto/man/man3/CMS_verify_receipt.3
index 5b87ab36fbb3..17c1e2c78ac4 100644
--- a/secure/lib/libcrypto/man/man3/CMS_verify_receipt.3
+++ b/secure/lib/libcrypto/man/man3/CMS_verify_receipt.3
@@ -1,185 +1,185 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS_VERIFY_RECEIPT 3"
-.TH CMS_VERIFY_RECEIPT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CMS_VERIFY_RECEIPT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CMS_verify_receipt \- verify a CMS signed receipt
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& int CMS_verify_receipt(CMS_ContentInfo *rcms, CMS_ContentInfo *ocms,
\& STACK_OF(X509) *certs, X509_STORE *store,
\& unsigned int flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBCMS_verify_receipt()\fR verifies a \s-1CMS\s0 signed receipt. \fBrcms\fR is the signed
receipt to verify. \fBocms\fR is the original SignedData structure containing the
receipt request. \fBcerts\fR is a set of certificates in which to search for the
signing certificate. \fBstore\fR is a trusted certificate store (used for chain
verification).
.PP
\&\fBflags\fR is an optional set of flags, which can be used to modify the verify
operation.
.SH "NOTES"
.IX Header "NOTES"
This functions behaves in a similar way to \fBCMS_verify()\fR except the flag values
\&\fB\s-1CMS_DETACHED\s0\fR, \fB\s-1CMS_BINARY\s0\fR, \fB\s-1CMS_TEXT\s0\fR and \fB\s-1CMS_STREAM\s0\fR are not
supported since they do not make sense in the context of signed receipts.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCMS_verify_receipt()\fR returns 1 for a successful verification and zero if an
error occurred.
.PP
The error can be obtained from \fBERR_get_error\fR\|(3)
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3),
\&\fBCMS_sign_receipt\fR\|(3),
\&\fBCMS_verify\fR\|(3),
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CONF_modules_free.3 b/secure/lib/libcrypto/man/man3/CONF_modules_free.3
index 832ede0b4e32..b9bce82e06a5 100644
--- a/secure/lib/libcrypto/man/man3/CONF_modules_free.3
+++ b/secure/lib/libcrypto/man/man3/CONF_modules_free.3
@@ -1,190 +1,190 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CONF_MODULES_FREE 3"
-.TH CONF_MODULES_FREE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CONF_MODULES_FREE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CONF_modules_free, CONF_modules_finish, CONF_modules_unload \- OpenSSL configuration cleanup functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/conf.h>
\&
\& void CONF_modules_finish(void);
\& void CONF_modules_unload(int all);
.Ve
.PP
Deprecated:
.PP
.Vb 3
\& #if OPENSSL_API_COMPAT < 0x10100000L
\& void CONF_modules_free(void)
\& #endif
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBCONF_modules_free()\fR closes down and frees up all memory allocated by all
configuration modules. Normally, in versions of OpenSSL prior to 1.1.0,
applications called
\&\fBCONF_modules_free()\fR at exit to tidy up any configuration performed.
.PP
\&\fBCONF_modules_finish()\fR calls each configuration modules \fBfinish\fR handler
to free up any configuration that module may have performed.
.PP
\&\fBCONF_modules_unload()\fR finishes and unloads configuration modules. If
\&\fBall\fR is set to \fB0\fR only modules loaded from DSOs will be unloads. If
\&\fBall\fR is \fB1\fR all modules, including builtin modules will be unloaded.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
None of the functions return a value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBconfig\fR\|(5), \fBOPENSSL_config\fR\|(3),
\&\fBCONF_modules_load_file\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBCONF_modules_free()\fR was deprecated in OpenSSL 1.1.0; do not use it.
For more information see \fBOPENSSL_init_crypto\fR\|(3).
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2004\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CONF_modules_load_file.3 b/secure/lib/libcrypto/man/man3/CONF_modules_load_file.3
index 6538999aca30..9b3e19b0902a 100644
--- a/secure/lib/libcrypto/man/man3/CONF_modules_load_file.3
+++ b/secure/lib/libcrypto/man/man3/CONF_modules_load_file.3
@@ -1,282 +1,282 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CONF_MODULES_LOAD_FILE 3"
-.TH CONF_MODULES_LOAD_FILE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CONF_MODULES_LOAD_FILE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CONF_modules_load_file, CONF_modules_load \- OpenSSL configuration functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/conf.h>
\&
\& int CONF_modules_load_file(const char *filename, const char *appname,
\& unsigned long flags);
\& int CONF_modules_load(const CONF *cnf, const char *appname,
\& unsigned long flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The function \fBCONF_modules_load_file()\fR configures OpenSSL using file
\&\fBfilename\fR and application name \fBappname\fR. If \fBfilename\fR is \s-1NULL\s0
the standard OpenSSL configuration file is used. If \fBappname\fR is
\&\s-1NULL\s0 the standard OpenSSL application name \fBopenssl_conf\fR is used.
The behaviour can be customized using \fBflags\fR.
.PP
\&\fBCONF_modules_load()\fR is identical to \fBCONF_modules_load_file()\fR except it
reads configuration information from \fBcnf\fR.
.SH "NOTES"
.IX Header "NOTES"
The following \fBflags\fR are currently recognized:
.PP
If \fB\s-1CONF_MFLAGS_IGNORE_ERRORS\s0\fR is set errors returned by individual
configuration modules are ignored. If not set the first module error is
considered fatal and no further modules are loaded.
.PP
Normally any modules errors will add error information to the error queue. If
\&\fB\s-1CONF_MFLAGS_SILENT\s0\fR is set no error information is added.
.PP
If \fB\s-1CONF_MFLAGS_IGNORE_RETURN_CODES\s0\fR is set the function unconditionally
returns success.
This is used by default in \fBOPENSSL_init_crypto\fR\|(3) to ignore any errors in
the default system-wide configuration file, as having all OpenSSL applications
fail to start when there are potentially minor issues in the file is too risky.
Applications calling \fBCONF_modules_load_file\fR explicitly should not generally
set this flag.
.PP
If \fB\s-1CONF_MFLAGS_NO_DSO\s0\fR is set configuration module loading from DSOs is
disabled.
.PP
\&\fB\s-1CONF_MFLAGS_IGNORE_MISSING_FILE\s0\fR if set will make \fBCONF_load_modules_file()\fR
ignore missing configuration files. Normally a missing configuration file
return an error.
.PP
\&\fB\s-1CONF_MFLAGS_DEFAULT_SECTION\s0\fR if set and \fBappname\fR is not \s-1NULL\s0 will use the
default section pointed to by \fBopenssl_conf\fR if \fBappname\fR does not exist.
.PP
By using \fBCONF_modules_load_file()\fR with appropriate flags an application can
customise application configuration to best suit its needs. In some cases the
use of a configuration file is optional and its absence is not an error: in
this case \fB\s-1CONF_MFLAGS_IGNORE_MISSING_FILE\s0\fR would be set.
.PP
Errors during configuration may also be handled differently by different
applications. For example in some cases an error may simply print out a warning
message and the application continue. In other cases an application might
consider a configuration file error as fatal and exit immediately.
.PP
Applications can use the \fBCONF_modules_load()\fR function if they wish to load a
configuration file themselves and have finer control over how errors are
treated.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return 1 for success and a zero or negative value for
failure. If module errors are not ignored the return code will reflect the
return value of the failing module (this will always be zero or negative).
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Load a configuration file and print out any errors and exit (missing file
considered fatal):
.PP
.Vb 5
\& if (CONF_modules_load_file(NULL, NULL, 0) <= 0) {
\& fprintf(stderr, "FATAL: error loading configuration file\en");
\& ERR_print_errors_fp(stderr);
\& exit(1);
\& }
.Ve
.PP
Load default configuration file using the section indicated by \*(L"myapp\*(R",
tolerate missing files, but exit on other errors:
.PP
.Vb 6
\& if (CONF_modules_load_file(NULL, "myapp",
\& CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) {
\& fprintf(stderr, "FATAL: error loading configuration file\en");
\& ERR_print_errors_fp(stderr);
\& exit(1);
\& }
.Ve
.PP
Load custom configuration file and section, only print warnings on error,
missing configuration file ignored:
.PP
.Vb 5
\& if (CONF_modules_load_file("/something/app.cnf", "myapp",
\& CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) {
\& fprintf(stderr, "WARNING: error loading configuration file\en");
\& ERR_print_errors_fp(stderr);
\& }
.Ve
.PP
Load and parse configuration file manually, custom error handling:
.PP
.Vb 3
\& FILE *fp;
\& CONF *cnf = NULL;
\& long eline;
\&
\& fp = fopen("/somepath/app.cnf", "r");
\& if (fp == NULL) {
\& fprintf(stderr, "Error opening configuration file\en");
\& /* Other missing configuration file behaviour */
\& } else {
\& cnf = NCONF_new(NULL);
\& if (NCONF_load_fp(cnf, fp, &eline) == 0) {
\& fprintf(stderr, "Error on line %ld of configuration file\en", eline);
\& ERR_print_errors_fp(stderr);
\& /* Other malformed configuration file behaviour */
\& } else if (CONF_modules_load(cnf, "appname", 0) <= 0) {
\& fprintf(stderr, "Error configuring application\en");
\& ERR_print_errors_fp(stderr);
\& /* Other configuration error behaviour */
\& }
\& fclose(fp);
\& NCONF_free(cnf);
\& }
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBconfig\fR\|(5), \fBOPENSSL_config\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2004\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CRYPTO_THREAD_run_once.3 b/secure/lib/libcrypto/man/man3/CRYPTO_THREAD_run_once.3
index cce771c58497..684820fd1d2b 100644
--- a/secure/lib/libcrypto/man/man3/CRYPTO_THREAD_run_once.3
+++ b/secure/lib/libcrypto/man/man3/CRYPTO_THREAD_run_once.3
@@ -1,283 +1,283 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CRYPTO_THREAD_RUN_ONCE 3"
-.TH CRYPTO_THREAD_RUN_ONCE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CRYPTO_THREAD_RUN_ONCE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CRYPTO_THREAD_run_once, CRYPTO_THREAD_lock_new, CRYPTO_THREAD_read_lock, CRYPTO_THREAD_write_lock, CRYPTO_THREAD_unlock, CRYPTO_THREAD_lock_free, CRYPTO_atomic_add \- OpenSSL thread support
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/crypto.h>
\&
\& CRYPTO_ONCE CRYPTO_ONCE_STATIC_INIT;
\& int CRYPTO_THREAD_run_once(CRYPTO_ONCE *once, void (*init)(void));
\&
\& CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void);
\& int CRYPTO_THREAD_read_lock(CRYPTO_RWLOCK *lock);
\& int CRYPTO_THREAD_write_lock(CRYPTO_RWLOCK *lock);
\& int CRYPTO_THREAD_unlock(CRYPTO_RWLOCK *lock);
\& void CRYPTO_THREAD_lock_free(CRYPTO_RWLOCK *lock);
\&
\& int CRYPTO_atomic_add(int *val, int amount, int *ret, CRYPTO_RWLOCK *lock);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
OpenSSL can be safely used in multi-threaded applications provided that
support for the underlying \s-1OS\s0 threading \s-1API\s0 is built-in. Currently, OpenSSL
supports the pthread and Windows APIs. OpenSSL can also be built without
any multi-threading support, for example on platforms that don't provide
any threading support or that provide a threading \s-1API\s0 that is not yet
supported by OpenSSL.
.PP
The following multi-threading function are provided:
.IP "\(bu" 2
\&\fBCRYPTO_THREAD_run_once()\fR can be used to perform one-time initialization.
The \fBonce\fR argument must be a pointer to a static object of type
\&\fB\s-1CRYPTO_ONCE\s0\fR that was statically initialized to the value
\&\fB\s-1CRYPTO_ONCE_STATIC_INIT\s0\fR.
The \fBinit\fR argument is a pointer to a function that performs the desired
exactly once initialization.
In particular, this can be used to allocate locks in a thread-safe manner,
which can then be used with the locking functions below.
.IP "\(bu" 2
\&\fBCRYPTO_THREAD_lock_new()\fR allocates, initializes and returns a new read/write
lock.
.IP "\(bu" 2
\&\fBCRYPTO_THREAD_read_lock()\fR locks the provided \fBlock\fR for reading.
.IP "\(bu" 2
\&\fBCRYPTO_THREAD_write_lock()\fR locks the provided \fBlock\fR for writing.
.IP "\(bu" 2
\&\fBCRYPTO_THREAD_unlock()\fR unlocks the previously locked \fBlock\fR.
.IP "\(bu" 2
\&\fBCRYPTO_THREAD_lock_free()\fR frees the provided \fBlock\fR.
.IP "\(bu" 2
\&\fBCRYPTO_atomic_add()\fR atomically adds \fBamount\fR to \fBval\fR and returns the
result of the operation in \fBret\fR. \fBlock\fR will be locked, unless atomic
operations are supported on the specific platform. Because of this, if a
variable is modified by \fBCRYPTO_atomic_add()\fR then \fBCRYPTO_atomic_add()\fR must
be the only way that the variable is modified.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCRYPTO_THREAD_run_once()\fR returns 1 on success, or 0 on error.
.PP
\&\fBCRYPTO_THREAD_lock_new()\fR returns the allocated lock, or \s-1NULL\s0 on error.
.PP
\&\fBCRYPTO_THREAD_lock_free()\fR returns no value.
.PP
The other functions return 1 on success, or 0 on error.
.SH "NOTES"
.IX Header "NOTES"
On Windows platforms the CRYPTO_THREAD_* types and functions in the
openssl/crypto.h header are dependent on some of the types customarily
made available by including windows.h. The application developer is
likely to require control over when the latter is included, commonly as
one of the first included headers. Therefore, it is defined as an
application developer's responsibility to include windows.h prior to
crypto.h where use of CRYPTO_THREAD_* types and functions is required.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
This example safely initializes and uses a lock.
.PP
.Vb 4
\& #ifdef _WIN32
\& # include <windows.h>
\& #endif
\& #include <openssl/crypto.h>
\&
\& static CRYPTO_ONCE once = CRYPTO_ONCE_STATIC_INIT;
\& static CRYPTO_RWLOCK *lock;
\&
\& static void myinit(void)
\& {
\& lock = CRYPTO_THREAD_lock_new();
\& }
\&
\& static int mylock(void)
\& {
\& if (!CRYPTO_THREAD_run_once(&once, void init) || lock == NULL)
\& return 0;
\& return CRYPTO_THREAD_write_lock(lock);
\& }
\&
\& static int myunlock(void)
\& {
\& return CRYPTO_THREAD_unlock(lock);
\& }
\&
\& int serialized(void)
\& {
\& int ret = 0;
\&
\& if (mylock()) {
\& /* Your code here, do not return without releasing the lock! */
\& ret = ... ;
\& }
\& myunlock();
\& return ret;
\& }
.Ve
.PP
Finalization of locks is an advanced topic, not covered in this example.
This can only be done at process exit or when a dynamically loaded library is
no longer in use and is unloaded.
The simplest solution is to just \*(L"leak\*(R" the lock in applications and not
repeatedly load/unload shared libraries that allocate locks.
.SH "NOTES"
.IX Header "NOTES"
You can find out if OpenSSL was configured with thread support:
.PP
.Vb 6
\& #include <openssl/opensslconf.h>
\& #if defined(OPENSSL_THREADS)
\& /* thread support enabled */
\& #else
\& /* no thread support */
\& #endif
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CRYPTO_get_ex_new_index.3 b/secure/lib/libcrypto/man/man3/CRYPTO_get_ex_new_index.3
index 264f9a7a10e8..d05b2dbc923b 100644
--- a/secure/lib/libcrypto/man/man3/CRYPTO_get_ex_new_index.3
+++ b/secure/lib/libcrypto/man/man3/CRYPTO_get_ex_new_index.3
@@ -1,298 +1,298 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CRYPTO_GET_EX_NEW_INDEX 3"
-.TH CRYPTO_GET_EX_NEW_INDEX 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CRYPTO_GET_EX_NEW_INDEX 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CRYPTO_EX_new, CRYPTO_EX_free, CRYPTO_EX_dup, CRYPTO_free_ex_index, CRYPTO_get_ex_new_index, CRYPTO_set_ex_data, CRYPTO_get_ex_data, CRYPTO_free_ex_data, CRYPTO_new_ex_data \&\- functions supporting application\-specific data
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/crypto.h>
\&
\& int CRYPTO_get_ex_new_index(int class_index,
\& long argl, void *argp,
\& CRYPTO_EX_new *new_func,
\& CRYPTO_EX_dup *dup_func,
\& CRYPTO_EX_free *free_func);
\&
\& typedef void CRYPTO_EX_new(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
\& int idx, long argl, void *argp);
\& typedef void CRYPTO_EX_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
\& int idx, long argl, void *argp);
\& typedef int CRYPTO_EX_dup(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
\& void *from_d, int idx, long argl, void *argp);
\&
\& int CRYPTO_new_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad)
\&
\& int CRYPTO_set_ex_data(CRYPTO_EX_DATA *r, int idx, void *arg);
\&
\& void *CRYPTO_get_ex_data(CRYPTO_EX_DATA *r, int idx);
\&
\& void CRYPTO_free_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *r);
\&
\& int CRYPTO_free_ex_index(int class_index, int idx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Several OpenSSL structures can have application-specific data attached to them,
known as \*(L"exdata.\*(R"
The specific structures are:
.PP
.Vb 10
\& APP
\& BIO
\& DH
\& DRBG
\& DSA
\& EC_KEY
\& ENGINE
\& RSA
\& SSL
\& SSL_CTX
\& SSL_SESSION
\& UI
\& UI_METHOD
\& X509
\& X509_STORE
\& X509_STORE_CTX
.Ve
.PP
Each is identified by an \fBCRYPTO_EX_INDEX_xxx\fR define in the \fBcrypto.h\fR
header file. In addition, \fB\s-1CRYPTO_EX_INDEX_APP\s0\fR is reserved for
applications to use this facility for their own structures.
.PP
The \s-1API\s0 described here is used by OpenSSL to manipulate exdata for specific
structures. Since the application data can be anything at all it is passed
and retrieved as a \fBvoid *\fR type.
.PP
The \fB\s-1CRYPTO_EX_DATA\s0\fR type is opaque. To initialize the exdata part of
a structure, call \fBCRYPTO_new_ex_data()\fR. This is only necessary for
\&\fB\s-1CRYPTO_EX_INDEX_APP\s0\fR objects.
.PP
Exdata types are identified by an \fBindex\fR, an integer guaranteed to be
unique within structures for the lifetime of the program. Applications
using exdata typically call \fBCRYPTO_get_ex_new_index\fR at startup, and
store the result in a global variable, or write a wrapper function to
provide lazy evaluation. The \fBclass_index\fR should be one of the
\&\fBCRYPTO_EX_INDEX_xxx\fR values. The \fBargl\fR and \fBargp\fR parameters are saved
to be passed to the callbacks but are otherwise not used. In order to
transparently manipulate exdata, three callbacks must be provided. The
semantics of those callbacks are described below.
.PP
When copying or releasing objects with exdata, the callback functions
are called in increasing order of their \fBindex\fR value.
.PP
If a dynamic library can be unloaded, it should call \fBCRYPTO_free_ex_index()\fR
when this is done.
This will replace the callbacks with no-ops
so that applications don't crash. Any existing exdata will be leaked.
.PP
To set or get the exdata on an object, the appropriate type-specific
routine must be used. This is because the containing structure is opaque
and the \fB\s-1CRYPTO_EX_DATA\s0\fR field is not accessible. In both \s-1API\s0's, the
\&\fBidx\fR parameter should be an already-created index value.
.PP
When setting exdata, the pointer specified with a particular index is saved,
and returned on a subsequent \*(L"get\*(R" call. If the application is going to
release the data, it must make sure to set a \fB\s-1NULL\s0\fR value at the index,
to avoid likely double-free crashes.
.PP
The function \fBCRYPTO_free_ex_data\fR is used to free all exdata attached
to a structure. The appropriate type-specific routine must be used.
The \fBclass_index\fR identifies the structure type, the \fBobj\fR is
a pointer to the actual structure, and \fBr\fR is a pointer to the
structure's exdata field.
.SS "Callback Functions"
.IX Subsection "Callback Functions"
This section describes how the callback functions are used. Applications
that are defining their own exdata using \fB\s-1CYPRTO_EX_INDEX_APP\s0\fR must
call them as described here.
.PP
When a structure is initially allocated (such as \fBRSA_new()\fR) then the
\&\fBnew_func()\fR is called for every defined index. There is no requirement
that the entire parent, or containing, structure has been set up.
The \fBnew_func()\fR is typically used only to allocate memory to store the
exdata, and perhaps an \*(L"initialized\*(R" flag within that memory.
The exdata value should be set by calling \fBCRYPTO_set_ex_data()\fR.
.PP
When a structure is free'd (such as \fBSSL_CTX_free()\fR) then the
\&\fBfree_func()\fR is called for every defined index. Again, the state of the
parent structure is not guaranteed. The \fBfree_func()\fR may be called with a
\&\s-1NULL\s0 pointer.
.PP
Both \fBnew_func()\fR and \fBfree_func()\fR take the same parameters.
The \fBparent\fR is the pointer to the structure that contains the exdata.
The \fBptr\fR is the current exdata item; for \fBnew_func()\fR this will typically
be \s-1NULL.\s0 The \fBr\fR parameter is a pointer to the exdata field of the object.
The \fBidx\fR is the index and is the value returned when the callbacks were
initially registered via \fBCRYPTO_get_ex_new_index()\fR and can be used if
the same callback handles different types of exdata.
.PP
\&\fBdup_func()\fR is called when a structure is being copied. This is only done
for \fB\s-1SSL\s0\fR, \fB\s-1SSL_SESSION\s0\fR, \fB\s-1EC_KEY\s0\fR objects and \fB\s-1BIO\s0\fR chains via
\&\fBBIO_dup_chain()\fR. The \fBto\fR and \fBfrom\fR parameters
are pointers to the destination and source \fB\s-1CRYPTO_EX_DATA\s0\fR structures,
respectively. The \fBfrom_d\fR parameter needs to be cast to a \fBvoid **pptr\fR
as the \s-1API\s0 has currently the wrong signature; that will be changed in a
future version. The \fB*pptr\fR is a pointer to the source exdata.
When the \fBdup_func()\fR returns, the value in \fB*pptr\fR is copied to the
destination ex_data. If the pointer contained in \fB*pptr\fR is not modified
by the \fBdup_func()\fR, then both \fBto\fR and \fBfrom\fR will point to the same data.
The \fBidx\fR, \fBargl\fR and \fBargp\fR parameters are as described for the other
two callbacks. If the \fBdup_func()\fR returns \fB0\fR the whole \fBCRYPTO_dup_ex_data()\fR
will fail.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCRYPTO_get_ex_new_index()\fR returns a new index or \-1 on failure.
.PP
\&\fBCRYPTO_free_ex_index()\fR and
\&\fBCRYPTO_set_ex_data()\fR return 1 on success or 0 on failure.
.PP
\&\fBCRYPTO_get_ex_data()\fR returns the application data or \s-1NULL\s0 on failure;
note that \s-1NULL\s0 may be a valid value.
.PP
\&\fBdup_func()\fR should return 0 for failure and 1 for success.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CRYPTO_memcmp.3 b/secure/lib/libcrypto/man/man3/CRYPTO_memcmp.3
index 934e385ebf51..9c1c645d5bee 100644
--- a/secure/lib/libcrypto/man/man3/CRYPTO_memcmp.3
+++ b/secure/lib/libcrypto/man/man3/CRYPTO_memcmp.3
@@ -1,171 +1,171 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CRYPTO_MEMCMP 3"
-.TH CRYPTO_MEMCMP 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CRYPTO_MEMCMP 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CRYPTO_memcmp \- Constant time memory comparison
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/crypto.h>
\&
\& int CRYPTO_memcmp(const void *a, const void *b, size_t len);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The CRYPTO_memcmp function compares the \fBlen\fR bytes pointed to by \fBa\fR and \fBb\fR
for equality.
It takes an amount of time dependent on \fBlen\fR, but independent of the
contents of the memory regions pointed to by \fBa\fR and \fBb\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCRYPTO_memcmp()\fR returns 0 if the memory regions are equal and nonzero
otherwise.
.SH "NOTES"
.IX Header "NOTES"
Unlike \fBmemcmp\fR\|(2), this function cannot be used to order the two memory regions
as the return value when they differ is undefined, other than being nonzero.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2019\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CTLOG_STORE_get0_log_by_id.3 b/secure/lib/libcrypto/man/man3/CTLOG_STORE_get0_log_by_id.3
index 0fe036055029..330fbac53c36 100644
--- a/secure/lib/libcrypto/man/man3/CTLOG_STORE_get0_log_by_id.3
+++ b/secure/lib/libcrypto/man/man3/CTLOG_STORE_get0_log_by_id.3
@@ -1,179 +1,179 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CTLOG_STORE_GET0_LOG_BY_ID 3"
-.TH CTLOG_STORE_GET0_LOG_BY_ID 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CTLOG_STORE_GET0_LOG_BY_ID 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CTLOG_STORE_get0_log_by_id \- Get a Certificate Transparency log from a CTLOG_STORE
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ct.h>
\&
\& const CTLOG *CTLOG_STORE_get0_log_by_id(const CTLOG_STORE *store,
\& const uint8_t *log_id,
\& size_t log_id_len);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
A Signed Certificate Timestamp (\s-1SCT\s0) identifies the Certificate Transparency
(\s-1CT\s0) log that issued it using the log's LogID (see \s-1RFC 6962,\s0 Section 3.2).
Therefore, it is useful to be able to look up more information about a log
(e.g. its public key) using this LogID.
.PP
\&\fBCTLOG_STORE_get0_log_by_id()\fR provides a way to do this. It will find a \s-1CTLOG\s0
in a \s-1CTLOG_STORE\s0 that has a given LogID.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCTLOG_STORE_get0_log_by_id\fR returns a \s-1CTLOG\s0 with the given LogID, if it
exists in the given \s-1CTLOG_STORE,\s0 otherwise it returns \s-1NULL.\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBct\fR\|(7),
\&\fBCTLOG_STORE_new\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBCTLOG_STORE_get0_log_by_id()\fR function was added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CTLOG_STORE_new.3 b/secure/lib/libcrypto/man/man3/CTLOG_STORE_new.3
index ab9a9c13e8cb..fa134eebe637 100644
--- a/secure/lib/libcrypto/man/man3/CTLOG_STORE_new.3
+++ b/secure/lib/libcrypto/man/man3/CTLOG_STORE_new.3
@@ -1,209 +1,209 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CTLOG_STORE_NEW 3"
-.TH CTLOG_STORE_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CTLOG_STORE_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CTLOG_STORE_new, CTLOG_STORE_free, CTLOG_STORE_load_default_file, CTLOG_STORE_load_file \- Create and populate a Certificate Transparency log list
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ct.h>
\&
\& CTLOG_STORE *CTLOG_STORE_new(void);
\& void CTLOG_STORE_free(CTLOG_STORE *store);
\&
\& int CTLOG_STORE_load_default_file(CTLOG_STORE *store);
\& int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
A \s-1CTLOG_STORE\s0 is a container for a list of CTLOGs (Certificate Transparency
logs). The list can be loaded from one or more files and then searched by LogID
(see \s-1RFC 6962,\s0 Section 3.2, for the definition of a LogID).
.PP
\&\fBCTLOG_STORE_new()\fR creates an empty list of \s-1CT\s0 logs. This is then populated
by \fBCTLOG_STORE_load_default_file()\fR or \fBCTLOG_STORE_load_file()\fR.
\&\fBCTLOG_STORE_load_default_file()\fR loads from the default file, which is named
\&\*(L"ct_log_list.cnf\*(R" in \s-1OPENSSLDIR\s0 (see the output of version). This can be
overridden using an environment variable named \*(L"\s-1CTLOG_FILE\*(R".\s0
\&\fBCTLOG_STORE_load_file()\fR loads from a caller-specified file path instead.
Both of these functions append any loaded \s-1CT\s0 logs to the \s-1CTLOG_STORE.\s0
.PP
The expected format of the file is:
.PP
.Vb 1
\& enabled_logs=foo,bar
\&
\& [foo]
\& description = Log 1
\& key = <base64\-encoded DER SubjectPublicKeyInfo here>
\&
\& [bar]
\& description = Log 2
\& key = <base64\-encoded DER SubjectPublicKeyInfo here>
.Ve
.PP
Once a \s-1CTLOG_STORE\s0 is no longer required, it should be passed to
\&\fBCTLOG_STORE_free()\fR. This will delete all of the CTLOGs stored within, along
with the \s-1CTLOG_STORE\s0 itself.
.SH "NOTES"
.IX Header "NOTES"
If there are any invalid \s-1CT\s0 logs in a file, they are skipped and the remaining
valid logs will still be added to the \s-1CTLOG_STORE. A CT\s0 log will be considered
invalid if it is missing a \*(L"key\*(R" or \*(L"description\*(R" field.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Both \fBCTLOG_STORE_load_default_file\fR and \fBCTLOG_STORE_load_file\fR return 1 if
all \s-1CT\s0 logs in the file are successfully parsed and loaded, 0 otherwise.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBct\fR\|(7),
\&\fBCTLOG_STORE_get0_log_by_id\fR\|(3),
\&\fBSSL_CTX_set_ctlog_list_file\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CTLOG_new.3 b/secure/lib/libcrypto/man/man3/CTLOG_new.3
index b63e22704250..f8a675386b35 100644
--- a/secure/lib/libcrypto/man/man3/CTLOG_new.3
+++ b/secure/lib/libcrypto/man/man3/CTLOG_new.3
@@ -1,201 +1,201 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CTLOG_NEW 3"
-.TH CTLOG_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CTLOG_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CTLOG_new, CTLOG_new_from_base64, CTLOG_free, CTLOG_get0_name, CTLOG_get0_log_id, CTLOG_get0_public_key \- encapsulates information about a Certificate Transparency log
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ct.h>
\&
\& CTLOG *CTLOG_new(EVP_PKEY *public_key, const char *name);
\& int CTLOG_new_from_base64(CTLOG ** ct_log,
\& const char *pkey_base64, const char *name);
\& void CTLOG_free(CTLOG *log);
\& const char *CTLOG_get0_name(const CTLOG *log);
\& void CTLOG_get0_log_id(const CTLOG *log, const uint8_t **log_id,
\& size_t *log_id_len);
\& EVP_PKEY *CTLOG_get0_public_key(const CTLOG *log);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBCTLOG_new()\fR returns a new \s-1CTLOG\s0 that represents the Certificate Transparency
(\s-1CT\s0) log with the given public key. A name must also be provided that can be
used to help users identify this log. Ownership of the public key is
transferred.
.PP
\&\fBCTLOG_new_from_base64()\fR also creates a new \s-1CTLOG,\s0 but takes the public key in
base64\-encoded \s-1DER\s0 form and sets the ct_log pointer to point to the new \s-1CTLOG.\s0
The base64 will be decoded and the public key parsed.
.PP
Regardless of whether \fBCTLOG_new()\fR or \fBCTLOG_new_from_base64()\fR is used, it is the
caller's responsibility to pass the \s-1CTLOG\s0 to \fBCTLOG_free()\fR once it is no longer
needed. This will delete it and, if created by \fBCTLOG_new()\fR, the \s-1EVP_PKEY\s0 that
was passed to it.
.PP
\&\fBCTLOG_get0_name()\fR returns the name of the log, as provided when the \s-1CTLOG\s0 was
created. Ownership of the string remains with the \s-1CTLOG.\s0
.PP
\&\fBCTLOG_get0_log_id()\fR sets *log_id to point to a string containing that log's
LogID (see \s-1RFC 6962\s0). It sets *log_id_len to the length of that LogID. For a
v1 \s-1CT\s0 log, the LogID will be a \s-1SHA\-256\s0 hash (i.e. 32 bytes long). Ownership of
the string remains with the \s-1CTLOG.\s0
.PP
\&\fBCTLOG_get0_public_key()\fR returns the public key of the \s-1CT\s0 log. Ownership of the
\&\s-1EVP_PKEY\s0 remains with the \s-1CTLOG.\s0
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCTLOG_new()\fR will return \s-1NULL\s0 if an error occurs.
.PP
\&\fBCTLOG_new_from_base64()\fR will return 1 on success, 0 otherwise.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBct\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/CT_POLICY_EVAL_CTX_new.3 b/secure/lib/libcrypto/man/man3/CT_POLICY_EVAL_CTX_new.3
index 1c766b04cac4..16c2b94cab22 100644
--- a/secure/lib/libcrypto/man/man3/CT_POLICY_EVAL_CTX_new.3
+++ b/secure/lib/libcrypto/man/man3/CT_POLICY_EVAL_CTX_new.3
@@ -1,229 +1,229 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CT_POLICY_EVAL_CTX_NEW 3"
-.TH CT_POLICY_EVAL_CTX_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CT_POLICY_EVAL_CTX_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CT_POLICY_EVAL_CTX_new, CT_POLICY_EVAL_CTX_free, CT_POLICY_EVAL_CTX_get0_cert, CT_POLICY_EVAL_CTX_set1_cert, CT_POLICY_EVAL_CTX_get0_issuer, CT_POLICY_EVAL_CTX_set1_issuer, CT_POLICY_EVAL_CTX_get0_log_store, CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE, CT_POLICY_EVAL_CTX_get_time, CT_POLICY_EVAL_CTX_set_time \- Encapsulates the data required to evaluate whether SCTs meet a Certificate Transparency policy
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ct.h>
\&
\& CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new(void);
\& void CT_POLICY_EVAL_CTX_free(CT_POLICY_EVAL_CTX *ctx);
\& X509* CT_POLICY_EVAL_CTX_get0_cert(const CT_POLICY_EVAL_CTX *ctx);
\& int CT_POLICY_EVAL_CTX_set1_cert(CT_POLICY_EVAL_CTX *ctx, X509 *cert);
\& X509* CT_POLICY_EVAL_CTX_get0_issuer(const CT_POLICY_EVAL_CTX *ctx);
\& int CT_POLICY_EVAL_CTX_set1_issuer(CT_POLICY_EVAL_CTX *ctx, X509 *issuer);
\& const CTLOG_STORE *CT_POLICY_EVAL_CTX_get0_log_store(const CT_POLICY_EVAL_CTX *ctx);
\& void CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(CT_POLICY_EVAL_CTX *ctx,
\& CTLOG_STORE *log_store);
\& uint64_t CT_POLICY_EVAL_CTX_get_time(const CT_POLICY_EVAL_CTX *ctx);
\& void CT_POLICY_EVAL_CTX_set_time(CT_POLICY_EVAL_CTX *ctx, uint64_t time_in_ms);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
A \fB\s-1CT_POLICY_EVAL_CTX\s0\fR is used by functions that evaluate whether Signed
Certificate Timestamps (SCTs) fulfil a Certificate Transparency (\s-1CT\s0) policy.
This policy may be, for example, that at least one valid \s-1SCT\s0 is available. To
determine this, an \s-1SCT\s0's timestamp and signature must be verified.
This requires:
.IP "\(bu" 2
the public key of the log that issued the \s-1SCT\s0
.IP "\(bu" 2
the certificate that the \s-1SCT\s0 was issued for
.IP "\(bu" 2
the issuer certificate (if the \s-1SCT\s0 was issued for a pre-certificate)
.IP "\(bu" 2
the current time
.PP
The above requirements are met using the setters described below.
.PP
\&\fBCT_POLICY_EVAL_CTX_new()\fR creates an empty policy evaluation context. This
should then be populated using:
.IP "\(bu" 2
\&\fBCT_POLICY_EVAL_CTX_set1_cert()\fR to provide the certificate the SCTs were issued for
.Sp
Increments the reference count of the certificate.
.IP "\(bu" 2
\&\fBCT_POLICY_EVAL_CTX_set1_issuer()\fR to provide the issuer certificate
.Sp
Increments the reference count of the certificate.
.IP "\(bu" 2
\&\fBCT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE()\fR to provide a list of logs that are trusted as sources of SCTs
.Sp
Holds a pointer to the \s-1CTLOG_STORE,\s0 so the \s-1CTLOG_STORE\s0 must outlive the
\&\s-1CT_POLICY_EVAL_CTX.\s0
.IP "\(bu" 2
\&\fBCT_POLICY_EVAL_CTX_set_time()\fR to set the time SCTs should be compared with to determine if they are valid
.Sp
The \s-1SCT\s0 timestamp will be compared to this time to check whether the \s-1SCT\s0 was
issued in the future. \s-1RFC6962\s0 states that \*(L"\s-1TLS\s0 clients \s-1MUST\s0 reject SCTs whose
timestamp is in the future\*(R". By default, this will be set to 5 minutes in the
future (e.g. (\fBtime()\fR + 300) * 1000), to allow for clock drift.
.Sp
The time should be in milliseconds since the Unix epoch.
.PP
Each setter has a matching getter for accessing the current value.
.PP
When no longer required, the \fB\s-1CT_POLICY_EVAL_CTX\s0\fR should be passed to
\&\fBCT_POLICY_EVAL_CTX_free()\fR to delete it.
.SH "NOTES"
.IX Header "NOTES"
The issuer certificate only needs to be provided if at least one of the SCTs
was issued for a pre-certificate. This will be the case for SCTs embedded in a
certificate (i.e. those in an X.509 extension), but may not be the case for SCTs
found in the \s-1TLS SCT\s0 extension or \s-1OCSP\s0 response.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCT_POLICY_EVAL_CTX_new()\fR will return \s-1NULL\s0 if malloc fails.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBct\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DEFINE_STACK_OF.3 b/secure/lib/libcrypto/man/man3/DEFINE_STACK_OF.3
index 5c0b45f52e3d..0489c8bf719e 100644
--- a/secure/lib/libcrypto/man/man3/DEFINE_STACK_OF.3
+++ b/secure/lib/libcrypto/man/man3/DEFINE_STACK_OF.3
@@ -1,404 +1,405 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DEFINE_STACK_OF 3"
-.TH DEFINE_STACK_OF 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DEFINE_STACK_OF 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DEFINE_STACK_OF, DEFINE_STACK_OF_CONST, DEFINE_SPECIAL_STACK_OF, DEFINE_SPECIAL_STACK_OF_CONST, sk_TYPE_num, sk_TYPE_value, sk_TYPE_new, sk_TYPE_new_null, sk_TYPE_reserve, sk_TYPE_free, sk_TYPE_zero, sk_TYPE_delete, sk_TYPE_delete_ptr, sk_TYPE_push, sk_TYPE_unshift, sk_TYPE_pop, sk_TYPE_shift, sk_TYPE_pop_free, sk_TYPE_insert, sk_TYPE_set, sk_TYPE_find, sk_TYPE_find_ex, sk_TYPE_sort, sk_TYPE_is_sorted, sk_TYPE_dup, sk_TYPE_deep_copy, sk_TYPE_set_cmp_func, sk_TYPE_new_reserve \&\- stack container
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/safestack.h>
\&
\& STACK_OF(TYPE)
\& DEFINE_STACK_OF(TYPE)
\& DEFINE_STACK_OF_CONST(TYPE)
\& DEFINE_SPECIAL_STACK_OF(FUNCTYPE, TYPE)
\& DEFINE_SPECIAL_STACK_OF_CONST(FUNCTYPE, TYPE)
\&
\& typedef int (*sk_TYPE_compfunc)(const TYPE *const *a, const TYPE *const *b);
\& typedef TYPE * (*sk_TYPE_copyfunc)(const TYPE *a);
\& typedef void (*sk_TYPE_freefunc)(TYPE *a);
\&
\& int sk_TYPE_num(const STACK_OF(TYPE) *sk);
\& TYPE *sk_TYPE_value(const STACK_OF(TYPE) *sk, int idx);
\& STACK_OF(TYPE) *sk_TYPE_new(sk_TYPE_compfunc compare);
\& STACK_OF(TYPE) *sk_TYPE_new_null(void);
\& int sk_TYPE_reserve(STACK_OF(TYPE) *sk, int n);
\& void sk_TYPE_free(const STACK_OF(TYPE) *sk);
\& void sk_TYPE_zero(const STACK_OF(TYPE) *sk);
\& TYPE *sk_TYPE_delete(STACK_OF(TYPE) *sk, int i);
\& TYPE *sk_TYPE_delete_ptr(STACK_OF(TYPE) *sk, TYPE *ptr);
\& int sk_TYPE_push(STACK_OF(TYPE) *sk, const TYPE *ptr);
\& int sk_TYPE_unshift(STACK_OF(TYPE) *sk, const TYPE *ptr);
\& TYPE *sk_TYPE_pop(STACK_OF(TYPE) *sk);
\& TYPE *sk_TYPE_shift(STACK_OF(TYPE) *sk);
\& void sk_TYPE_pop_free(STACK_OF(TYPE) *sk, sk_TYPE_freefunc freefunc);
\& int sk_TYPE_insert(STACK_OF(TYPE) *sk, TYPE *ptr, int idx);
\& TYPE *sk_TYPE_set(STACK_OF(TYPE) *sk, int idx, const TYPE *ptr);
\& int sk_TYPE_find(STACK_OF(TYPE) *sk, TYPE *ptr);
\& int sk_TYPE_find_ex(STACK_OF(TYPE) *sk, TYPE *ptr);
\& void sk_TYPE_sort(const STACK_OF(TYPE) *sk);
\& int sk_TYPE_is_sorted(const STACK_OF(TYPE) *sk);
\& STACK_OF(TYPE) *sk_TYPE_dup(const STACK_OF(TYPE) *sk);
\& STACK_OF(TYPE) *sk_TYPE_deep_copy(const STACK_OF(TYPE) *sk,
\& sk_TYPE_copyfunc copyfunc,
\& sk_TYPE_freefunc freefunc);
\& sk_TYPE_compfunc (*sk_TYPE_set_cmp_func(STACK_OF(TYPE) *sk,
\& sk_TYPE_compfunc compare));
\& STACK_OF(TYPE) *sk_TYPE_new_reserve(sk_TYPE_compfunc compare, int n);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Applications can create and use their own stacks by placing any of the macros
described below in a header file. These macros define typesafe inline
functions that wrap around the utility \fBOPENSSL_sk_\fR \s-1API.\s0
In the description here, \fI\s-1TYPE\s0\fR is used
as a placeholder for any of the OpenSSL datatypes, such as \fIX509\fR.
.PP
\&\s-1\fBSTACK_OF\s0()\fR returns the name for a stack of the specified \fB\s-1TYPE\s0\fR.
\&\s-1\fBDEFINE_STACK_OF\s0()\fR creates set of functions for a stack of \fB\s-1TYPE\s0\fR. This
will mean that type \fB\s-1TYPE\s0\fR is stored in each stack, the type is referenced by
\&\s-1STACK_OF\s0(\s-1TYPE\s0) and each function name begins with \fIsk_TYPE_\fR. For example:
.PP
.Vb 1
\& TYPE *sk_TYPE_value(STACK_OF(TYPE) *sk, int idx);
.Ve
.PP
\&\s-1\fBDEFINE_STACK_OF_CONST\s0()\fR is identical to \s-1\fBDEFINE_STACK_OF\s0()\fR except
each element is constant. For example:
.PP
.Vb 1
\& const TYPE *sk_TYPE_value(STACK_OF(TYPE) *sk, int idx);
.Ve
.PP
\&\s-1\fBDEFINE_SPECIAL_STACK_OF\s0()\fR defines a stack of \fB\s-1TYPE\s0\fR but
each function uses \fB\s-1FUNCNAME\s0\fR in the function name. For example:
.PP
.Vb 1
\& TYPE *sk_FUNCNAME_value(STACK_OF(TYPE) *sk, int idx);
.Ve
.PP
\&\s-1\fBDEFINE_SPECIAL_STACK_OF_CONST\s0()\fR is similar except that each element is
constant:
.PP
.Vb 1
\& const TYPE *sk_FUNCNAME_value(STACK_OF(TYPE) *sk, int idx);
.Ve
.PP
\&\fBsk_TYPE_num()\fR returns the number of elements in \fBsk\fR or \-1 if \fBsk\fR is
\&\fB\s-1NULL\s0\fR.
.PP
\&\fBsk_TYPE_value()\fR returns element \fBidx\fR in \fBsk\fR, where \fBidx\fR starts at
zero. If \fBidx\fR is out of range then \fB\s-1NULL\s0\fR is returned.
.PP
\&\fBsk_TYPE_new()\fR allocates a new empty stack using comparison function \fBcompare\fR.
If \fBcompare\fR is \fB\s-1NULL\s0\fR then no comparison function is used. This function is
equivalent to sk_TYPE_new_reserve(compare, 0).
.PP
\&\fBsk_TYPE_new_null()\fR allocates a new empty stack with no comparison function. This
function is equivalent to sk_TYPE_new_reserve(\s-1NULL, 0\s0).
.PP
\&\fBsk_TYPE_reserve()\fR allocates additional memory in the \fBsk\fR structure
such that the next \fBn\fR calls to \fBsk_TYPE_insert()\fR, \fBsk_TYPE_push()\fR
or \fBsk_TYPE_unshift()\fR will not fail or cause memory to be allocated
or reallocated. If \fBn\fR is zero, any excess space allocated in the
\&\fBsk\fR structure is freed. On error \fBsk\fR is unchanged.
.PP
\&\fBsk_TYPE_new_reserve()\fR allocates a new stack. The new stack will have additional
memory allocated to hold \fBn\fR elements if \fBn\fR is positive. The next \fBn\fR calls
to \fBsk_TYPE_insert()\fR, \fBsk_TYPE_push()\fR or \fBsk_TYPE_unshift()\fR will not fail or cause
memory to be allocated or reallocated. If \fBn\fR is zero or less than zero, no
memory is allocated. \fBsk_TYPE_new_reserve()\fR also sets the comparison function
\&\fBcompare\fR to the newly created stack. If \fBcompare\fR is \fB\s-1NULL\s0\fR then no
comparison function is used.
.PP
\&\fBsk_TYPE_set_cmp_func()\fR sets the comparison function of \fBsk\fR to \fBcompare\fR.
The previous comparison function is returned or \fB\s-1NULL\s0\fR if there was
no previous comparison function.
.PP
\&\fBsk_TYPE_free()\fR frees up the \fBsk\fR structure. It does \fBnot\fR free up any
elements of \fBsk\fR. After this call \fBsk\fR is no longer valid.
.PP
\&\fBsk_TYPE_zero()\fR sets the number of elements in \fBsk\fR to zero. It does not free
\&\fBsk\fR so after this call \fBsk\fR is still valid.
.PP
\&\fBsk_TYPE_pop_free()\fR frees up all elements of \fBsk\fR and \fBsk\fR itself. The
free function \fBfreefunc()\fR is called on each element to free it.
.PP
\&\fBsk_TYPE_delete()\fR deletes element \fBi\fR from \fBsk\fR. It returns the deleted
element or \fB\s-1NULL\s0\fR if \fBi\fR is out of range.
.PP
\&\fBsk_TYPE_delete_ptr()\fR deletes element matching \fBptr\fR from \fBsk\fR. It returns
the deleted element or \fB\s-1NULL\s0\fR if no element matching \fBptr\fR was found.
.PP
\&\fBsk_TYPE_insert()\fR inserts \fBptr\fR into \fBsk\fR at position \fBidx\fR. Any existing
elements at or after \fBidx\fR are moved downwards. If \fBidx\fR is out of range
the new element is appended to \fBsk\fR. \fBsk_TYPE_insert()\fR either returns the
number of elements in \fBsk\fR after the new element is inserted or zero if
an error (such as memory allocation failure) occurred.
.PP
\&\fBsk_TYPE_push()\fR appends \fBptr\fR to \fBsk\fR it is equivalent to:
.PP
.Vb 1
\& sk_TYPE_insert(sk, ptr, \-1);
.Ve
.PP
\&\fBsk_TYPE_unshift()\fR inserts \fBptr\fR at the start of \fBsk\fR it is equivalent to:
.PP
.Vb 1
\& sk_TYPE_insert(sk, ptr, 0);
.Ve
.PP
\&\fBsk_TYPE_pop()\fR returns and removes the last element from \fBsk\fR.
.PP
\&\fBsk_TYPE_shift()\fR returns and removes the first element from \fBsk\fR.
.PP
\&\fBsk_TYPE_set()\fR sets element \fBidx\fR of \fBsk\fR to \fBptr\fR replacing the current
element. The new element value is returned or \fB\s-1NULL\s0\fR if an error occurred:
this will only happen if \fBsk\fR is \fB\s-1NULL\s0\fR or \fBidx\fR is out of range.
.PP
\&\fBsk_TYPE_find()\fR searches \fBsk\fR for the element \fBptr\fR. In the case
where no comparison function has been specified, the function performs
a linear search for a pointer equal to \fBptr\fR. The index of the first
matching element is returned or \fB\-1\fR if there is no match. In the case
where a comparison function has been specified, \fBsk\fR is sorted then
\&\fBsk_TYPE_find()\fR returns the index of a matching element or \fB\-1\fR if there
is no match. Note that, in this case, the matching element returned is
not guaranteed to be the first; the comparison function will usually
compare the values pointed to rather than the pointers themselves and
the order of elements in \fBsk\fR could change.
.PP
\&\fBsk_TYPE_find_ex()\fR operates like \fBsk_TYPE_find()\fR except when a comparison
function has been specified and no matching element is found. Instead
of returning \fB\-1\fR, \fBsk_TYPE_find_ex()\fR returns the index of the element
either before or after the location where \fBptr\fR would be if it were
present in \fBsk\fR.
.PP
\&\fBsk_TYPE_sort()\fR sorts \fBsk\fR using the supplied comparison function.
.PP
\&\fBsk_TYPE_is_sorted()\fR returns \fB1\fR if \fBsk\fR is sorted and \fB0\fR otherwise.
.PP
\&\fBsk_TYPE_dup()\fR returns a copy of \fBsk\fR. Note the pointers in the copy
are identical to the original.
.PP
\&\fBsk_TYPE_deep_copy()\fR returns a new stack where each element has been copied.
Copying is performed by the supplied \fBcopyfunc()\fR and freeing by \fBfreefunc()\fR. The
function \fBfreefunc()\fR is only called if an error occurs.
.SH "NOTES"
.IX Header "NOTES"
Care should be taken when accessing stacks in multi-threaded environments.
Any operation which increases the size of a stack such as \fBsk_TYPE_insert()\fR or
\&\fBsk_push()\fR can \*(L"grow\*(R" the size of an internal array and cause race conditions
if the same stack is accessed in a different thread. Operations such as
\&\fBsk_find()\fR and \fBsk_sort()\fR can also reorder the stack.
.PP
Any comparison function supplied should use a metric suitable
for use in a binary search operation. That is it should return zero, a
positive or negative value if \fBa\fR is equal to, greater than
or less than \fBb\fR respectively.
.PP
Care should be taken when checking the return values of the functions
\&\fBsk_TYPE_find()\fR and \fBsk_TYPE_find_ex()\fR. They return an index to the
matching element. In particular \fB0\fR indicates a matching first element.
A failed search is indicated by a \fB\-1\fR return value.
.PP
\&\s-1\fBSTACK_OF\s0()\fR, \s-1\fBDEFINE_STACK_OF\s0()\fR, \s-1\fBDEFINE_STACK_OF_CONST\s0()\fR, and
\&\s-1\fBDEFINE_SPECIAL_STACK_OF\s0()\fR are implemented as macros.
.PP
The underlying utility \fBOPENSSL_sk_\fR \s-1API\s0 should not be used directly.
It defines these functions: \fBOPENSSL_sk_deep_copy()\fR,
\&\fBOPENSSL_sk_delete()\fR, \fBOPENSSL_sk_delete_ptr()\fR, \fBOPENSSL_sk_dup()\fR,
\&\fBOPENSSL_sk_find()\fR, \fBOPENSSL_sk_find_ex()\fR, \fBOPENSSL_sk_free()\fR,
\&\fBOPENSSL_sk_insert()\fR, \fBOPENSSL_sk_is_sorted()\fR, \fBOPENSSL_sk_new()\fR,
\&\fBOPENSSL_sk_new_null()\fR, \fBOPENSSL_sk_num()\fR, \fBOPENSSL_sk_pop()\fR,
\&\fBOPENSSL_sk_pop_free()\fR, \fBOPENSSL_sk_push()\fR, \fBOPENSSL_sk_reserve()\fR,
\&\fBOPENSSL_sk_set()\fR, \fBOPENSSL_sk_set_cmp_func()\fR, \fBOPENSSL_sk_shift()\fR,
\&\fBOPENSSL_sk_sort()\fR, \fBOPENSSL_sk_unshift()\fR, \fBOPENSSL_sk_value()\fR,
\&\fBOPENSSL_sk_zero()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBsk_TYPE_num()\fR returns the number of elements in the stack or \fB\-1\fR if the
passed stack is \fB\s-1NULL\s0\fR.
.PP
\&\fBsk_TYPE_value()\fR returns a pointer to a stack element or \fB\s-1NULL\s0\fR if the
index is out of range.
.PP
\&\fBsk_TYPE_new()\fR, \fBsk_TYPE_new_null()\fR and \fBsk_TYPE_new_reserve()\fR return an empty
stack or \fB\s-1NULL\s0\fR if an error occurs.
.PP
\&\fBsk_TYPE_reserve()\fR returns \fB1\fR on successful allocation of the required memory
or \fB0\fR on error.
.PP
\&\fBsk_TYPE_set_cmp_func()\fR returns the old comparison function or \fB\s-1NULL\s0\fR if
there was no old comparison function.
.PP
\&\fBsk_TYPE_free()\fR, \fBsk_TYPE_zero()\fR, \fBsk_TYPE_pop_free()\fR and \fBsk_TYPE_sort()\fR do
not return values.
.PP
\&\fBsk_TYPE_pop()\fR, \fBsk_TYPE_shift()\fR, \fBsk_TYPE_delete()\fR and \fBsk_TYPE_delete_ptr()\fR
return a pointer to the deleted element or \fB\s-1NULL\s0\fR on error.
.PP
\&\fBsk_TYPE_insert()\fR, \fBsk_TYPE_push()\fR and \fBsk_TYPE_unshift()\fR return the total
-number of elements in the stack and 0 if an error occurred.
+number of elements in the stack and 0 if an error occurred. \fBsk_TYPE_push()\fR
+further returns \-1 if \fBsk\fR is \fB\s-1NULL\s0\fR.
.PP
\&\fBsk_TYPE_set()\fR returns a pointer to the replacement element or \fB\s-1NULL\s0\fR on
error.
.PP
\&\fBsk_TYPE_find()\fR and \fBsk_TYPE_find_ex()\fR return an index to the found element
or \fB\-1\fR on error.
.PP
\&\fBsk_TYPE_is_sorted()\fR returns \fB1\fR if the stack is sorted and \fB0\fR if it is
not.
.PP
\&\fBsk_TYPE_dup()\fR and \fBsk_TYPE_deep_copy()\fR return a pointer to the copy of the
stack.
.SH "HISTORY"
.IX Header "HISTORY"
Before OpenSSL 1.1.0, this was implemented via macros and not inline functions
and was not a public \s-1API.\s0
.PP
\&\fBsk_TYPE_reserve()\fR and \fBsk_TYPE_new_reserve()\fR were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DES_random_key.3 b/secure/lib/libcrypto/man/man3/DES_random_key.3
index 9df87f6b839d..ae284c109afe 100644
--- a/secure/lib/libcrypto/man/man3/DES_random_key.3
+++ b/secure/lib/libcrypto/man/man3/DES_random_key.3
@@ -1,444 +1,444 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DES_RANDOM_KEY 3"
-.TH DES_RANDOM_KEY 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DES_RANDOM_KEY 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DES_random_key, DES_set_key, DES_key_sched, DES_set_key_checked, DES_set_key_unchecked, DES_set_odd_parity, DES_is_weak_key, DES_ecb_encrypt, DES_ecb2_encrypt, DES_ecb3_encrypt, DES_ncbc_encrypt, DES_cfb_encrypt, DES_ofb_encrypt, DES_pcbc_encrypt, DES_cfb64_encrypt, DES_ofb64_encrypt, DES_xcbc_encrypt, DES_ede2_cbc_encrypt, DES_ede2_cfb64_encrypt, DES_ede2_ofb64_encrypt, DES_ede3_cbc_encrypt, DES_ede3_cfb64_encrypt, DES_ede3_ofb64_encrypt, DES_cbc_cksum, DES_quad_cksum, DES_string_to_key, DES_string_to_2keys, DES_fcrypt, DES_crypt \- DES encryption
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/des.h>
\&
\& void DES_random_key(DES_cblock *ret);
\&
\& int DES_set_key(const_DES_cblock *key, DES_key_schedule *schedule);
\& int DES_key_sched(const_DES_cblock *key, DES_key_schedule *schedule);
\& int DES_set_key_checked(const_DES_cblock *key, DES_key_schedule *schedule);
\& void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule);
\&
\& void DES_set_odd_parity(DES_cblock *key);
\& int DES_is_weak_key(const_DES_cblock *key);
\&
\& void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output,
\& DES_key_schedule *ks, int enc);
\& void DES_ecb2_encrypt(const_DES_cblock *input, DES_cblock *output,
\& DES_key_schedule *ks1, DES_key_schedule *ks2, int enc);
\& void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output,
\& DES_key_schedule *ks1, DES_key_schedule *ks2,
\& DES_key_schedule *ks3, int enc);
\&
\& void DES_ncbc_encrypt(const unsigned char *input, unsigned char *output,
\& long length, DES_key_schedule *schedule, DES_cblock *ivec,
\& int enc);
\& void DES_cfb_encrypt(const unsigned char *in, unsigned char *out,
\& int numbits, long length, DES_key_schedule *schedule,
\& DES_cblock *ivec, int enc);
\& void DES_ofb_encrypt(const unsigned char *in, unsigned char *out,
\& int numbits, long length, DES_key_schedule *schedule,
\& DES_cblock *ivec);
\& void DES_pcbc_encrypt(const unsigned char *input, unsigned char *output,
\& long length, DES_key_schedule *schedule, DES_cblock *ivec,
\& int enc);
\& void DES_cfb64_encrypt(const unsigned char *in, unsigned char *out,
\& long length, DES_key_schedule *schedule, DES_cblock *ivec,
\& int *num, int enc);
\& void DES_ofb64_encrypt(const unsigned char *in, unsigned char *out,
\& long length, DES_key_schedule *schedule, DES_cblock *ivec,
\& int *num);
\&
\& void DES_xcbc_encrypt(const unsigned char *input, unsigned char *output,
\& long length, DES_key_schedule *schedule, DES_cblock *ivec,
\& const_DES_cblock *inw, const_DES_cblock *outw, int enc);
\&
\& void DES_ede2_cbc_encrypt(const unsigned char *input, unsigned char *output,
\& long length, DES_key_schedule *ks1,
\& DES_key_schedule *ks2, DES_cblock *ivec, int enc);
\& void DES_ede2_cfb64_encrypt(const unsigned char *in, unsigned char *out,
\& long length, DES_key_schedule *ks1,
\& DES_key_schedule *ks2, DES_cblock *ivec,
\& int *num, int enc);
\& void DES_ede2_ofb64_encrypt(const unsigned char *in, unsigned char *out,
\& long length, DES_key_schedule *ks1,
\& DES_key_schedule *ks2, DES_cblock *ivec, int *num);
\&
\& void DES_ede3_cbc_encrypt(const unsigned char *input, unsigned char *output,
\& long length, DES_key_schedule *ks1,
\& DES_key_schedule *ks2, DES_key_schedule *ks3,
\& DES_cblock *ivec, int enc);
\& void DES_ede3_cfb64_encrypt(const unsigned char *in, unsigned char *out,
\& long length, DES_key_schedule *ks1,
\& DES_key_schedule *ks2, DES_key_schedule *ks3,
\& DES_cblock *ivec, int *num, int enc);
\& void DES_ede3_ofb64_encrypt(const unsigned char *in, unsigned char *out,
\& long length, DES_key_schedule *ks1,
\& DES_key_schedule *ks2, DES_key_schedule *ks3,
\& DES_cblock *ivec, int *num);
\&
\& DES_LONG DES_cbc_cksum(const unsigned char *input, DES_cblock *output,
\& long length, DES_key_schedule *schedule,
\& const_DES_cblock *ivec);
\& DES_LONG DES_quad_cksum(const unsigned char *input, DES_cblock output[],
\& long length, int out_count, DES_cblock *seed);
\& void DES_string_to_key(const char *str, DES_cblock *key);
\& void DES_string_to_2keys(const char *str, DES_cblock *key1, DES_cblock *key2);
\&
\& char *DES_fcrypt(const char *buf, const char *salt, char *ret);
\& char *DES_crypt(const char *buf, const char *salt);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This library contains a fast implementation of the \s-1DES\s0 encryption
algorithm.
.PP
There are two phases to the use of \s-1DES\s0 encryption. The first is the
generation of a \fIDES_key_schedule\fR from a key, the second is the
actual encryption. A \s-1DES\s0 key is of type \fIDES_cblock\fR. This type
consists of 8 bytes with odd parity. The least significant bit in
each byte is the parity bit. The key schedule is an expanded form of
the key; it is used to speed the encryption process.
.PP
\&\fBDES_random_key()\fR generates a random key. The random generator must be
seeded when calling this function.
If the automatic seeding or reseeding of the OpenSSL \s-1CSPRNG\s0 fails due to
external circumstances (see \s-1\fBRAND\s0\fR\|(7)), the operation will fail.
If the function fails, 0 is returned.
.PP
Before a \s-1DES\s0 key can be used, it must be converted into the
architecture dependent \fIDES_key_schedule\fR via the
\&\fBDES_set_key_checked()\fR or \fBDES_set_key_unchecked()\fR function.
.PP
\&\fBDES_set_key_checked()\fR will check that the key passed is of odd parity
and is not a weak or semi-weak key. If the parity is wrong, then \-1
is returned. If the key is a weak key, then \-2 is returned. If an
error is returned, the key schedule is not generated.
.PP
\&\fBDES_set_key()\fR works like
\&\fBDES_set_key_checked()\fR if the \fIDES_check_key\fR flag is nonzero,
otherwise like \fBDES_set_key_unchecked()\fR. These functions are available
for compatibility; it is recommended to use a function that does not
depend on a global variable.
.PP
\&\fBDES_set_odd_parity()\fR sets the parity of the passed \fIkey\fR to odd.
.PP
\&\fBDES_is_weak_key()\fR returns 1 if the passed key is a weak key, 0 if it
is ok.
.PP
The following routines mostly operate on an input and output stream of
\&\fIDES_cblock\fRs.
.PP
\&\fBDES_ecb_encrypt()\fR is the basic \s-1DES\s0 encryption routine that encrypts or
decrypts a single 8\-byte \fIDES_cblock\fR in \fIelectronic code book\fR
(\s-1ECB\s0) mode. It always transforms the input data, pointed to by
\&\fIinput\fR, into the output data, pointed to by the \fIoutput\fR argument.
If the \fIencrypt\fR argument is nonzero (\s-1DES_ENCRYPT\s0), the \fIinput\fR
(cleartext) is encrypted in to the \fIoutput\fR (ciphertext) using the
key_schedule specified by the \fIschedule\fR argument, previously set via
\&\fIDES_set_key\fR. If \fIencrypt\fR is zero (\s-1DES_DECRYPT\s0), the \fIinput\fR (now
ciphertext) is decrypted into the \fIoutput\fR (now cleartext). Input
and output may overlap. \fBDES_ecb_encrypt()\fR does not return a value.
.PP
\&\fBDES_ecb3_encrypt()\fR encrypts/decrypts the \fIinput\fR block by using
three-key Triple-DES encryption in \s-1ECB\s0 mode. This involves encrypting
the input with \fIks1\fR, decrypting with the key schedule \fIks2\fR, and
then encrypting with \fIks3\fR. This routine greatly reduces the chances
of brute force breaking of \s-1DES\s0 and has the advantage of if \fIks1\fR,
\&\fIks2\fR and \fIks3\fR are the same, it is equivalent to just encryption
using \s-1ECB\s0 mode and \fIks1\fR as the key.
.PP
The macro \fBDES_ecb2_encrypt()\fR is provided to perform two-key Triple-DES
encryption by using \fIks1\fR for the final encryption.
.PP
\&\fBDES_ncbc_encrypt()\fR encrypts/decrypts using the \fIcipher-block-chaining\fR
(\s-1CBC\s0) mode of \s-1DES.\s0 If the \fIencrypt\fR argument is nonzero, the
routine cipher-block-chain encrypts the cleartext data pointed to by
the \fIinput\fR argument into the ciphertext pointed to by the \fIoutput\fR
argument, using the key schedule provided by the \fIschedule\fR argument,
and initialization vector provided by the \fIivec\fR argument. If the
\&\fIlength\fR argument is not an integral multiple of eight bytes, the
last block is copied to a temporary area and zero filled. The output
is always an integral multiple of eight bytes.
.PP
\&\fBDES_xcbc_encrypt()\fR is \s-1RSA\s0's \s-1DESX\s0 mode of \s-1DES.\s0 It uses \fIinw\fR and
\&\fIoutw\fR to 'whiten' the encryption. \fIinw\fR and \fIoutw\fR are secret
(unlike the iv) and are as such, part of the key. So the key is sort
of 24 bytes. This is much better than \s-1CBC DES.\s0
.PP
\&\fBDES_ede3_cbc_encrypt()\fR implements outer triple \s-1CBC DES\s0 encryption with
three keys. This means that each \s-1DES\s0 operation inside the \s-1CBC\s0 mode is
\&\f(CW\*(C`C=E(ks3,D(ks2,E(ks1,M)))\*(C'\fR. This mode is used by \s-1SSL.\s0
.PP
The \fBDES_ede2_cbc_encrypt()\fR macro implements two-key Triple-DES by
reusing \fIks1\fR for the final encryption. \f(CW\*(C`C=E(ks1,D(ks2,E(ks1,M)))\*(C'\fR.
This form of Triple-DES is used by the \s-1RSAREF\s0 library.
.PP
\&\fBDES_pcbc_encrypt()\fR encrypts/decrypts using the propagating cipher block
chaining mode used by Kerberos v4. Its parameters are the same as
\&\fBDES_ncbc_encrypt()\fR.
.PP
\&\fBDES_cfb_encrypt()\fR encrypts/decrypts using cipher feedback mode. This
method takes an array of characters as input and outputs an array of
characters. It does not require any padding to 8 character groups.
Note: the \fIivec\fR variable is changed and the new changed value needs to
be passed to the next call to this function. Since this function runs
a complete \s-1DES ECB\s0 encryption per \fInumbits\fR, this function is only
suggested for use when sending a small number of characters.
.PP
\&\fBDES_cfb64_encrypt()\fR
implements \s-1CFB\s0 mode of \s-1DES\s0 with 64\-bit feedback. Why is this
useful you ask? Because this routine will allow you to encrypt an
arbitrary number of bytes, without 8 byte padding. Each call to this
routine will encrypt the input bytes to output and then update ivec
and num. num contains 'how far' we are though ivec. If this does
not make much sense, read more about \s-1CFB\s0 mode of \s-1DES.\s0
.PP
\&\fBDES_ede3_cfb64_encrypt()\fR and \fBDES_ede2_cfb64_encrypt()\fR is the same as
\&\fBDES_cfb64_encrypt()\fR except that Triple-DES is used.
.PP
\&\fBDES_ofb_encrypt()\fR encrypts using output feedback mode. This method
takes an array of characters as input and outputs an array of
characters. It does not require any padding to 8 character groups.
Note: the \fIivec\fR variable is changed and the new changed value needs to
be passed to the next call to this function. Since this function runs
a complete \s-1DES ECB\s0 encryption per \fInumbits\fR, this function is only
suggested for use when sending a small number of characters.
.PP
\&\fBDES_ofb64_encrypt()\fR is the same as \fBDES_cfb64_encrypt()\fR using Output
Feed Back mode.
.PP
\&\fBDES_ede3_ofb64_encrypt()\fR and \fBDES_ede2_ofb64_encrypt()\fR is the same as
\&\fBDES_ofb64_encrypt()\fR, using Triple-DES.
.PP
The following functions are included in the \s-1DES\s0 library for
compatibility with the \s-1MIT\s0 Kerberos library.
.PP
\&\fBDES_cbc_cksum()\fR produces an 8 byte checksum based on the input stream
(via \s-1CBC\s0 encryption). The last 4 bytes of the checksum are returned
and the complete 8 bytes are placed in \fIoutput\fR. This function is
used by Kerberos v4. Other applications should use
\&\fBEVP_DigestInit\fR\|(3) etc. instead.
.PP
\&\fBDES_quad_cksum()\fR is a Kerberos v4 function. It returns a 4 byte
checksum from the input bytes. The algorithm can be iterated over the
input, depending on \fIout_count\fR, 1, 2, 3 or 4 times. If \fIoutput\fR is
non-NULL, the 8 bytes generated by each pass are written into
\&\fIoutput\fR.
.PP
The following are DES-based transformations:
.PP
\&\fBDES_fcrypt()\fR is a fast version of the Unix \fBcrypt\fR\|(3) function. This
version takes only a small amount of space relative to other fast
\&\fBcrypt()\fR implementations. This is different to the normal \fBcrypt()\fR in
that the third parameter is the buffer that the return value is
written into. It needs to be at least 14 bytes long. This function
is thread safe, unlike the normal \fBcrypt()\fR.
.PP
\&\fBDES_crypt()\fR is a faster replacement for the normal system \fBcrypt()\fR.
This function calls \fBDES_fcrypt()\fR with a static array passed as the
third parameter. This mostly emulates the normal non-thread-safe semantics
of \fBcrypt\fR\|(3).
The \fBsalt\fR must be two \s-1ASCII\s0 characters.
.PP
The values returned by \fBDES_fcrypt()\fR and \fBDES_crypt()\fR are terminated by \s-1NUL\s0
character.
.PP
\&\fBDES_enc_write()\fR writes \fIlen\fR bytes to file descriptor \fIfd\fR from
buffer \fIbuf\fR. The data is encrypted via \fIpcbc_encrypt\fR (default)
using \fIsched\fR for the key and \fIiv\fR as a starting vector. The actual
data send down \fIfd\fR consists of 4 bytes (in network byte order)
containing the length of the following encrypted data. The encrypted
data then follows, padded with random data out to a multiple of 8
bytes.
.SH "BUGS"
.IX Header "BUGS"
\&\fBDES_cbc_encrypt()\fR does not modify \fBivec\fR; use \fBDES_ncbc_encrypt()\fR
instead.
.PP
\&\fBDES_cfb_encrypt()\fR and \fBDES_ofb_encrypt()\fR operates on input of 8 bits.
What this means is that if you set numbits to 12, and length to 2, the
first 12 bits will come from the 1st input byte and the low half of
the second input byte. The second 12 bits will have the low 8 bits
taken from the 3rd input byte and the top 4 bits taken from the 4th
input byte. The same holds for output. This function has been
implemented this way because most people will be using a multiple of 8
and because once you get into pulling bytes input bytes apart things
get ugly!
.PP
\&\fBDES_string_to_key()\fR is available for backward compatibility with the
\&\s-1MIT\s0 library. New applications should use a cryptographic hash function.
The same applies for \fBDES_string_to_2key()\fR.
.SH "NOTES"
.IX Header "NOTES"
The \fBdes\fR library was written to be source code compatible with
the \s-1MIT\s0 Kerberos library.
.PP
Applications should use the higher level functions
\&\fBEVP_EncryptInit\fR\|(3) etc. instead of calling these
functions directly.
.PP
Single-key \s-1DES\s0 is insecure due to its short key size. \s-1ECB\s0 mode is
not suitable for most applications; see \fBdes_modes\fR\|(7).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBDES_set_key()\fR, \fBDES_key_sched()\fR, \fBDES_set_key_checked()\fR and \fBDES_is_weak_key()\fR
return 0 on success or negative values on error.
.PP
\&\fBDES_cbc_cksum()\fR and \fBDES_quad_cksum()\fR return 4\-byte integer representing the
last 4 bytes of the checksum of the input.
.PP
\&\fBDES_fcrypt()\fR returns a pointer to the caller-provided buffer and \fBDES_crypt()\fR \-
to a static buffer on success; otherwise they return \s-1NULL.\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBdes_modes\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The requirement that the \fBsalt\fR parameter to \fBDES_crypt()\fR and \fBDES_fcrypt()\fR
be two \s-1ASCII\s0 characters was first enforced in
OpenSSL 1.1.0. Previous versions tried to use the letter uppercase \fBA\fR
if both character were not present, and could crash when given non-ASCII
on some platforms.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DH_generate_key.3 b/secure/lib/libcrypto/man/man3/DH_generate_key.3
index f037cc2e4051..f5ae89b37d74 100644
--- a/secure/lib/libcrypto/man/man3/DH_generate_key.3
+++ b/secure/lib/libcrypto/man/man3/DH_generate_key.3
@@ -1,201 +1,201 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DH_GENERATE_KEY 3"
-.TH DH_GENERATE_KEY 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DH_GENERATE_KEY 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DH_generate_key, DH_compute_key, DH_compute_key_padded \- perform Diffie\-Hellman key exchange
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dh.h>
\&
\& int DH_generate_key(DH *dh);
\&
\& int DH_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
\&
\& int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBDH_generate_key()\fR performs the first step of a Diffie-Hellman key
exchange by generating private and public \s-1DH\s0 values. By calling
\&\fBDH_compute_key()\fR or \fBDH_compute_key_padded()\fR, these are combined with
the other party's public value to compute the shared key.
.PP
\&\fBDH_generate_key()\fR expects \fBdh\fR to contain the shared parameters
\&\fBdh\->p\fR and \fBdh\->g\fR. It generates a random private \s-1DH\s0 value
unless \fBdh\->priv_key\fR is already set, and computes the
corresponding public value \fBdh\->pub_key\fR, which can then be
published.
.PP
\&\fBDH_compute_key()\fR computes the shared secret from the private \s-1DH\s0 value
in \fBdh\fR and the other party's public value in \fBpub_key\fR and stores
it in \fBkey\fR. \fBkey\fR must point to \fBDH_size(dh)\fR bytes of memory.
The padding style is \s-1RFC 5246\s0 (8.1.2) that strips leading zero bytes.
It is not constant time due to the leading zero bytes being stripped.
The return value should be considered public.
.PP
\&\fBDH_compute_key_padded()\fR is similar but stores a fixed number of bytes.
The padding style is \s-1NIST SP 800\-56A\s0 (C.1) that retains leading zero bytes.
It is constant time due to the leading zero bytes being retained.
The return value should be considered public.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBDH_generate_key()\fR returns 1 on success, 0 otherwise.
.PP
\&\fBDH_compute_key()\fR returns the size of the shared secret on success, \-1
on error.
.PP
\&\fBDH_compute_key_padded()\fR returns \fBDH_size(dh)\fR on success, \-1 on error.
.PP
The error codes can be obtained by \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDH_new\fR\|(3), \fBERR_get_error\fR\|(3), \fBRAND_bytes\fR\|(3), \fBDH_size\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBDH_compute_key_padded()\fR was added in OpenSSL 1.0.2.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DH_generate_parameters.3 b/secure/lib/libcrypto/man/man3/DH_generate_parameters.3
index d198f80e937d..3927b9db0279 100644
--- a/secure/lib/libcrypto/man/man3/DH_generate_parameters.3
+++ b/secure/lib/libcrypto/man/man3/DH_generate_parameters.3
@@ -1,263 +1,263 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DH_GENERATE_PARAMETERS 3"
-.TH DH_GENERATE_PARAMETERS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DH_GENERATE_PARAMETERS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DH_generate_parameters_ex, DH_generate_parameters, DH_check, DH_check_params, DH_check_ex, DH_check_params_ex, DH_check_pub_key_ex \&\- generate and check Diffie\-Hellman parameters
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dh.h>
\&
\& int DH_generate_parameters_ex(DH *dh, int prime_len, int generator, BN_GENCB *cb);
\&
\& int DH_check(DH *dh, int *codes);
\& int DH_check_params(DH *dh, int *codes);
\&
\& int DH_check_ex(const DH *dh);
\& int DH_check_params_ex(const DH *dh);
\& int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key);
.Ve
.PP
Deprecated:
.PP
.Vb 4
\& #if OPENSSL_API_COMPAT < 0x00908000L
\& DH *DH_generate_parameters(int prime_len, int generator,
\& void (*callback)(int, int, void *), void *cb_arg);
\& #endif
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBDH_generate_parameters_ex()\fR generates Diffie-Hellman parameters that can
be shared among a group of users, and stores them in the provided \fB\s-1DH\s0\fR
structure. The pseudo-random number generator must be
seeded before calling it.
The parameters generated by \fBDH_generate_parameters_ex()\fR should not be used in
signature schemes.
.PP
\&\fBprime_len\fR is the length in bits of the safe prime to be generated.
\&\fBgenerator\fR is a small number > 1, typically 2 or 5.
.PP
A callback function may be used to provide feedback about the progress
of the key generation. If \fBcb\fR is not \fB\s-1NULL\s0\fR, it will be
called as described in \fBBN_generate_prime\fR\|(3) while a random prime
number is generated, and when a prime has been found, \fBBN_GENCB_call(cb, 3, 0)\fR
is called. See \fBBN_generate_prime_ex\fR\|(3) for information on
the \fBBN_GENCB_call()\fR function.
.PP
\&\fBDH_generate_parameters()\fR is similar to \fBDH_generate_prime_ex()\fR but
expects an old-style callback function; see
\&\fBBN_generate_prime\fR\|(3) for information on the old-style callback.
.PP
\&\fBDH_check_params()\fR confirms that the \fBp\fR and \fBg\fR are likely enough to
be valid.
This is a lightweight check, if a more thorough check is needed, use
\&\fBDH_check()\fR.
The value of \fB*codes\fR is updated with any problems found.
If \fB*codes\fR is zero then no problems were found, otherwise the
following bits may be set:
.IP "\s-1DH_CHECK_P_NOT_PRIME\s0" 4
.IX Item "DH_CHECK_P_NOT_PRIME"
The parameter \fBp\fR has been determined to not being an odd prime.
Note that the lack of this bit doesn't guarantee that \fBp\fR is a
prime.
.IP "\s-1DH_NOT_SUITABLE_GENERATOR\s0" 4
.IX Item "DH_NOT_SUITABLE_GENERATOR"
The generator \fBg\fR is not suitable.
Note that the lack of this bit doesn't guarantee that \fBg\fR is
suitable, unless \fBp\fR is known to be a strong prime.
.PP
\&\fBDH_check()\fR confirms that the Diffie-Hellman parameters \fBdh\fR are valid. The
value of \fB*codes\fR is updated with any problems found. If \fB*codes\fR is zero then
no problems were found, otherwise the following bits may be set:
.IP "\s-1DH_CHECK_P_NOT_PRIME\s0" 4
.IX Item "DH_CHECK_P_NOT_PRIME"
The parameter \fBp\fR is not prime.
.IP "\s-1DH_CHECK_P_NOT_SAFE_PRIME\s0" 4
.IX Item "DH_CHECK_P_NOT_SAFE_PRIME"
The parameter \fBp\fR is not a safe prime and no \fBq\fR value is present.
.IP "\s-1DH_UNABLE_TO_CHECK_GENERATOR\s0" 4
.IX Item "DH_UNABLE_TO_CHECK_GENERATOR"
The generator \fBg\fR cannot be checked for suitability.
.IP "\s-1DH_NOT_SUITABLE_GENERATOR\s0" 4
.IX Item "DH_NOT_SUITABLE_GENERATOR"
The generator \fBg\fR is not suitable.
.IP "\s-1DH_CHECK_Q_NOT_PRIME\s0" 4
.IX Item "DH_CHECK_Q_NOT_PRIME"
The parameter \fBq\fR is not prime.
.IP "\s-1DH_CHECK_INVALID_Q_VALUE\s0" 4
.IX Item "DH_CHECK_INVALID_Q_VALUE"
The parameter \fBq\fR is invalid.
.IP "\s-1DH_CHECK_INVALID_J_VALUE\s0" 4
.IX Item "DH_CHECK_INVALID_J_VALUE"
The parameter \fBj\fR is invalid.
.PP
\&\fBDH_check_ex()\fR, \fBDH_check_params()\fR and \fBDH_check_pub_key_ex()\fR are similar to
\&\fBDH_check()\fR and \fBDH_check_params()\fR respectively, but the error reasons are added
to the thread's error queue instead of provided as return values from the
function.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBDH_generate_parameters_ex()\fR, \fBDH_check()\fR and \fBDH_check_params()\fR return 1
if the check could be performed, 0 otherwise.
.PP
\&\fBDH_generate_parameters()\fR returns a pointer to the \s-1DH\s0 structure or \s-1NULL\s0 if
the parameter generation fails.
.PP
\&\fBDH_check_ex()\fR, \fBDH_check_params()\fR and \fBDH_check_pub_key_ex()\fR return 1 if the
check is successful, 0 for failed.
.PP
The error codes can be obtained by \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDH_new\fR\|(3), \fBERR_get_error\fR\|(3), \fBRAND_bytes\fR\|(3),
\&\fBDH_free\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBDH_generate_parameters()\fR was deprecated in OpenSSL 0.9.8; use
\&\fBDH_generate_parameters_ex()\fR instead.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DH_get0_pqg.3 b/secure/lib/libcrypto/man/man3/DH_get0_pqg.3
index 7476da3bdfb1..bb283260b4ca 100644
--- a/secure/lib/libcrypto/man/man3/DH_get0_pqg.3
+++ b/secure/lib/libcrypto/man/man3/DH_get0_pqg.3
@@ -1,254 +1,254 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DH_GET0_PQG 3"
-.TH DH_GET0_PQG 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DH_GET0_PQG 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DH_get0_pqg, DH_set0_pqg, DH_get0_key, DH_set0_key, DH_get0_p, DH_get0_q, DH_get0_g, DH_get0_priv_key, DH_get0_pub_key, DH_clear_flags, DH_test_flags, DH_set_flags, DH_get0_engine, DH_get_length, DH_set_length \- Routines for getting and setting data in a DH object
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dh.h>
\&
\& void DH_get0_pqg(const DH *dh,
\& const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
\& int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
\& void DH_get0_key(const DH *dh,
\& const BIGNUM **pub_key, const BIGNUM **priv_key);
\& int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
\& const BIGNUM *DH_get0_p(const DH *dh);
\& const BIGNUM *DH_get0_q(const DH *dh);
\& const BIGNUM *DH_get0_g(const DH *dh);
\& const BIGNUM *DH_get0_priv_key(const DH *dh);
\& const BIGNUM *DH_get0_pub_key(const DH *dh);
\& void DH_clear_flags(DH *dh, int flags);
\& int DH_test_flags(const DH *dh, int flags);
\& void DH_set_flags(DH *dh, int flags);
\& ENGINE *DH_get0_engine(DH *d);
\& long DH_get_length(const DH *dh);
\& int DH_set_length(DH *dh, long length);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
A \s-1DH\s0 object contains the parameters \fBp\fR, \fBq\fR and \fBg\fR. Note that the \fBq\fR
parameter is optional. It also contains a public key (\fBpub_key\fR) and
(optionally) a private key (\fBpriv_key\fR).
.PP
The \fBp\fR, \fBq\fR and \fBg\fR parameters can be obtained by calling \fBDH_get0_pqg()\fR.
If the parameters have not yet been set then \fB*p\fR, \fB*q\fR and \fB*g\fR will be set
to \s-1NULL.\s0 Otherwise they are set to pointers to their respective values. These
point directly to the internal representations of the values and therefore
should not be freed directly.
Any of the out parameters \fBp\fR, \fBq\fR, and \fBg\fR can be \s-1NULL,\s0 in which case no
value will be returned for that parameter.
.PP
The \fBp\fR, \fBq\fR and \fBg\fR values can be set by calling \fBDH_set0_pqg()\fR and passing
the new values for \fBp\fR, \fBq\fR and \fBg\fR as parameters to the function. Calling
this function transfers the memory management of the values to the \s-1DH\s0 object,
and therefore the values that have been passed in should not be freed directly
after this function has been called. The \fBq\fR parameter may be \s-1NULL.\s0
.PP
To get the public and private key values use the \fBDH_get0_key()\fR function. A
pointer to the public key will be stored in \fB*pub_key\fR, and a pointer to the
private key will be stored in \fB*priv_key\fR. Either may be \s-1NULL\s0 if they have not
been set yet, although if the private key has been set then the public key must
be. The values point to the internal representation of the public key and
private key values. This memory should not be freed directly.
Any of the out parameters \fBpub_key\fR and \fBpriv_key\fR can be \s-1NULL,\s0 in which case
no value will be returned for that parameter.
.PP
The public and private key values can be set using \fBDH_set0_key()\fR. Either
parameter may be \s-1NULL,\s0 which means the corresponding \s-1DH\s0 field is left
untouched. As with \fBDH_set0_pqg()\fR this function transfers the memory management
of the key values to the \s-1DH\s0 object, and therefore they should not be freed
directly after this function has been called.
.PP
Any of the values \fBp\fR, \fBq\fR, \fBg\fR, \fBpriv_key\fR, and \fBpub_key\fR can also be
retrieved separately by the corresponding function \fBDH_get0_p()\fR, \fBDH_get0_q()\fR,
\&\fBDH_get0_g()\fR, \fBDH_get0_priv_key()\fR, and \fBDH_get0_pub_key()\fR, respectively.
.PP
\&\fBDH_set_flags()\fR sets the flags in the \fBflags\fR parameter on the \s-1DH\s0 object.
Multiple flags can be passed in one go (bitwise ORed together). Any flags that
are already set are left set. \fBDH_test_flags()\fR tests to see whether the flags
passed in the \fBflags\fR parameter are currently set in the \s-1DH\s0 object. Multiple
flags can be tested in one go. All flags that are currently set are returned, or
zero if none of the flags are set. \fBDH_clear_flags()\fR clears the specified flags
within the \s-1DH\s0 object.
.PP
\&\fBDH_get0_engine()\fR returns a handle to the \s-1ENGINE\s0 that has been set for this \s-1DH\s0
object, or \s-1NULL\s0 if no such \s-1ENGINE\s0 has been set.
.PP
The \fBDH_get_length()\fR and \fBDH_set_length()\fR functions get and set the optional
length parameter associated with this \s-1DH\s0 object. If the length is nonzero then
it is used, otherwise it is ignored. The \fBlength\fR parameter indicates the
length of the secret exponent (private key) in bits.
.SH "NOTES"
.IX Header "NOTES"
Values retrieved with \fBDH_get0_key()\fR are owned by the \s-1DH\s0 object used
in the call and may therefore \fInot\fR be passed to \fBDH_set0_key()\fR. If
needed, duplicate the received value using \fBBN_dup()\fR and pass the
duplicate. The same applies to \fBDH_get0_pqg()\fR and \fBDH_set0_pqg()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBDH_set0_pqg()\fR and \fBDH_set0_key()\fR return 1 on success or 0 on failure.
.PP
\&\fBDH_get0_p()\fR, \fBDH_get0_q()\fR, \fBDH_get0_g()\fR, \fBDH_get0_priv_key()\fR, and \fBDH_get0_pub_key()\fR
return the respective value, or \s-1NULL\s0 if it is unset.
.PP
\&\fBDH_test_flags()\fR returns the current state of the flags in the \s-1DH\s0 object.
.PP
\&\fBDH_get0_engine()\fR returns the \s-1ENGINE\s0 set for the \s-1DH\s0 object or \s-1NULL\s0 if no \s-1ENGINE\s0
has been set.
.PP
\&\fBDH_get_length()\fR returns the length of the secret exponent (private key) in bits,
or zero if no such length has been explicitly set.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDH_new\fR\|(3), \fBDH_new\fR\|(3), \fBDH_generate_parameters\fR\|(3), \fBDH_generate_key\fR\|(3),
\&\fBDH_set_method\fR\|(3), \fBDH_size\fR\|(3), \fBDH_meth_new\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The functions described here were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DH_get_1024_160.3 b/secure/lib/libcrypto/man/man3/DH_get_1024_160.3
index 633ff896e996..9a02596f6285 100644
--- a/secure/lib/libcrypto/man/man3/DH_get_1024_160.3
+++ b/secure/lib/libcrypto/man/man3/DH_get_1024_160.3
@@ -1,191 +1,191 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DH_GET_1024_160 3"
-.TH DH_GET_1024_160 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DH_GET_1024_160 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DH_get_1024_160, DH_get_2048_224, DH_get_2048_256, BN_get0_nist_prime_192, BN_get0_nist_prime_224, BN_get0_nist_prime_256, BN_get0_nist_prime_384, BN_get0_nist_prime_521, BN_get_rfc2409_prime_768, BN_get_rfc2409_prime_1024, BN_get_rfc3526_prime_1536, BN_get_rfc3526_prime_2048, BN_get_rfc3526_prime_3072, BN_get_rfc3526_prime_4096, BN_get_rfc3526_prime_6144, BN_get_rfc3526_prime_8192 \&\- Create standardized public primes or DH pairs
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 4
\& #include <openssl/dh.h>
\& DH *DH_get_1024_160(void)
\& DH *DH_get_2048_224(void)
\& DH *DH_get_2048_256(void)
\&
\& const BIGNUM *BN_get0_nist_prime_192(void)
\& const BIGNUM *BN_get0_nist_prime_224(void)
\& const BIGNUM *BN_get0_nist_prime_256(void)
\& const BIGNUM *BN_get0_nist_prime_384(void)
\& const BIGNUM *BN_get0_nist_prime_521(void)
\&
\& BIGNUM *BN_get_rfc2409_prime_768(BIGNUM *bn)
\& BIGNUM *BN_get_rfc2409_prime_1024(BIGNUM *bn)
\& BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM *bn)
\& BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM *bn)
\& BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM *bn)
\& BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM *bn)
\& BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *bn)
\& BIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *bn)
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBDH_get_1024_160()\fR, \fBDH_get_2048_224()\fR, and \fBDH_get_2048_256()\fR each return
a \s-1DH\s0 object for the \s-1IETF RFC 5114\s0 value.
.PP
\&\fBBN_get0_nist_prime_192()\fR, \fBBN_get0_nist_prime_224()\fR, \fBBN_get0_nist_prime_256()\fR,
\&\fBBN_get0_nist_prime_384()\fR, and \fBBN_get0_nist_prime_521()\fR functions return
a \s-1BIGNUM\s0 for the specific \s-1NIST\s0 prime curve (e.g., P\-256).
.PP
\&\fBBN_get_rfc2409_prime_768()\fR, \fBBN_get_rfc2409_prime_1024()\fR,
\&\fBBN_get_rfc3526_prime_1536()\fR, \fBBN_get_rfc3526_prime_2048()\fR,
\&\fBBN_get_rfc3526_prime_3072()\fR, \fBBN_get_rfc3526_prime_4096()\fR,
\&\fBBN_get_rfc3526_prime_6144()\fR, and \fBBN_get_rfc3526_prime_8192()\fR functions
return a \s-1BIGNUM\s0 for the specified size from \s-1IETF RFC 2409.\s0 If \fBbn\fR
is not \s-1NULL,\s0 the \s-1BIGNUM\s0 will be set into that location as well.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Defined above.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DH_meth_new.3 b/secure/lib/libcrypto/man/man3/DH_meth_new.3
index 9264d7dc9e47..9e418a611435 100644
--- a/secure/lib/libcrypto/man/man3/DH_meth_new.3
+++ b/secure/lib/libcrypto/man/man3/DH_meth_new.3
@@ -1,294 +1,294 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DH_METH_NEW 3"
-.TH DH_METH_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DH_METH_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DH_meth_new, DH_meth_free, DH_meth_dup, DH_meth_get0_name, DH_meth_set1_name, DH_meth_get_flags, DH_meth_set_flags, DH_meth_get0_app_data, DH_meth_set0_app_data, DH_meth_get_generate_key, DH_meth_set_generate_key, DH_meth_get_compute_key, DH_meth_set_compute_key, DH_meth_get_bn_mod_exp, DH_meth_set_bn_mod_exp, DH_meth_get_init, DH_meth_set_init, DH_meth_get_finish, DH_meth_set_finish, DH_meth_get_generate_params, DH_meth_set_generate_params \- Routines to build up DH methods
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dh.h>
\&
\& DH_METHOD *DH_meth_new(const char *name, int flags);
\&
\& void DH_meth_free(DH_METHOD *dhm);
\&
\& DH_METHOD *DH_meth_dup(const DH_METHOD *dhm);
\&
\& const char *DH_meth_get0_name(const DH_METHOD *dhm);
\& int DH_meth_set1_name(DH_METHOD *dhm, const char *name);
\&
\& int DH_meth_get_flags(const DH_METHOD *dhm);
\& int DH_meth_set_flags(DH_METHOD *dhm, int flags);
\&
\& void *DH_meth_get0_app_data(const DH_METHOD *dhm);
\& int DH_meth_set0_app_data(DH_METHOD *dhm, void *app_data);
\&
\& int (*DH_meth_get_generate_key(const DH_METHOD *dhm))(DH *);
\& int DH_meth_set_generate_key(DH_METHOD *dhm, int (*generate_key)(DH *));
\&
\& int (*DH_meth_get_compute_key(const DH_METHOD *dhm))
\& (unsigned char *key, const BIGNUM *pub_key, DH *dh);
\& int DH_meth_set_compute_key(DH_METHOD *dhm,
\& int (*compute_key)(unsigned char *key, const BIGNUM *pub_key, DH *dh));
\&
\& int (*DH_meth_get_bn_mod_exp(const DH_METHOD *dhm))
\& (const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
\& const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
\& int DH_meth_set_bn_mod_exp(DH_METHOD *dhm,
\& int (*bn_mod_exp)(const DH *dh, BIGNUM *r, const BIGNUM *a,
\& const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
\& BN_MONT_CTX *m_ctx));
\&
\& int (*DH_meth_get_init(const DH_METHOD *dhm))(DH *);
\& int DH_meth_set_init(DH_METHOD *dhm, int (*init)(DH *));
\&
\& int (*DH_meth_get_finish(const DH_METHOD *dhm))(DH *);
\& int DH_meth_set_finish(DH_METHOD *dhm, int (*finish)(DH *));
\&
\& int (*DH_meth_get_generate_params(const DH_METHOD *dhm))
\& (DH *, int, int, BN_GENCB *);
\& int DH_meth_set_generate_params(DH_METHOD *dhm,
\& int (*generate_params)(DH *, int, int, BN_GENCB *));
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fB\s-1DH_METHOD\s0\fR type is a structure used for the provision of custom \s-1DH\s0
implementations. It provides a set of functions used by OpenSSL for the
implementation of the various \s-1DH\s0 capabilities.
.PP
\&\fBDH_meth_new()\fR creates a new \fB\s-1DH_METHOD\s0\fR structure. It should be given a
unique \fBname\fR and a set of \fBflags\fR. The \fBname\fR should be a \s-1NULL\s0 terminated
string, which will be duplicated and stored in the \fB\s-1DH_METHOD\s0\fR object. It is
the callers responsibility to free the original string. The flags will be used
during the construction of a new \fB\s-1DH\s0\fR object based on this \fB\s-1DH_METHOD\s0\fR. Any
new \fB\s-1DH\s0\fR object will have those flags set by default.
.PP
\&\fBDH_meth_dup()\fR creates a duplicate copy of the \fB\s-1DH_METHOD\s0\fR object passed as a
parameter. This might be useful for creating a new \fB\s-1DH_METHOD\s0\fR based on an
existing one, but with some differences.
.PP
\&\fBDH_meth_free()\fR destroys a \fB\s-1DH_METHOD\s0\fR structure and frees up any memory
associated with it.
.PP
\&\fBDH_meth_get0_name()\fR will return a pointer to the name of this \s-1DH_METHOD.\s0 This
is a pointer to the internal name string and so should not be freed by the
caller. \fBDH_meth_set1_name()\fR sets the name of the \s-1DH_METHOD\s0 to \fBname\fR. The
string is duplicated and the copy is stored in the \s-1DH_METHOD\s0 structure, so the
caller remains responsible for freeing the memory associated with the name.
.PP
\&\fBDH_meth_get_flags()\fR returns the current value of the flags associated with this
\&\s-1DH_METHOD.\s0 \fBDH_meth_set_flags()\fR provides the ability to set these flags.
.PP
The functions \fBDH_meth_get0_app_data()\fR and \fBDH_meth_set0_app_data()\fR provide the
ability to associate implementation specific data with the \s-1DH_METHOD.\s0 It is
the application's responsibility to free this data before the \s-1DH_METHOD\s0 is
freed via a call to \fBDH_meth_free()\fR.
.PP
\&\fBDH_meth_get_generate_key()\fR and \fBDH_meth_set_generate_key()\fR get and set the
function used for generating a new \s-1DH\s0 key pair respectively. This function will
be called in response to the application calling \fBDH_generate_key()\fR. The
parameter for the function has the same meaning as for \fBDH_generate_key()\fR.
.PP
\&\fBDH_meth_get_compute_key()\fR and \fBDH_meth_set_compute_key()\fR get and set the
function used for computing a new \s-1DH\s0 shared secret respectively. This function
will be called in response to the application calling \fBDH_compute_key()\fR. The
parameters for the function have the same meaning as for \fBDH_compute_key()\fR.
.PP
\&\fBDH_meth_get_bn_mod_exp()\fR and \fBDH_meth_set_bn_mod_exp()\fR get and set the function
used for computing the following value:
.PP
.Vb 1
\& r = a ^ p mod m
.Ve
.PP
This function will be called by the default OpenSSL function for
\&\fBDH_generate_key()\fR. The result is stored in the \fBr\fR parameter. This function
may be \s-1NULL\s0 unless using the default generate key function, in which case it
must be present.
.PP
\&\fBDH_meth_get_init()\fR and \fBDH_meth_set_init()\fR get and set the function used
for creating a new \s-1DH\s0 instance respectively. This function will be
called in response to the application calling \fBDH_new()\fR (if the current default
\&\s-1DH_METHOD\s0 is this one) or \fBDH_new_method()\fR. The \fBDH_new()\fR and \fBDH_new_method()\fR
functions will allocate the memory for the new \s-1DH\s0 object, and a pointer to this
newly allocated structure will be passed as a parameter to the function. This
function may be \s-1NULL.\s0
.PP
\&\fBDH_meth_get_finish()\fR and \fBDH_meth_set_finish()\fR get and set the function used
for destroying an instance of a \s-1DH\s0 object respectively. This function will be
called in response to the application calling \fBDH_free()\fR. A pointer to the \s-1DH\s0
to be destroyed is passed as a parameter. The destroy function should be used
for \s-1DH\s0 implementation specific clean up. The memory for the \s-1DH\s0 itself should
not be freed by this function. This function may be \s-1NULL.\s0
.PP
\&\fBDH_meth_get_generate_params()\fR and \fBDH_meth_set_generate_params()\fR get and set the
function used for generating \s-1DH\s0 parameters respectively. This function will be
called in response to the application calling \fBDH_generate_parameters_ex()\fR (or
\&\fBDH_generate_parameters()\fR). The parameters for the function have the same
meaning as for \fBDH_generate_parameters_ex()\fR. This function may be \s-1NULL.\s0
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBDH_meth_new()\fR and \fBDH_meth_dup()\fR return the newly allocated \s-1DH_METHOD\s0 object
or \s-1NULL\s0 on failure.
.PP
\&\fBDH_meth_get0_name()\fR and \fBDH_meth_get_flags()\fR return the name and flags
associated with the \s-1DH_METHOD\s0 respectively.
.PP
All other DH_meth_get_*() functions return the appropriate function pointer
that has been set in the \s-1DH_METHOD,\s0 or \s-1NULL\s0 if no such pointer has yet been
set.
.PP
\&\fBDH_meth_set1_name()\fR and all DH_meth_set_*() functions return 1 on success or
0 on failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDH_new\fR\|(3), \fBDH_new\fR\|(3), \fBDH_generate_parameters\fR\|(3), \fBDH_generate_key\fR\|(3),
\&\fBDH_set_method\fR\|(3), \fBDH_size\fR\|(3), \fBDH_get0_pqg\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The functions described here were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DH_new.3 b/secure/lib/libcrypto/man/man3/DH_new.3
index cff4dbee3641..d3ed8df91c0c 100644
--- a/secure/lib/libcrypto/man/man3/DH_new.3
+++ b/secure/lib/libcrypto/man/man3/DH_new.3
@@ -1,178 +1,178 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DH_NEW 3"
-.TH DH_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DH_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DH_new, DH_free \- allocate and free DH objects
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dh.h>
\&
\& DH* DH_new(void);
\&
\& void DH_free(DH *dh);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBDH_new()\fR allocates and initializes a \fB\s-1DH\s0\fR structure.
.PP
\&\fBDH_free()\fR frees the \fB\s-1DH\s0\fR structure and its components. The values are
erased before the memory is returned to the system.
If \fBdh\fR is \s-1NULL\s0 nothing is done.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
If the allocation fails, \fBDH_new()\fR returns \fB\s-1NULL\s0\fR and sets an error
code that can be obtained by \fBERR_get_error\fR\|(3). Otherwise it returns
a pointer to the newly allocated structure.
.PP
\&\fBDH_free()\fR returns no value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDH_new\fR\|(3), \fBERR_get_error\fR\|(3),
\&\fBDH_generate_parameters\fR\|(3),
\&\fBDH_generate_key\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DH_new_by_nid.3 b/secure/lib/libcrypto/man/man3/DH_new_by_nid.3
index 7d16536e255f..7c3276c990d9 100644
--- a/secure/lib/libcrypto/man/man3/DH_new_by_nid.3
+++ b/secure/lib/libcrypto/man/man3/DH_new_by_nid.3
@@ -1,172 +1,172 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DH_NEW_BY_NID 3"
-.TH DH_NEW_BY_NID 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DH_NEW_BY_NID 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DH_new_by_nid, DH_get_nid \- get or find DH named parameters
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 3
\& #include <openssl/dh.h>
\& DH *DH_new_by_nid(int nid);
\& int *DH_get_nid(const DH *dh);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBDH_new_by_nid()\fR creates and returns a \s-1DH\s0 structure containing named parameters
\&\fBnid\fR. Currently \fBnid\fR must be \fBNID_ffdhe2048\fR, \fBNID_ffdhe3072\fR,
\&\fBNID_ffdhe4096\fR, \fBNID_ffdhe6144\fR or \fBNID_ffdhe8192\fR.
.PP
\&\fBDH_get_nid()\fR determines if the parameters contained in \fBdh\fR match
any named set. It returns the \s-1NID\s0 corresponding to the matching parameters or
\&\fBNID_undef\fR if there is no match.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBDH_new_by_nid()\fR returns a set of \s-1DH\s0 parameters or \fB\s-1NULL\s0\fR if an error occurred.
.PP
\&\fBDH_get_nid()\fR returns the \s-1NID\s0 of the matching set of parameters or
\&\fBNID_undef\fR if there is no match.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DH_set_method.3 b/secure/lib/libcrypto/man/man3/DH_set_method.3
index 2348b443244a..6df51d8d6574 100644
--- a/secure/lib/libcrypto/man/man3/DH_set_method.3
+++ b/secure/lib/libcrypto/man/man3/DH_set_method.3
@@ -1,219 +1,219 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DH_SET_METHOD 3"
-.TH DH_SET_METHOD 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DH_SET_METHOD 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DH_set_default_method, DH_get_default_method, DH_set_method, DH_new_method, DH_OpenSSL \- select DH method
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dh.h>
\&
\& void DH_set_default_method(const DH_METHOD *meth);
\&
\& const DH_METHOD *DH_get_default_method(void);
\&
\& int DH_set_method(DH *dh, const DH_METHOD *meth);
\&
\& DH *DH_new_method(ENGINE *engine);
\&
\& const DH_METHOD *DH_OpenSSL(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
A \fB\s-1DH_METHOD\s0\fR specifies the functions that OpenSSL uses for Diffie-Hellman
operations. By modifying the method, alternative implementations
such as hardware accelerators may be used. \s-1IMPORTANT:\s0 See the \s-1NOTES\s0 section for
important information about how these \s-1DH API\s0 functions are affected by the use
of \fB\s-1ENGINE\s0\fR \s-1API\s0 calls.
.PP
Initially, the default \s-1DH_METHOD\s0 is the OpenSSL internal implementation, as
returned by \fBDH_OpenSSL()\fR.
.PP
\&\fBDH_set_default_method()\fR makes \fBmeth\fR the default method for all \s-1DH\s0
structures created later.
\&\fB\s-1NB\s0\fR: This is true only whilst no \s-1ENGINE\s0 has been set
as a default for \s-1DH,\s0 so this function is no longer recommended.
This function is not thread-safe and should not be called at the same time
as other OpenSSL functions.
.PP
\&\fBDH_get_default_method()\fR returns a pointer to the current default \s-1DH_METHOD.\s0
However, the meaningfulness of this result is dependent on whether the \s-1ENGINE
API\s0 is being used, so this function is no longer recommended.
.PP
\&\fBDH_set_method()\fR selects \fBmeth\fR to perform all operations using the key \fBdh\fR.
This will replace the \s-1DH_METHOD\s0 used by the \s-1DH\s0 key and if the previous method
was supplied by an \s-1ENGINE,\s0 the handle to that \s-1ENGINE\s0 will be released during the
change. It is possible to have \s-1DH\s0 keys that only work with certain \s-1DH_METHOD\s0
implementations (e.g. from an \s-1ENGINE\s0 module that supports embedded
hardware-protected keys), and in such cases attempting to change the \s-1DH_METHOD\s0
for the key can have unexpected results.
.PP
\&\fBDH_new_method()\fR allocates and initializes a \s-1DH\s0 structure so that \fBengine\fR will
be used for the \s-1DH\s0 operations. If \fBengine\fR is \s-1NULL,\s0 the default \s-1ENGINE\s0 for \s-1DH\s0
operations is used, and if no default \s-1ENGINE\s0 is set, the \s-1DH_METHOD\s0 controlled by
\&\fBDH_set_default_method()\fR is used.
.PP
A new \s-1DH_METHOD\s0 object may be constructed using \fBDH_meth_new()\fR (see
\&\fBDH_meth_new\fR\|(3)).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBDH_OpenSSL()\fR and \fBDH_get_default_method()\fR return pointers to the respective
\&\fB\s-1DH_METHOD\s0\fRs.
.PP
\&\fBDH_set_default_method()\fR returns no value.
.PP
\&\fBDH_set_method()\fR returns nonzero if the provided \fBmeth\fR was successfully set as
the method for \fBdh\fR (including unloading the \s-1ENGINE\s0 handle if the previous
method was supplied by an \s-1ENGINE\s0).
.PP
\&\fBDH_new_method()\fR returns \s-1NULL\s0 and sets an error code that can be obtained by
\&\fBERR_get_error\fR\|(3) if the allocation fails. Otherwise it
returns a pointer to the newly allocated structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDH_new\fR\|(3), \fBDH_new\fR\|(3), \fBDH_meth_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DH_size.3 b/secure/lib/libcrypto/man/man3/DH_size.3
index f615ff21fb16..3c3114f0c9b0 100644
--- a/secure/lib/libcrypto/man/man3/DH_size.3
+++ b/secure/lib/libcrypto/man/man3/DH_size.3
@@ -1,187 +1,187 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DH_SIZE 3"
-.TH DH_SIZE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DH_SIZE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DH_size, DH_bits, DH_security_bits \- get Diffie\-Hellman prime size and security bits
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dh.h>
\&
\& int DH_size(const DH *dh);
\&
\& int DH_bits(const DH *dh);
\&
\& int DH_security_bits(const DH *dh);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBDH_size()\fR returns the Diffie-Hellman prime size in bytes. It can be used
to determine how much memory must be allocated for the shared secret
computed by \fBDH_compute_key\fR\|(3).
.PP
\&\fBDH_bits()\fR returns the number of significant bits.
.PP
\&\fBdh\fR and \fBdh\->p\fR must not be \fB\s-1NULL\s0\fR.
.PP
\&\fBDH_security_bits()\fR returns the number of security bits of the given \fBdh\fR
key. See \fBBN_security_bits\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBDH_size()\fR returns the prime size of Diffie-Hellman in bytes.
.PP
\&\fBDH_bits()\fR returns the number of bits in the key.
.PP
\&\fBDH_security_bits()\fR returns the number of security bits.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDH_new\fR\|(3), \fBDH_generate_key\fR\|(3),
\&\fBBN_num_bits\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBDH_bits()\fR function was added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DSA_SIG_new.3 b/secure/lib/libcrypto/man/man3/DSA_SIG_new.3
index 31e5017a2f7a..639b5eecf3c1 100644
--- a/secure/lib/libcrypto/man/man3/DSA_SIG_new.3
+++ b/secure/lib/libcrypto/man/man3/DSA_SIG_new.3
@@ -1,189 +1,189 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DSA_SIG_NEW 3"
-.TH DSA_SIG_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DSA_SIG_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DSA_SIG_get0, DSA_SIG_set0, DSA_SIG_new, DSA_SIG_free \- allocate and free DSA signature objects
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dsa.h>
\&
\& DSA_SIG *DSA_SIG_new(void);
\& void DSA_SIG_free(DSA_SIG *a);
\& void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
\& int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBDSA_SIG_new()\fR allocates an empty \fB\s-1DSA_SIG\s0\fR structure.
.PP
\&\fBDSA_SIG_free()\fR frees the \fB\s-1DSA_SIG\s0\fR structure and its components. The
values are erased before the memory is returned to the system.
.PP
\&\fBDSA_SIG_get0()\fR returns internal pointers to the \fBr\fR and \fBs\fR values contained
in \fBsig\fR.
.PP
The \fBr\fR and \fBs\fR values can be set by calling \fBDSA_SIG_set0()\fR and passing the
new values for \fBr\fR and \fBs\fR as parameters to the function. Calling this
function transfers the memory management of the values to the \s-1DSA_SIG\s0 object,
and therefore the values that have been passed in should not be freed directly
after this function has been called.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
If the allocation fails, \fBDSA_SIG_new()\fR returns \fB\s-1NULL\s0\fR and sets an
error code that can be obtained by
\&\fBERR_get_error\fR\|(3). Otherwise it returns a pointer
to the newly allocated structure.
.PP
\&\fBDSA_SIG_free()\fR returns no value.
.PP
\&\fBDSA_SIG_set0()\fR returns 1 on success or 0 on failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDSA_new\fR\|(3), \fBERR_get_error\fR\|(3),
\&\fBDSA_do_sign\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DSA_do_sign.3 b/secure/lib/libcrypto/man/man3/DSA_do_sign.3
index a15e63e1120f..cb06e4816861 100644
--- a/secure/lib/libcrypto/man/man3/DSA_do_sign.3
+++ b/secure/lib/libcrypto/man/man3/DSA_do_sign.3
@@ -1,184 +1,184 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DSA_DO_SIGN 3"
-.TH DSA_DO_SIGN 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DSA_DO_SIGN 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DSA_do_sign, DSA_do_verify \- raw DSA signature operations
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dsa.h>
\&
\& DSA_SIG *DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
\&
\& int DSA_do_verify(const unsigned char *dgst, int dgst_len,
\& DSA_SIG *sig, DSA *dsa);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBDSA_do_sign()\fR computes a digital signature on the \fBlen\fR byte message
digest \fBdgst\fR using the private key \fBdsa\fR and returns it in a
newly allocated \fB\s-1DSA_SIG\s0\fR structure.
.PP
\&\fBDSA_sign_setup\fR\|(3) may be used to precompute part
of the signing operation in case signature generation is
time-critical.
.PP
\&\fBDSA_do_verify()\fR verifies that the signature \fBsig\fR matches a given
message digest \fBdgst\fR of size \fBlen\fR. \fBdsa\fR is the signer's public
key.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBDSA_do_sign()\fR returns the signature, \s-1NULL\s0 on error. \fBDSA_do_verify()\fR
returns 1 for a valid signature, 0 for an incorrect signature and \-1
on error. The error codes can be obtained by
\&\fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDSA_new\fR\|(3), \fBERR_get_error\fR\|(3), \fBRAND_bytes\fR\|(3),
\&\fBDSA_SIG_new\fR\|(3),
\&\fBDSA_sign\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DSA_dup_DH.3 b/secure/lib/libcrypto/man/man3/DSA_dup_DH.3
index ebfff8ef7474..c1aed678fa9e 100644
--- a/secure/lib/libcrypto/man/man3/DSA_dup_DH.3
+++ b/secure/lib/libcrypto/man/man3/DSA_dup_DH.3
@@ -1,172 +1,172 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DSA_DUP_DH 3"
-.TH DSA_DUP_DH 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DSA_DUP_DH 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DSA_dup_DH \- create a DH structure out of DSA structure
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dsa.h>
\&
\& DH *DSA_dup_DH(const DSA *r);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBDSA_dup_DH()\fR duplicates \s-1DSA\s0 parameters/keys as \s-1DH\s0 parameters/keys. q
is lost during that conversion, but the resulting \s-1DH\s0 parameters
contain its length.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBDSA_dup_DH()\fR returns the new \fB\s-1DH\s0\fR structure, and \s-1NULL\s0 on error. The
error codes can be obtained by \fBERR_get_error\fR\|(3).
.SH "NOTE"
.IX Header "NOTE"
Be careful to avoid small subgroup attacks when using this.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDH_new\fR\|(3), \fBDSA_new\fR\|(3), \fBERR_get_error\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DSA_generate_key.3 b/secure/lib/libcrypto/man/man3/DSA_generate_key.3
index 70977313dabf..35db6f042bfb 100644
--- a/secure/lib/libcrypto/man/man3/DSA_generate_key.3
+++ b/secure/lib/libcrypto/man/man3/DSA_generate_key.3
@@ -1,173 +1,173 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DSA_GENERATE_KEY 3"
-.TH DSA_GENERATE_KEY 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DSA_GENERATE_KEY 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DSA_generate_key \- generate DSA key pair
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dsa.h>
\&
\& int DSA_generate_key(DSA *a);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBDSA_generate_key()\fR expects \fBa\fR to contain \s-1DSA\s0 parameters. It generates
a new key pair and stores it in \fBa\->pub_key\fR and \fBa\->priv_key\fR.
.PP
The random generator must be seeded prior to calling \fBDSA_generate_key()\fR.
If the automatic seeding or reseeding of the OpenSSL \s-1CSPRNG\s0 fails due to
external circumstances (see \s-1\fBRAND\s0\fR\|(7)), the operation will fail.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBDSA_generate_key()\fR returns 1 on success, 0 otherwise.
The error codes can be obtained by \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDSA_new\fR\|(3), \fBERR_get_error\fR\|(3), \fBRAND_bytes\fR\|(3),
\&\fBDSA_generate_parameters_ex\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DSA_generate_parameters.3 b/secure/lib/libcrypto/man/man3/DSA_generate_parameters.3
index 7323e9c343d3..27404c631b61 100644
--- a/secure/lib/libcrypto/man/man3/DSA_generate_parameters.3
+++ b/secure/lib/libcrypto/man/man3/DSA_generate_parameters.3
@@ -1,240 +1,240 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DSA_GENERATE_PARAMETERS 3"
-.TH DSA_GENERATE_PARAMETERS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DSA_GENERATE_PARAMETERS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DSA_generate_parameters_ex, DSA_generate_parameters \- generate DSA parameters
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dsa.h>
\&
\& int DSA_generate_parameters_ex(DSA *dsa, int bits,
\& const unsigned char *seed, int seed_len,
\& int *counter_ret, unsigned long *h_ret,
\& BN_GENCB *cb);
.Ve
.PP
Deprecated:
.PP
.Vb 5
\& #if OPENSSL_API_COMPAT < 0x00908000L
\& DSA *DSA_generate_parameters(int bits, unsigned char *seed, int seed_len,
\& int *counter_ret, unsigned long *h_ret,
\& void (*callback)(int, int, void *), void *cb_arg);
\& #endif
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBDSA_generate_parameters_ex()\fR generates primes p and q and a generator g
for use in the \s-1DSA\s0 and stores the result in \fBdsa\fR.
.PP
\&\fBbits\fR is the length of the prime p to be generated.
For lengths under 2048 bits, the length of q is 160 bits; for lengths
greater than or equal to 2048 bits, the length of q is set to 256 bits.
.PP
If \fBseed\fR is \s-1NULL,\s0 the primes will be generated at random.
If \fBseed_len\fR is less than the length of q, an error is returned.
.PP
\&\fBDSA_generate_parameters_ex()\fR places the iteration count in
*\fBcounter_ret\fR and a counter used for finding a generator in
*\fBh_ret\fR, unless these are \fB\s-1NULL\s0\fR.
.PP
A callback function may be used to provide feedback about the progress
of the key generation. If \fBcb\fR is not \fB\s-1NULL\s0\fR, it will be
called as shown below. For information on the \s-1BN_GENCB\s0 structure and the
BN_GENCB_call function discussed below, refer to
\&\fBBN_generate_prime\fR\|(3).
.PP
\&\fBDSA_generate_prime()\fR is similar to \fBDSA_generate_prime_ex()\fR but
expects an old-style callback function; see
\&\fBBN_generate_prime\fR\|(3) for information on the old-style callback.
.IP "\(bu" 2
When a candidate for q is generated, \fBBN_GENCB_call(cb, 0, m++)\fR is called
(m is 0 for the first candidate).
.IP "\(bu" 2
When a candidate for q has passed a test by trial division,
\&\fBBN_GENCB_call(cb, 1, \-1)\fR is called.
While a candidate for q is tested by Miller-Rabin primality tests,
\&\fBBN_GENCB_call(cb, 1, i)\fR is called in the outer loop
(once for each witness that confirms that the candidate may be prime);
i is the loop counter (starting at 0).
.IP "\(bu" 2
When a prime q has been found, \fBBN_GENCB_call(cb, 2, 0)\fR and
\&\fBBN_GENCB_call(cb, 3, 0)\fR are called.
.IP "\(bu" 2
Before a candidate for p (other than the first) is generated and tested,
\&\fBBN_GENCB_call(cb, 0, counter)\fR is called.
.IP "\(bu" 2
When a candidate for p has passed the test by trial division,
\&\fBBN_GENCB_call(cb, 1, \-1)\fR is called.
While it is tested by the Miller-Rabin primality test,
\&\fBBN_GENCB_call(cb, 1, i)\fR is called in the outer loop
(once for each witness that confirms that the candidate may be prime).
i is the loop counter (starting at 0).
.IP "\(bu" 2
When p has been found, \fBBN_GENCB_call(cb, 2, 1)\fR is called.
.IP "\(bu" 2
When the generator has been found, \fBBN_GENCB_call(cb, 3, 1)\fR is called.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBDSA_generate_parameters_ex()\fR returns a 1 on success, or 0 otherwise.
The error codes can be obtained by \fBERR_get_error\fR\|(3).
.PP
\&\fBDSA_generate_parameters()\fR returns a pointer to the \s-1DSA\s0 structure or
\&\fB\s-1NULL\s0\fR if the parameter generation fails.
.SH "BUGS"
.IX Header "BUGS"
Seed lengths greater than 20 are not supported.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDSA_new\fR\|(3), \fBERR_get_error\fR\|(3), \fBRAND_bytes\fR\|(3),
\&\fBDSA_free\fR\|(3), \fBBN_generate_prime\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBDSA_generate_parameters()\fR was deprecated in OpenSSL 0.9.8; use
\&\fBDSA_generate_parameters_ex()\fR instead.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DSA_get0_pqg.3 b/secure/lib/libcrypto/man/man3/DSA_get0_pqg.3
index 332fe0f3dd97..20e2852cc838 100644
--- a/secure/lib/libcrypto/man/man3/DSA_get0_pqg.3
+++ b/secure/lib/libcrypto/man/man3/DSA_get0_pqg.3
@@ -1,239 +1,239 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DSA_GET0_PQG 3"
-.TH DSA_GET0_PQG 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DSA_GET0_PQG 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DSA_get0_pqg, DSA_set0_pqg, DSA_get0_key, DSA_set0_key, DSA_get0_p, DSA_get0_q, DSA_get0_g, DSA_get0_pub_key, DSA_get0_priv_key, DSA_clear_flags, DSA_test_flags, DSA_set_flags, DSA_get0_engine \- Routines for getting and setting data in a DSA object
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dsa.h>
\&
\& void DSA_get0_pqg(const DSA *d,
\& const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
\& int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g);
\& void DSA_get0_key(const DSA *d,
\& const BIGNUM **pub_key, const BIGNUM **priv_key);
\& int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key);
\& const BIGNUM *DSA_get0_p(const DSA *d);
\& const BIGNUM *DSA_get0_q(const DSA *d);
\& const BIGNUM *DSA_get0_g(const DSA *d);
\& const BIGNUM *DSA_get0_pub_key(const DSA *d);
\& const BIGNUM *DSA_get0_priv_key(const DSA *d);
\& void DSA_clear_flags(DSA *d, int flags);
\& int DSA_test_flags(const DSA *d, int flags);
\& void DSA_set_flags(DSA *d, int flags);
\& ENGINE *DSA_get0_engine(DSA *d);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
A \s-1DSA\s0 object contains the parameters \fBp\fR, \fBq\fR and \fBg\fR. It also contains a
public key (\fBpub_key\fR) and (optionally) a private key (\fBpriv_key\fR).
.PP
The \fBp\fR, \fBq\fR and \fBg\fR parameters can be obtained by calling \fBDSA_get0_pqg()\fR.
If the parameters have not yet been set then \fB*p\fR, \fB*q\fR and \fB*g\fR will be set
to \s-1NULL.\s0 Otherwise they are set to pointers to their respective values. These
point directly to the internal representations of the values and therefore
should not be freed directly.
.PP
The \fBp\fR, \fBq\fR and \fBg\fR values can be set by calling \fBDSA_set0_pqg()\fR and passing
the new values for \fBp\fR, \fBq\fR and \fBg\fR as parameters to the function. Calling
this function transfers the memory management of the values to the \s-1DSA\s0 object,
and therefore the values that have been passed in should not be freed directly
after this function has been called.
.PP
To get the public and private key values use the \fBDSA_get0_key()\fR function. A
pointer to the public key will be stored in \fB*pub_key\fR, and a pointer to the
private key will be stored in \fB*priv_key\fR. Either may be \s-1NULL\s0 if they have not
been set yet, although if the private key has been set then the public key must
be. The values point to the internal representation of the public key and
private key values. This memory should not be freed directly.
.PP
The public and private key values can be set using \fBDSA_set0_key()\fR. The public
key must be non-NULL the first time this function is called on a given \s-1DSA\s0
object. The private key may be \s-1NULL.\s0 On subsequent calls, either may be \s-1NULL,\s0
which means the corresponding \s-1DSA\s0 field is left untouched. As for \fBDSA_set0_pqg()\fR
this function transfers the memory management of the key values to the \s-1DSA\s0
object, and therefore they should not be freed directly after this function has
been called.
.PP
Any of the values \fBp\fR, \fBq\fR, \fBg\fR, \fBpriv_key\fR, and \fBpub_key\fR can also be
retrieved separately by the corresponding function \fBDSA_get0_p()\fR, \fBDSA_get0_q()\fR,
\&\fBDSA_get0_g()\fR, \fBDSA_get0_priv_key()\fR, and \fBDSA_get0_pub_key()\fR, respectively.
.PP
\&\fBDSA_set_flags()\fR sets the flags in the \fBflags\fR parameter on the \s-1DSA\s0 object.
Multiple flags can be passed in one go (bitwise ORed together). Any flags that
are already set are left set. \fBDSA_test_flags()\fR tests to see whether the flags
passed in the \fBflags\fR parameter are currently set in the \s-1DSA\s0 object. Multiple
flags can be tested in one go. All flags that are currently set are returned, or
zero if none of the flags are set. \fBDSA_clear_flags()\fR clears the specified flags
within the \s-1DSA\s0 object.
.PP
\&\fBDSA_get0_engine()\fR returns a handle to the \s-1ENGINE\s0 that has been set for this \s-1DSA\s0
object, or \s-1NULL\s0 if no such \s-1ENGINE\s0 has been set.
.SH "NOTES"
.IX Header "NOTES"
Values retrieved with \fBDSA_get0_key()\fR are owned by the \s-1DSA\s0 object used
in the call and may therefore \fInot\fR be passed to \fBDSA_set0_key()\fR. If
needed, duplicate the received value using \fBBN_dup()\fR and pass the
duplicate. The same applies to \fBDSA_get0_pqg()\fR and \fBDSA_set0_pqg()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBDSA_set0_pqg()\fR and \fBDSA_set0_key()\fR return 1 on success or 0 on failure.
.PP
\&\fBDSA_test_flags()\fR returns the current state of the flags in the \s-1DSA\s0 object.
.PP
\&\fBDSA_get0_engine()\fR returns the \s-1ENGINE\s0 set for the \s-1DSA\s0 object or \s-1NULL\s0 if no \s-1ENGINE\s0
has been set.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDSA_new\fR\|(3), \fBDSA_new\fR\|(3), \fBDSA_generate_parameters\fR\|(3), \fBDSA_generate_key\fR\|(3),
\&\fBDSA_dup_DH\fR\|(3), \fBDSA_do_sign\fR\|(3), \fBDSA_set_method\fR\|(3), \fBDSA_SIG_new\fR\|(3),
\&\fBDSA_sign\fR\|(3), \fBDSA_size\fR\|(3), \fBDSA_meth_new\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The functions described here were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DSA_meth_new.3 b/secure/lib/libcrypto/man/man3/DSA_meth_new.3
index de7d98e1162d..bfc51a5650e4 100644
--- a/secure/lib/libcrypto/man/man3/DSA_meth_new.3
+++ b/secure/lib/libcrypto/man/man3/DSA_meth_new.3
@@ -1,342 +1,342 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DSA_METH_NEW 3"
-.TH DSA_METH_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DSA_METH_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DSA_meth_new, DSA_meth_free, DSA_meth_dup, DSA_meth_get0_name, DSA_meth_set1_name, DSA_meth_get_flags, DSA_meth_set_flags, DSA_meth_get0_app_data, DSA_meth_set0_app_data, DSA_meth_get_sign, DSA_meth_set_sign, DSA_meth_get_sign_setup, DSA_meth_set_sign_setup, DSA_meth_get_verify, DSA_meth_set_verify, DSA_meth_get_mod_exp, DSA_meth_set_mod_exp, DSA_meth_get_bn_mod_exp, DSA_meth_set_bn_mod_exp, DSA_meth_get_init, DSA_meth_set_init, DSA_meth_get_finish, DSA_meth_set_finish, DSA_meth_get_paramgen, DSA_meth_set_paramgen, DSA_meth_get_keygen, DSA_meth_set_keygen \- Routines to build up DSA methods
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dsa.h>
\&
\& DSA_METHOD *DSA_meth_new(const char *name, int flags);
\&
\& void DSA_meth_free(DSA_METHOD *dsam);
\&
\& DSA_METHOD *DSA_meth_dup(const DSA_METHOD *meth);
\&
\& const char *DSA_meth_get0_name(const DSA_METHOD *dsam);
\& int DSA_meth_set1_name(DSA_METHOD *dsam, const char *name);
\&
\& int DSA_meth_get_flags(const DSA_METHOD *dsam);
\& int DSA_meth_set_flags(DSA_METHOD *dsam, int flags);
\&
\& void *DSA_meth_get0_app_data(const DSA_METHOD *dsam);
\& int DSA_meth_set0_app_data(DSA_METHOD *dsam, void *app_data);
\&
\& DSA_SIG *(*DSA_meth_get_sign(const DSA_METHOD *dsam))(const unsigned char *,
\& int, DSA *);
\& int DSA_meth_set_sign(DSA_METHOD *dsam, DSA_SIG *(*sign)(const unsigned char *,
\& int, DSA *));
\&
\& int (*DSA_meth_get_sign_setup(const DSA_METHOD *dsam))(DSA *, BN_CTX *,$
\& BIGNUM **, BIGNUM **);
\& int DSA_meth_set_sign_setup(DSA_METHOD *dsam, int (*sign_setup)(DSA *, BN_CTX *,
\& BIGNUM **, BIGNUM **));
\&
\& int (*DSA_meth_get_verify(const DSA_METHOD *dsam))(const unsigned char *,
\& int, DSA_SIG *, DSA *);
\& int DSA_meth_set_verify(DSA_METHOD *dsam, int (*verify)(const unsigned char *,
\& int, DSA_SIG *, DSA *));
\&
\& int (*DSA_meth_get_mod_exp(const DSA_METHOD *dsam))(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
\& BIGNUM *p1, BIGNUM *a2, BIGNUM *p2,
\& BIGNUM *m, BN_CTX *ctx,
\& BN_MONT_CTX *in_mont);
\& int DSA_meth_set_mod_exp(DSA_METHOD *dsam, int (*mod_exp)(DSA *dsa, BIGNUM *rr,
\& BIGNUM *a1, BIGNUM *p1,
\& BIGNUM *a2, BIGNUM *p2,
\& BIGNUM *m, BN_CTX *ctx,
\& BN_MONT_CTX *mont));
\&
\& int (*DSA_meth_get_bn_mod_exp(const DSA_METHOD *dsam))(DSA *dsa, BIGNUM *r, BIGNUM *a,
\& const BIGNUM *p, const BIGNUM *m,
\& BN_CTX *ctx, BN_MONT_CTX *mont);
\& int DSA_meth_set_bn_mod_exp(DSA_METHOD *dsam, int (*bn_mod_exp)(DSA *dsa,
\& BIGNUM *r,
\& BIGNUM *a,
\& const BIGNUM *p,
\& const BIGNUM *m,
\& BN_CTX *ctx,
\& BN_MONT_CTX *mont));
\&
\& int (*DSA_meth_get_init(const DSA_METHOD *dsam))(DSA *);
\& int DSA_meth_set_init(DSA_METHOD *dsam, int (*init)(DSA *));
\&
\& int (*DSA_meth_get_finish(const DSA_METHOD *dsam))(DSA *);
\& int DSA_meth_set_finish(DSA_METHOD *dsam, int (*finish)(DSA *));
\&
\& int (*DSA_meth_get_paramgen(const DSA_METHOD *dsam))(DSA *, int,
\& const unsigned char *,
\& int, int *, unsigned long *,
\& BN_GENCB *);
\& int DSA_meth_set_paramgen(DSA_METHOD *dsam,
\& int (*paramgen)(DSA *, int, const unsigned char *,
\& int, int *, unsigned long *, BN_GENCB *));
\&
\& int (*DSA_meth_get_keygen(const DSA_METHOD *dsam))(DSA *);
\& int DSA_meth_set_keygen(DSA_METHOD *dsam, int (*keygen)(DSA *));
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fB\s-1DSA_METHOD\s0\fR type is a structure used for the provision of custom \s-1DSA\s0
implementations. It provides a set of functions used by OpenSSL for the
implementation of the various \s-1DSA\s0 capabilities. See the dsa page for more
information.
.PP
\&\fBDSA_meth_new()\fR creates a new \fB\s-1DSA_METHOD\s0\fR structure. It should be given a
unique \fBname\fR and a set of \fBflags\fR. The \fBname\fR should be a \s-1NULL\s0 terminated
string, which will be duplicated and stored in the \fB\s-1DSA_METHOD\s0\fR object. It is
the callers responsibility to free the original string. The flags will be used
during the construction of a new \fB\s-1DSA\s0\fR object based on this \fB\s-1DSA_METHOD\s0\fR. Any
new \fB\s-1DSA\s0\fR object will have those flags set by default.
.PP
\&\fBDSA_meth_dup()\fR creates a duplicate copy of the \fB\s-1DSA_METHOD\s0\fR object passed as a
parameter. This might be useful for creating a new \fB\s-1DSA_METHOD\s0\fR based on an
existing one, but with some differences.
.PP
\&\fBDSA_meth_free()\fR destroys a \fB\s-1DSA_METHOD\s0\fR structure and frees up any memory
associated with it.
.PP
\&\fBDSA_meth_get0_name()\fR will return a pointer to the name of this \s-1DSA_METHOD.\s0 This
is a pointer to the internal name string and so should not be freed by the
caller. \fBDSA_meth_set1_name()\fR sets the name of the \s-1DSA_METHOD\s0 to \fBname\fR. The
string is duplicated and the copy is stored in the \s-1DSA_METHOD\s0 structure, so the
caller remains responsible for freeing the memory associated with the name.
.PP
\&\fBDSA_meth_get_flags()\fR returns the current value of the flags associated with this
\&\s-1DSA_METHOD.\s0 \fBDSA_meth_set_flags()\fR provides the ability to set these flags.
.PP
The functions \fBDSA_meth_get0_app_data()\fR and \fBDSA_meth_set0_app_data()\fR provide the
ability to associate implementation specific data with the \s-1DSA_METHOD.\s0 It is
the application's responsibility to free this data before the \s-1DSA_METHOD\s0 is
freed via a call to \fBDSA_meth_free()\fR.
.PP
\&\fBDSA_meth_get_sign()\fR and \fBDSA_meth_set_sign()\fR get and set the function used for
creating a \s-1DSA\s0 signature respectively. This function will be
called in response to the application calling \fBDSA_do_sign()\fR (or \fBDSA_sign()\fR). The
parameters for the function have the same meaning as for \fBDSA_do_sign()\fR.
.PP
\&\fBDSA_meth_get_sign_setup()\fR and \fBDSA_meth_set_sign_setup()\fR get and set the function
used for precalculating the \s-1DSA\s0 signature values \fBk^\-1\fR and \fBr\fR. This function
will be called in response to the application calling \fBDSA_sign_setup()\fR. The
parameters for the function have the same meaning as for \fBDSA_sign_setup()\fR.
.PP
\&\fBDSA_meth_get_verify()\fR and \fBDSA_meth_set_verify()\fR get and set the function used
for verifying a \s-1DSA\s0 signature respectively. This function will be called in
response to the application calling \fBDSA_do_verify()\fR (or \fBDSA_verify()\fR). The
parameters for the function have the same meaning as for \fBDSA_do_verify()\fR.
.PP
\&\fBDSA_meth_get_mod_exp()\fR and \fBDSA_meth_set_mod_exp()\fR get and set the function used
for computing the following value:
.PP
.Vb 1
\& rr = a1^p1 * a2^p2 mod m
.Ve
.PP
This function will be called by the default OpenSSL method during verification
of a \s-1DSA\s0 signature. The result is stored in the \fBrr\fR parameter. This function
may be \s-1NULL.\s0
.PP
\&\fBDSA_meth_get_bn_mod_exp()\fR and \fBDSA_meth_set_bn_mod_exp()\fR get and set the function
used for computing the following value:
.PP
.Vb 1
\& r = a ^ p mod m
.Ve
.PP
This function will be called by the default OpenSSL function for
\&\fBDSA_sign_setup()\fR. The result is stored in the \fBr\fR parameter. This function
may be \s-1NULL.\s0
.PP
\&\fBDSA_meth_get_init()\fR and \fBDSA_meth_set_init()\fR get and set the function used
for creating a new \s-1DSA\s0 instance respectively. This function will be
called in response to the application calling \fBDSA_new()\fR (if the current default
\&\s-1DSA_METHOD\s0 is this one) or \fBDSA_new_method()\fR. The \fBDSA_new()\fR and \fBDSA_new_method()\fR
functions will allocate the memory for the new \s-1DSA\s0 object, and a pointer to this
newly allocated structure will be passed as a parameter to the function. This
function may be \s-1NULL.\s0
.PP
\&\fBDSA_meth_get_finish()\fR and \fBDSA_meth_set_finish()\fR get and set the function used
for destroying an instance of a \s-1DSA\s0 object respectively. This function will be
called in response to the application calling \fBDSA_free()\fR. A pointer to the \s-1DSA\s0
to be destroyed is passed as a parameter. The destroy function should be used
for \s-1DSA\s0 implementation specific clean up. The memory for the \s-1DSA\s0 itself should
not be freed by this function. This function may be \s-1NULL.\s0
.PP
\&\fBDSA_meth_get_paramgen()\fR and \fBDSA_meth_set_paramgen()\fR get and set the function
used for generating \s-1DSA\s0 parameters respectively. This function will be called in
response to the application calling \fBDSA_generate_parameters_ex()\fR (or
\&\fBDSA_generate_parameters()\fR). The parameters for the function have the same
meaning as for \fBDSA_generate_parameters_ex()\fR.
.PP
\&\fBDSA_meth_get_keygen()\fR and \fBDSA_meth_set_keygen()\fR get and set the function
used for generating a new \s-1DSA\s0 key pair respectively. This function will be
called in response to the application calling \fBDSA_generate_key()\fR. The parameter
for the function has the same meaning as for \fBDSA_generate_key()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBDSA_meth_new()\fR and \fBDSA_meth_dup()\fR return the newly allocated \s-1DSA_METHOD\s0 object
or \s-1NULL\s0 on failure.
.PP
\&\fBDSA_meth_get0_name()\fR and \fBDSA_meth_get_flags()\fR return the name and flags
associated with the \s-1DSA_METHOD\s0 respectively.
.PP
All other DSA_meth_get_*() functions return the appropriate function pointer
that has been set in the \s-1DSA_METHOD,\s0 or \s-1NULL\s0 if no such pointer has yet been
set.
.PP
\&\fBDSA_meth_set1_name()\fR and all DSA_meth_set_*() functions return 1 on success or
0 on failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDSA_new\fR\|(3), \fBDSA_new\fR\|(3), \fBDSA_generate_parameters\fR\|(3), \fBDSA_generate_key\fR\|(3),
\&\fBDSA_dup_DH\fR\|(3), \fBDSA_do_sign\fR\|(3), \fBDSA_set_method\fR\|(3), \fBDSA_SIG_new\fR\|(3),
\&\fBDSA_sign\fR\|(3), \fBDSA_size\fR\|(3), \fBDSA_get0_pqg\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The functions described here were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DSA_new.3 b/secure/lib/libcrypto/man/man3/DSA_new.3
index 1fbdb72fbe2f..46d44512b415 100644
--- a/secure/lib/libcrypto/man/man3/DSA_new.3
+++ b/secure/lib/libcrypto/man/man3/DSA_new.3
@@ -1,180 +1,180 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DSA_NEW 3"
-.TH DSA_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DSA_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DSA_new, DSA_free \- allocate and free DSA objects
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dsa.h>
\&
\& DSA* DSA_new(void);
\&
\& void DSA_free(DSA *dsa);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBDSA_new()\fR allocates and initializes a \fB\s-1DSA\s0\fR structure. It is equivalent to
calling DSA_new_method(\s-1NULL\s0).
.PP
\&\fBDSA_free()\fR frees the \fB\s-1DSA\s0\fR structure and its components. The values are
erased before the memory is returned to the system.
If \fBdsa\fR is \s-1NULL\s0 nothing is done.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
If the allocation fails, \fBDSA_new()\fR returns \fB\s-1NULL\s0\fR and sets an error
code that can be obtained by
\&\fBERR_get_error\fR\|(3). Otherwise it returns a pointer
to the newly allocated structure.
.PP
\&\fBDSA_free()\fR returns no value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDSA_new\fR\|(3), \fBERR_get_error\fR\|(3),
\&\fBDSA_generate_parameters\fR\|(3),
\&\fBDSA_generate_key\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DSA_set_method.3 b/secure/lib/libcrypto/man/man3/DSA_set_method.3
index 61dada570e54..c755b2cdf24e 100644
--- a/secure/lib/libcrypto/man/man3/DSA_set_method.3
+++ b/secure/lib/libcrypto/man/man3/DSA_set_method.3
@@ -1,219 +1,219 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DSA_SET_METHOD 3"
-.TH DSA_SET_METHOD 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DSA_SET_METHOD 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DSA_set_default_method, DSA_get_default_method, DSA_set_method, DSA_new_method, DSA_OpenSSL \- select DSA method
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dsa.h>
\&
\& void DSA_set_default_method(const DSA_METHOD *meth);
\&
\& const DSA_METHOD *DSA_get_default_method(void);
\&
\& int DSA_set_method(DSA *dsa, const DSA_METHOD *meth);
\&
\& DSA *DSA_new_method(ENGINE *engine);
\&
\& DSA_METHOD *DSA_OpenSSL(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
A \fB\s-1DSA_METHOD\s0\fR specifies the functions that OpenSSL uses for \s-1DSA\s0
operations. By modifying the method, alternative implementations
such as hardware accelerators may be used. \s-1IMPORTANT:\s0 See the \s-1NOTES\s0 section for
important information about how these \s-1DSA API\s0 functions are affected by the use
of \fB\s-1ENGINE\s0\fR \s-1API\s0 calls.
.PP
Initially, the default \s-1DSA_METHOD\s0 is the OpenSSL internal implementation,
as returned by \fBDSA_OpenSSL()\fR.
.PP
\&\fBDSA_set_default_method()\fR makes \fBmeth\fR the default method for all \s-1DSA\s0
structures created later.
\&\fB\s-1NB\s0\fR: This is true only whilst no \s-1ENGINE\s0 has
been set as a default for \s-1DSA,\s0 so this function is no longer recommended.
This function is not thread-safe and should not be called at the same time
as other OpenSSL functions.
.PP
\&\fBDSA_get_default_method()\fR returns a pointer to the current default
\&\s-1DSA_METHOD.\s0 However, the meaningfulness of this result is dependent on
whether the \s-1ENGINE API\s0 is being used, so this function is no longer
recommended.
.PP
\&\fBDSA_set_method()\fR selects \fBmeth\fR to perform all operations using the key
\&\fBrsa\fR. This will replace the \s-1DSA_METHOD\s0 used by the \s-1DSA\s0 key and if the
previous method was supplied by an \s-1ENGINE,\s0 the handle to that \s-1ENGINE\s0 will
be released during the change. It is possible to have \s-1DSA\s0 keys that only
work with certain \s-1DSA_METHOD\s0 implementations (e.g. from an \s-1ENGINE\s0 module
that supports embedded hardware-protected keys), and in such cases
attempting to change the \s-1DSA_METHOD\s0 for the key can have unexpected
results. See DSA_meth_new for information on constructing custom \s-1DSA_METHOD\s0
objects;
.PP
\&\fBDSA_new_method()\fR allocates and initializes a \s-1DSA\s0 structure so that \fBengine\fR
will be used for the \s-1DSA\s0 operations. If \fBengine\fR is \s-1NULL,\s0 the default engine
for \s-1DSA\s0 operations is used, and if no default \s-1ENGINE\s0 is set, the \s-1DSA_METHOD\s0
controlled by \fBDSA_set_default_method()\fR is used.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBDSA_OpenSSL()\fR and \fBDSA_get_default_method()\fR return pointers to the respective
\&\fB\s-1DSA_METHOD\s0\fRs.
.PP
\&\fBDSA_set_default_method()\fR returns no value.
.PP
\&\fBDSA_set_method()\fR returns nonzero if the provided \fBmeth\fR was successfully set as
the method for \fBdsa\fR (including unloading the \s-1ENGINE\s0 handle if the previous
method was supplied by an \s-1ENGINE\s0).
.PP
\&\fBDSA_new_method()\fR returns \s-1NULL\s0 and sets an error code that can be
obtained by \fBERR_get_error\fR\|(3) if the allocation
fails. Otherwise it returns a pointer to the newly allocated structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDSA_new\fR\|(3), \fBDSA_new\fR\|(3), \fBDSA_meth_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DSA_sign.3 b/secure/lib/libcrypto/man/man3/DSA_sign.3
index fa6675537f7d..b83ab130f114 100644
--- a/secure/lib/libcrypto/man/man3/DSA_sign.3
+++ b/secure/lib/libcrypto/man/man3/DSA_sign.3
@@ -1,202 +1,202 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DSA_SIGN 3"
-.TH DSA_SIGN 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DSA_SIGN 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DSA_sign, DSA_sign_setup, DSA_verify \- DSA signatures
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dsa.h>
\&
\& int DSA_sign(int type, const unsigned char *dgst, int len,
\& unsigned char *sigret, unsigned int *siglen, DSA *dsa);
\&
\& int DSA_sign_setup(DSA *dsa, BN_CTX *ctx, BIGNUM **kinvp, BIGNUM **rp);
\&
\& int DSA_verify(int type, const unsigned char *dgst, int len,
\& unsigned char *sigbuf, int siglen, DSA *dsa);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBDSA_sign()\fR computes a digital signature on the \fBlen\fR byte message
digest \fBdgst\fR using the private key \fBdsa\fR and places its \s-1ASN.1 DER\s0
encoding at \fBsigret\fR. The length of the signature is places in
*\fBsiglen\fR. \fBsigret\fR must point to DSA_size(\fBdsa\fR) bytes of memory.
.PP
\&\fBDSA_sign_setup()\fR is defined only for backward binary compatibility and
should not be used.
Since OpenSSL 1.1.0 the \s-1DSA\s0 type is opaque and the output of
\&\fBDSA_sign_setup()\fR cannot be used anyway: calling this function will only
cause overhead, and does not affect the actual signature
(pre\-)computation.
.PP
\&\fBDSA_verify()\fR verifies that the signature \fBsigbuf\fR of size \fBsiglen\fR
matches a given message digest \fBdgst\fR of size \fBlen\fR.
\&\fBdsa\fR is the signer's public key.
.PP
The \fBtype\fR parameter is ignored.
.PP
The random generator must be seeded when \fBDSA_sign()\fR (or \fBDSA_sign_setup()\fR)
is called.
If the automatic seeding or reseeding of the OpenSSL \s-1CSPRNG\s0 fails due to
external circumstances (see \s-1\fBRAND\s0\fR\|(7)), the operation will fail.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBDSA_sign()\fR and \fBDSA_sign_setup()\fR return 1 on success, 0 on error.
\&\fBDSA_verify()\fR returns 1 for a valid signature, 0 for an incorrect
signature and \-1 on error. The error codes can be obtained by
\&\fBERR_get_error\fR\|(3).
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
\&\s-1US\s0 Federal Information Processing Standard \s-1FIPS 186\s0 (Digital Signature
Standard, \s-1DSS\s0), \s-1ANSI X9.30\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDSA_new\fR\|(3), \fBERR_get_error\fR\|(3), \fBRAND_bytes\fR\|(3),
\&\fBDSA_do_sign\fR\|(3),
\&\s-1\fBRAND\s0\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DSA_size.3 b/secure/lib/libcrypto/man/man3/DSA_size.3
index f024e8712832..cfb173524dd4 100644
--- a/secure/lib/libcrypto/man/man3/DSA_size.3
+++ b/secure/lib/libcrypto/man/man3/DSA_size.3
@@ -1,180 +1,180 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DSA_SIZE 3"
-.TH DSA_SIZE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DSA_SIZE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DSA_size, DSA_bits, DSA_security_bits \- get DSA signature size, key bits or security bits
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dsa.h>
\&
\& int DSA_size(const DSA *dsa);
\& int DSA_bits(const DSA *dsa);
\& int DSA_security_bits(const DSA *dsa);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBDSA_size()\fR returns the maximum size of an \s-1ASN.1\s0 encoded \s-1DSA\s0 signature
for key \fBdsa\fR in bytes. It can be used to determine how much memory must
be allocated for a \s-1DSA\s0 signature.
.PP
\&\fBdsa\->q\fR must not be \fB\s-1NULL\s0\fR.
.PP
\&\fBDSA_bits()\fR returns the number of bits in key \fBdsa\fR: this is the number
of bits in the \fBp\fR parameter.
.PP
\&\fBDSA_security_bits()\fR returns the number of security bits of the given \fBdsa\fR
key. See \fBBN_security_bits\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBDSA_size()\fR returns the signature size in bytes.
.PP
\&\fBDSA_bits()\fR returns the number of bits in the key.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBDSA_new\fR\|(3), \fBDSA_sign\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DTLS_get_data_mtu.3 b/secure/lib/libcrypto/man/man3/DTLS_get_data_mtu.3
index e2ba7d8406f8..a9a1cbfa61ac 100644
--- a/secure/lib/libcrypto/man/man3/DTLS_get_data_mtu.3
+++ b/secure/lib/libcrypto/man/man3/DTLS_get_data_mtu.3
@@ -1,168 +1,168 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DTLS_GET_DATA_MTU 3"
-.TH DTLS_GET_DATA_MTU 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DTLS_GET_DATA_MTU 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DTLS_get_data_mtu \- Get maximum data payload size
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& size_t DTLS_get_data_mtu(const SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This function obtains the maximum data payload size for the established
\&\s-1DTLS\s0 connection \fBssl\fR, based on the \s-1DTLS\s0 record \s-1MTU\s0 and the overhead
of the \s-1DTLS\s0 record header, encryption and authentication currently in use.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Returns the maximum data payload size on success, or 0 on failure.
.SH "HISTORY"
.IX Header "HISTORY"
The \fBDTLS_get_data_mtu()\fR function was added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DTLS_set_timer_cb.3 b/secure/lib/libcrypto/man/man3/DTLS_set_timer_cb.3
index c4e176087bcd..a2add319e9e1 100644
--- a/secure/lib/libcrypto/man/man3/DTLS_set_timer_cb.3
+++ b/secure/lib/libcrypto/man/man3/DTLS_set_timer_cb.3
@@ -1,170 +1,170 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DTLS_SET_TIMER_CB 3"
-.TH DTLS_SET_TIMER_CB 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DTLS_SET_TIMER_CB 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DTLS_timer_cb, DTLS_set_timer_cb \&\- Set callback for controlling DTLS timer duration
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& typedef unsigned int (*DTLS_timer_cb)(SSL *s, unsigned int timer_us);
\&
\& void DTLS_set_timer_cb(SSL *s, DTLS_timer_cb cb);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This function sets an optional callback function for controlling the
timeout interval on the \s-1DTLS\s0 protocol. The callback function will be
called by \s-1DTLS\s0 for every new \s-1DTLS\s0 packet that is sent.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Returns void.
.SH "HISTORY"
.IX Header "HISTORY"
The \fBDTLS_set_timer_cb()\fR function was added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/DTLSv1_listen.3 b/secure/lib/libcrypto/man/man3/DTLSv1_listen.3
index 7a0f0e2f33b8..116d622a7073 100644
--- a/secure/lib/libcrypto/man/man3/DTLSv1_listen.3
+++ b/secure/lib/libcrypto/man/man3/DTLSv1_listen.3
@@ -1,264 +1,264 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DTLSV1_LISTEN 3"
-.TH DTLSV1_LISTEN 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DTLSV1_LISTEN 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_stateless, DTLSv1_listen \&\- Statelessly listen for incoming connections
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_stateless(SSL *s);
\& int DTLSv1_listen(SSL *ssl, BIO_ADDR *peer);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_stateless()\fR statelessly listens for new incoming TLSv1.3 connections.
\&\fBDTLSv1_listen()\fR statelessly listens for new incoming \s-1DTLS\s0 connections. If a
ClientHello is received that does not contain a cookie, then they respond with a
request for a new ClientHello that does contain a cookie. If a ClientHello is
received with a cookie that is verified then the function returns in order to
enable the handshake to be completed (for example by using \fBSSL_accept()\fR).
.SH "NOTES"
.IX Header "NOTES"
Some transport protocols (such as \s-1UDP\s0) can be susceptible to amplification
attacks. Unlike \s-1TCP\s0 there is no initial connection setup in \s-1UDP\s0 that
validates that the client can actually receive messages on its advertised source
address. An attacker could forge its source \s-1IP\s0 address and then send handshake
initiation messages to the server. The server would then send its response to
the forged source \s-1IP.\s0 If the response messages are larger than the original
message then the amplification attack has succeeded.
.PP
If \s-1DTLS\s0 is used over \s-1UDP\s0 (or any datagram based protocol that does not validate
the source \s-1IP\s0) then it is susceptible to this type of attack. TLSv1.3 is
designed to operate over a stream-based transport protocol (such as \s-1TCP\s0).
If \s-1TCP\s0 is being used then there is no need to use \fBSSL_stateless()\fR. However, some
stream-based transport protocols (e.g. \s-1QUIC\s0) may not validate the source
address. In this case a TLSv1.3 application would be susceptible to this attack.
.PP
As a countermeasure to this issue TLSv1.3 and \s-1DTLS\s0 include a stateless cookie
mechanism. The idea is that when a client attempts to connect to a server it
sends a ClientHello message. The server responds with a HelloRetryRequest (in
TLSv1.3) or a HelloVerifyRequest (in \s-1DTLS\s0) which contains a unique cookie. The
client then resends the ClientHello, but this time includes the cookie in the
message thus proving that the client is capable of receiving messages sent to
that address. All of this can be done by the server without allocating any
state, and thus without consuming expensive resources.
.PP
OpenSSL implements this capability via the \fBSSL_stateless()\fR and \fBDTLSv1_listen()\fR
functions. The \fBssl\fR parameter should be a newly allocated \s-1SSL\s0 object with its
read and write BIOs set, in the same way as might be done for a call to
\&\fBSSL_accept()\fR. Typically, for \s-1DTLS,\s0 the read \s-1BIO\s0 will be in an \*(L"unconnected\*(R"
state and thus capable of receiving messages from any peer.
.PP
When a ClientHello is received that contains a cookie that has been verified,
then these functions will return with the \fBssl\fR parameter updated into a state
where the handshake can be continued by a call to (for example) \fBSSL_accept()\fR.
Additionally, for \fBDTLSv1_listen()\fR, the \fB\s-1BIO_ADDR\s0\fR pointed to by \fBpeer\fR will be
filled in with details of the peer that sent the ClientHello. If the underlying
\&\s-1BIO\s0 is unable to obtain the \fB\s-1BIO_ADDR\s0\fR of the peer (for example because the \s-1BIO\s0
does not support this), then \fB*peer\fR will be cleared and the family set to
\&\s-1AF_UNSPEC.\s0 Typically user code is expected to \*(L"connect\*(R" the underlying socket to
the peer and continue the handshake in a connected state.
.PP
Prior to calling \fBDTLSv1_listen()\fR user code must ensure that cookie generation
and verification callbacks have been set up using
\&\fBSSL_CTX_set_cookie_generate_cb\fR\|(3) and \fBSSL_CTX_set_cookie_verify_cb\fR\|(3)
respectively. For \fBSSL_stateless()\fR, \fBSSL_CTX_set_stateless_cookie_generate_cb\fR\|(3)
and \fBSSL_CTX_set_stateless_cookie_verify_cb\fR\|(3) must be used instead.
.PP
Since \fBDTLSv1_listen()\fR operates entirely statelessly whilst processing incoming
ClientHellos it is unable to process fragmented messages (since this would
require the allocation of state). An implication of this is that \fBDTLSv1_listen()\fR
\&\fBonly\fR supports ClientHellos that fit inside a single datagram.
.PP
For \fBSSL_stateless()\fR if an entire ClientHello message cannot be read without the
\&\*(L"read\*(R" \s-1BIO\s0 becoming empty then the \fBSSL_stateless()\fR call will fail. It is the
application's responsibility to ensure that data read from the \*(L"read\*(R" \s-1BIO\s0 during
a single \fBSSL_stateless()\fR call is all from the same peer.
.PP
\&\fBSSL_stateless()\fR will fail (with a 0 return value) if some \s-1TLS\s0 version less than
TLSv1.3 is used.
.PP
Both \fBSSL_stateless()\fR and \fBDTLSv1_listen()\fR will clear the error queue when they
start.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
For \fBSSL_stateless()\fR a return value of 1 indicates success and the \fBssl\fR object
will be set up ready to continue the handshake. A return value of 0 or \-1
indicates failure. If the value is 0 then a HelloRetryRequest was sent. A value
of \-1 indicates any other error. User code may retry the \fBSSL_stateless()\fR call.
.PP
For \fBDTLSv1_listen()\fR a return value of >= 1 indicates success. The \fBssl\fR object
will be set up ready to continue the handshake. the \fBpeer\fR value will also be
filled in.
.PP
A return value of 0 indicates a non-fatal error. This could (for
example) be because of nonblocking \s-1IO,\s0 or some invalid message having been
received from a peer. Errors may be placed on the OpenSSL error queue with
further information if appropriate. Typically user code is expected to retry the
call to \fBDTLSv1_listen()\fR in the event of a non-fatal error.
.PP
A return value of <0 indicates a fatal error. This could (for example) be
because of a failure to allocate sufficient memory for the operation.
.PP
For \fBDTLSv1_listen()\fR, prior to OpenSSL 1.1.0, fatal and non-fatal errors both
produce return codes <= 0 (in typical implementations user code treats all
errors as non-fatal), whilst return codes >0 indicate success.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_CTX_set_cookie_generate_cb\fR\|(3), \fBSSL_CTX_set_cookie_verify_cb\fR\|(3),
\&\fBSSL_CTX_set_stateless_cookie_generate_cb\fR\|(3),
\&\fBSSL_CTX_set_stateless_cookie_verify_cb\fR\|(3), \fBSSL_get_error\fR\|(3),
\&\fBSSL_accept\fR\|(3), \fBssl\fR\|(7), \fBbio\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_stateless()\fR function was added in OpenSSL 1.1.1.
.PP
The \fBDTLSv1_listen()\fR return codes were clarified in OpenSSL 1.1.0.
The type of \*(L"peer\*(R" also changed in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ECDSA_SIG_new.3 b/secure/lib/libcrypto/man/man3/ECDSA_SIG_new.3
index cffed36c5917..5c71afe8dbc1 100644
--- a/secure/lib/libcrypto/man/man3/ECDSA_SIG_new.3
+++ b/secure/lib/libcrypto/man/man3/ECDSA_SIG_new.3
@@ -1,347 +1,347 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ECDSA_SIG_NEW 3"
-.TH ECDSA_SIG_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ECDSA_SIG_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ECDSA_SIG_get0, ECDSA_SIG_get0_r, ECDSA_SIG_get0_s, ECDSA_SIG_set0, ECDSA_SIG_new, ECDSA_SIG_free, ECDSA_size, ECDSA_sign, ECDSA_do_sign, ECDSA_verify, ECDSA_do_verify, ECDSA_sign_setup, ECDSA_sign_ex, ECDSA_do_sign_ex \- low\-level elliptic curve digital signature algorithm (ECDSA) functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ecdsa.h>
\&
\& ECDSA_SIG *ECDSA_SIG_new(void);
\& void ECDSA_SIG_free(ECDSA_SIG *sig);
\& void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
\& const BIGNUM *ECDSA_SIG_get0_r(const ECDSA_SIG *sig);
\& const BIGNUM *ECDSA_SIG_get0_s(const ECDSA_SIG *sig);
\& int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
\& int ECDSA_size(const EC_KEY *eckey);
\&
\& int ECDSA_sign(int type, const unsigned char *dgst, int dgstlen,
\& unsigned char *sig, unsigned int *siglen, EC_KEY *eckey);
\& ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst, int dgst_len,
\& EC_KEY *eckey);
\&
\& int ECDSA_verify(int type, const unsigned char *dgst, int dgstlen,
\& const unsigned char *sig, int siglen, EC_KEY *eckey);
\& int ECDSA_do_verify(const unsigned char *dgst, int dgst_len,
\& const ECDSA_SIG *sig, EC_KEY* eckey);
\&
\& ECDSA_SIG *ECDSA_do_sign_ex(const unsigned char *dgst, int dgstlen,
\& const BIGNUM *kinv, const BIGNUM *rp,
\& EC_KEY *eckey);
\& int ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinv, BIGNUM **rp);
\& int ECDSA_sign_ex(int type, const unsigned char *dgst, int dgstlen,
\& unsigned char *sig, unsigned int *siglen,
\& const BIGNUM *kinv, const BIGNUM *rp, EC_KEY *eckey);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Note: these functions provide a low-level interface to \s-1ECDSA.\s0 Most
applications should use the higher level \fB\s-1EVP\s0\fR interface such as
\&\fBEVP_DigestSignInit\fR\|(3) or \fBEVP_DigestVerifyInit\fR\|(3) instead.
.PP
\&\fB\s-1ECDSA_SIG\s0\fR is an opaque structure consisting of two BIGNUMs for the
\&\fBr\fR and \fBs\fR value of an \s-1ECDSA\s0 signature (see X9.62 or \s-1FIPS 186\-2\s0).
.PP
\&\fBECDSA_SIG_new()\fR allocates an empty \fB\s-1ECDSA_SIG\s0\fR structure. Note: before
OpenSSL 1.1.0 the: the \fBr\fR and \fBs\fR components were initialised.
.PP
\&\fBECDSA_SIG_free()\fR frees the \fB\s-1ECDSA_SIG\s0\fR structure \fBsig\fR.
.PP
\&\fBECDSA_SIG_get0()\fR returns internal pointers the \fBr\fR and \fBs\fR values contained
in \fBsig\fR and stores them in \fB*pr\fR and \fB*ps\fR, respectively.
The pointer \fBpr\fR or \fBps\fR can be \s-1NULL,\s0 in which case the corresponding value
is not returned.
.PP
The values \fBr\fR, \fBs\fR can also be retrieved separately by the corresponding
function \fBECDSA_SIG_get0_r()\fR and \fBECDSA_SIG_get0_s()\fR, respectively.
.PP
The \fBr\fR and \fBs\fR values can be set by calling \fBECDSA_SIG_set0()\fR and passing the
new values for \fBr\fR and \fBs\fR as parameters to the function. Calling this
function transfers the memory management of the values to the \s-1ECDSA_SIG\s0 object,
and therefore the values that have been passed in should not be freed directly
after this function has been called.
.PP
See \fBi2d_ECDSA_SIG\fR\|(3) and \fBd2i_ECDSA_SIG\fR\|(3) for information about encoding
and decoding \s-1ECDSA\s0 signatures to/from \s-1DER.\s0
.PP
\&\fBECDSA_size()\fR returns the maximum length of a \s-1DER\s0 encoded \s-1ECDSA\s0 signature
created with the private \s-1EC\s0 key \fBeckey\fR.
.PP
\&\fBECDSA_sign()\fR computes a digital signature of the \fBdgstlen\fR bytes hash value
\&\fBdgst\fR using the private \s-1EC\s0 key \fBeckey\fR. The \s-1DER\s0 encoded signatures is
stored in \fBsig\fR and its length is returned in \fBsig_len\fR. Note: \fBsig\fR must
point to ECDSA_size(eckey) bytes of memory. The parameter \fBtype\fR is currently
ignored. \fBECDSA_sign()\fR is wrapper function for \fBECDSA_sign_ex()\fR with \fBkinv\fR
and \fBrp\fR set to \s-1NULL.\s0
.PP
\&\fBECDSA_do_sign()\fR is similar to \fBECDSA_sign()\fR except the signature is returned
as a newly allocated \fB\s-1ECDSA_SIG\s0\fR structure (or \s-1NULL\s0 on error). \fBECDSA_do_sign()\fR
is a wrapper function for \fBECDSA_do_sign_ex()\fR with \fBkinv\fR and \fBrp\fR set to
\&\s-1NULL.\s0
.PP
\&\fBECDSA_verify()\fR verifies that the signature in \fBsig\fR of size \fBsiglen\fR is a
valid \s-1ECDSA\s0 signature of the hash value \fBdgst\fR of size \fBdgstlen\fR using the
public key \fBeckey\fR. The parameter \fBtype\fR is ignored.
.PP
\&\fBECDSA_do_verify()\fR is similar to \fBECDSA_verify()\fR except the signature is
presented in the form of a pointer to an \fB\s-1ECDSA_SIG\s0\fR structure.
.PP
The remaining functions utilise the internal \fBkinv\fR and \fBr\fR values used
during signature computation. Most applications will never need to call these
and some external \s-1ECDSA ENGINE\s0 implementations may not support them at all if
either \fBkinv\fR or \fBr\fR is not \fB\s-1NULL\s0\fR.
.PP
\&\fBECDSA_sign_setup()\fR may be used to precompute parts of the signing operation.
\&\fBeckey\fR is the private \s-1EC\s0 key and \fBctx\fR is a pointer to \fB\s-1BN_CTX\s0\fR structure
(or \s-1NULL\s0). The precomputed values or returned in \fBkinv\fR and \fBrp\fR and can be
used in a later call to \fBECDSA_sign_ex()\fR or \fBECDSA_do_sign_ex()\fR.
.PP
\&\fBECDSA_sign_ex()\fR computes a digital signature of the \fBdgstlen\fR bytes hash value
\&\fBdgst\fR using the private \s-1EC\s0 key \fBeckey\fR and the optional pre-computed values
\&\fBkinv\fR and \fBrp\fR. The \s-1DER\s0 encoded signature is stored in \fBsig\fR and its
length is returned in \fBsig_len\fR. Note: \fBsig\fR must point to ECDSA_size(eckey)
bytes of memory. The parameter \fBtype\fR is ignored.
.PP
\&\fBECDSA_do_sign_ex()\fR is similar to \fBECDSA_sign_ex()\fR except the signature is
returned as a newly allocated \fB\s-1ECDSA_SIG\s0\fR structure (or \s-1NULL\s0 on error).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBECDSA_SIG_new()\fR returns \s-1NULL\s0 if the allocation fails.
.PP
\&\fBECDSA_SIG_set0()\fR returns 1 on success or 0 on failure.
.PP
\&\fBECDSA_SIG_get0_r()\fR and \fBECDSA_SIG_get0_s()\fR return the corresponding value,
or \s-1NULL\s0 if it is unset.
.PP
\&\fBECDSA_size()\fR returns the maximum length signature or 0 on error.
.PP
\&\fBECDSA_sign()\fR, \fBECDSA_sign_ex()\fR and \fBECDSA_sign_setup()\fR return 1 if successful
or 0 on error.
.PP
\&\fBECDSA_do_sign()\fR and \fBECDSA_do_sign_ex()\fR return a pointer to an allocated
\&\fB\s-1ECDSA_SIG\s0\fR structure or \s-1NULL\s0 on error.
.PP
\&\fBECDSA_verify()\fR and \fBECDSA_do_verify()\fR return 1 for a valid
signature, 0 for an invalid signature and \-1 on error.
The error codes can be obtained by \fBERR_get_error\fR\|(3).
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Creating an \s-1ECDSA\s0 signature of a given \s-1SHA\-256\s0 hash value using the
named curve prime256v1 (aka P\-256).
.PP
First step: create an \s-1EC_KEY\s0 object (note: this part is \fBnot\fR \s-1ECDSA\s0
specific)
.PP
.Vb 3
\& int ret;
\& ECDSA_SIG *sig;
\& EC_KEY *eckey;
\&
\& eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
\& if (eckey == NULL)
\& /* error */
\& if (EC_KEY_generate_key(eckey) == 0)
\& /* error */
.Ve
.PP
Second step: compute the \s-1ECDSA\s0 signature of a \s-1SHA\-256\s0 hash value
using \fBECDSA_do_sign()\fR:
.PP
.Vb 3
\& sig = ECDSA_do_sign(digest, 32, eckey);
\& if (sig == NULL)
\& /* error */
.Ve
.PP
or using \fBECDSA_sign()\fR:
.PP
.Vb 2
\& unsigned char *buffer, *pp;
\& int buf_len;
\&
\& buf_len = ECDSA_size(eckey);
\& buffer = OPENSSL_malloc(buf_len);
\& pp = buffer;
\& if (ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey) == 0)
\& /* error */
.Ve
.PP
Third step: verify the created \s-1ECDSA\s0 signature using \fBECDSA_do_verify()\fR:
.PP
.Vb 1
\& ret = ECDSA_do_verify(digest, 32, sig, eckey);
.Ve
.PP
or using \fBECDSA_verify()\fR:
.PP
.Vb 1
\& ret = ECDSA_verify(0, digest, 32, buffer, buf_len, eckey);
.Ve
.PP
and finally evaluate the return value:
.PP
.Vb 6
\& if (ret == 1)
\& /* signature ok */
\& else if (ret == 0)
\& /* incorrect signature */
\& else
\& /* error */
.Ve
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
\&\s-1ANSI X9.62, US\s0 Federal Information Processing Standard \s-1FIPS 186\-2\s0
(Digital Signature Standard, \s-1DSS\s0)
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEC_KEY_new\fR\|(3),
\&\fBEVP_DigestSignInit\fR\|(3),
\&\fBEVP_DigestVerifyInit\fR\|(3),
\&\fBi2d_ECDSA_SIG\fR\|(3),
\&\fBd2i_ECDSA_SIG\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2004\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ECPKParameters_print.3 b/secure/lib/libcrypto/man/man3/ECPKParameters_print.3
index 8325a4659ce7..04a6c1bcf121 100644
--- a/secure/lib/libcrypto/man/man3/ECPKParameters_print.3
+++ b/secure/lib/libcrypto/man/man3/ECPKParameters_print.3
@@ -1,175 +1,175 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ECPKPARAMETERS_PRINT 3"
-.TH ECPKPARAMETERS_PRINT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ECPKPARAMETERS_PRINT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ECPKParameters_print, ECPKParameters_print_fp \- Functions for decoding and encoding ASN1 representations of elliptic curve entities
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ec.h>
\&
\& int ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off);
\& int ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The ECPKParameters represent the public parameters for an
\&\fB\s-1EC_GROUP\s0\fR structure, which represents a curve.
.PP
The \fBECPKParameters_print()\fR and \fBECPKParameters_print_fp()\fR functions print
a human-readable output of the public parameters of the \s-1EC_GROUP\s0 to \fBbp\fR
or \fBfp\fR. The output lines are indented by \fBoff\fR spaces.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBECPKParameters_print()\fR and \fBECPKParameters_print_fp()\fR
return 1 for success and 0 if an error occurs.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7), \fBEC_GROUP_new\fR\|(3), \fBEC_GROUP_copy\fR\|(3),
\&\fBEC_POINT_new\fR\|(3), \fBEC_POINT_add\fR\|(3), \fBEC_KEY_new\fR\|(3),
\&\fBEC_GFp_simple_method\fR\|(3),
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2013\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EC_GFp_simple_method.3 b/secure/lib/libcrypto/man/man3/EC_GFp_simple_method.3
index 956f050a3063..834c19c2bbe3 100644
--- a/secure/lib/libcrypto/man/man3/EC_GFp_simple_method.3
+++ b/secure/lib/libcrypto/man/man3/EC_GFp_simple_method.3
@@ -1,201 +1,201 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EC_GFP_SIMPLE_METHOD 3"
-.TH EC_GFP_SIMPLE_METHOD 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EC_GFP_SIMPLE_METHOD 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EC_GFp_simple_method, EC_GFp_mont_method, EC_GFp_nist_method, EC_GFp_nistp224_method, EC_GFp_nistp256_method, EC_GFp_nistp521_method, EC_GF2m_simple_method, EC_METHOD_get_field_type \- Functions for obtaining EC_METHOD objects
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ec.h>
\&
\& const EC_METHOD *EC_GFp_simple_method(void);
\& const EC_METHOD *EC_GFp_mont_method(void);
\& const EC_METHOD *EC_GFp_nist_method(void);
\& const EC_METHOD *EC_GFp_nistp224_method(void);
\& const EC_METHOD *EC_GFp_nistp256_method(void);
\& const EC_METHOD *EC_GFp_nistp521_method(void);
\&
\& const EC_METHOD *EC_GF2m_simple_method(void);
\&
\& int EC_METHOD_get_field_type(const EC_METHOD *meth);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The Elliptic Curve library provides a number of different implementations through a single common interface.
When constructing a curve using EC_GROUP_new (see \fBEC_GROUP_new\fR\|(3)) an
implementation method must be provided. The functions described here all return a const pointer to an
\&\fB\s-1EC_METHOD\s0\fR structure that can be passed to \s-1EC_GROUP_NEW.\s0 It is important that the correct implementation
type for the form of curve selected is used.
.PP
For F2^m curves there is only one implementation choice, i.e. EC_GF2_simple_method.
.PP
For Fp curves the lowest common denominator implementation is the EC_GFp_simple_method implementation. All
other implementations are based on this one. EC_GFp_mont_method builds on EC_GFp_simple_method but adds the
use of montgomery multiplication (see \fBBN_mod_mul_montgomery\fR\|(3)). EC_GFp_nist_method
offers an implementation optimised for use with \s-1NIST\s0 recommended curves (\s-1NIST\s0 curves are available through
EC_GROUP_new_by_curve_name as described in \fBEC_GROUP_new\fR\|(3)).
.PP
The functions EC_GFp_nistp224_method, EC_GFp_nistp256_method and EC_GFp_nistp521_method offer 64 bit
optimised implementations for the \s-1NIST P224, P256\s0 and P521 curves respectively. Note, however, that these
implementations are not available on all platforms.
.PP
EC_METHOD_get_field_type identifies what type of field the \s-1EC_METHOD\s0 structure supports, which will be either
F2^m or Fp. If the field type is Fp then the value \fBNID_X9_62_prime_field\fR is returned. If the field type is
F2^m then the value \fBNID_X9_62_characteristic_two_field\fR is returned. These values are defined in the
obj_mac.h header file.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All EC_GFp* functions and EC_GF2m_simple_method always return a const pointer to an \s-1EC_METHOD\s0 structure.
.PP
EC_METHOD_get_field_type returns an integer that identifies the type of field the \s-1EC_METHOD\s0 structure supports.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7), \fBEC_GROUP_new\fR\|(3), \fBEC_GROUP_copy\fR\|(3),
\&\fBEC_POINT_new\fR\|(3), \fBEC_POINT_add\fR\|(3), \fBEC_KEY_new\fR\|(3),
\&\fBd2i_ECPKParameters\fR\|(3),
\&\fBBN_mod_mul_montgomery\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2013\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EC_GROUP_copy.3 b/secure/lib/libcrypto/man/man3/EC_GROUP_copy.3
index b97e943ed837..6a02c7ed7dd4 100644
--- a/secure/lib/libcrypto/man/man3/EC_GROUP_copy.3
+++ b/secure/lib/libcrypto/man/man3/EC_GROUP_copy.3
@@ -1,345 +1,345 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EC_GROUP_COPY 3"
-.TH EC_GROUP_COPY 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EC_GROUP_COPY 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EC_GROUP_get0_order, EC_GROUP_order_bits, EC_GROUP_get0_cofactor, EC_GROUP_copy, EC_GROUP_dup, EC_GROUP_method_of, EC_GROUP_set_generator, EC_GROUP_get0_generator, EC_GROUP_get_order, EC_GROUP_get_cofactor, EC_GROUP_set_curve_name, EC_GROUP_get_curve_name, EC_GROUP_set_asn1_flag, EC_GROUP_get_asn1_flag, EC_GROUP_set_point_conversion_form, EC_GROUP_get_point_conversion_form, EC_GROUP_get0_seed, EC_GROUP_get_seed_len, EC_GROUP_set_seed, EC_GROUP_get_degree, EC_GROUP_check, EC_GROUP_check_discriminant, EC_GROUP_cmp, EC_GROUP_get_basis_type, EC_GROUP_get_trinomial_basis, EC_GROUP_get_pentanomial_basis \&\- Functions for manipulating EC_GROUP objects
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ec.h>
\&
\& int EC_GROUP_copy(EC_GROUP *dst, const EC_GROUP *src);
\& EC_GROUP *EC_GROUP_dup(const EC_GROUP *src);
\&
\& const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group);
\&
\& int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,
\& const BIGNUM *order, const BIGNUM *cofactor);
\& const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group);
\&
\& int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx);
\& const BIGNUM *EC_GROUP_get0_order(const EC_GROUP *group);
\& int EC_GROUP_order_bits(const EC_GROUP *group);
\& int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx);
\& const BIGNUM *EC_GROUP_get0_cofactor(const EC_GROUP *group);
\&
\& void EC_GROUP_set_curve_name(EC_GROUP *group, int nid);
\& int EC_GROUP_get_curve_name(const EC_GROUP *group);
\&
\& void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag);
\& int EC_GROUP_get_asn1_flag(const EC_GROUP *group);
\&
\& void EC_GROUP_set_point_conversion_form(EC_GROUP *group, point_conversion_form_t form);
\& point_conversion_form_t EC_GROUP_get_point_conversion_form(const EC_GROUP *group);
\&
\& unsigned char *EC_GROUP_get0_seed(const EC_GROUP *x);
\& size_t EC_GROUP_get_seed_len(const EC_GROUP *);
\& size_t EC_GROUP_set_seed(EC_GROUP *, const unsigned char *, size_t len);
\&
\& int EC_GROUP_get_degree(const EC_GROUP *group);
\&
\& int EC_GROUP_check(const EC_GROUP *group, BN_CTX *ctx);
\&
\& int EC_GROUP_check_discriminant(const EC_GROUP *group, BN_CTX *ctx);
\&
\& int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ctx);
\&
\& int EC_GROUP_get_basis_type(const EC_GROUP *);
\& int EC_GROUP_get_trinomial_basis(const EC_GROUP *, unsigned int *k);
\& int EC_GROUP_get_pentanomial_basis(const EC_GROUP *, unsigned int *k1,
\& unsigned int *k2, unsigned int *k3);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBEC_GROUP_copy()\fR copies the curve \fBsrc\fR into \fBdst\fR. Both \fBsrc\fR and \fBdst\fR must use the same \s-1EC_METHOD.\s0
.PP
\&\fBEC_GROUP_dup()\fR creates a new \s-1EC_GROUP\s0 object and copies the content from \fBsrc\fR to the newly created
\&\s-1EC_GROUP\s0 object.
.PP
\&\fBEC_GROUP_method_of()\fR obtains the \s-1EC_METHOD\s0 of \fBgroup\fR.
.PP
\&\fBEC_GROUP_set_generator()\fR sets curve parameters that must be agreed by all participants using the curve. These
parameters include the \fBgenerator\fR, the \fBorder\fR and the \fBcofactor\fR. The \fBgenerator\fR is a well defined point on the
curve chosen for cryptographic operations. Integers used for point multiplications will be between 0 and
n\-1 where n is the \fBorder\fR. The \fBorder\fR multiplied by the \fBcofactor\fR gives the number of points on the curve.
.PP
\&\fBEC_GROUP_get0_generator()\fR returns the generator for the identified \fBgroup\fR.
.PP
\&\fBEC_GROUP_get_order()\fR retrieves the order of \fBgroup\fR and copies its value into
\&\fBorder\fR. It fails in case \fBgroup\fR is not fully initialized (i.e., its order
is not set or set to zero).
.PP
\&\fBEC_GROUP_get_cofactor()\fR retrieves the cofactor of \fBgroup\fR and copies its value
into \fBcofactor\fR. It fails in case \fBgroup\fR is not fully initialized or if the
cofactor is not set (or set to zero).
.PP
The functions \fBEC_GROUP_set_curve_name()\fR and \fBEC_GROUP_get_curve_name()\fR, set and get the \s-1NID\s0 for the curve respectively
(see \fBEC_GROUP_new\fR\|(3)). If a curve does not have a \s-1NID\s0 associated with it, then EC_GROUP_get_curve_name
will return NID_undef.
.PP
The asn1_flag value is used to determine whether the curve encoding uses
explicit parameters or a named curve using an \s-1ASN1 OID:\s0 many applications only
support the latter form. If asn1_flag is \fB\s-1OPENSSL_EC_NAMED_CURVE\s0\fR then the
named curve form is used and the parameters must have a corresponding
named curve \s-1NID\s0 set. If asn1_flags is \fB\s-1OPENSSL_EC_EXPLICIT_CURVE\s0\fR the
parameters are explicitly encoded. The functions \fBEC_GROUP_get_asn1_flag()\fR and
\&\fBEC_GROUP_set_asn1_flag()\fR get and set the status of the asn1_flag for the curve.
Note: \fB\s-1OPENSSL_EC_EXPLICIT_CURVE\s0\fR was added in OpenSSL 1.1.0, for
previous versions of OpenSSL the value 0 must be used instead. Before OpenSSL
1.1.0 the default form was to use explicit parameters (meaning that
applications would have to explicitly set the named curve form) in OpenSSL
1.1.0 and later the named curve form is the default.
.PP
The point_conversion_form for a curve controls how \s-1EC_POINT\s0 data is encoded as \s-1ASN1\s0 as defined in X9.62 (\s-1ECDSA\s0).
point_conversion_form_t is an enum defined as follows:
.PP
.Vb 10
\& typedef enum {
\& /** the point is encoded as z||x, where the octet z specifies
\& * which solution of the quadratic equation y is */
\& POINT_CONVERSION_COMPRESSED = 2,
\& /** the point is encoded as z||x||y, where z is the octet 0x04 */
\& POINT_CONVERSION_UNCOMPRESSED = 4,
\& /** the point is encoded as z||x||y, where the octet z specifies
\& * which solution of the quadratic equation y is */
\& POINT_CONVERSION_HYBRID = 6
\& } point_conversion_form_t;
.Ve
.PP
For \s-1POINT_CONVERSION_UNCOMPRESSED\s0 the point is encoded as an octet signifying the \s-1UNCOMPRESSED\s0 form has been used followed by
the octets for x, followed by the octets for y.
.PP
For any given x co-ordinate for a point on a curve it is possible to derive two possible y values. For
\&\s-1POINT_CONVERSION_COMPRESSED\s0 the point is encoded as an octet signifying that the \s-1COMPRESSED\s0 form has been used \s-1AND\s0 which of
the two possible solutions for y has been used, followed by the octets for x.
.PP
For \s-1POINT_CONVERSION_HYBRID\s0 the point is encoded as an octet signifying the \s-1HYBRID\s0 form has been used \s-1AND\s0 which of the two
possible solutions for y has been used, followed by the octets for x, followed by the octets for y.
.PP
The functions \fBEC_GROUP_set_point_conversion_form()\fR and \fBEC_GROUP_get_point_conversion_form()\fR, set and get the point_conversion_form
for the curve respectively.
.PP
\&\s-1ANSI X9.62\s0 (\s-1ECDSA\s0 standard) defines a method of generating the curve parameter b from a random number. This provides advantages
in that a parameter obtained in this way is highly unlikely to be susceptible to special purpose attacks, or have any trapdoors in it.
If the seed is present for a curve then the b parameter was generated in a verifiable fashion using that seed. The OpenSSL \s-1EC\s0 library
does not use this seed value but does enable you to inspect it using \fBEC_GROUP_get0_seed()\fR. This returns a pointer to a memory block
containing the seed that was used. The length of the memory block can be obtained using \fBEC_GROUP_get_seed_len()\fR. A number of the
built-in curves within the library provide seed values that can be obtained. It is also possible to set a custom seed using
\&\fBEC_GROUP_set_seed()\fR and passing a pointer to a memory block, along with the length of the seed. Again, the \s-1EC\s0 library will not use
this seed value, although it will be preserved in any \s-1ASN1\s0 based communications.
.PP
\&\fBEC_GROUP_get_degree()\fR gets the degree of the field. For Fp fields this will be the number of bits in p. For F2^m fields this will be
the value m.
.PP
The function \fBEC_GROUP_check_discriminant()\fR calculates the discriminant for the curve and verifies that it is valid.
For a curve defined over Fp the discriminant is given by the formula 4*a^3 + 27*b^2 whilst for F2^m curves the discriminant is
simply b. In either case for the curve to be valid the discriminant must be non zero.
.PP
The function \fBEC_GROUP_check()\fR performs a number of checks on a curve to verify that it is valid. Checks performed include
verifying that the discriminant is non zero; that a generator has been defined; that the generator is on the curve and has
the correct order.
.PP
\&\fBEC_GROUP_cmp()\fR compares \fBa\fR and \fBb\fR to determine whether they represent the same curve or not.
.PP
The functions \fBEC_GROUP_get_basis_type()\fR, \fBEC_GROUP_get_trinomial_basis()\fR and \fBEC_GROUP_get_pentanomial_basis()\fR should only be called for curves
defined over an F2^m field. Addition and multiplication operations within an F2^m field are performed using an irreducible polynomial
function f(x). This function is either a trinomial of the form:
.PP
f(x) = x^m + x^k + 1 with m > k >= 1
.PP
or a pentanomial of the form:
.PP
f(x) = x^m + x^k3 + x^k2 + x^k1 + 1 with m > k3 > k2 > k1 >= 1
.PP
The function \fBEC_GROUP_get_basis_type()\fR returns a \s-1NID\s0 identifying whether a trinomial or pentanomial is in use for the field. The
function \fBEC_GROUP_get_trinomial_basis()\fR must only be called where f(x) is of the trinomial form, and returns the value of \fBk\fR. Similarly
the function \fBEC_GROUP_get_pentanomial_basis()\fR must only be called where f(x) is of the pentanomial form, and returns the values of \fBk1\fR,
\&\fBk2\fR and \fBk3\fR respectively.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following functions return 1 on success or 0 on error: \fBEC_GROUP_copy()\fR, \fBEC_GROUP_set_generator()\fR, \fBEC_GROUP_check()\fR,
\&\fBEC_GROUP_check_discriminant()\fR, \fBEC_GROUP_get_trinomial_basis()\fR and \fBEC_GROUP_get_pentanomial_basis()\fR.
.PP
\&\fBEC_GROUP_dup()\fR returns a pointer to the duplicated curve, or \s-1NULL\s0 on error.
.PP
\&\fBEC_GROUP_method_of()\fR returns the \s-1EC_METHOD\s0 implementation in use for the given curve or \s-1NULL\s0 on error.
.PP
\&\fBEC_GROUP_get0_generator()\fR returns the generator for the given curve or \s-1NULL\s0 on error.
.PP
\&\fBEC_GROUP_get_order()\fR returns 0 if the order is not set (or set to zero) for
\&\fBgroup\fR or if copying into \fBorder\fR fails, 1 otherwise.
.PP
\&\fBEC_GROUP_get_cofactor()\fR returns 0 if the cofactor is not set (or is set to zero) for \fBgroup\fR or if copying into \fBcofactor\fR fails, 1 otherwise.
.PP
\&\fBEC_GROUP_get_curve_name()\fR returns the curve name (\s-1NID\s0) for \fBgroup\fR or will return NID_undef if no curve name is associated.
.PP
\&\fBEC_GROUP_get_asn1_flag()\fR returns the \s-1ASN1\s0 flag for the specified \fBgroup\fR .
.PP
\&\fBEC_GROUP_get_point_conversion_form()\fR returns the point_conversion_form for \fBgroup\fR.
.PP
\&\fBEC_GROUP_get_degree()\fR returns the degree for \fBgroup\fR or 0 if the operation is not supported by the underlying group implementation.
.PP
\&\fBEC_GROUP_get0_order()\fR returns an internal pointer to the group order.
\&\fBEC_GROUP_order_bits()\fR returns the number of bits in the group order.
\&\fBEC_GROUP_get0_cofactor()\fR returns an internal pointer to the group cofactor.
.PP
\&\fBEC_GROUP_get0_seed()\fR returns a pointer to the seed that was used to generate the parameter b, or \s-1NULL\s0 if the seed is not
specified. \fBEC_GROUP_get_seed_len()\fR returns the length of the seed or 0 if the seed is not specified.
.PP
\&\fBEC_GROUP_set_seed()\fR returns the length of the seed that has been set. If the supplied seed is \s-1NULL,\s0 or the supplied seed length is
0, the return value will be 1. On error 0 is returned.
.PP
\&\fBEC_GROUP_cmp()\fR returns 0 if the curves are equal, 1 if they are not equal, or \-1 on error.
.PP
\&\fBEC_GROUP_get_basis_type()\fR returns the values NID_X9_62_tpBasis or NID_X9_62_ppBasis (as defined in <openssl/obj_mac.h>) for a
trinomial or pentanomial respectively. Alternatively in the event of an error a 0 is returned.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7), \fBEC_GROUP_new\fR\|(3),
\&\fBEC_POINT_new\fR\|(3), \fBEC_POINT_add\fR\|(3), \fBEC_KEY_new\fR\|(3),
\&\fBEC_GFp_simple_method\fR\|(3), \fBd2i_ECPKParameters\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2013\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EC_GROUP_new.3 b/secure/lib/libcrypto/man/man3/EC_GROUP_new.3
index 8171ea5e8260..acb1b4794a4f 100644
--- a/secure/lib/libcrypto/man/man3/EC_GROUP_new.3
+++ b/secure/lib/libcrypto/man/man3/EC_GROUP_new.3
@@ -1,279 +1,279 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EC_GROUP_NEW 3"
-.TH EC_GROUP_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EC_GROUP_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EC_GROUP_get_ecparameters, EC_GROUP_get_ecpkparameters, EC_GROUP_new, EC_GROUP_new_from_ecparameters, EC_GROUP_new_from_ecpkparameters, EC_GROUP_free, EC_GROUP_clear_free, EC_GROUP_new_curve_GFp, EC_GROUP_new_curve_GF2m, EC_GROUP_new_by_curve_name, EC_GROUP_set_curve, EC_GROUP_get_curve, EC_GROUP_set_curve_GFp, EC_GROUP_get_curve_GFp, EC_GROUP_set_curve_GF2m, EC_GROUP_get_curve_GF2m, EC_get_builtin_curves \- Functions for creating and destroying EC_GROUP objects
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ec.h>
\&
\& EC_GROUP *EC_GROUP_new(const EC_METHOD *meth);
\& EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params)
\& EC_GROUP *EC_GROUP_new_from_ecpkparameters(const ECPKPARAMETERS *params)
\& void EC_GROUP_free(EC_GROUP *group);
\& void EC_GROUP_clear_free(EC_GROUP *group);
\&
\& EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a,
\& const BIGNUM *b, BN_CTX *ctx);
\& EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a,
\& const BIGNUM *b, BN_CTX *ctx);
\& EC_GROUP *EC_GROUP_new_by_curve_name(int nid);
\&
\& int EC_GROUP_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a,
\& const BIGNUM *b, BN_CTX *ctx);
\& int EC_GROUP_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b,
\& BN_CTX *ctx);
\& int EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p,
\& const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
\& int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p,
\& BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
\& int EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p,
\& const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
\& int EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p,
\& BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
\&
\& ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group, ECPARAMETERS *params)
\& ECPKPARAMETERS *EC_GROUP_get_ecpkparameters(const EC_GROUP *group, ECPKPARAMETERS *params)
\&
\& size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Within the library there are two forms of elliptic curve that are of interest.
The first form is those defined over the prime field Fp. The elements of Fp are
the integers 0 to p\-1, where p is a prime number. This gives us a revised
elliptic curve equation as follows:
.PP
y^2 mod p = x^3 +ax + b mod p
.PP
The second form is those defined over a binary field F2^m where the elements of
the field are integers of length at most m bits. For this form the elliptic
curve equation is modified to:
.PP
y^2 + xy = x^3 + ax^2 + b (where b != 0)
.PP
Operations in a binary field are performed relative to an \fBirreducible
polynomial\fR. All such curves with OpenSSL use a trinomial or a pentanomial for
this parameter.
.PP
A new curve can be constructed by calling \fBEC_GROUP_new()\fR, using the
implementation provided by \fBmeth\fR (see \fBEC_GFp_simple_method\fR\|(3)). It is then
necessary to call \fBEC_GROUP_set_curve()\fR to set the curve parameters.
\&\fBEC_GROUP_new_from_ecparameters()\fR will create a group from the specified
\&\fBparams\fR and \fBEC_GROUP_new_from_ecpkparameters()\fR will create a group from the
specific \s-1PK\s0 \fBparams\fR.
.PP
\&\fBEC_GROUP_set_curve()\fR sets the curve parameters \fBp\fR, \fBa\fR and \fBb\fR. For a curve
over Fp \fBp\fR is the prime for the field. For a curve over F2^m \fBp\fR represents
the irreducible polynomial \- each bit represents a term in the polynomial.
Therefore, there will either be three or five bits set dependent on whether the
polynomial is a trinomial or a pentanomial.
In either case, \fBa\fR and \fBb\fR represents the coefficients a and b from the
relevant equation introduced above.
.PP
\&\fBEC_group_get_curve()\fR obtains the previously set curve parameters.
.PP
\&\fBEC_GROUP_set_curve_GFp()\fR and \fBEC_GROUP_set_curve_GF2m()\fR are synonyms for
\&\fBEC_GROUP_set_curve()\fR. They are defined for backwards compatibility only and
should not be used.
.PP
\&\fBEC_GROUP_get_curve_GFp()\fR and \fBEC_GROUP_get_curve_GF2m()\fR are synonyms for
\&\fBEC_GROUP_get_curve()\fR. They are defined for backwards compatibility only and
should not be used.
.PP
The functions \fBEC_GROUP_new_curve_GFp()\fR and \fBEC_GROUP_new_curve_GF2m()\fR are
shortcuts for calling \fBEC_GROUP_new()\fR and then the \fBEC_GROUP_set_curve()\fR function.
An appropriate default implementation method will be used.
.PP
Whilst the library can be used to create any curve using the functions described
above, there are also a number of predefined curves that are available. In order
to obtain a list of all of the predefined curves, call the function
\&\fBEC_get_builtin_curves()\fR. The parameter \fBr\fR should be an array of
EC_builtin_curve structures of size \fBnitems\fR. The function will populate the
\&\fBr\fR array with information about the builtin curves. If \fBnitems\fR is less than
the total number of curves available, then the first \fBnitems\fR curves will be
returned. Otherwise the total number of curves will be provided. The return
value is the total number of curves available (whether that number has been
populated in \fBr\fR or not). Passing a \s-1NULL\s0 \fBr\fR, or setting \fBnitems\fR to 0 will
do nothing other than return the total number of curves available.
The EC_builtin_curve structure is defined as follows:
.PP
.Vb 4
\& typedef struct {
\& int nid;
\& const char *comment;
\& } EC_builtin_curve;
.Ve
.PP
Each EC_builtin_curve item has a unique integer id (\fBnid\fR), and a human
readable comment string describing the curve.
.PP
In order to construct a builtin curve use the function
\&\fBEC_GROUP_new_by_curve_name()\fR and provide the \fBnid\fR of the curve to
be constructed.
.PP
\&\fBEC_GROUP_free()\fR frees the memory associated with the \s-1EC_GROUP.\s0
If \fBgroup\fR is \s-1NULL\s0 nothing is done.
.PP
\&\fBEC_GROUP_clear_free()\fR destroys any sensitive data held within the \s-1EC_GROUP\s0 and
then frees its memory. If \fBgroup\fR is \s-1NULL\s0 nothing is done.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All EC_GROUP_new* functions return a pointer to the newly constructed group, or
\&\s-1NULL\s0 on error.
.PP
\&\fBEC_get_builtin_curves()\fR returns the number of builtin curves that are available.
.PP
\&\fBEC_GROUP_set_curve_GFp()\fR, \fBEC_GROUP_get_curve_GFp()\fR, \fBEC_GROUP_set_curve_GF2m()\fR,
\&\fBEC_GROUP_get_curve_GF2m()\fR return 1 on success or 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7), \fBEC_GROUP_copy\fR\|(3),
\&\fBEC_POINT_new\fR\|(3), \fBEC_POINT_add\fR\|(3), \fBEC_KEY_new\fR\|(3),
\&\fBEC_GFp_simple_method\fR\|(3), \fBd2i_ECPKParameters\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2013\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EC_KEY_get_enc_flags.3 b/secure/lib/libcrypto/man/man3/EC_KEY_get_enc_flags.3
index 1d744cc92f05..b0b2d323ae8a 100644
--- a/secure/lib/libcrypto/man/man3/EC_KEY_get_enc_flags.3
+++ b/secure/lib/libcrypto/man/man3/EC_KEY_get_enc_flags.3
@@ -1,190 +1,190 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EC_KEY_GET_ENC_FLAGS 3"
-.TH EC_KEY_GET_ENC_FLAGS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EC_KEY_GET_ENC_FLAGS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EC_KEY_get_enc_flags, EC_KEY_set_enc_flags \&\- Get and set flags for encoding EC_KEY structures
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ec.h>
\&
\& unsigned int EC_KEY_get_enc_flags(const EC_KEY *key);
\& void EC_KEY_set_enc_flags(EC_KEY *eckey, unsigned int flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The format of the external representation of the public key written by
\&\fBi2d_ECPrivateKey()\fR (such as whether it is stored in a compressed form or not) is
described by the point_conversion_form. See \fBEC_GROUP_copy\fR\|(3)
for a description of point_conversion_form.
.PP
When reading a private key encoded without an associated public key (e.g. if
\&\s-1EC_PKEY_NO_PUBKEY\s0 has been used \- see below), then \fBd2i_ECPrivateKey()\fR generates
the missing public key automatically. Private keys encoded without parameters
(e.g. if \s-1EC_PKEY_NO_PARAMETERS\s0 has been used \- see below) cannot be loaded using
\&\fBd2i_ECPrivateKey()\fR.
.PP
The functions \fBEC_KEY_get_enc_flags()\fR and \fBEC_KEY_set_enc_flags()\fR get and set the
value of the encoding flags for the \fBkey\fR. There are two encoding flags
currently defined \- \s-1EC_PKEY_NO_PARAMETERS\s0 and \s-1EC_PKEY_NO_PUBKEY.\s0 These flags
define the behaviour of how the \fBkey\fR is converted into \s-1ASN1\s0 in a call to
\&\fBi2d_ECPrivateKey()\fR. If \s-1EC_PKEY_NO_PARAMETERS\s0 is set then the public parameters for
the curve are not encoded along with the private key. If \s-1EC_PKEY_NO_PUBKEY\s0 is
set then the public key is not encoded along with the private key.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEC_KEY_get_enc_flags()\fR returns the value of the current encoding flags for the
\&\s-1EC_KEY.\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7), \fBEC_GROUP_new\fR\|(3),
\&\fBEC_GROUP_copy\fR\|(3), \fBEC_POINT_new\fR\|(3),
\&\fBEC_POINT_add\fR\|(3),
\&\fBEC_GFp_simple_method\fR\|(3),
\&\fBd2i_ECPKParameters\fR\|(3),
\&\fBd2i_ECPrivateKey\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EC_KEY_new.3 b/secure/lib/libcrypto/man/man3/EC_KEY_new.3
index f2806909df04..314d7e7a7e99 100644
--- a/secure/lib/libcrypto/man/man3/EC_KEY_new.3
+++ b/secure/lib/libcrypto/man/man3/EC_KEY_new.3
@@ -1,314 +1,314 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EC_KEY_NEW 3"
-.TH EC_KEY_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EC_KEY_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EC_KEY_get_method, EC_KEY_set_method, EC_KEY_new, EC_KEY_get_flags, EC_KEY_set_flags, EC_KEY_clear_flags, EC_KEY_new_by_curve_name, EC_KEY_free, EC_KEY_copy, EC_KEY_dup, EC_KEY_up_ref, EC_KEY_get0_engine, EC_KEY_get0_group, EC_KEY_set_group, EC_KEY_get0_private_key, EC_KEY_set_private_key, EC_KEY_get0_public_key, EC_KEY_set_public_key, EC_KEY_get_conv_form, EC_KEY_set_conv_form, EC_KEY_set_asn1_flag, EC_KEY_decoded_from_explicit_params, EC_KEY_precompute_mult, EC_KEY_generate_key, EC_KEY_check_key, EC_KEY_set_public_key_affine_coordinates, EC_KEY_oct2key, EC_KEY_key2buf, EC_KEY_oct2priv, EC_KEY_priv2oct, EC_KEY_priv2buf \- Functions for creating, destroying and manipulating EC_KEY objects
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ec.h>
\&
\& EC_KEY *EC_KEY_new(void);
\& int EC_KEY_get_flags(const EC_KEY *key);
\& void EC_KEY_set_flags(EC_KEY *key, int flags);
\& void EC_KEY_clear_flags(EC_KEY *key, int flags);
\& EC_KEY *EC_KEY_new_by_curve_name(int nid);
\& void EC_KEY_free(EC_KEY *key);
\& EC_KEY *EC_KEY_copy(EC_KEY *dst, const EC_KEY *src);
\& EC_KEY *EC_KEY_dup(const EC_KEY *src);
\& int EC_KEY_up_ref(EC_KEY *key);
\& ENGINE *EC_KEY_get0_engine(const EC_KEY *eckey);
\& const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key);
\& int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group);
\& const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key);
\& int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *prv);
\& const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key);
\& int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub);
\& point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key);
\& void EC_KEY_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform);
\& void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag);
\& int EC_KEY_decoded_from_explicit_params(const EC_KEY *key);
\& int EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx);
\& int EC_KEY_generate_key(EC_KEY *key);
\& int EC_KEY_check_key(const EC_KEY *key);
\& int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, BIGNUM *y);
\& const EC_KEY_METHOD *EC_KEY_get_method(const EC_KEY *key);
\& int EC_KEY_set_method(EC_KEY *key, const EC_KEY_METHOD *meth);
\&
\& int EC_KEY_oct2key(EC_KEY *eckey, const unsigned char *buf, size_t len, BN_CTX *ctx);
\& size_t EC_KEY_key2buf(const EC_KEY *eckey, point_conversion_form_t form,
\& unsigned char **pbuf, BN_CTX *ctx);
\&
\& int EC_KEY_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len);
\& size_t EC_KEY_priv2oct(const EC_KEY *eckey, unsigned char *buf, size_t len);
\&
\& size_t EC_KEY_priv2buf(const EC_KEY *eckey, unsigned char **pbuf);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
An \s-1EC_KEY\s0 represents a public key and, optionally, the associated private
key. A new \s-1EC_KEY\s0 with no associated curve can be constructed by calling
\&\fBEC_KEY_new()\fR. The reference count for the newly created \s-1EC_KEY\s0 is initially
set to 1. A curve can be associated with the \s-1EC_KEY\s0 by calling
\&\fBEC_KEY_set_group()\fR.
.PP
Alternatively a new \s-1EC_KEY\s0 can be constructed by calling
\&\fBEC_KEY_new_by_curve_name()\fR and supplying the nid of the associated curve. See
\&\fBEC_GROUP_new\fR\|(3) for a description of curve names. This function simply
wraps calls to \fBEC_KEY_new()\fR and \fBEC_GROUP_new_by_curve_name()\fR.
.PP
Calling \fBEC_KEY_free()\fR decrements the reference count for the \s-1EC_KEY\s0 object,
and if it has dropped to zero then frees the memory associated with it. If
\&\fBkey\fR is \s-1NULL\s0 nothing is done.
.PP
\&\fBEC_KEY_copy()\fR copies the contents of the \s-1EC_KEY\s0 in \fBsrc\fR into \fBdest\fR.
.PP
\&\fBEC_KEY_dup()\fR creates a new \s-1EC_KEY\s0 object and copies \fBec_key\fR into it.
.PP
\&\fBEC_KEY_up_ref()\fR increments the reference count associated with the \s-1EC_KEY\s0
object.
.PP
\&\fBEC_KEY_get0_engine()\fR returns a handle to the \s-1ENGINE\s0 that has been set for
this \s-1EC_KEY\s0 object.
.PP
\&\fBEC_KEY_generate_key()\fR generates a new public and private key for the supplied
\&\fBeckey\fR object. \fBeckey\fR must have an \s-1EC_GROUP\s0 object associated with it
before calling this function. The private key is a random integer (0 < priv_key
< order, where \fIorder\fR is the order of the \s-1EC_GROUP\s0 object). The public key is
an \s-1EC_POINT\s0 on the curve calculated by multiplying the generator for the
curve by the private key.
.PP
\&\fBEC_KEY_check_key()\fR performs various sanity checks on the \s-1EC_KEY\s0 object to
confirm that it is valid.
.PP
\&\fBEC_KEY_set_public_key_affine_coordinates()\fR sets the public key for \fBkey\fR based
on its affine co-ordinates; i.e., it constructs an \s-1EC_POINT\s0 object based on
the supplied \fBx\fR and \fBy\fR values and sets the public key to be this
\&\s-1EC_POINT.\s0 It also performs certain sanity checks on the key to confirm
that it is valid.
.PP
The functions \fBEC_KEY_get0_group()\fR, \fBEC_KEY_set_group()\fR,
\&\fBEC_KEY_get0_private_key()\fR, \fBEC_KEY_set_private_key()\fR, \fBEC_KEY_get0_public_key()\fR,
and \fBEC_KEY_set_public_key()\fR get and set the \s-1EC_GROUP\s0 object, the private key,
and the \s-1EC_POINT\s0 public key for the \fBkey\fR respectively.
.PP
The functions \fBEC_KEY_get_conv_form()\fR and \fBEC_KEY_set_conv_form()\fR get and set the
point_conversion_form for the \fBkey\fR. For a description of
point_conversion_forms please see \fBEC_POINT_new\fR\|(3).
.PP
\&\fBEC_KEY_set_flags()\fR sets the flags in the \fBflags\fR parameter on the \s-1EC_KEY\s0
object. Any flags that are already set are left set. The flags currently
defined are \s-1EC_FLAG_NON_FIPS_ALLOW\s0 and \s-1EC_FLAG_FIPS_CHECKED.\s0 In
addition there is the flag \s-1EC_FLAG_COFACTOR_ECDH\s0 which is specific to \s-1ECDH.\s0
\&\fBEC_KEY_get_flags()\fR returns the current flags that are set for this \s-1EC_KEY.\s0
\&\fBEC_KEY_clear_flags()\fR clears the flags indicated by the \fBflags\fR parameter; all
other flags are left in their existing state.
.PP
\&\fBEC_KEY_set_asn1_flag()\fR sets the asn1_flag on the underlying \s-1EC_GROUP\s0 object
(if set). Refer to \fBEC_GROUP_copy\fR\|(3) for further information on the
asn1_flag.
.PP
\&\fBEC_KEY_decoded_from_explicit_params()\fR returns 1 if the group of the \fIkey\fR was
decoded from data with explicitly encoded group parameters, \-1 if the \fIkey\fR
is \s-1NULL\s0 or the group parameters are missing, and 0 otherwise.
.PP
\&\fBEC_KEY_precompute_mult()\fR stores multiples of the underlying \s-1EC_GROUP\s0 generator
for faster point multiplication. See also \fBEC_POINT_add\fR\|(3).
.PP
\&\fBEC_KEY_oct2key()\fR and \fBEC_KEY_key2buf()\fR are identical to the functions
\&\fBEC_POINT_oct2point()\fR and \fBEC_POINT_point2buf()\fR except they use the public key
\&\s-1EC_POINT\s0 in \fBeckey\fR.
.PP
\&\fBEC_KEY_oct2priv()\fR and \fBEC_KEY_priv2oct()\fR convert between the private key
component of \fBeckey\fR and octet form. The octet form consists of the content
octets of the \fBprivateKey\fR \s-1OCTET STRING\s0 in an \fBECPrivateKey\fR \s-1ASN.1\s0 structure.
.PP
The function \fBEC_KEY_priv2oct()\fR must be supplied with a buffer long enough to
store the octet form. The return value provides the number of octets stored.
Calling the function with a \s-1NULL\s0 buffer will not perform the conversion but
will just return the required buffer length.
.PP
The function \fBEC_KEY_priv2buf()\fR allocates a buffer of suitable length and writes
an \s-1EC_KEY\s0 to it in octet format. The allocated buffer is written to \fB*pbuf\fR
and its length is returned. The caller must free up the allocated buffer with a
call to \fBOPENSSL_free()\fR. Since the allocated buffer value is written to \fB*pbuf\fR
the \fBpbuf\fR parameter \fB\s-1MUST NOT\s0\fR be \fB\s-1NULL\s0\fR.
.PP
\&\fBEC_KEY_priv2buf()\fR converts an \s-1EC_KEY\s0 private key into an allocated buffer.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEC_KEY_new()\fR, \fBEC_KEY_new_by_curve_name()\fR and \fBEC_KEY_dup()\fR return a pointer to
the newly created \s-1EC_KEY\s0 object, or \s-1NULL\s0 on error.
.PP
\&\fBEC_KEY_get_flags()\fR returns the flags associated with the \s-1EC_KEY\s0 object as an
integer.
.PP
\&\fBEC_KEY_copy()\fR returns a pointer to the destination key, or \s-1NULL\s0 on error.
.PP
\&\fBEC_KEY_get0_engine()\fR returns a pointer to an \s-1ENGINE,\s0 or \s-1NULL\s0 if it wasn't set.
.PP
\&\fBEC_KEY_up_ref()\fR, \fBEC_KEY_set_group()\fR, \fBEC_KEY_set_private_key()\fR,
\&\fBEC_KEY_set_public_key()\fR, \fBEC_KEY_precompute_mult()\fR, \fBEC_KEY_generate_key()\fR,
\&\fBEC_KEY_check_key()\fR, \fBEC_KEY_set_public_key_affine_coordinates()\fR,
\&\fBEC_KEY_oct2key()\fR and \fBEC_KEY_oct2priv()\fR return 1 on success or 0 on error.
.PP
\&\fBEC_KEY_get0_group()\fR returns the \s-1EC_GROUP\s0 associated with the \s-1EC_KEY.\s0
.PP
\&\fBEC_KEY_get0_private_key()\fR returns the private key associated with the \s-1EC_KEY.\s0
.PP
\&\fBEC_KEY_get_conv_form()\fR return the point_conversion_form for the \s-1EC_KEY.\s0
.PP
\&\fBEC_KEY_key2buf()\fR, \fBEC_KEY_priv2oct()\fR and \fBEC_KEY_priv2buf()\fR return the length
of the buffer or 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7), \fBEC_GROUP_new\fR\|(3),
\&\fBEC_GROUP_copy\fR\|(3), \fBEC_POINT_new\fR\|(3),
\&\fBEC_POINT_add\fR\|(3),
\&\fBEC_GFp_simple_method\fR\|(3),
\&\fBd2i_ECPKParameters\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2013\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EC_POINT_add.3 b/secure/lib/libcrypto/man/man3/EC_POINT_add.3
index 209a51d19df5..4067a0e5b165 100644
--- a/secure/lib/libcrypto/man/man3/EC_POINT_add.3
+++ b/secure/lib/libcrypto/man/man3/EC_POINT_add.3
@@ -1,216 +1,216 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EC_POINT_ADD 3"
-.TH EC_POINT_ADD 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EC_POINT_ADD 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EC_POINT_add, EC_POINT_dbl, EC_POINT_invert, EC_POINT_is_at_infinity, EC_POINT_is_on_curve, EC_POINT_cmp, EC_POINT_make_affine, EC_POINTs_make_affine, EC_POINTs_mul, EC_POINT_mul, EC_GROUP_precompute_mult, EC_GROUP_have_precompute_mult \- Functions for performing mathematical operations and tests on EC_POINT objects
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ec.h>
\&
\& int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
\& const EC_POINT *b, BN_CTX *ctx);
\& int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx);
\& int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx);
\& int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *p);
\& int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx);
\& int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx);
\& int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx);
\& int EC_POINTs_make_affine(const EC_GROUP *group, size_t num,
\& EC_POINT *points[], BN_CTX *ctx);
\& int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, size_t num,
\& const EC_POINT *p[], const BIGNUM *m[], BN_CTX *ctx);
\& int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n,
\& const EC_POINT *q, const BIGNUM *m, BN_CTX *ctx);
\& int EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
\& int EC_GROUP_have_precompute_mult(const EC_GROUP *group);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
EC_POINT_add adds the two points \fBa\fR and \fBb\fR and places the result in \fBr\fR. Similarly EC_POINT_dbl doubles the point \fBa\fR and places the
result in \fBr\fR. In both cases it is valid for \fBr\fR to be one of \fBa\fR or \fBb\fR.
.PP
EC_POINT_invert calculates the inverse of the supplied point \fBa\fR. The result is placed back in \fBa\fR.
.PP
The function EC_POINT_is_at_infinity tests whether the supplied point is at infinity or not.
.PP
EC_POINT_is_on_curve tests whether the supplied point is on the curve or not.
.PP
EC_POINT_cmp compares the two supplied points and tests whether or not they are equal.
.PP
The functions EC_POINT_make_affine and EC_POINTs_make_affine force the internal representation of the \s-1EC_POINT\s0(s) into the affine
co-ordinate system. In the case of EC_POINTs_make_affine the value \fBnum\fR provides the number of points in the array \fBpoints\fR to be
forced.
.PP
EC_POINT_mul is a convenient interface to EC_POINTs_mul: it calculates the value generator * \fBn\fR + \fBq\fR * \fBm\fR and stores the result in \fBr\fR.
The value \fBn\fR may be \s-1NULL\s0 in which case the result is just \fBq\fR * \fBm\fR (variable point multiplication). Alternatively, both \fBq\fR and \fBm\fR may be \s-1NULL,\s0 and \fBn\fR non-NULL, in which case the result is just generator * \fBn\fR (fixed point multiplication).
When performing a single fixed or variable point multiplication, the underlying implementation uses a constant time algorithm, when the input scalar (either \fBn\fR or \fBm\fR) is in the range [0, ec_group_order).
.PP
EC_POINTs_mul calculates the value generator * \fBn\fR + \fBq[0]\fR * \fBm[0]\fR + ... + \fBq[num\-1]\fR * \fBm[num\-1]\fR. As for EC_POINT_mul the value \fBn\fR may be \s-1NULL\s0 or \fBnum\fR may be zero.
When performing a fixed point multiplication (\fBn\fR is non-NULL and \fBnum\fR is 0) or a variable point multiplication (\fBn\fR is \s-1NULL\s0 and \fBnum\fR is 1), the underlying implementation uses a constant time algorithm, when the input scalar (either \fBn\fR or \fBm[0]\fR) is in the range [0, ec_group_order).
.PP
The function EC_GROUP_precompute_mult stores multiples of the generator for faster point multiplication, whilst
EC_GROUP_have_precompute_mult tests whether precomputation has already been done. See \fBEC_GROUP_copy\fR\|(3) for information
about the generator.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following functions return 1 on success or 0 on error: EC_POINT_add, EC_POINT_dbl, EC_POINT_invert, EC_POINT_make_affine,
EC_POINTs_make_affine, EC_POINTs_make_affine, EC_POINT_mul, EC_POINTs_mul and EC_GROUP_precompute_mult.
.PP
EC_POINT_is_at_infinity returns 1 if the point is at infinity, or 0 otherwise.
.PP
EC_POINT_is_on_curve returns 1 if the point is on the curve, 0 if not, or \-1 on error.
.PP
EC_POINT_cmp returns 1 if the points are not equal, 0 if they are, or \-1 on error.
.PP
EC_GROUP_have_precompute_mult return 1 if a precomputation has been done, or 0 if not.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7), \fBEC_GROUP_new\fR\|(3), \fBEC_GROUP_copy\fR\|(3),
\&\fBEC_POINT_new\fR\|(3), \fBEC_KEY_new\fR\|(3),
\&\fBEC_GFp_simple_method\fR\|(3), \fBd2i_ECPKParameters\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2013\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EC_POINT_new.3 b/secure/lib/libcrypto/man/man3/EC_POINT_new.3
index 548981af6686..a9043ac4200d 100644
--- a/secure/lib/libcrypto/man/man3/EC_POINT_new.3
+++ b/secure/lib/libcrypto/man/man3/EC_POINT_new.3
@@ -1,359 +1,359 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EC_POINT_NEW 3"
-.TH EC_POINT_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EC_POINT_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EC_POINT_set_Jprojective_coordinates_GFp, EC_POINT_point2buf, EC_POINT_new, EC_POINT_free, EC_POINT_clear_free, EC_POINT_copy, EC_POINT_dup, EC_POINT_method_of, EC_POINT_set_to_infinity, EC_POINT_get_Jprojective_coordinates_GFp, EC_POINT_set_affine_coordinates, EC_POINT_get_affine_coordinates, EC_POINT_set_compressed_coordinates, EC_POINT_set_affine_coordinates_GFp, EC_POINT_get_affine_coordinates_GFp, EC_POINT_set_compressed_coordinates_GFp, EC_POINT_set_affine_coordinates_GF2m, EC_POINT_get_affine_coordinates_GF2m, EC_POINT_set_compressed_coordinates_GF2m, EC_POINT_point2oct, EC_POINT_oct2point, EC_POINT_point2bn, EC_POINT_bn2point, EC_POINT_point2hex, EC_POINT_hex2point \&\- Functions for creating, destroying and manipulating EC_POINT objects
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ec.h>
\&
\& EC_POINT *EC_POINT_new(const EC_GROUP *group);
\& void EC_POINT_free(EC_POINT *point);
\& void EC_POINT_clear_free(EC_POINT *point);
\& int EC_POINT_copy(EC_POINT *dst, const EC_POINT *src);
\& EC_POINT *EC_POINT_dup(const EC_POINT *src, const EC_GROUP *group);
\& const EC_METHOD *EC_POINT_method_of(const EC_POINT *point);
\& int EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point);
\& int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *group,
\& EC_POINT *p,
\& const BIGNUM *x, const BIGNUM *y,
\& const BIGNUM *z, BN_CTX *ctx);
\& int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group,
\& const EC_POINT *p,
\& BIGNUM *x, BIGNUM *y, BIGNUM *z,
\& BN_CTX *ctx);
\& int EC_POINT_set_affine_coordinates(const EC_GROUP *group, EC_POINT *p,
\& const BIGNUM *x, const BIGNUM *y,
\& BN_CTX *ctx);
\& int EC_POINT_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *p,
\& BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
\& int EC_POINT_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *p,
\& const BIGNUM *x, int y_bit,
\& BN_CTX *ctx);
\& int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *p,
\& const BIGNUM *x, const BIGNUM *y,
\& BN_CTX *ctx);
\& int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,
\& const EC_POINT *p,
\& BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
\& int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group,
\& EC_POINT *p,
\& const BIGNUM *x, int y_bit,
\& BN_CTX *ctx);
\& int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_POINT *p,
\& const BIGNUM *x, const BIGNUM *y,
\& BN_CTX *ctx);
\& int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group,
\& const EC_POINT *p,
\& BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
\& int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group,
\& EC_POINT *p,
\& const BIGNUM *x, int y_bit,
\& BN_CTX *ctx);
\& size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *p,
\& point_conversion_form_t form,
\& unsigned char *buf, size_t len, BN_CTX *ctx);
\& size_t EC_POINT_point2buf(const EC_GROUP *group, const EC_POINT *point,
\& point_conversion_form_t form,
\& unsigned char **pbuf, BN_CTX *ctx);
\& int EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *p,
\& const unsigned char *buf, size_t len, BN_CTX *ctx);
\& BIGNUM *EC_POINT_point2bn(const EC_GROUP *group, const EC_POINT *p,
\& point_conversion_form_t form, BIGNUM *bn,
\& BN_CTX *ctx);
\& EC_POINT *EC_POINT_bn2point(const EC_GROUP *group, const BIGNUM *bn,
\& EC_POINT *p, BN_CTX *ctx);
\& char *EC_POINT_point2hex(const EC_GROUP *group, const EC_POINT *p,
\& point_conversion_form_t form, BN_CTX *ctx);
\& EC_POINT *EC_POINT_hex2point(const EC_GROUP *group, const char *hex,
\& EC_POINT *p, BN_CTX *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
An \fB\s-1EC_POINT\s0\fR structure represents a point on a curve. A new point is
constructed by calling the function \fBEC_POINT_new()\fR and providing the
\&\fBgroup\fR object that the point relates to.
.PP
\&\fBEC_POINT_free()\fR frees the memory associated with the \fB\s-1EC_POINT\s0\fR.
if \fBpoint\fR is \s-1NULL\s0 nothing is done.
.PP
\&\fBEC_POINT_clear_free()\fR destroys any sensitive data held within the \s-1EC_POINT\s0 and
then frees its memory. If \fBpoint\fR is \s-1NULL\s0 nothing is done.
.PP
\&\fBEC_POINT_copy()\fR copies the point \fBsrc\fR into \fBdst\fR. Both \fBsrc\fR and \fBdst\fR
must use the same \fB\s-1EC_METHOD\s0\fR.
.PP
\&\fBEC_POINT_dup()\fR creates a new \fB\s-1EC_POINT\s0\fR object and copies the content from
\&\fBsrc\fR to the newly created \fB\s-1EC_POINT\s0\fR object.
.PP
\&\fBEC_POINT_method_of()\fR obtains the \fB\s-1EC_METHOD\s0\fR associated with \fBpoint\fR.
.PP
A valid point on a curve is the special point at infinity. A point is set to
be at infinity by calling \fBEC_POINT_set_to_infinity()\fR.
.PP
The affine co-ordinates for a point describe a point in terms of its x and y
position. The function \fBEC_POINT_set_affine_coordinates()\fR sets the \fBx\fR and \fBy\fR
co-ordinates for the point \fBp\fR defined over the curve given in \fBgroup\fR. The
function \fBEC_POINT_get_affine_coordinates()\fR sets \fBx\fR and \fBy\fR, either of which
may be \s-1NULL,\s0 to the corresponding coordinates of \fBp\fR.
.PP
The functions \fBEC_POINT_set_affine_coordinates_GFp()\fR and
\&\fBEC_POINT_set_affine_coordinates_GF2m()\fR are synonyms for
\&\fBEC_POINT_set_affine_coordinates()\fR. They are defined for backwards compatibility
only and should not be used.
.PP
The functions \fBEC_POINT_get_affine_coordinates_GFp()\fR and
\&\fBEC_POINT_get_affine_coordinates_GF2m()\fR are synonyms for
\&\fBEC_POINT_get_affine_coordinates()\fR. They are defined for backwards compatibility
only and should not be used.
.PP
As well as the affine co-ordinates, a point can alternatively be described in
terms of its Jacobian projective co-ordinates (for Fp curves only). Jacobian
projective co-ordinates are expressed as three values x, y and z. Working in
this co-ordinate system provides more efficient point multiplication
operations. A mapping exists between Jacobian projective co-ordinates and
affine co-ordinates. A Jacobian projective co-ordinate (x, y, z) can be written
as an affine co-ordinate as (x/(z^2), y/(z^3)). Conversion to Jacobian
projective from affine co-ordinates is simple. The co-ordinate (x, y) is mapped
to (x, y, 1). To set or get the projective co-ordinates use
\&\fBEC_POINT_set_Jprojective_coordinates_GFp()\fR and
\&\fBEC_POINT_get_Jprojective_coordinates_GFp()\fR respectively.
.PP
Points can also be described in terms of their compressed co-ordinates. For a
point (x, y), for any given value for x such that the point is on the curve
there will only ever be two possible values for y. Therefore, a point can be set
using the \fBEC_POINT_set_compressed_coordinates()\fR function where \fBx\fR is the x
co-ordinate and \fBy_bit\fR is a value 0 or 1 to identify which of the two
possible values for y should be used.
.PP
The functions \fBEC_POINT_set_compressed_coordinates_GFp()\fR and
\&\fBEC_POINT_set_compressed_coordinates_GF2m()\fR are synonyms for
\&\fBEC_POINT_set_compressed_coordinates()\fR. They are defined for backwards
compatibility only and should not be used.
.PP
In addition \fB\s-1EC_POINT\s0\fR can be converted to and from various external
representations. The octet form is the binary encoding of the \fBECPoint\fR
structure (as defined in \s-1RFC5480\s0 and used in certificates and \s-1TLS\s0 records):
only the content octets are present, the \fB\s-1OCTET STRING\s0\fR tag and length are
not included. \fB\s-1BIGNUM\s0\fR form is the octet form interpreted as a big endian
integer converted to a \fB\s-1BIGNUM\s0\fR structure. Hexadecimal form is the octet
form converted to a \s-1NULL\s0 terminated character string where each character
is one of the printable values 0\-9 or A\-F (or a\-f).
.PP
The functions \fBEC_POINT_point2oct()\fR, \fBEC_POINT_oct2point()\fR, \fBEC_POINT_point2bn()\fR,
\&\fBEC_POINT_bn2point()\fR, \fBEC_POINT_point2hex()\fR and \fBEC_POINT_hex2point()\fR convert from
and to EC_POINTs for the formats: octet, \s-1BIGNUM\s0 and hexadecimal respectively.
.PP
The function \fBEC_POINT_point2oct()\fR encodes the given curve point \fBp\fR as an
octet string into the buffer \fBbuf\fR of size \fBlen\fR, using the specified
conversion form \fBform\fR.
The encoding conforms with Sec. 2.3.3 of the \s-1SECG SEC 1\s0 (\*(L"Elliptic Curve
Cryptography\*(R") standard.
Similarly the function \fBEC_POINT_oct2point()\fR decodes a curve point into \fBp\fR from
the octet string contained in the given buffer \fBbuf\fR of size \fBlen\fR, conforming
to Sec. 2.3.4 of the \s-1SECG SEC 1\s0 (\*(L"Elliptic Curve Cryptography\*(R") standard.
.PP
The functions \fBEC_POINT_point2hex()\fR and \fBEC_POINT_point2bn()\fR convert a point \fBp\fR,
respectively, to the hexadecimal or \s-1BIGNUM\s0 representation of the same
encoding of the function \fBEC_POINT_point2oct()\fR.
Vice versa, similarly to the function \fBEC_POINT_oct2point()\fR, the functions
\&\fBEC_POINT_hex2point()\fR and \fBEC_POINT_point2bn()\fR decode the hexadecimal or
\&\s-1BIGNUM\s0 representation into the \s-1EC_POINT\s0 \fBp\fR.
.PP
Notice that, according to the standard, the octet string encoding of the point
at infinity for a given curve is fixed to a single octet of value zero and that,
vice versa, a single octet of size zero is decoded as the point at infinity.
.PP
The function \fBEC_POINT_point2oct()\fR must be supplied with a buffer long enough to
store the octet form. The return value provides the number of octets stored.
Calling the function with a \s-1NULL\s0 buffer will not perform the conversion but
will still return the required buffer length.
.PP
The function \fBEC_POINT_point2buf()\fR allocates a buffer of suitable length and
writes an \s-1EC_POINT\s0 to it in octet format. The allocated buffer is written to
\&\fB*pbuf\fR and its length is returned. The caller must free up the allocated
buffer with a call to \fBOPENSSL_free()\fR. Since the allocated buffer value is
written to \fB*pbuf\fR the \fBpbuf\fR parameter \fB\s-1MUST NOT\s0\fR be \fB\s-1NULL\s0\fR.
.PP
The function \fBEC_POINT_point2hex()\fR will allocate sufficient memory to store the
hexadecimal string. It is the caller's responsibility to free this memory with
a subsequent call to \fBOPENSSL_free()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEC_POINT_new()\fR and \fBEC_POINT_dup()\fR return the newly allocated \s-1EC_POINT\s0 or \s-1NULL\s0
on error.
.PP
The following functions return 1 on success or 0 on error: \fBEC_POINT_copy()\fR,
\&\fBEC_POINT_set_to_infinity()\fR, \fBEC_POINT_set_Jprojective_coordinates_GFp()\fR,
\&\fBEC_POINT_get_Jprojective_coordinates_GFp()\fR,
\&\fBEC_POINT_set_affine_coordinates_GFp()\fR, \fBEC_POINT_get_affine_coordinates_GFp()\fR,
\&\fBEC_POINT_set_compressed_coordinates_GFp()\fR,
\&\fBEC_POINT_set_affine_coordinates_GF2m()\fR, \fBEC_POINT_get_affine_coordinates_GF2m()\fR,
\&\fBEC_POINT_set_compressed_coordinates_GF2m()\fR and \fBEC_POINT_oct2point()\fR.
.PP
EC_POINT_method_of returns the \s-1EC_METHOD\s0 associated with the supplied \s-1EC_POINT.\s0
.PP
\&\fBEC_POINT_point2oct()\fR and \fBEC_POINT_point2buf()\fR return the length of the required
buffer or 0 on error.
.PP
\&\fBEC_POINT_point2bn()\fR returns the pointer to the \s-1BIGNUM\s0 supplied, or \s-1NULL\s0 on
error.
.PP
\&\fBEC_POINT_bn2point()\fR returns the pointer to the \s-1EC_POINT\s0 supplied, or \s-1NULL\s0 on
error.
.PP
\&\fBEC_POINT_point2hex()\fR returns a pointer to the hex string, or \s-1NULL\s0 on error.
.PP
\&\fBEC_POINT_hex2point()\fR returns the pointer to the \s-1EC_POINT\s0 supplied, or \s-1NULL\s0 on
error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7), \fBEC_GROUP_new\fR\|(3), \fBEC_GROUP_copy\fR\|(3),
\&\fBEC_POINT_add\fR\|(3), \fBEC_KEY_new\fR\|(3),
\&\fBEC_GFp_simple_method\fR\|(3), \fBd2i_ECPKParameters\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2013\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ENGINE_add.3 b/secure/lib/libcrypto/man/man3/ENGINE_add.3
index 380c0744e92e..45e0246989b0 100644
--- a/secure/lib/libcrypto/man/man3/ENGINE_add.3
+++ b/secure/lib/libcrypto/man/man3/ENGINE_add.3
@@ -1,766 +1,766 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ENGINE_ADD 3"
-.TH ENGINE_ADD 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ENGINE_ADD 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ENGINE_get_DH, ENGINE_get_DSA, ENGINE_by_id, ENGINE_get_cipher_engine, ENGINE_get_default_DH, ENGINE_get_default_DSA, ENGINE_get_default_RAND, ENGINE_get_default_RSA, ENGINE_get_digest_engine, ENGINE_get_first, ENGINE_get_last, ENGINE_get_next, ENGINE_get_prev, ENGINE_new, ENGINE_get_ciphers, ENGINE_get_ctrl_function, ENGINE_get_digests, ENGINE_get_destroy_function, ENGINE_get_finish_function, ENGINE_get_init_function, ENGINE_get_load_privkey_function, ENGINE_get_load_pubkey_function, ENGINE_load_private_key, ENGINE_load_public_key, ENGINE_get_RAND, ENGINE_get_RSA, ENGINE_get_id, ENGINE_get_name, ENGINE_get_cmd_defns, ENGINE_get_cipher, ENGINE_get_digest, ENGINE_add, ENGINE_cmd_is_executable, ENGINE_ctrl, ENGINE_ctrl_cmd, ENGINE_ctrl_cmd_string, ENGINE_finish, ENGINE_free, ENGINE_get_flags, ENGINE_init, ENGINE_register_DH, ENGINE_register_DSA, ENGINE_register_RAND, ENGINE_register_RSA, ENGINE_register_all_complete, ENGINE_register_ciphers, ENGINE_register_complete, ENGINE_register_digests, ENGINE_remove, ENGINE_set_DH, ENGINE_set_DSA, ENGINE_set_RAND, ENGINE_set_RSA, ENGINE_set_ciphers, ENGINE_set_cmd_defns, ENGINE_set_ctrl_function, ENGINE_set_default, ENGINE_set_default_DH, ENGINE_set_default_DSA, ENGINE_set_default_RAND, ENGINE_set_default_RSA, ENGINE_set_default_ciphers, ENGINE_set_default_digests, ENGINE_set_default_string, ENGINE_set_destroy_function, ENGINE_set_digests, ENGINE_set_finish_function, ENGINE_set_flags, ENGINE_set_id, ENGINE_set_init_function, ENGINE_set_load_privkey_function, ENGINE_set_load_pubkey_function, ENGINE_set_name, ENGINE_up_ref, ENGINE_get_table_flags, ENGINE_cleanup, ENGINE_load_builtin_engines, ENGINE_register_all_DH, ENGINE_register_all_DSA, ENGINE_register_all_RAND, ENGINE_register_all_RSA, ENGINE_register_all_ciphers, ENGINE_register_all_digests, ENGINE_set_table_flags, ENGINE_unregister_DH, ENGINE_unregister_DSA, ENGINE_unregister_RAND, ENGINE_unregister_RSA, ENGINE_unregister_ciphers, ENGINE_unregister_digests \&\- ENGINE cryptographic module support
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/engine.h>
\&
\& ENGINE *ENGINE_get_first(void);
\& ENGINE *ENGINE_get_last(void);
\& ENGINE *ENGINE_get_next(ENGINE *e);
\& ENGINE *ENGINE_get_prev(ENGINE *e);
\&
\& int ENGINE_add(ENGINE *e);
\& int ENGINE_remove(ENGINE *e);
\&
\& ENGINE *ENGINE_by_id(const char *id);
\&
\& int ENGINE_init(ENGINE *e);
\& int ENGINE_finish(ENGINE *e);
\&
\& void ENGINE_load_builtin_engines(void);
\&
\& ENGINE *ENGINE_get_default_RSA(void);
\& ENGINE *ENGINE_get_default_DSA(void);
\& ENGINE *ENGINE_get_default_DH(void);
\& ENGINE *ENGINE_get_default_RAND(void);
\& ENGINE *ENGINE_get_cipher_engine(int nid);
\& ENGINE *ENGINE_get_digest_engine(int nid);
\&
\& int ENGINE_set_default_RSA(ENGINE *e);
\& int ENGINE_set_default_DSA(ENGINE *e);
\& int ENGINE_set_default_DH(ENGINE *e);
\& int ENGINE_set_default_RAND(ENGINE *e);
\& int ENGINE_set_default_ciphers(ENGINE *e);
\& int ENGINE_set_default_digests(ENGINE *e);
\& int ENGINE_set_default_string(ENGINE *e, const char *list);
\&
\& int ENGINE_set_default(ENGINE *e, unsigned int flags);
\&
\& unsigned int ENGINE_get_table_flags(void);
\& void ENGINE_set_table_flags(unsigned int flags);
\&
\& int ENGINE_register_RSA(ENGINE *e);
\& void ENGINE_unregister_RSA(ENGINE *e);
\& void ENGINE_register_all_RSA(void);
\& int ENGINE_register_DSA(ENGINE *e);
\& void ENGINE_unregister_DSA(ENGINE *e);
\& void ENGINE_register_all_DSA(void);
\& int ENGINE_register_DH(ENGINE *e);
\& void ENGINE_unregister_DH(ENGINE *e);
\& void ENGINE_register_all_DH(void);
\& int ENGINE_register_RAND(ENGINE *e);
\& void ENGINE_unregister_RAND(ENGINE *e);
\& void ENGINE_register_all_RAND(void);
\& int ENGINE_register_ciphers(ENGINE *e);
\& void ENGINE_unregister_ciphers(ENGINE *e);
\& void ENGINE_register_all_ciphers(void);
\& int ENGINE_register_digests(ENGINE *e);
\& void ENGINE_unregister_digests(ENGINE *e);
\& void ENGINE_register_all_digests(void);
\& int ENGINE_register_complete(ENGINE *e);
\& int ENGINE_register_all_complete(void);
\&
\& int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
\& int ENGINE_cmd_is_executable(ENGINE *e, int cmd);
\& int ENGINE_ctrl_cmd(ENGINE *e, const char *cmd_name,
\& long i, void *p, void (*f)(void), int cmd_optional);
\& int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
\& int cmd_optional);
\&
\& ENGINE *ENGINE_new(void);
\& int ENGINE_free(ENGINE *e);
\& int ENGINE_up_ref(ENGINE *e);
\&
\& int ENGINE_set_id(ENGINE *e, const char *id);
\& int ENGINE_set_name(ENGINE *e, const char *name);
\& int ENGINE_set_RSA(ENGINE *e, const RSA_METHOD *rsa_meth);
\& int ENGINE_set_DSA(ENGINE *e, const DSA_METHOD *dsa_meth);
\& int ENGINE_set_DH(ENGINE *e, const DH_METHOD *dh_meth);
\& int ENGINE_set_RAND(ENGINE *e, const RAND_METHOD *rand_meth);
\& int ENGINE_set_destroy_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR destroy_f);
\& int ENGINE_set_init_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR init_f);
\& int ENGINE_set_finish_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR finish_f);
\& int ENGINE_set_ctrl_function(ENGINE *e, ENGINE_CTRL_FUNC_PTR ctrl_f);
\& int ENGINE_set_load_privkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpriv_f);
\& int ENGINE_set_load_pubkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpub_f);
\& int ENGINE_set_ciphers(ENGINE *e, ENGINE_CIPHERS_PTR f);
\& int ENGINE_set_digests(ENGINE *e, ENGINE_DIGESTS_PTR f);
\& int ENGINE_set_flags(ENGINE *e, int flags);
\& int ENGINE_set_cmd_defns(ENGINE *e, const ENGINE_CMD_DEFN *defns);
\&
\& const char *ENGINE_get_id(const ENGINE *e);
\& const char *ENGINE_get_name(const ENGINE *e);
\& const RSA_METHOD *ENGINE_get_RSA(const ENGINE *e);
\& const DSA_METHOD *ENGINE_get_DSA(const ENGINE *e);
\& const DH_METHOD *ENGINE_get_DH(const ENGINE *e);
\& const RAND_METHOD *ENGINE_get_RAND(const ENGINE *e);
\& ENGINE_GEN_INT_FUNC_PTR ENGINE_get_destroy_function(const ENGINE *e);
\& ENGINE_GEN_INT_FUNC_PTR ENGINE_get_init_function(const ENGINE *e);
\& ENGINE_GEN_INT_FUNC_PTR ENGINE_get_finish_function(const ENGINE *e);
\& ENGINE_CTRL_FUNC_PTR ENGINE_get_ctrl_function(const ENGINE *e);
\& ENGINE_LOAD_KEY_PTR ENGINE_get_load_privkey_function(const ENGINE *e);
\& ENGINE_LOAD_KEY_PTR ENGINE_get_load_pubkey_function(const ENGINE *e);
\& ENGINE_CIPHERS_PTR ENGINE_get_ciphers(const ENGINE *e);
\& ENGINE_DIGESTS_PTR ENGINE_get_digests(const ENGINE *e);
\& const EVP_CIPHER *ENGINE_get_cipher(ENGINE *e, int nid);
\& const EVP_MD *ENGINE_get_digest(ENGINE *e, int nid);
\& int ENGINE_get_flags(const ENGINE *e);
\& const ENGINE_CMD_DEFN *ENGINE_get_cmd_defns(const ENGINE *e);
\&
\& EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
\& UI_METHOD *ui_method, void *callback_data);
\& EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id,
\& UI_METHOD *ui_method, void *callback_data);
.Ve
.PP
Deprecated:
.PP
.Vb 3
\& #if OPENSSL_API_COMPAT < 0x10100000L
\& void ENGINE_cleanup(void)
\& #endif
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions create, manipulate, and use cryptographic modules in the
form of \fB\s-1ENGINE\s0\fR objects. These objects act as containers for
implementations of cryptographic algorithms, and support a
reference-counted mechanism to allow them to be dynamically loaded in and
out of the running application.
.PP
The cryptographic functionality that can be provided by an \fB\s-1ENGINE\s0\fR
implementation includes the following abstractions;
.PP
.Vb 6
\& RSA_METHOD \- for providing alternative RSA implementations
\& DSA_METHOD, DH_METHOD, RAND_METHOD, ECDH_METHOD, ECDSA_METHOD,
\& \- similarly for other OpenSSL APIs
\& EVP_CIPHER \- potentially multiple cipher algorithms (indexed by \*(Aqnid\*(Aq)
\& EVP_DIGEST \- potentially multiple hash algorithms (indexed by \*(Aqnid\*(Aq)
\& key\-loading \- loading public and/or private EVP_PKEY keys
.Ve
.SS "Reference counting and handles"
.IX Subsection "Reference counting and handles"
Due to the modular nature of the \s-1ENGINE API,\s0 pointers to ENGINEs need to be
treated as handles \- i.e. not only as pointers, but also as references to
the underlying \s-1ENGINE\s0 object. Ie. one should obtain a new reference when
making copies of an \s-1ENGINE\s0 pointer if the copies will be used (and
released) independently.
.PP
\&\s-1ENGINE\s0 objects have two levels of reference-counting to match the way in
which the objects are used. At the most basic level, each \s-1ENGINE\s0 pointer is
inherently a \fBstructural\fR reference \- a structural reference is required
to use the pointer value at all, as this kind of reference is a guarantee
that the structure can not be deallocated until the reference is released.
.PP
However, a structural reference provides no guarantee that the \s-1ENGINE\s0 is
initialised and able to use any of its cryptographic
implementations. Indeed it's quite possible that most ENGINEs will not
initialise at all in typical environments, as ENGINEs are typically used to
support specialised hardware. To use an \s-1ENGINE\s0's functionality, you need a
\&\fBfunctional\fR reference. This kind of reference can be considered a
specialised form of structural reference, because each functional reference
implicitly contains a structural reference as well \- however to avoid
difficult-to-find programming bugs, it is recommended to treat the two
kinds of reference independently. If you have a functional reference to an
\&\s-1ENGINE,\s0 you have a guarantee that the \s-1ENGINE\s0 has been initialised and
is ready to perform cryptographic operations, and will remain initialised
until after you have released your reference.
.PP
\&\fIStructural references\fR
.PP
This basic type of reference is used for instantiating new ENGINEs,
iterating across OpenSSL's internal linked-list of loaded
ENGINEs, reading information about an \s-1ENGINE,\s0 etc. Essentially a structural
reference is sufficient if you only need to query or manipulate the data of
an \s-1ENGINE\s0 implementation rather than use its functionality.
.PP
The \fBENGINE_new()\fR function returns a structural reference to a new (empty)
\&\s-1ENGINE\s0 object. There are other \s-1ENGINE API\s0 functions that return structural
references such as; \fBENGINE_by_id()\fR, \fBENGINE_get_first()\fR, \fBENGINE_get_last()\fR,
\&\fBENGINE_get_next()\fR, \fBENGINE_get_prev()\fR. All structural references should be
released by a corresponding to call to the \fBENGINE_free()\fR function \- the
\&\s-1ENGINE\s0 object itself will only actually be cleaned up and deallocated when
the last structural reference is released.
.PP
It should also be noted that many \s-1ENGINE API\s0 function calls that accept a
structural reference will internally obtain another reference \- typically
this happens whenever the supplied \s-1ENGINE\s0 will be needed by OpenSSL after
the function has returned. Eg. the function to add a new \s-1ENGINE\s0 to
OpenSSL's internal list is \fBENGINE_add()\fR \- if this function returns success,
then OpenSSL will have stored a new structural reference internally so the
caller is still responsible for freeing their own reference with
\&\fBENGINE_free()\fR when they are finished with it. In a similar way, some
functions will automatically release the structural reference passed to it
if part of the function's job is to do so. Eg. the \fBENGINE_get_next()\fR and
\&\fBENGINE_get_prev()\fR functions are used for iterating across the internal
\&\s-1ENGINE\s0 list \- they will return a new structural reference to the next (or
previous) \s-1ENGINE\s0 in the list or \s-1NULL\s0 if at the end (or beginning) of the
list, but in either case the structural reference passed to the function is
released on behalf of the caller.
.PP
To clarify a particular function's handling of references, one should
always consult that function's documentation \*(L"man\*(R" page, or failing that
the openssl/engine.h header file includes some hints.
.PP
\&\fIFunctional references\fR
.PP
As mentioned, functional references exist when the cryptographic
functionality of an \s-1ENGINE\s0 is required to be available. A functional
reference can be obtained in one of two ways; from an existing structural
reference to the required \s-1ENGINE,\s0 or by asking OpenSSL for the default
operational \s-1ENGINE\s0 for a given cryptographic purpose.
.PP
To obtain a functional reference from an existing structural reference,
call the \fBENGINE_init()\fR function. This returns zero if the \s-1ENGINE\s0 was not
already operational and couldn't be successfully initialised (e.g. lack of
system drivers, no special hardware attached, etc), otherwise it will
return nonzero to indicate that the \s-1ENGINE\s0 is now operational and will
have allocated a new \fBfunctional\fR reference to the \s-1ENGINE.\s0 All functional
references are released by calling \fBENGINE_finish()\fR (which removes the
implicit structural reference as well).
.PP
The second way to get a functional reference is by asking OpenSSL for a
default implementation for a given task, e.g. by \fBENGINE_get_default_RSA()\fR,
\&\fBENGINE_get_default_cipher_engine()\fR, etc. These are discussed in the next
section, though they are not usually required by application programmers as
they are used automatically when creating and using the relevant
algorithm-specific types in OpenSSL, such as \s-1RSA, DSA, EVP_CIPHER_CTX,\s0 etc.
.SS "Default implementations"
.IX Subsection "Default implementations"
For each supported abstraction, the \s-1ENGINE\s0 code maintains an internal table
of state to control which implementations are available for a given
abstraction and which should be used by default. These implementations are
registered in the tables and indexed by an 'nid' value, because
abstractions like \s-1EVP_CIPHER\s0 and \s-1EVP_DIGEST\s0 support many distinct
algorithms and modes, and ENGINEs can support arbitrarily many of them.
In the case of other abstractions like \s-1RSA, DSA,\s0 etc, there is only one
\&\*(L"algorithm\*(R" so all implementations implicitly register using the same 'nid'
index.
.PP
When a default \s-1ENGINE\s0 is requested for a given abstraction/algorithm/mode, (e.g.
when calling RSA_new_method(\s-1NULL\s0)), a \*(L"get_default\*(R" call will be made to the
\&\s-1ENGINE\s0 subsystem to process the corresponding state table and return a
functional reference to an initialised \s-1ENGINE\s0 whose implementation should be
used. If no \s-1ENGINE\s0 should (or can) be used, it will return \s-1NULL\s0 and the caller
will operate with a \s-1NULL ENGINE\s0 handle \- this usually equates to using the
conventional software implementation. In the latter case, OpenSSL will from
then on behave the way it used to before the \s-1ENGINE API\s0 existed.
.PP
Each state table has a flag to note whether it has processed this
\&\*(L"get_default\*(R" query since the table was last modified, because to process
this question it must iterate across all the registered ENGINEs in the
table trying to initialise each of them in turn, in case one of them is
operational. If it returns a functional reference to an \s-1ENGINE,\s0 it will
also cache another reference to speed up processing future queries (without
needing to iterate across the table). Likewise, it will cache a \s-1NULL\s0
response if no \s-1ENGINE\s0 was available so that future queries won't repeat the
same iteration unless the state table changes. This behaviour can also be
changed; if the \s-1ENGINE_TABLE_FLAG_NOINIT\s0 flag is set (using
\&\fBENGINE_set_table_flags()\fR), no attempted initialisations will take place,
instead the only way for the state table to return a non-NULL \s-1ENGINE\s0 to the
\&\*(L"get_default\*(R" query will be if one is expressly set in the table. Eg.
\&\fBENGINE_set_default_RSA()\fR does the same job as \fBENGINE_register_RSA()\fR except
that it also sets the state table's cached response for the \*(L"get_default\*(R"
query. In the case of abstractions like \s-1EVP_CIPHER,\s0 where implementations are
indexed by 'nid', these flags and cached-responses are distinct for each 'nid'
value.
.SS "Application requirements"
.IX Subsection "Application requirements"
This section will explain the basic things an application programmer should
support to make the most useful elements of the \s-1ENGINE\s0 functionality
available to the user. The first thing to consider is whether the
programmer wishes to make alternative \s-1ENGINE\s0 modules available to the
application and user. OpenSSL maintains an internal linked list of
\&\*(L"visible\*(R" ENGINEs from which it has to operate \- at start-up, this list is
empty and in fact if an application does not call any \s-1ENGINE API\s0 calls and
it uses static linking against openssl, then the resulting application
binary will not contain any alternative \s-1ENGINE\s0 code at all. So the first
consideration is whether any/all available \s-1ENGINE\s0 implementations should be
made visible to OpenSSL \- this is controlled by calling the various \*(L"load\*(R"
functions.
.PP
The fact that ENGINEs are made visible to OpenSSL (and thus are linked into
the program and loaded into memory at run-time) does not mean they are
\&\*(L"registered\*(R" or called into use by OpenSSL automatically \- that behaviour
is something for the application to control. Some applications
will want to allow the user to specify exactly which \s-1ENGINE\s0 they want used
if any is to be used at all. Others may prefer to load all support and have
OpenSSL automatically use at run-time any \s-1ENGINE\s0 that is able to
successfully initialise \- i.e. to assume that this corresponds to
acceleration hardware attached to the machine or some such thing. There are
probably numerous other ways in which applications may prefer to handle
things, so we will simply illustrate the consequences as they apply to a
couple of simple cases and leave developers to consider these and the
source code to openssl's builtin utilities as guides.
.PP
If no \s-1ENGINE API\s0 functions are called within an application, then OpenSSL
will not allocate any internal resources. Prior to OpenSSL 1.1.0, however,
if any ENGINEs are loaded, even if not registered or used, it was necessary to
call \fBENGINE_cleanup()\fR before the program exits.
.PP
\&\fIUsing a specific \s-1ENGINE\s0 implementation\fR
.PP
Here we'll assume an application has been configured by its user or admin
to want to use the \*(L"\s-1ACME\*(R" ENGINE\s0 if it is available in the version of
OpenSSL the application was compiled with. If it is available, it should be
used by default for all \s-1RSA, DSA,\s0 and symmetric cipher operations, otherwise
OpenSSL should use its builtin software as per usual. The following code
illustrates how to approach this;
.PP
.Vb 10
\& ENGINE *e;
\& const char *engine_id = "ACME";
\& ENGINE_load_builtin_engines();
\& e = ENGINE_by_id(engine_id);
\& if (!e)
\& /* the engine isn\*(Aqt available */
\& return;
\& if (!ENGINE_init(e)) {
\& /* the engine couldn\*(Aqt initialise, release \*(Aqe\*(Aq */
\& ENGINE_free(e);
\& return;
\& }
\& if (!ENGINE_set_default_RSA(e))
\& /*
\& * This should only happen when \*(Aqe\*(Aq can\*(Aqt initialise, but the previous
\& * statement suggests it did.
\& */
\& abort();
\& ENGINE_set_default_DSA(e);
\& ENGINE_set_default_ciphers(e);
\& /* Release the functional reference from ENGINE_init() */
\& ENGINE_finish(e);
\& /* Release the structural reference from ENGINE_by_id() */
\& ENGINE_free(e);
.Ve
.PP
\&\fIAutomatically using builtin \s-1ENGINE\s0 implementations\fR
.PP
Here we'll assume we want to load and register all \s-1ENGINE\s0 implementations
bundled with OpenSSL, such that for any cryptographic algorithm required by
OpenSSL \- if there is an \s-1ENGINE\s0 that implements it and can be initialised,
it should be used. The following code illustrates how this can work;
.PP
.Vb 4
\& /* Load all bundled ENGINEs into memory and make them visible */
\& ENGINE_load_builtin_engines();
\& /* Register all of them for every algorithm they collectively implement */
\& ENGINE_register_all_complete();
.Ve
.PP
That's all that's required. Eg. the next time OpenSSL tries to set up an
\&\s-1RSA\s0 key, any bundled ENGINEs that implement \s-1RSA_METHOD\s0 will be passed to
\&\fBENGINE_init()\fR and if any of those succeed, that \s-1ENGINE\s0 will be set as the
default for \s-1RSA\s0 use from then on.
.SS "Advanced configuration support"
.IX Subsection "Advanced configuration support"
There is a mechanism supported by the \s-1ENGINE\s0 framework that allows each
\&\s-1ENGINE\s0 implementation to define an arbitrary set of configuration
\&\*(L"commands\*(R" and expose them to OpenSSL and any applications based on
OpenSSL. This mechanism is entirely based on the use of name-value pairs
and assumes \s-1ASCII\s0 input (no unicode or \s-1UTF\s0 for now!), so it is ideal if
applications want to provide a transparent way for users to provide
arbitrary configuration \*(L"directives\*(R" directly to such ENGINEs. It is also
possible for the application to dynamically interrogate the loaded \s-1ENGINE\s0
implementations for the names, descriptions, and input flags of their
available \*(L"control commands\*(R", providing a more flexible configuration
scheme. However, if the user is expected to know which \s-1ENGINE\s0 device he/she
is using (in the case of specialised hardware, this goes without saying)
then applications may not need to concern themselves with discovering the
supported control commands and simply prefer to pass settings into ENGINEs
exactly as they are provided by the user.
.PP
Before illustrating how control commands work, it is worth mentioning what
they are typically used for. Broadly speaking there are two uses for
control commands; the first is to provide the necessary details to the
implementation (which may know nothing at all specific to the host system)
so that it can be initialised for use. This could include the path to any
driver or config files it needs to load, required network addresses,
smart-card identifiers, passwords to initialise protected devices,
logging information, etc etc. This class of commands typically needs to be
passed to an \s-1ENGINE\s0 \fBbefore\fR attempting to initialise it, i.e. before
calling \fBENGINE_init()\fR. The other class of commands consist of settings or
operations that tweak certain behaviour or cause certain operations to take
place, and these commands may work either before or after \fBENGINE_init()\fR, or
in some cases both. \s-1ENGINE\s0 implementations should provide indications of
this in the descriptions attached to builtin control commands and/or in
external product documentation.
.PP
\&\fIIssuing control commands to an \s-1ENGINE\s0\fR
.PP
Let's illustrate by example; a function for which the caller supplies the
name of the \s-1ENGINE\s0 it wishes to use, a table of string-pairs for use before
initialisation, and another table for use after initialisation. Note that
the string-pairs used for control commands consist of a command \*(L"name\*(R"
followed by the command \*(L"parameter\*(R" \- the parameter could be \s-1NULL\s0 in some
cases but the name can not. This function should initialise the \s-1ENGINE\s0
(issuing the \*(L"pre\*(R" commands beforehand and the \*(L"post\*(R" commands afterwards)
and set it as the default for everything except \s-1RAND\s0 and then return a
boolean success or failure.
.PP
.Vb 10
\& int generic_load_engine_fn(const char *engine_id,
\& const char **pre_cmds, int pre_num,
\& const char **post_cmds, int post_num)
\& {
\& ENGINE *e = ENGINE_by_id(engine_id);
\& if (!e) return 0;
\& while (pre_num\-\-) {
\& if (!ENGINE_ctrl_cmd_string(e, pre_cmds[0], pre_cmds[1], 0)) {
\& fprintf(stderr, "Failed command (%s \- %s:%s)\en", engine_id,
\& pre_cmds[0], pre_cmds[1] ? pre_cmds[1] : "(NULL)");
\& ENGINE_free(e);
\& return 0;
\& }
\& pre_cmds += 2;
\& }
\& if (!ENGINE_init(e)) {
\& fprintf(stderr, "Failed initialisation\en");
\& ENGINE_free(e);
\& return 0;
\& }
\& /*
\& * ENGINE_init() returned a functional reference, so free the structural
\& * reference from ENGINE_by_id().
\& */
\& ENGINE_free(e);
\& while (post_num\-\-) {
\& if (!ENGINE_ctrl_cmd_string(e, post_cmds[0], post_cmds[1], 0)) {
\& fprintf(stderr, "Failed command (%s \- %s:%s)\en", engine_id,
\& post_cmds[0], post_cmds[1] ? post_cmds[1] : "(NULL)");
\& ENGINE_finish(e);
\& return 0;
\& }
\& post_cmds += 2;
\& }
\& ENGINE_set_default(e, ENGINE_METHOD_ALL & ~ENGINE_METHOD_RAND);
\& /* Success */
\& return 1;
\& }
.Ve
.PP
Note that \fBENGINE_ctrl_cmd_string()\fR accepts a boolean argument that can
relax the semantics of the function \- if set nonzero it will only return
failure if the \s-1ENGINE\s0 supported the given command name but failed while
executing it, if the \s-1ENGINE\s0 doesn't support the command name it will simply
return success without doing anything. In this case we assume the user is
only supplying commands specific to the given \s-1ENGINE\s0 so we set this to
\&\s-1FALSE.\s0
.PP
\&\fIDiscovering supported control commands\fR
.PP
It is possible to discover at run-time the names, numerical-ids, descriptions
and input parameters of the control commands supported by an \s-1ENGINE\s0 using a
structural reference. Note that some control commands are defined by OpenSSL
itself and it will intercept and handle these control commands on behalf of the
\&\s-1ENGINE,\s0 i.e. the \s-1ENGINE\s0's \fBctrl()\fR handler is not used for the control command.
openssl/engine.h defines an index, \s-1ENGINE_CMD_BASE,\s0 that all control commands
implemented by ENGINEs should be numbered from. Any command value lower than
this symbol is considered a \*(L"generic\*(R" command is handled directly by the
OpenSSL core routines.
.PP
It is using these \*(L"core\*(R" control commands that one can discover the control
commands implemented by a given \s-1ENGINE,\s0 specifically the commands:
.PP
.Vb 9
\& ENGINE_HAS_CTRL_FUNCTION
\& ENGINE_CTRL_GET_FIRST_CMD_TYPE
\& ENGINE_CTRL_GET_NEXT_CMD_TYPE
\& ENGINE_CTRL_GET_CMD_FROM_NAME
\& ENGINE_CTRL_GET_NAME_LEN_FROM_CMD
\& ENGINE_CTRL_GET_NAME_FROM_CMD
\& ENGINE_CTRL_GET_DESC_LEN_FROM_CMD
\& ENGINE_CTRL_GET_DESC_FROM_CMD
\& ENGINE_CTRL_GET_CMD_FLAGS
.Ve
.PP
Whilst these commands are automatically processed by the OpenSSL framework code,
they use various properties exposed by each \s-1ENGINE\s0 to process these
queries. An \s-1ENGINE\s0 has 3 properties it exposes that can affect how this behaves;
it can supply a \fBctrl()\fR handler, it can specify \s-1ENGINE_FLAGS_MANUAL_CMD_CTRL\s0 in
the \s-1ENGINE\s0's flags, and it can expose an array of control command descriptions.
If an \s-1ENGINE\s0 specifies the \s-1ENGINE_FLAGS_MANUAL_CMD_CTRL\s0 flag, then it will
simply pass all these \*(L"core\*(R" control commands directly to the \s-1ENGINE\s0's \fBctrl()\fR
handler (and thus, it must have supplied one), so it is up to the \s-1ENGINE\s0 to
reply to these \*(L"discovery\*(R" commands itself. If that flag is not set, then the
OpenSSL framework code will work with the following rules:
.PP
.Vb 9
\& if no ctrl() handler supplied;
\& ENGINE_HAS_CTRL_FUNCTION returns FALSE (zero),
\& all other commands fail.
\& if a ctrl() handler was supplied but no array of control commands;
\& ENGINE_HAS_CTRL_FUNCTION returns TRUE,
\& all other commands fail.
\& if a ctrl() handler and array of control commands was supplied;
\& ENGINE_HAS_CTRL_FUNCTION returns TRUE,
\& all other commands proceed processing ...
.Ve
.PP
If the \s-1ENGINE\s0's array of control commands is empty then all other commands will
fail, otherwise; \s-1ENGINE_CTRL_GET_FIRST_CMD_TYPE\s0 returns the identifier of
the first command supported by the \s-1ENGINE, ENGINE_GET_NEXT_CMD_TYPE\s0 takes the
identifier of a command supported by the \s-1ENGINE\s0 and returns the next command
identifier or fails if there are no more, \s-1ENGINE_CMD_FROM_NAME\s0 takes a string
name for a command and returns the corresponding identifier or fails if no such
command name exists, and the remaining commands take a command identifier and
return properties of the corresponding commands. All except
\&\s-1ENGINE_CTRL_GET_FLAGS\s0 return the string length of a command name or description,
or populate a supplied character buffer with a copy of the command name or
description. \s-1ENGINE_CTRL_GET_FLAGS\s0 returns a bitwise-OR'd mask of the following
possible values:
.PP
.Vb 4
\& ENGINE_CMD_FLAG_NUMERIC
\& ENGINE_CMD_FLAG_STRING
\& ENGINE_CMD_FLAG_NO_INPUT
\& ENGINE_CMD_FLAG_INTERNAL
.Ve
.PP
If the \s-1ENGINE_CMD_FLAG_INTERNAL\s0 flag is set, then any other flags are purely
informational to the caller \- this flag will prevent the command being usable
for any higher-level \s-1ENGINE\s0 functions such as \fBENGINE_ctrl_cmd_string()\fR.
\&\*(L"\s-1INTERNAL\*(R"\s0 commands are not intended to be exposed to text-based configuration
by applications, administrations, users, etc. These can support arbitrary
operations via \fBENGINE_ctrl()\fR, including passing to and/or from the control
commands data of any arbitrary type. These commands are supported in the
discovery mechanisms simply to allow applications to determine if an \s-1ENGINE\s0
supports certain specific commands it might want to use (e.g. application \*(L"foo\*(R"
might query various ENGINEs to see if they implement \*(L"\s-1FOO_GET_VENDOR_LOGO_GIF\*(R"\s0 \-
and \s-1ENGINE\s0 could therefore decide whether or not to support this \*(L"foo\*(R"\-specific
extension).
.SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
.IP "\fB\s-1OPENSSL_ENGINES\s0\fR" 4
.IX Item "OPENSSL_ENGINES"
The path to the engines directory.
Ignored in set-user-ID and set-group-ID programs.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBENGINE_get_first()\fR, \fBENGINE_get_last()\fR, \fBENGINE_get_next()\fR and \fBENGINE_get_prev()\fR
return a valid \fB\s-1ENGINE\s0\fR structure or \s-1NULL\s0 if an error occurred.
.PP
\&\fBENGINE_add()\fR and \fBENGINE_remove()\fR return 1 on success or 0 on error.
.PP
\&\fBENGINE_by_id()\fR returns a valid \fB\s-1ENGINE\s0\fR structure or \s-1NULL\s0 if an error occurred.
.PP
\&\fBENGINE_init()\fR and \fBENGINE_finish()\fR return 1 on success or 0 on error.
.PP
All \fBENGINE_get_default_TYPE()\fR functions, \fBENGINE_get_cipher_engine()\fR and
\&\fBENGINE_get_digest_engine()\fR return a valid \fB\s-1ENGINE\s0\fR structure on success or \s-1NULL\s0
if an error occurred.
.PP
All \fBENGINE_set_default_TYPE()\fR functions return 1 on success or 0 on error.
.PP
\&\fBENGINE_set_default()\fR returns 1 on success or 0 on error.
.PP
\&\fBENGINE_get_table_flags()\fR returns an unsigned integer value representing the
global table flags which are used to control the registration behaviour of
\&\fB\s-1ENGINE\s0\fR implementations.
.PP
All \fBENGINE_register_TYPE()\fR functions return 1 on success or 0 on error.
.PP
\&\fBENGINE_register_complete()\fR and \fBENGINE_register_all_complete()\fR always return 1.
.PP
\&\fBENGINE_ctrl()\fR returns a positive value on success or others on error.
.PP
\&\fBENGINE_cmd_is_executable()\fR returns 1 if \fBcmd\fR is executable or 0 otherwise.
.PP
\&\fBENGINE_ctrl_cmd()\fR and \fBENGINE_ctrl_cmd_string()\fR return 1 on success or 0 on error.
.PP
\&\fBENGINE_new()\fR returns a valid \fB\s-1ENGINE\s0\fR structure on success or \s-1NULL\s0 if an error
occurred.
.PP
\&\fBENGINE_free()\fR always returns 1.
.PP
\&\fBENGINE_up_ref()\fR returns 1 on success or 0 on error.
.PP
\&\fBENGINE_set_id()\fR and \fBENGINE_set_name()\fR return 1 on success or 0 on error.
.PP
All other \fBENGINE_set_*\fR functions return 1 on success or 0 on error.
.PP
\&\fBENGINE_get_id()\fR and \fBENGINE_get_name()\fR return a string representing the identifier
and the name of the \s-1ENGINE\s0 \fBe\fR respectively.
.PP
\&\fBENGINE_get_RSA()\fR, \fBENGINE_get_DSA()\fR, \fBENGINE_get_DH()\fR and \fBENGINE_get_RAND()\fR
return corresponding method structures for each algorithms.
.PP
\&\fBENGINE_get_destroy_function()\fR, \fBENGINE_get_init_function()\fR,
\&\fBENGINE_get_finish_function()\fR, \fBENGINE_get_ctrl_function()\fR,
\&\fBENGINE_get_load_privkey_function()\fR, \fBENGINE_get_load_pubkey_function()\fR,
\&\fBENGINE_get_ciphers()\fR and \fBENGINE_get_digests()\fR return corresponding function
pointers of the callbacks.
.PP
\&\fBENGINE_get_cipher()\fR returns a valid \fB\s-1EVP_CIPHER\s0\fR structure on success or \s-1NULL\s0
if an error occurred.
.PP
\&\fBENGINE_get_digest()\fR returns a valid \fB\s-1EVP_MD\s0\fR structure on success or \s-1NULL\s0 if an
error occurred.
.PP
\&\fBENGINE_get_flags()\fR returns an integer representing the \s-1ENGINE\s0 flags which are
used to control various behaviours of an \s-1ENGINE.\s0
.PP
\&\fBENGINE_get_cmd_defns()\fR returns an \fB\s-1ENGINE_CMD_DEFN\s0\fR structure or \s-1NULL\s0 if it's
not set.
.PP
\&\fBENGINE_load_private_key()\fR and \fBENGINE_load_public_key()\fR return a valid \fB\s-1EVP_PKEY\s0\fR
structure on success or \s-1NULL\s0 if an error occurred.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBOPENSSL_init_crypto\fR\|(3), \fBRSA_new_method\fR\|(3), \fBDSA_new\fR\|(3), \fBDH_new\fR\|(3),
\&\fBRAND_bytes\fR\|(3), \fBconfig\fR\|(5)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBENGINE_cleanup()\fR was deprecated in OpenSSL 1.1.0 by the automatic cleanup
done by \fBOPENSSL_cleanup()\fR
and should not be used.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ERR_GET_LIB.3 b/secure/lib/libcrypto/man/man3/ERR_GET_LIB.3
index 3755c282070c..51c2e944fd87 100644
--- a/secure/lib/libcrypto/man/man3/ERR_GET_LIB.3
+++ b/secure/lib/libcrypto/man/man3/ERR_GET_LIB.3
@@ -1,196 +1,196 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ERR_GET_LIB 3"
-.TH ERR_GET_LIB 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ERR_GET_LIB 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ERR_GET_LIB, ERR_GET_FUNC, ERR_GET_REASON, ERR_FATAL_ERROR \&\- get information from error codes
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/err.h>
\&
\& int ERR_GET_LIB(unsigned long e);
\&
\& int ERR_GET_FUNC(unsigned long e);
\&
\& int ERR_GET_REASON(unsigned long e);
\&
\& int ERR_FATAL_ERROR(unsigned long e);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The error code returned by \fBERR_get_error()\fR consists of a library
number, function code and reason code. \s-1\fBERR_GET_LIB\s0()\fR, \s-1\fBERR_GET_FUNC\s0()\fR
and \s-1\fBERR_GET_REASON\s0()\fR can be used to extract these.
.PP
\&\s-1\fBERR_FATAL_ERROR\s0()\fR indicates whether a given error code is a fatal error.
.PP
The library number and function code describe where the error
occurred, the reason code is the information about what went wrong.
.PP
Each sub-library of OpenSSL has a unique library number; function and
reason codes are unique within each sub-library. Note that different
libraries may use the same value to signal different functions and
reasons.
.PP
\&\fB\s-1ERR_R_...\s0\fR reason codes such as \fB\s-1ERR_R_MALLOC_FAILURE\s0\fR are globally
unique. However, when checking for sub-library specific reason codes,
be sure to also compare the library number.
.PP
\&\s-1\fBERR_GET_LIB\s0()\fR, \s-1\fBERR_GET_FUNC\s0()\fR, \s-1\fBERR_GET_REASON\s0()\fR, and \s-1\fBERR_FATAL_ERROR\s0()\fR
are macros.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The library number, function code, reason code, and whether the error
is fatal, respectively.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\s-1\fBERR_GET_LIB\s0()\fR, \s-1\fBERR_GET_FUNC\s0()\fR and \s-1\fBERR_GET_REASON\s0()\fR are available in
all versions of OpenSSL.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ERR_clear_error.3 b/secure/lib/libcrypto/man/man3/ERR_clear_error.3
index 97e18a2ba054..241dfbf60c0c 100644
--- a/secure/lib/libcrypto/man/man3/ERR_clear_error.3
+++ b/secure/lib/libcrypto/man/man3/ERR_clear_error.3
@@ -1,166 +1,166 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ERR_CLEAR_ERROR 3"
-.TH ERR_CLEAR_ERROR 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ERR_CLEAR_ERROR 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ERR_clear_error \- clear the error queue
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/err.h>
\&
\& void ERR_clear_error(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBERR_clear_error()\fR empties the current thread's error queue.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBERR_clear_error()\fR has no return value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ERR_error_string.3 b/secure/lib/libcrypto/man/man3/ERR_error_string.3
index 76a734715836..17abaf7814b0 100644
--- a/secure/lib/libcrypto/man/man3/ERR_error_string.3
+++ b/secure/lib/libcrypto/man/man3/ERR_error_string.3
@@ -1,206 +1,206 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ERR_ERROR_STRING 3"
-.TH ERR_ERROR_STRING 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ERR_ERROR_STRING 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ERR_error_string, ERR_error_string_n, ERR_lib_error_string, ERR_func_error_string, ERR_reason_error_string \- obtain human\-readable error message
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/err.h>
\&
\& char *ERR_error_string(unsigned long e, char *buf);
\& void ERR_error_string_n(unsigned long e, char *buf, size_t len);
\&
\& const char *ERR_lib_error_string(unsigned long e);
\& const char *ERR_func_error_string(unsigned long e);
\& const char *ERR_reason_error_string(unsigned long e);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBERR_error_string()\fR generates a human-readable string representing the
error code \fIe\fR, and places it at \fIbuf\fR. \fIbuf\fR must be at least 256
bytes long. If \fIbuf\fR is \fB\s-1NULL\s0\fR, the error string is placed in a
static buffer.
Note that this function is not thread-safe and does no checks on the size
of the buffer; use \fBERR_error_string_n()\fR instead.
.PP
\&\fBERR_error_string_n()\fR is a variant of \fBERR_error_string()\fR that writes
at most \fIlen\fR characters (including the terminating 0)
and truncates the string if necessary.
For \fBERR_error_string_n()\fR, \fIbuf\fR may not be \fB\s-1NULL\s0\fR.
.PP
The string will have the following format:
.PP
.Vb 1
\& error:[error code]:[library name]:[function name]:[reason string]
.Ve
.PP
\&\fIerror code\fR is an 8 digit hexadecimal number, \fIlibrary name\fR,
\&\fIfunction name\fR and \fIreason string\fR are \s-1ASCII\s0 text.
.PP
\&\fBERR_lib_error_string()\fR, \fBERR_func_error_string()\fR and
\&\fBERR_reason_error_string()\fR return the library name, function
name and reason string respectively.
.PP
If there is no text string registered for the given error code,
the error string will contain the numeric code.
.PP
\&\fBERR_print_errors\fR\|(3) can be used to print
all error codes currently in the queue.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBERR_error_string()\fR returns a pointer to a static buffer containing the
string if \fIbuf\fR \fB== \s-1NULL\s0\fR, \fIbuf\fR otherwise.
.PP
\&\fBERR_lib_error_string()\fR, \fBERR_func_error_string()\fR and
\&\fBERR_reason_error_string()\fR return the strings, and \fB\s-1NULL\s0\fR if
none is registered for the error code.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3),
\&\fBERR_print_errors\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ERR_get_error.3 b/secure/lib/libcrypto/man/man3/ERR_get_error.3
index 599d4b9c78ae..4e8e5440b9db 100644
--- a/secure/lib/libcrypto/man/man3/ERR_get_error.3
+++ b/secure/lib/libcrypto/man/man3/ERR_get_error.3
@@ -1,208 +1,208 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ERR_GET_ERROR 3"
-.TH ERR_GET_ERROR 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ERR_GET_ERROR 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ERR_get_error, ERR_peek_error, ERR_peek_last_error, ERR_get_error_line, ERR_peek_error_line, ERR_peek_last_error_line, ERR_get_error_line_data, ERR_peek_error_line_data, ERR_peek_last_error_line_data \- obtain error code and data
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/err.h>
\&
\& unsigned long ERR_get_error(void);
\& unsigned long ERR_peek_error(void);
\& unsigned long ERR_peek_last_error(void);
\&
\& unsigned long ERR_get_error_line(const char **file, int *line);
\& unsigned long ERR_peek_error_line(const char **file, int *line);
\& unsigned long ERR_peek_last_error_line(const char **file, int *line);
\&
\& unsigned long ERR_get_error_line_data(const char **file, int *line,
\& const char **data, int *flags);
\& unsigned long ERR_peek_error_line_data(const char **file, int *line,
\& const char **data, int *flags);
\& unsigned long ERR_peek_last_error_line_data(const char **file, int *line,
\& const char **data, int *flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBERR_get_error()\fR returns the earliest error code from the thread's error
queue and removes the entry. This function can be called repeatedly
until there are no more error codes to return.
.PP
\&\fBERR_peek_error()\fR returns the earliest error code from the thread's
error queue without modifying it.
.PP
\&\fBERR_peek_last_error()\fR returns the latest error code from the thread's
error queue without modifying it.
.PP
See \s-1\fBERR_GET_LIB\s0\fR\|(3) for obtaining information about
location and reason of the error, and
\&\fBERR_error_string\fR\|(3) for human-readable error
messages.
.PP
\&\fBERR_get_error_line()\fR, \fBERR_peek_error_line()\fR and
\&\fBERR_peek_last_error_line()\fR are the same as the above, but they
additionally store the filename and line number where
the error occurred in *\fBfile\fR and *\fBline\fR, unless these are \fB\s-1NULL\s0\fR.
.PP
\&\fBERR_get_error_line_data()\fR, \fBERR_peek_error_line_data()\fR and
\&\fBERR_peek_last_error_line_data()\fR store additional data and flags
associated with the error code in *\fBdata\fR
and *\fBflags\fR, unless these are \fB\s-1NULL\s0\fR. *\fBdata\fR contains a string
if *\fBflags\fR&\fB\s-1ERR_TXT_STRING\s0\fR is true.
.PP
An application \fB\s-1MUST NOT\s0\fR free the *\fBdata\fR pointer (or any other pointers
returned by these functions) with \fBOPENSSL_free()\fR as freeing is handled
automatically by the error library.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The error code, or 0 if there is no error in the queue.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_error_string\fR\|(3),
\&\s-1\fBERR_GET_LIB\s0\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ERR_load_crypto_strings.3 b/secure/lib/libcrypto/man/man3/ERR_load_crypto_strings.3
index 55e025d867d6..d62879a156f2 100644
--- a/secure/lib/libcrypto/man/man3/ERR_load_crypto_strings.3
+++ b/secure/lib/libcrypto/man/man3/ERR_load_crypto_strings.3
@@ -1,188 +1,188 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ERR_LOAD_CRYPTO_STRINGS 3"
-.TH ERR_LOAD_CRYPTO_STRINGS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ERR_LOAD_CRYPTO_STRINGS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ERR_load_crypto_strings, SSL_load_error_strings, ERR_free_strings \- load and free error strings
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
Deprecated:
.PP
.Vb 1
\& #include <openssl/err.h>
\&
\& #if OPENSSL_API_COMPAT < 0x10100000L
\& void ERR_load_crypto_strings(void);
\& void ERR_free_strings(void);
\& #endif
\&
\& #include <openssl/ssl.h>
\&
\& #if OPENSSL_API_COMPAT < 0x10100000L
\& void SSL_load_error_strings(void);
\& #endif
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBERR_load_crypto_strings()\fR registers the error strings for all
\&\fBlibcrypto\fR functions. \fBSSL_load_error_strings()\fR does the same,
but also registers the \fBlibssl\fR error strings.
.PP
In versions prior to OpenSSL 1.1.0,
\&\fBERR_free_strings()\fR releases any resources created by the above functions.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBERR_load_crypto_strings()\fR, \fBSSL_load_error_strings()\fR and
\&\fBERR_free_strings()\fR return no values.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_error_string\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBERR_load_crypto_strings()\fR, \fBSSL_load_error_strings()\fR, and
\&\fBERR_free_strings()\fR functions were deprecated in OpenSSL 1.1.0 by
\&\fBOPENSSL_init_crypto()\fR and \fBOPENSSL_init_ssl()\fR and should not be used.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ERR_load_strings.3 b/secure/lib/libcrypto/man/man3/ERR_load_strings.3
index 6ec45d26fe7b..37e8c4c48d86 100644
--- a/secure/lib/libcrypto/man/man3/ERR_load_strings.3
+++ b/secure/lib/libcrypto/man/man3/ERR_load_strings.3
@@ -1,191 +1,191 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ERR_LOAD_STRINGS 3"
-.TH ERR_LOAD_STRINGS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ERR_LOAD_STRINGS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ERR_load_strings, ERR_PACK, ERR_get_next_error_library \- load arbitrary error strings
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/err.h>
\&
\& int ERR_load_strings(int lib, ERR_STRING_DATA *str);
\&
\& int ERR_get_next_error_library(void);
\&
\& unsigned long ERR_PACK(int lib, int func, int reason);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBERR_load_strings()\fR registers error strings for library number \fBlib\fR.
.PP
\&\fBstr\fR is an array of error string data:
.PP
.Vb 5
\& typedef struct ERR_string_data_st
\& {
\& unsigned long error;
\& char *string;
\& } ERR_STRING_DATA;
.Ve
.PP
The error code is generated from the library number and a function and
reason code: \fBerror\fR = \s-1ERR_PACK\s0(\fBlib\fR, \fBfunc\fR, \fBreason\fR).
\&\s-1\fBERR_PACK\s0()\fR is a macro.
.PP
The last entry in the array is {0,0}.
.PP
\&\fBERR_get_next_error_library()\fR can be used to assign library numbers
to user libraries at runtime.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBERR_load_strings()\fR returns 1 for success and 0 for failure. \s-1\fBERR_PACK\s0()\fR returns the error code.
\&\fBERR_get_next_error_library()\fR returns zero on failure, otherwise a new
library number.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_load_strings\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ERR_print_errors.3 b/secure/lib/libcrypto/man/man3/ERR_print_errors.3
index 44b6f8b073dd..39326b9df56f 100644
--- a/secure/lib/libcrypto/man/man3/ERR_print_errors.3
+++ b/secure/lib/libcrypto/man/man3/ERR_print_errors.3
@@ -1,191 +1,191 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ERR_PRINT_ERRORS 3"
-.TH ERR_PRINT_ERRORS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ERR_PRINT_ERRORS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ERR_print_errors, ERR_print_errors_fp, ERR_print_errors_cb \&\- print error messages
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/err.h>
\&
\& void ERR_print_errors(BIO *bp);
\& void ERR_print_errors_fp(FILE *fp);
\& void ERR_print_errors_cb(int (*cb)(const char *str, size_t len, void *u), void *u)
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBERR_print_errors()\fR is a convenience function that prints the error
strings for all errors that OpenSSL has recorded to \fBbp\fR, thus
emptying the error queue.
.PP
\&\fBERR_print_errors_fp()\fR is the same, except that the output goes to a
\&\fB\s-1FILE\s0\fR.
.PP
\&\fBERR_print_errors_cb()\fR is the same, except that the callback function,
\&\fBcb\fR, is called for each error line with the string, length, and userdata
\&\fBu\fR as the callback parameters.
.PP
The error strings will have the following format:
.PP
.Vb 1
\& [pid]:error:[error code]:[library name]:[function name]:[reason string]:[filename]:[line]:[optional text message]
.Ve
.PP
\&\fIerror code\fR is an 8 digit hexadecimal number. \fIlibrary name\fR,
\&\fIfunction name\fR and \fIreason string\fR are \s-1ASCII\s0 text, as is \fIoptional
text message\fR if one was set for the respective error code.
.PP
If there is no text string registered for the given error code,
the error string will contain the numeric code.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBERR_print_errors()\fR and \fBERR_print_errors_fp()\fR return no values.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_error_string\fR\|(3),
\&\fBERR_get_error\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ERR_put_error.3 b/secure/lib/libcrypto/man/man3/ERR_put_error.3
index fe81f2378b69..37eaea141947 100644
--- a/secure/lib/libcrypto/man/man3/ERR_put_error.3
+++ b/secure/lib/libcrypto/man/man3/ERR_put_error.3
@@ -1,207 +1,207 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ERR_PUT_ERROR 3"
-.TH ERR_PUT_ERROR 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ERR_PUT_ERROR 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ERR_put_error, ERR_add_error_data, ERR_add_error_vdata \- record an error
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/err.h>
\&
\& void ERR_put_error(int lib, int func, int reason, const char *file, int line);
\&
\& void ERR_add_error_data(int num, ...);
\& void ERR_add_error_vdata(int num, va_list arg);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBERR_put_error()\fR adds an error code to the thread's error queue. It
signals that the error of reason code \fBreason\fR occurred in function
\&\fBfunc\fR of library \fBlib\fR, in line number \fBline\fR of \fBfile\fR.
This function is usually called by a macro.
.PP
\&\fBERR_add_error_data()\fR associates the concatenation of its \fBnum\fR string
arguments with the error code added last.
\&\fBERR_add_error_vdata()\fR is similar except the argument is a \fBva_list\fR.
.PP
\&\fBERR_load_strings\fR\|(3) can be used to register
error strings so that the application can a generate human-readable
error messages for the error code.
.SS "Reporting errors"
.IX Subsection "Reporting errors"
Each sub-library has a specific macro \fBXXXerr()\fR that is used to report
errors. Its first argument is a function code \fB\s-1XXX_F_...\s0\fR, the second
argument is a reason code \fB\s-1XXX_R_...\s0\fR. Function codes are derived
from the function names; reason codes consist of textual error
descriptions. For example, the function \fBssl3_read_bytes()\fR reports a
\&\*(L"handshake failure\*(R" as follows:
.PP
.Vb 1
\& SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);
.Ve
.PP
Function and reason codes should consist of uppercase characters,
numbers and underscores only. The error file generation script translates
function codes into function names by looking in the header files
for an appropriate function name, if none is found it just uses
the capitalized form such as \*(L"\s-1SSL3_READ_BYTES\*(R"\s0 in the above example.
.PP
The trailing section of a reason code (after the \*(L"_R_\*(R") is translated
into lowercase and underscores changed to spaces.
.PP
Although a library will normally report errors using its own specific
XXXerr macro, another library's macro can be used. This is normally
only done when a library wants to include \s-1ASN1\s0 code which must use
the \fBASN1err()\fR macro.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBERR_put_error()\fR and \fBERR_add_error_data()\fR return
no values.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_load_strings\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ERR_remove_state.3 b/secure/lib/libcrypto/man/man3/ERR_remove_state.3
index 91c884a3cfb9..ec979c96cceb 100644
--- a/secure/lib/libcrypto/man/man3/ERR_remove_state.3
+++ b/secure/lib/libcrypto/man/man3/ERR_remove_state.3
@@ -1,180 +1,180 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ERR_REMOVE_STATE 3"
-.TH ERR_REMOVE_STATE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ERR_REMOVE_STATE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ERR_remove_thread_state, ERR_remove_state \- DEPRECATED
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
Deprecated:
.PP
.Vb 3
\& #if OPENSSL_API_COMPAT < 0x10000000L
\& void ERR_remove_state(unsigned long tid);
\& #endif
\&
\& #if OPENSSL_API_COMPAT < 0x10100000L
\& void ERR_remove_thread_state(void *tid);
\& #endif
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBERR_remove_state()\fR frees the error queue associated with the specified
thread, identified by \fBtid\fR.
\&\fBERR_remove_thread_state()\fR does the same thing, except the identifier is
an opaque pointer.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBERR_remove_state()\fR and \fBERR_remove_thread_state()\fR return no value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
L\fBOPENSSL_init_crypto\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBERR_remove_state()\fR was deprecated in OpenSSL 1.0.0 and
\&\fBERR_remove_thread_state()\fR was deprecated in OpenSSL 1.1.0; these functions
and should not be used.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/ERR_set_mark.3 b/secure/lib/libcrypto/man/man3/ERR_set_mark.3
index fe01768ac029..b2677dbfbbc0 100644
--- a/secure/lib/libcrypto/man/man3/ERR_set_mark.3
+++ b/secure/lib/libcrypto/man/man3/ERR_set_mark.3
@@ -1,172 +1,172 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ERR_SET_MARK 3"
-.TH ERR_SET_MARK 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ERR_SET_MARK 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ERR_set_mark, ERR_pop_to_mark \- set marks and pop errors until mark
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/err.h>
\&
\& int ERR_set_mark(void);
\&
\& int ERR_pop_to_mark(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBERR_set_mark()\fR sets a mark on the current topmost error record if there
is one.
.PP
\&\fBERR_pop_to_mark()\fR will pop the top of the error stack until a mark is found.
The mark is then removed. If there is no mark, the whole stack is removed.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBERR_set_mark()\fR returns 0 if the error stack is empty, otherwise 1.
.PP
\&\fBERR_pop_to_mark()\fR returns 0 if there was no mark in the error stack, which
implies that the stack became empty, otherwise 1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2003\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_BytesToKey.3 b/secure/lib/libcrypto/man/man3/EVP_BytesToKey.3
index 584d65b4013f..ab2b8de4ebfe 100644
--- a/secure/lib/libcrypto/man/man3/EVP_BytesToKey.3
+++ b/secure/lib/libcrypto/man/man3/EVP_BytesToKey.3
@@ -1,210 +1,210 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_BYTESTOKEY 3"
-.TH EVP_BYTESTOKEY 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_BYTESTOKEY 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_BytesToKey \- password based encryption routine
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
\& const unsigned char *salt,
\& const unsigned char *data, int datal, int count,
\& unsigned char *key, unsigned char *iv);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBEVP_BytesToKey()\fR derives a key and \s-1IV\s0 from various parameters. \fBtype\fR is
the cipher to derive the key and \s-1IV\s0 for. \fBmd\fR is the message digest to use.
The \fBsalt\fR parameter is used as a salt in the derivation: it should point to
an 8 byte buffer or \s-1NULL\s0 if no salt is used. \fBdata\fR is a buffer containing
\&\fBdatal\fR bytes which is used to derive the keying data. \fBcount\fR is the
iteration count to use. The derived key and \s-1IV\s0 will be written to \fBkey\fR
and \fBiv\fR respectively.
.SH "NOTES"
.IX Header "NOTES"
A typical application of this function is to derive keying material for an
encryption algorithm from a password in the \fBdata\fR parameter.
.PP
Increasing the \fBcount\fR parameter slows down the algorithm which makes it
harder for an attacker to perform a brute force attack using a large number
of candidate passwords.
.PP
If the total key and \s-1IV\s0 length is less than the digest length and
\&\fB\s-1MD5\s0\fR is used then the derivation algorithm is compatible with PKCS#5 v1.5
otherwise a non standard extension is used to derive the extra data.
.PP
Newer applications should use a more modern algorithm such as \s-1PBKDF2\s0 as
defined in PKCS#5v2.1 and provided by \s-1PKCS5_PBKDF2_HMAC.\s0
.SH "KEY DERIVATION ALGORITHM"
.IX Header "KEY DERIVATION ALGORITHM"
The key and \s-1IV\s0 is derived by concatenating D_1, D_2, etc until
enough data is available for the key and \s-1IV.\s0 D_i is defined as:
.PP
.Vb 1
\& D_i = HASH^count(D_(i\-1) || data || salt)
.Ve
.PP
where || denotes concatenation, D_0 is empty, \s-1HASH\s0 is the digest
algorithm in use, HASH^1(data) is simply \s-1HASH\s0(data), HASH^2(data)
is \s-1HASH\s0(\s-1HASH\s0(data)) and so on.
.PP
The initial bytes are used for the key and the subsequent bytes for
the \s-1IV.\s0
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
If \fBdata\fR is \s-1NULL,\s0 then \fBEVP_BytesToKey()\fR returns the number of bytes
needed to store the derived key.
Otherwise, \fBEVP_BytesToKey()\fR returns the size of the derived key in bytes,
or 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7), \fBRAND_bytes\fR\|(3),
\&\s-1\fBPKCS5_PBKDF2_HMAC\s0\fR\|(3),
\&\fBEVP_EncryptInit\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_cipher_data.3 b/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_cipher_data.3
index eae2e5c485f7..719ebc85b50d 100644
--- a/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_cipher_data.3
+++ b/secure/lib/libcrypto/man/man3/EVP_CIPHER_CTX_get_cipher_data.3
@@ -1,182 +1,182 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_CIPHER_CTX_GET_CIPHER_DATA 3"
-.TH EVP_CIPHER_CTX_GET_CIPHER_DATA 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_CIPHER_CTX_GET_CIPHER_DATA 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_CIPHER_CTX_get_cipher_data, EVP_CIPHER_CTX_set_cipher_data \- Routines to inspect and modify EVP_CIPHER_CTX objects
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& void *EVP_CIPHER_CTX_get_cipher_data(const EVP_CIPHER_CTX *ctx);
\& void *EVP_CIPHER_CTX_set_cipher_data(EVP_CIPHER_CTX *ctx, void *cipher_data);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBEVP_CIPHER_CTX_get_cipher_data()\fR function returns a pointer to the cipher
data relevant to \s-1EVP_CIPHER_CTX.\s0 The contents of this data is specific to the
particular implementation of the cipher. For example this data can be used by
engines to store engine specific information. The data is automatically
allocated and freed by OpenSSL, so applications and engines should not normally
free this directly (but see below).
.PP
The \fBEVP_CIPHER_CTX_set_cipher_data()\fR function allows an application or engine to
replace the cipher data with new data. A pointer to any existing cipher data is
returned from this function. If the old data is no longer required then it
should be freed through a call to \fBOPENSSL_free()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The \fBEVP_CIPHER_CTX_get_cipher_data()\fR function returns a pointer to the current
cipher data for the \s-1EVP_CIPHER_CTX.\s0
.PP
The \fBEVP_CIPHER_CTX_set_cipher_data()\fR function returns a pointer to the old
cipher data for the \s-1EVP_CIPHER_CTX.\s0
.SH "HISTORY"
.IX Header "HISTORY"
The \fBEVP_CIPHER_CTX_get_cipher_data()\fR and \fBEVP_CIPHER_CTX_set_cipher_data()\fR
functions were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_CIPHER_meth_new.3 b/secure/lib/libcrypto/man/man3/EVP_CIPHER_meth_new.3
index c849ae6a2ff2..2ff91eff9bfa 100644
--- a/secure/lib/libcrypto/man/man3/EVP_CIPHER_meth_new.3
+++ b/secure/lib/libcrypto/man/man3/EVP_CIPHER_meth_new.3
@@ -1,343 +1,343 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_CIPHER_METH_NEW 3"
-.TH EVP_CIPHER_METH_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_CIPHER_METH_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_CIPHER_meth_new, EVP_CIPHER_meth_dup, EVP_CIPHER_meth_free, EVP_CIPHER_meth_set_iv_length, EVP_CIPHER_meth_set_flags, EVP_CIPHER_meth_set_impl_ctx_size, EVP_CIPHER_meth_set_init, EVP_CIPHER_meth_set_do_cipher, EVP_CIPHER_meth_set_cleanup, EVP_CIPHER_meth_set_set_asn1_params, EVP_CIPHER_meth_set_get_asn1_params, EVP_CIPHER_meth_set_ctrl, EVP_CIPHER_meth_get_init, EVP_CIPHER_meth_get_do_cipher, EVP_CIPHER_meth_get_cleanup, EVP_CIPHER_meth_get_set_asn1_params, EVP_CIPHER_meth_get_get_asn1_params, EVP_CIPHER_meth_get_ctrl \- Routines to build up EVP_CIPHER methods
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& EVP_CIPHER *EVP_CIPHER_meth_new(int cipher_type, int block_size, int key_len);
\& EVP_CIPHER *EVP_CIPHER_meth_dup(const EVP_CIPHER *cipher);
\& void EVP_CIPHER_meth_free(EVP_CIPHER *cipher);
\&
\& int EVP_CIPHER_meth_set_iv_length(EVP_CIPHER *cipher, int iv_len);
\& int EVP_CIPHER_meth_set_flags(EVP_CIPHER *cipher, unsigned long flags);
\& int EVP_CIPHER_meth_set_impl_ctx_size(EVP_CIPHER *cipher, int ctx_size);
\& int EVP_CIPHER_meth_set_init(EVP_CIPHER *cipher,
\& int (*init)(EVP_CIPHER_CTX *ctx,
\& const unsigned char *key,
\& const unsigned char *iv,
\& int enc));
\& int EVP_CIPHER_meth_set_do_cipher(EVP_CIPHER *cipher,
\& int (*do_cipher)(EVP_CIPHER_CTX *ctx,
\& unsigned char *out,
\& const unsigned char *in,
\& size_t inl));
\& int EVP_CIPHER_meth_set_cleanup(EVP_CIPHER *cipher,
\& int (*cleanup)(EVP_CIPHER_CTX *));
\& int EVP_CIPHER_meth_set_set_asn1_params(EVP_CIPHER *cipher,
\& int (*set_asn1_parameters)(EVP_CIPHER_CTX *,
\& ASN1_TYPE *));
\& int EVP_CIPHER_meth_set_get_asn1_params(EVP_CIPHER *cipher,
\& int (*get_asn1_parameters)(EVP_CIPHER_CTX *,
\& ASN1_TYPE *));
\& int EVP_CIPHER_meth_set_ctrl(EVP_CIPHER *cipher,
\& int (*ctrl)(EVP_CIPHER_CTX *, int type,
\& int arg, void *ptr));
\&
\& int (*EVP_CIPHER_meth_get_init(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *ctx,
\& const unsigned char *key,
\& const unsigned char *iv,
\& int enc);
\& int (*EVP_CIPHER_meth_get_do_cipher(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *ctx,
\& unsigned char *out,
\& const unsigned char *in,
\& size_t inl);
\& int (*EVP_CIPHER_meth_get_cleanup(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *);
\& int (*EVP_CIPHER_meth_get_set_asn1_params(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *,
\& ASN1_TYPE *);
\& int (*EVP_CIPHER_meth_get_get_asn1_params(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *,
\& ASN1_TYPE *);
\& int (*EVP_CIPHER_meth_get_ctrl(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *,
\& int type, int arg,
\& void *ptr);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fB\s-1EVP_CIPHER\s0\fR type is a structure for symmetric cipher method
implementation.
.PP
\&\fBEVP_CIPHER_meth_new()\fR creates a new \fB\s-1EVP_CIPHER\s0\fR structure.
.PP
\&\fBEVP_CIPHER_meth_dup()\fR creates a copy of \fBcipher\fR.
.PP
\&\fBEVP_CIPHER_meth_free()\fR destroys a \fB\s-1EVP_CIPHER\s0\fR structure.
.PP
\&\fBEVP_CIPHER_meth_set_iv_length()\fR sets the length of the \s-1IV.\s0
This is only needed when the implemented cipher mode requires it.
.PP
\&\fBEVP_CIPHER_meth_set_flags()\fR sets the flags to describe optional
behaviours in the particular \fBcipher\fR.
With the exception of cipher modes, of which only one may be present,
several flags can be or'd together.
The available flags are:
.IP "\s-1EVP_CIPH_STREAM_CIPHER, EVP_CIPH_ECB_MODE EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE, EVP_CIPH_OFB_MODE, EVP_CIPH_CTR_MODE, EVP_CIPH_GCM_MODE, EVP_CIPH_CCM_MODE, EVP_CIPH_XTS_MODE, EVP_CIPH_WRAP_MODE, EVP_CIPH_OCB_MODE\s0" 4
.IX Item "EVP_CIPH_STREAM_CIPHER, EVP_CIPH_ECB_MODE EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE, EVP_CIPH_OFB_MODE, EVP_CIPH_CTR_MODE, EVP_CIPH_GCM_MODE, EVP_CIPH_CCM_MODE, EVP_CIPH_XTS_MODE, EVP_CIPH_WRAP_MODE, EVP_CIPH_OCB_MODE"
The cipher mode.
.IP "\s-1EVP_CIPH_VARIABLE_LENGTH\s0" 4
.IX Item "EVP_CIPH_VARIABLE_LENGTH"
This cipher is of variable length.
.IP "\s-1EVP_CIPH_CUSTOM_IV\s0" 4
.IX Item "EVP_CIPH_CUSTOM_IV"
Storing and initialising the \s-1IV\s0 is left entirely to the
implementation.
.IP "\s-1EVP_CIPH_ALWAYS_CALL_INIT\s0" 4
.IX Item "EVP_CIPH_ALWAYS_CALL_INIT"
Set this if the implementation's \fBinit()\fR function should be called even
if \fBkey\fR is \fB\s-1NULL\s0\fR.
.IP "\s-1EVP_CIPH_CTRL_INIT\s0" 4
.IX Item "EVP_CIPH_CTRL_INIT"
Set this to have the implementation's \fBctrl()\fR function called with
command code \fB\s-1EVP_CTRL_INIT\s0\fR early in its setup.
.IP "\s-1EVP_CIPH_CUSTOM_KEY_LENGTH\s0" 4
.IX Item "EVP_CIPH_CUSTOM_KEY_LENGTH"
Checking and setting the key length after creating the \fB\s-1EVP_CIPHER\s0\fR
is left to the implementation.
Whenever someone uses \fBEVP_CIPHER_CTX_set_key_length()\fR on a
\&\fB\s-1EVP_CIPHER\s0\fR with this flag set, the implementation's \fBctrl()\fR function
will be called with the control code \fB\s-1EVP_CTRL_SET_KEY_LENGTH\s0\fR and
the key length in \fBarg\fR.
.IP "\s-1EVP_CIPH_NO_PADDING\s0" 4
.IX Item "EVP_CIPH_NO_PADDING"
Don't use standard block padding.
.IP "\s-1EVP_CIPH_RAND_KEY\s0" 4
.IX Item "EVP_CIPH_RAND_KEY"
Making a key with random content is left to the implementation.
This is done by calling the implementation's \fBctrl()\fR function with the
control code \fB\s-1EVP_CTRL_RAND_KEY\s0\fR and the pointer to the key memory
storage in \fBptr\fR.
.IP "\s-1EVP_CIPH_CUSTOM_COPY\s0" 4
.IX Item "EVP_CIPH_CUSTOM_COPY"
Set this to have the implementation's \fBctrl()\fR function called with
command code \fB\s-1EVP_CTRL_COPY\s0\fR at the end of \fBEVP_CIPHER_CTX_copy()\fR.
The intended use is for further things to deal with after the
implementation specific data block has been copied.
The destination \fB\s-1EVP_CIPHER_CTX\s0\fR is passed to the control with the
\&\fBptr\fR parameter.
The implementation specific data block is reached with
\&\fBEVP_CIPHER_CTX_get_cipher_data()\fR.
.IP "\s-1EVP_CIPH_FLAG_DEFAULT_ASN1\s0" 4
.IX Item "EVP_CIPH_FLAG_DEFAULT_ASN1"
Use the default \s-1EVP\s0 routines to pass \s-1IV\s0 to and from \s-1ASN.1.\s0
.IP "\s-1EVP_CIPH_FLAG_LENGTH_BITS\s0" 4
.IX Item "EVP_CIPH_FLAG_LENGTH_BITS"
Signals that the length of the input buffer for encryption /
decryption is to be understood as the number of bits instead of
bytes for this implementation.
This is only useful for \s-1CFB1\s0 ciphers.
.IP "\s-1EVP_CIPH_FLAG_CUSTOM_CIPHER\s0" 4
.IX Item "EVP_CIPH_FLAG_CUSTOM_CIPHER"
This indicates that the implementation takes care of everything,
including padding, buffering and finalization.
The \s-1EVP\s0 routines will simply give them control and do nothing more.
.IP "\s-1EVP_CIPH_FLAG_AEAD_CIPHER\s0" 4
.IX Item "EVP_CIPH_FLAG_AEAD_CIPHER"
This indicates that this is an \s-1AEAD\s0 cipher implementation.
.IP "\s-1EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK\s0" 4
.IX Item "EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK"
Allow interleaving of crypto blocks, a particular optimization only applicable
to certain \s-1TLS\s0 ciphers.
.PP
\&\fBEVP_CIPHER_meth_set_impl_ctx_size()\fR sets the size of the \s-1EVP_CIPHER\s0's
implementation context so that it can be automatically allocated.
.PP
\&\fBEVP_CIPHER_meth_set_init()\fR sets the cipher init function for
\&\fBcipher\fR.
The cipher init function is called by \fBEVP_CipherInit()\fR,
\&\fBEVP_CipherInit_ex()\fR, \fBEVP_EncryptInit()\fR, \fBEVP_EncryptInit_ex()\fR,
\&\fBEVP_DecryptInit()\fR, \fBEVP_DecryptInit_ex()\fR.
.PP
\&\fBEVP_CIPHER_meth_set_do_cipher()\fR sets the cipher function for
\&\fBcipher\fR.
The cipher function is called by \fBEVP_CipherUpdate()\fR,
\&\fBEVP_EncryptUpdate()\fR, \fBEVP_DecryptUpdate()\fR, \fBEVP_CipherFinal()\fR,
\&\fBEVP_EncryptFinal()\fR, \fBEVP_EncryptFinal_ex()\fR, \fBEVP_DecryptFinal()\fR and
\&\fBEVP_DecryptFinal_ex()\fR.
.PP
\&\fBEVP_CIPHER_meth_set_cleanup()\fR sets the function for \fBcipher\fR to do
extra cleanup before the method's private data structure is cleaned
out and freed.
Note that the cleanup function is passed a \fB\s-1EVP_CIPHER_CTX\s0 *\fR, the
private data structure is then available with
\&\fBEVP_CIPHER_CTX_get_cipher_data()\fR.
This cleanup function is called by \fBEVP_CIPHER_CTX_reset()\fR and
\&\fBEVP_CIPHER_CTX_free()\fR.
.PP
\&\fBEVP_CIPHER_meth_set_set_asn1_params()\fR sets the function for \fBcipher\fR
to set the AlgorithmIdentifier \*(L"parameter\*(R" based on the passed cipher.
This function is called by \fBEVP_CIPHER_param_to_asn1()\fR.
\&\fBEVP_CIPHER_meth_set_get_asn1_params()\fR sets the function for \fBcipher\fR
that sets the cipher parameters based on an \s-1ASN.1\s0 AlgorithmIdentifier
\&\*(L"parameter\*(R".
Both these functions are needed when there is a need for custom data
(more or other than the cipher \s-1IV\s0).
They are called by \fBEVP_CIPHER_param_to_asn1()\fR and
\&\fBEVP_CIPHER_asn1_to_param()\fR respectively if defined.
.PP
\&\fBEVP_CIPHER_meth_set_ctrl()\fR sets the control function for \fBcipher\fR.
.PP
\&\fBEVP_CIPHER_meth_get_init()\fR, \fBEVP_CIPHER_meth_get_do_cipher()\fR,
\&\fBEVP_CIPHER_meth_get_cleanup()\fR, \fBEVP_CIPHER_meth_get_set_asn1_params()\fR,
\&\fBEVP_CIPHER_meth_get_get_asn1_params()\fR and \fBEVP_CIPHER_meth_get_ctrl()\fR
are all used to retrieve the method data given with the
EVP_CIPHER_meth_set_*() functions above.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_CIPHER_meth_new()\fR and \fBEVP_CIPHER_meth_dup()\fR return a pointer to a
newly created \fB\s-1EVP_CIPHER\s0\fR, or \s-1NULL\s0 on failure.
All EVP_CIPHER_meth_set_*() functions return 1.
All EVP_CIPHER_meth_get_*() functions return pointers to their
respective \fBcipher\fR function.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
EVP_EncryptInit
.SH "HISTORY"
.IX Header "HISTORY"
The functions described here were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_DigestInit.3 b/secure/lib/libcrypto/man/man3/EVP_DigestInit.3
index 1d06ccca0b9e..0f5920a803fd 100644
--- a/secure/lib/libcrypto/man/man3/EVP_DigestInit.3
+++ b/secure/lib/libcrypto/man/man3/EVP_DigestInit.3
@@ -1,497 +1,497 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_DIGESTINIT 3"
-.TH EVP_DIGESTINIT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_DIGESTINIT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_MD_CTX_new, EVP_MD_CTX_reset, EVP_MD_CTX_free, EVP_MD_CTX_copy, EVP_MD_CTX_copy_ex, EVP_MD_CTX_ctrl, EVP_MD_CTX_set_flags, EVP_MD_CTX_clear_flags, EVP_MD_CTX_test_flags, EVP_Digest, EVP_DigestInit_ex, EVP_DigestInit, EVP_DigestUpdate, EVP_DigestFinal_ex, EVP_DigestFinalXOF, EVP_DigestFinal, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, EVP_MD_block_size, EVP_MD_flags, EVP_MD_CTX_md, EVP_MD_CTX_type, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_md_data, EVP_MD_CTX_update_fn, EVP_MD_CTX_set_update_fn, EVP_md_null, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj, EVP_MD_CTX_pkey_ctx, EVP_MD_CTX_set_pkey_ctx \- EVP digest routines
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& EVP_MD_CTX *EVP_MD_CTX_new(void);
\& int EVP_MD_CTX_reset(EVP_MD_CTX *ctx);
\& void EVP_MD_CTX_free(EVP_MD_CTX *ctx);
\& void EVP_MD_CTX_ctrl(EVP_MD_CTX *ctx, int cmd, int p1, void* p2);
\& void EVP_MD_CTX_set_flags(EVP_MD_CTX *ctx, int flags);
\& void EVP_MD_CTX_clear_flags(EVP_MD_CTX *ctx, int flags);
\& int EVP_MD_CTX_test_flags(const EVP_MD_CTX *ctx, int flags);
\&
\& int EVP_Digest(const void *data, size_t count, unsigned char *md,
\& unsigned int *size, const EVP_MD *type, ENGINE *impl);
\& int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl);
\& int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt);
\& int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s);
\& int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len);
\&
\& int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in);
\&
\& int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type);
\& int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s);
\&
\& int EVP_MD_CTX_copy(EVP_MD_CTX *out, EVP_MD_CTX *in);
\&
\& int EVP_MD_type(const EVP_MD *md);
\& int EVP_MD_pkey_type(const EVP_MD *md);
\& int EVP_MD_size(const EVP_MD *md);
\& int EVP_MD_block_size(const EVP_MD *md);
\& unsigned long EVP_MD_flags(const EVP_MD *md);
\&
\& const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx);
\& int EVP_MD_CTX_size(const EVP_MD_CTX *ctx);
\& int EVP_MD_CTX_block_size(const EVP_MD_CTX *ctx);
\& int EVP_MD_CTX_type(const EVP_MD_CTX *ctx);
\& void *EVP_MD_CTX_md_data(const EVP_MD_CTX *ctx);
\& int (*EVP_MD_CTX_update_fn(EVP_MD_CTX *ctx))(EVP_MD_CTX *ctx,
\& const void *data, size_t count);
\& void EVP_MD_CTX_set_update_fn(EVP_MD_CTX *ctx,
\& int (*update)(EVP_MD_CTX *ctx,
\& const void *data, size_t count));
\&
\& const EVP_MD *EVP_md_null(void);
\&
\& const EVP_MD *EVP_get_digestbyname(const char *name);
\& const EVP_MD *EVP_get_digestbynid(int type);
\& const EVP_MD *EVP_get_digestbyobj(const ASN1_OBJECT *o);
\&
\& EVP_PKEY_CTX *EVP_MD_CTX_pkey_ctx(const EVP_MD_CTX *ctx);
\& void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1EVP\s0 digest routines are a high-level interface to message digests,
and should be used instead of the cipher-specific functions.
.IP "\fBEVP_MD_CTX_new()\fR" 4
.IX Item "EVP_MD_CTX_new()"
Allocates and returns a digest context.
.IP "\fBEVP_MD_CTX_reset()\fR" 4
.IX Item "EVP_MD_CTX_reset()"
Resets the digest context \fBctx\fR. This can be used to reuse an already
existing context.
.IP "\fBEVP_MD_CTX_free()\fR" 4
.IX Item "EVP_MD_CTX_free()"
Cleans up digest context \fBctx\fR and frees up the space allocated to it.
.IP "\fBEVP_MD_CTX_ctrl()\fR" 4
.IX Item "EVP_MD_CTX_ctrl()"
Performs digest-specific control actions on context \fBctx\fR. The control command
is indicated in \fBcmd\fR and any additional arguments in \fBp1\fR and \fBp2\fR.
\&\fBEVP_MD_CTX_ctrl()\fR must be called after \fBEVP_DigestInit_ex()\fR. Other restrictions
may apply depending on the control type and digest implementation.
See \*(L"\s-1CONTROLS\*(R"\s0 below for more information.
.IP "\fBEVP_MD_CTX_set_flags()\fR, \fBEVP_MD_CTX_clear_flags()\fR, \fBEVP_MD_CTX_test_flags()\fR" 4
.IX Item "EVP_MD_CTX_set_flags(), EVP_MD_CTX_clear_flags(), EVP_MD_CTX_test_flags()"
Sets, clears and tests \fBctx\fR flags. See \*(L"\s-1FLAGS\*(R"\s0 below for more information.
.IP "\fBEVP_Digest()\fR" 4
.IX Item "EVP_Digest()"
A wrapper around the Digest Init_ex, Update and Final_ex functions.
Hashes \fBcount\fR bytes of data at \fBdata\fR using a digest \fBtype\fR from \s-1ENGINE\s0
\&\fBimpl\fR. The digest value is placed in \fBmd\fR and its length is written at \fBsize\fR
if the pointer is not \s-1NULL.\s0 At most \fB\s-1EVP_MAX_MD_SIZE\s0\fR bytes will be written.
If \fBimpl\fR is \s-1NULL\s0 the default implementation of digest \fBtype\fR is used.
.IP "\fBEVP_DigestInit_ex()\fR" 4
.IX Item "EVP_DigestInit_ex()"
Sets up digest context \fBctx\fR to use a digest \fBtype\fR from \s-1ENGINE\s0 \fBimpl\fR.
\&\fBtype\fR will typically be supplied by a function such as \fBEVP_sha1()\fR. If
\&\fBimpl\fR is \s-1NULL\s0 then the default implementation of digest \fBtype\fR is used.
.IP "\fBEVP_DigestUpdate()\fR" 4
.IX Item "EVP_DigestUpdate()"
Hashes \fBcnt\fR bytes of data at \fBd\fR into the digest context \fBctx\fR. This
function can be called several times on the same \fBctx\fR to hash additional
data.
.IP "\fBEVP_DigestFinal_ex()\fR" 4
.IX Item "EVP_DigestFinal_ex()"
Retrieves the digest value from \fBctx\fR and places it in \fBmd\fR. If the \fBs\fR
parameter is not \s-1NULL\s0 then the number of bytes of data written (i.e. the
length of the digest) will be written to the integer at \fBs\fR, at most
\&\fB\s-1EVP_MAX_MD_SIZE\s0\fR bytes will be written. After calling \fBEVP_DigestFinal_ex()\fR
no additional calls to \fBEVP_DigestUpdate()\fR can be made, but
\&\fBEVP_DigestInit_ex()\fR can be called to initialize a new digest operation.
.IP "\fBEVP_DigestFinalXOF()\fR" 4
.IX Item "EVP_DigestFinalXOF()"
Interfaces to extendable-output functions, XOFs, such as \s-1SHAKE128\s0 and \s-1SHAKE256.\s0
It retrieves the digest value from \fBctx\fR and places it in \fBlen\fR\-sized <B>md.
After calling this function no additional calls to \fBEVP_DigestUpdate()\fR can be
made, but \fBEVP_DigestInit_ex()\fR can be called to initialize a new operation.
.IP "\fBEVP_MD_CTX_copy_ex()\fR" 4
.IX Item "EVP_MD_CTX_copy_ex()"
Can be used to copy the message digest state from \fBin\fR to \fBout\fR. This is
useful if large amounts of data are to be hashed which only differ in the last
few bytes.
.IP "\fBEVP_DigestInit()\fR" 4
.IX Item "EVP_DigestInit()"
Behaves in the same way as \fBEVP_DigestInit_ex()\fR except it always uses the
default digest implementation and calls \fBEVP_MD_CTX_reset()\fR.
.IP "\fBEVP_DigestFinal()\fR" 4
.IX Item "EVP_DigestFinal()"
Similar to \fBEVP_DigestFinal_ex()\fR except the digest context \fBctx\fR is
automatically cleaned up.
.IP "\fBEVP_MD_CTX_copy()\fR" 4
.IX Item "EVP_MD_CTX_copy()"
Similar to \fBEVP_MD_CTX_copy_ex()\fR except the destination \fBout\fR does not have to
be initialized.
.IP "\fBEVP_MD_size()\fR, \fBEVP_MD_CTX_size()\fR" 4
.IX Item "EVP_MD_size(), EVP_MD_CTX_size()"
Return the size of the message digest when passed an \fB\s-1EVP_MD\s0\fR or an
\&\fB\s-1EVP_MD_CTX\s0\fR structure, i.e. the size of the hash.
.IP "\fBEVP_MD_block_size()\fR, \fBEVP_MD_CTX_block_size()\fR" 4
.IX Item "EVP_MD_block_size(), EVP_MD_CTX_block_size()"
Return the block size of the message digest when passed an \fB\s-1EVP_MD\s0\fR or an
\&\fB\s-1EVP_MD_CTX\s0\fR structure.
.IP "\fBEVP_MD_type()\fR, \fBEVP_MD_CTX_type()\fR" 4
.IX Item "EVP_MD_type(), EVP_MD_CTX_type()"
Return the \s-1NID\s0 of the \s-1OBJECT IDENTIFIER\s0 representing the given message digest
when passed an \fB\s-1EVP_MD\s0\fR structure. For example, \f(CW\*(C`EVP_MD_type(EVP_sha1())\*(C'\fR
returns \fBNID_sha1\fR. This function is normally used when setting \s-1ASN1\s0 OIDs.
.IP "\fBEVP_MD_CTX_md_data()\fR" 4
.IX Item "EVP_MD_CTX_md_data()"
Return the digest method private data for the passed \fB\s-1EVP_MD_CTX\s0\fR.
The space is allocated by OpenSSL and has the size originally set with
\&\fBEVP_MD_meth_set_app_datasize()\fR.
.IP "\fBEVP_MD_CTX_md()\fR" 4
.IX Item "EVP_MD_CTX_md()"
Returns the \fB\s-1EVP_MD\s0\fR structure corresponding to the passed \fB\s-1EVP_MD_CTX\s0\fR.
.IP "\fBEVP_MD_CTX_set_update_fn()\fR" 4
.IX Item "EVP_MD_CTX_set_update_fn()"
Sets the update function for \fBctx\fR to \fBupdate\fR.
This is the function that is called by EVP_DigestUpdate. If not set, the
update function from the \fB\s-1EVP_MD\s0\fR type specified at initialization is used.
.IP "\fBEVP_MD_CTX_update_fn()\fR" 4
.IX Item "EVP_MD_CTX_update_fn()"
Returns the update function for \fBctx\fR.
.IP "\fBEVP_MD_flags()\fR" 4
.IX Item "EVP_MD_flags()"
Returns the \fBmd\fR flags. Note that these are different from the \fB\s-1EVP_MD_CTX\s0\fR
ones. See \fBEVP_MD_meth_set_flags\fR\|(3) for more information.
.IP "\fBEVP_MD_pkey_type()\fR" 4
.IX Item "EVP_MD_pkey_type()"
Returns the \s-1NID\s0 of the public key signing algorithm associated with this
digest. For example \fBEVP_sha1()\fR is associated with \s-1RSA\s0 so this will return
\&\fBNID_sha1WithRSAEncryption\fR. Since digests and signature algorithms are no
longer linked this function is only retained for compatibility reasons.
.IP "\fBEVP_md_null()\fR" 4
.IX Item "EVP_md_null()"
A \*(L"null\*(R" message digest that does nothing: i.e. the hash it returns is of zero
length.
.IP "\fBEVP_get_digestbyname()\fR, \fBEVP_get_digestbynid()\fR, \fBEVP_get_digestbyobj()\fR" 4
.IX Item "EVP_get_digestbyname(), EVP_get_digestbynid(), EVP_get_digestbyobj()"
Returns an \fB\s-1EVP_MD\s0\fR structure when passed a digest name, a digest \fB\s-1NID\s0\fR or an
\&\fB\s-1ASN1_OBJECT\s0\fR structure respectively.
.IP "\fBEVP_MD_CTX_pkey_ctx()\fR" 4
.IX Item "EVP_MD_CTX_pkey_ctx()"
Returns the \fB\s-1EVP_PKEY_CTX\s0\fR assigned to \fBctx\fR. The returned pointer should not
be freed by the caller.
.IP "\fBEVP_MD_CTX_set_pkey_ctx()\fR" 4
.IX Item "EVP_MD_CTX_set_pkey_ctx()"
Assigns an \fB\s-1EVP_PKEY_CTX\s0\fR to \fB\s-1EVP_MD_CTX\s0\fR. This is usually used to provide
a customized \fB\s-1EVP_PKEY_CTX\s0\fR to \fBEVP_DigestSignInit\fR\|(3) or
\&\fBEVP_DigestVerifyInit\fR\|(3). The \fBpctx\fR passed to this function should be freed
by the caller. A \s-1NULL\s0 \fBpctx\fR pointer is also allowed to clear the \fB\s-1EVP_PKEY_CTX\s0\fR
assigned to \fBctx\fR. In such case, freeing the cleared \fB\s-1EVP_PKEY_CTX\s0\fR or not
depends on how the \fB\s-1EVP_PKEY_CTX\s0\fR is created.
.SH "CONTROLS"
.IX Header "CONTROLS"
\&\fBEVP_MD_CTX_ctrl()\fR can be used to send the following standard controls:
.IP "\s-1EVP_MD_CTRL_MICALG\s0" 4
.IX Item "EVP_MD_CTRL_MICALG"
Gets the digest Message Integrity Check algorithm string. This is used when
creating S/MIME multipart/signed messages, as specified in \s-1RFC 3851.\s0
The string value is written to \fBp2\fR.
.IP "\s-1EVP_MD_CTRL_XOF_LEN\s0" 4
.IX Item "EVP_MD_CTRL_XOF_LEN"
This control sets the digest length for extendable output functions to \fBp1\fR.
Sending this control directly should not be necessary, the use of
\&\f(CW\*(C`EVP_DigestFinalXOF()\*(C'\fR is preferred.
Currently used by \s-1SHAKE.\s0
.SH "FLAGS"
.IX Header "FLAGS"
\&\fBEVP_MD_CTX_set_flags()\fR, \fBEVP_MD_CTX_clear_flags()\fR and \fBEVP_MD_CTX_test_flags()\fR
can be used the manipulate and test these \fB\s-1EVP_MD_CTX\s0\fR flags:
.IP "\s-1EVP_MD_CTX_FLAG_ONESHOT\s0" 4
.IX Item "EVP_MD_CTX_FLAG_ONESHOT"
This flag instructs the digest to optimize for one update only, if possible.
.IP "\s-1EVP_MD_CTX_FLAG_NO_INIT\s0" 4
.IX Item "EVP_MD_CTX_FLAG_NO_INIT"
This flag instructs \fBEVP_DigestInit()\fR and similar not to initialise the
implementation specific data.
.IP "\s-1EVP_MD_CTX_FLAG_FINALISE\s0" 4
.IX Item "EVP_MD_CTX_FLAG_FINALISE"
Some functions such as EVP_DigestSign only finalise copies of internal
contexts so additional data can be included after the finalisation call.
This is inefficient if this functionality is not required, and can be
disabled with this flag.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
.IP "\fBEVP_DigestInit_ex()\fR, \fBEVP_DigestUpdate()\fR, \fBEVP_DigestFinal_ex()\fR" 4
.IX Item "EVP_DigestInit_ex(), EVP_DigestUpdate(), EVP_DigestFinal_ex()"
Returns 1 for
success and 0 for failure.
.IP "\fBEVP_MD_CTX_ctrl()\fR" 4
.IX Item "EVP_MD_CTX_ctrl()"
Returns 1 if successful or 0 for failure.
.IP "\fBEVP_MD_CTX_copy_ex()\fR" 4
.IX Item "EVP_MD_CTX_copy_ex()"
Returns 1 if successful or 0 for failure.
.IP "\fBEVP_MD_type()\fR, \fBEVP_MD_pkey_type()\fR" 4
.IX Item "EVP_MD_type(), EVP_MD_pkey_type()"
Returns the \s-1NID\s0 of the corresponding \s-1OBJECT IDENTIFIER\s0 or NID_undef if none
exists.
.IP "\fBEVP_MD_size()\fR, \fBEVP_MD_block_size()\fR, \fBEVP_MD_CTX_size()\fR, \fBEVP_MD_CTX_block_size()\fR" 4
.IX Item "EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size(), EVP_MD_CTX_block_size()"
Returns the digest or block size in bytes.
.IP "\fBEVP_md_null()\fR" 4
.IX Item "EVP_md_null()"
Returns a pointer to the \fB\s-1EVP_MD\s0\fR structure of the \*(L"null\*(R" message digest.
.IP "\fBEVP_get_digestbyname()\fR, \fBEVP_get_digestbynid()\fR, \fBEVP_get_digestbyobj()\fR" 4
.IX Item "EVP_get_digestbyname(), EVP_get_digestbynid(), EVP_get_digestbyobj()"
Returns either an \fB\s-1EVP_MD\s0\fR structure or \s-1NULL\s0 if an error occurs.
.IP "\fBEVP_MD_CTX_set_pkey_ctx()\fR" 4
.IX Item "EVP_MD_CTX_set_pkey_ctx()"
This function has no return value.
.SH "NOTES"
.IX Header "NOTES"
The \fB\s-1EVP\s0\fR interface to message digests should almost always be used in
preference to the low-level interfaces. This is because the code then becomes
transparent to the digest used and much more flexible.
.PP
New applications should use the \s-1SHA\-2\s0 (such as \fBEVP_sha256\fR\|(3)) or the \s-1SHA\-3\s0
digest algorithms (such as \fBEVP_sha3_512\fR\|(3)). The other digest algorithms
are still in common use.
.PP
For most applications the \fBimpl\fR parameter to \fBEVP_DigestInit_ex()\fR will be
set to \s-1NULL\s0 to use the default digest implementation.
.PP
The functions \fBEVP_DigestInit()\fR, \fBEVP_DigestFinal()\fR and \fBEVP_MD_CTX_copy()\fR are
obsolete but are retained to maintain compatibility with existing code. New
applications should use \fBEVP_DigestInit_ex()\fR, \fBEVP_DigestFinal_ex()\fR and
\&\fBEVP_MD_CTX_copy_ex()\fR because they can efficiently reuse a digest context
instead of initializing and cleaning it up on each call and allow non default
implementations of digests to be specified.
.PP
If digest contexts are not cleaned up after use,
memory leaks will occur.
.PP
\&\fBEVP_MD_CTX_size()\fR, \fBEVP_MD_CTX_block_size()\fR, \fBEVP_MD_CTX_type()\fR,
\&\fBEVP_get_digestbynid()\fR and \fBEVP_get_digestbyobj()\fR are defined as
macros.
.PP
\&\fBEVP_MD_CTX_ctrl()\fR sends commands to message digests for additional configuration
or control.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
This example digests the data \*(L"Test Message\en\*(R" and \*(L"Hello World\en\*(R", using the
digest name passed on the command line.
.PP
.Vb 3
\& #include <stdio.h>
\& #include <string.h>
\& #include <openssl/evp.h>
\&
\& int main(int argc, char *argv[])
\& {
\& EVP_MD_CTX *mdctx;
\& const EVP_MD *md;
\& char mess1[] = "Test Message\en";
\& char mess2[] = "Hello World\en";
\& unsigned char md_value[EVP_MAX_MD_SIZE];
\& unsigned int md_len, i;
\&
\& if (argv[1] == NULL) {
\& printf("Usage: mdtest digestname\en");
\& exit(1);
\& }
\&
\& md = EVP_get_digestbyname(argv[1]);
\& if (md == NULL) {
\& printf("Unknown message digest %s\en", argv[1]);
\& exit(1);
\& }
\&
\& mdctx = EVP_MD_CTX_new();
\& EVP_DigestInit_ex(mdctx, md, NULL);
\& EVP_DigestUpdate(mdctx, mess1, strlen(mess1));
\& EVP_DigestUpdate(mdctx, mess2, strlen(mess2));
\& EVP_DigestFinal_ex(mdctx, md_value, &md_len);
\& EVP_MD_CTX_free(mdctx);
\&
\& printf("Digest is: ");
\& for (i = 0; i < md_len; i++)
\& printf("%02x", md_value[i]);
\& printf("\en");
\&
\& exit(0);
\& }
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_MD_meth_new\fR\|(3),
\&\fBdgst\fR\|(1),
\&\fBevp\fR\|(7)
.PP
The full list of digest algorithms are provided below.
.PP
\&\fBEVP_blake2b512\fR\|(3),
\&\fBEVP_md2\fR\|(3),
\&\fBEVP_md4\fR\|(3),
\&\fBEVP_md5\fR\|(3),
\&\fBEVP_mdc2\fR\|(3),
\&\fBEVP_ripemd160\fR\|(3),
\&\fBEVP_sha1\fR\|(3),
\&\fBEVP_sha224\fR\|(3),
\&\fBEVP_sha3_224\fR\|(3),
\&\fBEVP_sm3\fR\|(3),
\&\fBEVP_whirlpool\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBEVP_MD_CTX_create()\fR and \fBEVP_MD_CTX_destroy()\fR functions were renamed to
\&\fBEVP_MD_CTX_new()\fR and \fBEVP_MD_CTX_free()\fR in OpenSSL 1.1.0, respectively.
.PP
The link between digests and signing algorithms was fixed in OpenSSL 1.0 and
later, so now \fBEVP_sha1()\fR can be used with \s-1RSA\s0 and \s-1DSA.\s0
.PP
The \fBEVP_dss1()\fR function was removed in OpenSSL 1.1.0.
.PP
The \fBEVP_MD_CTX_set_pkey_ctx()\fR function was added in 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_DigestSignInit.3 b/secure/lib/libcrypto/man/man3/EVP_DigestSignInit.3
index 0b0c78a8bd3c..8f656eef26d3 100644
--- a/secure/lib/libcrypto/man/man3/EVP_DigestSignInit.3
+++ b/secure/lib/libcrypto/man/man3/EVP_DigestSignInit.3
@@ -1,283 +1,283 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_DIGESTSIGNINIT 3"
-.TH EVP_DIGESTSIGNINIT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_DIGESTSIGNINIT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_DigestSignInit, EVP_DigestSignUpdate, EVP_DigestSignFinal, EVP_DigestSign \- EVP signing functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
\& const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey);
\& int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt);
\& int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen);
\&
\& int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret,
\& size_t *siglen, const unsigned char *tbs,
\& size_t tbslen);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1EVP\s0 signature routines are a high-level interface to digital signatures.
.PP
\&\fBEVP_DigestSignInit()\fR sets up signing context \fBctx\fR to use digest \fBtype\fR from
\&\s-1ENGINE\s0 \fBe\fR and private key \fBpkey\fR. \fBctx\fR must be created with
\&\fBEVP_MD_CTX_new()\fR before calling this function. If \fBpctx\fR is not \s-1NULL,\s0 the
\&\s-1EVP_PKEY_CTX\s0 of the signing operation will be written to \fB*pctx\fR: this can
be used to set alternative signing options. Note that any existing value in
\&\fB*pctx\fR is overwritten. The \s-1EVP_PKEY_CTX\s0 value returned must not be freed
directly by the application if \fBctx\fR is not assigned an \s-1EVP_PKEY_CTX\s0 value before
being passed to \fBEVP_DigestSignInit()\fR (which means the \s-1EVP_PKEY_CTX\s0 is created
inside \fBEVP_DigestSignInit()\fR and it will be freed automatically when the
\&\s-1EVP_MD_CTX\s0 is freed).
.PP
The digest \fBtype\fR may be \s-1NULL\s0 if the signing algorithm supports it.
.PP
No \fB\s-1EVP_PKEY_CTX\s0\fR will be created by \fBEVP_DigestSignInit()\fR if the passed \fBctx\fR
has already been assigned one via \fBEVP_MD_CTX_set_pkey_ctx\fR\|(3). See also \s-1\fBSM2\s0\fR\|(7).
.PP
Only \s-1EVP_PKEY\s0 types that support signing can be used with these functions. This
includes \s-1MAC\s0 algorithms where the \s-1MAC\s0 generation is considered as a form of
\&\*(L"signing\*(R". Built-in \s-1EVP_PKEY\s0 types supported by these functions are \s-1CMAC,\s0
Poly1305, \s-1DSA, ECDSA, HMAC, RSA,\s0 SipHash, Ed25519 and Ed448.
.PP
Not all digests can be used for all key types. The following combinations apply.
.IP "\s-1DSA\s0" 4
.IX Item "DSA"
Supports \s-1SHA1, SHA224, SHA256, SHA384\s0 and \s-1SHA512\s0
.IP "\s-1ECDSA\s0" 4
.IX Item "ECDSA"
Supports \s-1SHA1, SHA224, SHA256, SHA384, SHA512\s0 and \s-1SM3\s0
.IP "\s-1RSA\s0 with no padding" 4
.IX Item "RSA with no padding"
Supports no digests (the digest \fBtype\fR must be \s-1NULL\s0)
.IP "\s-1RSA\s0 with X931 padding" 4
.IX Item "RSA with X931 padding"
Supports \s-1SHA1, SHA256, SHA384\s0 and \s-1SHA512\s0
.IP "All other \s-1RSA\s0 padding types" 4
.IX Item "All other RSA padding types"
Support \s-1SHA1, SHA224, SHA256, SHA384, SHA512, MD5, MD5_SHA1, MD2, MD4, MDC2,
SHA3\-224, SHA3\-256, SHA3\-384, SHA3\-512\s0
.IP "Ed25519 and Ed448" 4
.IX Item "Ed25519 and Ed448"
Support no digests (the digest \fBtype\fR must be \s-1NULL\s0)
.IP "\s-1HMAC\s0" 4
.IX Item "HMAC"
Supports any digest
.IP "\s-1CMAC,\s0 Poly1305 and SipHash" 4
.IX Item "CMAC, Poly1305 and SipHash"
Will ignore any digest provided.
.PP
If RSA-PSS is used and restrictions apply then the digest must match.
.PP
\&\fBEVP_DigestSignUpdate()\fR hashes \fBcnt\fR bytes of data at \fBd\fR into the
signature context \fBctx\fR. This function can be called several times on the
same \fBctx\fR to include additional data. This function is currently implemented
using a macro.
.PP
\&\fBEVP_DigestSignFinal()\fR signs the data in \fBctx\fR and places the signature in \fBsig\fR.
If \fBsig\fR is \fB\s-1NULL\s0\fR then the maximum size of the output buffer is written to
the \fBsiglen\fR parameter. If \fBsig\fR is not \fB\s-1NULL\s0\fR then before the call the
\&\fBsiglen\fR parameter should contain the length of the \fBsig\fR buffer. If the
call is successful the signature is written to \fBsig\fR and the amount of data
written to \fBsiglen\fR.
.PP
\&\fBEVP_DigestSign()\fR signs \fBtbslen\fR bytes of data at \fBtbs\fR and places the
signature in \fBsig\fR and its length in \fBsiglen\fR in a similar way to
\&\fBEVP_DigestSignFinal()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_DigestSignInit()\fR, \fBEVP_DigestSignUpdate()\fR, \fBEVP_DigestSignFinal()\fR and
\&\fBEVP_DigestSign()\fR return 1 for success and 0 for failure.
.PP
The error codes can be obtained from \fBERR_get_error\fR\|(3).
.SH "NOTES"
.IX Header "NOTES"
The \fB\s-1EVP\s0\fR interface to digital signatures should almost always be used in
preference to the low-level interfaces. This is because the code then becomes
transparent to the algorithm used and much more flexible.
.PP
\&\fBEVP_DigestSign()\fR is a one shot operation which signs a single block of data
in one function. For algorithms that support streaming it is equivalent to
calling \fBEVP_DigestSignUpdate()\fR and \fBEVP_DigestSignFinal()\fR. For algorithms which
do not support streaming (e.g. PureEdDSA) it is the only way to sign data.
.PP
In previous versions of OpenSSL there was a link between message digest types
and public key algorithms. This meant that \*(L"clone\*(R" digests such as \fBEVP_dss1()\fR
needed to be used to sign using \s-1SHA1\s0 and \s-1DSA.\s0 This is no longer necessary and
the use of clone digest is now discouraged.
.PP
For some key types and parameters the random number generator must be seeded.
If the automatic seeding or reseeding of the OpenSSL \s-1CSPRNG\s0 fails due to
external circumstances (see \s-1\fBRAND\s0\fR\|(7)), the operation will fail.
.PP
The call to \fBEVP_DigestSignFinal()\fR internally finalizes a copy of the digest
context. This means that calls to \fBEVP_DigestSignUpdate()\fR and
\&\fBEVP_DigestSignFinal()\fR can be called later to digest and sign additional data.
.PP
Since only a copy of the digest context is ever finalized, the context must
be cleaned up after use by calling \fBEVP_MD_CTX_free()\fR or a memory leak
will occur.
.PP
The use of \fBEVP_PKEY_size()\fR with these functions is discouraged because some
signature operations may have a signature length which depends on the
parameters set. As a result \fBEVP_PKEY_size()\fR would have to return a value
which indicates the maximum possible signature for any set of parameters.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_DigestVerifyInit\fR\|(3),
\&\fBEVP_DigestInit\fR\|(3),
\&\fBevp\fR\|(7), \s-1\fBHMAC\s0\fR\|(3), \s-1\fBMD2\s0\fR\|(3),
\&\s-1\fBMD5\s0\fR\|(3), \s-1\fBMDC2\s0\fR\|(3), \s-1\fBRIPEMD160\s0\fR\|(3),
\&\s-1\fBSHA1\s0\fR\|(3), \fBdgst\fR\|(1),
\&\s-1\fBRAND\s0\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBEVP_DigestSignInit()\fR, \fBEVP_DigestSignUpdate()\fR and \fBEVP_DigestSignFinal()\fR
were added in OpenSSL 1.0.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_DigestVerifyInit.3 b/secure/lib/libcrypto/man/man3/EVP_DigestVerifyInit.3
index e9eece446c76..f35b47678d52 100644
--- a/secure/lib/libcrypto/man/man3/EVP_DigestVerifyInit.3
+++ b/secure/lib/libcrypto/man/man3/EVP_DigestVerifyInit.3
@@ -1,243 +1,243 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_DIGESTVERIFYINIT 3"
-.TH EVP_DIGESTVERIFYINIT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_DIGESTVERIFYINIT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_DigestVerifyInit, EVP_DigestVerifyUpdate, EVP_DigestVerifyFinal, EVP_DigestVerify \- EVP signature verification functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
\& const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey);
\& int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt);
\& int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
\& size_t siglen);
\& int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
\& size_t siglen, const unsigned char *tbs, size_t tbslen);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1EVP\s0 signature routines are a high-level interface to digital signatures.
.PP
\&\fBEVP_DigestVerifyInit()\fR sets up verification context \fBctx\fR to use digest
\&\fBtype\fR from \s-1ENGINE\s0 \fBe\fR and public key \fBpkey\fR. \fBctx\fR must be created
with \fBEVP_MD_CTX_new()\fR before calling this function. If \fBpctx\fR is not \s-1NULL,\s0 the
\&\s-1EVP_PKEY_CTX\s0 of the verification operation will be written to \fB*pctx\fR: this
can be used to set alternative verification options. Note that any existing
value in \fB*pctx\fR is overwritten. The \s-1EVP_PKEY_CTX\s0 value returned must not be freed
directly by the application if \fBctx\fR is not assigned an \s-1EVP_PKEY_CTX\s0 value before
being passed to \fBEVP_DigestVerifyInit()\fR (which means the \s-1EVP_PKEY_CTX\s0 is created
inside \fBEVP_DigestVerifyInit()\fR and it will be freed automatically when the
\&\s-1EVP_MD_CTX\s0 is freed).
.PP
No \fB\s-1EVP_PKEY_CTX\s0\fR will be created by \fBEVP_DigestSignInit()\fR if the passed \fBctx\fR
has already been assigned one via \fBEVP_MD_CTX_set_pkey_ctx\fR\|(3). See also \s-1\fBSM2\s0\fR\|(7).
.PP
\&\fBEVP_DigestVerifyUpdate()\fR hashes \fBcnt\fR bytes of data at \fBd\fR into the
verification context \fBctx\fR. This function can be called several times on the
same \fBctx\fR to include additional data. This function is currently implemented
using a macro.
.PP
\&\fBEVP_DigestVerifyFinal()\fR verifies the data in \fBctx\fR against the signature in
\&\fBsig\fR of length \fBsiglen\fR.
.PP
\&\fBEVP_DigestVerify()\fR verifies \fBtbslen\fR bytes at \fBtbs\fR against the signature
in \fBsig\fR of length \fBsiglen\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_DigestVerifyInit()\fR and \fBEVP_DigestVerifyUpdate()\fR return 1 for success and 0
for failure.
.PP
\&\fBEVP_DigestVerifyFinal()\fR and \fBEVP_DigestVerify()\fR return 1 for success; any other
value indicates failure. A return value of zero indicates that the signature
did not verify successfully (that is, \fBtbs\fR did not match the original data or
the signature had an invalid form), while other values indicate a more serious
error (and sometimes also indicate an invalid signature form).
.PP
The error codes can be obtained from \fBERR_get_error\fR\|(3).
.SH "NOTES"
.IX Header "NOTES"
The \fB\s-1EVP\s0\fR interface to digital signatures should almost always be used in
preference to the low-level interfaces. This is because the code then becomes
transparent to the algorithm used and much more flexible.
.PP
\&\fBEVP_DigestVerify()\fR is a one shot operation which verifies a single block of
data in one function. For algorithms that support streaming it is equivalent
to calling \fBEVP_DigestVerifyUpdate()\fR and \fBEVP_DigestVerifyFinal()\fR. For
algorithms which do not support streaming (e.g. PureEdDSA) it is the only way
to verify data.
.PP
In previous versions of OpenSSL there was a link between message digest types
and public key algorithms. This meant that \*(L"clone\*(R" digests such as \fBEVP_dss1()\fR
needed to be used to sign using \s-1SHA1\s0 and \s-1DSA.\s0 This is no longer necessary and
the use of clone digest is now discouraged.
.PP
For some key types and parameters the random number generator must be seeded.
If the automatic seeding or reseeding of the OpenSSL \s-1CSPRNG\s0 fails due to
external circumstances (see \s-1\fBRAND\s0\fR\|(7)), the operation will fail.
.PP
The call to \fBEVP_DigestVerifyFinal()\fR internally finalizes a copy of the digest
context. This means that \fBEVP_VerifyUpdate()\fR and \fBEVP_VerifyFinal()\fR can
be called later to digest and verify additional data.
.PP
Since only a copy of the digest context is ever finalized, the context must
be cleaned up after use by calling \fBEVP_MD_CTX_free()\fR or a memory leak
will occur.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_DigestSignInit\fR\|(3),
\&\fBEVP_DigestInit\fR\|(3),
\&\fBevp\fR\|(7), \s-1\fBHMAC\s0\fR\|(3), \s-1\fBMD2\s0\fR\|(3),
\&\s-1\fBMD5\s0\fR\|(3), \s-1\fBMDC2\s0\fR\|(3), \s-1\fBRIPEMD160\s0\fR\|(3),
\&\s-1\fBSHA1\s0\fR\|(3), \fBdgst\fR\|(1),
\&\s-1\fBRAND\s0\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBEVP_DigestVerifyInit()\fR, \fBEVP_DigestVerifyUpdate()\fR and \fBEVP_DigestVerifyFinal()\fR
were added in OpenSSL 1.0.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_EncodeInit.3 b/secure/lib/libcrypto/man/man3/EVP_EncodeInit.3
index 3644bd006f47..e3a23a33858f 100644
--- a/secure/lib/libcrypto/man/man3/EVP_EncodeInit.3
+++ b/secure/lib/libcrypto/man/man3/EVP_EncodeInit.3
@@ -1,290 +1,290 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_ENCODEINIT 3"
-.TH EVP_ENCODEINIT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_ENCODEINIT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_ENCODE_CTX_new, EVP_ENCODE_CTX_free, EVP_ENCODE_CTX_copy, EVP_ENCODE_CTX_num, EVP_EncodeInit, EVP_EncodeUpdate, EVP_EncodeFinal, EVP_EncodeBlock, EVP_DecodeInit, EVP_DecodeUpdate, EVP_DecodeFinal, EVP_DecodeBlock \- EVP base 64 encode/decode routines
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void);
\& void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx);
\& int EVP_ENCODE_CTX_copy(EVP_ENCODE_CTX *dctx, EVP_ENCODE_CTX *sctx);
\& int EVP_ENCODE_CTX_num(EVP_ENCODE_CTX *ctx);
\& void EVP_EncodeInit(EVP_ENCODE_CTX *ctx);
\& int EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
\& const unsigned char *in, int inl);
\& void EVP_EncodeFinal(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl);
\& int EVP_EncodeBlock(unsigned char *t, const unsigned char *f, int n);
\&
\& void EVP_DecodeInit(EVP_ENCODE_CTX *ctx);
\& int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
\& const unsigned char *in, int inl);
\& int EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl);
\& int EVP_DecodeBlock(unsigned char *t, const unsigned char *f, int n);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1EVP\s0 encode routines provide a high-level interface to base 64 encoding and
decoding. Base 64 encoding converts binary data into a printable form that uses
the characters A\-Z, a\-z, 0\-9, \*(L"+\*(R" and \*(L"/\*(R" to represent the data. For every 3
bytes of binary data provided 4 bytes of base 64 encoded data will be produced
plus some occasional newlines (see below). If the input data length is not a
multiple of 3 then the output data will be padded at the end using the \*(L"=\*(R"
character.
.PP
\&\fBEVP_ENCODE_CTX_new()\fR allocates, initializes and returns a context to be used for
the encode/decode functions.
.PP
\&\fBEVP_ENCODE_CTX_free()\fR cleans up an encode/decode context \fBctx\fR and frees up the
space allocated to it.
.PP
Encoding of binary data is performed in blocks of 48 input bytes (or less for
the final block). For each 48 byte input block encoded 64 bytes of base 64 data
is output plus an additional newline character (i.e. 65 bytes in total). The
final block (which may be less than 48 bytes) will output 4 bytes for every 3
bytes of input. If the data length is not divisible by 3 then a full 4 bytes is
still output for the final 1 or 2 bytes of input. Similarly a newline character
will also be output.
.PP
\&\fBEVP_EncodeInit()\fR initialises \fBctx\fR for the start of a new encoding operation.
.PP
\&\fBEVP_EncodeUpdate()\fR encode \fBinl\fR bytes of data found in the buffer pointed to by
\&\fBin\fR. The output is stored in the buffer \fBout\fR and the number of bytes output
is stored in \fB*outl\fR. It is the caller's responsibility to ensure that the
buffer at \fBout\fR is sufficiently large to accommodate the output data. Only full
blocks of data (48 bytes) will be immediately processed and output by this
function. Any remainder is held in the \fBctx\fR object and will be processed by a
subsequent call to \fBEVP_EncodeUpdate()\fR or \fBEVP_EncodeFinal()\fR. To calculate the
required size of the output buffer add together the value of \fBinl\fR with the
amount of unprocessed data held in \fBctx\fR and divide the result by 48 (ignore
any remainder). This gives the number of blocks of data that will be processed.
Ensure the output buffer contains 65 bytes of storage for each block, plus an
additional byte for a \s-1NUL\s0 terminator. \fBEVP_EncodeUpdate()\fR may be called
repeatedly to process large amounts of input data. In the event of an error
\&\fBEVP_EncodeUpdate()\fR will set \fB*outl\fR to 0 and return 0. On success 1 will be
returned.
.PP
\&\fBEVP_EncodeFinal()\fR must be called at the end of an encoding operation. It will
process any partial block of data remaining in the \fBctx\fR object. The output
data will be stored in \fBout\fR and the length of the data written will be stored
in \fB*outl\fR. It is the caller's responsibility to ensure that \fBout\fR is
sufficiently large to accommodate the output data which will never be more than
65 bytes plus an additional \s-1NUL\s0 terminator (i.e. 66 bytes in total).
.PP
\&\fBEVP_ENCODE_CTX_copy()\fR can be used to copy a context \fBsctx\fR to a context
\&\fBdctx\fR. \fBdctx\fR must be initialized before calling this function.
.PP
\&\fBEVP_ENCODE_CTX_num()\fR will return the number of as yet unprocessed bytes still to
be encoded or decoded that are pending in the \fBctx\fR object.
.PP
\&\fBEVP_EncodeBlock()\fR encodes a full block of input data in \fBf\fR and of length
\&\fBn\fR and stores it in \fBt\fR. For every 3 bytes of input provided 4 bytes of
output data will be produced. If \fBn\fR is not divisible by 3 then the block is
encoded as a final block of data and the output is padded such that it is always
divisible by 4. Additionally a \s-1NUL\s0 terminator character will be added. For
example if 16 bytes of input data is provided then 24 bytes of encoded data is
created plus 1 byte for a \s-1NUL\s0 terminator (i.e. 25 bytes in total). The length of
the data generated \fIwithout\fR the \s-1NUL\s0 terminator is returned from the function.
.PP
\&\fBEVP_DecodeInit()\fR initialises \fBctx\fR for the start of a new decoding operation.
.PP
\&\fBEVP_DecodeUpdate()\fR decodes \fBinl\fR characters of data found in the buffer pointed
to by \fBin\fR. The output is stored in the buffer \fBout\fR and the number of bytes
output is stored in \fB*outl\fR. It is the caller's responsibility to ensure that
the buffer at \fBout\fR is sufficiently large to accommodate the output data. This
function will attempt to decode as much data as possible in 4 byte chunks. Any
whitespace, newline or carriage return characters are ignored. Any partial chunk
of unprocessed data (1, 2 or 3 bytes) that remains at the end will be held in
the \fBctx\fR object and processed by a subsequent call to \fBEVP_DecodeUpdate()\fR. If
any illegal base 64 characters are encountered or if the base 64 padding
character \*(L"=\*(R" is encountered in the middle of the data then the function returns
\&\-1 to indicate an error. A return value of 0 or 1 indicates successful
processing of the data. A return value of 0 additionally indicates that the last
input data characters processed included the base 64 padding character \*(L"=\*(R" and
therefore no more non-padding character data is expected to be processed. For
every 4 valid base 64 bytes processed (ignoring whitespace, carriage returns and
line feeds), 3 bytes of binary output data will be produced (or less at the end
of the data where the padding character \*(L"=\*(R" has been used).
.PP
\&\fBEVP_DecodeFinal()\fR must be called at the end of a decoding operation. If there
is any unprocessed data still in \fBctx\fR then the input data must not have been
a multiple of 4 and therefore an error has occurred. The function will return \-1
in this case. Otherwise the function returns 1 on success.
.PP
\&\fBEVP_DecodeBlock()\fR will decode the block of \fBn\fR characters of base 64 data
contained in \fBf\fR and store the result in \fBt\fR. Any leading whitespace will be
trimmed as will any trailing whitespace, newlines, carriage returns or \s-1EOF\s0
characters. After such trimming the length of the data in \fBf\fR must be divisible
by 4. For every 4 input bytes exactly 3 output bytes will be produced. The
output will be padded with 0 bits if necessary to ensure that the output is
always 3 bytes for every 4 input bytes. This function will return the length of
the data decoded or \-1 on error.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_ENCODE_CTX_new()\fR returns a pointer to the newly allocated \s-1EVP_ENCODE_CTX\s0
object or \s-1NULL\s0 on error.
.PP
\&\fBEVP_ENCODE_CTX_num()\fR returns the number of bytes pending encoding or decoding in
\&\fBctx\fR.
.PP
\&\fBEVP_EncodeUpdate()\fR returns 0 on error or 1 on success.
.PP
\&\fBEVP_EncodeBlock()\fR returns the number of bytes encoded excluding the \s-1NUL\s0
terminator.
.PP
\&\fBEVP_DecodeUpdate()\fR returns \-1 on error and 0 or 1 on success. If 0 is returned
then no more non-padding base 64 characters are expected.
.PP
\&\fBEVP_DecodeFinal()\fR returns \-1 on error or 1 on success.
.PP
\&\fBEVP_DecodeBlock()\fR returns the length of the data decoded or \-1 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_EncryptInit.3 b/secure/lib/libcrypto/man/man3/EVP_EncryptInit.3
index fe30ff4bcff8..e635e17bb297 100644
--- a/secure/lib/libcrypto/man/man3/EVP_EncryptInit.3
+++ b/secure/lib/libcrypto/man/man3/EVP_EncryptInit.3
@@ -1,727 +1,727 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_ENCRYPTINIT 3"
-.TH EVP_ENCRYPTINIT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_ENCRYPTINIT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_CIPHER_CTX_new, EVP_CIPHER_CTX_reset, EVP_CIPHER_CTX_free, EVP_EncryptInit_ex, EVP_EncryptUpdate, EVP_EncryptFinal_ex, EVP_DecryptInit_ex, EVP_DecryptUpdate, EVP_DecryptFinal_ex, EVP_CipherInit_ex, EVP_CipherUpdate, EVP_CipherFinal_ex, EVP_CIPHER_CTX_set_key_length, EVP_CIPHER_CTX_ctrl, EVP_EncryptInit, EVP_EncryptFinal, EVP_DecryptInit, EVP_DecryptFinal, EVP_CipherInit, EVP_CipherFinal, EVP_get_cipherbyname, EVP_get_cipherbynid, EVP_get_cipherbyobj, EVP_CIPHER_nid, EVP_CIPHER_block_size, EVP_CIPHER_key_length, EVP_CIPHER_iv_length, EVP_CIPHER_flags, EVP_CIPHER_mode, EVP_CIPHER_type, EVP_CIPHER_CTX_cipher, EVP_CIPHER_CTX_nid, EVP_CIPHER_CTX_block_size, EVP_CIPHER_CTX_key_length, EVP_CIPHER_CTX_iv_length, EVP_CIPHER_CTX_get_app_data, EVP_CIPHER_CTX_set_app_data, EVP_CIPHER_CTX_type, EVP_CIPHER_CTX_flags, EVP_CIPHER_CTX_mode, EVP_CIPHER_param_to_asn1, EVP_CIPHER_asn1_to_param, EVP_CIPHER_CTX_set_padding, EVP_enc_null \&\- EVP cipher routines
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void);
\& int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx);
\& void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx);
\&
\& int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
\& ENGINE *impl, const unsigned char *key, const unsigned char *iv);
\& int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
\& int *outl, const unsigned char *in, int inl);
\& int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
\&
\& int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
\& ENGINE *impl, const unsigned char *key, const unsigned char *iv);
\& int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
\& int *outl, const unsigned char *in, int inl);
\& int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
\&
\& int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
\& ENGINE *impl, const unsigned char *key, const unsigned char *iv, int enc);
\& int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
\& int *outl, const unsigned char *in, int inl);
\& int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
\&
\& int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
\& const unsigned char *key, const unsigned char *iv);
\& int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
\&
\& int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
\& const unsigned char *key, const unsigned char *iv);
\& int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
\&
\& int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
\& const unsigned char *key, const unsigned char *iv, int enc);
\& int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
\&
\& int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *x, int padding);
\& int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen);
\& int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr);
\& int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key);
\&
\& const EVP_CIPHER *EVP_get_cipherbyname(const char *name);
\& const EVP_CIPHER *EVP_get_cipherbynid(int nid);
\& const EVP_CIPHER *EVP_get_cipherbyobj(const ASN1_OBJECT *a);
\&
\& int EVP_CIPHER_nid(const EVP_CIPHER *e);
\& int EVP_CIPHER_block_size(const EVP_CIPHER *e);
\& int EVP_CIPHER_key_length(const EVP_CIPHER *e);
\& int EVP_CIPHER_iv_length(const EVP_CIPHER *e);
\& unsigned long EVP_CIPHER_flags(const EVP_CIPHER *e);
\& unsigned long EVP_CIPHER_mode(const EVP_CIPHER *e);
\& int EVP_CIPHER_type(const EVP_CIPHER *ctx);
\&
\& const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx);
\& int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx);
\& int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx);
\& int EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx);
\& int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx);
\& void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx);
\& void EVP_CIPHER_CTX_set_app_data(const EVP_CIPHER_CTX *ctx, void *data);
\& int EVP_CIPHER_CTX_type(const EVP_CIPHER_CTX *ctx);
\& int EVP_CIPHER_CTX_mode(const EVP_CIPHER_CTX *ctx);
\&
\& int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
\& int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1EVP\s0 cipher routines are a high-level interface to certain
symmetric ciphers.
.PP
\&\fBEVP_CIPHER_CTX_new()\fR creates a cipher context.
.PP
\&\fBEVP_CIPHER_CTX_free()\fR clears all information from a cipher context
and free up any allocated memory associate with it, including \fBctx\fR
itself. This function should be called after all operations using a
cipher are complete so sensitive information does not remain in
memory.
.PP
\&\fBEVP_EncryptInit_ex()\fR sets up cipher context \fBctx\fR for encryption
with cipher \fBtype\fR from \s-1ENGINE\s0 \fBimpl\fR. \fBctx\fR must be created
before calling this function. \fBtype\fR is normally supplied
by a function such as \fBEVP_aes_256_cbc()\fR. If \fBimpl\fR is \s-1NULL\s0 then the
default implementation is used. \fBkey\fR is the symmetric key to use
and \fBiv\fR is the \s-1IV\s0 to use (if necessary), the actual number of bytes
used for the key and \s-1IV\s0 depends on the cipher. It is possible to set
all parameters to \s-1NULL\s0 except \fBtype\fR in an initial call and supply
the remaining parameters in subsequent calls, all of which have \fBtype\fR
set to \s-1NULL.\s0 This is done when the default cipher parameters are not
appropriate.
.PP
\&\fBEVP_EncryptUpdate()\fR encrypts \fBinl\fR bytes from the buffer \fBin\fR and
writes the encrypted version to \fBout\fR. This function can be called
multiple times to encrypt successive blocks of data. The amount
of data written depends on the block alignment of the encrypted data.
For most ciphers and modes, the amount of data written can be anything
from zero bytes to (inl + cipher_block_size \- 1) bytes.
For wrap cipher modes, the amount of data written can be anything
from zero bytes to (inl + cipher_block_size) bytes.
For stream ciphers, the amount of data written can be anything from zero
bytes to inl bytes.
Thus, \fBout\fR should contain sufficient room for the operation being performed.
The actual number of bytes written is placed in \fBoutl\fR. It also
checks if \fBin\fR and \fBout\fR are partially overlapping, and if they are
0 is returned to indicate failure.
.PP
If padding is enabled (the default) then \fBEVP_EncryptFinal_ex()\fR encrypts
the \*(L"final\*(R" data, that is any data that remains in a partial block.
It uses standard block padding (aka \s-1PKCS\s0 padding) as described in
the \s-1NOTES\s0 section, below. The encrypted
final data is written to \fBout\fR which should have sufficient space for
one cipher block. The number of bytes written is placed in \fBoutl\fR. After
this function is called the encryption operation is finished and no further
calls to \fBEVP_EncryptUpdate()\fR should be made.
.PP
If padding is disabled then \fBEVP_EncryptFinal_ex()\fR will not encrypt any more
data and it will return an error if any data remains in a partial block:
that is if the total data length is not a multiple of the block size.
.PP
\&\fBEVP_DecryptInit_ex()\fR, \fBEVP_DecryptUpdate()\fR and \fBEVP_DecryptFinal_ex()\fR are the
corresponding decryption operations. \fBEVP_DecryptFinal()\fR will return an
error code if padding is enabled and the final block is not correctly
formatted. The parameters and restrictions are identical to the encryption
operations except that if padding is enabled the decrypted data buffer \fBout\fR
passed to \fBEVP_DecryptUpdate()\fR should have sufficient room for
(\fBinl\fR + cipher_block_size) bytes unless the cipher block size is 1 in
which case \fBinl\fR bytes is sufficient.
.PP
\&\fBEVP_CipherInit_ex()\fR, \fBEVP_CipherUpdate()\fR and \fBEVP_CipherFinal_ex()\fR are
functions that can be used for decryption or encryption. The operation
performed depends on the value of the \fBenc\fR parameter. It should be set
to 1 for encryption, 0 for decryption and \-1 to leave the value unchanged
(the actual value of 'enc' being supplied in a previous call).
.PP
\&\fBEVP_CIPHER_CTX_reset()\fR clears all information from a cipher context
and free up any allocated memory associate with it, except the \fBctx\fR
itself. This function should be called anytime \fBctx\fR is to be reused
for another \fBEVP_CipherInit()\fR / \fBEVP_CipherUpdate()\fR / \fBEVP_CipherFinal()\fR
series of calls.
.PP
\&\fBEVP_EncryptInit()\fR, \fBEVP_DecryptInit()\fR and \fBEVP_CipherInit()\fR behave in a
similar way to \fBEVP_EncryptInit_ex()\fR, \fBEVP_DecryptInit_ex()\fR and
\&\fBEVP_CipherInit_ex()\fR except they always use the default cipher implementation.
.PP
\&\fBEVP_EncryptFinal()\fR, \fBEVP_DecryptFinal()\fR and \fBEVP_CipherFinal()\fR are
identical to \fBEVP_EncryptFinal_ex()\fR, \fBEVP_DecryptFinal_ex()\fR and
\&\fBEVP_CipherFinal_ex()\fR. In previous releases they also cleaned up
the \fBctx\fR, but this is no longer done and \fBEVP_CIPHER_CTX_clean()\fR
must be called to free any context resources.
.PP
\&\fBEVP_get_cipherbyname()\fR, \fBEVP_get_cipherbynid()\fR and \fBEVP_get_cipherbyobj()\fR
return an \s-1EVP_CIPHER\s0 structure when passed a cipher name, a \s-1NID\s0 or an
\&\s-1ASN1_OBJECT\s0 structure.
.PP
\&\fBEVP_CIPHER_nid()\fR and \fBEVP_CIPHER_CTX_nid()\fR return the \s-1NID\s0 of a cipher when
passed an \fB\s-1EVP_CIPHER\s0\fR or \fB\s-1EVP_CIPHER_CTX\s0\fR structure. The actual \s-1NID\s0
value is an internal value which may not have a corresponding \s-1OBJECT
IDENTIFIER.\s0
.PP
\&\fBEVP_CIPHER_CTX_set_padding()\fR enables or disables padding. This
function should be called after the context is set up for encryption
or decryption with \fBEVP_EncryptInit_ex()\fR, \fBEVP_DecryptInit_ex()\fR or
\&\fBEVP_CipherInit_ex()\fR. By default encryption operations are padded using
standard block padding and the padding is checked and removed when
decrypting. If the \fBpad\fR parameter is zero then no padding is
performed, the total amount of data encrypted or decrypted must then
be a multiple of the block size or an error will occur.
.PP
\&\fBEVP_CIPHER_key_length()\fR and \fBEVP_CIPHER_CTX_key_length()\fR return the key
length of a cipher when passed an \fB\s-1EVP_CIPHER\s0\fR or \fB\s-1EVP_CIPHER_CTX\s0\fR
structure. The constant \fB\s-1EVP_MAX_KEY_LENGTH\s0\fR is the maximum key length
for all ciphers. Note: although \fBEVP_CIPHER_key_length()\fR is fixed for a
given cipher, the value of \fBEVP_CIPHER_CTX_key_length()\fR may be different
for variable key length ciphers.
.PP
\&\fBEVP_CIPHER_CTX_set_key_length()\fR sets the key length of the cipher ctx.
If the cipher is a fixed length cipher then attempting to set the key
length to any value other than the fixed value is an error.
.PP
\&\fBEVP_CIPHER_iv_length()\fR and \fBEVP_CIPHER_CTX_iv_length()\fR return the \s-1IV\s0
length of a cipher when passed an \fB\s-1EVP_CIPHER\s0\fR or \fB\s-1EVP_CIPHER_CTX\s0\fR.
It will return zero if the cipher does not use an \s-1IV.\s0 The constant
\&\fB\s-1EVP_MAX_IV_LENGTH\s0\fR is the maximum \s-1IV\s0 length for all ciphers.
.PP
\&\fBEVP_CIPHER_block_size()\fR and \fBEVP_CIPHER_CTX_block_size()\fR return the block
size of a cipher when passed an \fB\s-1EVP_CIPHER\s0\fR or \fB\s-1EVP_CIPHER_CTX\s0\fR
structure. The constant \fB\s-1EVP_MAX_BLOCK_LENGTH\s0\fR is also the maximum block
length for all ciphers.
.PP
\&\fBEVP_CIPHER_type()\fR and \fBEVP_CIPHER_CTX_type()\fR return the type of the passed
cipher or context. This \*(L"type\*(R" is the actual \s-1NID\s0 of the cipher \s-1OBJECT
IDENTIFIER\s0 as such it ignores the cipher parameters and 40 bit \s-1RC2\s0 and
128 bit \s-1RC2\s0 have the same \s-1NID.\s0 If the cipher does not have an object
identifier or does not have \s-1ASN1\s0 support this function will return
\&\fBNID_undef\fR.
.PP
\&\fBEVP_CIPHER_CTX_cipher()\fR returns the \fB\s-1EVP_CIPHER\s0\fR structure when passed
an \fB\s-1EVP_CIPHER_CTX\s0\fR structure.
.PP
\&\fBEVP_CIPHER_mode()\fR and \fBEVP_CIPHER_CTX_mode()\fR return the block cipher mode:
\&\s-1EVP_CIPH_ECB_MODE, EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE, EVP_CIPH_OFB_MODE,
EVP_CIPH_CTR_MODE, EVP_CIPH_GCM_MODE, EVP_CIPH_CCM_MODE, EVP_CIPH_XTS_MODE,
EVP_CIPH_WRAP_MODE\s0 or \s-1EVP_CIPH_OCB_MODE.\s0 If the cipher is a stream cipher then
\&\s-1EVP_CIPH_STREAM_CIPHER\s0 is returned.
.PP
\&\fBEVP_CIPHER_param_to_asn1()\fR sets the AlgorithmIdentifier \*(L"parameter\*(R" based
on the passed cipher. This will typically include any parameters and an
\&\s-1IV.\s0 The cipher \s-1IV\s0 (if any) must be set when this call is made. This call
should be made before the cipher is actually \*(L"used\*(R" (before any
\&\fBEVP_EncryptUpdate()\fR, \fBEVP_DecryptUpdate()\fR calls for example). This function
may fail if the cipher does not have any \s-1ASN1\s0 support.
.PP
\&\fBEVP_CIPHER_asn1_to_param()\fR sets the cipher parameters based on an \s-1ASN1\s0
AlgorithmIdentifier \*(L"parameter\*(R". The precise effect depends on the cipher
In the case of \s-1RC2,\s0 for example, it will set the \s-1IV\s0 and effective key length.
This function should be called after the base cipher type is set but before
the key is set. For example \fBEVP_CipherInit()\fR will be called with the \s-1IV\s0 and
key set to \s-1NULL,\s0 \fBEVP_CIPHER_asn1_to_param()\fR will be called and finally
\&\fBEVP_CipherInit()\fR again with all parameters except the key set to \s-1NULL.\s0 It is
possible for this function to fail if the cipher does not have any \s-1ASN1\s0 support
or the parameters cannot be set (for example the \s-1RC2\s0 effective key length
is not supported.
.PP
\&\fBEVP_CIPHER_CTX_ctrl()\fR allows various cipher specific parameters to be determined
and set.
.PP
\&\fBEVP_CIPHER_CTX_rand_key()\fR generates a random key of the appropriate length
based on the cipher context. The \s-1EVP_CIPHER\s0 can provide its own random key
generation routine to support keys of a specific form. \fBKey\fR must point to a
buffer at least as big as the value returned by \fBEVP_CIPHER_CTX_key_length()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_CIPHER_CTX_new()\fR returns a pointer to a newly created
\&\fB\s-1EVP_CIPHER_CTX\s0\fR for success and \fB\s-1NULL\s0\fR for failure.
.PP
\&\fBEVP_EncryptInit_ex()\fR, \fBEVP_EncryptUpdate()\fR and \fBEVP_EncryptFinal_ex()\fR
return 1 for success and 0 for failure.
.PP
\&\fBEVP_DecryptInit_ex()\fR and \fBEVP_DecryptUpdate()\fR return 1 for success and 0 for failure.
\&\fBEVP_DecryptFinal_ex()\fR returns 0 if the decrypt failed or 1 for success.
.PP
\&\fBEVP_CipherInit_ex()\fR and \fBEVP_CipherUpdate()\fR return 1 for success and 0 for failure.
\&\fBEVP_CipherFinal_ex()\fR returns 0 for a decryption failure or 1 for success.
.PP
\&\fBEVP_CIPHER_CTX_reset()\fR returns 1 for success and 0 for failure.
.PP
\&\fBEVP_get_cipherbyname()\fR, \fBEVP_get_cipherbynid()\fR and \fBEVP_get_cipherbyobj()\fR
return an \fB\s-1EVP_CIPHER\s0\fR structure or \s-1NULL\s0 on error.
.PP
\&\fBEVP_CIPHER_nid()\fR and \fBEVP_CIPHER_CTX_nid()\fR return a \s-1NID.\s0
.PP
\&\fBEVP_CIPHER_block_size()\fR and \fBEVP_CIPHER_CTX_block_size()\fR return the block
size.
.PP
\&\fBEVP_CIPHER_key_length()\fR and \fBEVP_CIPHER_CTX_key_length()\fR return the key
length.
.PP
\&\fBEVP_CIPHER_CTX_set_padding()\fR always returns 1.
.PP
\&\fBEVP_CIPHER_iv_length()\fR and \fBEVP_CIPHER_CTX_iv_length()\fR return the \s-1IV\s0
length or zero if the cipher does not use an \s-1IV.\s0
.PP
\&\fBEVP_CIPHER_type()\fR and \fBEVP_CIPHER_CTX_type()\fR return the \s-1NID\s0 of the cipher's
\&\s-1OBJECT IDENTIFIER\s0 or NID_undef if it has no defined \s-1OBJECT IDENTIFIER.\s0
.PP
\&\fBEVP_CIPHER_CTX_cipher()\fR returns an \fB\s-1EVP_CIPHER\s0\fR structure.
.PP
\&\fBEVP_CIPHER_param_to_asn1()\fR and \fBEVP_CIPHER_asn1_to_param()\fR return greater
than zero for success and zero or a negative number on failure.
.PP
\&\fBEVP_CIPHER_CTX_rand_key()\fR returns 1 for success.
.SH "CIPHER LISTING"
.IX Header "CIPHER LISTING"
All algorithms have a fixed key length unless otherwise stated.
.PP
Refer to \*(L"\s-1SEE ALSO\*(R"\s0 for the full list of ciphers available through the \s-1EVP\s0
interface.
.IP "\fBEVP_enc_null()\fR" 4
.IX Item "EVP_enc_null()"
Null cipher: does nothing.
.SH "AEAD Interface"
.IX Header "AEAD Interface"
The \s-1EVP\s0 interface for Authenticated Encryption with Associated Data (\s-1AEAD\s0)
modes are subtly altered and several additional \fIctrl\fR operations are supported
depending on the mode specified.
.PP
To specify additional authenticated data (\s-1AAD\s0), a call to \fBEVP_CipherUpdate()\fR,
\&\fBEVP_EncryptUpdate()\fR or \fBEVP_DecryptUpdate()\fR should be made with the output
parameter \fBout\fR set to \fB\s-1NULL\s0\fR.
.PP
When decrypting, the return value of \fBEVP_DecryptFinal()\fR or \fBEVP_CipherFinal()\fR
indicates whether the operation was successful. If it does not indicate success,
the authentication operation has failed and any output data \fB\s-1MUST NOT\s0\fR be used
as it is corrupted.
.SS "\s-1GCM\s0 and \s-1OCB\s0 Modes"
.IX Subsection "GCM and OCB Modes"
The following \fIctrl\fRs are supported in \s-1GCM\s0 and \s-1OCB\s0 modes.
.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_SET_IVLEN,\s0 ivlen, \s-1NULL\s0)" 4
.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)"
Sets the \s-1IV\s0 length. This call can only be made before specifying an \s-1IV.\s0 If
not called a default \s-1IV\s0 length is used.
.Sp
For \s-1GCM AES\s0 and \s-1OCB AES\s0 the default is 12 (i.e. 96 bits). For \s-1OCB\s0 mode the
maximum is 15.
.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_GET_TAG,\s0 taglen, tag)" 4
.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag)"
Writes \f(CW\*(C`taglen\*(C'\fR bytes of the tag value to the buffer indicated by \f(CW\*(C`tag\*(C'\fR.
This call can only be made when encrypting data and \fBafter\fR all data has been
processed (e.g. after an \fBEVP_EncryptFinal()\fR call).
.Sp
For \s-1OCB,\s0 \f(CW\*(C`taglen\*(C'\fR must either be 16 or the value previously set via
\&\fB\s-1EVP_CTRL_AEAD_SET_TAG\s0\fR.
.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_SET_TAG,\s0 taglen, tag)" 4
.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)"
When decrypting, this call sets the expected tag to \f(CW\*(C`taglen\*(C'\fR bytes from \f(CW\*(C`tag\*(C'\fR.
\&\f(CW\*(C`taglen\*(C'\fR must be between 1 and 16 inclusive.
The tag must be set prior to any call to \fBEVP_DecryptFinal()\fR or
\&\fBEVP_DecryptFinal_ex()\fR.
.Sp
For \s-1GCM,\s0 this call is only valid when decrypting data.
.Sp
For \s-1OCB,\s0 this call is valid when decrypting data to set the expected tag,
and when encrypting to set the desired tag length.
.Sp
In \s-1OCB\s0 mode, calling this when encrypting with \f(CW\*(C`tag\*(C'\fR set to \f(CW\*(C`NULL\*(C'\fR sets the
tag length. The tag length can only be set before specifying an \s-1IV.\s0 If this is
not called prior to setting the \s-1IV\s0 during encryption, then a default tag length
is used.
.Sp
For \s-1OCB AES,\s0 the default tag length is 16 (i.e. 128 bits). It is also the
maximum tag length for \s-1OCB.\s0
.SS "\s-1CCM\s0 Mode"
.IX Subsection "CCM Mode"
The \s-1EVP\s0 interface for \s-1CCM\s0 mode is similar to that of the \s-1GCM\s0 mode but with a
few additional requirements and different \fIctrl\fR values.
.PP
For \s-1CCM\s0 mode, the total plaintext or ciphertext length \fB\s-1MUST\s0\fR be passed to
\&\fBEVP_CipherUpdate()\fR, \fBEVP_EncryptUpdate()\fR or \fBEVP_DecryptUpdate()\fR with the output
and input parameters (\fBin\fR and \fBout\fR) set to \fB\s-1NULL\s0\fR and the length passed in
the \fBinl\fR parameter.
.PP
The following \fIctrl\fRs are supported in \s-1CCM\s0 mode.
.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_SET_TAG,\s0 taglen, tag)" 4
.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)"
This call is made to set the expected \fB\s-1CCM\s0\fR tag value when decrypting or
the length of the tag (with the \f(CW\*(C`tag\*(C'\fR parameter set to \s-1NULL\s0) when encrypting.
The tag length is often referred to as \fBM\fR. If not set a default value is
used (12 for \s-1AES\s0). When decrypting, the tag needs to be set before passing
in data to be decrypted, but as in \s-1GCM\s0 and \s-1OCB\s0 mode, it can be set after
passing additional authenticated data (see \*(L"\s-1AEAD\s0 Interface\*(R").
.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_CCM_SET_L,\s0 ivlen, \s-1NULL\s0)" 4
.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_L, ivlen, NULL)"
Sets the \s-1CCM\s0 \fBL\fR value. If not set a default is used (8 for \s-1AES\s0).
.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_SET_IVLEN,\s0 ivlen, \s-1NULL\s0)" 4
.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)"
Sets the \s-1CCM\s0 nonce (\s-1IV\s0) length. This call can only be made before specifying
a nonce value. The nonce length is given by \fB15 \- L\fR so it is 7 by default for
\&\s-1AES.\s0
.SS "ChaCha20\-Poly1305"
.IX Subsection "ChaCha20-Poly1305"
The following \fIctrl\fRs are supported for the ChaCha20\-Poly1305 \s-1AEAD\s0 algorithm.
.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_SET_IVLEN,\s0 ivlen, \s-1NULL\s0)" 4
.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)"
Sets the nonce length. This call can only be made before specifying the nonce.
If not called a default nonce length of 12 (i.e. 96 bits) is used. The maximum
nonce length is 12 bytes (i.e. 96\-bits). If a nonce of less than 12 bytes is set
then the nonce is automatically padded with leading 0 bytes to make it 12 bytes
in length.
.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_GET_TAG,\s0 taglen, tag)" 4
.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag)"
Writes \f(CW\*(C`taglen\*(C'\fR bytes of the tag value to the buffer indicated by \f(CW\*(C`tag\*(C'\fR.
This call can only be made when encrypting data and \fBafter\fR all data has been
processed (e.g. after an \fBEVP_EncryptFinal()\fR call).
.Sp
\&\f(CW\*(C`taglen\*(C'\fR specified here must be 16 (\fB\s-1POLY1305_BLOCK_SIZE\s0\fR, i.e. 128\-bits) or
less.
.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_SET_TAG,\s0 taglen, tag)" 4
.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)"
Sets the expected tag to \f(CW\*(C`taglen\*(C'\fR bytes from \f(CW\*(C`tag\*(C'\fR.
The tag length can only be set before specifying an \s-1IV.\s0
\&\f(CW\*(C`taglen\*(C'\fR must be between 1 and 16 (\fB\s-1POLY1305_BLOCK_SIZE\s0\fR) inclusive.
This call is only valid when decrypting data.
.SH "NOTES"
.IX Header "NOTES"
Where possible the \fB\s-1EVP\s0\fR interface to symmetric ciphers should be used in
preference to the low-level interfaces. This is because the code then becomes
transparent to the cipher used and much more flexible. Additionally, the
\&\fB\s-1EVP\s0\fR interface will ensure the use of platform specific cryptographic
acceleration such as AES-NI (the low-level interfaces do not provide the
guarantee).
.PP
\&\s-1PKCS\s0 padding works by adding \fBn\fR padding bytes of value \fBn\fR to make the total
length of the encrypted data a multiple of the block size. Padding is always
added so if the data is already a multiple of the block size \fBn\fR will equal
the block size. For example if the block size is 8 and 11 bytes are to be
encrypted then 5 padding bytes of value 5 will be added.
.PP
When decrypting the final block is checked to see if it has the correct form.
.PP
Although the decryption operation can produce an error if padding is enabled,
it is not a strong test that the input data or key is correct. A random block
has better than 1 in 256 chance of being of the correct format and problems with
the input data earlier on will not produce a final decrypt error.
.PP
If padding is disabled then the decryption operation will always succeed if
the total amount of data decrypted is a multiple of the block size.
.PP
The functions \fBEVP_EncryptInit()\fR, \fBEVP_EncryptFinal()\fR, \fBEVP_DecryptInit()\fR,
\&\fBEVP_CipherInit()\fR and \fBEVP_CipherFinal()\fR are obsolete but are retained for
compatibility with existing code. New code should use \fBEVP_EncryptInit_ex()\fR,
\&\fBEVP_EncryptFinal_ex()\fR, \fBEVP_DecryptInit_ex()\fR, \fBEVP_DecryptFinal_ex()\fR,
\&\fBEVP_CipherInit_ex()\fR and \fBEVP_CipherFinal_ex()\fR because they can reuse an
existing context without allocating and freeing it up on each call.
.PP
There are some differences between functions \fBEVP_CipherInit()\fR and
\&\fBEVP_CipherInit_ex()\fR, significant in some circumstances. \fBEVP_CipherInit()\fR fills
the passed context object with zeros. As a consequence, \fBEVP_CipherInit()\fR does
not allow step-by-step initialization of the ctx when the \fIkey\fR and \fIiv\fR are
passed in separate calls. It also means that the flags set for the \s-1CTX\s0 are
removed, and it is especially important for the
\&\fB\s-1EVP_CIPHER_CTX_FLAG_WRAP_ALLOW\s0\fR flag treated specially in
\&\fBEVP_CipherInit_ex()\fR.
.PP
\&\fBEVP_get_cipherbynid()\fR, and \fBEVP_get_cipherbyobj()\fR are implemented as macros.
.SH "BUGS"
.IX Header "BUGS"
\&\fB\s-1EVP_MAX_KEY_LENGTH\s0\fR and \fB\s-1EVP_MAX_IV_LENGTH\s0\fR only refer to the internal
ciphers with default key lengths. If custom ciphers exceed these values the
results are unpredictable. This is because it has become standard practice to
define a generic key as a fixed unsigned char array containing
\&\fB\s-1EVP_MAX_KEY_LENGTH\s0\fR bytes.
.PP
The \s-1ASN1\s0 code is incomplete (and sometimes inaccurate) it has only been tested
for certain common S/MIME ciphers (\s-1RC2, DES,\s0 triple \s-1DES\s0) in \s-1CBC\s0 mode.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Encrypt a string using \s-1IDEA:\s0
.PP
.Vb 10
\& int do_crypt(char *outfile)
\& {
\& unsigned char outbuf[1024];
\& int outlen, tmplen;
\& /*
\& * Bogus key and IV: we\*(Aqd normally set these from
\& * another source.
\& */
\& unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
\& unsigned char iv[] = {1,2,3,4,5,6,7,8};
\& char intext[] = "Some Crypto Text";
\& EVP_CIPHER_CTX *ctx;
\& FILE *out;
\&
\& ctx = EVP_CIPHER_CTX_new();
\& EVP_EncryptInit_ex(ctx, EVP_idea_cbc(), NULL, key, iv);
\&
\& if (!EVP_EncryptUpdate(ctx, outbuf, &outlen, intext, strlen(intext))) {
\& /* Error */
\& EVP_CIPHER_CTX_free(ctx);
\& return 0;
\& }
\& /*
\& * Buffer passed to EVP_EncryptFinal() must be after data just
\& * encrypted to avoid overwriting it.
\& */
\& if (!EVP_EncryptFinal_ex(ctx, outbuf + outlen, &tmplen)) {
\& /* Error */
\& EVP_CIPHER_CTX_free(ctx);
\& return 0;
\& }
\& outlen += tmplen;
\& EVP_CIPHER_CTX_free(ctx);
\& /*
\& * Need binary mode for fopen because encrypted data is
\& * binary data. Also cannot use strlen() on it because
\& * it won\*(Aqt be NUL terminated and may contain embedded
\& * NULs.
\& */
\& out = fopen(outfile, "wb");
\& if (out == NULL) {
\& /* Error */
\& return 0;
\& }
\& fwrite(outbuf, 1, outlen, out);
\& fclose(out);
\& return 1;
\& }
.Ve
.PP
The ciphertext from the above example can be decrypted using the \fBopenssl\fR
utility with the command line (shown on two lines for clarity):
.PP
.Vb 2
\& openssl idea \-d \e
\& \-K 000102030405060708090A0B0C0D0E0F \-iv 0102030405060708 <filename
.Ve
.PP
General encryption and decryption function example using \s-1FILE I/O\s0 and \s-1AES128\s0
with a 128\-bit key:
.PP
.Vb 12
\& int do_crypt(FILE *in, FILE *out, int do_encrypt)
\& {
\& /* Allow enough space in output buffer for additional block */
\& unsigned char inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH];
\& int inlen, outlen;
\& EVP_CIPHER_CTX *ctx;
\& /*
\& * Bogus key and IV: we\*(Aqd normally set these from
\& * another source.
\& */
\& unsigned char key[] = "0123456789abcdeF";
\& unsigned char iv[] = "1234567887654321";
\&
\& /* Don\*(Aqt set key or IV right away; we want to check lengths */
\& ctx = EVP_CIPHER_CTX_new();
\& EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, NULL, NULL,
\& do_encrypt);
\& OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) == 16);
\& OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16);
\&
\& /* Now we can set key and IV */
\& EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, do_encrypt);
\&
\& for (;;) {
\& inlen = fread(inbuf, 1, 1024, in);
\& if (inlen <= 0)
\& break;
\& if (!EVP_CipherUpdate(ctx, outbuf, &outlen, inbuf, inlen)) {
\& /* Error */
\& EVP_CIPHER_CTX_free(ctx);
\& return 0;
\& }
\& fwrite(outbuf, 1, outlen, out);
\& }
\& if (!EVP_CipherFinal_ex(ctx, outbuf, &outlen)) {
\& /* Error */
\& EVP_CIPHER_CTX_free(ctx);
\& return 0;
\& }
\& fwrite(outbuf, 1, outlen, out);
\&
\& EVP_CIPHER_CTX_free(ctx);
\& return 1;
\& }
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7)
.PP
Supported ciphers are listed in:
.PP
\&\fBEVP_aes\fR\|(3),
\&\fBEVP_aria\fR\|(3),
\&\fBEVP_bf\fR\|(3),
\&\fBEVP_camellia\fR\|(3),
\&\fBEVP_cast5\fR\|(3),
\&\fBEVP_chacha20\fR\|(3),
\&\fBEVP_des\fR\|(3),
\&\fBEVP_desx\fR\|(3),
\&\fBEVP_idea\fR\|(3),
\&\fBEVP_rc2\fR\|(3),
\&\fBEVP_rc4\fR\|(3),
\&\fBEVP_rc5\fR\|(3),
\&\fBEVP_seed\fR\|(3),
\&\fBEVP_sm4\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
Support for \s-1OCB\s0 mode was added in OpenSSL 1.1.0.
.PP
\&\fB\s-1EVP_CIPHER_CTX\s0\fR was made opaque in OpenSSL 1.1.0. As a result,
\&\fBEVP_CIPHER_CTX_reset()\fR appeared and \fBEVP_CIPHER_CTX_cleanup()\fR
disappeared. \fBEVP_CIPHER_CTX_init()\fR remains as an alias for
\&\fBEVP_CIPHER_CTX_reset()\fR.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_MD_meth_new.3 b/secure/lib/libcrypto/man/man3/EVP_MD_meth_new.3
index 46416728c16b..09391dda6de3 100644
--- a/secure/lib/libcrypto/man/man3/EVP_MD_meth_new.3
+++ b/secure/lib/libcrypto/man/man3/EVP_MD_meth_new.3
@@ -1,301 +1,301 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MD_METH_NEW 3"
-.TH EVP_MD_METH_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_MD_METH_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_MD_meth_dup, EVP_MD_meth_new, EVP_MD_meth_free, EVP_MD_meth_set_input_blocksize, EVP_MD_meth_set_result_size, EVP_MD_meth_set_app_datasize, EVP_MD_meth_set_flags, EVP_MD_meth_set_init, EVP_MD_meth_set_update, EVP_MD_meth_set_final, EVP_MD_meth_set_copy, EVP_MD_meth_set_cleanup, EVP_MD_meth_set_ctrl, EVP_MD_meth_get_input_blocksize, EVP_MD_meth_get_result_size, EVP_MD_meth_get_app_datasize, EVP_MD_meth_get_flags, EVP_MD_meth_get_init, EVP_MD_meth_get_update, EVP_MD_meth_get_final, EVP_MD_meth_get_copy, EVP_MD_meth_get_cleanup, EVP_MD_meth_get_ctrl \&\- Routines to build up EVP_MD methods
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& EVP_MD *EVP_MD_meth_new(int md_type, int pkey_type);
\& void EVP_MD_meth_free(EVP_MD *md);
\& EVP_MD *EVP_MD_meth_dup(const EVP_MD *md);
\&
\& int EVP_MD_meth_set_input_blocksize(EVP_MD *md, int blocksize);
\& int EVP_MD_meth_set_result_size(EVP_MD *md, int resultsize);
\& int EVP_MD_meth_set_app_datasize(EVP_MD *md, int datasize);
\& int EVP_MD_meth_set_flags(EVP_MD *md, unsigned long flags);
\& int EVP_MD_meth_set_init(EVP_MD *md, int (*init)(EVP_MD_CTX *ctx));
\& int EVP_MD_meth_set_update(EVP_MD *md, int (*update)(EVP_MD_CTX *ctx,
\& const void *data,
\& size_t count));
\& int EVP_MD_meth_set_final(EVP_MD *md, int (*final)(EVP_MD_CTX *ctx,
\& unsigned char *md));
\& int EVP_MD_meth_set_copy(EVP_MD *md, int (*copy)(EVP_MD_CTX *to,
\& const EVP_MD_CTX *from));
\& int EVP_MD_meth_set_cleanup(EVP_MD *md, int (*cleanup)(EVP_MD_CTX *ctx));
\& int EVP_MD_meth_set_ctrl(EVP_MD *md, int (*ctrl)(EVP_MD_CTX *ctx, int cmd,
\& int p1, void *p2));
\&
\& int EVP_MD_meth_get_input_blocksize(const EVP_MD *md);
\& int EVP_MD_meth_get_result_size(const EVP_MD *md);
\& int EVP_MD_meth_get_app_datasize(const EVP_MD *md);
\& unsigned long EVP_MD_meth_get_flags(const EVP_MD *md);
\& int (*EVP_MD_meth_get_init(const EVP_MD *md))(EVP_MD_CTX *ctx);
\& int (*EVP_MD_meth_get_update(const EVP_MD *md))(EVP_MD_CTX *ctx,
\& const void *data,
\& size_t count);
\& int (*EVP_MD_meth_get_final(const EVP_MD *md))(EVP_MD_CTX *ctx,
\& unsigned char *md);
\& int (*EVP_MD_meth_get_copy(const EVP_MD *md))(EVP_MD_CTX *to,
\& const EVP_MD_CTX *from);
\& int (*EVP_MD_meth_get_cleanup(const EVP_MD *md))(EVP_MD_CTX *ctx);
\& int (*EVP_MD_meth_get_ctrl(const EVP_MD *md))(EVP_MD_CTX *ctx, int cmd,
\& int p1, void *p2);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fB\s-1EVP_MD\s0\fR type is a structure for digest method implementation.
It can also have associated public/private key signing and verifying
routines.
.PP
\&\fBEVP_MD_meth_new()\fR creates a new \fB\s-1EVP_MD\s0\fR structure.
.PP
\&\fBEVP_MD_meth_dup()\fR creates a copy of \fBmd\fR.
.PP
\&\fBEVP_MD_meth_free()\fR destroys a \fB\s-1EVP_MD\s0\fR structure.
.PP
\&\fBEVP_MD_meth_set_input_blocksize()\fR sets the internal input block size
for the method \fBmd\fR to \fBblocksize\fR bytes.
.PP
\&\fBEVP_MD_meth_set_result_size()\fR sets the size of the result that the
digest method in \fBmd\fR is expected to produce to \fBresultsize\fR bytes.
.PP
The digest method may have its own private data, which OpenSSL will
allocate for it. \fBEVP_MD_meth_set_app_datasize()\fR should be used to
set the size for it to \fBdatasize\fR.
.PP
\&\fBEVP_MD_meth_set_flags()\fR sets the flags to describe optional
behaviours in the particular \fBmd\fR. Several flags can be or'd
together. The available flags are:
.IP "\s-1EVP_MD_FLAG_ONESHOT\s0" 4
.IX Item "EVP_MD_FLAG_ONESHOT"
This digest method can only handle one block of input.
.IP "\s-1EVP_MD_FLAG_XOF\s0" 4
.IX Item "EVP_MD_FLAG_XOF"
This digest method is an extensible-output function (\s-1XOF\s0) and supports
the \fB\s-1EVP_MD_CTRL_XOF_LEN\s0\fR control.
.IP "\s-1EVP_MD_FLAG_DIGALGID_NULL\s0" 4
.IX Item "EVP_MD_FLAG_DIGALGID_NULL"
When setting up a DigestAlgorithmIdentifier, this flag will have the
parameter set to \s-1NULL\s0 by default. Use this for PKCS#1. \fINote: if
combined with \s-1EVP_MD_FLAG_DIGALGID_ABSENT,\s0 the latter will override.\fR
.IP "\s-1EVP_MD_FLAG_DIGALGID_ABSENT\s0" 4
.IX Item "EVP_MD_FLAG_DIGALGID_ABSENT"
When setting up a DigestAlgorithmIdentifier, this flag will have the
parameter be left absent by default. \fINote: if combined with
\&\s-1EVP_MD_FLAG_DIGALGID_NULL,\s0 the latter will be overridden.\fR
.IP "\s-1EVP_MD_FLAG_DIGALGID_CUSTOM\s0" 4
.IX Item "EVP_MD_FLAG_DIGALGID_CUSTOM"
Custom DigestAlgorithmIdentifier handling via ctrl, with
\&\fB\s-1EVP_MD_FLAG_DIGALGID_ABSENT\s0\fR as default. \fINote: if combined with
\&\s-1EVP_MD_FLAG_DIGALGID_NULL,\s0 the latter will be overridden.\fR
Currently unused.
.IP "\s-1EVP_MD_FLAG_FIPS\s0" 4
.IX Item "EVP_MD_FLAG_FIPS"
This digest method is suitable for use in \s-1FIPS\s0 mode.
Currently unused.
.PP
\&\fBEVP_MD_meth_set_init()\fR sets the digest init function for \fBmd\fR.
The digest init function is called by \fBEVP_Digest()\fR, \fBEVP_DigestInit()\fR,
\&\fBEVP_DigestInit_ex()\fR, EVP_SignInit, \fBEVP_SignInit_ex()\fR, \fBEVP_VerifyInit()\fR
and \fBEVP_VerifyInit_ex()\fR.
.PP
\&\fBEVP_MD_meth_set_update()\fR sets the digest update function for \fBmd\fR.
The digest update function is called by \fBEVP_Digest()\fR, \fBEVP_DigestUpdate()\fR and
\&\fBEVP_SignUpdate()\fR.
.PP
\&\fBEVP_MD_meth_set_final()\fR sets the digest final function for \fBmd\fR.
The digest final function is called by \fBEVP_Digest()\fR, \fBEVP_DigestFinal()\fR,
\&\fBEVP_DigestFinal_ex()\fR, \fBEVP_SignFinal()\fR and \fBEVP_VerifyFinal()\fR.
.PP
\&\fBEVP_MD_meth_set_copy()\fR sets the function for \fBmd\fR to do extra
computations after the method's private data structure has been copied
from one \fB\s-1EVP_MD_CTX\s0\fR to another. If all that's needed is to copy
the data, there is no need for this copy function.
Note that the copy function is passed two \fB\s-1EVP_MD_CTX\s0 *\fR, the private
data structure is then available with \fBEVP_MD_CTX_md_data()\fR.
This copy function is called by \fBEVP_MD_CTX_copy()\fR and
\&\fBEVP_MD_CTX_copy_ex()\fR.
.PP
\&\fBEVP_MD_meth_set_cleanup()\fR sets the function for \fBmd\fR to do extra
cleanup before the method's private data structure is cleaned out and
freed.
Note that the cleanup function is passed a \fB\s-1EVP_MD_CTX\s0 *\fR, the
private data structure is then available with \fBEVP_MD_CTX_md_data()\fR.
This cleanup function is called by \fBEVP_MD_CTX_reset()\fR and
\&\fBEVP_MD_CTX_free()\fR.
.PP
\&\fBEVP_MD_meth_set_ctrl()\fR sets the control function for \fBmd\fR.
See \fBEVP_MD_CTX_ctrl\fR\|(3) for the available controls.
.PP
\&\fBEVP_MD_meth_get_input_blocksize()\fR, \fBEVP_MD_meth_get_result_size()\fR,
\&\fBEVP_MD_meth_get_app_datasize()\fR, \fBEVP_MD_meth_get_flags()\fR,
\&\fBEVP_MD_meth_get_init()\fR, \fBEVP_MD_meth_get_update()\fR,
\&\fBEVP_MD_meth_get_final()\fR, \fBEVP_MD_meth_get_copy()\fR,
\&\fBEVP_MD_meth_get_cleanup()\fR and \fBEVP_MD_meth_get_ctrl()\fR are all used
to retrieve the method data given with the EVP_MD_meth_set_*()
functions above.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_MD_meth_new()\fR and \fBEVP_MD_meth_dup()\fR return a pointer to a newly
created \fB\s-1EVP_MD\s0\fR, or \s-1NULL\s0 on failure.
All EVP_MD_meth_set_*() functions return 1.
\&\fBEVP_MD_get_input_blocksize()\fR, \fBEVP_MD_meth_get_result_size()\fR,
\&\fBEVP_MD_meth_get_app_datasize()\fR and \fBEVP_MD_meth_get_flags()\fR return the
indicated sizes or flags.
All other EVP_CIPHER_meth_get_*() functions return pointers to their
respective \fBmd\fR function.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_DigestInit\fR\|(3), \fBEVP_SignInit\fR\|(3), \fBEVP_VerifyInit\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\s-1EVP_MD\s0\fR structure was openly available in OpenSSL before version
1.1. The functions described here were added in OpenSSL 1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_OpenInit.3 b/secure/lib/libcrypto/man/man3/EVP_OpenInit.3
index db66780e943c..d867d1e01285 100644
--- a/secure/lib/libcrypto/man/man3/EVP_OpenInit.3
+++ b/secure/lib/libcrypto/man/man3/EVP_OpenInit.3
@@ -1,200 +1,200 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_OPENINIT 3"
-.TH EVP_OPENINIT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_OPENINIT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_OpenInit, EVP_OpenUpdate, EVP_OpenFinal \- EVP envelope decryption
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int EVP_OpenInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char *ek,
\& int ekl, unsigned char *iv, EVP_PKEY *priv);
\& int EVP_OpenUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
\& int *outl, unsigned char *in, int inl);
\& int EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1EVP\s0 envelope routines are a high-level interface to envelope
decryption. They decrypt a public key encrypted symmetric key and
then decrypt data using it.
.PP
\&\fBEVP_OpenInit()\fR initializes a cipher context \fBctx\fR for decryption
with cipher \fBtype\fR. It decrypts the encrypted symmetric key of length
\&\fBekl\fR bytes passed in the \fBek\fR parameter using the private key \fBpriv\fR.
The \s-1IV\s0 is supplied in the \fBiv\fR parameter.
.PP
\&\fBEVP_OpenUpdate()\fR and \fBEVP_OpenFinal()\fR have exactly the same properties
as the \fBEVP_DecryptUpdate()\fR and \fBEVP_DecryptFinal()\fR routines, as
documented on the \fBEVP_EncryptInit\fR\|(3) manual
page.
.SH "NOTES"
.IX Header "NOTES"
It is possible to call \fBEVP_OpenInit()\fR twice in the same way as
\&\fBEVP_DecryptInit()\fR. The first call should have \fBpriv\fR set to \s-1NULL\s0
and (after setting any cipher parameters) it should be called again
with \fBtype\fR set to \s-1NULL.\s0
.PP
If the cipher passed in the \fBtype\fR parameter is a variable length
cipher then the key length will be set to the value of the recovered
key length. If the cipher is a fixed length cipher then the recovered
key length must match the fixed cipher length.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_OpenInit()\fR returns 0 on error or a non zero integer (actually the
recovered secret key size) if successful.
.PP
\&\fBEVP_OpenUpdate()\fR returns 1 for success or 0 for failure.
.PP
\&\fBEVP_OpenFinal()\fR returns 0 if the decrypt failed or 1 for success.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7), \fBRAND_bytes\fR\|(3),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_SealInit\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_ASN1_METHOD.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_ASN1_METHOD.3
index 0712f2f61a3f..527e9b637734 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_ASN1_METHOD.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_ASN1_METHOD.3
@@ -1,553 +1,553 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_ASN1_METHOD 3"
-.TH EVP_PKEY_ASN1_METHOD 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_PKEY_ASN1_METHOD 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_PKEY_ASN1_METHOD, EVP_PKEY_asn1_new, EVP_PKEY_asn1_copy, EVP_PKEY_asn1_free, EVP_PKEY_asn1_add0, EVP_PKEY_asn1_add_alias, EVP_PKEY_asn1_set_public, EVP_PKEY_asn1_set_private, EVP_PKEY_asn1_set_param, EVP_PKEY_asn1_set_free, EVP_PKEY_asn1_set_ctrl, EVP_PKEY_asn1_set_item, EVP_PKEY_asn1_set_siginf, EVP_PKEY_asn1_set_check, EVP_PKEY_asn1_set_public_check, EVP_PKEY_asn1_set_param_check, EVP_PKEY_asn1_set_security_bits, EVP_PKEY_asn1_set_set_priv_key, EVP_PKEY_asn1_set_set_pub_key, EVP_PKEY_asn1_set_get_priv_key, EVP_PKEY_asn1_set_get_pub_key, EVP_PKEY_get0_asn1 \&\- manipulating and registering EVP_PKEY_ASN1_METHOD structure
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& typedef struct evp_pkey_asn1_method_st EVP_PKEY_ASN1_METHOD;
\&
\& EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int flags,
\& const char *pem_str,
\& const char *info);
\& void EVP_PKEY_asn1_copy(EVP_PKEY_ASN1_METHOD *dst,
\& const EVP_PKEY_ASN1_METHOD *src);
\& void EVP_PKEY_asn1_free(EVP_PKEY_ASN1_METHOD *ameth);
\& int EVP_PKEY_asn1_add0(const EVP_PKEY_ASN1_METHOD *ameth);
\& int EVP_PKEY_asn1_add_alias(int to, int from);
\&
\& void EVP_PKEY_asn1_set_public(EVP_PKEY_ASN1_METHOD *ameth,
\& int (*pub_decode) (EVP_PKEY *pk,
\& X509_PUBKEY *pub),
\& int (*pub_encode) (X509_PUBKEY *pub,
\& const EVP_PKEY *pk),
\& int (*pub_cmp) (const EVP_PKEY *a,
\& const EVP_PKEY *b),
\& int (*pub_print) (BIO *out,
\& const EVP_PKEY *pkey,
\& int indent, ASN1_PCTX *pctx),
\& int (*pkey_size) (const EVP_PKEY *pk),
\& int (*pkey_bits) (const EVP_PKEY *pk));
\& void EVP_PKEY_asn1_set_private(EVP_PKEY_ASN1_METHOD *ameth,
\& int (*priv_decode) (EVP_PKEY *pk,
\& const PKCS8_PRIV_KEY_INFO
\& *p8inf),
\& int (*priv_encode) (PKCS8_PRIV_KEY_INFO *p8,
\& const EVP_PKEY *pk),
\& int (*priv_print) (BIO *out,
\& const EVP_PKEY *pkey,
\& int indent,
\& ASN1_PCTX *pctx));
\& void EVP_PKEY_asn1_set_param(EVP_PKEY_ASN1_METHOD *ameth,
\& int (*param_decode) (EVP_PKEY *pkey,
\& const unsigned char **pder,
\& int derlen),
\& int (*param_encode) (const EVP_PKEY *pkey,
\& unsigned char **pder),
\& int (*param_missing) (const EVP_PKEY *pk),
\& int (*param_copy) (EVP_PKEY *to,
\& const EVP_PKEY *from),
\& int (*param_cmp) (const EVP_PKEY *a,
\& const EVP_PKEY *b),
\& int (*param_print) (BIO *out,
\& const EVP_PKEY *pkey,
\& int indent,
\& ASN1_PCTX *pctx));
\&
\& void EVP_PKEY_asn1_set_free(EVP_PKEY_ASN1_METHOD *ameth,
\& void (*pkey_free) (EVP_PKEY *pkey));
\& void EVP_PKEY_asn1_set_ctrl(EVP_PKEY_ASN1_METHOD *ameth,
\& int (*pkey_ctrl) (EVP_PKEY *pkey, int op,
\& long arg1, void *arg2));
\& void EVP_PKEY_asn1_set_item(EVP_PKEY_ASN1_METHOD *ameth,
\& int (*item_verify) (EVP_MD_CTX *ctx,
\& const ASN1_ITEM *it,
\& void *asn,
\& X509_ALGOR *a,
\& ASN1_BIT_STRING *sig,
\& EVP_PKEY *pkey),
\& int (*item_sign) (EVP_MD_CTX *ctx,
\& const ASN1_ITEM *it,
\& void *asn,
\& X509_ALGOR *alg1,
\& X509_ALGOR *alg2,
\& ASN1_BIT_STRING *sig));
\&
\& void EVP_PKEY_asn1_set_siginf(EVP_PKEY_ASN1_METHOD *ameth,
\& int (*siginf_set) (X509_SIG_INFO *siginf,
\& const X509_ALGOR *alg,
\& const ASN1_STRING *sig));
\&
\& void EVP_PKEY_asn1_set_check(EVP_PKEY_ASN1_METHOD *ameth,
\& int (*pkey_check) (const EVP_PKEY *pk));
\&
\& void EVP_PKEY_asn1_set_public_check(EVP_PKEY_ASN1_METHOD *ameth,
\& int (*pkey_pub_check) (const EVP_PKEY *pk));
\&
\& void EVP_PKEY_asn1_set_param_check(EVP_PKEY_ASN1_METHOD *ameth,
\& int (*pkey_param_check) (const EVP_PKEY *pk));
\&
\& void EVP_PKEY_asn1_set_security_bits(EVP_PKEY_ASN1_METHOD *ameth,
\& int (*pkey_security_bits) (const EVP_PKEY
\& *pk));
\&
\& void EVP_PKEY_asn1_set_set_priv_key(EVP_PKEY_ASN1_METHOD *ameth,
\& int (*set_priv_key) (EVP_PKEY *pk,
\& const unsigned char
\& *priv,
\& size_t len));
\&
\& void EVP_PKEY_asn1_set_set_pub_key(EVP_PKEY_ASN1_METHOD *ameth,
\& int (*set_pub_key) (EVP_PKEY *pk,
\& const unsigned char *pub,
\& size_t len));
\&
\& void EVP_PKEY_asn1_set_get_priv_key(EVP_PKEY_ASN1_METHOD *ameth,
\& int (*get_priv_key) (const EVP_PKEY *pk,
\& unsigned char *priv,
\& size_t *len));
\&
\& void EVP_PKEY_asn1_set_get_pub_key(EVP_PKEY_ASN1_METHOD *ameth,
\& int (*get_pub_key) (const EVP_PKEY *pk,
\& unsigned char *pub,
\& size_t *len));
\&
\& const EVP_PKEY_ASN1_METHOD *EVP_PKEY_get0_asn1(const EVP_PKEY *pkey);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR is a structure which holds a set of \s-1ASN.1\s0
conversion, printing and information methods for a specific public key
algorithm.
.PP
There are two places where the \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR objects are
stored: one is a built-in array representing the standard methods for
different algorithms, and the other one is a stack of user-defined
application-specific methods, which can be manipulated by using
\&\fBEVP_PKEY_asn1_add0\fR\|(3).
.SS "Methods"
.IX Subsection "Methods"
The methods are the underlying implementations of a particular public
key algorithm present by the \fB\s-1EVP_PKEY\s0\fR object.
.PP
.Vb 5
\& int (*pub_decode) (EVP_PKEY *pk, X509_PUBKEY *pub);
\& int (*pub_encode) (X509_PUBKEY *pub, const EVP_PKEY *pk);
\& int (*pub_cmp) (const EVP_PKEY *a, const EVP_PKEY *b);
\& int (*pub_print) (BIO *out, const EVP_PKEY *pkey, int indent,
\& ASN1_PCTX *pctx);
.Ve
.PP
The \fBpub_decode()\fR and \fBpub_encode()\fR methods are called to decode /
encode \fBX509_PUBKEY\fR \s-1ASN.1\s0 parameters to / from \fBpk\fR.
They \s-1MUST\s0 return 0 on error, 1 on success.
They're called by \fBX509_PUBKEY_get0\fR\|(3) and \fBX509_PUBKEY_set\fR\|(3).
.PP
The \fBpub_cmp()\fR method is called when two public keys are to be
compared.
It \s-1MUST\s0 return 1 when the keys are equal, 0 otherwise.
It's called by \fBEVP_PKEY_cmp\fR\|(3).
.PP
The \fBpub_print()\fR method is called to print a public key in humanly
readable text to \fBout\fR, indented \fBindent\fR spaces.
It \s-1MUST\s0 return 0 on error, 1 on success.
It's called by \fBEVP_PKEY_print_public\fR\|(3).
.PP
.Vb 4
\& int (*priv_decode) (EVP_PKEY *pk, const PKCS8_PRIV_KEY_INFO *p8inf);
\& int (*priv_encode) (PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pk);
\& int (*priv_print) (BIO *out, const EVP_PKEY *pkey, int indent,
\& ASN1_PCTX *pctx);
.Ve
.PP
The \fBpriv_decode()\fR and \fBpriv_encode()\fR methods are called to decode /
encode \fB\s-1PKCS8_PRIV_KEY_INFO\s0\fR form private key to / from \fBpk\fR.
They \s-1MUST\s0 return 0 on error, 1 on success.
They're called by \s-1\fBEVP_PKCS82PKEY\s0\fR\|(3) and \s-1\fBEVP_PKEY2PKCS8\s0\fR\|(3).
.PP
The \fBpriv_print()\fR method is called to print a private key in humanly
readable text to \fBout\fR, indented \fBindent\fR spaces.
It \s-1MUST\s0 return 0 on error, 1 on success.
It's called by \fBEVP_PKEY_print_private\fR\|(3).
.PP
.Vb 3
\& int (*pkey_size) (const EVP_PKEY *pk);
\& int (*pkey_bits) (const EVP_PKEY *pk);
\& int (*pkey_security_bits) (const EVP_PKEY *pk);
.Ve
.PP
The \fBpkey_size()\fR method returns the key size in bytes.
It's called by \fBEVP_PKEY_size\fR\|(3).
.PP
The \fBpkey_bits()\fR method returns the key size in bits.
It's called by \fBEVP_PKEY_bits\fR\|(3).
.PP
.Vb 8
\& int (*param_decode) (EVP_PKEY *pkey,
\& const unsigned char **pder, int derlen);
\& int (*param_encode) (const EVP_PKEY *pkey, unsigned char **pder);
\& int (*param_missing) (const EVP_PKEY *pk);
\& int (*param_copy) (EVP_PKEY *to, const EVP_PKEY *from);
\& int (*param_cmp) (const EVP_PKEY *a, const EVP_PKEY *b);
\& int (*param_print) (BIO *out, const EVP_PKEY *pkey, int indent,
\& ASN1_PCTX *pctx);
.Ve
.PP
The \fBparam_decode()\fR and \fBparam_encode()\fR methods are called to decode /
encode \s-1DER\s0 formatted parameters to / from \fBpk\fR.
They \s-1MUST\s0 return 0 on error, 1 on success.
They're called by \fBPEM_read_bio_Parameters\fR\|(3) and the \fBfile:\fR
\&\s-1\fBOSSL_STORE_LOADER\s0\fR\|(3).
.PP
The \fBparam_missing()\fR method returns 0 if a key parameter is missing,
otherwise 1.
It's called by \fBEVP_PKEY_missing_parameters\fR\|(3).
.PP
The \fBparam_copy()\fR method copies key parameters from \fBfrom\fR to \fBto\fR.
It \s-1MUST\s0 return 0 on error, 1 on success.
It's called by \fBEVP_PKEY_copy_parameters\fR\|(3).
.PP
The \fBparam_cmp()\fR method compares the parameters of keys \fBa\fR and \fBb\fR.
It \s-1MUST\s0 return 1 when the keys are equal, 0 when not equal, or a
negative number on error.
It's called by \fBEVP_PKEY_cmp_parameters\fR\|(3).
.PP
The \fBparam_print()\fR method prints the private key parameters in humanly
readable text to \fBout\fR, indented \fBindent\fR spaces.
It \s-1MUST\s0 return 0 on error, 1 on success.
It's called by \fBEVP_PKEY_print_params\fR\|(3).
.PP
.Vb 3
\& int (*sig_print) (BIO *out,
\& const X509_ALGOR *sigalg, const ASN1_STRING *sig,
\& int indent, ASN1_PCTX *pctx);
.Ve
.PP
The \fBsig_print()\fR method prints a signature in humanly readable text to
\&\fBout\fR, indented \fBindent\fR spaces.
\&\fBsigalg\fR contains the exact signature algorithm.
If the signature in \fBsig\fR doesn't correspond to what this method
expects, \fBX509_signature_dump()\fR must be used as a last resort.
It \s-1MUST\s0 return 0 on error, 1 on success.
It's called by \fBX509_signature_print\fR\|(3).
.PP
.Vb 1
\& void (*pkey_free) (EVP_PKEY *pkey);
.Ve
.PP
The \fBpkey_free()\fR method helps freeing the internals of \fBpkey\fR.
It's called by \fBEVP_PKEY_free\fR\|(3), \fBEVP_PKEY_set_type\fR\|(3),
\&\fBEVP_PKEY_set_type_str\fR\|(3), and \fBEVP_PKEY_assign\fR\|(3).
.PP
.Vb 1
\& int (*pkey_ctrl) (EVP_PKEY *pkey, int op, long arg1, void *arg2);
.Ve
.PP
The \fBpkey_ctrl()\fR method adds extra algorithm specific control.
It's called by \fBEVP_PKEY_get_default_digest_nid\fR\|(3),
\&\fBEVP_PKEY_set1_tls_encodedpoint\fR\|(3),
\&\fBEVP_PKEY_get1_tls_encodedpoint\fR\|(3), \fBPKCS7_SIGNER_INFO_set\fR\|(3),
\&\fBPKCS7_RECIP_INFO_set\fR\|(3), ...
.PP
.Vb 3
\& int (*old_priv_decode) (EVP_PKEY *pkey,
\& const unsigned char **pder, int derlen);
\& int (*old_priv_encode) (const EVP_PKEY *pkey, unsigned char **pder);
.Ve
.PP
The \fBold_priv_decode()\fR and \fBold_priv_encode()\fR methods decode / encode
they private key \fBpkey\fR from / to a \s-1DER\s0 formatted array.
These are exclusively used to help decoding / encoding older (pre
PKCS#8) \s-1PEM\s0 formatted encrypted private keys.
\&\fBold_priv_decode()\fR \s-1MUST\s0 return 0 on error, 1 on success.
\&\fBold_priv_encode()\fR \s-1MUST\s0 the return same kind of values as
\&\fBi2d_PrivateKey()\fR.
They're called by \fBd2i_PrivateKey\fR\|(3) and \fBi2d_PrivateKey\fR\|(3).
.PP
.Vb 5
\& int (*item_verify) (EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
\& X509_ALGOR *a, ASN1_BIT_STRING *sig, EVP_PKEY *pkey);
\& int (*item_sign) (EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
\& X509_ALGOR *alg1, X509_ALGOR *alg2,
\& ASN1_BIT_STRING *sig);
.Ve
.PP
The \fBitem_sign()\fR and \fBitem_verify()\fR methods make it possible to have
algorithm specific signatures and verification of them.
.PP
\&\fBitem_sign()\fR \s-1MUST\s0 return one of:
.IP "<=0" 4
.IX Item "<=0"
error
.IP "1" 4
.IX Item "1"
\&\fBitem_sign()\fR did everything, OpenSSL internals just needs to pass the
signature length back.
.IP "2" 4
.IX Item "2"
\&\fBitem_sign()\fR did nothing, OpenSSL internal standard routines are
expected to continue with the default signature production.
.IP "3" 4
.IX Item "3"
\&\fBitem_sign()\fR set the algorithm identifier \fBalgor1\fR and \fBalgor2\fR,
OpenSSL internals should just sign using those algorithms.
.PP
\&\fBitem_verify()\fR \s-1MUST\s0 return one of:
.IP "<=0" 4
.IX Item "<=0"
error
.IP "1" 4
.IX Item "1"
\&\fBitem_sign()\fR did everything, OpenSSL internals just needs to pass the
signature length back.
.IP "2" 4
.IX Item "2"
\&\fBitem_sign()\fR did nothing, OpenSSL internal standard routines are
expected to continue with the default signature production.
.PP
\&\fBitem_verify()\fR and \fBitem_sign()\fR are called by \fBASN1_item_verify\fR\|(3) and
\&\fBASN1_item_sign\fR\|(3), and by extension, \fBX509_verify\fR\|(3),
\&\fBX509_REQ_verify\fR\|(3), \fBX509_sign\fR\|(3), \fBX509_REQ_sign\fR\|(3), ...
.PP
.Vb 2
\& int (*siginf_set) (X509_SIG_INFO *siginf, const X509_ALGOR *alg,
\& const ASN1_STRING *sig);
.Ve
.PP
The \fBsiginf_set()\fR method is used to set custom \fBX509_SIG_INFO\fR
parameters.
It \s-1MUST\s0 return 0 on error, or 1 on success.
It's called as part of \fBX509_check_purpose\fR\|(3), \fBX509_check_ca\fR\|(3)
and \fBX509_check_issued\fR\|(3).
.PP
.Vb 3
\& int (*pkey_check) (const EVP_PKEY *pk);
\& int (*pkey_public_check) (const EVP_PKEY *pk);
\& int (*pkey_param_check) (const EVP_PKEY *pk);
.Ve
.PP
The \fBpkey_check()\fR, \fBpkey_public_check()\fR and \fBpkey_param_check()\fR methods are used
to check the validity of \fBpk\fR for key-pair, public component and parameters,
respectively.
They \s-1MUST\s0 return 0 for an invalid key, or 1 for a valid key.
They are called by \fBEVP_PKEY_check\fR\|(3), \fBEVP_PKEY_public_check\fR\|(3) and
\&\fBEVP_PKEY_param_check\fR\|(3) respectively.
.PP
.Vb 2
\& int (*set_priv_key) (EVP_PKEY *pk, const unsigned char *priv, size_t len);
\& int (*set_pub_key) (EVP_PKEY *pk, const unsigned char *pub, size_t len);
.Ve
.PP
The \fBset_priv_key()\fR and \fBset_pub_key()\fR methods are used to set the raw private and
public key data for an \s-1EVP_PKEY.\s0 They \s-1MUST\s0 return 0 on error, or 1 on success.
They are called by \fBEVP_PKEY_new_raw_private_key\fR\|(3), and
\&\fBEVP_PKEY_new_raw_public_key\fR\|(3) respectively.
.SS "Functions"
.IX Subsection "Functions"
\&\fBEVP_PKEY_asn1_new()\fR creates and returns a new \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR
object, and associates the given \fBid\fR, \fBflags\fR, \fBpem_str\fR and
\&\fBinfo\fR.
\&\fBid\fR is a \s-1NID,\s0 \fBpem_str\fR is the \s-1PEM\s0 type string, \fBinfo\fR is a
descriptive string.
The following \fBflags\fR are supported:
.PP
.Vb 1
\& ASN1_PKEY_SIGPARAM_NULL
.Ve
.PP
If \fB\s-1ASN1_PKEY_SIGPARAM_NULL\s0\fR is set, then the signature algorithm
parameters are given the type \fBV_ASN1_NULL\fR by default, otherwise
they will be given the type \fBV_ASN1_UNDEF\fR (i.e. the parameter is
omitted).
See \fBX509_ALGOR_set0\fR\|(3) for more information.
.PP
\&\fBEVP_PKEY_asn1_copy()\fR copies an \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR object from
\&\fBsrc\fR to \fBdst\fR.
This function is not thread safe, it's recommended to only use this
when initializing the application.
.PP
\&\fBEVP_PKEY_asn1_free()\fR frees an existing \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR pointed
by \fBameth\fR.
.PP
\&\fBEVP_PKEY_asn1_add0()\fR adds \fBameth\fR to the user defined stack of
methods unless another \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR with the same \s-1NID\s0 is
already there.
This function is not thread safe, it's recommended to only use this
when initializing the application.
.PP
\&\fBEVP_PKEY_asn1_add_alias()\fR creates an alias with the \s-1NID\s0 \fBto\fR for the
\&\fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR with \s-1NID\s0 \fBfrom\fR unless another
\&\fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR with the same \s-1NID\s0 is already added.
This function is not thread safe, it's recommended to only use this
when initializing the application.
.PP
\&\fBEVP_PKEY_asn1_set_public()\fR, \fBEVP_PKEY_asn1_set_private()\fR,
\&\fBEVP_PKEY_asn1_set_param()\fR, \fBEVP_PKEY_asn1_set_free()\fR,
\&\fBEVP_PKEY_asn1_set_ctrl()\fR, \fBEVP_PKEY_asn1_set_item()\fR,
\&\fBEVP_PKEY_asn1_set_siginf()\fR, \fBEVP_PKEY_asn1_set_check()\fR,
\&\fBEVP_PKEY_asn1_set_public_check()\fR, \fBEVP_PKEY_asn1_set_param_check()\fR,
\&\fBEVP_PKEY_asn1_set_security_bits()\fR, \fBEVP_PKEY_asn1_set_set_priv_key()\fR,
\&\fBEVP_PKEY_asn1_set_set_pub_key()\fR, \fBEVP_PKEY_asn1_set_get_priv_key()\fR and
\&\fBEVP_PKEY_asn1_set_get_pub_key()\fR set the diverse methods of the given
\&\fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR object.
.PP
\&\fBEVP_PKEY_get0_asn1()\fR finds the \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR associated
with the key \fBpkey\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_asn1_new()\fR returns \s-1NULL\s0 on error, or a pointer to an
\&\fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR object otherwise.
.PP
\&\fBEVP_PKEY_asn1_add0()\fR and \fBEVP_PKEY_asn1_add_alias()\fR return 0 on error,
or 1 on success.
.PP
\&\fBEVP_PKEY_get0_asn1()\fR returns \s-1NULL\s0 on error, or a pointer to a constant
\&\fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR object otherwise.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_ctrl.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_ctrl.3
index 14a60a826498..99e93372599e 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_ctrl.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_ctrl.3
@@ -1,538 +1,538 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_CTX_CTRL 3"
-.TH EVP_PKEY_CTX_CTRL 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_PKEY_CTX_CTRL 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_PKEY_CTX_ctrl, EVP_PKEY_CTX_ctrl_str, EVP_PKEY_CTX_ctrl_uint64, EVP_PKEY_CTX_md, EVP_PKEY_CTX_set_signature_md, EVP_PKEY_CTX_get_signature_md, EVP_PKEY_CTX_set_mac_key, EVP_PKEY_CTX_set_rsa_padding, EVP_PKEY_CTX_get_rsa_padding, EVP_PKEY_CTX_set_rsa_pss_saltlen, EVP_PKEY_CTX_get_rsa_pss_saltlen, EVP_PKEY_CTX_set_rsa_keygen_bits, EVP_PKEY_CTX_set_rsa_keygen_pubexp, EVP_PKEY_CTX_set_rsa_keygen_primes, EVP_PKEY_CTX_set_rsa_mgf1_md, EVP_PKEY_CTX_get_rsa_mgf1_md, EVP_PKEY_CTX_set_rsa_oaep_md, EVP_PKEY_CTX_get_rsa_oaep_md, EVP_PKEY_CTX_set0_rsa_oaep_label, EVP_PKEY_CTX_get0_rsa_oaep_label, EVP_PKEY_CTX_set_dsa_paramgen_bits, EVP_PKEY_CTX_set_dsa_paramgen_q_bits, EVP_PKEY_CTX_set_dsa_paramgen_md, EVP_PKEY_CTX_set_dh_paramgen_prime_len, EVP_PKEY_CTX_set_dh_paramgen_subprime_len, EVP_PKEY_CTX_set_dh_paramgen_generator, EVP_PKEY_CTX_set_dh_paramgen_type, EVP_PKEY_CTX_set_dh_rfc5114, EVP_PKEY_CTX_set_dhx_rfc5114, EVP_PKEY_CTX_set_dh_pad, EVP_PKEY_CTX_set_dh_nid, EVP_PKEY_CTX_set_dh_kdf_type, EVP_PKEY_CTX_get_dh_kdf_type, EVP_PKEY_CTX_set0_dh_kdf_oid, EVP_PKEY_CTX_get0_dh_kdf_oid, EVP_PKEY_CTX_set_dh_kdf_md, EVP_PKEY_CTX_get_dh_kdf_md, EVP_PKEY_CTX_set_dh_kdf_outlen, EVP_PKEY_CTX_get_dh_kdf_outlen, EVP_PKEY_CTX_set0_dh_kdf_ukm, EVP_PKEY_CTX_get0_dh_kdf_ukm, EVP_PKEY_CTX_set_ec_paramgen_curve_nid, EVP_PKEY_CTX_set_ec_param_enc, EVP_PKEY_CTX_set_ecdh_cofactor_mode, EVP_PKEY_CTX_get_ecdh_cofactor_mode, EVP_PKEY_CTX_set_ecdh_kdf_type, EVP_PKEY_CTX_get_ecdh_kdf_type, EVP_PKEY_CTX_set_ecdh_kdf_md, EVP_PKEY_CTX_get_ecdh_kdf_md, EVP_PKEY_CTX_set_ecdh_kdf_outlen, EVP_PKEY_CTX_get_ecdh_kdf_outlen, EVP_PKEY_CTX_set0_ecdh_kdf_ukm, EVP_PKEY_CTX_get0_ecdh_kdf_ukm, EVP_PKEY_CTX_set1_id, EVP_PKEY_CTX_get1_id, EVP_PKEY_CTX_get1_id_len \&\- algorithm specific control operations
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype,
\& int cmd, int p1, void *p2);
\& int EVP_PKEY_CTX_ctrl_uint64(EVP_PKEY_CTX *ctx, int keytype, int optype,
\& int cmd, uint64_t value);
\& int EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
\& const char *value);
\&
\& int EVP_PKEY_CTX_md(EVP_PKEY_CTX *ctx, int optype, int cmd, const char *md);
\&
\& int EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
\& int EVP_PKEY_CTX_get_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD **pmd);
\&
\& int EVP_PKEY_CTX_set_mac_key(EVP_PKEY_CTX *ctx, unsigned char *key, int len);
\&
\& #include <openssl/rsa.h>
\&
\& int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad);
\& int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *pad);
\& int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int len);
\& int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *len);
\& int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int mbits);
\& int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp);
\& int EVP_PKEY_CTX_set_rsa_keygen_primes(EVP_PKEY_CTX *ctx, int primes);
\& int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
\& int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **md);
\& int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
\& int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **md);
\& int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char *label, int len);
\& int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label);
\&
\& #include <openssl/dsa.h>
\&
\& int EVP_PKEY_CTX_set_dsa_paramgen_bits(EVP_PKEY_CTX *ctx, int nbits);
\& int EVP_PKEY_CTX_set_dsa_paramgen_q_bits(EVP_PKEY_CTX *ctx, int qbits);
\& int EVP_PKEY_CTX_set_dsa_paramgen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
\&
\& #include <openssl/dh.h>
\&
\& int EVP_PKEY_CTX_set_dh_paramgen_prime_len(EVP_PKEY_CTX *ctx, int len);
\& int EVP_PKEY_CTX_set_dh_paramgen_subprime_len(EVP_PKEY_CTX *ctx, int len);
\& int EVP_PKEY_CTX_set_dh_paramgen_generator(EVP_PKEY_CTX *ctx, int gen);
\& int EVP_PKEY_CTX_set_dh_paramgen_type(EVP_PKEY_CTX *ctx, int type);
\& int EVP_PKEY_CTX_set_dh_pad(EVP_PKEY_CTX *ctx, int pad);
\& int EVP_PKEY_CTX_set_dh_nid(EVP_PKEY_CTX *ctx, int nid);
\& int EVP_PKEY_CTX_set_dh_rfc5114(EVP_PKEY_CTX *ctx, int rfc5114);
\& int EVP_PKEY_CTX_set_dhx_rfc5114(EVP_PKEY_CTX *ctx, int rfc5114);
\& int EVP_PKEY_CTX_set_dh_kdf_type(EVP_PKEY_CTX *ctx, int kdf);
\& int EVP_PKEY_CTX_get_dh_kdf_type(EVP_PKEY_CTX *ctx);
\& int EVP_PKEY_CTX_set0_dh_kdf_oid(EVP_PKEY_CTX *ctx, ASN1_OBJECT *oid);
\& int EVP_PKEY_CTX_get0_dh_kdf_oid(EVP_PKEY_CTX *ctx, ASN1_OBJECT **oid);
\& int EVP_PKEY_CTX_set_dh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
\& int EVP_PKEY_CTX_get_dh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD **md);
\& int EVP_PKEY_CTX_set_dh_kdf_outlen(EVP_PKEY_CTX *ctx, int len);
\& int EVP_PKEY_CTX_get_dh_kdf_outlen(EVP_PKEY_CTX *ctx, int *len);
\& int EVP_PKEY_CTX_set0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char *ukm, int len);
\& int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
\&
\& #include <openssl/ec.h>
\&
\& int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid);
\& int EVP_PKEY_CTX_set_ec_param_enc(EVP_PKEY_CTX *ctx, int param_enc);
\& int EVP_PKEY_CTX_set_ecdh_cofactor_mode(EVP_PKEY_CTX *ctx, int cofactor_mode);
\& int EVP_PKEY_CTX_get_ecdh_cofactor_mode(EVP_PKEY_CTX *ctx);
\& int EVP_PKEY_CTX_set_ecdh_kdf_type(EVP_PKEY_CTX *ctx, int kdf);
\& int EVP_PKEY_CTX_get_ecdh_kdf_type(EVP_PKEY_CTX *ctx);
\& int EVP_PKEY_CTX_set_ecdh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
\& int EVP_PKEY_CTX_get_ecdh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD **md);
\& int EVP_PKEY_CTX_set_ecdh_kdf_outlen(EVP_PKEY_CTX *ctx, int len);
\& int EVP_PKEY_CTX_get_ecdh_kdf_outlen(EVP_PKEY_CTX *ctx, int *len);
\& int EVP_PKEY_CTX_set0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char *ukm, int len);
\& int EVP_PKEY_CTX_get0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
\&
\& int EVP_PKEY_CTX_set1_id(EVP_PKEY_CTX *ctx, void *id, size_t id_len);
\& int EVP_PKEY_CTX_get1_id(EVP_PKEY_CTX *ctx, void *id);
\& int EVP_PKEY_CTX_get1_id_len(EVP_PKEY_CTX *ctx, size_t *id_len);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The function \fBEVP_PKEY_CTX_ctrl()\fR sends a control operation to the context
\&\fBctx\fR. The key type used must match \fBkeytype\fR if it is not \-1. The parameter
\&\fBoptype\fR is a mask indicating which operations the control can be applied to.
The control command is indicated in \fBcmd\fR and any additional arguments in
\&\fBp1\fR and \fBp2\fR.
.PP
For \fBcmd\fR = \fB\s-1EVP_PKEY_CTRL_SET_MAC_KEY\s0\fR, \fBp1\fR is the length of the \s-1MAC\s0 key,
and \fBp2\fR is \s-1MAC\s0 key. This is used by Poly1305, SipHash, \s-1HMAC\s0 and \s-1CMAC.\s0
.PP
Applications will not normally call \fBEVP_PKEY_CTX_ctrl()\fR directly but will
instead call one of the algorithm specific macros below.
.PP
The function \fBEVP_PKEY_CTX_ctrl_uint64()\fR is a wrapper that directly passes a
uint64 value as \fBp2\fR to \fBEVP_PKEY_CTX_ctrl()\fR.
.PP
The function \fBEVP_PKEY_CTX_ctrl_str()\fR allows an application to send an algorithm
specific control operation to a context \fBctx\fR in string form. This is
intended to be used for options specified on the command line or in text
files. The commands supported are documented in the openssl utility
command line pages for the option \fB\-pkeyopt\fR which is supported by the
\&\fBpkeyutl\fR, \fBgenpkey\fR and \fBreq\fR commands.
.PP
The function \fBEVP_PKEY_CTX_md()\fR sends a message digest control operation
to the context \fBctx\fR. The message digest is specified by its name \fBmd\fR.
.PP
All the remaining \*(L"functions\*(R" are implemented as macros.
.PP
The \fBEVP_PKEY_CTX_set_signature_md()\fR macro sets the message digest type used
in a signature. It can be used in the \s-1RSA, DSA\s0 and \s-1ECDSA\s0 algorithms.
.PP
The \fBEVP_PKEY_CTX_get_signature_md()\fR macro gets the message digest type used in a
signature. It can be used in the \s-1RSA, DSA\s0 and \s-1ECDSA\s0 algorithms.
.PP
Key generation typically involves setting up parameters to be used and
generating the private and public key data. Some algorithm implementations
allow private key data to be set explicitly using the \fBEVP_PKEY_CTX_set_mac_key()\fR
macro. In this case key generation is simply the process of setting up the
parameters for the key and then setting the raw key data to the value explicitly
provided by that macro. Normally applications would call
\&\fBEVP_PKEY_new_raw_private_key\fR\|(3) or similar functions instead of this macro.
.PP
The \fBEVP_PKEY_CTX_set_mac_key()\fR macro can be used with any of the algorithms
supported by the \fBEVP_PKEY_new_raw_private_key\fR\|(3) function.
.SS "\s-1RSA\s0 parameters"
.IX Subsection "RSA parameters"
The \fBEVP_PKEY_CTX_set_rsa_padding()\fR macro sets the \s-1RSA\s0 padding mode for \fBctx\fR.
The \fBpad\fR parameter can take the value \fB\s-1RSA_PKCS1_PADDING\s0\fR for PKCS#1
padding, \fB\s-1RSA_SSLV23_PADDING\s0\fR for SSLv23 padding, \fB\s-1RSA_NO_PADDING\s0\fR for
no padding, \fB\s-1RSA_PKCS1_OAEP_PADDING\s0\fR for \s-1OAEP\s0 padding (encrypt and
decrypt only), \fB\s-1RSA_X931_PADDING\s0\fR for X9.31 padding (signature operations
only) and \fB\s-1RSA_PKCS1_PSS_PADDING\s0\fR (sign and verify only).
.PP
Two \s-1RSA\s0 padding modes behave differently if \fBEVP_PKEY_CTX_set_signature_md()\fR
is used. If this macro is called for PKCS#1 padding the plaintext buffer is
an actual digest value and is encapsulated in a DigestInfo structure according
to PKCS#1 when signing and this structure is expected (and stripped off) when
verifying. If this control is not used with \s-1RSA\s0 and PKCS#1 padding then the
supplied data is used directly and not encapsulated. In the case of X9.31
padding for \s-1RSA\s0 the algorithm identifier byte is added or checked and removed
if this control is called. If it is not called then the first byte of the plaintext
buffer is expected to be the algorithm identifier byte.
.PP
The \fBEVP_PKEY_CTX_get_rsa_padding()\fR macro gets the \s-1RSA\s0 padding mode for \fBctx\fR.
.PP
The \fBEVP_PKEY_CTX_set_rsa_pss_saltlen()\fR macro sets the \s-1RSA PSS\s0 salt length to
\&\fBlen\fR. As its name implies it is only supported for \s-1PSS\s0 padding. Three special
values are supported: \fB\s-1RSA_PSS_SALTLEN_DIGEST\s0\fR sets the salt length to the
digest length, \fB\s-1RSA_PSS_SALTLEN_MAX\s0\fR sets the salt length to the maximum
permissible value. When verifying \fB\s-1RSA_PSS_SALTLEN_AUTO\s0\fR causes the salt length
to be automatically determined based on the \fB\s-1PSS\s0\fR block structure. If this
macro is not called maximum salt length is used when signing and auto detection
when verifying is used by default.
.PP
The \fBEVP_PKEY_CTX_get_rsa_pss_saltlen()\fR macro gets the \s-1RSA PSS\s0 salt length
for \fBctx\fR. The padding mode must have been set to \fB\s-1RSA_PKCS1_PSS_PADDING\s0\fR.
.PP
The \fBEVP_PKEY_CTX_set_rsa_keygen_bits()\fR macro sets the \s-1RSA\s0 key length for
\&\s-1RSA\s0 key generation to \fBbits\fR. If not specified 1024 bits is used.
.PP
The \fBEVP_PKEY_CTX_set_rsa_keygen_pubexp()\fR macro sets the public exponent value
for \s-1RSA\s0 key generation to \fBpubexp\fR. Currently it should be an odd integer. The
\&\fBpubexp\fR pointer is used internally by this function so it should not be
modified or freed after the call. If not specified 65537 is used.
.PP
The \fBEVP_PKEY_CTX_set_rsa_keygen_primes()\fR macro sets the number of primes for
\&\s-1RSA\s0 key generation to \fBprimes\fR. If not specified 2 is used.
.PP
The \fBEVP_PKEY_CTX_set_rsa_mgf1_md()\fR macro sets the \s-1MGF1\s0 digest for \s-1RSA\s0 padding
schemes to \fBmd\fR. If not explicitly set the signing digest is used. The
padding mode must have been set to \fB\s-1RSA_PKCS1_OAEP_PADDING\s0\fR
or \fB\s-1RSA_PKCS1_PSS_PADDING\s0\fR.
.PP
The \fBEVP_PKEY_CTX_get_rsa_mgf1_md()\fR macro gets the \s-1MGF1\s0 digest for \fBctx\fR.
If not explicitly set the signing digest is used. The padding mode must have
been set to \fB\s-1RSA_PKCS1_OAEP_PADDING\s0\fR or \fB\s-1RSA_PKCS1_PSS_PADDING\s0\fR.
.PP
The \fBEVP_PKEY_CTX_set_rsa_oaep_md()\fR macro sets the message digest type used
in \s-1RSA OAEP\s0 to \fBmd\fR. The padding mode must have been set to
\&\fB\s-1RSA_PKCS1_OAEP_PADDING\s0\fR.
.PP
The \fBEVP_PKEY_CTX_get_rsa_oaep_md()\fR macro gets the message digest type used
in \s-1RSA OAEP\s0 to \fBmd\fR. The padding mode must have been set to
\&\fB\s-1RSA_PKCS1_OAEP_PADDING\s0\fR.
.PP
The \fBEVP_PKEY_CTX_set0_rsa_oaep_label()\fR macro sets the \s-1RSA OAEP\s0 label to
\&\fBlabel\fR and its length to \fBlen\fR. If \fBlabel\fR is \s-1NULL\s0 or \fBlen\fR is 0,
the label is cleared. The library takes ownership of the label so the
caller should not free the original memory pointed to by \fBlabel\fR.
The padding mode must have been set to \fB\s-1RSA_PKCS1_OAEP_PADDING\s0\fR.
.PP
The \fBEVP_PKEY_CTX_get0_rsa_oaep_label()\fR macro gets the \s-1RSA OAEP\s0 label to
\&\fBlabel\fR. The return value is the label length. The padding mode
must have been set to \fB\s-1RSA_PKCS1_OAEP_PADDING\s0\fR. The resulting pointer is owned
by the library and should not be freed by the caller.
.SS "\s-1DSA\s0 parameters"
.IX Subsection "DSA parameters"
The \fBEVP_PKEY_CTX_set_dsa_paramgen_bits()\fR macro sets the number of bits used
for \s-1DSA\s0 parameter generation to \fBnbits\fR. If not specified, 1024 is used.
.PP
The \fBEVP_PKEY_CTX_set_dsa_paramgen_q_bits()\fR macro sets the number of bits in the
subprime parameter \fBq\fR for \s-1DSA\s0 parameter generation to \fBqbits\fR. If not
specified, 160 is used. If a digest function is specified below, this parameter
is ignored and instead, the number of bits in \fBq\fR matches the size of the
digest.
.PP
The \fBEVP_PKEY_CTX_set_dsa_paramgen_md()\fR macro sets the digest function used for
\&\s-1DSA\s0 parameter generation to \fBmd\fR. If not specified, one of \s-1SHA\-1, SHA\-224,\s0 or
\&\s-1SHA\-256\s0 is selected to match the bit length of \fBq\fR above.
.SS "\s-1DH\s0 parameters"
.IX Subsection "DH parameters"
The \fBEVP_PKEY_CTX_set_dh_paramgen_prime_len()\fR macro sets the length of the \s-1DH\s0
prime parameter \fBp\fR for \s-1DH\s0 parameter generation. If this macro is not called
then 1024 is used. Only accepts lengths greater than or equal to 256.
.PP
The \fBEVP_PKEY_CTX_set_dh_paramgen_subprime_len()\fR macro sets the length of the \s-1DH\s0
optional subprime parameter \fBq\fR for \s-1DH\s0 parameter generation. The default is
256 if the prime is at least 2048 bits long or 160 otherwise. The \s-1DH\s0
paramgen type must have been set to x9.42.
.PP
The \fBEVP_PKEY_CTX_set_dh_paramgen_generator()\fR macro sets \s-1DH\s0 generator to \fBgen\fR
for \s-1DH\s0 parameter generation. If not specified 2 is used.
.PP
The \fBEVP_PKEY_CTX_set_dh_paramgen_type()\fR macro sets the key type for \s-1DH\s0
parameter generation. Use 0 for PKCS#3 \s-1DH\s0 and 1 for X9.42 \s-1DH.\s0
The default is 0.
.PP
The \fBEVP_PKEY_CTX_set_dh_pad()\fR macro sets the \s-1DH\s0 padding mode. If \fBpad\fR is
1 the shared secret is padded with zeros up to the size of the \s-1DH\s0 prime \fBp\fR.
If \fBpad\fR is zero (the default) then no padding is performed.
.PP
\&\fBEVP_PKEY_CTX_set_dh_nid()\fR sets the \s-1DH\s0 parameters to values corresponding to
\&\fBnid\fR as defined in \s-1RFC7919.\s0 The \fBnid\fR parameter must be \fBNID_ffdhe2048\fR,
\&\fBNID_ffdhe3072\fR, \fBNID_ffdhe4096\fR, \fBNID_ffdhe6144\fR, \fBNID_ffdhe8192\fR
or \fBNID_undef\fR to clear the stored value. This macro can be called during
parameter or key generation.
The nid parameter and the rfc5114 parameter are mutually exclusive.
.PP
The \fBEVP_PKEY_CTX_set_dh_rfc5114()\fR and \fBEVP_PKEY_CTX_set_dhx_rfc5114()\fR macros are
synonymous. They set the \s-1DH\s0 parameters to the values defined in \s-1RFC5114.\s0 The
\&\fBrfc5114\fR parameter must be 1, 2 or 3 corresponding to \s-1RFC5114\s0 sections
2.1, 2.2 and 2.3. or 0 to clear the stored value. This macro can be called
during parameter generation. The \fBctx\fR must have a key type of
\&\fB\s-1EVP_PKEY_DHX\s0\fR.
The rfc5114 parameter and the nid parameter are mutually exclusive.
.SS "\s-1DH\s0 key derivation function parameters"
.IX Subsection "DH key derivation function parameters"
Note that all of the following functions require that the \fBctx\fR parameter has
a private key type of \fB\s-1EVP_PKEY_DHX\s0\fR. When using key derivation, the output of
\&\fBEVP_PKEY_derive()\fR is the output of the \s-1KDF\s0 instead of the \s-1DH\s0 shared secret.
The \s-1KDF\s0 output is typically used as a Key Encryption Key (\s-1KEK\s0) that in turn
encrypts a Content Encryption Key (\s-1CEK\s0).
.PP
The \fBEVP_PKEY_CTX_set_dh_kdf_type()\fR macro sets the key derivation function type
to \fBkdf\fR for \s-1DH\s0 key derivation. Possible values are \fB\s-1EVP_PKEY_DH_KDF_NONE\s0\fR
and \fB\s-1EVP_PKEY_DH_KDF_X9_42\s0\fR which uses the key derivation specified in \s-1RFC2631\s0
(based on the keying algorithm described in X9.42). When using key derivation,
the \fBkdf_oid\fR, \fBkdf_md\fR and \fBkdf_outlen\fR parameters must also be specified.
.PP
The \fBEVP_PKEY_CTX_get_dh_kdf_type()\fR macro gets the key derivation function type
for \fBctx\fR used for \s-1DH\s0 key derivation. Possible values are \fB\s-1EVP_PKEY_DH_KDF_NONE\s0\fR
and \fB\s-1EVP_PKEY_DH_KDF_X9_42\s0\fR.
.PP
The \fBEVP_PKEY_CTX_set0_dh_kdf_oid()\fR macro sets the key derivation function
object identifier to \fBoid\fR for \s-1DH\s0 key derivation. This \s-1OID\s0 should identify
the algorithm to be used with the Content Encryption Key.
The library takes ownership of the object identifier so the caller should not
free the original memory pointed to by \fBoid\fR.
.PP
The \fBEVP_PKEY_CTX_get0_dh_kdf_oid()\fR macro gets the key derivation function oid
for \fBctx\fR used for \s-1DH\s0 key derivation. The resulting pointer is owned by the
library and should not be freed by the caller.
.PP
The \fBEVP_PKEY_CTX_set_dh_kdf_md()\fR macro sets the key derivation function
message digest to \fBmd\fR for \s-1DH\s0 key derivation. Note that \s-1RFC2631\s0 specifies
that this digest should be \s-1SHA1\s0 but OpenSSL tolerates other digests.
.PP
The \fBEVP_PKEY_CTX_get_dh_kdf_md()\fR macro gets the key derivation function
message digest for \fBctx\fR used for \s-1DH\s0 key derivation.
.PP
The \fBEVP_PKEY_CTX_set_dh_kdf_outlen()\fR macro sets the key derivation function
output length to \fBlen\fR for \s-1DH\s0 key derivation.
.PP
The \fBEVP_PKEY_CTX_get_dh_kdf_outlen()\fR macro gets the key derivation function
output length for \fBctx\fR used for \s-1DH\s0 key derivation.
.PP
The \fBEVP_PKEY_CTX_set0_dh_kdf_ukm()\fR macro sets the user key material to
\&\fBukm\fR and its length to \fBlen\fR for \s-1DH\s0 key derivation. This parameter is optional
and corresponds to the partyAInfo field in \s-1RFC2631\s0 terms. The specification
requires that it is 512 bits long but this is not enforced by OpenSSL.
The library takes ownership of the user key material so the caller should not
free the original memory pointed to by \fBukm\fR.
.PP
The \fBEVP_PKEY_CTX_get0_dh_kdf_ukm()\fR macro gets the user key material for \fBctx\fR.
The return value is the user key material length. The resulting pointer is owned
by the library and should not be freed by the caller.
.SS "\s-1EC\s0 parameters"
.IX Subsection "EC parameters"
The \fBEVP_PKEY_CTX_set_ec_paramgen_curve_nid()\fR sets the \s-1EC\s0 curve for \s-1EC\s0 parameter
generation to \fBnid\fR. For \s-1EC\s0 parameter generation this macro must be called
or an error occurs because there is no default curve.
This function can also be called to set the curve explicitly when
generating an \s-1EC\s0 key.
.PP
The \fBEVP_PKEY_CTX_set_ec_param_enc()\fR macro sets the \s-1EC\s0 parameter encoding to
\&\fBparam_enc\fR when generating \s-1EC\s0 parameters or an \s-1EC\s0 key. The encoding can be
\&\fB\s-1OPENSSL_EC_EXPLICIT_CURVE\s0\fR for explicit parameters (the default in versions
of OpenSSL before 1.1.0) or \fB\s-1OPENSSL_EC_NAMED_CURVE\s0\fR to use named curve form.
For maximum compatibility the named curve form should be used. Note: the
\&\fB\s-1OPENSSL_EC_NAMED_CURVE\s0\fR value was added in OpenSSL 1.1.0; previous
versions should use 0 instead.
.SS "\s-1ECDH\s0 parameters"
.IX Subsection "ECDH parameters"
The \fBEVP_PKEY_CTX_set_ecdh_cofactor_mode()\fR macro sets the cofactor mode to
\&\fBcofactor_mode\fR for \s-1ECDH\s0 key derivation. Possible values are 1 to enable
cofactor key derivation, 0 to disable it and \-1 to clear the stored cofactor
mode and fallback to the private key cofactor mode.
.PP
The \fBEVP_PKEY_CTX_get_ecdh_cofactor_mode()\fR macro returns the cofactor mode for
\&\fBctx\fR used for \s-1ECDH\s0 key derivation. Possible values are 1 when cofactor key
derivation is enabled and 0 otherwise.
.SS "\s-1ECDH\s0 key derivation function parameters"
.IX Subsection "ECDH key derivation function parameters"
The \fBEVP_PKEY_CTX_set_ecdh_kdf_type()\fR macro sets the key derivation function type
to \fBkdf\fR for \s-1ECDH\s0 key derivation. Possible values are \fB\s-1EVP_PKEY_ECDH_KDF_NONE\s0\fR
and \fB\s-1EVP_PKEY_ECDH_KDF_X9_63\s0\fR which uses the key derivation specified in X9.63.
When using key derivation, the \fBkdf_md\fR and \fBkdf_outlen\fR parameters must
also be specified.
.PP
The \fBEVP_PKEY_CTX_get_ecdh_kdf_type()\fR macro returns the key derivation function
type for \fBctx\fR used for \s-1ECDH\s0 key derivation. Possible values are
\&\fB\s-1EVP_PKEY_ECDH_KDF_NONE\s0\fR and \fB\s-1EVP_PKEY_ECDH_KDF_X9_63\s0\fR.
.PP
The \fBEVP_PKEY_CTX_set_ecdh_kdf_md()\fR macro sets the key derivation function
message digest to \fBmd\fR for \s-1ECDH\s0 key derivation. Note that X9.63 specifies
that this digest should be \s-1SHA1\s0 but OpenSSL tolerates other digests.
.PP
The \fBEVP_PKEY_CTX_get_ecdh_kdf_md()\fR macro gets the key derivation function
message digest for \fBctx\fR used for \s-1ECDH\s0 key derivation.
.PP
The \fBEVP_PKEY_CTX_set_ecdh_kdf_outlen()\fR macro sets the key derivation function
output length to \fBlen\fR for \s-1ECDH\s0 key derivation.
.PP
The \fBEVP_PKEY_CTX_get_ecdh_kdf_outlen()\fR macro gets the key derivation function
output length for \fBctx\fR used for \s-1ECDH\s0 key derivation.
.PP
The \fBEVP_PKEY_CTX_set0_ecdh_kdf_ukm()\fR macro sets the user key material to \fBukm\fR
for \s-1ECDH\s0 key derivation. This parameter is optional and corresponds to the
shared info in X9.63 terms. The library takes ownership of the user key material
so the caller should not free the original memory pointed to by \fBukm\fR.
.PP
The \fBEVP_PKEY_CTX_get0_ecdh_kdf_ukm()\fR macro gets the user key material for \fBctx\fR.
The return value is the user key material length. The resulting pointer is owned
by the library and should not be freed by the caller.
.SS "Other parameters"
.IX Subsection "Other parameters"
The \fBEVP_PKEY_CTX_set1_id()\fR, \fBEVP_PKEY_CTX_get1_id()\fR and \fBEVP_PKEY_CTX_get1_id_len()\fR
macros are used to manipulate the special identifier field for specific signature
algorithms such as \s-1SM2.\s0 The \fBEVP_PKEY_CTX_set1_id()\fR sets an \s-1ID\s0 pointed by \fBid\fR with
the length \fBid_len\fR to the library. The library takes a copy of the id so that
the caller can safely free the original memory pointed to by \fBid\fR. The
\&\fBEVP_PKEY_CTX_get1_id_len()\fR macro returns the length of the \s-1ID\s0 set via a previous
call to \fBEVP_PKEY_CTX_set1_id()\fR. The length is usually used to allocate adequate
memory for further calls to \fBEVP_PKEY_CTX_get1_id()\fR. The \fBEVP_PKEY_CTX_get1_id()\fR
macro returns the previously set \s-1ID\s0 value to caller in \fBid\fR. The caller should
allocate adequate memory space for the \fBid\fR before calling \fBEVP_PKEY_CTX_get1_id()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_CTX_ctrl()\fR and its macros return a positive value for success and 0
or a negative value for failure. In particular a return value of \-2
indicates the operation is not supported by the public key algorithm.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_encrypt\fR\|(3),
\&\fBEVP_PKEY_decrypt\fR\|(3),
\&\fBEVP_PKEY_sign\fR\|(3),
\&\fBEVP_PKEY_verify\fR\|(3),
\&\fBEVP_PKEY_verify_recover\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3),
\&\fBEVP_PKEY_keygen\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The
\&\fBEVP_PKEY_CTX_set1_id()\fR, \fBEVP_PKEY_CTX_get1_id()\fR and \fBEVP_PKEY_CTX_get1_id_len()\fR
macros were added in 1.1.1, other functions were added in OpenSSL 1.0.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_new.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_new.3
index c91d3276112b..79675e1f1258 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_new.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_new.3
@@ -1,192 +1,192 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_CTX_NEW 3"
-.TH EVP_PKEY_CTX_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_PKEY_CTX_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_PKEY_CTX_new, EVP_PKEY_CTX_new_id, EVP_PKEY_CTX_dup, EVP_PKEY_CTX_free \- public key algorithm context functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *pkey, ENGINE *e);
\& EVP_PKEY_CTX *EVP_PKEY_CTX_new_id(int id, ENGINE *e);
\& EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_CTX *ctx);
\& void EVP_PKEY_CTX_free(EVP_PKEY_CTX *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBEVP_PKEY_CTX_new()\fR function allocates public key algorithm context using
the algorithm specified in \fBpkey\fR and \s-1ENGINE\s0 \fBe\fR.
.PP
The \fBEVP_PKEY_CTX_new_id()\fR function allocates public key algorithm context
using the algorithm specified by \fBid\fR and \s-1ENGINE\s0 \fBe\fR. It is normally used
when no \fB\s-1EVP_PKEY\s0\fR structure is associated with the operations, for example
during parameter generation of key generation for some algorithms.
.PP
\&\fBEVP_PKEY_CTX_dup()\fR duplicates the context \fBctx\fR.
.PP
\&\fBEVP_PKEY_CTX_free()\fR frees up the context \fBctx\fR.
If \fBctx\fR is \s-1NULL,\s0 nothing is done.
.SH "NOTES"
.IX Header "NOTES"
The \fB\s-1EVP_PKEY_CTX\s0\fR structure is an opaque public key algorithm context used
by the OpenSSL high-level public key \s-1API.\s0 Contexts \fB\s-1MUST NOT\s0\fR be shared between
threads: that is it is not permissible to use the same context simultaneously
in two threads.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_CTX_new()\fR, \fBEVP_PKEY_CTX_new_id()\fR, \fBEVP_PKEY_CTX_dup()\fR returns either
the newly allocated \fB\s-1EVP_PKEY_CTX\s0\fR structure of \fB\s-1NULL\s0\fR if an error occurred.
.PP
\&\fBEVP_PKEY_CTX_free()\fR does not return a value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_new\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set1_pbe_pass.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set1_pbe_pass.3
index 98039383b946..55a0d1b3f680 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set1_pbe_pass.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set1_pbe_pass.3
@@ -1,183 +1,183 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_CTX_SET1_PBE_PASS 3"
-.TH EVP_PKEY_CTX_SET1_PBE_PASS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_PKEY_CTX_SET1_PBE_PASS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_PKEY_CTX_set1_pbe_pass \&\- generic KDF support functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/kdf.h>
\&
\& int EVP_PKEY_CTX_set1_pbe_pass(EVP_PKEY_CTX *pctx, unsigned char *pass,
\& int passlen);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions are generic support functions for all \s-1KDF\s0 algorithms.
.PP
\&\fBEVP_PKEY_CTX_set1_pbe_pass()\fR sets the password to the \fBpasslen\fR first
bytes from \fBpass\fR.
.SH "STRING CTRLS"
.IX Header "STRING CTRLS"
There is also support for string based control operations via
\&\fBEVP_PKEY_CTX_ctrl_str\fR\|(3).
The \fBpassword\fR can be directly specified using the \fBtype\fR parameter
\&\*(L"pass\*(R" or given in hex encoding using the \*(L"hexpass\*(R" parameter.
.SH "NOTES"
.IX Header "NOTES"
All these functions are implemented as macros.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All these functions return 1 for success and 0 or a negative value for failure.
In particular a return value of \-2 indicates the operation is not supported by
the public key algorithm.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_CTX_ctrl_str\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_hkdf_md.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_hkdf_md.3
index 2f8f86e73909..01e6b977d195 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_hkdf_md.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_hkdf_md.3
@@ -1,288 +1,288 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_CTX_SET_HKDF_MD 3"
-.TH EVP_PKEY_CTX_SET_HKDF_MD 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_PKEY_CTX_SET_HKDF_MD 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_PKEY_CTX_set_hkdf_md, EVP_PKEY_CTX_set1_hkdf_salt, EVP_PKEY_CTX_set1_hkdf_key, EVP_PKEY_CTX_add1_hkdf_info, EVP_PKEY_CTX_hkdf_mode \- HMAC\-based Extract\-and\-Expand key derivation algorithm
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/kdf.h>
\&
\& int EVP_PKEY_CTX_hkdf_mode(EVP_PKEY_CTX *pctx, int mode);
\&
\& int EVP_PKEY_CTX_set_hkdf_md(EVP_PKEY_CTX *pctx, const EVP_MD *md);
\&
\& int EVP_PKEY_CTX_set1_hkdf_salt(EVP_PKEY_CTX *pctx, unsigned char *salt,
\& int saltlen);
\&
\& int EVP_PKEY_CTX_set1_hkdf_key(EVP_PKEY_CTX *pctx, unsigned char *key,
\& int keylen);
\&
\& int EVP_PKEY_CTX_add1_hkdf_info(EVP_PKEY_CTX *pctx, unsigned char *info,
\& int infolen);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1EVP_PKEY_HKDF\s0 algorithm implements the \s-1HKDF\s0 key derivation function.
\&\s-1HKDF\s0 follows the \*(L"extract-then-expand\*(R" paradigm, where the \s-1KDF\s0 logically
consists of two modules. The first stage takes the input keying material
and \*(L"extracts\*(R" from it a fixed-length pseudorandom key K. The second stage
\&\*(L"expands\*(R" the key K into several additional pseudorandom keys (the output
of the \s-1KDF\s0).
.PP
\&\fBEVP_PKEY_CTX_hkdf_mode()\fR sets the mode for the \s-1HKDF\s0 operation. There are three
modes that are currently defined:
.IP "\s-1EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND\s0" 4
.IX Item "EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND"
This is the default mode. Calling \fBEVP_PKEY_derive\fR\|(3) on an \s-1EVP_PKEY_CTX\s0 set
up for \s-1HKDF\s0 will perform an extract followed by an expand operation in one go.
The derived key returned will be the result after the expand operation. The
intermediate fixed-length pseudorandom key K is not returned.
.Sp
In this mode the digest, key, salt and info values must be set before a key is
derived or an error occurs.
.IP "\s-1EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY\s0" 4
.IX Item "EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY"
In this mode calling \fBEVP_PKEY_derive\fR\|(3) will just perform the extract
operation. The value returned will be the intermediate fixed-length pseudorandom
key K.
.Sp
The digest, key and salt values must be set before a key is derived or an
error occurs.
.IP "\s-1EVP_PKEY_HKDEF_MODE_EXPAND_ONLY\s0" 4
.IX Item "EVP_PKEY_HKDEF_MODE_EXPAND_ONLY"
In this mode calling \fBEVP_PKEY_derive\fR\|(3) will just perform the expand
operation. The input key should be set to the intermediate fixed-length
pseudorandom key K returned from a previous extract operation.
.Sp
The digest, key and info values must be set before a key is derived or an
error occurs.
.PP
\&\fBEVP_PKEY_CTX_set_hkdf_md()\fR sets the message digest associated with the \s-1HKDF.\s0
.PP
\&\fBEVP_PKEY_CTX_set1_hkdf_salt()\fR sets the salt to \fBsaltlen\fR bytes of the
buffer \fBsalt\fR. Any existing value is replaced.
.PP
\&\fBEVP_PKEY_CTX_set1_hkdf_key()\fR sets the key to \fBkeylen\fR bytes of the buffer
\&\fBkey\fR. Any existing value is replaced.
.PP
\&\fBEVP_PKEY_CTX_add1_hkdf_info()\fR sets the info value to \fBinfolen\fR bytes of the
buffer \fBinfo\fR. If a value is already set, it is appended to the existing
value.
.SH "STRING CTRLS"
.IX Header "STRING CTRLS"
\&\s-1HKDF\s0 also supports string based control operations via
\&\fBEVP_PKEY_CTX_ctrl_str\fR\|(3).
The \fBtype\fR parameter \*(L"md\*(R" uses the supplied \fBvalue\fR as the name of the digest
algorithm to use.
The \fBtype\fR parameter \*(L"mode\*(R" uses the values \*(L"\s-1EXTRACT_AND_EXPAND\*(R",
\&\*(L"EXTRACT_ONLY\*(R"\s0 and \*(L"\s-1EXPAND_ONLY\*(R"\s0 to determine the mode to use.
The \fBtype\fR parameters \*(L"salt\*(R", \*(L"key\*(R" and \*(L"info\*(R" use the supplied \fBvalue\fR
parameter as a \fBseed\fR, \fBkey\fR or \fBinfo\fR value.
The names \*(L"hexsalt\*(R", \*(L"hexkey\*(R" and \*(L"hexinfo\*(R" are similar except they take a hex
string which is converted to binary.
.SH "NOTES"
.IX Header "NOTES"
All these functions are implemented as macros.
.PP
A context for \s-1HKDF\s0 can be obtained by calling:
.PP
.Vb 1
\& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
.Ve
.PP
The total length of the info buffer cannot exceed 1024 bytes in length: this
should be more than enough for any normal use of \s-1HKDF.\s0
.PP
The output length of an \s-1HKDF\s0 expand operation is specified via the length
parameter to the \fBEVP_PKEY_derive\fR\|(3) function.
Since the \s-1HKDF\s0 output length is variable, passing a \fB\s-1NULL\s0\fR buffer as a means
to obtain the requisite length is not meaningful with \s-1HKDF\s0 in any mode that
performs an expand operation. Instead, the caller must allocate a buffer of the
desired length, and pass that buffer to \fBEVP_PKEY_derive\fR\|(3) along with (a
pointer initialized to) the desired length. Passing a \fB\s-1NULL\s0\fR buffer to obtain
the length is allowed when using \s-1EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY.\s0
.PP
Optimised versions of \s-1HKDF\s0 can be implemented in an \s-1ENGINE.\s0
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All these functions return 1 for success and 0 or a negative value for failure.
In particular a return value of \-2 indicates the operation is not supported by
the public key algorithm.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
This example derives 10 bytes using \s-1SHA\-256\s0 with the secret key \*(L"secret\*(R",
salt value \*(L"salt\*(R" and info value \*(L"label\*(R":
.PP
.Vb 4
\& EVP_PKEY_CTX *pctx;
\& unsigned char out[10];
\& size_t outlen = sizeof(out);
\& pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
\&
\& if (EVP_PKEY_derive_init(pctx) <= 0)
\& /* Error */
\& if (EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()) <= 0)
\& /* Error */
\& if (EVP_PKEY_CTX_set1_hkdf_salt(pctx, "salt", 4) <= 0)
\& /* Error */
\& if (EVP_PKEY_CTX_set1_hkdf_key(pctx, "secret", 6) <= 0)
\& /* Error */
\& if (EVP_PKEY_CTX_add1_hkdf_info(pctx, "label", 5) <= 0)
\& /* Error */
\& if (EVP_PKEY_derive(pctx, out, &outlen) <= 0)
\& /* Error */
.Ve
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
\&\s-1RFC 5869\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_CTX_ctrl_str\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3
index c52cc51fcaa0..edfdf3785680 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3
@@ -1,222 +1,222 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_CTX_SET_RSA_PSS_KEYGEN_MD 3"
-.TH EVP_PKEY_CTX_SET_RSA_PSS_KEYGEN_MD 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_PKEY_CTX_SET_RSA_PSS_KEYGEN_MD 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_PKEY_CTX_set_rsa_pss_keygen_md, EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md, EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen \&\- EVP_PKEY RSA\-PSS algorithm support functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
\&
\& int EVP_PKEY_CTX_set_rsa_pss_keygen_md(EVP_PKEY_CTX *pctx,
\& const EVP_MD *md);
\& int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(EVP_PKEY_CTX *pctx,
\& const EVP_MD *md);
\& int EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX *pctx,
\& int saltlen);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These are the functions that implement \s-1\fBRSA\-PSS\s0\fR\|(7).
.SS "Signing and Verification"
.IX Subsection "Signing and Verification"
The macro \fBEVP_PKEY_CTX_set_rsa_padding()\fR is supported but an error is
returned if an attempt is made to set the padding mode to anything other
than \fB\s-1PSS\s0\fR. It is otherwise similar to the \fB\s-1RSA\s0\fR version.
.PP
The \fBEVP_PKEY_CTX_set_rsa_pss_saltlen()\fR macro is used to set the salt length.
If the key has usage restrictions then an error is returned if an attempt is
made to set the salt length below the minimum value. It is otherwise similar
to the \fB\s-1RSA\s0\fR operation except detection of the salt length (using
\&\s-1RSA_PSS_SALTLEN_AUTO\s0) is not supported for verification if the key has
usage restrictions.
.PP
The \fBEVP_PKEY_CTX_set_signature_md()\fR and \fBEVP_PKEY_CTX_set_rsa_mgf1_md()\fR macros
are used to set the digest and \s-1MGF1\s0 algorithms respectively. If the key has
usage restrictions then an error is returned if an attempt is made to set the
digest to anything other than the restricted value. Otherwise these are
similar to the \fB\s-1RSA\s0\fR versions.
.SS "Key Generation"
.IX Subsection "Key Generation"
As with \s-1RSA\s0 key generation the \fBEVP_PKEY_CTX_set_rsa_keygen_bits()\fR
and \fBEVP_PKEY_CTX_set_rsa_keygen_pubexp()\fR macros are supported for RSA-PSS:
they have exactly the same meaning as for the \s-1RSA\s0 algorithm.
.PP
Optional parameter restrictions can be specified when generating a \s-1PSS\s0 key.
If any restrictions are set (using the macros described below) then \fBall\fR
parameters are restricted. For example, setting a minimum salt length also
restricts the digest and \s-1MGF1\s0 algorithms. If any restrictions are in place
then they are reflected in the corresponding parameters of the public key
when (for example) a certificate request is signed.
.PP
\&\fBEVP_PKEY_CTX_set_rsa_pss_keygen_md()\fR restricts the digest algorithm the
generated key can use to \fBmd\fR.
.PP
\&\fBEVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md()\fR restricts the \s-1MGF1\s0 algorithm the
generated key can use to \fBmd\fR.
.PP
\&\fBEVP_PKEY_CTX_set_rsa_pss_keygen_saltlen()\fR restricts the minimum salt length
to \fBsaltlen\fR.
.SH "NOTES"
.IX Header "NOTES"
A context for the \fBRSA-PSS\fR algorithm can be obtained by calling:
.PP
.Vb 1
\& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA_PSS, NULL);
.Ve
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All these functions return 1 for success and 0 or a negative value for failure.
In particular a return value of \-2 indicates the operation is not supported by
the public key algorithm.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\s-1\fBRSA\-PSS\s0\fR\|(7),
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_CTX_ctrl_str\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_scrypt_N.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_scrypt_N.3
index 378010fc5a47..bd2904716b00 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_scrypt_N.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_scrypt_N.3
@@ -1,211 +1,211 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_CTX_SET_SCRYPT_N 3"
-.TH EVP_PKEY_CTX_SET_SCRYPT_N 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_PKEY_CTX_SET_SCRYPT_N 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_PKEY_CTX_set1_scrypt_salt, EVP_PKEY_CTX_set_scrypt_N, EVP_PKEY_CTX_set_scrypt_r, EVP_PKEY_CTX_set_scrypt_p, EVP_PKEY_CTX_set_scrypt_maxmem_bytes \&\- EVP_PKEY scrypt KDF support functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/kdf.h>
\&
\& int EVP_PKEY_CTX_set1_scrypt_salt(EVP_PKEY_CTX *pctx, unsigned char *salt,
\& int saltlen);
\&
\& int EVP_PKEY_CTX_set_scrypt_N(EVP_PKEY_CTX *pctx, uint64_t N);
\&
\& int EVP_PKEY_CTX_set_scrypt_r(EVP_PKEY_CTX *pctx, uint64_t r);
\&
\& int EVP_PKEY_CTX_set_scrypt_p(EVP_PKEY_CTX *pctx, uint64_t p);
\&
\& int EVP_PKEY_CTX_set_scrypt_maxmem_bytes(EVP_PKEY_CTX *pctx,
\& uint64_t maxmem);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions are used to set up the necessary data to use the
scrypt \s-1KDF.\s0
For more information on scrypt, see \fBscrypt\fR\|(7).
.PP
\&\fBEVP_PKEY_CTX_set1_scrypt_salt()\fR sets the \fBsaltlen\fR bytes long salt
value.
.PP
\&\fBEVP_PKEY_CTX_set_scrypt_N()\fR, \fBEVP_PKEY_CTX_set_scrypt_r()\fR and
\&\fBEVP_PKEY_CTX_set_scrypt_p()\fR configure the work factors N, r and p.
.PP
\&\fBEVP_PKEY_CTX_set_scrypt_maxmem_bytes()\fR sets how much \s-1RAM\s0 key
derivation may maximally use, given in bytes.
If \s-1RAM\s0 is exceeded because the load factors are chosen too high, the
key derivation will fail.
.SH "STRING CTRLS"
.IX Header "STRING CTRLS"
scrypt also supports string based control operations via
\&\fBEVP_PKEY_CTX_ctrl_str\fR\|(3).
Similarly, the \fBsalt\fR can either be specified using the \fBtype\fR
parameter \*(L"salt\*(R" or in hex encoding by using the \*(L"hexsalt\*(R" parameter.
The work factors \fBN\fR, \fBr\fR and \fBp\fR as well as \fBmaxmem_bytes\fR can be
set by using the parameters \*(L"N\*(R", \*(L"r\*(R", \*(L"p\*(R" and \*(L"maxmem_bytes\*(R",
respectively.
.SH "NOTES"
.IX Header "NOTES"
The scrypt \s-1KDF\s0 also uses \fBEVP_PKEY_CTX_set1_pbe_pass()\fR as well as
the value from the string controls \*(L"pass\*(R" and \*(L"hexpass\*(R".
See \fBEVP_PKEY_CTX_set1_pbe_pass\fR\|(3).
.PP
All the functions described here are implemented as macros.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All these functions return 1 for success and 0 or a negative value for
failure.
In particular a return value of \-2 indicates the operation is not
supported by the public key algorithm.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBscrypt\fR\|(7),
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_CTX_ctrl_str\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_tls1_prf_md.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_tls1_prf_md.3
index 328b4ffadb25..5d3fe8f9bf20 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_tls1_prf_md.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_CTX_set_tls1_prf_md.3
@@ -1,240 +1,240 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_CTX_SET_TLS1_PRF_MD 3"
-.TH EVP_PKEY_CTX_SET_TLS1_PRF_MD 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_PKEY_CTX_SET_TLS1_PRF_MD 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_PKEY_CTX_set_tls1_prf_md, EVP_PKEY_CTX_set1_tls1_prf_secret, EVP_PKEY_CTX_add1_tls1_prf_seed \- TLS PRF key derivation algorithm
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/kdf.h>
\&
\& int EVP_PKEY_CTX_set_tls1_prf_md(EVP_PKEY_CTX *pctx, const EVP_MD *md);
\& int EVP_PKEY_CTX_set1_tls1_prf_secret(EVP_PKEY_CTX *pctx,
\& unsigned char *sec, int seclen);
\& int EVP_PKEY_CTX_add1_tls1_prf_seed(EVP_PKEY_CTX *pctx,
\& unsigned char *seed, int seedlen);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fB\s-1EVP_PKEY_TLS1_PRF\s0\fR algorithm implements the \s-1PRF\s0 key derivation function for
\&\s-1TLS.\s0 It has no associated private key and only implements key derivation
using \fBEVP_PKEY_derive\fR\|(3).
.PP
\&\fBEVP_PKEY_set_tls1_prf_md()\fR sets the message digest associated with the
\&\s-1TLS PRF.\s0 \fBEVP_md5_sha1()\fR is treated as a special case which uses the \s-1PRF\s0
algorithm using both \fB\s-1MD5\s0\fR and \fB\s-1SHA1\s0\fR as used in \s-1TLS 1.0\s0 and 1.1.
.PP
\&\fBEVP_PKEY_CTX_set_tls1_prf_secret()\fR sets the secret value of the \s-1TLS PRF\s0
to \fBseclen\fR bytes of the buffer \fBsec\fR. Any existing secret value is replaced
and any seed is reset.
.PP
\&\fBEVP_PKEY_CTX_add1_tls1_prf_seed()\fR sets the seed to \fBseedlen\fR bytes of \fBseed\fR.
If a seed is already set it is appended to the existing value.
.SH "STRING CTRLS"
.IX Header "STRING CTRLS"
The \s-1TLS PRF\s0 also supports string based control operations using
\&\fBEVP_PKEY_CTX_ctrl_str\fR\|(3).
The \fBtype\fR parameter \*(L"md\*(R" uses the supplied \fBvalue\fR as the name of the digest
algorithm to use.
The \fBtype\fR parameters \*(L"secret\*(R" and \*(L"seed\*(R" use the supplied \fBvalue\fR parameter
as a secret or seed value.
The names \*(L"hexsecret\*(R" and \*(L"hexseed\*(R" are similar except they take a hex string
which is converted to binary.
.SH "NOTES"
.IX Header "NOTES"
All these functions are implemented as macros.
.PP
A context for the \s-1TLS PRF\s0 can be obtained by calling:
.PP
.Vb 1
\& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
.Ve
.PP
The digest, secret value and seed must be set before a key is derived or an
error occurs.
.PP
The total length of all seeds cannot exceed 1024 bytes in length: this should
be more than enough for any normal use of the \s-1TLS PRF.\s0
.PP
The output length of the \s-1PRF\s0 is specified by the length parameter in the
\&\fBEVP_PKEY_derive()\fR function. Since the output length is variable, setting
the buffer to \fB\s-1NULL\s0\fR is not meaningful for the \s-1TLS PRF.\s0
.PP
Optimised versions of the \s-1TLS PRF\s0 can be implemented in an \s-1ENGINE.\s0
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All these functions return 1 for success and 0 or a negative value for failure.
In particular a return value of \-2 indicates the operation is not supported by
the public key algorithm.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
This example derives 10 bytes using \s-1SHA\-256\s0 with the secret key \*(L"secret\*(R"
and seed value \*(L"seed\*(R":
.PP
.Vb 3
\& EVP_PKEY_CTX *pctx;
\& unsigned char out[10];
\& size_t outlen = sizeof(out);
\&
\& pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
\& if (EVP_PKEY_derive_init(pctx) <= 0)
\& /* Error */
\& if (EVP_PKEY_CTX_set_tls1_prf_md(pctx, EVP_sha256()) <= 0)
\& /* Error */
\& if (EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, "secret", 6) <= 0)
\& /* Error */
\& if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, "seed", 4) <= 0)
\& /* Error */
\& if (EVP_PKEY_derive(pctx, out, &outlen) <= 0)
\& /* Error */
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_CTX_ctrl_str\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_asn1_get_count.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_asn1_get_count.3
index 293af2d1fc93..727d5055ba46 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_asn1_get_count.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_asn1_get_count.3
@@ -1,207 +1,207 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_ASN1_GET_COUNT 3"
-.TH EVP_PKEY_ASN1_GET_COUNT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_PKEY_ASN1_GET_COUNT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_PKEY_asn1_find, EVP_PKEY_asn1_find_str, EVP_PKEY_asn1_get_count, EVP_PKEY_asn1_get0, EVP_PKEY_asn1_get0_info \&\- enumerate public key ASN.1 methods
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int EVP_PKEY_asn1_get_count(void);
\& const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_get0(int idx);
\& const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find(ENGINE **pe, int type);
\& const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find_str(ENGINE **pe,
\& const char *str, int len);
\& int EVP_PKEY_asn1_get0_info(int *ppkey_id, int *pkey_base_id,
\& int *ppkey_flags, const char **pinfo,
\& const char **ppem_str,
\& const EVP_PKEY_ASN1_METHOD *ameth);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBEVP_PKEY_asn1_count()\fR returns a count of the number of public key
\&\s-1ASN.1\s0 methods available: it includes standard methods and any methods
added by the application.
.PP
\&\fBEVP_PKEY_asn1_get0()\fR returns the public key \s-1ASN.1\s0 method \fBidx\fR.
The value of \fBidx\fR must be between zero and \fBEVP_PKEY_asn1_get_count()\fR
\&\- 1.
.PP
\&\fBEVP_PKEY_asn1_find()\fR looks up the \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR with \s-1NID\s0
\&\fBtype\fR.
If \fBpe\fR isn't \fB\s-1NULL\s0\fR, then it will look up an engine implementing a
\&\fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR for the \s-1NID\s0 \fBtype\fR and return that instead,
and also set \fB*pe\fR to point at the engine that implements it.
.PP
\&\fBEVP_PKEY_asn1_find_str()\fR looks up the \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR with \s-1PEM\s0
type string \fBstr\fR.
Just like \fBEVP_PKEY_asn1_find()\fR, if \fBpe\fR isn't \fB\s-1NULL\s0\fR, then it will
look up an engine implementing a \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR for the \s-1NID\s0
\&\fBtype\fR and return that instead, and also set \fB*pe\fR to point at the
engine that implements it.
.PP
\&\fBEVP_PKEY_asn1_get0_info()\fR returns the public key \s-1ID,\s0 base public key
\&\s-1ID\s0 (both NIDs), any flags, the method description and \s-1PEM\s0 type string
associated with the public key \s-1ASN.1\s0 method \fB*ameth\fR.
.PP
\&\fBEVP_PKEY_asn1_count()\fR, \fBEVP_PKEY_asn1_get0()\fR, \fBEVP_PKEY_asn1_find()\fR and
\&\fBEVP_PKEY_asn1_find_str()\fR are not thread safe, but as long as all
\&\fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR objects are added before the application gets
threaded, using them is safe. See \fBEVP_PKEY_asn1_add0\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_asn1_count()\fR returns the number of available public key methods.
.PP
\&\fBEVP_PKEY_asn1_get0()\fR return a public key method or \fB\s-1NULL\s0\fR if \fBidx\fR is
out of range.
.PP
\&\fBEVP_PKEY_asn1_get0_info()\fR returns 0 on failure, 1 on success.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_asn1_new\fR\|(3), \fBEVP_PKEY_asn1_add0\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_cmp.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_cmp.3
index e27f45f66d18..1e85c8d57cc2 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_cmp.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_cmp.3
@@ -1,203 +1,203 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_CMP 3"
-.TH EVP_PKEY_CMP 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_PKEY_CMP 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_PKEY_copy_parameters, EVP_PKEY_missing_parameters, EVP_PKEY_cmp_parameters, EVP_PKEY_cmp \- public key parameter and comparison functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int EVP_PKEY_missing_parameters(const EVP_PKEY *pkey);
\& int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from);
\&
\& int EVP_PKEY_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b);
\& int EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The function \fBEVP_PKEY_missing_parameters()\fR returns 1 if the public key
parameters of \fBpkey\fR are missing and 0 if they are present or the algorithm
doesn't use parameters.
.PP
The function \fBEVP_PKEY_copy_parameters()\fR copies the parameters from key
\&\fBfrom\fR to key \fBto\fR. An error is returned if the parameters are missing in
\&\fBfrom\fR or present in both \fBfrom\fR and \fBto\fR and mismatch. If the parameters
in \fBfrom\fR and \fBto\fR are both present and match this function has no effect.
.PP
The function \fBEVP_PKEY_cmp_parameters()\fR compares the parameters of keys
\&\fBa\fR and \fBb\fR.
.PP
The function \fBEVP_PKEY_cmp()\fR compares the public key components and parameters
(if present) of keys \fBa\fR and \fBb\fR.
.SH "NOTES"
.IX Header "NOTES"
The main purpose of the functions \fBEVP_PKEY_missing_parameters()\fR and
\&\fBEVP_PKEY_copy_parameters()\fR is to handle public keys in certificates where the
parameters are sometimes omitted from a public key if they are inherited from
the \s-1CA\s0 that signed it.
.PP
Since OpenSSL private keys contain public key components too the function
\&\fBEVP_PKEY_cmp()\fR can also be used to determine if a private key matches
a public key.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The function \fBEVP_PKEY_missing_parameters()\fR returns 1 if the public key
parameters of \fBpkey\fR are missing and 0 if they are present or the algorithm
doesn't use parameters.
.PP
These functions \fBEVP_PKEY_copy_parameters()\fR returns 1 for success and 0 for
failure.
.PP
The function \fBEVP_PKEY_cmp_parameters()\fR and \fBEVP_PKEY_cmp()\fR return 1 if the
keys match, 0 if they don't match, \-1 if the key types are different and
\&\-2 if the operation is not supported.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_keygen\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_decrypt.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_decrypt.3
index 4c8a11100cdb..4f4e0c4f8b25 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_decrypt.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_decrypt.3
@@ -1,236 +1,236 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_DECRYPT 3"
-.TH EVP_PKEY_DECRYPT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_PKEY_DECRYPT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_PKEY_decrypt_init, EVP_PKEY_decrypt \- decrypt using a public key algorithm
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int EVP_PKEY_decrypt_init(EVP_PKEY_CTX *ctx);
\& int EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx,
\& unsigned char *out, size_t *outlen,
\& const unsigned char *in, size_t inlen);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBEVP_PKEY_decrypt_init()\fR function initializes a public key algorithm
context using key \fBpkey\fR for a decryption operation.
.PP
The \fBEVP_PKEY_decrypt()\fR function performs a public key decryption operation
using \fBctx\fR. The data to be decrypted is specified using the \fBin\fR and
\&\fBinlen\fR parameters. If \fBout\fR is \fB\s-1NULL\s0\fR then the maximum size of the output
buffer is written to the \fBoutlen\fR parameter. If \fBout\fR is not \fB\s-1NULL\s0\fR then
before the call the \fBoutlen\fR parameter should contain the length of the
\&\fBout\fR buffer, if the call is successful the decrypted data is written to
\&\fBout\fR and the amount of data written to \fBoutlen\fR.
.SH "NOTES"
.IX Header "NOTES"
After the call to \fBEVP_PKEY_decrypt_init()\fR algorithm specific control
operations can be performed to set any appropriate parameters for the
operation.
.PP
The function \fBEVP_PKEY_decrypt()\fR can be called more than once on the same
context if several operations are performed using the same parameters.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_decrypt_init()\fR and \fBEVP_PKEY_decrypt()\fR return 1 for success and 0
or a negative value for failure. In particular a return value of \-2
indicates the operation is not supported by the public key algorithm.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Decrypt data using \s-1OAEP\s0 (for \s-1RSA\s0 keys):
.PP
.Vb 2
\& #include <openssl/evp.h>
\& #include <openssl/rsa.h>
\&
\& EVP_PKEY_CTX *ctx;
\& ENGINE *eng;
\& unsigned char *out, *in;
\& size_t outlen, inlen;
\& EVP_PKEY *key;
\&
\& /*
\& * NB: assumes key, eng, in, inlen are already set up
\& * and that key is an RSA private key
\& */
\& ctx = EVP_PKEY_CTX_new(key, eng);
\& if (!ctx)
\& /* Error occurred */
\& if (EVP_PKEY_decrypt_init(ctx) <= 0)
\& /* Error */
\& if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_OAEP_PADDING) <= 0)
\& /* Error */
\&
\& /* Determine buffer length */
\& if (EVP_PKEY_decrypt(ctx, NULL, &outlen, in, inlen) <= 0)
\& /* Error */
\&
\& out = OPENSSL_malloc(outlen);
\&
\& if (!out)
\& /* malloc failure */
\&
\& if (EVP_PKEY_decrypt(ctx, out, &outlen, in, inlen) <= 0)
\& /* Error */
\&
\& /* Decrypted data is outlen bytes written to buffer out */
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_encrypt\fR\|(3),
\&\fBEVP_PKEY_sign\fR\|(3),
\&\fBEVP_PKEY_verify\fR\|(3),
\&\fBEVP_PKEY_verify_recover\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_derive.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_derive.3
index b1114171caf6..699506821441 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_derive.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_derive.3
@@ -1,234 +1,234 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_DERIVE 3"
-.TH EVP_PKEY_DERIVE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_PKEY_DERIVE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_PKEY_derive_init, EVP_PKEY_derive_set_peer, EVP_PKEY_derive \- derive public key algorithm shared secret
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int EVP_PKEY_derive_init(EVP_PKEY_CTX *ctx);
\& int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer);
\& int EVP_PKEY_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBEVP_PKEY_derive_init()\fR function initializes a public key algorithm
context using key \fBpkey\fR for shared secret derivation.
.PP
The \fBEVP_PKEY_derive_set_peer()\fR function sets the peer key: this will normally
be a public key.
.PP
The \fBEVP_PKEY_derive()\fR derives a shared secret using \fBctx\fR.
If \fBkey\fR is \fB\s-1NULL\s0\fR then the maximum size of the output buffer is written to
the \fBkeylen\fR parameter. If \fBkey\fR is not \fB\s-1NULL\s0\fR then before the call the
\&\fBkeylen\fR parameter should contain the length of the \fBkey\fR buffer, if the call
is successful the shared secret is written to \fBkey\fR and the amount of data
written to \fBkeylen\fR.
.SH "NOTES"
.IX Header "NOTES"
After the call to \fBEVP_PKEY_derive_init()\fR algorithm specific control
operations can be performed to set any appropriate parameters for the
operation.
.PP
The function \fBEVP_PKEY_derive()\fR can be called more than once on the same
context if several operations are performed using the same parameters.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_derive_init()\fR and \fBEVP_PKEY_derive()\fR return 1 for success and 0
or a negative value for failure. In particular a return value of \-2
indicates the operation is not supported by the public key algorithm.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Derive shared secret (for example \s-1DH\s0 or \s-1EC\s0 keys):
.PP
.Vb 2
\& #include <openssl/evp.h>
\& #include <openssl/rsa.h>
\&
\& EVP_PKEY_CTX *ctx;
\& ENGINE *eng;
\& unsigned char *skey;
\& size_t skeylen;
\& EVP_PKEY *pkey, *peerkey;
\& /* NB: assumes pkey, eng, peerkey have been already set up */
\&
\& ctx = EVP_PKEY_CTX_new(pkey, eng);
\& if (!ctx)
\& /* Error occurred */
\& if (EVP_PKEY_derive_init(ctx) <= 0)
\& /* Error */
\& if (EVP_PKEY_derive_set_peer(ctx, peerkey) <= 0)
\& /* Error */
\&
\& /* Determine buffer length */
\& if (EVP_PKEY_derive(ctx, NULL, &skeylen) <= 0)
\& /* Error */
\&
\& skey = OPENSSL_malloc(skeylen);
\&
\& if (!skey)
\& /* malloc failure */
\&
\& if (EVP_PKEY_derive(ctx, skey, &skeylen) <= 0)
\& /* Error */
\&
\& /* Shared secret is skey bytes written to buffer skey */
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_encrypt\fR\|(3),
\&\fBEVP_PKEY_decrypt\fR\|(3),
\&\fBEVP_PKEY_sign\fR\|(3),
\&\fBEVP_PKEY_verify\fR\|(3),
\&\fBEVP_PKEY_verify_recover\fR\|(3),
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_encrypt.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_encrypt.3
index ecead5febc8a..e281b799c9ef 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_encrypt.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_encrypt.3
@@ -1,241 +1,241 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_ENCRYPT 3"
-.TH EVP_PKEY_ENCRYPT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_PKEY_ENCRYPT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_PKEY_encrypt_init, EVP_PKEY_encrypt \- encrypt using a public key algorithm
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int EVP_PKEY_encrypt_init(EVP_PKEY_CTX *ctx);
\& int EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx,
\& unsigned char *out, size_t *outlen,
\& const unsigned char *in, size_t inlen);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBEVP_PKEY_encrypt_init()\fR function initializes a public key algorithm
context using key \fBpkey\fR for an encryption operation.
.PP
The \fBEVP_PKEY_encrypt()\fR function performs a public key encryption operation
using \fBctx\fR. The data to be encrypted is specified using the \fBin\fR and
\&\fBinlen\fR parameters. If \fBout\fR is \fB\s-1NULL\s0\fR then the maximum size of the output
buffer is written to the \fBoutlen\fR parameter. If \fBout\fR is not \fB\s-1NULL\s0\fR then
before the call the \fBoutlen\fR parameter should contain the length of the
\&\fBout\fR buffer, if the call is successful the encrypted data is written to
\&\fBout\fR and the amount of data written to \fBoutlen\fR.
.SH "NOTES"
.IX Header "NOTES"
After the call to \fBEVP_PKEY_encrypt_init()\fR algorithm specific control
operations can be performed to set any appropriate parameters for the
operation.
.PP
The function \fBEVP_PKEY_encrypt()\fR can be called more than once on the same
context if several operations are performed using the same parameters.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_encrypt_init()\fR and \fBEVP_PKEY_encrypt()\fR return 1 for success and 0
or a negative value for failure. In particular a return value of \-2
indicates the operation is not supported by the public key algorithm.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Encrypt data using \s-1OAEP\s0 (for \s-1RSA\s0 keys). See also \fBPEM_read_PUBKEY\fR\|(3) or
\&\fBd2i_X509\fR\|(3) for means to load a public key. You may also simply
set 'eng = \s-1NULL\s0;' to start with the default OpenSSL \s-1RSA\s0 implementation:
.PP
.Vb 3
\& #include <openssl/evp.h>
\& #include <openssl/rsa.h>
\& #include <openssl/engine.h>
\&
\& EVP_PKEY_CTX *ctx;
\& ENGINE *eng;
\& unsigned char *out, *in;
\& size_t outlen, inlen;
\& EVP_PKEY *key;
\&
\& /*
\& * NB: assumes eng, key, in, inlen are already set up,
\& * and that key is an RSA public key
\& */
\& ctx = EVP_PKEY_CTX_new(key, eng);
\& if (!ctx)
\& /* Error occurred */
\& if (EVP_PKEY_encrypt_init(ctx) <= 0)
\& /* Error */
\& if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_OAEP_PADDING) <= 0)
\& /* Error */
\&
\& /* Determine buffer length */
\& if (EVP_PKEY_encrypt(ctx, NULL, &outlen, in, inlen) <= 0)
\& /* Error */
\&
\& out = OPENSSL_malloc(outlen);
\&
\& if (!out)
\& /* malloc failure */
\&
\& if (EVP_PKEY_encrypt(ctx, out, &outlen, in, inlen) <= 0)
\& /* Error */
\&
\& /* Encrypted data is outlen bytes written to buffer out */
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_X509\fR\|(3),
\&\fBENGINE_by_id\fR\|(3),
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_decrypt\fR\|(3),
\&\fBEVP_PKEY_sign\fR\|(3),
\&\fBEVP_PKEY_verify\fR\|(3),
\&\fBEVP_PKEY_verify_recover\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_default_digest_nid.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_default_digest_nid.3
index 23e86912f765..9165f4545e90 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_get_default_digest_nid.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_get_default_digest_nid.3
@@ -1,181 +1,181 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_GET_DEFAULT_DIGEST_NID 3"
-.TH EVP_PKEY_GET_DEFAULT_DIGEST_NID 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_PKEY_GET_DEFAULT_DIGEST_NID 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_PKEY_get_default_digest_nid \- get default signature digest
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 2
\& #include <openssl/evp.h>
\& int EVP_PKEY_get_default_digest_nid(EVP_PKEY *pkey, int *pnid);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBEVP_PKEY_get_default_digest_nid()\fR function sets \fBpnid\fR to the default
message digest \s-1NID\s0 for the public key signature operations associated with key
\&\fBpkey\fR. Note that some signature algorithms (i.e. Ed25519 and Ed448) do not use
a digest during signing. In this case \fBpnid\fR will be set to NID_undef.
.SH "NOTES"
.IX Header "NOTES"
For all current standard OpenSSL public key algorithms \s-1SHA1\s0 is returned.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The \fBEVP_PKEY_get_default_digest_nid()\fR function returns 1 if the message digest
is advisory (that is other digests can be used) and 2 if it is mandatory (other
digests can not be used). It returns 0 or a negative value for failure. In
particular a return value of \-2 indicates the operation is not supported by the
public key algorithm.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_sign\fR\|(3),
\&\fBEVP_PKEY_verify\fR\|(3),
\&\fBEVP_PKEY_verify_recover\fR\|(3),
.SH "HISTORY"
.IX Header "HISTORY"
This function was added in OpenSSL 1.0.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_keygen.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_keygen.3
index df6dd8e0f14f..463aa73d169c 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_keygen.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_keygen.3
@@ -1,335 +1,335 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_KEYGEN 3"
-.TH EVP_PKEY_KEYGEN 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_PKEY_KEYGEN 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_PKEY_keygen_init, EVP_PKEY_keygen, EVP_PKEY_paramgen_init, EVP_PKEY_paramgen, EVP_PKEY_CTX_set_cb, EVP_PKEY_CTX_get_cb, EVP_PKEY_CTX_get_keygen_info, EVP_PKEY_CTX_set_app_data, EVP_PKEY_CTX_get_app_data, EVP_PKEY_gen_cb, EVP_PKEY_check, EVP_PKEY_public_check, EVP_PKEY_param_check \&\- key and parameter generation and check functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx);
\& int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey);
\& int EVP_PKEY_paramgen_init(EVP_PKEY_CTX *ctx);
\& int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey);
\&
\& typedef int EVP_PKEY_gen_cb(EVP_PKEY_CTX *ctx);
\&
\& void EVP_PKEY_CTX_set_cb(EVP_PKEY_CTX *ctx, EVP_PKEY_gen_cb *cb);
\& EVP_PKEY_gen_cb *EVP_PKEY_CTX_get_cb(EVP_PKEY_CTX *ctx);
\&
\& int EVP_PKEY_CTX_get_keygen_info(EVP_PKEY_CTX *ctx, int idx);
\&
\& void EVP_PKEY_CTX_set_app_data(EVP_PKEY_CTX *ctx, void *data);
\& void *EVP_PKEY_CTX_get_app_data(EVP_PKEY_CTX *ctx);
\&
\& int EVP_PKEY_check(EVP_PKEY_CTX *ctx);
\& int EVP_PKEY_public_check(EVP_PKEY_CTX *ctx);
\& int EVP_PKEY_param_check(EVP_PKEY_CTX *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBEVP_PKEY_keygen_init()\fR function initializes a public key algorithm
context using key \fBpkey\fR for a key generation operation.
.PP
The \fBEVP_PKEY_keygen()\fR function performs a key generation operation, the
generated key is written to \fBppkey\fR.
.PP
The functions \fBEVP_PKEY_paramgen_init()\fR and \fBEVP_PKEY_paramgen()\fR are similar
except parameters are generated.
.PP
The function \fBEVP_PKEY_set_cb()\fR sets the key or parameter generation callback
to \fBcb\fR. The function \fBEVP_PKEY_CTX_get_cb()\fR returns the key or parameter
generation callback.
.PP
The function \fBEVP_PKEY_CTX_get_keygen_info()\fR returns parameters associated
with the generation operation. If \fBidx\fR is \-1 the total number of
parameters available is returned. Any non negative value returns the value of
that parameter. \fBEVP_PKEY_CTX_gen_keygen_info()\fR with a nonnegative value for
\&\fBidx\fR should only be called within the generation callback.
.PP
If the callback returns 0 then the key generation operation is aborted and an
error occurs. This might occur during a time consuming operation where
a user clicks on a \*(L"cancel\*(R" button.
.PP
The functions \fBEVP_PKEY_CTX_set_app_data()\fR and \fBEVP_PKEY_CTX_get_app_data()\fR set
and retrieve an opaque pointer. This can be used to set some application
defined value which can be retrieved in the callback: for example a handle
which is used to update a \*(L"progress dialog\*(R".
.PP
\&\fBEVP_PKEY_check()\fR validates the key-pair given by \fBctx\fR. This function first tries
to use customized key check method in \fB\s-1EVP_PKEY_METHOD\s0\fR if it's present; otherwise
it calls a default one defined in \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR.
.PP
\&\fBEVP_PKEY_public_check()\fR validates the public component of the key-pair given by \fBctx\fR.
This function first tries to use customized key check method in \fB\s-1EVP_PKEY_METHOD\s0\fR
if it's present; otherwise it calls a default one defined in \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR.
.PP
\&\fBEVP_PKEY_param_check()\fR validates the algorithm parameters of the key-pair given by \fBctx\fR.
This function first tries to use customized key check method in \fB\s-1EVP_PKEY_METHOD\s0\fR
if it's present; otherwise it calls a default one defined in \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR.
.SH "NOTES"
.IX Header "NOTES"
After the call to \fBEVP_PKEY_keygen_init()\fR or \fBEVP_PKEY_paramgen_init()\fR algorithm
specific control operations can be performed to set any appropriate parameters
for the operation.
.PP
The functions \fBEVP_PKEY_keygen()\fR and \fBEVP_PKEY_paramgen()\fR can be called more than
once on the same context if several operations are performed using the same
parameters.
.PP
The meaning of the parameters passed to the callback will depend on the
algorithm and the specific implementation of the algorithm. Some might not
give any useful information at all during key or parameter generation. Others
might not even call the callback.
.PP
The operation performed by key or parameter generation depends on the algorithm
used. In some cases (e.g. \s-1EC\s0 with a supplied named curve) the \*(L"generation\*(R"
option merely sets the appropriate fields in an \s-1EVP_PKEY\s0 structure.
.PP
In OpenSSL an \s-1EVP_PKEY\s0 structure containing a private key also contains the
public key components and parameters (if any). An OpenSSL private key is
equivalent to what some libraries call a \*(L"key pair\*(R". A private key can be used
in functions which require the use of a public key or parameters.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_keygen_init()\fR, \fBEVP_PKEY_paramgen_init()\fR, \fBEVP_PKEY_keygen()\fR and
\&\fBEVP_PKEY_paramgen()\fR return 1 for success and 0 or a negative value for failure.
In particular a return value of \-2 indicates the operation is not supported by
the public key algorithm.
.PP
\&\fBEVP_PKEY_check()\fR, \fBEVP_PKEY_public_check()\fR and \fBEVP_PKEY_param_check()\fR return 1
for success or others for failure. They return \-2 if the operation is not supported
for the specific algorithm.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Generate a 2048 bit \s-1RSA\s0 key:
.PP
.Vb 2
\& #include <openssl/evp.h>
\& #include <openssl/rsa.h>
\&
\& EVP_PKEY_CTX *ctx;
\& EVP_PKEY *pkey = NULL;
\&
\& ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
\& if (!ctx)
\& /* Error occurred */
\& if (EVP_PKEY_keygen_init(ctx) <= 0)
\& /* Error */
\& if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048) <= 0)
\& /* Error */
\&
\& /* Generate key */
\& if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
\& /* Error */
.Ve
.PP
Generate a key from a set of parameters:
.PP
.Vb 2
\& #include <openssl/evp.h>
\& #include <openssl/rsa.h>
\&
\& EVP_PKEY_CTX *ctx;
\& ENGINE *eng;
\& EVP_PKEY *pkey = NULL, *param;
\&
\& /* Assumed param, eng are set up already */
\& ctx = EVP_PKEY_CTX_new(param, eng);
\& if (!ctx)
\& /* Error occurred */
\& if (EVP_PKEY_keygen_init(ctx) <= 0)
\& /* Error */
\&
\& /* Generate key */
\& if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
\& /* Error */
.Ve
.PP
Example of generation callback for OpenSSL public key implementations:
.PP
.Vb 1
\& /* Application data is a BIO to output status to */
\&
\& EVP_PKEY_CTX_set_app_data(ctx, status_bio);
\&
\& static int genpkey_cb(EVP_PKEY_CTX *ctx)
\& {
\& char c = \*(Aq*\*(Aq;
\& BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
\& int p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
\&
\& if (p == 0)
\& c = \*(Aq.\*(Aq;
\& if (p == 1)
\& c = \*(Aq+\*(Aq;
\& if (p == 2)
\& c = \*(Aq*\*(Aq;
\& if (p == 3)
\& c = \*(Aq\en\*(Aq;
\& BIO_write(b, &c, 1);
\& (void)BIO_flush(b);
\& return 1;
\& }
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_encrypt\fR\|(3),
\&\fBEVP_PKEY_decrypt\fR\|(3),
\&\fBEVP_PKEY_sign\fR\|(3),
\&\fBEVP_PKEY_verify\fR\|(3),
\&\fBEVP_PKEY_verify_recover\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.0.
.PP
\&\fBEVP_PKEY_check()\fR, \fBEVP_PKEY_public_check()\fR and \fBEVP_PKEY_param_check()\fR were added
in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_get_count.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_get_count.3
index 194bc16341c1..84d6e87a28ca 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_get_count.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_get_count.3
@@ -1,182 +1,182 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_METH_GET_COUNT 3"
-.TH EVP_PKEY_METH_GET_COUNT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_PKEY_METH_GET_COUNT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_PKEY_meth_get_count, EVP_PKEY_meth_get0, EVP_PKEY_meth_get0_info \- enumerate public key methods
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& size_t EVP_PKEY_meth_get_count(void);
\& const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx);
\& void EVP_PKEY_meth_get0_info(int *ppkey_id, int *pflags,
\& const EVP_PKEY_METHOD *meth);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBEVP_PKEY_meth_count()\fR returns a count of the number of public key methods
available: it includes standard methods and any methods added by the
application.
.PP
\&\fBEVP_PKEY_meth_get0()\fR returns the public key method \fBidx\fR. The value of \fBidx\fR
must be between zero and \fBEVP_PKEY_meth_get_count()\fR \- 1.
.PP
\&\fBEVP_PKEY_meth_get0_info()\fR returns the public key \s-1ID\s0 (a \s-1NID\s0) and any flags
associated with the public key method \fB*meth\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_meth_count()\fR returns the number of available public key methods.
.PP
\&\fBEVP_PKEY_meth_get0()\fR return a public key method or \fB\s-1NULL\s0\fR if \fBidx\fR is
out of range.
.PP
\&\fBEVP_PKEY_meth_get0_info()\fR does not return a value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_new.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_new.3
index 10e870461111..4e3760f5fe6e 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_new.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_meth_new.3
@@ -1,594 +1,594 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_METH_NEW 3"
-.TH EVP_PKEY_METH_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_PKEY_METH_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_PKEY_meth_new, EVP_PKEY_meth_free, EVP_PKEY_meth_copy, EVP_PKEY_meth_find, EVP_PKEY_meth_add0, EVP_PKEY_METHOD, EVP_PKEY_meth_set_init, EVP_PKEY_meth_set_copy, EVP_PKEY_meth_set_cleanup, EVP_PKEY_meth_set_paramgen, EVP_PKEY_meth_set_keygen, EVP_PKEY_meth_set_sign, EVP_PKEY_meth_set_verify, EVP_PKEY_meth_set_verify_recover, EVP_PKEY_meth_set_signctx, EVP_PKEY_meth_set_verifyctx, EVP_PKEY_meth_set_encrypt, EVP_PKEY_meth_set_decrypt, EVP_PKEY_meth_set_derive, EVP_PKEY_meth_set_ctrl, EVP_PKEY_meth_set_digestsign, EVP_PKEY_meth_set_digestverify, EVP_PKEY_meth_set_check, EVP_PKEY_meth_set_public_check, EVP_PKEY_meth_set_param_check, EVP_PKEY_meth_set_digest_custom, EVP_PKEY_meth_get_init, EVP_PKEY_meth_get_copy, EVP_PKEY_meth_get_cleanup, EVP_PKEY_meth_get_paramgen, EVP_PKEY_meth_get_keygen, EVP_PKEY_meth_get_sign, EVP_PKEY_meth_get_verify, EVP_PKEY_meth_get_verify_recover, EVP_PKEY_meth_get_signctx, EVP_PKEY_meth_get_verifyctx, EVP_PKEY_meth_get_encrypt, EVP_PKEY_meth_get_decrypt, EVP_PKEY_meth_get_derive, EVP_PKEY_meth_get_ctrl, EVP_PKEY_meth_get_digestsign, EVP_PKEY_meth_get_digestverify, EVP_PKEY_meth_get_check, EVP_PKEY_meth_get_public_check, EVP_PKEY_meth_get_param_check, EVP_PKEY_meth_get_digest_custom, EVP_PKEY_meth_remove \&\- manipulating EVP_PKEY_METHOD structure
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& typedef struct evp_pkey_method_st EVP_PKEY_METHOD;
\&
\& EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags);
\& void EVP_PKEY_meth_free(EVP_PKEY_METHOD *pmeth);
\& void EVP_PKEY_meth_copy(EVP_PKEY_METHOD *dst, const EVP_PKEY_METHOD *src);
\& const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type);
\& int EVP_PKEY_meth_add0(const EVP_PKEY_METHOD *pmeth);
\& int EVP_PKEY_meth_remove(const EVP_PKEY_METHOD *pmeth);
\&
\& void EVP_PKEY_meth_set_init(EVP_PKEY_METHOD *pmeth,
\& int (*init) (EVP_PKEY_CTX *ctx));
\& void EVP_PKEY_meth_set_copy(EVP_PKEY_METHOD *pmeth,
\& int (*copy) (EVP_PKEY_CTX *dst,
\& EVP_PKEY_CTX *src));
\& void EVP_PKEY_meth_set_cleanup(EVP_PKEY_METHOD *pmeth,
\& void (*cleanup) (EVP_PKEY_CTX *ctx));
\& void EVP_PKEY_meth_set_paramgen(EVP_PKEY_METHOD *pmeth,
\& int (*paramgen_init) (EVP_PKEY_CTX *ctx),
\& int (*paramgen) (EVP_PKEY_CTX *ctx,
\& EVP_PKEY *pkey));
\& void EVP_PKEY_meth_set_keygen(EVP_PKEY_METHOD *pmeth,
\& int (*keygen_init) (EVP_PKEY_CTX *ctx),
\& int (*keygen) (EVP_PKEY_CTX *ctx,
\& EVP_PKEY *pkey));
\& void EVP_PKEY_meth_set_sign(EVP_PKEY_METHOD *pmeth,
\& int (*sign_init) (EVP_PKEY_CTX *ctx),
\& int (*sign) (EVP_PKEY_CTX *ctx,
\& unsigned char *sig, size_t *siglen,
\& const unsigned char *tbs,
\& size_t tbslen));
\& void EVP_PKEY_meth_set_verify(EVP_PKEY_METHOD *pmeth,
\& int (*verify_init) (EVP_PKEY_CTX *ctx),
\& int (*verify) (EVP_PKEY_CTX *ctx,
\& const unsigned char *sig,
\& size_t siglen,
\& const unsigned char *tbs,
\& size_t tbslen));
\& void EVP_PKEY_meth_set_verify_recover(EVP_PKEY_METHOD *pmeth,
\& int (*verify_recover_init) (EVP_PKEY_CTX
\& *ctx),
\& int (*verify_recover) (EVP_PKEY_CTX
\& *ctx,
\& unsigned char
\& *sig,
\& size_t *siglen,
\& const unsigned
\& char *tbs,
\& size_t tbslen));
\& void EVP_PKEY_meth_set_signctx(EVP_PKEY_METHOD *pmeth,
\& int (*signctx_init) (EVP_PKEY_CTX *ctx,
\& EVP_MD_CTX *mctx),
\& int (*signctx) (EVP_PKEY_CTX *ctx,
\& unsigned char *sig,
\& size_t *siglen,
\& EVP_MD_CTX *mctx));
\& void EVP_PKEY_meth_set_verifyctx(EVP_PKEY_METHOD *pmeth,
\& int (*verifyctx_init) (EVP_PKEY_CTX *ctx,
\& EVP_MD_CTX *mctx),
\& int (*verifyctx) (EVP_PKEY_CTX *ctx,
\& const unsigned char *sig,
\& int siglen,
\& EVP_MD_CTX *mctx));
\& void EVP_PKEY_meth_set_encrypt(EVP_PKEY_METHOD *pmeth,
\& int (*encrypt_init) (EVP_PKEY_CTX *ctx),
\& int (*encryptfn) (EVP_PKEY_CTX *ctx,
\& unsigned char *out,
\& size_t *outlen,
\& const unsigned char *in,
\& size_t inlen));
\& void EVP_PKEY_meth_set_decrypt(EVP_PKEY_METHOD *pmeth,
\& int (*decrypt_init) (EVP_PKEY_CTX *ctx),
\& int (*decrypt) (EVP_PKEY_CTX *ctx,
\& unsigned char *out,
\& size_t *outlen,
\& const unsigned char *in,
\& size_t inlen));
\& void EVP_PKEY_meth_set_derive(EVP_PKEY_METHOD *pmeth,
\& int (*derive_init) (EVP_PKEY_CTX *ctx),
\& int (*derive) (EVP_PKEY_CTX *ctx,
\& unsigned char *key,
\& size_t *keylen));
\& void EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth,
\& int (*ctrl) (EVP_PKEY_CTX *ctx, int type, int p1,
\& void *p2),
\& int (*ctrl_str) (EVP_PKEY_CTX *ctx,
\& const char *type,
\& const char *value));
\& void EVP_PKEY_meth_set_digestsign(EVP_PKEY_METHOD *pmeth,
\& int (*digestsign) (EVP_MD_CTX *ctx,
\& unsigned char *sig,
\& size_t *siglen,
\& const unsigned char *tbs,
\& size_t tbslen));
\& void EVP_PKEY_meth_set_digestverify(EVP_PKEY_METHOD *pmeth,
\& int (*digestverify) (EVP_MD_CTX *ctx,
\& const unsigned char *sig,
\& size_t siglen,
\& const unsigned char *tbs,
\& size_t tbslen));
\& void EVP_PKEY_meth_set_check(EVP_PKEY_METHOD *pmeth,
\& int (*check) (EVP_PKEY *pkey));
\& void EVP_PKEY_meth_set_public_check(EVP_PKEY_METHOD *pmeth,
\& int (*check) (EVP_PKEY *pkey));
\& void EVP_PKEY_meth_set_param_check(EVP_PKEY_METHOD *pmeth,
\& int (*check) (EVP_PKEY *pkey));
\& void EVP_PKEY_meth_set_digest_custom(EVP_PKEY_METHOD *pmeth,
\& int (*digest_custom) (EVP_PKEY_CTX *ctx,
\& EVP_MD_CTX *mctx));
\&
\& void EVP_PKEY_meth_get_init(const EVP_PKEY_METHOD *pmeth,
\& int (**pinit) (EVP_PKEY_CTX *ctx));
\& void EVP_PKEY_meth_get_copy(const EVP_PKEY_METHOD *pmeth,
\& int (**pcopy) (EVP_PKEY_CTX *dst,
\& EVP_PKEY_CTX *src));
\& void EVP_PKEY_meth_get_cleanup(const EVP_PKEY_METHOD *pmeth,
\& void (**pcleanup) (EVP_PKEY_CTX *ctx));
\& void EVP_PKEY_meth_get_paramgen(const EVP_PKEY_METHOD *pmeth,
\& int (**pparamgen_init) (EVP_PKEY_CTX *ctx),
\& int (**pparamgen) (EVP_PKEY_CTX *ctx,
\& EVP_PKEY *pkey));
\& void EVP_PKEY_meth_get_keygen(const EVP_PKEY_METHOD *pmeth,
\& int (**pkeygen_init) (EVP_PKEY_CTX *ctx),
\& int (**pkeygen) (EVP_PKEY_CTX *ctx,
\& EVP_PKEY *pkey));
\& void EVP_PKEY_meth_get_sign(const EVP_PKEY_METHOD *pmeth,
\& int (**psign_init) (EVP_PKEY_CTX *ctx),
\& int (**psign) (EVP_PKEY_CTX *ctx,
\& unsigned char *sig, size_t *siglen,
\& const unsigned char *tbs,
\& size_t tbslen));
\& void EVP_PKEY_meth_get_verify(const EVP_PKEY_METHOD *pmeth,
\& int (**pverify_init) (EVP_PKEY_CTX *ctx),
\& int (**pverify) (EVP_PKEY_CTX *ctx,
\& const unsigned char *sig,
\& size_t siglen,
\& const unsigned char *tbs,
\& size_t tbslen));
\& void EVP_PKEY_meth_get_verify_recover(const EVP_PKEY_METHOD *pmeth,
\& int (**pverify_recover_init) (EVP_PKEY_CTX
\& *ctx),
\& int (**pverify_recover) (EVP_PKEY_CTX
\& *ctx,
\& unsigned char
\& *sig,
\& size_t *siglen,
\& const unsigned
\& char *tbs,
\& size_t tbslen));
\& void EVP_PKEY_meth_get_signctx(const EVP_PKEY_METHOD *pmeth,
\& int (**psignctx_init) (EVP_PKEY_CTX *ctx,
\& EVP_MD_CTX *mctx),
\& int (**psignctx) (EVP_PKEY_CTX *ctx,
\& unsigned char *sig,
\& size_t *siglen,
\& EVP_MD_CTX *mctx));
\& void EVP_PKEY_meth_get_verifyctx(const EVP_PKEY_METHOD *pmeth,
\& int (**pverifyctx_init) (EVP_PKEY_CTX *ctx,
\& EVP_MD_CTX *mctx),
\& int (**pverifyctx) (EVP_PKEY_CTX *ctx,
\& const unsigned char *sig,
\& int siglen,
\& EVP_MD_CTX *mctx));
\& void EVP_PKEY_meth_get_encrypt(const EVP_PKEY_METHOD *pmeth,
\& int (**pencrypt_init) (EVP_PKEY_CTX *ctx),
\& int (**pencryptfn) (EVP_PKEY_CTX *ctx,
\& unsigned char *out,
\& size_t *outlen,
\& const unsigned char *in,
\& size_t inlen));
\& void EVP_PKEY_meth_get_decrypt(const EVP_PKEY_METHOD *pmeth,
\& int (**pdecrypt_init) (EVP_PKEY_CTX *ctx),
\& int (**pdecrypt) (EVP_PKEY_CTX *ctx,
\& unsigned char *out,
\& size_t *outlen,
\& const unsigned char *in,
\& size_t inlen));
\& void EVP_PKEY_meth_get_derive(const EVP_PKEY_METHOD *pmeth,
\& int (**pderive_init) (EVP_PKEY_CTX *ctx),
\& int (**pderive) (EVP_PKEY_CTX *ctx,
\& unsigned char *key,
\& size_t *keylen));
\& void EVP_PKEY_meth_get_ctrl(const EVP_PKEY_METHOD *pmeth,
\& int (**pctrl) (EVP_PKEY_CTX *ctx, int type, int p1,
\& void *p2),
\& int (**pctrl_str) (EVP_PKEY_CTX *ctx,
\& const char *type,
\& const char *value));
\& void EVP_PKEY_meth_get_digestsign(EVP_PKEY_METHOD *pmeth,
\& int (**digestsign) (EVP_MD_CTX *ctx,
\& unsigned char *sig,
\& size_t *siglen,
\& const unsigned char *tbs,
\& size_t tbslen));
\& void EVP_PKEY_meth_get_digestverify(EVP_PKEY_METHOD *pmeth,
\& int (**digestverify) (EVP_MD_CTX *ctx,
\& const unsigned char *sig,
\& size_t siglen,
\& const unsigned char *tbs,
\& size_t tbslen));
\& void EVP_PKEY_meth_get_check(const EVP_PKEY_METHOD *pmeth,
\& int (**pcheck) (EVP_PKEY *pkey));
\& void EVP_PKEY_meth_get_public_check(const EVP_PKEY_METHOD *pmeth,
\& int (**pcheck) (EVP_PKEY *pkey));
\& void EVP_PKEY_meth_get_param_check(const EVP_PKEY_METHOD *pmeth,
\& int (**pcheck) (EVP_PKEY *pkey));
\& void EVP_PKEY_meth_get_digest_custom(EVP_PKEY_METHOD *pmeth,
\& int (**pdigest_custom) (EVP_PKEY_CTX *ctx,
\& EVP_MD_CTX *mctx));
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fB\s-1EVP_PKEY_METHOD\s0\fR is a structure which holds a set of methods for a
specific public key cryptographic algorithm. Those methods are usually
used to perform different jobs, such as generating a key, signing or
verifying, encrypting or decrypting, etc.
.PP
There are two places where the \fB\s-1EVP_PKEY_METHOD\s0\fR objects are stored: one
is a built-in static array representing the standard methods for different
algorithms, and the other one is a stack of user-defined application-specific
methods, which can be manipulated by using \fBEVP_PKEY_meth_add0\fR\|(3).
.PP
The \fB\s-1EVP_PKEY_METHOD\s0\fR objects are usually referenced by \fB\s-1EVP_PKEY_CTX\s0\fR
objects.
.SS "Methods"
.IX Subsection "Methods"
The methods are the underlying implementations of a particular public key
algorithm present by the \fB\s-1EVP_PKEY_CTX\s0\fR object.
.PP
.Vb 3
\& int (*init) (EVP_PKEY_CTX *ctx);
\& int (*copy) (EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src);
\& void (*cleanup) (EVP_PKEY_CTX *ctx);
.Ve
.PP
The \fBinit()\fR method is called to initialize algorithm-specific data when a new
\&\fB\s-1EVP_PKEY_CTX\s0\fR is created. As opposed to \fBinit()\fR, the \fBcleanup()\fR method is called
when an \fB\s-1EVP_PKEY_CTX\s0\fR is freed. The \fBcopy()\fR method is called when an \fB\s-1EVP_PKEY_CTX\s0\fR
is being duplicated. Refer to \fBEVP_PKEY_CTX_new\fR\|(3), \fBEVP_PKEY_CTX_new_id\fR\|(3),
\&\fBEVP_PKEY_CTX_free\fR\|(3) and \fBEVP_PKEY_CTX_dup\fR\|(3).
.PP
.Vb 2
\& int (*paramgen_init) (EVP_PKEY_CTX *ctx);
\& int (*paramgen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey);
.Ve
.PP
The \fBparamgen_init()\fR and \fBparamgen()\fR methods deal with key parameter generation.
They are called by \fBEVP_PKEY_paramgen_init\fR\|(3) and \fBEVP_PKEY_paramgen\fR\|(3) to
handle the parameter generation process.
.PP
.Vb 2
\& int (*keygen_init) (EVP_PKEY_CTX *ctx);
\& int (*keygen) (EVP_PKEY_CTX *ctx, EVP_PKEY *pkey);
.Ve
.PP
The \fBkeygen_init()\fR and \fBkeygen()\fR methods are used to generate the actual key for
the specified algorithm. They are called by \fBEVP_PKEY_keygen_init\fR\|(3) and
\&\fBEVP_PKEY_keygen\fR\|(3).
.PP
.Vb 3
\& int (*sign_init) (EVP_PKEY_CTX *ctx);
\& int (*sign) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
\& const unsigned char *tbs, size_t tbslen);
.Ve
.PP
The \fBsign_init()\fR and \fBsign()\fR methods are used to generate the signature of a
piece of data using a private key. They are called by \fBEVP_PKEY_sign_init\fR\|(3)
and \fBEVP_PKEY_sign\fR\|(3).
.PP
.Vb 4
\& int (*verify_init) (EVP_PKEY_CTX *ctx);
\& int (*verify) (EVP_PKEY_CTX *ctx,
\& const unsigned char *sig, size_t siglen,
\& const unsigned char *tbs, size_t tbslen);
.Ve
.PP
The \fBverify_init()\fR and \fBverify()\fR methods are used to verify whether a signature is
valid. They are called by \fBEVP_PKEY_verify_init\fR\|(3) and \fBEVP_PKEY_verify\fR\|(3).
.PP
.Vb 4
\& int (*verify_recover_init) (EVP_PKEY_CTX *ctx);
\& int (*verify_recover) (EVP_PKEY_CTX *ctx,
\& unsigned char *rout, size_t *routlen,
\& const unsigned char *sig, size_t siglen);
.Ve
.PP
The \fBverify_recover_init()\fR and \fBverify_recover()\fR methods are used to verify a
signature and then recover the digest from the signature (for instance, a
signature that was generated by \s-1RSA\s0 signing algorithm). They are called by
\&\fBEVP_PKEY_verify_recover_init\fR\|(3) and \fBEVP_PKEY_verify_recover\fR\|(3).
.PP
.Vb 3
\& int (*signctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx);
\& int (*signctx) (EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
\& EVP_MD_CTX *mctx);
.Ve
.PP
The \fBsignctx_init()\fR and \fBsignctx()\fR methods are used to sign a digest present by
a \fB\s-1EVP_MD_CTX\s0\fR object. They are called by the EVP_DigestSign functions. See
\&\fBEVP_DigestSignInit\fR\|(3) for details.
.PP
.Vb 3
\& int (*verifyctx_init) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx);
\& int (*verifyctx) (EVP_PKEY_CTX *ctx, const unsigned char *sig, int siglen,
\& EVP_MD_CTX *mctx);
.Ve
.PP
The \fBverifyctx_init()\fR and \fBverifyctx()\fR methods are used to verify a signature
against the data in a \fB\s-1EVP_MD_CTX\s0\fR object. They are called by the various
EVP_DigestVerify functions. See \fBEVP_DigestVerifyInit\fR\|(3) for details.
.PP
.Vb 3
\& int (*encrypt_init) (EVP_PKEY_CTX *ctx);
\& int (*encrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
\& const unsigned char *in, size_t inlen);
.Ve
.PP
The \fBencrypt_init()\fR and \fBencrypt()\fR methods are used to encrypt a piece of data.
They are called by \fBEVP_PKEY_encrypt_init\fR\|(3) and \fBEVP_PKEY_encrypt\fR\|(3).
.PP
.Vb 3
\& int (*decrypt_init) (EVP_PKEY_CTX *ctx);
\& int (*decrypt) (EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen,
\& const unsigned char *in, size_t inlen);
.Ve
.PP
The \fBdecrypt_init()\fR and \fBdecrypt()\fR methods are used to decrypt a piece of data.
They are called by \fBEVP_PKEY_decrypt_init\fR\|(3) and \fBEVP_PKEY_decrypt\fR\|(3).
.PP
.Vb 2
\& int (*derive_init) (EVP_PKEY_CTX *ctx);
\& int (*derive) (EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen);
.Ve
.PP
The \fBderive_init()\fR and \fBderive()\fR methods are used to derive the shared secret
from a public key algorithm (for instance, the \s-1DH\s0 algorithm). They are called by
\&\fBEVP_PKEY_derive_init\fR\|(3) and \fBEVP_PKEY_derive\fR\|(3).
.PP
.Vb 2
\& int (*ctrl) (EVP_PKEY_CTX *ctx, int type, int p1, void *p2);
\& int (*ctrl_str) (EVP_PKEY_CTX *ctx, const char *type, const char *value);
.Ve
.PP
The \fBctrl()\fR and \fBctrl_str()\fR methods are used to adjust algorithm-specific
settings. See \fBEVP_PKEY_CTX_ctrl\fR\|(3) and related functions for details.
.PP
.Vb 5
\& int (*digestsign) (EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen,
\& const unsigned char *tbs, size_t tbslen);
\& int (*digestverify) (EVP_MD_CTX *ctx, const unsigned char *sig,
\& size_t siglen, const unsigned char *tbs,
\& size_t tbslen);
.Ve
.PP
The \fBdigestsign()\fR and \fBdigestverify()\fR methods are used to generate or verify
a signature in a one-shot mode. They could be called by \fBEVP_DigestSign\fR\|(3)
and \fBEVP_DigestVerify\fR\|(3).
.PP
.Vb 3
\& int (*check) (EVP_PKEY *pkey);
\& int (*public_check) (EVP_PKEY *pkey);
\& int (*param_check) (EVP_PKEY *pkey);
.Ve
.PP
The \fBcheck()\fR, \fBpublic_check()\fR and \fBparam_check()\fR methods are used to validate a
key-pair, the public component and parameters respectively for a given \fBpkey\fR.
They could be called by \fBEVP_PKEY_check\fR\|(3), \fBEVP_PKEY_public_check\fR\|(3) and
\&\fBEVP_PKEY_param_check\fR\|(3) respectively.
.PP
.Vb 1
\& int (*digest_custom) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx);
.Ve
.PP
The \fBdigest_custom()\fR method is used to generate customized digest content before
the real message is passed to functions like \fBEVP_DigestSignUpdate\fR\|(3) or
\&\fBEVP_DigestVerifyInit\fR\|(3). This is usually required by some public key
signature algorithms like \s-1SM2\s0 which requires a hashed prefix to the message to
be signed. The \fBdigest_custom()\fR function will be called by \fBEVP_DigestSignInit\fR\|(3)
and \fBEVP_DigestVerifyInit\fR\|(3).
.SS "Functions"
.IX Subsection "Functions"
\&\fBEVP_PKEY_meth_new()\fR creates and returns a new \fB\s-1EVP_PKEY_METHOD\s0\fR object,
and associates the given \fBid\fR and \fBflags\fR. The following flags are
supported:
.PP
.Vb 2
\& EVP_PKEY_FLAG_AUTOARGLEN
\& EVP_PKEY_FLAG_SIGCTX_CUSTOM
.Ve
.PP
If an \fB\s-1EVP_PKEY_METHOD\s0\fR is set with the \fB\s-1EVP_PKEY_FLAG_AUTOARGLEN\s0\fR flag, the
maximum size of the output buffer will be automatically calculated or checked
in corresponding \s-1EVP\s0 methods by the \s-1EVP\s0 framework. Thus the implementations of
these methods don't need to care about handling the case of returning output
buffer size by themselves. For details on the output buffer size, refer to
\&\fBEVP_PKEY_sign\fR\|(3).
.PP
The \fB\s-1EVP_PKEY_FLAG_SIGCTX_CUSTOM\s0\fR is used to indicate the \fBsignctx()\fR method
of an \fB\s-1EVP_PKEY_METHOD\s0\fR is always called by the \s-1EVP\s0 framework while doing a
digest signing operation by calling \fBEVP_DigestSignFinal\fR\|(3).
.PP
\&\fBEVP_PKEY_meth_free()\fR frees an existing \fB\s-1EVP_PKEY_METHOD\s0\fR pointed by
\&\fBpmeth\fR.
.PP
\&\fBEVP_PKEY_meth_copy()\fR copies an \fB\s-1EVP_PKEY_METHOD\s0\fR object from \fBsrc\fR
to \fBdst\fR.
.PP
\&\fBEVP_PKEY_meth_find()\fR finds an \fB\s-1EVP_PKEY_METHOD\s0\fR object with the \fBid\fR.
This function first searches through the user-defined method objects and
then the built-in objects.
.PP
\&\fBEVP_PKEY_meth_add0()\fR adds \fBpmeth\fR to the user defined stack of methods.
.PP
\&\fBEVP_PKEY_meth_remove()\fR removes an \fB\s-1EVP_PKEY_METHOD\s0\fR object added by
\&\fBEVP_PKEY_meth_add0()\fR.
.PP
The EVP_PKEY_meth_set functions set the corresponding fields of
\&\fB\s-1EVP_PKEY_METHOD\s0\fR structure with the arguments passed.
.PP
The EVP_PKEY_meth_get functions get the corresponding fields of
\&\fB\s-1EVP_PKEY_METHOD\s0\fR structure to the arguments provided.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_meth_new()\fR returns a pointer to a new \fB\s-1EVP_PKEY_METHOD\s0\fR
object or returns \s-1NULL\s0 on error.
.PP
\&\fBEVP_PKEY_meth_free()\fR and \fBEVP_PKEY_meth_copy()\fR do not return values.
.PP
\&\fBEVP_PKEY_meth_find()\fR returns a pointer to the found \fB\s-1EVP_PKEY_METHOD\s0\fR
object or returns \s-1NULL\s0 if not found.
.PP
\&\fBEVP_PKEY_meth_add0()\fR returns 1 if method is added successfully or 0
if an error occurred.
.PP
\&\fBEVP_PKEY_meth_remove()\fR returns 1 if method is removed successfully or
0 if an error occurred.
.PP
All EVP_PKEY_meth_set and EVP_PKEY_meth_get functions have no return
values. For the 'get' functions, function pointers are returned by
arguments.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_new.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_new.3
index c64a9af1c005..2f4b270b9ed5 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_new.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_new.3
@@ -1,261 +1,261 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_NEW 3"
-.TH EVP_PKEY_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_PKEY_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_PKEY_new, EVP_PKEY_up_ref, EVP_PKEY_free, EVP_PKEY_new_raw_private_key, EVP_PKEY_new_raw_public_key, EVP_PKEY_new_CMAC_key, EVP_PKEY_new_mac_key, EVP_PKEY_get_raw_private_key, EVP_PKEY_get_raw_public_key \&\- public/private key allocation and raw key handling functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& EVP_PKEY *EVP_PKEY_new(void);
\& int EVP_PKEY_up_ref(EVP_PKEY *key);
\& void EVP_PKEY_free(EVP_PKEY *key);
\&
\& EVP_PKEY *EVP_PKEY_new_raw_private_key(int type, ENGINE *e,
\& const unsigned char *key, size_t keylen);
\& EVP_PKEY *EVP_PKEY_new_raw_public_key(int type, ENGINE *e,
\& const unsigned char *key, size_t keylen);
\& EVP_PKEY *EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv,
\& size_t len, const EVP_CIPHER *cipher);
\& EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *e, const unsigned char *key,
\& int keylen);
\&
\& int EVP_PKEY_get_raw_private_key(const EVP_PKEY *pkey, unsigned char *priv,
\& size_t *len);
\& int EVP_PKEY_get_raw_public_key(const EVP_PKEY *pkey, unsigned char *pub,
\& size_t *len);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBEVP_PKEY_new()\fR function allocates an empty \fB\s-1EVP_PKEY\s0\fR structure which is
used by OpenSSL to store public and private keys. The reference count is set to
\&\fB1\fR.
.PP
\&\fBEVP_PKEY_up_ref()\fR increments the reference count of \fBkey\fR.
.PP
\&\fBEVP_PKEY_free()\fR decrements the reference count of \fBkey\fR and, if the reference
count is zero, frees it up. If \fBkey\fR is \s-1NULL,\s0 nothing is done.
.PP
\&\fBEVP_PKEY_new_raw_private_key()\fR allocates a new \fB\s-1EVP_PKEY\s0\fR. If \fBe\fR is non-NULL
then the new \fB\s-1EVP_PKEY\s0\fR structure is associated with the engine \fBe\fR. The
\&\fBtype\fR argument indicates what kind of key this is. The value should be a \s-1NID\s0
for a public key algorithm that supports raw private keys, i.e. one of
\&\fB\s-1EVP_PKEY_HMAC\s0\fR, \fB\s-1EVP_PKEY_POLY1305\s0\fR, \fB\s-1EVP_PKEY_SIPHASH\s0\fR, \fB\s-1EVP_PKEY_X25519\s0\fR,
\&\fB\s-1EVP_PKEY_ED25519\s0\fR, \fB\s-1EVP_PKEY_X448\s0\fR or \fB\s-1EVP_PKEY_ED448\s0\fR. \fBkey\fR points to the
raw private key data for this \fB\s-1EVP_PKEY\s0\fR which should be of length \fBkeylen\fR.
The length should be appropriate for the type of the key. The public key data
will be automatically derived from the given private key data (if appropriate
for the algorithm type).
.PP
\&\fBEVP_PKEY_new_raw_public_key()\fR works in the same way as
\&\fBEVP_PKEY_new_raw_private_key()\fR except that \fBkey\fR points to the raw public key
data. The \fB\s-1EVP_PKEY\s0\fR structure will be initialised without any private key
information. Algorithm types that support raw public keys are
\&\fB\s-1EVP_PKEY_X25519\s0\fR, \fB\s-1EVP_PKEY_ED25519\s0\fR, \fB\s-1EVP_PKEY_X448\s0\fR or \fB\s-1EVP_PKEY_ED448\s0\fR.
.PP
\&\fBEVP_PKEY_new_CMAC_key()\fR works in the same way as \fBEVP_PKEY_new_raw_private_key()\fR
except it is only for the \fB\s-1EVP_PKEY_CMAC\s0\fR algorithm type. In addition to the
raw private key data, it also takes a cipher algorithm to be used during
creation of a \s-1CMAC\s0 in the \fBcipher\fR argument. The cipher should be a standard
encryption only cipher. For example \s-1AEAD\s0 and \s-1XTS\s0 ciphers should not be used.
.PP
\&\fBEVP_PKEY_new_mac_key()\fR works in the same way as \fBEVP_PKEY_new_raw_private_key()\fR.
New applications should use \fBEVP_PKEY_new_raw_private_key()\fR instead.
.PP
\&\fBEVP_PKEY_get_raw_private_key()\fR fills the buffer provided by \fBpriv\fR with raw
private key data. The size of the \fBpriv\fR buffer should be in \fB*len\fR on entry
to the function, and on exit \fB*len\fR is updated with the number of bytes
actually written. If the buffer \fBpriv\fR is \s-1NULL\s0 then \fB*len\fR is populated with
the number of bytes required to hold the key. The calling application is
responsible for ensuring that the buffer is large enough to receive the private
key data. This function only works for algorithms that support raw private keys.
Currently this is: \fB\s-1EVP_PKEY_HMAC\s0\fR, \fB\s-1EVP_PKEY_POLY1305\s0\fR, \fB\s-1EVP_PKEY_SIPHASH\s0\fR,
\&\fB\s-1EVP_PKEY_X25519\s0\fR, \fB\s-1EVP_PKEY_ED25519\s0\fR, \fB\s-1EVP_PKEY_X448\s0\fR or \fB\s-1EVP_PKEY_ED448\s0\fR.
.PP
\&\fBEVP_PKEY_get_raw_public_key()\fR fills the buffer provided by \fBpub\fR with raw
public key data. The size of the \fBpub\fR buffer should be in \fB*len\fR on entry
to the function, and on exit \fB*len\fR is updated with the number of bytes
actually written. If the buffer \fBpub\fR is \s-1NULL\s0 then \fB*len\fR is populated with
the number of bytes required to hold the key. The calling application is
responsible for ensuring that the buffer is large enough to receive the public
key data. This function only works for algorithms that support raw public keys.
Currently this is: \fB\s-1EVP_PKEY_X25519\s0\fR, \fB\s-1EVP_PKEY_ED25519\s0\fR, \fB\s-1EVP_PKEY_X448\s0\fR or
\&\fB\s-1EVP_PKEY_ED448\s0\fR.
.SH "NOTES"
.IX Header "NOTES"
The \fB\s-1EVP_PKEY\s0\fR structure is used by various OpenSSL functions which require a
general private key without reference to any particular algorithm.
.PP
The structure returned by \fBEVP_PKEY_new()\fR is empty. To add a private or public
key to this empty structure use the appropriate functions described in
\&\fBEVP_PKEY_set1_RSA\fR\|(3), EVP_PKEY_set1_DSA, EVP_PKEY_set1_DH or
EVP_PKEY_set1_EC_KEY.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_new()\fR, \fBEVP_PKEY_new_raw_private_key()\fR, \fBEVP_PKEY_new_raw_public_key()\fR,
\&\fBEVP_PKEY_new_CMAC_key()\fR and \fBEVP_PKEY_new_mac_key()\fR return either the newly
allocated \fB\s-1EVP_PKEY\s0\fR structure or \fB\s-1NULL\s0\fR if an error occurred.
.PP
\&\fBEVP_PKEY_up_ref()\fR, \fBEVP_PKEY_get_raw_private_key()\fR and
\&\fBEVP_PKEY_get_raw_public_key()\fR return 1 for success and 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_set1_RSA\fR\|(3), EVP_PKEY_set1_DSA, EVP_PKEY_set1_DH or
EVP_PKEY_set1_EC_KEY
.SH "HISTORY"
.IX Header "HISTORY"
The
\&\fBEVP_PKEY_new()\fR and \fBEVP_PKEY_free()\fR functions exist in all versions of OpenSSL.
.PP
The \fBEVP_PKEY_up_ref()\fR function was added in OpenSSL 1.1.0.
.PP
The
\&\fBEVP_PKEY_new_raw_private_key()\fR, \fBEVP_PKEY_new_raw_public_key()\fR,
\&\fBEVP_PKEY_new_CMAC_key()\fR, \fBEVP_PKEY_new_raw_private_key()\fR and
\&\fBEVP_PKEY_get_raw_public_key()\fR functions were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_print_private.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_print_private.3
index 85c5f464bf05..9cd462863d86 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_print_private.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_print_private.3
@@ -1,191 +1,191 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_PRINT_PRIVATE 3"
-.TH EVP_PKEY_PRINT_PRIVATE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_PKEY_PRINT_PRIVATE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_PKEY_print_public, EVP_PKEY_print_private, EVP_PKEY_print_params \- public key algorithm printing routines
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int EVP_PKEY_print_public(BIO *out, const EVP_PKEY *pkey,
\& int indent, ASN1_PCTX *pctx);
\& int EVP_PKEY_print_private(BIO *out, const EVP_PKEY *pkey,
\& int indent, ASN1_PCTX *pctx);
\& int EVP_PKEY_print_params(BIO *out, const EVP_PKEY *pkey,
\& int indent, ASN1_PCTX *pctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The functions \fBEVP_PKEY_print_public()\fR, \fBEVP_PKEY_print_private()\fR and
\&\fBEVP_PKEY_print_params()\fR print out the public, private or parameter components
of key \fBpkey\fR respectively. The key is sent to \s-1BIO\s0 \fBout\fR in human readable
form. The parameter \fBindent\fR indicated how far the printout should be indented.
.PP
The \fBpctx\fR parameter allows the print output to be finely tuned by using
\&\s-1ASN1\s0 printing options. If \fBpctx\fR is set to \s-1NULL\s0 then default values will
be used.
.SH "NOTES"
.IX Header "NOTES"
Currently no public key algorithms include any options in the \fBpctx\fR parameter.
.PP
If the key does not include all the components indicated by the function then
only those contained in the key will be printed. For example passing a public
key to \fBEVP_PKEY_print_private()\fR will only print the public components.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions all return 1 for success and 0 or a negative value for failure.
In particular a return value of \-2 indicates the operation is not supported by
the public key algorithm.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_keygen\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_RSA.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_RSA.3
index 1c2c5690defc..48951d0eccd9 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_RSA.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_set1_RSA.3
@@ -1,282 +1,282 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_SET1_RSA 3"
-.TH EVP_PKEY_SET1_RSA 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_PKEY_SET1_RSA 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_PKEY_set1_RSA, EVP_PKEY_set1_DSA, EVP_PKEY_set1_DH, EVP_PKEY_set1_EC_KEY, EVP_PKEY_get1_RSA, EVP_PKEY_get1_DSA, EVP_PKEY_get1_DH, EVP_PKEY_get1_EC_KEY, EVP_PKEY_get0_RSA, EVP_PKEY_get0_DSA, EVP_PKEY_get0_DH, EVP_PKEY_get0_EC_KEY, EVP_PKEY_assign_RSA, EVP_PKEY_assign_DSA, EVP_PKEY_assign_DH, EVP_PKEY_assign_EC_KEY, EVP_PKEY_assign_POLY1305, EVP_PKEY_assign_SIPHASH, EVP_PKEY_get0_hmac, EVP_PKEY_get0_poly1305, EVP_PKEY_get0_siphash, EVP_PKEY_type, EVP_PKEY_id, EVP_PKEY_base_id, EVP_PKEY_set_alias_type, EVP_PKEY_set1_engine, EVP_PKEY_get0_engine \- EVP_PKEY assignment functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key);
\& int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, DSA *key);
\& int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key);
\& int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, EC_KEY *key);
\&
\& RSA *EVP_PKEY_get1_RSA(EVP_PKEY *pkey);
\& DSA *EVP_PKEY_get1_DSA(EVP_PKEY *pkey);
\& DH *EVP_PKEY_get1_DH(EVP_PKEY *pkey);
\& EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey);
\&
\& const unsigned char *EVP_PKEY_get0_hmac(const EVP_PKEY *pkey, size_t *len);
\& const unsigned char *EVP_PKEY_get0_poly1305(const EVP_PKEY *pkey, size_t *len);
\& const unsigned char *EVP_PKEY_get0_siphash(const EVP_PKEY *pkey, size_t *len);
\& RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
\& DSA *EVP_PKEY_get0_DSA(EVP_PKEY *pkey);
\& DH *EVP_PKEY_get0_DH(EVP_PKEY *pkey);
\& EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey);
\&
\& int EVP_PKEY_assign_RSA(EVP_PKEY *pkey, RSA *key);
\& int EVP_PKEY_assign_DSA(EVP_PKEY *pkey, DSA *key);
\& int EVP_PKEY_assign_DH(EVP_PKEY *pkey, DH *key);
\& int EVP_PKEY_assign_EC_KEY(EVP_PKEY *pkey, EC_KEY *key);
\& int EVP_PKEY_assign_POLY1305(EVP_PKEY *pkey, ASN1_OCTET_STRING *key);
\& int EVP_PKEY_assign_SIPHASH(EVP_PKEY *pkey, ASN1_OCTET_STRING *key);
\&
\& int EVP_PKEY_id(const EVP_PKEY *pkey);
\& int EVP_PKEY_base_id(const EVP_PKEY *pkey);
\& int EVP_PKEY_type(int type);
\& int EVP_PKEY_set_alias_type(EVP_PKEY *pkey, int type);
\&
\& ENGINE *EVP_PKEY_get0_engine(const EVP_PKEY *pkey);
\& int EVP_PKEY_set1_engine(EVP_PKEY *pkey, ENGINE *engine);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBEVP_PKEY_set1_RSA()\fR, \fBEVP_PKEY_set1_DSA()\fR, \fBEVP_PKEY_set1_DH()\fR and
\&\fBEVP_PKEY_set1_EC_KEY()\fR set the key referenced by \fBpkey\fR to \fBkey\fR.
.PP
\&\fBEVP_PKEY_get1_RSA()\fR, \fBEVP_PKEY_get1_DSA()\fR, \fBEVP_PKEY_get1_DH()\fR and
\&\fBEVP_PKEY_get1_EC_KEY()\fR return the referenced key in \fBpkey\fR or
\&\fB\s-1NULL\s0\fR if the key is not of the correct type.
.PP
\&\fBEVP_PKEY_get0_hmac()\fR, \fBEVP_PKEY_get0_poly1305()\fR, \fBEVP_PKEY_get0_siphash()\fR,
\&\fBEVP_PKEY_get0_RSA()\fR, \fBEVP_PKEY_get0_DSA()\fR, \fBEVP_PKEY_get0_DH()\fR
and \fBEVP_PKEY_get0_EC_KEY()\fR also return the referenced key in \fBpkey\fR or \fB\s-1NULL\s0\fR
if the key is not of the correct type but the reference count of the
returned key is \fBnot\fR incremented and so must not be freed up after use.
.PP
\&\fBEVP_PKEY_assign_RSA()\fR, \fBEVP_PKEY_assign_DSA()\fR, \fBEVP_PKEY_assign_DH()\fR,
\&\fBEVP_PKEY_assign_EC_KEY()\fR, \fBEVP_PKEY_assign_POLY1305()\fR and
\&\fBEVP_PKEY_assign_SIPHASH()\fR also set the referenced key to \fBkey\fR
however these use the supplied \fBkey\fR internally and so \fBkey\fR
will be freed when the parent \fBpkey\fR is freed.
.PP
\&\fBEVP_PKEY_base_id()\fR returns the type of \fBpkey\fR. For example
an \s-1RSA\s0 key will return \fB\s-1EVP_PKEY_RSA\s0\fR.
.PP
\&\fBEVP_PKEY_id()\fR returns the actual \s-1OID\s0 associated with \fBpkey\fR. Historically keys
using the same algorithm could use different OIDs. For example an \s-1RSA\s0 key could
use the OIDs corresponding to the NIDs \fBNID_rsaEncryption\fR (equivalent to
\&\fB\s-1EVP_PKEY_RSA\s0\fR) or \fBNID_rsa\fR (equivalent to \fB\s-1EVP_PKEY_RSA2\s0\fR). The use of
alternative non-standard OIDs is now rare so \fB\s-1EVP_PKEY_RSA2\s0\fR et al are not
often seen in practice.
.PP
\&\fBEVP_PKEY_type()\fR returns the underlying type of the \s-1NID\s0 \fBtype\fR. For example
EVP_PKEY_type(\s-1EVP_PKEY_RSA2\s0) will return \fB\s-1EVP_PKEY_RSA\s0\fR.
.PP
\&\fBEVP_PKEY_get0_engine()\fR returns a reference to the \s-1ENGINE\s0 handling \fBpkey\fR.
.PP
\&\fBEVP_PKEY_set1_engine()\fR sets the \s-1ENGINE\s0 handling \fBpkey\fR to \fBengine\fR. It
must be called after the key algorithm and components are set up.
If \fBengine\fR does not include an \fB\s-1EVP_PKEY_METHOD\s0\fR for \fBpkey\fR an
error occurs.
.PP
\&\fBEVP_PKEY_set_alias_type()\fR allows modifying a \s-1EVP_PKEY\s0 to use a
different set of algorithms than the default. This is currently used
to support \s-1SM2\s0 keys, which use an identical encoding to \s-1ECDSA.\s0
.SH "NOTES"
.IX Header "NOTES"
In accordance with the OpenSSL naming convention the key obtained
from or assigned to the \fBpkey\fR using the \fB1\fR functions must be
freed as well as \fBpkey\fR.
.PP
\&\fBEVP_PKEY_assign_RSA()\fR, \fBEVP_PKEY_assign_DSA()\fR, \fBEVP_PKEY_assign_DH()\fR,
\&\fBEVP_PKEY_assign_EC_KEY()\fR, \fBEVP_PKEY_assign_POLY1305()\fR
and \fBEVP_PKEY_assign_SIPHASH()\fR are implemented as macros.
.PP
Most applications wishing to know a key type will simply call
\&\fBEVP_PKEY_base_id()\fR and will not care about the actual type:
which will be identical in almost all cases.
.PP
Previous versions of this document suggested using EVP_PKEY_type(pkey\->type)
to determine the type of a key. Since \fB\s-1EVP_PKEY\s0\fR is now opaque this
is no longer possible: the equivalent is EVP_PKEY_base_id(pkey).
.PP
\&\fBEVP_PKEY_set1_engine()\fR is typically used by an \s-1ENGINE\s0 returning an \s-1HSM\s0
key as part of its routine to load a private key.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_set1_RSA()\fR, \fBEVP_PKEY_set1_DSA()\fR, \fBEVP_PKEY_set1_DH()\fR and
\&\fBEVP_PKEY_set1_EC_KEY()\fR return 1 for success or 0 for failure.
.PP
\&\fBEVP_PKEY_get1_RSA()\fR, \fBEVP_PKEY_get1_DSA()\fR, \fBEVP_PKEY_get1_DH()\fR and
\&\fBEVP_PKEY_get1_EC_KEY()\fR return the referenced key or \fB\s-1NULL\s0\fR if
an error occurred.
.PP
\&\fBEVP_PKEY_assign_RSA()\fR, \fBEVP_PKEY_assign_DSA()\fR, \fBEVP_PKEY_assign_DH()\fR,
\&\fBEVP_PKEY_assign_EC_KEY()\fR, \fBEVP_PKEY_assign_POLY1305()\fR
and \fBEVP_PKEY_assign_SIPHASH()\fR return 1 for success and 0 for failure.
.PP
\&\fBEVP_PKEY_base_id()\fR, \fBEVP_PKEY_id()\fR and \fBEVP_PKEY_type()\fR return a key
type or \fBNID_undef\fR (equivalently \fB\s-1EVP_PKEY_NONE\s0\fR) on error.
.PP
\&\fBEVP_PKEY_set1_engine()\fR returns 1 for success and 0 for failure.
.PP
\&\fBEVP_PKEY_set_alias_type()\fR returns 1 for success and 0 for error.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
After loading an \s-1ECC\s0 key, it is possible to convert it to using \s-1SM2\s0
algorithms with EVP_PKEY_set_alias_type:
.PP
.Vb 1
\& EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_sign.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_sign.3
index 9ff08111ee26..7749307d7b13 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_sign.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_sign.3
@@ -1,245 +1,245 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_SIGN 3"
-.TH EVP_PKEY_SIGN 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_PKEY_SIGN 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_PKEY_sign_init, EVP_PKEY_sign \- sign using a public key algorithm
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int EVP_PKEY_sign_init(EVP_PKEY_CTX *ctx);
\& int EVP_PKEY_sign(EVP_PKEY_CTX *ctx,
\& unsigned char *sig, size_t *siglen,
\& const unsigned char *tbs, size_t tbslen);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBEVP_PKEY_sign_init()\fR function initializes a public key algorithm
context using key \fBpkey\fR for a signing operation.
.PP
The \fBEVP_PKEY_sign()\fR function performs a public key signing operation
using \fBctx\fR. The data to be signed is specified using the \fBtbs\fR and
\&\fBtbslen\fR parameters. If \fBsig\fR is \fB\s-1NULL\s0\fR then the maximum size of the output
buffer is written to the \fBsiglen\fR parameter. If \fBsig\fR is not \fB\s-1NULL\s0\fR then
before the call the \fBsiglen\fR parameter should contain the length of the
\&\fBsig\fR buffer, if the call is successful the signature is written to
\&\fBsig\fR and the amount of data written to \fBsiglen\fR.
.SH "NOTES"
.IX Header "NOTES"
\&\fBEVP_PKEY_sign()\fR does not hash the data to be signed, and therefore is
normally used to sign digests. For signing arbitrary messages, see the
\&\fBEVP_DigestSignInit\fR\|(3) and
\&\fBEVP_SignInit\fR\|(3) signing interfaces instead.
.PP
After the call to \fBEVP_PKEY_sign_init()\fR algorithm specific control
operations can be performed to set any appropriate parameters for the
operation (see \fBEVP_PKEY_CTX_ctrl\fR\|(3)).
.PP
The function \fBEVP_PKEY_sign()\fR can be called more than once on the same
context if several operations are performed using the same parameters.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_sign_init()\fR and \fBEVP_PKEY_sign()\fR return 1 for success and 0
or a negative value for failure. In particular a return value of \-2
indicates the operation is not supported by the public key algorithm.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Sign data using \s-1RSA\s0 with PKCS#1 padding and \s-1SHA256\s0 digest:
.PP
.Vb 2
\& #include <openssl/evp.h>
\& #include <openssl/rsa.h>
\&
\& EVP_PKEY_CTX *ctx;
\& /* md is a SHA\-256 digest in this example. */
\& unsigned char *md, *sig;
\& size_t mdlen = 32, siglen;
\& EVP_PKEY *signing_key;
\&
\& /*
\& * NB: assumes signing_key and md are set up before the next
\& * step. signing_key must be an RSA private key and md must
\& * point to the SHA\-256 digest to be signed.
\& */
\& ctx = EVP_PKEY_CTX_new(signing_key, NULL /* no engine */);
\& if (!ctx)
\& /* Error occurred */
\& if (EVP_PKEY_sign_init(ctx) <= 0)
\& /* Error */
\& if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
\& /* Error */
\& if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0)
\& /* Error */
\&
\& /* Determine buffer length */
\& if (EVP_PKEY_sign(ctx, NULL, &siglen, md, mdlen) <= 0)
\& /* Error */
\&
\& sig = OPENSSL_malloc(siglen);
\&
\& if (!sig)
\& /* malloc failure */
\&
\& if (EVP_PKEY_sign(ctx, sig, &siglen, md, mdlen) <= 0)
\& /* Error */
\&
\& /* Signature is siglen bytes written to buffer sig */
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_CTX_ctrl\fR\|(3),
\&\fBEVP_PKEY_encrypt\fR\|(3),
\&\fBEVP_PKEY_decrypt\fR\|(3),
\&\fBEVP_PKEY_verify\fR\|(3),
\&\fBEVP_PKEY_verify_recover\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_size.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_size.3
index cb355e7c07c5..e4b342d00071 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_size.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_size.3
@@ -1,210 +1,210 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_SIZE 3"
-.TH EVP_PKEY_SIZE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_PKEY_SIZE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_PKEY_size, EVP_PKEY_bits, EVP_PKEY_security_bits \&\- EVP_PKEY information functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int EVP_PKEY_size(const EVP_PKEY *pkey);
\& int EVP_PKEY_bits(const EVP_PKEY *pkey);
\& int EVP_PKEY_security_bits(const EVP_PKEY *pkey);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBEVP_PKEY_size()\fR returns the maximum suitable size for the output
buffers for almost all operations that can be done with \fIpkey\fR.
The primary documented use is with \fBEVP_SignFinal\fR\|(3) and
\&\fBEVP_SealInit\fR\|(3), but it isn't limited there. The returned size is
also large enough for the output buffer of \fBEVP_PKEY_sign\fR\|(3),
\&\fBEVP_PKEY_encrypt\fR\|(3), \fBEVP_PKEY_decrypt\fR\|(3), \fBEVP_PKEY_derive\fR\|(3).
.PP
It must be stressed that, unless the documentation for the operation
that's being performed says otherwise, the size returned by
\&\fBEVP_PKEY_size()\fR is only preliminary and not exact, so the final
contents of the target buffer may be smaller. It is therefore crucial
to take note of the size given back by the function that performs the
operation, such as \fBEVP_PKEY_sign\fR\|(3) (the \fIsiglen\fR argument will
receive that length), to avoid bugs.
.PP
\&\fBEVP_PKEY_bits()\fR returns the cryptographic length of the cryptosystem
to which the key in \fIpkey\fR belongs, in bits. Note that the definition
of cryptographic length is specific to the key cryptosystem.
.PP
\&\fBEVP_PKEY_security_bits()\fR returns the number of security bits of the given
\&\fIpkey\fR, bits of security is defined in \s-1NIST SP800\-57.\s0
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_size()\fR, \fBEVP_PKEY_bits()\fR and \fBEVP_PKEY_security_bits()\fR return a
positive number, or 0 if this size isn't available.
.SH "NOTES"
.IX Header "NOTES"
Most functions that have an output buffer and are mentioned with
\&\fBEVP_PKEY_size()\fR have a functionality where you can pass \s-1NULL\s0 for the
buffer and still pass a pointer to an integer and get the exact size
that this function call delivers in the context that it's called in.
This allows those functions to be called twice, once to find out the
exact buffer size, then allocate the buffer in between, and call that
function again actually output the data. For those functions, it
isn't strictly necessary to call \fBEVP_PKEY_size()\fR to find out the
buffer size, but may be useful in cases where it's desirable to know
the upper limit in advance.
.PP
It should also be especially noted that \fBEVP_PKEY_size()\fR shouldn't be
used to get the output size for \fBEVP_DigestSignFinal()\fR, according to
\&\*(L"\s-1NOTES\*(R"\s0 in \fBEVP_DigestSignFinal\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_SignFinal\fR\|(3),
\&\fBEVP_SealInit\fR\|(3),
\&\fBEVP_PKEY_sign\fR\|(3),
\&\fBEVP_PKEY_encrypt\fR\|(3),
\&\fBEVP_PKEY_decrypt\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_verify.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_verify.3
index 6f604275cc26..995bb2e338cb 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_verify.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_verify.3
@@ -1,234 +1,234 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_VERIFY 3"
-.TH EVP_PKEY_VERIFY 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_PKEY_VERIFY 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_PKEY_verify_init, EVP_PKEY_verify \- signature verification using a public key algorithm
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int EVP_PKEY_verify_init(EVP_PKEY_CTX *ctx);
\& int EVP_PKEY_verify(EVP_PKEY_CTX *ctx,
\& const unsigned char *sig, size_t siglen,
\& const unsigned char *tbs, size_t tbslen);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBEVP_PKEY_verify_init()\fR function initializes a public key algorithm
context using key \fBpkey\fR for a signature verification operation.
.PP
The \fBEVP_PKEY_verify()\fR function performs a public key verification operation
using \fBctx\fR. The signature is specified using the \fBsig\fR and
\&\fBsiglen\fR parameters. The verified data (i.e. the data believed originally
signed) is specified using the \fBtbs\fR and \fBtbslen\fR parameters.
.SH "NOTES"
.IX Header "NOTES"
After the call to \fBEVP_PKEY_verify_init()\fR algorithm specific control
operations can be performed to set any appropriate parameters for the
operation.
.PP
The function \fBEVP_PKEY_verify()\fR can be called more than once on the same
context if several operations are performed using the same parameters.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_verify_init()\fR and \fBEVP_PKEY_verify()\fR return 1 if the verification was
successful and 0 if it failed. Unlike other functions the return value 0 from
\&\fBEVP_PKEY_verify()\fR only indicates that the signature did not verify
successfully (that is tbs did not match the original data or the signature was
of invalid form) it is not an indication of a more serious error.
.PP
A negative value indicates an error other that signature verification failure.
In particular a return value of \-2 indicates the operation is not supported by
the public key algorithm.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Verify signature using PKCS#1 and \s-1SHA256\s0 digest:
.PP
.Vb 2
\& #include <openssl/evp.h>
\& #include <openssl/rsa.h>
\&
\& EVP_PKEY_CTX *ctx;
\& unsigned char *md, *sig;
\& size_t mdlen, siglen;
\& EVP_PKEY *verify_key;
\&
\& /*
\& * NB: assumes verify_key, sig, siglen md and mdlen are already set up
\& * and that verify_key is an RSA public key
\& */
\& ctx = EVP_PKEY_CTX_new(verify_key, NULL /* no engine */);
\& if (!ctx)
\& /* Error occurred */
\& if (EVP_PKEY_verify_init(ctx) <= 0)
\& /* Error */
\& if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
\& /* Error */
\& if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0)
\& /* Error */
\&
\& /* Perform operation */
\& ret = EVP_PKEY_verify(ctx, sig, siglen, md, mdlen);
\&
\& /*
\& * ret == 1 indicates success, 0 verify failure and < 0 for some
\& * other error.
\& */
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_encrypt\fR\|(3),
\&\fBEVP_PKEY_decrypt\fR\|(3),
\&\fBEVP_PKEY_sign\fR\|(3),
\&\fBEVP_PKEY_verify_recover\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_PKEY_verify_recover.3 b/secure/lib/libcrypto/man/man3/EVP_PKEY_verify_recover.3
index a110fce99be1..4454c50cd695 100644
--- a/secure/lib/libcrypto/man/man3/EVP_PKEY_verify_recover.3
+++ b/secure/lib/libcrypto/man/man3/EVP_PKEY_verify_recover.3
@@ -1,245 +1,245 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_PKEY_VERIFY_RECOVER 3"
-.TH EVP_PKEY_VERIFY_RECOVER 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_PKEY_VERIFY_RECOVER 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_PKEY_verify_recover_init, EVP_PKEY_verify_recover \- recover signature using a public key algorithm
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx);
\& int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx,
\& unsigned char *rout, size_t *routlen,
\& const unsigned char *sig, size_t siglen);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBEVP_PKEY_verify_recover_init()\fR function initializes a public key algorithm
context using key \fBpkey\fR for a verify recover operation.
.PP
The \fBEVP_PKEY_verify_recover()\fR function recovers signed data
using \fBctx\fR. The signature is specified using the \fBsig\fR and
\&\fBsiglen\fR parameters. If \fBrout\fR is \fB\s-1NULL\s0\fR then the maximum size of the output
buffer is written to the \fBroutlen\fR parameter. If \fBrout\fR is not \fB\s-1NULL\s0\fR then
before the call the \fBroutlen\fR parameter should contain the length of the
\&\fBrout\fR buffer, if the call is successful recovered data is written to
\&\fBrout\fR and the amount of data written to \fBroutlen\fR.
.SH "NOTES"
.IX Header "NOTES"
Normally an application is only interested in whether a signature verification
operation is successful in those cases the \fBEVP_verify()\fR function should be
used.
.PP
Sometimes however it is useful to obtain the data originally signed using a
signing operation. Only certain public key algorithms can recover a signature
in this way (for example \s-1RSA\s0 in \s-1PKCS\s0 padding mode).
.PP
After the call to \fBEVP_PKEY_verify_recover_init()\fR algorithm specific control
operations can be performed to set any appropriate parameters for the
operation.
.PP
The function \fBEVP_PKEY_verify_recover()\fR can be called more than once on the same
context if several operations are performed using the same parameters.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_PKEY_verify_recover_init()\fR and \fBEVP_PKEY_verify_recover()\fR return 1 for success
and 0 or a negative value for failure. In particular a return value of \-2
indicates the operation is not supported by the public key algorithm.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Recover digest originally signed using PKCS#1 and \s-1SHA256\s0 digest:
.PP
.Vb 2
\& #include <openssl/evp.h>
\& #include <openssl/rsa.h>
\&
\& EVP_PKEY_CTX *ctx;
\& unsigned char *rout, *sig;
\& size_t routlen, siglen;
\& EVP_PKEY *verify_key;
\&
\& /*
\& * NB: assumes verify_key, sig and siglen are already set up
\& * and that verify_key is an RSA public key
\& */
\& ctx = EVP_PKEY_CTX_new(verify_key, NULL /* no engine */);
\& if (!ctx)
\& /* Error occurred */
\& if (EVP_PKEY_verify_recover_init(ctx) <= 0)
\& /* Error */
\& if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
\& /* Error */
\& if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0)
\& /* Error */
\&
\& /* Determine buffer length */
\& if (EVP_PKEY_verify_recover(ctx, NULL, &routlen, sig, siglen) <= 0)
\& /* Error */
\&
\& rout = OPENSSL_malloc(routlen);
\&
\& if (!rout)
\& /* malloc failure */
\&
\& if (EVP_PKEY_verify_recover(ctx, rout, &routlen, sig, siglen) <= 0)
\& /* Error */
\&
\& /* Recovered data is routlen bytes written to buffer rout */
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_encrypt\fR\|(3),
\&\fBEVP_PKEY_decrypt\fR\|(3),
\&\fBEVP_PKEY_sign\fR\|(3),
\&\fBEVP_PKEY_verify\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2013\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_SealInit.3 b/secure/lib/libcrypto/man/man3/EVP_SealInit.3
index d411beb2b5f9..dcc68470575f 100644
--- a/secure/lib/libcrypto/man/man3/EVP_SealInit.3
+++ b/secure/lib/libcrypto/man/man3/EVP_SealInit.3
@@ -1,223 +1,223 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_SEALINIT 3"
-.TH EVP_SEALINIT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_SEALINIT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_SealInit, EVP_SealUpdate, EVP_SealFinal \- EVP envelope encryption
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
\& unsigned char **ek, int *ekl, unsigned char *iv,
\& EVP_PKEY **pubk, int npubk);
\& int EVP_SealUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
\& int *outl, unsigned char *in, int inl);
\& int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1EVP\s0 envelope routines are a high-level interface to envelope
encryption. They generate a random key and \s-1IV\s0 (if required) then
\&\*(L"envelope\*(R" it by using public key encryption. Data can then be
encrypted using this key.
.PP
\&\fBEVP_SealInit()\fR initializes a cipher context \fBctx\fR for encryption
with cipher \fBtype\fR using a random secret key and \s-1IV.\s0 \fBtype\fR is normally
supplied by a function such as \fBEVP_aes_256_cbc()\fR. The secret key is encrypted
using one or more public keys, this allows the same encrypted data to be
decrypted using any of the corresponding private keys. \fBek\fR is an array of
buffers where the public key encrypted secret key will be written, each buffer
must contain enough room for the corresponding encrypted key: that is
\&\fBek[i]\fR must have room for \fBEVP_PKEY_size(pubk[i])\fR bytes. The actual
size of each encrypted secret key is written to the array \fBekl\fR. \fBpubk\fR is
an array of \fBnpubk\fR public keys.
.PP
The \fBiv\fR parameter is a buffer where the generated \s-1IV\s0 is written to. It must
contain enough room for the corresponding cipher's \s-1IV,\s0 as determined by (for
example) EVP_CIPHER_iv_length(type).
.PP
If the cipher does not require an \s-1IV\s0 then the \fBiv\fR parameter is ignored
and can be \fB\s-1NULL\s0\fR.
.PP
\&\fBEVP_SealUpdate()\fR and \fBEVP_SealFinal()\fR have exactly the same properties
as the \fBEVP_EncryptUpdate()\fR and \fBEVP_EncryptFinal()\fR routines, as
documented on the \fBEVP_EncryptInit\fR\|(3) manual
page.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_SealInit()\fR returns 0 on error or \fBnpubk\fR if successful.
.PP
\&\fBEVP_SealUpdate()\fR and \fBEVP_SealFinal()\fR return 1 for success and 0 for
failure.
.SH "NOTES"
.IX Header "NOTES"
Because a random secret key is generated the random number generator
must be seeded when \fBEVP_SealInit()\fR is called.
If the automatic seeding or reseeding of the OpenSSL \s-1CSPRNG\s0 fails due to
external circumstances (see \s-1\fBRAND\s0\fR\|(7)), the operation will fail.
.PP
The public key must be \s-1RSA\s0 because it is the only OpenSSL public key
algorithm that supports key transport.
.PP
Envelope encryption is the usual method of using public key encryption
on large amounts of data, this is because public key encryption is slow
but symmetric encryption is fast. So symmetric encryption is used for
bulk encryption and the small random symmetric key used is transferred
using public key encryption.
.PP
It is possible to call \fBEVP_SealInit()\fR twice in the same way as
\&\fBEVP_EncryptInit()\fR. The first call should have \fBnpubk\fR set to 0
and (after setting any cipher parameters) it should be called again
with \fBtype\fR set to \s-1NULL.\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7), \fBRAND_bytes\fR\|(3),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_OpenInit\fR\|(3),
\&\s-1\fBRAND\s0\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_SignInit.3 b/secure/lib/libcrypto/man/man3/EVP_SignInit.3
index 11acdfc0813e..832b573cae10 100644
--- a/secure/lib/libcrypto/man/man3/EVP_SignInit.3
+++ b/secure/lib/libcrypto/man/man3/EVP_SignInit.3
@@ -1,228 +1,228 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_SIGNINIT 3"
-.TH EVP_SIGNINIT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_SIGNINIT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_SignInit, EVP_SignInit_ex, EVP_SignUpdate, EVP_SignFinal \&\- EVP signing functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int EVP_SignInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl);
\& int EVP_SignUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
\& int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *sig, unsigned int *s, EVP_PKEY *pkey);
\&
\& void EVP_SignInit(EVP_MD_CTX *ctx, const EVP_MD *type);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1EVP\s0 signature routines are a high-level interface to digital
signatures.
.PP
\&\fBEVP_SignInit_ex()\fR sets up signing context \fIctx\fR to use digest
\&\fItype\fR from \fB\s-1ENGINE\s0\fR \fIimpl\fR. \fIctx\fR must be created with
\&\fBEVP_MD_CTX_new()\fR before calling this function.
.PP
\&\fBEVP_SignUpdate()\fR hashes \fIcnt\fR bytes of data at \fId\fR into the
signature context \fIctx\fR. This function can be called several times on the
same \fIctx\fR to include additional data.
.PP
\&\fBEVP_SignFinal()\fR signs the data in \fIctx\fR using the private key \fIpkey\fR and
places the signature in \fIsig\fR. \fIsig\fR must be at least \f(CW\*(C`EVP_PKEY_size(pkey)\*(C'\fR
bytes in size. \fIs\fR is an \s-1OUT\s0 parameter, and not used as an \s-1IN\s0 parameter.
The number of bytes of data written (i.e. the length of the signature)
will be written to the integer at \fIs\fR, at most \f(CW\*(C`EVP_PKEY_size(pkey)\*(C'\fR bytes
will be written.
.PP
\&\fBEVP_SignInit()\fR initializes a signing context \fIctx\fR to use the default
implementation of digest \fItype\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_SignInit_ex()\fR, \fBEVP_SignUpdate()\fR and \fBEVP_SignFinal()\fR return 1
for success and 0 for failure.
.PP
The error codes can be obtained by \fBERR_get_error\fR\|(3).
.SH "NOTES"
.IX Header "NOTES"
The \fB\s-1EVP\s0\fR interface to digital signatures should almost always be used in
preference to the low-level interfaces. This is because the code then becomes
transparent to the algorithm used and much more flexible.
.PP
When signing with \s-1DSA\s0 private keys the random number generator must be seeded.
If the automatic seeding or reseeding of the OpenSSL \s-1CSPRNG\s0 fails due to
external circumstances (see \s-1\fBRAND\s0\fR\|(7)), the operation will fail.
This requirement does not hold for \s-1RSA\s0 signatures.
.PP
The call to \fBEVP_SignFinal()\fR internally finalizes a copy of the digest context.
This means that calls to \fBEVP_SignUpdate()\fR and \fBEVP_SignFinal()\fR can be called
later to digest and sign additional data.
.PP
Since only a copy of the digest context is ever finalized the context must
be cleaned up after use by calling \fBEVP_MD_CTX_free()\fR or a memory leak
will occur.
.SH "BUGS"
.IX Header "BUGS"
Older versions of this documentation wrongly stated that calls to
\&\fBEVP_SignUpdate()\fR could not be made after calling \fBEVP_SignFinal()\fR.
.PP
Since the private key is passed in the call to \fBEVP_SignFinal()\fR any error
relating to the private key (for example an unsuitable key and digest
combination) will not be indicated until after potentially large amounts of
data have been passed through \fBEVP_SignUpdate()\fR.
.PP
It is not possible to change the signing parameters using these function.
.PP
The previous two bugs are fixed in the newer EVP_SignDigest*() function.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_size\fR\|(3), \fBEVP_PKEY_bits\fR\|(3), \fBEVP_PKEY_security_bits\fR\|(3),
\&\fBEVP_VerifyInit\fR\|(3),
\&\fBEVP_DigestInit\fR\|(3),
\&\fBevp\fR\|(7), \s-1\fBHMAC\s0\fR\|(3), \s-1\fBMD2\s0\fR\|(3),
\&\s-1\fBMD5\s0\fR\|(3), \s-1\fBMDC2\s0\fR\|(3), \s-1\fBRIPEMD160\s0\fR\|(3),
\&\s-1\fBSHA1\s0\fR\|(3), \fBdgst\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_VerifyInit.3 b/secure/lib/libcrypto/man/man3/EVP_VerifyInit.3
index d9f88b654521..52db89a23fe5 100644
--- a/secure/lib/libcrypto/man/man3/EVP_VerifyInit.3
+++ b/secure/lib/libcrypto/man/man3/EVP_VerifyInit.3
@@ -1,223 +1,223 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_VERIFYINIT 3"
-.TH EVP_VERIFYINIT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_VERIFYINIT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_VerifyInit_ex, EVP_VerifyInit, EVP_VerifyUpdate, EVP_VerifyFinal \&\- EVP signature verification functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int EVP_VerifyInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl);
\& int EVP_VerifyUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
\& int EVP_VerifyFinal(EVP_MD_CTX *ctx, unsigned char *sigbuf, unsigned int siglen,
\& EVP_PKEY *pkey);
\&
\& int EVP_VerifyInit(EVP_MD_CTX *ctx, const EVP_MD *type);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1EVP\s0 signature verification routines are a high-level interface to digital
signatures.
.PP
\&\fBEVP_VerifyInit_ex()\fR sets up verification context \fBctx\fR to use digest
\&\fBtype\fR from \s-1ENGINE\s0 \fBimpl\fR. \fBctx\fR must be created by calling
\&\fBEVP_MD_CTX_new()\fR before calling this function.
.PP
\&\fBEVP_VerifyUpdate()\fR hashes \fBcnt\fR bytes of data at \fBd\fR into the
verification context \fBctx\fR. This function can be called several times on the
same \fBctx\fR to include additional data.
.PP
\&\fBEVP_VerifyFinal()\fR verifies the data in \fBctx\fR using the public key \fBpkey\fR
and against the \fBsiglen\fR bytes at \fBsigbuf\fR.
.PP
\&\fBEVP_VerifyInit()\fR initializes verification context \fBctx\fR to use the default
implementation of digest \fBtype\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBEVP_VerifyInit_ex()\fR and \fBEVP_VerifyUpdate()\fR return 1 for success and 0 for
failure.
.PP
\&\fBEVP_VerifyFinal()\fR returns 1 for a correct signature, 0 for failure and \-1 if some
other error occurred.
.PP
The error codes can be obtained by \fBERR_get_error\fR\|(3).
.SH "NOTES"
.IX Header "NOTES"
The \fB\s-1EVP\s0\fR interface to digital signatures should almost always be used in
preference to the low-level interfaces. This is because the code then becomes
transparent to the algorithm used and much more flexible.
.PP
The call to \fBEVP_VerifyFinal()\fR internally finalizes a copy of the digest context.
This means that calls to \fBEVP_VerifyUpdate()\fR and \fBEVP_VerifyFinal()\fR can be called
later to digest and verify additional data.
.PP
Since only a copy of the digest context is ever finalized the context must
be cleaned up after use by calling \fBEVP_MD_CTX_free()\fR or a memory leak
will occur.
.SH "BUGS"
.IX Header "BUGS"
Older versions of this documentation wrongly stated that calls to
\&\fBEVP_VerifyUpdate()\fR could not be made after calling \fBEVP_VerifyFinal()\fR.
.PP
Since the public key is passed in the call to \fBEVP_SignFinal()\fR any error
relating to the private key (for example an unsuitable key and digest
combination) will not be indicated until after potentially large amounts of
data have been passed through \fBEVP_SignUpdate()\fR.
.PP
It is not possible to change the signing parameters using these function.
.PP
The previous two bugs are fixed in the newer EVP_DigestVerify*() function.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_SignInit\fR\|(3),
\&\fBEVP_DigestInit\fR\|(3),
\&\fBevp\fR\|(7), \s-1\fBHMAC\s0\fR\|(3), \s-1\fBMD2\s0\fR\|(3),
\&\s-1\fBMD5\s0\fR\|(3), \s-1\fBMDC2\s0\fR\|(3), \s-1\fBRIPEMD160\s0\fR\|(3),
\&\s-1\fBSHA1\s0\fR\|(3), \fBdgst\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_aes.3 b/secure/lib/libcrypto/man/man3/EVP_aes.3
index 02e7b746edb0..74bf3d39ee94 100644
--- a/secure/lib/libcrypto/man/man3/EVP_aes.3
+++ b/secure/lib/libcrypto/man/man3/EVP_aes.3
@@ -1,223 +1,223 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_AES 3"
-.TH EVP_AES 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_AES 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_aes_128_cbc, EVP_aes_192_cbc, EVP_aes_256_cbc, EVP_aes_128_cfb, EVP_aes_192_cfb, EVP_aes_256_cfb, EVP_aes_128_cfb1, EVP_aes_192_cfb1, EVP_aes_256_cfb1, EVP_aes_128_cfb8, EVP_aes_192_cfb8, EVP_aes_256_cfb8, EVP_aes_128_cfb128, EVP_aes_192_cfb128, EVP_aes_256_cfb128, EVP_aes_128_ctr, EVP_aes_192_ctr, EVP_aes_256_ctr, EVP_aes_128_ecb, EVP_aes_192_ecb, EVP_aes_256_ecb, EVP_aes_128_ofb, EVP_aes_192_ofb, EVP_aes_256_ofb, EVP_aes_128_cbc_hmac_sha1, EVP_aes_256_cbc_hmac_sha1, EVP_aes_128_cbc_hmac_sha256, EVP_aes_256_cbc_hmac_sha256, EVP_aes_128_ccm, EVP_aes_192_ccm, EVP_aes_256_ccm, EVP_aes_128_gcm, EVP_aes_192_gcm, EVP_aes_256_gcm, EVP_aes_128_ocb, EVP_aes_192_ocb, EVP_aes_256_ocb, EVP_aes_128_wrap, EVP_aes_192_wrap, EVP_aes_256_wrap, EVP_aes_128_wrap_pad, EVP_aes_192_wrap_pad, EVP_aes_256_wrap_pad, EVP_aes_128_xts, EVP_aes_256_xts \&\- EVP AES cipher
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_CIPHER *EVP_ciphername(void)
.Ve
.PP
\&\fIEVP_ciphername\fR is used a placeholder for any of the described cipher
functions, such as \fIEVP_aes_128_cbc\fR.
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1AES\s0 encryption algorithm for \s-1EVP.\s0
.IP "\fBEVP_aes_128_cbc()\fR, \fBEVP_aes_192_cbc()\fR, \fBEVP_aes_256_cbc()\fR, \fBEVP_aes_128_cfb()\fR, \fBEVP_aes_192_cfb()\fR, \fBEVP_aes_256_cfb()\fR, \fBEVP_aes_128_cfb1()\fR, \fBEVP_aes_192_cfb1()\fR, \fBEVP_aes_256_cfb1()\fR, \fBEVP_aes_128_cfb8()\fR, \fBEVP_aes_192_cfb8()\fR, \fBEVP_aes_256_cfb8()\fR, \fBEVP_aes_128_cfb128()\fR, \fBEVP_aes_192_cfb128()\fR, \fBEVP_aes_256_cfb128()\fR, \fBEVP_aes_128_ctr()\fR, \fBEVP_aes_192_ctr()\fR, \fBEVP_aes_256_ctr()\fR, \fBEVP_aes_128_ecb()\fR, \fBEVP_aes_192_ecb()\fR, \fBEVP_aes_256_ecb()\fR, \fBEVP_aes_128_ofb()\fR, \fBEVP_aes_192_ofb()\fR, \fBEVP_aes_256_ofb()\fR" 4
.IX Item "EVP_aes_128_cbc(), EVP_aes_192_cbc(), EVP_aes_256_cbc(), EVP_aes_128_cfb(), EVP_aes_192_cfb(), EVP_aes_256_cfb(), EVP_aes_128_cfb1(), EVP_aes_192_cfb1(), EVP_aes_256_cfb1(), EVP_aes_128_cfb8(), EVP_aes_192_cfb8(), EVP_aes_256_cfb8(), EVP_aes_128_cfb128(), EVP_aes_192_cfb128(), EVP_aes_256_cfb128(), EVP_aes_128_ctr(), EVP_aes_192_ctr(), EVP_aes_256_ctr(), EVP_aes_128_ecb(), EVP_aes_192_ecb(), EVP_aes_256_ecb(), EVP_aes_128_ofb(), EVP_aes_192_ofb(), EVP_aes_256_ofb()"
\&\s-1AES\s0 for 128, 192 and 256 bit keys in the following modes: \s-1CBC, CFB\s0 with 128\-bit
shift, \s-1CFB\s0 with 1\-bit shift, \s-1CFB\s0 with 8\-bit shift, \s-1CTR, ECB,\s0 and \s-1OFB.\s0
.IP "\fBEVP_aes_128_cbc_hmac_sha1()\fR, \fBEVP_aes_256_cbc_hmac_sha1()\fR" 4
.IX Item "EVP_aes_128_cbc_hmac_sha1(), EVP_aes_256_cbc_hmac_sha1()"
Authenticated encryption with \s-1AES\s0 in \s-1CBC\s0 mode using \s-1SHA\-1\s0 as \s-1HMAC,\s0 with keys of
128 and 256 bits length respectively. The authentication tag is 160 bits long.
.Sp
\&\s-1WARNING:\s0 this is not intended for usage outside of \s-1TLS\s0 and requires calling of
some undocumented ctrl functions. These ciphers do not conform to the \s-1EVP AEAD\s0
interface.
.IP "\fBEVP_aes_128_cbc_hmac_sha256()\fR, \fBEVP_aes_256_cbc_hmac_sha256()\fR" 4
.IX Item "EVP_aes_128_cbc_hmac_sha256(), EVP_aes_256_cbc_hmac_sha256()"
Authenticated encryption with \s-1AES\s0 in \s-1CBC\s0 mode using \s-1SHA256\s0 (\s-1SHA\-2,\s0 256\-bits) as
\&\s-1HMAC,\s0 with keys of 128 and 256 bits length respectively. The authentication tag
is 256 bits long.
.Sp
\&\s-1WARNING:\s0 this is not intended for usage outside of \s-1TLS\s0 and requires calling of
some undocumented ctrl functions. These ciphers do not conform to the \s-1EVP AEAD\s0
interface.
.IP "\fBEVP_aes_128_ccm()\fR, \fBEVP_aes_192_ccm()\fR, \fBEVP_aes_256_ccm()\fR, \fBEVP_aes_128_gcm()\fR, \fBEVP_aes_192_gcm()\fR, \fBEVP_aes_256_gcm()\fR, \fBEVP_aes_128_ocb()\fR, \fBEVP_aes_192_ocb()\fR, \fBEVP_aes_256_ocb()\fR" 4
.IX Item "EVP_aes_128_ccm(), EVP_aes_192_ccm(), EVP_aes_256_ccm(), EVP_aes_128_gcm(), EVP_aes_192_gcm(), EVP_aes_256_gcm(), EVP_aes_128_ocb(), EVP_aes_192_ocb(), EVP_aes_256_ocb()"
\&\s-1AES\s0 for 128, 192 and 256 bit keys in CBC-MAC Mode (\s-1CCM\s0), Galois Counter Mode
(\s-1GCM\s0) and \s-1OCB\s0 Mode respectively. These ciphers require additional control
operations to function correctly, see the \*(L"\s-1AEAD\s0 Interface\*(R" in \fBEVP_EncryptInit\fR\|(3)
section for details.
.IP "\fBEVP_aes_128_wrap()\fR, \fBEVP_aes_192_wrap()\fR, \fBEVP_aes_256_wrap()\fR, \fBEVP_aes_128_wrap_pad()\fR, \fBEVP_aes_128_wrap()\fR, \fBEVP_aes_192_wrap()\fR, \fBEVP_aes_256_wrap()\fR, \fBEVP_aes_192_wrap_pad()\fR, \fBEVP_aes_128_wrap()\fR, \fBEVP_aes_192_wrap()\fR, \fBEVP_aes_256_wrap()\fR, \fBEVP_aes_256_wrap_pad()\fR" 4
.IX Item "EVP_aes_128_wrap(), EVP_aes_192_wrap(), EVP_aes_256_wrap(), EVP_aes_128_wrap_pad(), EVP_aes_128_wrap(), EVP_aes_192_wrap(), EVP_aes_256_wrap(), EVP_aes_192_wrap_pad(), EVP_aes_128_wrap(), EVP_aes_192_wrap(), EVP_aes_256_wrap(), EVP_aes_256_wrap_pad()"
\&\s-1AES\s0 key wrap with 128, 192 and 256 bit keys, as according to \s-1RFC 3394\s0 section
2.2.1 (\*(L"wrap\*(R") and \s-1RFC 5649\s0 section 4.1 (\*(L"wrap with padding\*(R") respectively.
.IP "\fBEVP_aes_128_xts()\fR, \fBEVP_aes_256_xts()\fR" 4
.IX Item "EVP_aes_128_xts(), EVP_aes_256_xts()"
\&\s-1AES XTS\s0 mode (XTS-AES) is standardized in \s-1IEEE\s0 Std. 1619\-2007 and described in \s-1NIST
SP 800\-38E.\s0 The \s-1XTS\s0 (XEX-based tweaked-codebook mode with ciphertext stealing)
mode was designed by Prof. Phillip Rogaway of University of California, Davis,
intended for encrypting data on a storage device.
.Sp
XTS-AES provides confidentiality but not authentication of data. It also
requires a key of double-length for protection of a certain key size.
In particular, \s-1XTS\-AES\-128\s0 (\fBEVP_aes_128_xts\fR) takes input of a 256\-bit key to
achieve \s-1AES\s0 128\-bit security, and \s-1XTS\-AES\-256\s0 (\fBEVP_aes_256_xts\fR) takes input
of a 512\-bit key to achieve \s-1AES\s0 256\-bit security.
.Sp
The \s-1XTS\s0 implementation in OpenSSL does not support streaming. That is there must
only be one \fBEVP_EncryptUpdate\fR\|(3) call per \fBEVP_EncryptInit_ex\fR\|(3) call (and
similarly with the \*(L"Decrypt\*(R" functions).
.Sp
The \fIiv\fR parameter to \fBEVP_EncryptInit_ex\fR\|(3) or \fBEVP_DecryptInit_ex\fR\|(3) is
the \s-1XTS\s0 \*(L"tweak\*(R" value.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
details of the \fB\s-1EVP_CIPHER\s0\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_aria.3 b/secure/lib/libcrypto/man/man3/EVP_aria.3
index 320e75307235..356879960fbb 100644
--- a/secure/lib/libcrypto/man/man3/EVP_aria.3
+++ b/secure/lib/libcrypto/man/man3/EVP_aria.3
@@ -1,182 +1,182 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_ARIA 3"
-.TH EVP_ARIA 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_ARIA 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_aria_128_cbc, EVP_aria_192_cbc, EVP_aria_256_cbc, EVP_aria_128_cfb, EVP_aria_192_cfb, EVP_aria_256_cfb, EVP_aria_128_cfb1, EVP_aria_192_cfb1, EVP_aria_256_cfb1, EVP_aria_128_cfb8, EVP_aria_192_cfb8, EVP_aria_256_cfb8, EVP_aria_128_cfb128, EVP_aria_192_cfb128, EVP_aria_256_cfb128, EVP_aria_128_ctr, EVP_aria_192_ctr, EVP_aria_256_ctr, EVP_aria_128_ecb, EVP_aria_192_ecb, EVP_aria_256_ecb, EVP_aria_128_ofb, EVP_aria_192_ofb, EVP_aria_256_ofb, EVP_aria_128_ccm, EVP_aria_192_ccm, EVP_aria_256_ccm, EVP_aria_128_gcm, EVP_aria_192_gcm, EVP_aria_256_gcm, \&\- EVP ARIA cipher
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_CIPHER *EVP_ciphername(void)
.Ve
.PP
\&\fIEVP_ciphername\fR is used a placeholder for any of the described cipher
functions, such as \fIEVP_aria_128_cbc\fR.
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1ARIA\s0 encryption algorithm for \s-1EVP.\s0
.IP "\fBEVP_aria_128_cbc()\fR, \fBEVP_aria_192_cbc()\fR, \fBEVP_aria_256_cbc()\fR, \fBEVP_aria_128_cfb()\fR, \fBEVP_aria_192_cfb()\fR, \fBEVP_aria_256_cfb()\fR, \fBEVP_aria_128_cfb1()\fR, \fBEVP_aria_192_cfb1()\fR, \fBEVP_aria_256_cfb1()\fR, \fBEVP_aria_128_cfb8()\fR, \fBEVP_aria_192_cfb8()\fR, \fBEVP_aria_256_cfb8()\fR, \fBEVP_aria_128_cfb128()\fR, \fBEVP_aria_192_cfb128()\fR, \fBEVP_aria_256_cfb128()\fR, \fBEVP_aria_128_ctr()\fR, \fBEVP_aria_192_ctr()\fR, \fBEVP_aria_256_ctr()\fR, \fBEVP_aria_128_ecb()\fR, \fBEVP_aria_192_ecb()\fR, \fBEVP_aria_256_ecb()\fR, \fBEVP_aria_128_ofb()\fR, \fBEVP_aria_192_ofb()\fR, \fBEVP_aria_256_ofb()\fR" 4
.IX Item "EVP_aria_128_cbc(), EVP_aria_192_cbc(), EVP_aria_256_cbc(), EVP_aria_128_cfb(), EVP_aria_192_cfb(), EVP_aria_256_cfb(), EVP_aria_128_cfb1(), EVP_aria_192_cfb1(), EVP_aria_256_cfb1(), EVP_aria_128_cfb8(), EVP_aria_192_cfb8(), EVP_aria_256_cfb8(), EVP_aria_128_cfb128(), EVP_aria_192_cfb128(), EVP_aria_256_cfb128(), EVP_aria_128_ctr(), EVP_aria_192_ctr(), EVP_aria_256_ctr(), EVP_aria_128_ecb(), EVP_aria_192_ecb(), EVP_aria_256_ecb(), EVP_aria_128_ofb(), EVP_aria_192_ofb(), EVP_aria_256_ofb()"
\&\s-1ARIA\s0 for 128, 192 and 256 bit keys in the following modes: \s-1CBC, CFB\s0 with
128\-bit shift, \s-1CFB\s0 with 1\-bit shift, \s-1CFB\s0 with 8\-bit shift, \s-1CTR, ECB\s0 and \s-1OFB.\s0
.IP "\fBEVP_aria_128_ccm()\fR, \fBEVP_aria_192_ccm()\fR, \fBEVP_aria_256_ccm()\fR, \fBEVP_aria_128_gcm()\fR, \fBEVP_aria_192_gcm()\fR, \fBEVP_aria_256_gcm()\fR," 4
.IX Item "EVP_aria_128_ccm(), EVP_aria_192_ccm(), EVP_aria_256_ccm(), EVP_aria_128_gcm(), EVP_aria_192_gcm(), EVP_aria_256_gcm(),"
\&\s-1ARIA\s0 for 128, 192 and 256 bit keys in CBC-MAC Mode (\s-1CCM\s0) and Galois Counter
Mode (\s-1GCM\s0). These ciphers require additional control operations to function
correctly, see the \*(L"\s-1AEAD\s0 Interface\*(R" in \fBEVP_EncryptInit\fR\|(3) section for details.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
details of the \fB\s-1EVP_CIPHER\s0\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_bf_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_bf_cbc.3
index 61a734a6029c..8ff245e75666 100644
--- a/secure/lib/libcrypto/man/man3/EVP_bf_cbc.3
+++ b/secure/lib/libcrypto/man/man3/EVP_bf_cbc.3
@@ -1,179 +1,179 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_BF_CBC 3"
-.TH EVP_BF_CBC 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_BF_CBC 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_bf_cbc, EVP_bf_cfb, EVP_bf_cfb64, EVP_bf_ecb, EVP_bf_ofb \&\- EVP Blowfish cipher
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_CIPHER *EVP_bf_cbc(void)
\& const EVP_CIPHER *EVP_bf_cfb(void)
\& const EVP_CIPHER *EVP_bf_cfb64(void)
\& const EVP_CIPHER *EVP_bf_ecb(void)
\& const EVP_CIPHER *EVP_bf_ofb(void)
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The Blowfish encryption algorithm for \s-1EVP.\s0
.PP
This is a variable key length cipher.
.IP "\fBEVP_bf_cbc()\fR, \fBEVP_bf_cfb()\fR, \fBEVP_bf_cfb64()\fR, \fBEVP_bf_ecb()\fR, \fBEVP_bf_ofb()\fR" 4
.IX Item "EVP_bf_cbc(), EVP_bf_cfb(), EVP_bf_cfb64(), EVP_bf_ecb(), EVP_bf_ofb()"
Blowfish encryption algorithm in \s-1CBC, CFB, ECB\s0 and \s-1OFB\s0 modes respectively.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
details of the \fB\s-1EVP_CIPHER\s0\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_blake2b512.3 b/secure/lib/libcrypto/man/man3/EVP_blake2b512.3
index 0a0bd71804e6..826a09452be4 100644
--- a/secure/lib/libcrypto/man/man3/EVP_blake2b512.3
+++ b/secure/lib/libcrypto/man/man3/EVP_blake2b512.3
@@ -1,186 +1,186 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_BLAKE2B512 3"
-.TH EVP_BLAKE2B512 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_BLAKE2B512 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_blake2b512, EVP_blake2s256 \&\- BLAKE2 For EVP
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_MD *EVP_blake2b512(void);
\& const EVP_MD *EVP_blake2s256(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\s-1BLAKE2\s0 is an improved version of \s-1BLAKE,\s0 which was submitted to the \s-1NIST SHA\-3\s0
algorithm competition. The BLAKE2s and BLAKE2b algorithms are described in
\&\s-1RFC 7693.\s0
.IP "\fBEVP_blake2s256()\fR" 4
.IX Item "EVP_blake2s256()"
The BLAKE2s algorithm that produces a 256\-bit output from a given input.
.IP "\fBEVP_blake2b512()\fR" 4
.IX Item "EVP_blake2b512()"
The BLAKE2b algorithm that produces a 512\-bit output from a given input.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_MD_meth_new\fR\|(3) for
details of the \fB\s-1EVP_MD\s0\fR structure.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
\&\s-1RFC 7693.\s0
.SH "NOTES"
.IX Header "NOTES"
While the BLAKE2b and BLAKE2s algorithms supports a variable length digest,
this implementation outputs a digest of a fixed length (the maximum length
supported), which is 512\-bits for BLAKE2b and 256\-bits for BLAKE2s.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_DigestInit\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_camellia.3 b/secure/lib/libcrypto/man/man3/EVP_camellia.3
index 76d8b3c11593..b7f4d4584cff 100644
--- a/secure/lib/libcrypto/man/man3/EVP_camellia.3
+++ b/secure/lib/libcrypto/man/man3/EVP_camellia.3
@@ -1,177 +1,177 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_CAMELLIA 3"
-.TH EVP_CAMELLIA 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_CAMELLIA 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_camellia_128_cbc, EVP_camellia_192_cbc, EVP_camellia_256_cbc, EVP_camellia_128_cfb, EVP_camellia_192_cfb, EVP_camellia_256_cfb, EVP_camellia_128_cfb1, EVP_camellia_192_cfb1, EVP_camellia_256_cfb1, EVP_camellia_128_cfb8, EVP_camellia_192_cfb8, EVP_camellia_256_cfb8, EVP_camellia_128_cfb128, EVP_camellia_192_cfb128, EVP_camellia_256_cfb128, EVP_camellia_128_ctr, EVP_camellia_192_ctr, EVP_camellia_256_ctr, EVP_camellia_128_ecb, EVP_camellia_192_ecb, EVP_camellia_256_ecb, EVP_camellia_128_ofb, EVP_camellia_192_ofb, EVP_camellia_256_ofb \&\- EVP Camellia cipher
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_CIPHER *EVP_ciphername(void)
.Ve
.PP
\&\fIEVP_ciphername\fR is used a placeholder for any of the described cipher
functions, such as \fIEVP_camellia_128_cbc\fR.
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The Camellia encryption algorithm for \s-1EVP.\s0
.IP "\fBEVP_camellia_128_cbc()\fR, \fBEVP_camellia_192_cbc()\fR, \fBEVP_camellia_256_cbc()\fR, \fBEVP_camellia_128_cfb()\fR, \fBEVP_camellia_192_cfb()\fR, \fBEVP_camellia_256_cfb()\fR, \fBEVP_camellia_128_cfb1()\fR, \fBEVP_camellia_192_cfb1()\fR, \fBEVP_camellia_256_cfb1()\fR, \fBEVP_camellia_128_cfb8()\fR, \fBEVP_camellia_192_cfb8()\fR, \fBEVP_camellia_256_cfb8()\fR, \fBEVP_camellia_128_cfb128()\fR, \fBEVP_camellia_192_cfb128()\fR, \fBEVP_camellia_256_cfb128()\fR, \fBEVP_camellia_128_ctr()\fR, \fBEVP_camellia_192_ctr()\fR, \fBEVP_camellia_256_ctr()\fR, \fBEVP_camellia_128_ecb()\fR, \fBEVP_camellia_192_ecb()\fR, \fBEVP_camellia_256_ecb()\fR, \fBEVP_camellia_128_ofb()\fR, \fBEVP_camellia_192_ofb()\fR, \fBEVP_camellia_256_ofb()\fR" 4
.IX Item "EVP_camellia_128_cbc(), EVP_camellia_192_cbc(), EVP_camellia_256_cbc(), EVP_camellia_128_cfb(), EVP_camellia_192_cfb(), EVP_camellia_256_cfb(), EVP_camellia_128_cfb1(), EVP_camellia_192_cfb1(), EVP_camellia_256_cfb1(), EVP_camellia_128_cfb8(), EVP_camellia_192_cfb8(), EVP_camellia_256_cfb8(), EVP_camellia_128_cfb128(), EVP_camellia_192_cfb128(), EVP_camellia_256_cfb128(), EVP_camellia_128_ctr(), EVP_camellia_192_ctr(), EVP_camellia_256_ctr(), EVP_camellia_128_ecb(), EVP_camellia_192_ecb(), EVP_camellia_256_ecb(), EVP_camellia_128_ofb(), EVP_camellia_192_ofb(), EVP_camellia_256_ofb()"
Camellia for 128, 192 and 256 bit keys in the following modes: \s-1CBC, CFB\s0 with
128\-bit shift, \s-1CFB\s0 with 1\-bit shift, \s-1CFB\s0 with 8\-bit shift, \s-1CTR, ECB\s0 and \s-1OFB.\s0
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
details of the \fB\s-1EVP_CIPHER\s0\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_cast5_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_cast5_cbc.3
index 325451490adf..6e53ad41f965 100644
--- a/secure/lib/libcrypto/man/man3/EVP_cast5_cbc.3
+++ b/secure/lib/libcrypto/man/man3/EVP_cast5_cbc.3
@@ -1,179 +1,179 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_CAST5_CBC 3"
-.TH EVP_CAST5_CBC 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_CAST5_CBC 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_cast5_cbc, EVP_cast5_cfb, EVP_cast5_cfb64, EVP_cast5_ecb, EVP_cast5_ofb \&\- EVP CAST cipher
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_CIPHER *EVP_cast5_cbc(void)
\& const EVP_CIPHER *EVP_cast5_cfb(void)
\& const EVP_CIPHER *EVP_cast5_cfb64(void)
\& const EVP_CIPHER *EVP_cast5_ecb(void)
\& const EVP_CIPHER *EVP_cast5_ofb(void)
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1CAST\s0 encryption algorithm for \s-1EVP.\s0
.PP
This is a variable key length cipher.
.IP "\fBEVP_cast5_cbc()\fR, \fBEVP_cast5_ecb()\fR, \fBEVP_cast5_cfb()\fR, \fBEVP_cast5_cfb64()\fR, \fBEVP_cast5_ofb()\fR" 4
.IX Item "EVP_cast5_cbc(), EVP_cast5_ecb(), EVP_cast5_cfb(), EVP_cast5_cfb64(), EVP_cast5_ofb()"
\&\s-1CAST\s0 encryption algorithm in \s-1CBC, ECB, CFB\s0 and \s-1OFB\s0 modes respectively.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
details of the \fB\s-1EVP_CIPHER\s0\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_chacha20.3 b/secure/lib/libcrypto/man/man3/EVP_chacha20.3
index 5f879c78687d..aa468517a423 100644
--- a/secure/lib/libcrypto/man/man3/EVP_chacha20.3
+++ b/secure/lib/libcrypto/man/man3/EVP_chacha20.3
@@ -1,188 +1,188 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_CHACHA20 3"
-.TH EVP_CHACHA20 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_CHACHA20 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_chacha20, EVP_chacha20_poly1305 \&\- EVP ChaCha20 stream cipher
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_CIPHER *EVP_chacha20(void)
\& const EVP_CIPHER *EVP_chacha20_poly1305(void)
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The ChaCha20 stream cipher for \s-1EVP.\s0
.IP "\fBEVP_chacha20()\fR" 4
.IX Item "EVP_chacha20()"
The ChaCha20 stream cipher. The key length is 256 bits, the \s-1IV\s0 is 128 bits long.
The first 32 bits consists of a counter in little-endian order followed by a 96
bit nonce. For example a nonce of:
.Sp
000000000000000000000002
.Sp
With an initial counter of 42 (2a in hex) would be expressed as:
.Sp
2a000000000000000000000000000002
.IP "\fBEVP_chacha20_poly1305()\fR" 4
.IX Item "EVP_chacha20_poly1305()"
Authenticated encryption with ChaCha20\-Poly1305. Like \fBEVP_chacha20()\fR, the key
is 256 bits and the \s-1IV\s0 is 96 bits. This supports additional authenticated data
(\s-1AAD\s0) and produces a 128\-bit authentication tag. See the
\&\*(L"\s-1AEAD\s0 Interface\*(R" in \fBEVP_EncryptInit\fR\|(3) section for more information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
details of the \fB\s-1EVP_CIPHER\s0\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_des.3 b/secure/lib/libcrypto/man/man3/EVP_des.3
index 87ca32fb6722..c5f7dcda75f7 100644
--- a/secure/lib/libcrypto/man/man3/EVP_des.3
+++ b/secure/lib/libcrypto/man/man3/EVP_des.3
@@ -1,187 +1,187 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_DES 3"
-.TH EVP_DES 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_DES 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_des_cbc, EVP_des_cfb, EVP_des_cfb1, EVP_des_cfb8, EVP_des_cfb64, EVP_des_ecb, EVP_des_ofb, EVP_des_ede, EVP_des_ede_cbc, EVP_des_ede_cfb, EVP_des_ede_cfb64, EVP_des_ede_ecb, EVP_des_ede_ofb, EVP_des_ede3, EVP_des_ede3_cbc, EVP_des_ede3_cfb, EVP_des_ede3_cfb1, EVP_des_ede3_cfb8, EVP_des_ede3_cfb64, EVP_des_ede3_ecb, EVP_des_ede3_ofb, EVP_des_ede3_wrap \&\- EVP DES cipher
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_CIPHER *EVP_ciphername(void)
.Ve
.PP
\&\fIEVP_ciphername\fR is used a placeholder for any of the described cipher
functions, such as \fIEVP_des_cbc\fR.
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1DES\s0 encryption algorithm for \s-1EVP.\s0
.IP "\fBEVP_des_cbc()\fR, \fBEVP_des_ecb()\fR, \fBEVP_des_cfb()\fR, \fBEVP_des_cfb1()\fR, \fBEVP_des_cfb8()\fR, \fBEVP_des_cfb64()\fR, \fBEVP_des_ofb()\fR" 4
.IX Item "EVP_des_cbc(), EVP_des_ecb(), EVP_des_cfb(), EVP_des_cfb1(), EVP_des_cfb8(), EVP_des_cfb64(), EVP_des_ofb()"
\&\s-1DES\s0 in \s-1CBC, ECB, CFB\s0 with 64\-bit shift, \s-1CFB\s0 with 1\-bit shift, \s-1CFB\s0 with 8\-bit
shift and \s-1OFB\s0 modes.
.IP "\fBEVP_des_ede()\fR, \fBEVP_des_ede_cbc()\fR, \fBEVP_des_ede_cfb()\fR, \fBEVP_des_ede_cfb64()\fR, \fBEVP_des_ede_ecb()\fR, \fBEVP_des_ede_ofb()\fR" 4
.IX Item "EVP_des_ede(), EVP_des_ede_cbc(), EVP_des_ede_cfb(), EVP_des_ede_cfb64(), EVP_des_ede_ecb(), EVP_des_ede_ofb()"
Two key triple \s-1DES\s0 in \s-1ECB, CBC, CFB\s0 with 64\-bit shift and \s-1OFB\s0 modes.
.IP "\fBEVP_des_ede3()\fR, \fBEVP_des_ede3_cbc()\fR, \fBEVP_des_ede3_cfb()\fR, \fBEVP_des_ede3_cfb1()\fR, \fBEVP_des_ede3_cfb8()\fR, \fBEVP_des_ede3_cfb64()\fR, \fBEVP_des_ede3_ecb()\fR, \fBEVP_des_ede3_ofb()\fR" 4
.IX Item "EVP_des_ede3(), EVP_des_ede3_cbc(), EVP_des_ede3_cfb(), EVP_des_ede3_cfb1(), EVP_des_ede3_cfb8(), EVP_des_ede3_cfb64(), EVP_des_ede3_ecb(), EVP_des_ede3_ofb()"
Three-key triple \s-1DES\s0 in \s-1ECB, CBC, CFB\s0 with 64\-bit shift, \s-1CFB\s0 with 1\-bit shift,
\&\s-1CFB\s0 with 8\-bit shift and \s-1OFB\s0 modes.
.IP "\fBEVP_des_ede3_wrap()\fR" 4
.IX Item "EVP_des_ede3_wrap()"
Triple-DES key wrap according to \s-1RFC 3217\s0 Section 3.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
details of the \fB\s-1EVP_CIPHER\s0\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_desx_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_desx_cbc.3
index 025ba38fe004..bd78a6a010cd 100644
--- a/secure/lib/libcrypto/man/man3/EVP_desx_cbc.3
+++ b/secure/lib/libcrypto/man/man3/EVP_desx_cbc.3
@@ -1,175 +1,175 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_DESX_CBC 3"
-.TH EVP_DESX_CBC 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_DESX_CBC 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_desx_cbc \&\- EVP DES\-X cipher
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_CIPHER *EVP_desx_cbc(void)
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The DES-X encryption algorithm for \s-1EVP.\s0
.PP
All modes below use a key length of 128 bits and acts on blocks of 128\-bits.
.IP "\fBEVP_desx_cbc()\fR" 4
.IX Item "EVP_desx_cbc()"
The DES-X algorithm in \s-1CBC\s0 mode.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
details of the \fB\s-1EVP_CIPHER\s0\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_idea_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_idea_cbc.3
index 47a1d7759a2b..19caeb3f377a 100644
--- a/secure/lib/libcrypto/man/man3/EVP_idea_cbc.3
+++ b/secure/lib/libcrypto/man/man3/EVP_idea_cbc.3
@@ -1,177 +1,177 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_IDEA_CBC 3"
-.TH EVP_IDEA_CBC 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_IDEA_CBC 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_idea_cbc, EVP_idea_cfb, EVP_idea_cfb64, EVP_idea_ecb, EVP_idea_ofb \&\- EVP IDEA cipher
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_CIPHER *EVP_idea_cbc(void)
\& const EVP_CIPHER *EVP_idea_cfb(void)
\& const EVP_CIPHER *EVP_idea_cfb64(void)
\& const EVP_CIPHER *EVP_idea_ecb(void)
\& const EVP_CIPHER *EVP_idea_ofb(void)
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1IDEA\s0 encryption algorithm for \s-1EVP.\s0
.IP "\fBEVP_idea_cbc()\fR, \fBEVP_idea_cfb()\fR, \fBEVP_idea_cfb64()\fR, \fBEVP_idea_ecb()\fR, \fBEVP_idea_ofb()\fR" 4
.IX Item "EVP_idea_cbc(), EVP_idea_cfb(), EVP_idea_cfb64(), EVP_idea_ecb(), EVP_idea_ofb()"
The \s-1IDEA\s0 encryption algorithm in \s-1CBC, CFB, ECB\s0 and \s-1OFB\s0 modes respectively.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
details of the \fB\s-1EVP_CIPHER\s0\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_md2.3 b/secure/lib/libcrypto/man/man3/EVP_md2.3
index 0482961b1d0b..6434d567a8a2 100644
--- a/secure/lib/libcrypto/man/man3/EVP_md2.3
+++ b/secure/lib/libcrypto/man/man3/EVP_md2.3
@@ -1,176 +1,176 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MD2 3"
-.TH EVP_MD2 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_MD2 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_md2 \&\- MD2 For EVP
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_MD *EVP_md2(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\s-1MD2\s0 is a cryptographic hash function standardized in \s-1RFC 1319\s0 and designed by
Ronald Rivest.
.IP "\fBEVP_md2()\fR" 4
.IX Item "EVP_md2()"
The \s-1MD2\s0 algorithm which produces a 128\-bit output from a given input.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_MD_meth_new\fR\|(3) for
details of the \fB\s-1EVP_MD\s0\fR structure.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
\&\s-1IETF RFC 1319.\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_DigestInit\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_md4.3 b/secure/lib/libcrypto/man/man3/EVP_md4.3
index 696dc6b62a78..37dd46d7465c 100644
--- a/secure/lib/libcrypto/man/man3/EVP_md4.3
+++ b/secure/lib/libcrypto/man/man3/EVP_md4.3
@@ -1,176 +1,176 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MD4 3"
-.TH EVP_MD4 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_MD4 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_md4 \&\- MD4 For EVP
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_MD *EVP_md4(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\s-1MD4\s0 is a cryptographic hash function standardized in \s-1RFC 1320\s0 and designed by
Ronald Rivest, first published in 1990.
.IP "\fBEVP_md4()\fR" 4
.IX Item "EVP_md4()"
The \s-1MD4\s0 algorithm which produces a 128\-bit output from a given input.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_MD_meth_new\fR\|(3) for
details of the \fB\s-1EVP_MD\s0\fR structure.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
\&\s-1IETF RFC 1320.\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_DigestInit\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_md5.3 b/secure/lib/libcrypto/man/man3/EVP_md5.3
index 939863a64098..e9e2d7a60f34 100644
--- a/secure/lib/libcrypto/man/man3/EVP_md5.3
+++ b/secure/lib/libcrypto/man/man3/EVP_md5.3
@@ -1,186 +1,186 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MD5 3"
-.TH EVP_MD5 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_MD5 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_md5, EVP_md5_sha1 \&\- MD5 For EVP
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_MD *EVP_md5(void);
\& const EVP_MD *EVP_md5_sha1(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\s-1MD5\s0 is a cryptographic hash function standardized in \s-1RFC 1321\s0 and designed by
Ronald Rivest.
.PP
The \s-1CMU\s0 Software Engineering Institute considers \s-1MD5\s0 unsuitable for further
use since its security has been severely compromised.
.IP "\fBEVP_md5()\fR" 4
.IX Item "EVP_md5()"
The \s-1MD5\s0 algorithm which produces a 128\-bit output from a given input.
.IP "\fBEVP_md5_sha1()\fR" 4
.IX Item "EVP_md5_sha1()"
A hash algorithm of \s-1SSL\s0 v3 that combines \s-1MD5\s0 with \s-1SHA\-1\s0 as described in \s-1RFC
6101.\s0
.Sp
\&\s-1WARNING:\s0 this algorithm is not intended for non-SSL usage.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_MD_meth_new\fR\|(3) for
details of the \fB\s-1EVP_MD\s0\fR structure.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
\&\s-1IETF RFC 1321.\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_DigestInit\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_mdc2.3 b/secure/lib/libcrypto/man/man3/EVP_mdc2.3
index 965c7bf65817..d102d8667846 100644
--- a/secure/lib/libcrypto/man/man3/EVP_mdc2.3
+++ b/secure/lib/libcrypto/man/man3/EVP_mdc2.3
@@ -1,177 +1,177 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_MDC2 3"
-.TH EVP_MDC2 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_MDC2 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_mdc2 \&\- MDC\-2 For EVP
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_MD *EVP_mdc2(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\s-1MDC\-2\s0 (Modification Detection Code 2 or Meyer-Schilling) is a cryptographic
hash function based on a block cipher.
.IP "\fBEVP_mdc2()\fR" 4
.IX Item "EVP_mdc2()"
The \s-1MDC\-2DES\s0 algorithm of using \s-1MDC\-2\s0 with the \s-1DES\s0 block cipher. It produces a
128\-bit output from a given input.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_MD_meth_new\fR\|(3) for
details of the \fB\s-1EVP_MD\s0\fR structure.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
\&\s-1ISO/IEC 10118\-2:2000\s0 Hash-Function 2, with \s-1DES\s0 as the underlying block cipher.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_DigestInit\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_rc2_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_rc2_cbc.3
index a91f96d356d2..383a12e7f56f 100644
--- a/secure/lib/libcrypto/man/man3/EVP_rc2_cbc.3
+++ b/secure/lib/libcrypto/man/man3/EVP_rc2_cbc.3
@@ -1,189 +1,189 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_RC2_CBC 3"
-.TH EVP_RC2_CBC 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_RC2_CBC 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_rc2_cbc, EVP_rc2_cfb, EVP_rc2_cfb64, EVP_rc2_ecb, EVP_rc2_ofb, EVP_rc2_40_cbc, EVP_rc2_64_cbc \&\- EVP RC2 cipher
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_CIPHER *EVP_rc2_cbc(void)
\& const EVP_CIPHER *EVP_rc2_cfb(void)
\& const EVP_CIPHER *EVP_rc2_cfb64(void)
\& const EVP_CIPHER *EVP_rc2_ecb(void)
\& const EVP_CIPHER *EVP_rc2_ofb(void)
\& const EVP_CIPHER *EVP_rc2_40_cbc(void)
\& const EVP_CIPHER *EVP_rc2_64_cbc(void)
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1RC2\s0 encryption algorithm for \s-1EVP.\s0
.IP "\fBEVP_rc2_cbc()\fR, \fBEVP_rc2_cfb()\fR, \fBEVP_rc2_cfb64()\fR, \fBEVP_rc2_ecb()\fR, \fBEVP_rc2_ofb()\fR" 4
.IX Item "EVP_rc2_cbc(), EVP_rc2_cfb(), EVP_rc2_cfb64(), EVP_rc2_ecb(), EVP_rc2_ofb()"
\&\s-1RC2\s0 encryption algorithm in \s-1CBC, CFB, ECB\s0 and \s-1OFB\s0 modes respectively. This is a
variable key length cipher with an additional parameter called \*(L"effective key
bits\*(R" or \*(L"effective key length\*(R". By default both are set to 128 bits.
.IP "\fBEVP_rc2_40_cbc()\fR, \fBEVP_rc2_64_cbc()\fR" 4
.IX Item "EVP_rc2_40_cbc(), EVP_rc2_64_cbc()"
\&\s-1RC2\s0 algorithm in \s-1CBC\s0 mode with a default key length and effective key length of
40 and 64 bits.
.Sp
\&\s-1WARNING:\s0 these functions are obsolete. Their usage should be replaced with the
\&\fBEVP_rc2_cbc()\fR, \fBEVP_CIPHER_CTX_set_key_length()\fR and \fBEVP_CIPHER_CTX_ctrl()\fR
functions to set the key length and effective key length.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
details of the \fB\s-1EVP_CIPHER\s0\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_rc4.3 b/secure/lib/libcrypto/man/man3/EVP_rc4.3
index b3d33401045b..7e3e1b61845c 100644
--- a/secure/lib/libcrypto/man/man3/EVP_rc4.3
+++ b/secure/lib/libcrypto/man/man3/EVP_rc4.3
@@ -1,189 +1,189 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_RC4 3"
-.TH EVP_RC4 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_RC4 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_rc4, EVP_rc4_40, EVP_rc4_hmac_md5 \&\- EVP RC4 stream cipher
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_CIPHER *EVP_rc4(void)
\& const EVP_CIPHER *EVP_rc4_40(void)
\& const EVP_CIPHER *EVP_rc4_hmac_md5(void)
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1RC4\s0 stream cipher for \s-1EVP.\s0
.IP "\fBEVP_rc4()\fR" 4
.IX Item "EVP_rc4()"
\&\s-1RC4\s0 stream cipher. This is a variable key length cipher with a default key
length of 128 bits.
.IP "\fBEVP_rc4_40()\fR" 4
.IX Item "EVP_rc4_40()"
\&\s-1RC4\s0 stream cipher with 40 bit key length.
.Sp
\&\s-1WARNING:\s0 this function is obsolete. Its usage should be replaced with the
\&\fBEVP_rc4()\fR and the \fBEVP_CIPHER_CTX_set_key_length()\fR functions.
.IP "\fBEVP_rc4_hmac_md5()\fR" 4
.IX Item "EVP_rc4_hmac_md5()"
Authenticated encryption with the \s-1RC4\s0 stream cipher with \s-1MD5\s0 as \s-1HMAC.\s0
.Sp
\&\s-1WARNING:\s0 this is not intended for usage outside of \s-1TLS\s0 and requires calling of
some undocumented ctrl functions. These ciphers do not conform to the \s-1EVP AEAD\s0
interface.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
details of the \fB\s-1EVP_CIPHER\s0\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_rc5_32_12_16_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_rc5_32_12_16_cbc.3
index 2876c7669366..2bb027ae02f8 100644
--- a/secure/lib/libcrypto/man/man3/EVP_rc5_32_12_16_cbc.3
+++ b/secure/lib/libcrypto/man/man3/EVP_rc5_32_12_16_cbc.3
@@ -1,196 +1,196 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_RC5_32_12_16_CBC 3"
-.TH EVP_RC5_32_12_16_CBC 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_RC5_32_12_16_CBC 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_rc5_32_12_16_cbc, EVP_rc5_32_12_16_cfb, EVP_rc5_32_12_16_cfb64, EVP_rc5_32_12_16_ecb, EVP_rc5_32_12_16_ofb \&\- EVP RC5 cipher
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_CIPHER *EVP_rc5_32_12_16_cbc(void)
\& const EVP_CIPHER *EVP_rc5_32_12_16_cfb(void)
\& const EVP_CIPHER *EVP_rc5_32_12_16_cfb64(void)
\& const EVP_CIPHER *EVP_rc5_32_12_16_ecb(void)
\& const EVP_CIPHER *EVP_rc5_32_12_16_ofb(void)
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1RC5\s0 encryption algorithm for \s-1EVP.\s0
.IP "\fBEVP_rc5_32_12_16_cbc()\fR, \fBEVP_rc5_32_12_16_cfb()\fR, \fBEVP_rc5_32_12_16_cfb64()\fR, \fBEVP_rc5_32_12_16_ecb()\fR, \fBEVP_rc5_32_12_16_ofb()\fR" 4
.IX Item "EVP_rc5_32_12_16_cbc(), EVP_rc5_32_12_16_cfb(), EVP_rc5_32_12_16_cfb64(), EVP_rc5_32_12_16_ecb(), EVP_rc5_32_12_16_ofb()"
\&\s-1RC5\s0 encryption algorithm in \s-1CBC, CFB, ECB\s0 and \s-1OFB\s0 modes respectively. This is a
variable key length cipher with an additional \*(L"number of rounds\*(R" parameter. By
default the key length is set to 128 bits and 12 rounds. Alternative key lengths
can be set using \fBEVP_CIPHER_CTX_set_key_length\fR\|(3). The maximum key length is
2040 bits.
.Sp
The following rc5 specific \fIctrl\fRs are supported (see
\&\fBEVP_CIPHER_CTX_ctrl\fR\|(3)).
.RS 4
.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_SET_RC5_ROUNDS,\s0 rounds, \s-1NULL\s0)" 4
.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC5_ROUNDS, rounds, NULL)"
Sets the number of rounds to \fBrounds\fR. This must be one of \s-1RC5_8_ROUNDS,
RC5_12_ROUNDS\s0 or \s-1RC5_16_ROUNDS.\s0
.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_GET_RC5_ROUNDS, 0,\s0 &rounds)" 4
.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_RC5_ROUNDS, 0, &rounds)"
Stores the number of rounds currently configured in \fB*rounds\fR where \fB*rounds\fR
is an int.
.RE
.RS 4
.RE
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
details of the \fB\s-1EVP_CIPHER\s0\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_ripemd160.3 b/secure/lib/libcrypto/man/man3/EVP_ripemd160.3
index f6611725052d..7e2bd74633a3 100644
--- a/secure/lib/libcrypto/man/man3/EVP_ripemd160.3
+++ b/secure/lib/libcrypto/man/man3/EVP_ripemd160.3
@@ -1,176 +1,176 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_RIPEMD160 3"
-.TH EVP_RIPEMD160 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_RIPEMD160 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_ripemd160 \&\- RIPEMD160 For EVP
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_MD *EVP_ripemd160(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\s-1RIPEMD\-160\s0 is a cryptographic hash function first published in 1996 belonging
to the \s-1RIPEMD\s0 family (\s-1RACE\s0 Integrity Primitives Evaluation Message Digest).
.IP "\fBEVP_ripemd160()\fR" 4
.IX Item "EVP_ripemd160()"
The \s-1RIPEMD\-160\s0 algorithm which produces a 160\-bit output from a given input.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_MD_meth_new\fR\|(3) for
details of the \fB\s-1EVP_MD\s0\fR structure.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
\&\s-1ISO/IEC 10118\-3:2016\s0 Dedicated Hash-Function 1 (\s-1RIPEMD\-160\s0).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_DigestInit\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_seed_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_seed_cbc.3
index 91aa180acb1b..ef1919efed63 100644
--- a/secure/lib/libcrypto/man/man3/EVP_seed_cbc.3
+++ b/secure/lib/libcrypto/man/man3/EVP_seed_cbc.3
@@ -1,179 +1,179 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_SEED_CBC 3"
-.TH EVP_SEED_CBC 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_SEED_CBC 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_seed_cbc, EVP_seed_cfb, EVP_seed_cfb128, EVP_seed_ecb, EVP_seed_ofb \&\- EVP SEED cipher
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_CIPHER *EVP_seed_cbc(void)
\& const EVP_CIPHER *EVP_seed_cfb(void)
\& const EVP_CIPHER *EVP_seed_cfb128(void)
\& const EVP_CIPHER *EVP_seed_ecb(void)
\& const EVP_CIPHER *EVP_seed_ofb(void)
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1SEED\s0 encryption algorithm for \s-1EVP.\s0
.PP
All modes below use a key length of 128 bits and acts on blocks of 128\-bits.
.IP "\fBEVP_seed_cbc()\fR, \fBEVP_seed_cfb()\fR, \fBEVP_seed_cfb128()\fR, \fBEVP_seed_ecb()\fR, \fBEVP_seed_ofb()\fR" 4
.IX Item "EVP_seed_cbc(), EVP_seed_cfb(), EVP_seed_cfb128(), EVP_seed_ecb(), EVP_seed_ofb()"
The \s-1SEED\s0 encryption algorithm in \s-1CBC, CFB, ECB\s0 and \s-1OFB\s0 modes respectively.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
details of the \fB\s-1EVP_CIPHER\s0\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_sha1.3 b/secure/lib/libcrypto/man/man3/EVP_sha1.3
index 6fbaec568196..0fe169442d3d 100644
--- a/secure/lib/libcrypto/man/man3/EVP_sha1.3
+++ b/secure/lib/libcrypto/man/man3/EVP_sha1.3
@@ -1,177 +1,177 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_SHA1 3"
-.TH EVP_SHA1 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_SHA1 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_sha1 \&\- SHA\-1 For EVP
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_MD *EVP_sha1(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\s-1SHA\-1\s0 (Secure Hash Algorithm 1) is a cryptographic hash function standardized
in \s-1NIST FIPS 180\-4.\s0 The algorithm was designed by the United States National
Security Agency and initially published in 1995.
.IP "\fBEVP_sha1()\fR" 4
.IX Item "EVP_sha1()"
The \s-1SHA\-1\s0 algorithm which produces a 160\-bit output from a given input.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_MD_meth_new\fR\|(3) for
details of the \fB\s-1EVP_MD\s0\fR structure.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
\&\s-1NIST FIPS 180\-4.\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_DigestInit\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_sha224.3 b/secure/lib/libcrypto/man/man3/EVP_sha224.3
index 509d78e2ce0d..44b0629ec1af 100644
--- a/secure/lib/libcrypto/man/man3/EVP_sha224.3
+++ b/secure/lib/libcrypto/man/man3/EVP_sha224.3
@@ -1,187 +1,187 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_SHA224 3"
-.TH EVP_SHA224 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_SHA224 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_sha224, EVP_sha256, EVP_sha512_224, EVP_sha512_256, EVP_sha384, EVP_sha512 \&\- SHA\-2 For EVP
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_MD *EVP_sha224(void);
\& const EVP_MD *EVP_sha256(void);
\& const EVP_MD *EVP_sha512_224(void);
\& const EVP_MD *EVP_sha512_256(void);
\& const EVP_MD *EVP_sha384(void);
\& const EVP_MD *EVP_sha512(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\s-1SHA\-2\s0 (Secure Hash Algorithm 2) is a family of cryptographic hash functions
standardized in \s-1NIST FIPS 180\-4,\s0 first published in 2001.
.IP "\fBEVP_sha224()\fR, \fBEVP_sha256()\fR, EVP_sha512_224, EVP_sha512_256, \fBEVP_sha384()\fR, \fBEVP_sha512()\fR" 4
.IX Item "EVP_sha224(), EVP_sha256(), EVP_sha512_224, EVP_sha512_256, EVP_sha384(), EVP_sha512()"
The \s-1SHA\-2 SHA\-224, SHA\-256, SHA\-512/224, SHA512/256, SHA\-384\s0 and \s-1SHA\-512\s0
algorithms, which generate 224, 256, 224, 256, 384 and 512 bits
respectively of output from a given input.
.Sp
The two algorithms: \s-1SHA\-512/224\s0 and \s-1SHA512/256\s0 are truncated forms of the
\&\s-1SHA\-512\s0 algorithm. They are distinct from \s-1SHA\-224\s0 and \s-1SHA\-256\s0 even though
their outputs are of the same size.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_MD_meth_new\fR\|(3) for
details of the \fB\s-1EVP_MD\s0\fR structure.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
\&\s-1NIST FIPS 180\-4.\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_DigestInit\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_sha3_224.3 b/secure/lib/libcrypto/man/man3/EVP_sha3_224.3
index c5a7af48a98f..a515f34aaf0b 100644
--- a/secure/lib/libcrypto/man/man3/EVP_sha3_224.3
+++ b/secure/lib/libcrypto/man/man3/EVP_sha3_224.3
@@ -1,192 +1,192 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_SHA3_224 3"
-.TH EVP_SHA3_224 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_SHA3_224 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_sha3_224, EVP_sha3_256, EVP_sha3_384, EVP_sha3_512, EVP_shake128, EVP_shake256 \&\- SHA\-3 For EVP
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_MD *EVP_sha3_224(void);
\& const EVP_MD *EVP_sha3_256(void);
\& const EVP_MD *EVP_sha3_384(void);
\& const EVP_MD *EVP_sha3_512(void);
\&
\& const EVP_MD *EVP_shake128(void);
\& const EVP_MD *EVP_shake256(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\s-1SHA\-3\s0 (Secure Hash Algorithm 3) is a family of cryptographic hash functions
standardized in \s-1NIST FIPS 202,\s0 first published in 2015. It is based on the
Keccak algorithm.
.IP "\fBEVP_sha3_224()\fR, \fBEVP_sha3_256()\fR, \fBEVP_sha3_384()\fR, \fBEVP_sha3_512()\fR" 4
.IX Item "EVP_sha3_224(), EVP_sha3_256(), EVP_sha3_384(), EVP_sha3_512()"
The \s-1SHA\-3 SHA\-3\-224, SHA\-3\-256, SHA\-3\-384,\s0 and \s-1SHA\-3\-512\s0 algorithms
respectively. They produce 224, 256, 384 and 512 bits of output from a given
input.
.IP "\fBEVP_shake128()\fR, \fBEVP_shake256()\fR" 4
.IX Item "EVP_shake128(), EVP_shake256()"
The \s-1SHAKE\-128\s0 and \s-1SHAKE\-256\s0 Extendable Output Functions (\s-1XOF\s0) that can generate
a variable hash length.
.Sp
Specifically, \fBEVP_shake128\fR provides an overall security of 128 bits, while
\&\fBEVP_shake256\fR provides that of 256 bits.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_MD_meth_new\fR\|(3) for
details of the \fB\s-1EVP_MD\s0\fR structure.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
\&\s-1NIST FIPS 202.\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_DigestInit\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_sm3.3 b/secure/lib/libcrypto/man/man3/EVP_sm3.3
index e5d750fc71f1..ee979573e62a 100644
--- a/secure/lib/libcrypto/man/man3/EVP_sm3.3
+++ b/secure/lib/libcrypto/man/man3/EVP_sm3.3
@@ -1,177 +1,177 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_SM3 3"
-.TH EVP_SM3 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_SM3 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_sm3 \&\- SM3 for EVP
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_MD *EVP_sm3(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\s-1SM3\s0 is a cryptographic hash function with a 256\-bit output, defined in \s-1GB/T
32905\-2016.\s0
.IP "\fBEVP_sm3()\fR" 4
.IX Item "EVP_sm3()"
The \s-1SM3\s0 hash function.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_MD_meth_new\fR\|(3) for
details of the \fB\s-1EVP_MD\s0\fR structure.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
\&\s-1GB/T 32905\-2016\s0 and \s-1GM/T 0004\-2012.\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_DigestInit\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2017 Ribose Inc. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_sm4_cbc.3 b/secure/lib/libcrypto/man/man3/EVP_sm4_cbc.3
index eb7d4a3648dc..44ece92f8cee 100644
--- a/secure/lib/libcrypto/man/man3/EVP_sm4_cbc.3
+++ b/secure/lib/libcrypto/man/man3/EVP_sm4_cbc.3
@@ -1,182 +1,182 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_SM4_CBC 3"
-.TH EVP_SM4_CBC 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_SM4_CBC 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_sm4_cbc, EVP_sm4_ecb, EVP_sm4_cfb, EVP_sm4_cfb128, EVP_sm4_ofb, EVP_sm4_ctr \&\- EVP SM4 cipher
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_CIPHER *EVP_sm4_cbc(void);
\& const EVP_CIPHER *EVP_sm4_ecb(void);
\& const EVP_CIPHER *EVP_sm4_cfb(void);
\& const EVP_CIPHER *EVP_sm4_cfb128(void);
\& const EVP_CIPHER *EVP_sm4_ofb(void);
\& const EVP_CIPHER *EVP_sm4_ctr(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1SM4\s0 blockcipher (\s-1GB/T 32907\-2016\s0) for \s-1EVP.\s0
.PP
All modes below use a key length of 128 bits and acts on blocks of 128 bits.
.IP "\fBEVP_sm4_cbc()\fR, \fBEVP_sm4_ecb()\fR, \fBEVP_sm4_cfb()\fR, \fBEVP_sm4_cfb128()\fR, \fBEVP_sm4_ofb()\fR, \fBEVP_sm4_ctr()\fR" 4
.IX Item "EVP_sm4_cbc(), EVP_sm4_ecb(), EVP_sm4_cfb(), EVP_sm4_cfb128(), EVP_sm4_ofb(), EVP_sm4_ctr()"
The \s-1SM4\s0 blockcipher with a 128\-bit key in \s-1CBC, ECB, CFB, OFB\s0 and \s-1CTR\s0 modes
respectively.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return a \fB\s-1EVP_CIPHER\s0\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_CIPHER_meth_new\fR\|(3) for
details of the \fB\s-1EVP_CIPHER\s0\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_CIPHER_meth_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2017 Ribose Inc. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/EVP_whirlpool.3 b/secure/lib/libcrypto/man/man3/EVP_whirlpool.3
index 8a62ac3b3be7..3967e0748e61 100644
--- a/secure/lib/libcrypto/man/man3/EVP_whirlpool.3
+++ b/secure/lib/libcrypto/man/man3/EVP_whirlpool.3
@@ -1,177 +1,177 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP_WHIRLPOOL 3"
-.TH EVP_WHIRLPOOL 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP_WHIRLPOOL 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
EVP_whirlpool \&\- WHIRLPOOL For EVP
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& const EVP_MD *EVP_whirlpool(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\s-1WHIRLPOOL\s0 is a cryptographic hash function standardized in \s-1ISO/IEC 10118\-3:2004\s0
designed by Vincent Rijmen and Paulo S. L. M. Barreto.
.IP "\fBEVP_whirlpool()\fR" 4
.IX Item "EVP_whirlpool()"
The \s-1WHIRLPOOL\s0 algorithm that produces a message digest of 512\-bits from a given
input.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the
implementation of the symmetric cipher. See \fBEVP_MD_meth_new\fR\|(3) for
details of the \fB\s-1EVP_MD\s0\fR structure.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
\&\s-1ISO/IEC 10118\-3:2004.\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBEVP_DigestInit\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/HMAC.3 b/secure/lib/libcrypto/man/man3/HMAC.3
index 6bbaf778add6..7d0372e57b53 100644
--- a/secure/lib/libcrypto/man/man3/HMAC.3
+++ b/secure/lib/libcrypto/man/man3/HMAC.3
@@ -1,279 +1,279 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "HMAC 3"
-.TH HMAC 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH HMAC 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
HMAC, HMAC_CTX_new, HMAC_CTX_reset, HMAC_CTX_free, HMAC_Init, HMAC_Init_ex, HMAC_Update, HMAC_Final, HMAC_CTX_copy, HMAC_CTX_set_flags, HMAC_CTX_get_md, HMAC_size \&\- HMAC message authentication code
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/hmac.h>
\&
\& unsigned char *HMAC(const EVP_MD *evp_md, const void *key,
\& int key_len, const unsigned char *d, size_t n,
\& unsigned char *md, unsigned int *md_len);
\&
\& HMAC_CTX *HMAC_CTX_new(void);
\& int HMAC_CTX_reset(HMAC_CTX *ctx);
\&
\& int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int key_len,
\& const EVP_MD *md, ENGINE *impl);
\& int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len);
\& int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
\&
\& void HMAC_CTX_free(HMAC_CTX *ctx);
\&
\& int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx);
\& void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags);
\& const EVP_MD *HMAC_CTX_get_md(const HMAC_CTX *ctx);
\&
\& size_t HMAC_size(const HMAC_CTX *e);
.Ve
.PP
Deprecated:
.PP
.Vb 4
\& #if OPENSSL_API_COMPAT < 0x10100000L
\& int HMAC_Init(HMAC_CTX *ctx, const void *key, int key_len,
\& const EVP_MD *md);
\& #endif
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\s-1HMAC\s0 is a \s-1MAC\s0 (message authentication code), i.e. a keyed hash
function used for message authentication, which is based on a hash
function.
.PP
\&\s-1\fBHMAC\s0()\fR computes the message authentication code of the \fBn\fR bytes at
\&\fBd\fR using the hash function \fBevp_md\fR and the key \fBkey\fR which is
\&\fBkey_len\fR bytes long.
.PP
It places the result in \fBmd\fR (which must have space for the output of
the hash function, which is no more than \fB\s-1EVP_MAX_MD_SIZE\s0\fR bytes).
If \fBmd\fR is \s-1NULL,\s0 the digest is placed in a static array. The size of
the output is placed in \fBmd_len\fR, unless it is \fB\s-1NULL\s0\fR. Note: passing a \s-1NULL\s0
value for \fBmd\fR to use the static array is not thread safe.
.PP
\&\fBevp_md\fR is a message digest such as \fBEVP_sha1()\fR, \fBEVP_ripemd160()\fR etc. \s-1HMAC\s0 does
not support variable output length digests such as \fBEVP_shake128()\fR and
\&\fBEVP_shake256()\fR.
.PP
\&\fBHMAC_CTX_new()\fR creates a new \s-1HMAC_CTX\s0 in heap memory.
.PP
\&\fBHMAC_CTX_reset()\fR zeros an existing \fB\s-1HMAC_CTX\s0\fR and associated
resources, making it suitable for new computations as if it was newly
created with \fBHMAC_CTX_new()\fR.
.PP
\&\fBHMAC_CTX_free()\fR erases the key and other data from the \fB\s-1HMAC_CTX\s0\fR,
releases any associated resources and finally frees the \fB\s-1HMAC_CTX\s0\fR
itself.
.PP
The following functions may be used if the message is not completely
stored in memory:
.PP
\&\fBHMAC_Init_ex()\fR initializes or reuses a \fB\s-1HMAC_CTX\s0\fR structure to use the hash
function \fBevp_md\fR and key \fBkey\fR. If both are \s-1NULL,\s0 or if \fBkey\fR is \s-1NULL\s0
and \fBevp_md\fR is the same as the previous call, then the
existing key is
reused. \fBctx\fR must have been created with \fBHMAC_CTX_new()\fR before the first use
of an \fB\s-1HMAC_CTX\s0\fR in this function.
.PP
If \fBHMAC_Init_ex()\fR is called with \fBkey\fR \s-1NULL\s0 and \fBevp_md\fR is not the
same as the previous digest used by \fBctx\fR then an error is returned
because reuse of an existing key with a different digest is not supported.
.PP
\&\fBHMAC_Init()\fR initializes a \fB\s-1HMAC_CTX\s0\fR structure to use the hash
function \fBevp_md\fR and the key \fBkey\fR which is \fBkey_len\fR bytes
long.
.PP
\&\fBHMAC_Update()\fR can be called repeatedly with chunks of the message to
be authenticated (\fBlen\fR bytes at \fBdata\fR).
.PP
\&\fBHMAC_Final()\fR places the message authentication code in \fBmd\fR, which
must have space for the hash function output.
.PP
\&\fBHMAC_CTX_copy()\fR copies all of the internal state from \fBsctx\fR into \fBdctx\fR.
.PP
\&\fBHMAC_CTX_set_flags()\fR applies the specified flags to the internal EVP_MD_CTXs.
These flags have the same meaning as for \fBEVP_MD_CTX_set_flags\fR\|(3).
.PP
\&\fBHMAC_CTX_get_md()\fR returns the \s-1EVP_MD\s0 that has previously been set for the
supplied \s-1HMAC_CTX.\s0
.PP
\&\fBHMAC_size()\fR returns the length in bytes of the underlying hash function output.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\s-1\fBHMAC\s0()\fR returns a pointer to the message authentication code or \s-1NULL\s0 if
an error occurred.
.PP
\&\fBHMAC_CTX_new()\fR returns a pointer to a new \fB\s-1HMAC_CTX\s0\fR on success or
\&\fB\s-1NULL\s0\fR if an error occurred.
.PP
\&\fBHMAC_CTX_reset()\fR, \fBHMAC_Init_ex()\fR, \fBHMAC_Update()\fR, \fBHMAC_Final()\fR and
\&\fBHMAC_CTX_copy()\fR return 1 for success or 0 if an error occurred.
.PP
\&\fBHMAC_CTX_get_md()\fR return the \s-1EVP_MD\s0 previously set for the supplied \s-1HMAC_CTX\s0 or
\&\s-1NULL\s0 if no \s-1EVP_MD\s0 has been set.
.PP
\&\fBHMAC_size()\fR returns the length in bytes of the underlying hash function output
or zero on error.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
\&\s-1RFC 2104\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\s-1\fBSHA1\s0\fR\|(3), \fBevp\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBHMAC_CTX_init()\fR was replaced with \fBHMAC_CTX_reset()\fR in OpenSSL 1.1.0.
.PP
\&\fBHMAC_CTX_cleanup()\fR existed in OpenSSL before version 1.1.0.
.PP
\&\fBHMAC_CTX_new()\fR, \fBHMAC_CTX_free()\fR and \fBHMAC_CTX_get_md()\fR are new in OpenSSL 1.1.0.
.PP
\&\fBHMAC_Init_ex()\fR, \fBHMAC_Update()\fR and \fBHMAC_Final()\fR did not return values in
OpenSSL before version 1.0.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/MD5.3 b/secure/lib/libcrypto/man/man3/MD5.3
index 6b569351e4e7..9e05cb0a5809 100644
--- a/secure/lib/libcrypto/man/man3/MD5.3
+++ b/secure/lib/libcrypto/man/man3/MD5.3
@@ -1,224 +1,224 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "MD5 3"
-.TH MD5 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH MD5 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
MD2, MD4, MD5, MD2_Init, MD2_Update, MD2_Final, MD4_Init, MD4_Update, MD4_Final, MD5_Init, MD5_Update, MD5_Final \- MD2, MD4, and MD5 hash functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/md2.h>
\&
\& unsigned char *MD2(const unsigned char *d, unsigned long n, unsigned char *md);
\&
\& int MD2_Init(MD2_CTX *c);
\& int MD2_Update(MD2_CTX *c, const unsigned char *data, unsigned long len);
\& int MD2_Final(unsigned char *md, MD2_CTX *c);
\&
\&
\& #include <openssl/md4.h>
\&
\& unsigned char *MD4(const unsigned char *d, unsigned long n, unsigned char *md);
\&
\& int MD4_Init(MD4_CTX *c);
\& int MD4_Update(MD4_CTX *c, const void *data, unsigned long len);
\& int MD4_Final(unsigned char *md, MD4_CTX *c);
\&
\&
\& #include <openssl/md5.h>
\&
\& unsigned char *MD5(const unsigned char *d, unsigned long n, unsigned char *md);
\&
\& int MD5_Init(MD5_CTX *c);
\& int MD5_Update(MD5_CTX *c, const void *data, unsigned long len);
\& int MD5_Final(unsigned char *md, MD5_CTX *c);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\s-1MD2, MD4,\s0 and \s-1MD5\s0 are cryptographic hash functions with a 128 bit output.
.PP
\&\s-1\fBMD2\s0()\fR, \s-1\fBMD4\s0()\fR, and \s-1\fBMD5\s0()\fR compute the \s-1MD2, MD4,\s0 and \s-1MD5\s0 message digest
of the \fBn\fR bytes at \fBd\fR and place it in \fBmd\fR (which must have space
for \s-1MD2_DIGEST_LENGTH\s0 == \s-1MD4_DIGEST_LENGTH\s0 == \s-1MD5_DIGEST_LENGTH\s0 == 16
bytes of output). If \fBmd\fR is \s-1NULL,\s0 the digest is placed in a static
array.
.PP
The following functions may be used if the message is not completely
stored in memory:
.PP
\&\fBMD2_Init()\fR initializes a \fB\s-1MD2_CTX\s0\fR structure.
.PP
\&\fBMD2_Update()\fR can be called repeatedly with chunks of the message to
be hashed (\fBlen\fR bytes at \fBdata\fR).
.PP
\&\fBMD2_Final()\fR places the message digest in \fBmd\fR, which must have space
for \s-1MD2_DIGEST_LENGTH\s0 == 16 bytes of output, and erases the \fB\s-1MD2_CTX\s0\fR.
.PP
\&\fBMD4_Init()\fR, \fBMD4_Update()\fR, \fBMD4_Final()\fR, \fBMD5_Init()\fR, \fBMD5_Update()\fR, and
\&\fBMD5_Final()\fR are analogous using an \fB\s-1MD4_CTX\s0\fR and \fB\s-1MD5_CTX\s0\fR structure.
.PP
Applications should use the higher level functions
\&\fBEVP_DigestInit\fR\|(3)
etc. instead of calling the hash functions directly.
.SH "NOTE"
.IX Header "NOTE"
\&\s-1MD2, MD4,\s0 and \s-1MD5\s0 are recommended only for compatibility with existing
applications. In new applications, \s-1SHA\-1\s0 or \s-1RIPEMD\-160\s0 should be
preferred.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\s-1\fBMD2\s0()\fR, \s-1\fBMD4\s0()\fR, and \s-1\fBMD5\s0()\fR return pointers to the hash value.
.PP
\&\fBMD2_Init()\fR, \fBMD2_Update()\fR, \fBMD2_Final()\fR, \fBMD4_Init()\fR, \fBMD4_Update()\fR,
\&\fBMD4_Final()\fR, \fBMD5_Init()\fR, \fBMD5_Update()\fR, and \fBMD5_Final()\fR return 1 for
success, 0 otherwise.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
\&\s-1RFC 1319, RFC 1320, RFC 1321\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_DigestInit\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/MDC2_Init.3 b/secure/lib/libcrypto/man/man3/MDC2_Init.3
index c30de64a61d3..c42e4d9ee382 100644
--- a/secure/lib/libcrypto/man/man3/MDC2_Init.3
+++ b/secure/lib/libcrypto/man/man3/MDC2_Init.3
@@ -1,199 +1,199 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "MDC2_INIT 3"
-.TH MDC2_INIT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH MDC2_INIT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
MDC2, MDC2_Init, MDC2_Update, MDC2_Final \- MDC2 hash function
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/mdc2.h>
\&
\& unsigned char *MDC2(const unsigned char *d, unsigned long n,
\& unsigned char *md);
\&
\& int MDC2_Init(MDC2_CTX *c);
\& int MDC2_Update(MDC2_CTX *c, const unsigned char *data,
\& unsigned long len);
\& int MDC2_Final(unsigned char *md, MDC2_CTX *c);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\s-1MDC2\s0 is a method to construct hash functions with 128 bit output from
block ciphers. These functions are an implementation of \s-1MDC2\s0 with
\&\s-1DES.\s0
.PP
\&\s-1\fBMDC2\s0()\fR computes the \s-1MDC2\s0 message digest of the \fBn\fR
bytes at \fBd\fR and places it in \fBmd\fR (which must have space for
\&\s-1MDC2_DIGEST_LENGTH\s0 == 16 bytes of output). If \fBmd\fR is \s-1NULL,\s0 the digest
is placed in a static array.
.PP
The following functions may be used if the message is not completely
stored in memory:
.PP
\&\fBMDC2_Init()\fR initializes a \fB\s-1MDC2_CTX\s0\fR structure.
.PP
\&\fBMDC2_Update()\fR can be called repeatedly with chunks of the message to
be hashed (\fBlen\fR bytes at \fBdata\fR).
.PP
\&\fBMDC2_Final()\fR places the message digest in \fBmd\fR, which must have space
for \s-1MDC2_DIGEST_LENGTH\s0 == 16 bytes of output, and erases the \fB\s-1MDC2_CTX\s0\fR.
.PP
Applications should use the higher level functions
\&\fBEVP_DigestInit\fR\|(3) etc. instead of calling the
hash functions directly.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\s-1\fBMDC2\s0()\fR returns a pointer to the hash value.
.PP
\&\fBMDC2_Init()\fR, \fBMDC2_Update()\fR and \fBMDC2_Final()\fR return 1 for success, 0 otherwise.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
\&\s-1ISO/IEC 10118\-2:2000\s0 Hash-Function 2, with \s-1DES\s0 as the underlying block cipher.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_DigestInit\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/Makefile b/secure/lib/libcrypto/man/man3/Makefile
index ccf42c0774f5..c50f9b2c5e63 100644
--- a/secure/lib/libcrypto/man/man3/Makefile
+++ b/secure/lib/libcrypto/man/man3/Makefile
@@ -1,3857 +1,3861 @@
# $FreeBSD$
MAN+= ADMISSIONS.3
MAN+= ASN1_INTEGER_get_int64.3
MAN+= ASN1_ITEM_lookup.3
MAN+= ASN1_OBJECT_new.3
MAN+= ASN1_STRING_TABLE_add.3
MAN+= ASN1_STRING_length.3
MAN+= ASN1_STRING_new.3
MAN+= ASN1_STRING_print_ex.3
MAN+= ASN1_TIME_set.3
MAN+= ASN1_TYPE_get.3
MAN+= ASN1_generate_nconf.3
MAN+= ASYNC_WAIT_CTX_new.3
MAN+= ASYNC_start_job.3
MAN+= BF_encrypt.3
MAN+= BIO_ADDR.3
MAN+= BIO_ADDRINFO.3
MAN+= BIO_connect.3
MAN+= BIO_ctrl.3
MAN+= BIO_f_base64.3
MAN+= BIO_f_buffer.3
MAN+= BIO_f_cipher.3
MAN+= BIO_f_md.3
MAN+= BIO_f_null.3
MAN+= BIO_f_ssl.3
MAN+= BIO_find_type.3
MAN+= BIO_get_data.3
MAN+= BIO_get_ex_new_index.3
MAN+= BIO_meth_new.3
MAN+= BIO_new.3
MAN+= BIO_new_CMS.3
MAN+= BIO_parse_hostserv.3
MAN+= BIO_printf.3
MAN+= BIO_push.3
MAN+= BIO_read.3
MAN+= BIO_s_accept.3
MAN+= BIO_s_bio.3
MAN+= BIO_s_connect.3
MAN+= BIO_s_fd.3
MAN+= BIO_s_file.3
MAN+= BIO_s_mem.3
MAN+= BIO_s_null.3
MAN+= BIO_s_socket.3
MAN+= BIO_set_callback.3
MAN+= BIO_should_retry.3
MAN+= BN_BLINDING_new.3
MAN+= BN_CTX_new.3
MAN+= BN_CTX_start.3
MAN+= BN_add.3
MAN+= BN_add_word.3
MAN+= BN_bn2bin.3
MAN+= BN_cmp.3
MAN+= BN_copy.3
MAN+= BN_generate_prime.3
MAN+= BN_mod_inverse.3
MAN+= BN_mod_mul_montgomery.3
MAN+= BN_mod_mul_reciprocal.3
MAN+= BN_new.3
MAN+= BN_num_bytes.3
MAN+= BN_rand.3
MAN+= BN_security_bits.3
MAN+= BN_set_bit.3
MAN+= BN_swap.3
MAN+= BN_zero.3
MAN+= BUF_MEM_new.3
MAN+= CMS_add0_cert.3
MAN+= CMS_add1_recipient_cert.3
MAN+= CMS_add1_signer.3
MAN+= CMS_compress.3
MAN+= CMS_decrypt.3
MAN+= CMS_encrypt.3
MAN+= CMS_final.3
MAN+= CMS_get0_RecipientInfos.3
MAN+= CMS_get0_SignerInfos.3
MAN+= CMS_get0_type.3
MAN+= CMS_get1_ReceiptRequest.3
MAN+= CMS_sign.3
MAN+= CMS_sign_receipt.3
MAN+= CMS_uncompress.3
MAN+= CMS_verify.3
MAN+= CMS_verify_receipt.3
MAN+= CONF_modules_free.3
MAN+= CONF_modules_load_file.3
MAN+= CRYPTO_THREAD_run_once.3
MAN+= CRYPTO_get_ex_new_index.3
MAN+= CRYPTO_memcmp.3
MAN+= CTLOG_STORE_get0_log_by_id.3
MAN+= CTLOG_STORE_new.3
MAN+= CTLOG_new.3
MAN+= CT_POLICY_EVAL_CTX_new.3
MAN+= DEFINE_STACK_OF.3
MAN+= DES_random_key.3
MAN+= DH_generate_key.3
MAN+= DH_generate_parameters.3
MAN+= DH_get0_pqg.3
MAN+= DH_get_1024_160.3
MAN+= DH_meth_new.3
MAN+= DH_new.3
MAN+= DH_new_by_nid.3
MAN+= DH_set_method.3
MAN+= DH_size.3
MAN+= DSA_SIG_new.3
MAN+= DSA_do_sign.3
MAN+= DSA_dup_DH.3
MAN+= DSA_generate_key.3
MAN+= DSA_generate_parameters.3
MAN+= DSA_get0_pqg.3
MAN+= DSA_meth_new.3
MAN+= DSA_new.3
MAN+= DSA_set_method.3
MAN+= DSA_sign.3
MAN+= DSA_size.3
MAN+= DTLS_get_data_mtu.3
MAN+= DTLS_set_timer_cb.3
MAN+= DTLSv1_listen.3
MAN+= ECDSA_SIG_new.3
MAN+= ECPKParameters_print.3
MAN+= EC_GFp_simple_method.3
MAN+= EC_GROUP_copy.3
MAN+= EC_GROUP_new.3
MAN+= EC_KEY_get_enc_flags.3
MAN+= EC_KEY_new.3
MAN+= EC_POINT_add.3
MAN+= EC_POINT_new.3
MAN+= ENGINE_add.3
MAN+= ERR_GET_LIB.3
MAN+= ERR_clear_error.3
MAN+= ERR_error_string.3
MAN+= ERR_get_error.3
MAN+= ERR_load_crypto_strings.3
MAN+= ERR_load_strings.3
MAN+= ERR_print_errors.3
MAN+= ERR_put_error.3
MAN+= ERR_remove_state.3
MAN+= ERR_set_mark.3
MAN+= EVP_BytesToKey.3
MAN+= EVP_CIPHER_CTX_get_cipher_data.3
MAN+= EVP_CIPHER_meth_new.3
MAN+= EVP_DigestInit.3
MAN+= EVP_DigestSignInit.3
MAN+= EVP_DigestVerifyInit.3
MAN+= EVP_EncodeInit.3
MAN+= EVP_EncryptInit.3
MAN+= EVP_MD_meth_new.3
MAN+= EVP_OpenInit.3
MAN+= EVP_PKEY_ASN1_METHOD.3
MAN+= EVP_PKEY_CTX_ctrl.3
MAN+= EVP_PKEY_CTX_new.3
MAN+= EVP_PKEY_CTX_set1_pbe_pass.3
MAN+= EVP_PKEY_CTX_set_hkdf_md.3
MAN+= EVP_PKEY_CTX_set_rsa_pss_keygen_md.3
MAN+= EVP_PKEY_CTX_set_scrypt_N.3
MAN+= EVP_PKEY_CTX_set_tls1_prf_md.3
MAN+= EVP_PKEY_asn1_get_count.3
MAN+= EVP_PKEY_cmp.3
MAN+= EVP_PKEY_decrypt.3
MAN+= EVP_PKEY_derive.3
MAN+= EVP_PKEY_encrypt.3
MAN+= EVP_PKEY_get_default_digest_nid.3
MAN+= EVP_PKEY_keygen.3
MAN+= EVP_PKEY_meth_get_count.3
MAN+= EVP_PKEY_meth_new.3
MAN+= EVP_PKEY_new.3
MAN+= EVP_PKEY_print_private.3
MAN+= EVP_PKEY_set1_RSA.3
MAN+= EVP_PKEY_sign.3
MAN+= EVP_PKEY_size.3
MAN+= EVP_PKEY_verify.3
MAN+= EVP_PKEY_verify_recover.3
MAN+= EVP_SealInit.3
MAN+= EVP_SignInit.3
MAN+= EVP_VerifyInit.3
MAN+= EVP_aes.3
MAN+= EVP_aria.3
MAN+= EVP_bf_cbc.3
MAN+= EVP_blake2b512.3
MAN+= EVP_camellia.3
MAN+= EVP_cast5_cbc.3
MAN+= EVP_chacha20.3
MAN+= EVP_des.3
MAN+= EVP_desx_cbc.3
MAN+= EVP_idea_cbc.3
MAN+= EVP_md2.3
MAN+= EVP_md4.3
MAN+= EVP_md5.3
MAN+= EVP_mdc2.3
MAN+= EVP_rc2_cbc.3
MAN+= EVP_rc4.3
MAN+= EVP_rc5_32_12_16_cbc.3
MAN+= EVP_ripemd160.3
MAN+= EVP_seed_cbc.3
MAN+= EVP_sha1.3
MAN+= EVP_sha224.3
MAN+= EVP_sha3_224.3
MAN+= EVP_sm3.3
MAN+= EVP_sm4_cbc.3
MAN+= EVP_whirlpool.3
MAN+= HMAC.3
MAN+= MD5.3
MAN+= MDC2_Init.3
MAN+= OBJ_nid2obj.3
MAN+= OCSP_REQUEST_new.3
MAN+= OCSP_cert_to_id.3
MAN+= OCSP_request_add1_nonce.3
MAN+= OCSP_resp_find_status.3
MAN+= OCSP_response_status.3
MAN+= OCSP_sendreq_new.3
MAN+= OPENSSL_Applink.3
MAN+= OPENSSL_LH_COMPFUNC.3
MAN+= OPENSSL_LH_stats.3
MAN+= OPENSSL_VERSION_NUMBER.3
MAN+= OPENSSL_config.3
MAN+= OPENSSL_fork_prepare.3
MAN+= OPENSSL_ia32cap.3
MAN+= OPENSSL_init_crypto.3
MAN+= OPENSSL_init_ssl.3
MAN+= OPENSSL_instrument_bus.3
MAN+= OPENSSL_load_builtin_modules.3
MAN+= OPENSSL_malloc.3
MAN+= OPENSSL_secure_malloc.3
MAN+= OSSL_STORE_INFO.3
MAN+= OSSL_STORE_LOADER.3
MAN+= OSSL_STORE_SEARCH.3
MAN+= OSSL_STORE_expect.3
MAN+= OSSL_STORE_open.3
MAN+= OpenSSL_add_all_algorithms.3
MAN+= PEM_bytes_read_bio.3
MAN+= PEM_read.3
MAN+= PEM_read_CMS.3
MAN+= PEM_read_bio_PrivateKey.3
MAN+= PEM_read_bio_ex.3
MAN+= PEM_write_bio_CMS_stream.3
MAN+= PEM_write_bio_PKCS7_stream.3
MAN+= PKCS12_create.3
MAN+= PKCS12_newpass.3
MAN+= PKCS12_parse.3
MAN+= PKCS5_PBKDF2_HMAC.3
MAN+= PKCS7_decrypt.3
MAN+= PKCS7_encrypt.3
MAN+= PKCS7_sign.3
MAN+= PKCS7_sign_add_signer.3
MAN+= PKCS7_verify.3
MAN+= RAND_DRBG_generate.3
MAN+= RAND_DRBG_get0_master.3
MAN+= RAND_DRBG_new.3
MAN+= RAND_DRBG_reseed.3
MAN+= RAND_DRBG_set_callbacks.3
MAN+= RAND_DRBG_set_ex_data.3
MAN+= RAND_add.3
MAN+= RAND_bytes.3
MAN+= RAND_cleanup.3
MAN+= RAND_egd.3
MAN+= RAND_load_file.3
MAN+= RAND_set_rand_method.3
MAN+= RC4_set_key.3
MAN+= RIPEMD160_Init.3
MAN+= RSA_blinding_on.3
MAN+= RSA_check_key.3
MAN+= RSA_generate_key.3
MAN+= RSA_get0_key.3
MAN+= RSA_meth_new.3
MAN+= RSA_new.3
MAN+= RSA_padding_add_PKCS1_type_1.3
MAN+= RSA_print.3
MAN+= RSA_private_encrypt.3
MAN+= RSA_public_encrypt.3
MAN+= RSA_set_method.3
MAN+= RSA_sign.3
MAN+= RSA_sign_ASN1_OCTET_STRING.3
MAN+= RSA_size.3
MAN+= SCT_new.3
MAN+= SCT_print.3
MAN+= SCT_validate.3
MAN+= SHA256_Init.3
MAN+= SMIME_read_CMS.3
MAN+= SMIME_read_PKCS7.3
MAN+= SMIME_write_CMS.3
MAN+= SMIME_write_PKCS7.3
MAN+= SSL_CIPHER_get_name.3
MAN+= SSL_COMP_add_compression_method.3
MAN+= SSL_CONF_CTX_new.3
MAN+= SSL_CONF_CTX_set1_prefix.3
MAN+= SSL_CONF_CTX_set_flags.3
MAN+= SSL_CONF_CTX_set_ssl_ctx.3
MAN+= SSL_CONF_cmd.3
MAN+= SSL_CONF_cmd_argv.3
MAN+= SSL_CTX_add1_chain_cert.3
MAN+= SSL_CTX_add_extra_chain_cert.3
MAN+= SSL_CTX_add_session.3
MAN+= SSL_CTX_config.3
MAN+= SSL_CTX_ctrl.3
MAN+= SSL_CTX_dane_enable.3
MAN+= SSL_CTX_flush_sessions.3
MAN+= SSL_CTX_free.3
MAN+= SSL_CTX_get0_param.3
MAN+= SSL_CTX_get_verify_mode.3
MAN+= SSL_CTX_has_client_custom_ext.3
MAN+= SSL_CTX_load_verify_locations.3
MAN+= SSL_CTX_new.3
MAN+= SSL_CTX_sess_number.3
MAN+= SSL_CTX_sess_set_cache_size.3
MAN+= SSL_CTX_sess_set_get_cb.3
MAN+= SSL_CTX_sessions.3
MAN+= SSL_CTX_set0_CA_list.3
MAN+= SSL_CTX_set1_curves.3
MAN+= SSL_CTX_set1_sigalgs.3
MAN+= SSL_CTX_set1_verify_cert_store.3
MAN+= SSL_CTX_set_alpn_select_cb.3
MAN+= SSL_CTX_set_cert_cb.3
MAN+= SSL_CTX_set_cert_store.3
MAN+= SSL_CTX_set_cert_verify_callback.3
MAN+= SSL_CTX_set_cipher_list.3
MAN+= SSL_CTX_set_client_cert_cb.3
MAN+= SSL_CTX_set_client_hello_cb.3
MAN+= SSL_CTX_set_ct_validation_callback.3
MAN+= SSL_CTX_set_ctlog_list_file.3
MAN+= SSL_CTX_set_default_passwd_cb.3
MAN+= SSL_CTX_set_ex_data.3
MAN+= SSL_CTX_set_generate_session_id.3
MAN+= SSL_CTX_set_info_callback.3
MAN+= SSL_CTX_set_keylog_callback.3
MAN+= SSL_CTX_set_max_cert_list.3
MAN+= SSL_CTX_set_min_proto_version.3
MAN+= SSL_CTX_set_mode.3
MAN+= SSL_CTX_set_msg_callback.3
MAN+= SSL_CTX_set_num_tickets.3
MAN+= SSL_CTX_set_options.3
MAN+= SSL_CTX_set_psk_client_callback.3
MAN+= SSL_CTX_set_quiet_shutdown.3
MAN+= SSL_CTX_set_read_ahead.3
MAN+= SSL_CTX_set_record_padding_callback.3
MAN+= SSL_CTX_set_security_level.3
MAN+= SSL_CTX_set_session_cache_mode.3
MAN+= SSL_CTX_set_session_id_context.3
MAN+= SSL_CTX_set_session_ticket_cb.3
MAN+= SSL_CTX_set_split_send_fragment.3
MAN+= SSL_CTX_set_ssl_version.3
MAN+= SSL_CTX_set_stateless_cookie_generate_cb.3
MAN+= SSL_CTX_set_timeout.3
MAN+= SSL_CTX_set_tlsext_servername_callback.3
MAN+= SSL_CTX_set_tlsext_status_cb.3
MAN+= SSL_CTX_set_tlsext_ticket_key_cb.3
MAN+= SSL_CTX_set_tlsext_use_srtp.3
MAN+= SSL_CTX_set_tmp_dh_callback.3
MAN+= SSL_CTX_set_verify.3
MAN+= SSL_CTX_use_certificate.3
MAN+= SSL_CTX_use_psk_identity_hint.3
MAN+= SSL_CTX_use_serverinfo.3
MAN+= SSL_SESSION_free.3
MAN+= SSL_SESSION_get0_cipher.3
MAN+= SSL_SESSION_get0_hostname.3
MAN+= SSL_SESSION_get0_id_context.3
MAN+= SSL_SESSION_get0_peer.3
MAN+= SSL_SESSION_get_compress_id.3
MAN+= SSL_SESSION_get_ex_data.3
MAN+= SSL_SESSION_get_protocol_version.3
MAN+= SSL_SESSION_get_time.3
MAN+= SSL_SESSION_has_ticket.3
MAN+= SSL_SESSION_is_resumable.3
MAN+= SSL_SESSION_print.3
MAN+= SSL_SESSION_set1_id.3
MAN+= SSL_accept.3
MAN+= SSL_alert_type_string.3
MAN+= SSL_alloc_buffers.3
MAN+= SSL_check_chain.3
MAN+= SSL_clear.3
MAN+= SSL_connect.3
MAN+= SSL_do_handshake.3
MAN+= SSL_export_keying_material.3
MAN+= SSL_extension_supported.3
MAN+= SSL_free.3
MAN+= SSL_get0_peer_scts.3
MAN+= SSL_get_SSL_CTX.3
MAN+= SSL_get_all_async_fds.3
MAN+= SSL_get_ciphers.3
MAN+= SSL_get_client_random.3
MAN+= SSL_get_current_cipher.3
MAN+= SSL_get_default_timeout.3
MAN+= SSL_get_error.3
MAN+= SSL_get_extms_support.3
MAN+= SSL_get_fd.3
MAN+= SSL_get_peer_cert_chain.3
MAN+= SSL_get_peer_certificate.3
MAN+= SSL_get_peer_signature_nid.3
MAN+= SSL_get_peer_tmp_key.3
MAN+= SSL_get_psk_identity.3
MAN+= SSL_get_rbio.3
MAN+= SSL_get_session.3
MAN+= SSL_get_shared_sigalgs.3
MAN+= SSL_get_verify_result.3
MAN+= SSL_get_version.3
MAN+= SSL_in_init.3
MAN+= SSL_key_update.3
MAN+= SSL_library_init.3
MAN+= SSL_load_client_CA_file.3
MAN+= SSL_new.3
MAN+= SSL_pending.3
MAN+= SSL_read.3
MAN+= SSL_read_early_data.3
MAN+= SSL_rstate_string.3
MAN+= SSL_session_reused.3
MAN+= SSL_set1_host.3
MAN+= SSL_set_bio.3
MAN+= SSL_set_connect_state.3
MAN+= SSL_set_fd.3
MAN+= SSL_set_session.3
MAN+= SSL_set_shutdown.3
MAN+= SSL_set_verify_result.3
MAN+= SSL_shutdown.3
MAN+= SSL_state_string.3
MAN+= SSL_want.3
MAN+= SSL_write.3
MAN+= UI_STRING.3
MAN+= UI_UTIL_read_pw.3
MAN+= UI_create_method.3
MAN+= UI_new.3
MAN+= X509V3_get_d2i.3
MAN+= X509_ALGOR_dup.3
MAN+= X509_CRL_get0_by_serial.3
MAN+= X509_EXTENSION_set_object.3
MAN+= X509_LOOKUP.3
MAN+= X509_LOOKUP_hash_dir.3
MAN+= X509_LOOKUP_meth_new.3
MAN+= X509_NAME_ENTRY_get_object.3
MAN+= X509_NAME_add_entry_by_txt.3
MAN+= X509_NAME_get0_der.3
MAN+= X509_NAME_get_index_by_NID.3
MAN+= X509_NAME_print_ex.3
MAN+= X509_PUBKEY_new.3
MAN+= X509_SIG_get0.3
MAN+= X509_STORE_CTX_get_error.3
MAN+= X509_STORE_CTX_new.3
MAN+= X509_STORE_CTX_set_verify_cb.3
MAN+= X509_STORE_add_cert.3
MAN+= X509_STORE_get0_param.3
MAN+= X509_STORE_new.3
MAN+= X509_STORE_set_verify_cb_func.3
MAN+= X509_VERIFY_PARAM_set_flags.3
MAN+= X509_check_ca.3
MAN+= X509_check_host.3
MAN+= X509_check_issued.3
MAN+= X509_check_private_key.3
MAN+= X509_check_purpose.3
MAN+= X509_cmp.3
MAN+= X509_cmp_time.3
MAN+= X509_digest.3
MAN+= X509_dup.3
MAN+= X509_get0_notBefore.3
MAN+= X509_get0_signature.3
MAN+= X509_get0_uids.3
MAN+= X509_get_extension_flags.3
MAN+= X509_get_pubkey.3
MAN+= X509_get_serialNumber.3
MAN+= X509_get_subject_name.3
MAN+= X509_get_version.3
MAN+= X509_new.3
MAN+= X509_sign.3
MAN+= X509_verify_cert.3
MAN+= X509v3_get_ext_by_NID.3
MAN+= d2i_DHparams.3
MAN+= d2i_PKCS8PrivateKey_bio.3
MAN+= d2i_PrivateKey.3
MAN+= d2i_SSL_SESSION.3
MAN+= d2i_X509.3
MAN+= i2d_CMS_bio_stream.3
MAN+= i2d_PKCS7_bio_stream.3
MAN+= i2d_re_X509_tbs.3
MAN+= o2i_SCT_LIST.3
MLINKS+= ADMISSIONS.3 ADMISSIONS_get0_admissionAuthority.3
MLINKS+= ADMISSIONS.3 ADMISSIONS_get0_namingAuthority.3
MLINKS+= ADMISSIONS.3 ADMISSIONS_get0_professionInfos.3
MLINKS+= ADMISSIONS.3 ADMISSIONS_set0_admissionAuthority.3
MLINKS+= ADMISSIONS.3 ADMISSIONS_set0_namingAuthority.3
MLINKS+= ADMISSIONS.3 ADMISSIONS_set0_professionInfos.3
MLINKS+= ADMISSIONS.3 ADMISSION_SYNTAX.3
MLINKS+= ADMISSIONS.3 ADMISSION_SYNTAX_get0_admissionAuthority.3
MLINKS+= ADMISSIONS.3 ADMISSION_SYNTAX_get0_contentsOfAdmissions.3
MLINKS+= ADMISSIONS.3 ADMISSION_SYNTAX_set0_admissionAuthority.3
MLINKS+= ADMISSIONS.3 ADMISSION_SYNTAX_set0_contentsOfAdmissions.3
MLINKS+= ADMISSIONS.3 NAMING_AUTHORITY.3
MLINKS+= ADMISSIONS.3 NAMING_AUTHORITY_get0_authorityId.3
MLINKS+= ADMISSIONS.3 NAMING_AUTHORITY_get0_authorityText.3
MLINKS+= ADMISSIONS.3 NAMING_AUTHORITY_get0_authorityURL.3
MLINKS+= ADMISSIONS.3 NAMING_AUTHORITY_set0_authorityId.3
MLINKS+= ADMISSIONS.3 NAMING_AUTHORITY_set0_authorityText.3
MLINKS+= ADMISSIONS.3 NAMING_AUTHORITY_set0_authorityURL.3
MLINKS+= ADMISSIONS.3 PROFESSION_INFO.3
MLINKS+= ADMISSIONS.3 PROFESSION_INFOS.3
MLINKS+= ADMISSIONS.3 PROFESSION_INFO_get0_addProfessionInfo.3
MLINKS+= ADMISSIONS.3 PROFESSION_INFO_get0_namingAuthority.3
MLINKS+= ADMISSIONS.3 PROFESSION_INFO_get0_professionItems.3
MLINKS+= ADMISSIONS.3 PROFESSION_INFO_get0_professionOIDs.3
MLINKS+= ADMISSIONS.3 PROFESSION_INFO_get0_registrationNumber.3
MLINKS+= ADMISSIONS.3 PROFESSION_INFO_set0_addProfessionInfo.3
MLINKS+= ADMISSIONS.3 PROFESSION_INFO_set0_namingAuthority.3
MLINKS+= ADMISSIONS.3 PROFESSION_INFO_set0_professionItems.3
MLINKS+= ADMISSIONS.3 PROFESSION_INFO_set0_professionOIDs.3
MLINKS+= ADMISSIONS.3 PROFESSION_INFO_set0_registrationNumber.3
MLINKS+= ASN1_INTEGER_get_int64.3 ASN1_ENUMERATED_get.3
MLINKS+= ASN1_INTEGER_get_int64.3 ASN1_ENUMERATED_get_int64.3
MLINKS+= ASN1_INTEGER_get_int64.3 ASN1_ENUMERATED_set.3
MLINKS+= ASN1_INTEGER_get_int64.3 ASN1_ENUMERATED_set_int64.3
MLINKS+= ASN1_INTEGER_get_int64.3 ASN1_ENUMERATED_to_BN.3
MLINKS+= ASN1_INTEGER_get_int64.3 ASN1_INTEGER_get.3
MLINKS+= ASN1_INTEGER_get_int64.3 ASN1_INTEGER_get_uint64.3
MLINKS+= ASN1_INTEGER_get_int64.3 ASN1_INTEGER_set.3
MLINKS+= ASN1_INTEGER_get_int64.3 ASN1_INTEGER_set_int64.3
MLINKS+= ASN1_INTEGER_get_int64.3 ASN1_INTEGER_set_uint64.3
MLINKS+= ASN1_INTEGER_get_int64.3 ASN1_INTEGER_to_BN.3
MLINKS+= ASN1_INTEGER_get_int64.3 BN_to_ASN1_ENUMERATED.3
MLINKS+= ASN1_INTEGER_get_int64.3 BN_to_ASN1_INTEGER.3
MLINKS+= ASN1_ITEM_lookup.3 ASN1_ITEM_get.3
MLINKS+= ASN1_OBJECT_new.3 ASN1_OBJECT_free.3
MLINKS+= ASN1_STRING_TABLE_add.3 ASN1_STRING_TABLE.3
MLINKS+= ASN1_STRING_TABLE_add.3 ASN1_STRING_TABLE_cleanup.3
MLINKS+= ASN1_STRING_TABLE_add.3 ASN1_STRING_TABLE_get.3
MLINKS+= ASN1_STRING_length.3 ASN1_STRING_cmp.3
MLINKS+= ASN1_STRING_length.3 ASN1_STRING_data.3
MLINKS+= ASN1_STRING_length.3 ASN1_STRING_dup.3
MLINKS+= ASN1_STRING_length.3 ASN1_STRING_get0_data.3
MLINKS+= ASN1_STRING_length.3 ASN1_STRING_set.3
MLINKS+= ASN1_STRING_length.3 ASN1_STRING_to_UTF8.3
MLINKS+= ASN1_STRING_length.3 ASN1_STRING_type.3
MLINKS+= ASN1_STRING_new.3 ASN1_STRING_free.3
MLINKS+= ASN1_STRING_new.3 ASN1_STRING_type_new.3
MLINKS+= ASN1_STRING_print_ex.3 ASN1_STRING_print.3
MLINKS+= ASN1_STRING_print_ex.3 ASN1_STRING_print_ex_fp.3
MLINKS+= ASN1_STRING_print_ex.3 ASN1_tag2str.3
MLINKS+= ASN1_TIME_set.3 ASN1_GENERALIZEDTIME_adj.3
MLINKS+= ASN1_TIME_set.3 ASN1_GENERALIZEDTIME_check.3
MLINKS+= ASN1_TIME_set.3 ASN1_GENERALIZEDTIME_print.3
MLINKS+= ASN1_TIME_set.3 ASN1_GENERALIZEDTIME_set.3
MLINKS+= ASN1_TIME_set.3 ASN1_GENERALIZEDTIME_set_string.3
MLINKS+= ASN1_TIME_set.3 ASN1_TIME_adj.3
MLINKS+= ASN1_TIME_set.3 ASN1_TIME_check.3
MLINKS+= ASN1_TIME_set.3 ASN1_TIME_cmp_time_t.3
MLINKS+= ASN1_TIME_set.3 ASN1_TIME_compare.3
MLINKS+= ASN1_TIME_set.3 ASN1_TIME_diff.3
MLINKS+= ASN1_TIME_set.3 ASN1_TIME_normalize.3
MLINKS+= ASN1_TIME_set.3 ASN1_TIME_print.3
MLINKS+= ASN1_TIME_set.3 ASN1_TIME_set_string.3
MLINKS+= ASN1_TIME_set.3 ASN1_TIME_set_string_X509.3
MLINKS+= ASN1_TIME_set.3 ASN1_TIME_to_generalizedtime.3
MLINKS+= ASN1_TIME_set.3 ASN1_TIME_to_tm.3
MLINKS+= ASN1_TIME_set.3 ASN1_UTCTIME_adj.3
MLINKS+= ASN1_TIME_set.3 ASN1_UTCTIME_check.3
MLINKS+= ASN1_TIME_set.3 ASN1_UTCTIME_cmp_time_t.3
MLINKS+= ASN1_TIME_set.3 ASN1_UTCTIME_print.3
MLINKS+= ASN1_TIME_set.3 ASN1_UTCTIME_set.3
MLINKS+= ASN1_TIME_set.3 ASN1_UTCTIME_set_string.3
MLINKS+= ASN1_TYPE_get.3 ASN1_TYPE_cmp.3
MLINKS+= ASN1_TYPE_get.3 ASN1_TYPE_pack_sequence.3
MLINKS+= ASN1_TYPE_get.3 ASN1_TYPE_set.3
MLINKS+= ASN1_TYPE_get.3 ASN1_TYPE_set1.3
MLINKS+= ASN1_TYPE_get.3 ASN1_TYPE_unpack_sequence.3
MLINKS+= ASN1_generate_nconf.3 ASN1_generate_v3.3
MLINKS+= ASYNC_WAIT_CTX_new.3 ASYNC_WAIT_CTX_clear_fd.3
MLINKS+= ASYNC_WAIT_CTX_new.3 ASYNC_WAIT_CTX_free.3
MLINKS+= ASYNC_WAIT_CTX_new.3 ASYNC_WAIT_CTX_get_all_fds.3
MLINKS+= ASYNC_WAIT_CTX_new.3 ASYNC_WAIT_CTX_get_changed_fds.3
MLINKS+= ASYNC_WAIT_CTX_new.3 ASYNC_WAIT_CTX_get_fd.3
MLINKS+= ASYNC_WAIT_CTX_new.3 ASYNC_WAIT_CTX_set_wait_fd.3
MLINKS+= ASYNC_start_job.3 ASYNC_block_pause.3
MLINKS+= ASYNC_start_job.3 ASYNC_cleanup_thread.3
MLINKS+= ASYNC_start_job.3 ASYNC_get_current_job.3
MLINKS+= ASYNC_start_job.3 ASYNC_get_wait_ctx.3
MLINKS+= ASYNC_start_job.3 ASYNC_init_thread.3
MLINKS+= ASYNC_start_job.3 ASYNC_is_capable.3
MLINKS+= ASYNC_start_job.3 ASYNC_pause_job.3
MLINKS+= ASYNC_start_job.3 ASYNC_unblock_pause.3
MLINKS+= BF_encrypt.3 BF_cbc_encrypt.3
MLINKS+= BF_encrypt.3 BF_cfb64_encrypt.3
MLINKS+= BF_encrypt.3 BF_decrypt.3
MLINKS+= BF_encrypt.3 BF_ecb_encrypt.3
MLINKS+= BF_encrypt.3 BF_ofb64_encrypt.3
MLINKS+= BF_encrypt.3 BF_options.3
MLINKS+= BF_encrypt.3 BF_set_key.3
MLINKS+= BIO_ADDR.3 BIO_ADDR_clear.3
MLINKS+= BIO_ADDR.3 BIO_ADDR_family.3
MLINKS+= BIO_ADDR.3 BIO_ADDR_free.3
MLINKS+= BIO_ADDR.3 BIO_ADDR_hostname_string.3
MLINKS+= BIO_ADDR.3 BIO_ADDR_new.3
MLINKS+= BIO_ADDR.3 BIO_ADDR_path_string.3
MLINKS+= BIO_ADDR.3 BIO_ADDR_rawaddress.3
MLINKS+= BIO_ADDR.3 BIO_ADDR_rawmake.3
MLINKS+= BIO_ADDR.3 BIO_ADDR_rawport.3
MLINKS+= BIO_ADDR.3 BIO_ADDR_service_string.3
MLINKS+= BIO_ADDRINFO.3 BIO_ADDRINFO_address.3
MLINKS+= BIO_ADDRINFO.3 BIO_ADDRINFO_family.3
MLINKS+= BIO_ADDRINFO.3 BIO_ADDRINFO_free.3
MLINKS+= BIO_ADDRINFO.3 BIO_ADDRINFO_next.3
MLINKS+= BIO_ADDRINFO.3 BIO_ADDRINFO_protocol.3
MLINKS+= BIO_ADDRINFO.3 BIO_ADDRINFO_socktype.3
MLINKS+= BIO_ADDRINFO.3 BIO_lookup.3
MLINKS+= BIO_ADDRINFO.3 BIO_lookup_ex.3
MLINKS+= BIO_ADDRINFO.3 BIO_lookup_type.3
MLINKS+= BIO_connect.3 BIO_accept_ex.3
MLINKS+= BIO_connect.3 BIO_bind.3
MLINKS+= BIO_connect.3 BIO_closesocket.3
MLINKS+= BIO_connect.3 BIO_listen.3
MLINKS+= BIO_connect.3 BIO_socket.3
MLINKS+= BIO_ctrl.3 BIO_callback_ctrl.3
MLINKS+= BIO_ctrl.3 BIO_ctrl_pending.3
MLINKS+= BIO_ctrl.3 BIO_ctrl_wpending.3
MLINKS+= BIO_ctrl.3 BIO_eof.3
MLINKS+= BIO_ctrl.3 BIO_flush.3
MLINKS+= BIO_ctrl.3 BIO_get_close.3
MLINKS+= BIO_ctrl.3 BIO_get_info_callback.3
MLINKS+= BIO_ctrl.3 BIO_get_ktls_recv.3
MLINKS+= BIO_ctrl.3 BIO_get_ktls_send.3
MLINKS+= BIO_ctrl.3 BIO_info_cb.3
MLINKS+= BIO_ctrl.3 BIO_int_ctrl.3
MLINKS+= BIO_ctrl.3 BIO_pending.3
MLINKS+= BIO_ctrl.3 BIO_ptr_ctrl.3
MLINKS+= BIO_ctrl.3 BIO_reset.3
MLINKS+= BIO_ctrl.3 BIO_seek.3
MLINKS+= BIO_ctrl.3 BIO_set_close.3
MLINKS+= BIO_ctrl.3 BIO_set_info_callback.3
MLINKS+= BIO_ctrl.3 BIO_tell.3
MLINKS+= BIO_ctrl.3 BIO_wpending.3
MLINKS+= BIO_f_buffer.3 BIO_get_buffer_num_lines.3
MLINKS+= BIO_f_buffer.3 BIO_set_buffer_read_data.3
MLINKS+= BIO_f_buffer.3 BIO_set_buffer_size.3
MLINKS+= BIO_f_buffer.3 BIO_set_read_buffer_size.3
MLINKS+= BIO_f_buffer.3 BIO_set_write_buffer_size.3
MLINKS+= BIO_f_cipher.3 BIO_get_cipher_ctx.3
MLINKS+= BIO_f_cipher.3 BIO_get_cipher_status.3
MLINKS+= BIO_f_cipher.3 BIO_set_cipher.3
MLINKS+= BIO_f_md.3 BIO_get_md.3
MLINKS+= BIO_f_md.3 BIO_get_md_ctx.3
MLINKS+= BIO_f_md.3 BIO_set_md.3
MLINKS+= BIO_f_ssl.3 BIO_do_handshake.3
MLINKS+= BIO_f_ssl.3 BIO_get_num_renegotiates.3
MLINKS+= BIO_f_ssl.3 BIO_get_ssl.3
MLINKS+= BIO_f_ssl.3 BIO_new_buffer_ssl_connect.3
MLINKS+= BIO_f_ssl.3 BIO_new_ssl.3
MLINKS+= BIO_f_ssl.3 BIO_new_ssl_connect.3
MLINKS+= BIO_f_ssl.3 BIO_set_ssl.3
MLINKS+= BIO_f_ssl.3 BIO_set_ssl_mode.3
MLINKS+= BIO_f_ssl.3 BIO_set_ssl_renegotiate_bytes.3
MLINKS+= BIO_f_ssl.3 BIO_set_ssl_renegotiate_timeout.3
MLINKS+= BIO_f_ssl.3 BIO_ssl_copy_session_id.3
MLINKS+= BIO_f_ssl.3 BIO_ssl_shutdown.3
MLINKS+= BIO_find_type.3 BIO_method_type.3
MLINKS+= BIO_find_type.3 BIO_next.3
MLINKS+= BIO_get_data.3 BIO_get_init.3
MLINKS+= BIO_get_data.3 BIO_get_shutdown.3
MLINKS+= BIO_get_data.3 BIO_set_data.3
MLINKS+= BIO_get_data.3 BIO_set_init.3
MLINKS+= BIO_get_data.3 BIO_set_shutdown.3
MLINKS+= BIO_get_ex_new_index.3 BIO_get_ex_data.3
MLINKS+= BIO_get_ex_new_index.3 BIO_set_ex_data.3
MLINKS+= BIO_get_ex_new_index.3 DH_get_ex_data.3
MLINKS+= BIO_get_ex_new_index.3 DH_get_ex_new_index.3
MLINKS+= BIO_get_ex_new_index.3 DH_set_ex_data.3
MLINKS+= BIO_get_ex_new_index.3 DSA_get_ex_data.3
MLINKS+= BIO_get_ex_new_index.3 DSA_get_ex_new_index.3
MLINKS+= BIO_get_ex_new_index.3 DSA_set_ex_data.3
MLINKS+= BIO_get_ex_new_index.3 ECDH_get_ex_data.3
MLINKS+= BIO_get_ex_new_index.3 ECDH_get_ex_new_index.3
MLINKS+= BIO_get_ex_new_index.3 ECDH_set_ex_data.3
MLINKS+= BIO_get_ex_new_index.3 EC_KEY_get_ex_data.3
MLINKS+= BIO_get_ex_new_index.3 EC_KEY_get_ex_new_index.3
MLINKS+= BIO_get_ex_new_index.3 EC_KEY_set_ex_data.3
MLINKS+= BIO_get_ex_new_index.3 ENGINE_get_ex_data.3
MLINKS+= BIO_get_ex_new_index.3 ENGINE_get_ex_new_index.3
MLINKS+= BIO_get_ex_new_index.3 ENGINE_set_ex_data.3
MLINKS+= BIO_get_ex_new_index.3 RSA_get_ex_data.3
MLINKS+= BIO_get_ex_new_index.3 RSA_get_ex_new_index.3
MLINKS+= BIO_get_ex_new_index.3 RSA_set_ex_data.3
MLINKS+= BIO_get_ex_new_index.3 UI_get_ex_data.3
MLINKS+= BIO_get_ex_new_index.3 UI_get_ex_new_index.3
MLINKS+= BIO_get_ex_new_index.3 UI_set_ex_data.3
MLINKS+= BIO_get_ex_new_index.3 X509_STORE_CTX_get_ex_data.3
MLINKS+= BIO_get_ex_new_index.3 X509_STORE_CTX_get_ex_new_index.3
MLINKS+= BIO_get_ex_new_index.3 X509_STORE_CTX_set_ex_data.3
MLINKS+= BIO_get_ex_new_index.3 X509_STORE_get_ex_data.3
MLINKS+= BIO_get_ex_new_index.3 X509_STORE_get_ex_new_index.3
MLINKS+= BIO_get_ex_new_index.3 X509_STORE_set_ex_data.3
MLINKS+= BIO_get_ex_new_index.3 X509_get_ex_data.3
MLINKS+= BIO_get_ex_new_index.3 X509_get_ex_new_index.3
MLINKS+= BIO_get_ex_new_index.3 X509_set_ex_data.3
MLINKS+= BIO_meth_new.3 BIO_get_new_index.3
MLINKS+= BIO_meth_new.3 BIO_meth_free.3
MLINKS+= BIO_meth_new.3 BIO_meth_get_callback_ctrl.3
MLINKS+= BIO_meth_new.3 BIO_meth_get_create.3
MLINKS+= BIO_meth_new.3 BIO_meth_get_ctrl.3
MLINKS+= BIO_meth_new.3 BIO_meth_get_destroy.3
MLINKS+= BIO_meth_new.3 BIO_meth_get_gets.3
MLINKS+= BIO_meth_new.3 BIO_meth_get_puts.3
MLINKS+= BIO_meth_new.3 BIO_meth_get_read.3
MLINKS+= BIO_meth_new.3 BIO_meth_get_read_ex.3
MLINKS+= BIO_meth_new.3 BIO_meth_get_write.3
MLINKS+= BIO_meth_new.3 BIO_meth_get_write_ex.3
MLINKS+= BIO_meth_new.3 BIO_meth_set_callback_ctrl.3
MLINKS+= BIO_meth_new.3 BIO_meth_set_create.3
MLINKS+= BIO_meth_new.3 BIO_meth_set_ctrl.3
MLINKS+= BIO_meth_new.3 BIO_meth_set_destroy.3
MLINKS+= BIO_meth_new.3 BIO_meth_set_gets.3
MLINKS+= BIO_meth_new.3 BIO_meth_set_puts.3
MLINKS+= BIO_meth_new.3 BIO_meth_set_read.3
MLINKS+= BIO_meth_new.3 BIO_meth_set_read_ex.3
MLINKS+= BIO_meth_new.3 BIO_meth_set_write.3
MLINKS+= BIO_meth_new.3 BIO_meth_set_write_ex.3
MLINKS+= BIO_new.3 BIO_free.3
MLINKS+= BIO_new.3 BIO_free_all.3
MLINKS+= BIO_new.3 BIO_up_ref.3
MLINKS+= BIO_new.3 BIO_vfree.3
MLINKS+= BIO_parse_hostserv.3 BIO_hostserv_priorities.3
MLINKS+= BIO_printf.3 BIO_snprintf.3
MLINKS+= BIO_printf.3 BIO_vprintf.3
MLINKS+= BIO_printf.3 BIO_vsnprintf.3
MLINKS+= BIO_push.3 BIO_pop.3
MLINKS+= BIO_push.3 BIO_set_next.3
MLINKS+= BIO_read.3 BIO_gets.3
MLINKS+= BIO_read.3 BIO_puts.3
MLINKS+= BIO_read.3 BIO_read_ex.3
MLINKS+= BIO_read.3 BIO_write.3
MLINKS+= BIO_read.3 BIO_write_ex.3
MLINKS+= BIO_s_accept.3 BIO_do_accept.3
MLINKS+= BIO_s_accept.3 BIO_get_accept_ip_family.3
MLINKS+= BIO_s_accept.3 BIO_get_accept_name.3
MLINKS+= BIO_s_accept.3 BIO_get_accept_port.3
MLINKS+= BIO_s_accept.3 BIO_get_bind_mode.3
MLINKS+= BIO_s_accept.3 BIO_get_peer_name.3
MLINKS+= BIO_s_accept.3 BIO_get_peer_port.3
MLINKS+= BIO_s_accept.3 BIO_new_accept.3
MLINKS+= BIO_s_accept.3 BIO_set_accept_bios.3
MLINKS+= BIO_s_accept.3 BIO_set_accept_ip_family.3
MLINKS+= BIO_s_accept.3 BIO_set_accept_name.3
MLINKS+= BIO_s_accept.3 BIO_set_accept_port.3
MLINKS+= BIO_s_accept.3 BIO_set_bind_mode.3
MLINKS+= BIO_s_accept.3 BIO_set_nbio_accept.3
MLINKS+= BIO_s_bio.3 BIO_ctrl_get_read_request.3
MLINKS+= BIO_s_bio.3 BIO_ctrl_get_write_guarantee.3
MLINKS+= BIO_s_bio.3 BIO_ctrl_reset_read_request.3
MLINKS+= BIO_s_bio.3 BIO_destroy_bio_pair.3
MLINKS+= BIO_s_bio.3 BIO_get_read_request.3
MLINKS+= BIO_s_bio.3 BIO_get_write_buf_size.3
MLINKS+= BIO_s_bio.3 BIO_get_write_guarantee.3
MLINKS+= BIO_s_bio.3 BIO_make_bio_pair.3
MLINKS+= BIO_s_bio.3 BIO_new_bio_pair.3
MLINKS+= BIO_s_bio.3 BIO_set_write_buf_size.3
MLINKS+= BIO_s_bio.3 BIO_shutdown_wr.3
MLINKS+= BIO_s_connect.3 BIO_do_connect.3
MLINKS+= BIO_s_connect.3 BIO_get_conn_address.3
MLINKS+= BIO_s_connect.3 BIO_get_conn_hostname.3
MLINKS+= BIO_s_connect.3 BIO_get_conn_ip_family.3
MLINKS+= BIO_s_connect.3 BIO_get_conn_port.3
MLINKS+= BIO_s_connect.3 BIO_new_connect.3
MLINKS+= BIO_s_connect.3 BIO_set_conn_address.3
MLINKS+= BIO_s_connect.3 BIO_set_conn_hostname.3
MLINKS+= BIO_s_connect.3 BIO_set_conn_ip_family.3
MLINKS+= BIO_s_connect.3 BIO_set_conn_port.3
MLINKS+= BIO_s_connect.3 BIO_set_nbio.3
MLINKS+= BIO_s_fd.3 BIO_get_fd.3
MLINKS+= BIO_s_fd.3 BIO_new_fd.3
MLINKS+= BIO_s_fd.3 BIO_set_fd.3
MLINKS+= BIO_s_file.3 BIO_append_filename.3
MLINKS+= BIO_s_file.3 BIO_get_fp.3
MLINKS+= BIO_s_file.3 BIO_new_file.3
MLINKS+= BIO_s_file.3 BIO_new_fp.3
MLINKS+= BIO_s_file.3 BIO_read_filename.3
MLINKS+= BIO_s_file.3 BIO_rw_filename.3
MLINKS+= BIO_s_file.3 BIO_set_fp.3
MLINKS+= BIO_s_file.3 BIO_write_filename.3
MLINKS+= BIO_s_mem.3 BIO_get_mem_data.3
MLINKS+= BIO_s_mem.3 BIO_get_mem_ptr.3
MLINKS+= BIO_s_mem.3 BIO_new_mem_buf.3
MLINKS+= BIO_s_mem.3 BIO_s_secmem.3
MLINKS+= BIO_s_mem.3 BIO_set_mem_buf.3
MLINKS+= BIO_s_mem.3 BIO_set_mem_eof_return.3
MLINKS+= BIO_s_socket.3 BIO_new_socket.3
MLINKS+= BIO_set_callback.3 BIO_callback_fn.3
MLINKS+= BIO_set_callback.3 BIO_callback_fn_ex.3
MLINKS+= BIO_set_callback.3 BIO_debug_callback.3
MLINKS+= BIO_set_callback.3 BIO_get_callback.3
MLINKS+= BIO_set_callback.3 BIO_get_callback_arg.3
MLINKS+= BIO_set_callback.3 BIO_get_callback_ex.3
MLINKS+= BIO_set_callback.3 BIO_set_callback_arg.3
MLINKS+= BIO_set_callback.3 BIO_set_callback_ex.3
MLINKS+= BIO_should_retry.3 BIO_get_retry_BIO.3
MLINKS+= BIO_should_retry.3 BIO_get_retry_reason.3
MLINKS+= BIO_should_retry.3 BIO_retry_type.3
MLINKS+= BIO_should_retry.3 BIO_set_retry_reason.3
MLINKS+= BIO_should_retry.3 BIO_should_io_special.3
MLINKS+= BIO_should_retry.3 BIO_should_read.3
MLINKS+= BIO_should_retry.3 BIO_should_write.3
MLINKS+= BN_BLINDING_new.3 BN_BLINDING_convert.3
MLINKS+= BN_BLINDING_new.3 BN_BLINDING_convert_ex.3
MLINKS+= BN_BLINDING_new.3 BN_BLINDING_create_param.3
MLINKS+= BN_BLINDING_new.3 BN_BLINDING_free.3
MLINKS+= BN_BLINDING_new.3 BN_BLINDING_get_flags.3
MLINKS+= BN_BLINDING_new.3 BN_BLINDING_invert.3
MLINKS+= BN_BLINDING_new.3 BN_BLINDING_invert_ex.3
MLINKS+= BN_BLINDING_new.3 BN_BLINDING_is_current_thread.3
MLINKS+= BN_BLINDING_new.3 BN_BLINDING_lock.3
MLINKS+= BN_BLINDING_new.3 BN_BLINDING_set_current_thread.3
MLINKS+= BN_BLINDING_new.3 BN_BLINDING_set_flags.3
MLINKS+= BN_BLINDING_new.3 BN_BLINDING_unlock.3
MLINKS+= BN_BLINDING_new.3 BN_BLINDING_update.3
MLINKS+= BN_CTX_new.3 BN_CTX_free.3
MLINKS+= BN_CTX_new.3 BN_CTX_secure_new.3
MLINKS+= BN_CTX_start.3 BN_CTX_end.3
MLINKS+= BN_CTX_start.3 BN_CTX_get.3
MLINKS+= BN_add.3 BN_div.3
MLINKS+= BN_add.3 BN_exp.3
MLINKS+= BN_add.3 BN_gcd.3
MLINKS+= BN_add.3 BN_mod.3
MLINKS+= BN_add.3 BN_mod_add.3
MLINKS+= BN_add.3 BN_mod_exp.3
MLINKS+= BN_add.3 BN_mod_mul.3
MLINKS+= BN_add.3 BN_mod_sqr.3
+MLINKS+= BN_add.3 BN_mod_sqrt.3
MLINKS+= BN_add.3 BN_mod_sub.3
MLINKS+= BN_add.3 BN_mul.3
MLINKS+= BN_add.3 BN_nnmod.3
MLINKS+= BN_add.3 BN_sqr.3
MLINKS+= BN_add.3 BN_sub.3
MLINKS+= BN_add_word.3 BN_div_word.3
MLINKS+= BN_add_word.3 BN_mod_word.3
MLINKS+= BN_add_word.3 BN_mul_word.3
MLINKS+= BN_add_word.3 BN_sub_word.3
MLINKS+= BN_bn2bin.3 BN_bin2bn.3
MLINKS+= BN_bn2bin.3 BN_bn2binpad.3
MLINKS+= BN_bn2bin.3 BN_bn2dec.3
MLINKS+= BN_bn2bin.3 BN_bn2hex.3
MLINKS+= BN_bn2bin.3 BN_bn2lebinpad.3
MLINKS+= BN_bn2bin.3 BN_bn2mpi.3
MLINKS+= BN_bn2bin.3 BN_dec2bn.3
MLINKS+= BN_bn2bin.3 BN_hex2bn.3
MLINKS+= BN_bn2bin.3 BN_lebin2bn.3
MLINKS+= BN_bn2bin.3 BN_mpi2bn.3
MLINKS+= BN_bn2bin.3 BN_print.3
MLINKS+= BN_bn2bin.3 BN_print_fp.3
MLINKS+= BN_cmp.3 BN_abs_is_word.3
MLINKS+= BN_cmp.3 BN_is_odd.3
MLINKS+= BN_cmp.3 BN_is_one.3
MLINKS+= BN_cmp.3 BN_is_word.3
MLINKS+= BN_cmp.3 BN_is_zero.3
MLINKS+= BN_cmp.3 BN_ucmp.3
MLINKS+= BN_copy.3 BN_dup.3
MLINKS+= BN_copy.3 BN_with_flags.3
MLINKS+= BN_generate_prime.3 BN_GENCB_call.3
MLINKS+= BN_generate_prime.3 BN_GENCB_free.3
MLINKS+= BN_generate_prime.3 BN_GENCB_get_arg.3
MLINKS+= BN_generate_prime.3 BN_GENCB_new.3
MLINKS+= BN_generate_prime.3 BN_GENCB_set.3
MLINKS+= BN_generate_prime.3 BN_GENCB_set_old.3
MLINKS+= BN_generate_prime.3 BN_generate_prime_ex.3
MLINKS+= BN_generate_prime.3 BN_is_prime.3
MLINKS+= BN_generate_prime.3 BN_is_prime_ex.3
MLINKS+= BN_generate_prime.3 BN_is_prime_fasttest.3
MLINKS+= BN_generate_prime.3 BN_is_prime_fasttest_ex.3
MLINKS+= BN_mod_mul_montgomery.3 BN_MONT_CTX_copy.3
MLINKS+= BN_mod_mul_montgomery.3 BN_MONT_CTX_free.3
MLINKS+= BN_mod_mul_montgomery.3 BN_MONT_CTX_new.3
MLINKS+= BN_mod_mul_montgomery.3 BN_MONT_CTX_set.3
MLINKS+= BN_mod_mul_montgomery.3 BN_from_montgomery.3
MLINKS+= BN_mod_mul_montgomery.3 BN_to_montgomery.3
MLINKS+= BN_mod_mul_reciprocal.3 BN_RECP_CTX_free.3
MLINKS+= BN_mod_mul_reciprocal.3 BN_RECP_CTX_new.3
MLINKS+= BN_mod_mul_reciprocal.3 BN_RECP_CTX_set.3
MLINKS+= BN_mod_mul_reciprocal.3 BN_div_recp.3
MLINKS+= BN_new.3 BN_clear.3
MLINKS+= BN_new.3 BN_clear_free.3
MLINKS+= BN_new.3 BN_free.3
MLINKS+= BN_new.3 BN_secure_new.3
MLINKS+= BN_num_bytes.3 BN_num_bits.3
MLINKS+= BN_num_bytes.3 BN_num_bits_word.3
MLINKS+= BN_rand.3 BN_priv_rand.3
MLINKS+= BN_rand.3 BN_priv_rand_range.3
MLINKS+= BN_rand.3 BN_pseudo_rand.3
MLINKS+= BN_rand.3 BN_pseudo_rand_range.3
MLINKS+= BN_rand.3 BN_rand_range.3
MLINKS+= BN_set_bit.3 BN_clear_bit.3
MLINKS+= BN_set_bit.3 BN_is_bit_set.3
MLINKS+= BN_set_bit.3 BN_lshift.3
MLINKS+= BN_set_bit.3 BN_lshift1.3
MLINKS+= BN_set_bit.3 BN_mask_bits.3
MLINKS+= BN_set_bit.3 BN_rshift.3
MLINKS+= BN_set_bit.3 BN_rshift1.3
MLINKS+= BN_zero.3 BN_get_word.3
MLINKS+= BN_zero.3 BN_one.3
MLINKS+= BN_zero.3 BN_set_word.3
MLINKS+= BN_zero.3 BN_value_one.3
MLINKS+= BUF_MEM_new.3 BUF_MEM_free.3
MLINKS+= BUF_MEM_new.3 BUF_MEM_grow.3
MLINKS+= BUF_MEM_new.3 BUF_MEM_grow_clean.3
MLINKS+= BUF_MEM_new.3 BUF_MEM_new_ex.3
MLINKS+= BUF_MEM_new.3 BUF_reverse.3
MLINKS+= CMS_add0_cert.3 CMS_add0_crl.3
MLINKS+= CMS_add0_cert.3 CMS_add1_cert.3
MLINKS+= CMS_add0_cert.3 CMS_add1_crl.3
MLINKS+= CMS_add0_cert.3 CMS_get1_certs.3
MLINKS+= CMS_add0_cert.3 CMS_get1_crls.3
MLINKS+= CMS_add1_recipient_cert.3 CMS_add0_recipient_key.3
MLINKS+= CMS_add1_signer.3 CMS_SignerInfo_sign.3
MLINKS+= CMS_get0_RecipientInfos.3 CMS_RecipientInfo_decrypt.3
MLINKS+= CMS_get0_RecipientInfos.3 CMS_RecipientInfo_encrypt.3
MLINKS+= CMS_get0_RecipientInfos.3 CMS_RecipientInfo_kekri_get0_id.3
MLINKS+= CMS_get0_RecipientInfos.3 CMS_RecipientInfo_kekri_id_cmp.3
MLINKS+= CMS_get0_RecipientInfos.3 CMS_RecipientInfo_ktri_cert_cmp.3
MLINKS+= CMS_get0_RecipientInfos.3 CMS_RecipientInfo_ktri_get0_signer_id.3
MLINKS+= CMS_get0_RecipientInfos.3 CMS_RecipientInfo_set0_key.3
MLINKS+= CMS_get0_RecipientInfos.3 CMS_RecipientInfo_set0_pkey.3
MLINKS+= CMS_get0_RecipientInfos.3 CMS_RecipientInfo_type.3
MLINKS+= CMS_get0_SignerInfos.3 CMS_SignerInfo_cert_cmp.3
MLINKS+= CMS_get0_SignerInfos.3 CMS_SignerInfo_get0_signature.3
MLINKS+= CMS_get0_SignerInfos.3 CMS_SignerInfo_get0_signer_id.3
MLINKS+= CMS_get0_SignerInfos.3 CMS_SignerInfo_set1_signer_cert.3
MLINKS+= CMS_get0_type.3 CMS_get0_content.3
MLINKS+= CMS_get0_type.3 CMS_get0_eContentType.3
MLINKS+= CMS_get0_type.3 CMS_set1_eContentType.3
MLINKS+= CMS_get1_ReceiptRequest.3 CMS_ReceiptRequest_create0.3
MLINKS+= CMS_get1_ReceiptRequest.3 CMS_ReceiptRequest_get0_values.3
MLINKS+= CMS_get1_ReceiptRequest.3 CMS_add1_ReceiptRequest.3
MLINKS+= CMS_verify.3 CMS_get0_signers.3
MLINKS+= CONF_modules_free.3 CONF_modules_finish.3
MLINKS+= CONF_modules_free.3 CONF_modules_unload.3
MLINKS+= CONF_modules_load_file.3 CONF_modules_load.3
MLINKS+= CRYPTO_THREAD_run_once.3 CRYPTO_THREAD_lock_free.3
MLINKS+= CRYPTO_THREAD_run_once.3 CRYPTO_THREAD_lock_new.3
MLINKS+= CRYPTO_THREAD_run_once.3 CRYPTO_THREAD_read_lock.3
MLINKS+= CRYPTO_THREAD_run_once.3 CRYPTO_THREAD_unlock.3
MLINKS+= CRYPTO_THREAD_run_once.3 CRYPTO_THREAD_write_lock.3
MLINKS+= CRYPTO_THREAD_run_once.3 CRYPTO_atomic_add.3
MLINKS+= CRYPTO_get_ex_new_index.3 CRYPTO_EX_dup.3
MLINKS+= CRYPTO_get_ex_new_index.3 CRYPTO_EX_free.3
MLINKS+= CRYPTO_get_ex_new_index.3 CRYPTO_EX_new.3
MLINKS+= CRYPTO_get_ex_new_index.3 CRYPTO_free_ex_data.3
MLINKS+= CRYPTO_get_ex_new_index.3 CRYPTO_free_ex_index.3
MLINKS+= CRYPTO_get_ex_new_index.3 CRYPTO_get_ex_data.3
MLINKS+= CRYPTO_get_ex_new_index.3 CRYPTO_new_ex_data.3
MLINKS+= CRYPTO_get_ex_new_index.3 CRYPTO_set_ex_data.3
MLINKS+= CTLOG_STORE_new.3 CTLOG_STORE_free.3
MLINKS+= CTLOG_STORE_new.3 CTLOG_STORE_load_default_file.3
MLINKS+= CTLOG_STORE_new.3 CTLOG_STORE_load_file.3
MLINKS+= CTLOG_new.3 CTLOG_free.3
MLINKS+= CTLOG_new.3 CTLOG_get0_log_id.3
MLINKS+= CTLOG_new.3 CTLOG_get0_name.3
MLINKS+= CTLOG_new.3 CTLOG_get0_public_key.3
MLINKS+= CTLOG_new.3 CTLOG_new_from_base64.3
MLINKS+= CT_POLICY_EVAL_CTX_new.3 CT_POLICY_EVAL_CTX_free.3
MLINKS+= CT_POLICY_EVAL_CTX_new.3 CT_POLICY_EVAL_CTX_get0_cert.3
MLINKS+= CT_POLICY_EVAL_CTX_new.3 CT_POLICY_EVAL_CTX_get0_issuer.3
MLINKS+= CT_POLICY_EVAL_CTX_new.3 CT_POLICY_EVAL_CTX_get0_log_store.3
MLINKS+= CT_POLICY_EVAL_CTX_new.3 CT_POLICY_EVAL_CTX_get_time.3
MLINKS+= CT_POLICY_EVAL_CTX_new.3 CT_POLICY_EVAL_CTX_set1_cert.3
MLINKS+= CT_POLICY_EVAL_CTX_new.3 CT_POLICY_EVAL_CTX_set1_issuer.3
MLINKS+= CT_POLICY_EVAL_CTX_new.3 CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE.3
MLINKS+= CT_POLICY_EVAL_CTX_new.3 CT_POLICY_EVAL_CTX_set_time.3
MLINKS+= DEFINE_STACK_OF.3 DEFINE_SPECIAL_STACK_OF.3
MLINKS+= DEFINE_STACK_OF.3 DEFINE_SPECIAL_STACK_OF_CONST.3
MLINKS+= DEFINE_STACK_OF.3 DEFINE_STACK_OF_CONST.3
MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_deep_copy.3
MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_delete.3
MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_delete_ptr.3
MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_dup.3
MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_find.3
MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_find_ex.3
MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_free.3
MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_insert.3
MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_is_sorted.3
MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_new.3
MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_new_null.3
MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_new_reserve.3
MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_num.3
MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_pop.3
MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_pop_free.3
MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_push.3
MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_reserve.3
MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_set.3
MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_set_cmp_func.3
MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_shift.3
MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_sort.3
MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_unshift.3
MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_value.3
MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_zero.3
MLINKS+= DES_random_key.3 DES_cbc_cksum.3
MLINKS+= DES_random_key.3 DES_cfb64_encrypt.3
MLINKS+= DES_random_key.3 DES_cfb_encrypt.3
MLINKS+= DES_random_key.3 DES_crypt.3
MLINKS+= DES_random_key.3 DES_ecb2_encrypt.3
MLINKS+= DES_random_key.3 DES_ecb3_encrypt.3
MLINKS+= DES_random_key.3 DES_ecb_encrypt.3
MLINKS+= DES_random_key.3 DES_ede2_cbc_encrypt.3
MLINKS+= DES_random_key.3 DES_ede2_cfb64_encrypt.3
MLINKS+= DES_random_key.3 DES_ede2_ofb64_encrypt.3
MLINKS+= DES_random_key.3 DES_ede3_cbc_encrypt.3
MLINKS+= DES_random_key.3 DES_ede3_cfb64_encrypt.3
MLINKS+= DES_random_key.3 DES_ede3_ofb64_encrypt.3
MLINKS+= DES_random_key.3 DES_fcrypt.3
MLINKS+= DES_random_key.3 DES_is_weak_key.3
MLINKS+= DES_random_key.3 DES_key_sched.3
MLINKS+= DES_random_key.3 DES_ncbc_encrypt.3
MLINKS+= DES_random_key.3 DES_ofb64_encrypt.3
MLINKS+= DES_random_key.3 DES_ofb_encrypt.3
MLINKS+= DES_random_key.3 DES_pcbc_encrypt.3
MLINKS+= DES_random_key.3 DES_quad_cksum.3
MLINKS+= DES_random_key.3 DES_set_key.3
MLINKS+= DES_random_key.3 DES_set_key_checked.3
MLINKS+= DES_random_key.3 DES_set_key_unchecked.3
MLINKS+= DES_random_key.3 DES_set_odd_parity.3
MLINKS+= DES_random_key.3 DES_string_to_2keys.3
MLINKS+= DES_random_key.3 DES_string_to_key.3
MLINKS+= DES_random_key.3 DES_xcbc_encrypt.3
MLINKS+= DH_generate_key.3 DH_compute_key.3
MLINKS+= DH_generate_key.3 DH_compute_key_padded.3
MLINKS+= DH_generate_parameters.3 DH_check.3
MLINKS+= DH_generate_parameters.3 DH_check_ex.3
MLINKS+= DH_generate_parameters.3 DH_check_params.3
MLINKS+= DH_generate_parameters.3 DH_check_params_ex.3
MLINKS+= DH_generate_parameters.3 DH_check_pub_key_ex.3
MLINKS+= DH_generate_parameters.3 DH_generate_parameters_ex.3
MLINKS+= DH_get0_pqg.3 DH_clear_flags.3
MLINKS+= DH_get0_pqg.3 DH_get0_engine.3
MLINKS+= DH_get0_pqg.3 DH_get0_g.3
MLINKS+= DH_get0_pqg.3 DH_get0_key.3
MLINKS+= DH_get0_pqg.3 DH_get0_p.3
MLINKS+= DH_get0_pqg.3 DH_get0_priv_key.3
MLINKS+= DH_get0_pqg.3 DH_get0_pub_key.3
MLINKS+= DH_get0_pqg.3 DH_get0_q.3
MLINKS+= DH_get0_pqg.3 DH_get_length.3
MLINKS+= DH_get0_pqg.3 DH_set0_key.3
MLINKS+= DH_get0_pqg.3 DH_set0_pqg.3
MLINKS+= DH_get0_pqg.3 DH_set_flags.3
MLINKS+= DH_get0_pqg.3 DH_set_length.3
MLINKS+= DH_get0_pqg.3 DH_test_flags.3
MLINKS+= DH_get_1024_160.3 BN_get0_nist_prime_192.3
MLINKS+= DH_get_1024_160.3 BN_get0_nist_prime_224.3
MLINKS+= DH_get_1024_160.3 BN_get0_nist_prime_256.3
MLINKS+= DH_get_1024_160.3 BN_get0_nist_prime_384.3
MLINKS+= DH_get_1024_160.3 BN_get0_nist_prime_521.3
MLINKS+= DH_get_1024_160.3 BN_get_rfc2409_prime_1024.3
MLINKS+= DH_get_1024_160.3 BN_get_rfc2409_prime_768.3
MLINKS+= DH_get_1024_160.3 BN_get_rfc3526_prime_1536.3
MLINKS+= DH_get_1024_160.3 BN_get_rfc3526_prime_2048.3
MLINKS+= DH_get_1024_160.3 BN_get_rfc3526_prime_3072.3
MLINKS+= DH_get_1024_160.3 BN_get_rfc3526_prime_4096.3
MLINKS+= DH_get_1024_160.3 BN_get_rfc3526_prime_6144.3
MLINKS+= DH_get_1024_160.3 BN_get_rfc3526_prime_8192.3
MLINKS+= DH_get_1024_160.3 DH_get_2048_224.3
MLINKS+= DH_get_1024_160.3 DH_get_2048_256.3
MLINKS+= DH_meth_new.3 DH_meth_dup.3
MLINKS+= DH_meth_new.3 DH_meth_free.3
MLINKS+= DH_meth_new.3 DH_meth_get0_app_data.3
MLINKS+= DH_meth_new.3 DH_meth_get0_name.3
MLINKS+= DH_meth_new.3 DH_meth_get_bn_mod_exp.3
MLINKS+= DH_meth_new.3 DH_meth_get_compute_key.3
MLINKS+= DH_meth_new.3 DH_meth_get_finish.3
MLINKS+= DH_meth_new.3 DH_meth_get_flags.3
MLINKS+= DH_meth_new.3 DH_meth_get_generate_key.3
MLINKS+= DH_meth_new.3 DH_meth_get_generate_params.3
MLINKS+= DH_meth_new.3 DH_meth_get_init.3
MLINKS+= DH_meth_new.3 DH_meth_set0_app_data.3
MLINKS+= DH_meth_new.3 DH_meth_set1_name.3
MLINKS+= DH_meth_new.3 DH_meth_set_bn_mod_exp.3
MLINKS+= DH_meth_new.3 DH_meth_set_compute_key.3
MLINKS+= DH_meth_new.3 DH_meth_set_finish.3
MLINKS+= DH_meth_new.3 DH_meth_set_flags.3
MLINKS+= DH_meth_new.3 DH_meth_set_generate_key.3
MLINKS+= DH_meth_new.3 DH_meth_set_generate_params.3
MLINKS+= DH_meth_new.3 DH_meth_set_init.3
MLINKS+= DH_new.3 DH_free.3
MLINKS+= DH_new_by_nid.3 DH_get_nid.3
MLINKS+= DH_set_method.3 DH_OpenSSL.3
MLINKS+= DH_set_method.3 DH_get_default_method.3
MLINKS+= DH_set_method.3 DH_new_method.3
MLINKS+= DH_set_method.3 DH_set_default_method.3
MLINKS+= DH_size.3 DH_bits.3
MLINKS+= DH_size.3 DH_security_bits.3
MLINKS+= DSA_SIG_new.3 DSA_SIG_free.3
MLINKS+= DSA_SIG_new.3 DSA_SIG_get0.3
MLINKS+= DSA_SIG_new.3 DSA_SIG_set0.3
MLINKS+= DSA_do_sign.3 DSA_do_verify.3
MLINKS+= DSA_generate_parameters.3 DSA_generate_parameters_ex.3
MLINKS+= DSA_get0_pqg.3 DSA_clear_flags.3
MLINKS+= DSA_get0_pqg.3 DSA_get0_engine.3
MLINKS+= DSA_get0_pqg.3 DSA_get0_g.3
MLINKS+= DSA_get0_pqg.3 DSA_get0_key.3
MLINKS+= DSA_get0_pqg.3 DSA_get0_p.3
MLINKS+= DSA_get0_pqg.3 DSA_get0_priv_key.3
MLINKS+= DSA_get0_pqg.3 DSA_get0_pub_key.3
MLINKS+= DSA_get0_pqg.3 DSA_get0_q.3
MLINKS+= DSA_get0_pqg.3 DSA_set0_key.3
MLINKS+= DSA_get0_pqg.3 DSA_set0_pqg.3
MLINKS+= DSA_get0_pqg.3 DSA_set_flags.3
MLINKS+= DSA_get0_pqg.3 DSA_test_flags.3
MLINKS+= DSA_meth_new.3 DSA_meth_dup.3
MLINKS+= DSA_meth_new.3 DSA_meth_free.3
MLINKS+= DSA_meth_new.3 DSA_meth_get0_app_data.3
MLINKS+= DSA_meth_new.3 DSA_meth_get0_name.3
MLINKS+= DSA_meth_new.3 DSA_meth_get_bn_mod_exp.3
MLINKS+= DSA_meth_new.3 DSA_meth_get_finish.3
MLINKS+= DSA_meth_new.3 DSA_meth_get_flags.3
MLINKS+= DSA_meth_new.3 DSA_meth_get_init.3
MLINKS+= DSA_meth_new.3 DSA_meth_get_keygen.3
MLINKS+= DSA_meth_new.3 DSA_meth_get_mod_exp.3
MLINKS+= DSA_meth_new.3 DSA_meth_get_paramgen.3
MLINKS+= DSA_meth_new.3 DSA_meth_get_sign.3
MLINKS+= DSA_meth_new.3 DSA_meth_get_sign_setup.3
MLINKS+= DSA_meth_new.3 DSA_meth_get_verify.3
MLINKS+= DSA_meth_new.3 DSA_meth_set0_app_data.3
MLINKS+= DSA_meth_new.3 DSA_meth_set1_name.3
MLINKS+= DSA_meth_new.3 DSA_meth_set_bn_mod_exp.3
MLINKS+= DSA_meth_new.3 DSA_meth_set_finish.3
MLINKS+= DSA_meth_new.3 DSA_meth_set_flags.3
MLINKS+= DSA_meth_new.3 DSA_meth_set_init.3
MLINKS+= DSA_meth_new.3 DSA_meth_set_keygen.3
MLINKS+= DSA_meth_new.3 DSA_meth_set_mod_exp.3
MLINKS+= DSA_meth_new.3 DSA_meth_set_paramgen.3
MLINKS+= DSA_meth_new.3 DSA_meth_set_sign.3
MLINKS+= DSA_meth_new.3 DSA_meth_set_sign_setup.3
MLINKS+= DSA_meth_new.3 DSA_meth_set_verify.3
MLINKS+= DSA_new.3 DSA_free.3
MLINKS+= DSA_set_method.3 DSA_OpenSSL.3
MLINKS+= DSA_set_method.3 DSA_get_default_method.3
MLINKS+= DSA_set_method.3 DSA_new_method.3
MLINKS+= DSA_set_method.3 DSA_set_default_method.3
MLINKS+= DSA_sign.3 DSA_sign_setup.3
MLINKS+= DSA_sign.3 DSA_verify.3
MLINKS+= DSA_size.3 DSA_bits.3
MLINKS+= DSA_size.3 DSA_security_bits.3
MLINKS+= DTLS_set_timer_cb.3 DTLS_timer_cb.3
MLINKS+= DTLSv1_listen.3 SSL_stateless.3
MLINKS+= ECDSA_SIG_new.3 ECDSA_SIG_free.3
MLINKS+= ECDSA_SIG_new.3 ECDSA_SIG_get0.3
MLINKS+= ECDSA_SIG_new.3 ECDSA_SIG_get0_r.3
MLINKS+= ECDSA_SIG_new.3 ECDSA_SIG_get0_s.3
MLINKS+= ECDSA_SIG_new.3 ECDSA_SIG_set0.3
MLINKS+= ECDSA_SIG_new.3 ECDSA_do_sign.3
MLINKS+= ECDSA_SIG_new.3 ECDSA_do_sign_ex.3
MLINKS+= ECDSA_SIG_new.3 ECDSA_do_verify.3
MLINKS+= ECDSA_SIG_new.3 ECDSA_sign.3
MLINKS+= ECDSA_SIG_new.3 ECDSA_sign_ex.3
MLINKS+= ECDSA_SIG_new.3 ECDSA_sign_setup.3
MLINKS+= ECDSA_SIG_new.3 ECDSA_size.3
MLINKS+= ECDSA_SIG_new.3 ECDSA_verify.3
MLINKS+= ECPKParameters_print.3 ECPKParameters_print_fp.3
MLINKS+= EC_GFp_simple_method.3 EC_GF2m_simple_method.3
MLINKS+= EC_GFp_simple_method.3 EC_GFp_mont_method.3
MLINKS+= EC_GFp_simple_method.3 EC_GFp_nist_method.3
MLINKS+= EC_GFp_simple_method.3 EC_GFp_nistp224_method.3
MLINKS+= EC_GFp_simple_method.3 EC_GFp_nistp256_method.3
MLINKS+= EC_GFp_simple_method.3 EC_GFp_nistp521_method.3
MLINKS+= EC_GFp_simple_method.3 EC_METHOD_get_field_type.3
MLINKS+= EC_GROUP_copy.3 EC_GROUP_check.3
MLINKS+= EC_GROUP_copy.3 EC_GROUP_check_discriminant.3
MLINKS+= EC_GROUP_copy.3 EC_GROUP_cmp.3
MLINKS+= EC_GROUP_copy.3 EC_GROUP_dup.3
MLINKS+= EC_GROUP_copy.3 EC_GROUP_get0_cofactor.3
MLINKS+= EC_GROUP_copy.3 EC_GROUP_get0_generator.3
MLINKS+= EC_GROUP_copy.3 EC_GROUP_get0_order.3
MLINKS+= EC_GROUP_copy.3 EC_GROUP_get0_seed.3
MLINKS+= EC_GROUP_copy.3 EC_GROUP_get_asn1_flag.3
MLINKS+= EC_GROUP_copy.3 EC_GROUP_get_basis_type.3
MLINKS+= EC_GROUP_copy.3 EC_GROUP_get_cofactor.3
MLINKS+= EC_GROUP_copy.3 EC_GROUP_get_curve_name.3
MLINKS+= EC_GROUP_copy.3 EC_GROUP_get_degree.3
MLINKS+= EC_GROUP_copy.3 EC_GROUP_get_order.3
MLINKS+= EC_GROUP_copy.3 EC_GROUP_get_pentanomial_basis.3
MLINKS+= EC_GROUP_copy.3 EC_GROUP_get_point_conversion_form.3
MLINKS+= EC_GROUP_copy.3 EC_GROUP_get_seed_len.3
MLINKS+= EC_GROUP_copy.3 EC_GROUP_get_trinomial_basis.3
MLINKS+= EC_GROUP_copy.3 EC_GROUP_method_of.3
MLINKS+= EC_GROUP_copy.3 EC_GROUP_order_bits.3
MLINKS+= EC_GROUP_copy.3 EC_GROUP_set_asn1_flag.3
MLINKS+= EC_GROUP_copy.3 EC_GROUP_set_curve_name.3
MLINKS+= EC_GROUP_copy.3 EC_GROUP_set_generator.3
MLINKS+= EC_GROUP_copy.3 EC_GROUP_set_point_conversion_form.3
MLINKS+= EC_GROUP_copy.3 EC_GROUP_set_seed.3
MLINKS+= EC_GROUP_new.3 EC_GROUP_clear_free.3
MLINKS+= EC_GROUP_new.3 EC_GROUP_free.3
MLINKS+= EC_GROUP_new.3 EC_GROUP_get_curve.3
MLINKS+= EC_GROUP_new.3 EC_GROUP_get_curve_GF2m.3
MLINKS+= EC_GROUP_new.3 EC_GROUP_get_curve_GFp.3
MLINKS+= EC_GROUP_new.3 EC_GROUP_get_ecparameters.3
MLINKS+= EC_GROUP_new.3 EC_GROUP_get_ecpkparameters.3
MLINKS+= EC_GROUP_new.3 EC_GROUP_new_by_curve_name.3
MLINKS+= EC_GROUP_new.3 EC_GROUP_new_curve_GF2m.3
MLINKS+= EC_GROUP_new.3 EC_GROUP_new_curve_GFp.3
MLINKS+= EC_GROUP_new.3 EC_GROUP_new_from_ecparameters.3
MLINKS+= EC_GROUP_new.3 EC_GROUP_new_from_ecpkparameters.3
MLINKS+= EC_GROUP_new.3 EC_GROUP_set_curve.3
MLINKS+= EC_GROUP_new.3 EC_GROUP_set_curve_GF2m.3
MLINKS+= EC_GROUP_new.3 EC_GROUP_set_curve_GFp.3
MLINKS+= EC_GROUP_new.3 EC_get_builtin_curves.3
MLINKS+= EC_KEY_get_enc_flags.3 EC_KEY_set_enc_flags.3
MLINKS+= EC_KEY_new.3 EC_KEY_check_key.3
MLINKS+= EC_KEY_new.3 EC_KEY_clear_flags.3
MLINKS+= EC_KEY_new.3 EC_KEY_copy.3
MLINKS+= EC_KEY_new.3 EC_KEY_decoded_from_explicit_params.3
MLINKS+= EC_KEY_new.3 EC_KEY_dup.3
MLINKS+= EC_KEY_new.3 EC_KEY_free.3
MLINKS+= EC_KEY_new.3 EC_KEY_generate_key.3
MLINKS+= EC_KEY_new.3 EC_KEY_get0_engine.3
MLINKS+= EC_KEY_new.3 EC_KEY_get0_group.3
MLINKS+= EC_KEY_new.3 EC_KEY_get0_private_key.3
MLINKS+= EC_KEY_new.3 EC_KEY_get0_public_key.3
MLINKS+= EC_KEY_new.3 EC_KEY_get_conv_form.3
MLINKS+= EC_KEY_new.3 EC_KEY_get_flags.3
MLINKS+= EC_KEY_new.3 EC_KEY_get_method.3
MLINKS+= EC_KEY_new.3 EC_KEY_key2buf.3
MLINKS+= EC_KEY_new.3 EC_KEY_new_by_curve_name.3
MLINKS+= EC_KEY_new.3 EC_KEY_oct2key.3
MLINKS+= EC_KEY_new.3 EC_KEY_oct2priv.3
MLINKS+= EC_KEY_new.3 EC_KEY_precompute_mult.3
MLINKS+= EC_KEY_new.3 EC_KEY_priv2buf.3
MLINKS+= EC_KEY_new.3 EC_KEY_priv2oct.3
MLINKS+= EC_KEY_new.3 EC_KEY_set_asn1_flag.3
MLINKS+= EC_KEY_new.3 EC_KEY_set_conv_form.3
MLINKS+= EC_KEY_new.3 EC_KEY_set_flags.3
MLINKS+= EC_KEY_new.3 EC_KEY_set_group.3
MLINKS+= EC_KEY_new.3 EC_KEY_set_method.3
MLINKS+= EC_KEY_new.3 EC_KEY_set_private_key.3
MLINKS+= EC_KEY_new.3 EC_KEY_set_public_key.3
MLINKS+= EC_KEY_new.3 EC_KEY_set_public_key_affine_coordinates.3
MLINKS+= EC_KEY_new.3 EC_KEY_up_ref.3
MLINKS+= EC_POINT_add.3 EC_GROUP_have_precompute_mult.3
MLINKS+= EC_POINT_add.3 EC_GROUP_precompute_mult.3
MLINKS+= EC_POINT_add.3 EC_POINT_cmp.3
MLINKS+= EC_POINT_add.3 EC_POINT_dbl.3
MLINKS+= EC_POINT_add.3 EC_POINT_invert.3
MLINKS+= EC_POINT_add.3 EC_POINT_is_at_infinity.3
MLINKS+= EC_POINT_add.3 EC_POINT_is_on_curve.3
MLINKS+= EC_POINT_add.3 EC_POINT_make_affine.3
MLINKS+= EC_POINT_add.3 EC_POINT_mul.3
MLINKS+= EC_POINT_add.3 EC_POINTs_make_affine.3
MLINKS+= EC_POINT_add.3 EC_POINTs_mul.3
MLINKS+= EC_POINT_new.3 EC_POINT_bn2point.3
MLINKS+= EC_POINT_new.3 EC_POINT_clear_free.3
MLINKS+= EC_POINT_new.3 EC_POINT_copy.3
MLINKS+= EC_POINT_new.3 EC_POINT_dup.3
MLINKS+= EC_POINT_new.3 EC_POINT_free.3
MLINKS+= EC_POINT_new.3 EC_POINT_get_Jprojective_coordinates_GFp.3
MLINKS+= EC_POINT_new.3 EC_POINT_get_affine_coordinates.3
MLINKS+= EC_POINT_new.3 EC_POINT_get_affine_coordinates_GF2m.3
MLINKS+= EC_POINT_new.3 EC_POINT_get_affine_coordinates_GFp.3
MLINKS+= EC_POINT_new.3 EC_POINT_hex2point.3
MLINKS+= EC_POINT_new.3 EC_POINT_method_of.3
MLINKS+= EC_POINT_new.3 EC_POINT_oct2point.3
MLINKS+= EC_POINT_new.3 EC_POINT_point2bn.3
MLINKS+= EC_POINT_new.3 EC_POINT_point2buf.3
MLINKS+= EC_POINT_new.3 EC_POINT_point2hex.3
MLINKS+= EC_POINT_new.3 EC_POINT_point2oct.3
MLINKS+= EC_POINT_new.3 EC_POINT_set_Jprojective_coordinates_GFp.3
MLINKS+= EC_POINT_new.3 EC_POINT_set_affine_coordinates.3
MLINKS+= EC_POINT_new.3 EC_POINT_set_affine_coordinates_GF2m.3
MLINKS+= EC_POINT_new.3 EC_POINT_set_affine_coordinates_GFp.3
MLINKS+= EC_POINT_new.3 EC_POINT_set_compressed_coordinates.3
MLINKS+= EC_POINT_new.3 EC_POINT_set_compressed_coordinates_GF2m.3
MLINKS+= EC_POINT_new.3 EC_POINT_set_compressed_coordinates_GFp.3
MLINKS+= EC_POINT_new.3 EC_POINT_set_to_infinity.3
MLINKS+= ENGINE_add.3 ENGINE_by_id.3
MLINKS+= ENGINE_add.3 ENGINE_cleanup.3
MLINKS+= ENGINE_add.3 ENGINE_cmd_is_executable.3
MLINKS+= ENGINE_add.3 ENGINE_ctrl.3
MLINKS+= ENGINE_add.3 ENGINE_ctrl_cmd.3
MLINKS+= ENGINE_add.3 ENGINE_ctrl_cmd_string.3
MLINKS+= ENGINE_add.3 ENGINE_finish.3
MLINKS+= ENGINE_add.3 ENGINE_free.3
MLINKS+= ENGINE_add.3 ENGINE_get_DH.3
MLINKS+= ENGINE_add.3 ENGINE_get_DSA.3
MLINKS+= ENGINE_add.3 ENGINE_get_RAND.3
MLINKS+= ENGINE_add.3 ENGINE_get_RSA.3
MLINKS+= ENGINE_add.3 ENGINE_get_cipher.3
MLINKS+= ENGINE_add.3 ENGINE_get_cipher_engine.3
MLINKS+= ENGINE_add.3 ENGINE_get_ciphers.3
MLINKS+= ENGINE_add.3 ENGINE_get_cmd_defns.3
MLINKS+= ENGINE_add.3 ENGINE_get_ctrl_function.3
MLINKS+= ENGINE_add.3 ENGINE_get_default_DH.3
MLINKS+= ENGINE_add.3 ENGINE_get_default_DSA.3
MLINKS+= ENGINE_add.3 ENGINE_get_default_RAND.3
MLINKS+= ENGINE_add.3 ENGINE_get_default_RSA.3
MLINKS+= ENGINE_add.3 ENGINE_get_destroy_function.3
MLINKS+= ENGINE_add.3 ENGINE_get_digest.3
MLINKS+= ENGINE_add.3 ENGINE_get_digest_engine.3
MLINKS+= ENGINE_add.3 ENGINE_get_digests.3
MLINKS+= ENGINE_add.3 ENGINE_get_finish_function.3
MLINKS+= ENGINE_add.3 ENGINE_get_first.3
MLINKS+= ENGINE_add.3 ENGINE_get_flags.3
MLINKS+= ENGINE_add.3 ENGINE_get_id.3
MLINKS+= ENGINE_add.3 ENGINE_get_init_function.3
MLINKS+= ENGINE_add.3 ENGINE_get_last.3
MLINKS+= ENGINE_add.3 ENGINE_get_load_privkey_function.3
MLINKS+= ENGINE_add.3 ENGINE_get_load_pubkey_function.3
MLINKS+= ENGINE_add.3 ENGINE_get_name.3
MLINKS+= ENGINE_add.3 ENGINE_get_next.3
MLINKS+= ENGINE_add.3 ENGINE_get_prev.3
MLINKS+= ENGINE_add.3 ENGINE_get_table_flags.3
MLINKS+= ENGINE_add.3 ENGINE_init.3
MLINKS+= ENGINE_add.3 ENGINE_load_builtin_engines.3
MLINKS+= ENGINE_add.3 ENGINE_load_private_key.3
MLINKS+= ENGINE_add.3 ENGINE_load_public_key.3
MLINKS+= ENGINE_add.3 ENGINE_new.3
MLINKS+= ENGINE_add.3 ENGINE_register_DH.3
MLINKS+= ENGINE_add.3 ENGINE_register_DSA.3
MLINKS+= ENGINE_add.3 ENGINE_register_RAND.3
MLINKS+= ENGINE_add.3 ENGINE_register_RSA.3
MLINKS+= ENGINE_add.3 ENGINE_register_all_DH.3
MLINKS+= ENGINE_add.3 ENGINE_register_all_DSA.3
MLINKS+= ENGINE_add.3 ENGINE_register_all_RAND.3
MLINKS+= ENGINE_add.3 ENGINE_register_all_RSA.3
MLINKS+= ENGINE_add.3 ENGINE_register_all_ciphers.3
MLINKS+= ENGINE_add.3 ENGINE_register_all_complete.3
MLINKS+= ENGINE_add.3 ENGINE_register_all_digests.3
MLINKS+= ENGINE_add.3 ENGINE_register_ciphers.3
MLINKS+= ENGINE_add.3 ENGINE_register_complete.3
MLINKS+= ENGINE_add.3 ENGINE_register_digests.3
MLINKS+= ENGINE_add.3 ENGINE_remove.3
MLINKS+= ENGINE_add.3 ENGINE_set_DH.3
MLINKS+= ENGINE_add.3 ENGINE_set_DSA.3
MLINKS+= ENGINE_add.3 ENGINE_set_RAND.3
MLINKS+= ENGINE_add.3 ENGINE_set_RSA.3
MLINKS+= ENGINE_add.3 ENGINE_set_ciphers.3
MLINKS+= ENGINE_add.3 ENGINE_set_cmd_defns.3
MLINKS+= ENGINE_add.3 ENGINE_set_ctrl_function.3
MLINKS+= ENGINE_add.3 ENGINE_set_default.3
MLINKS+= ENGINE_add.3 ENGINE_set_default_DH.3
MLINKS+= ENGINE_add.3 ENGINE_set_default_DSA.3
MLINKS+= ENGINE_add.3 ENGINE_set_default_RAND.3
MLINKS+= ENGINE_add.3 ENGINE_set_default_RSA.3
MLINKS+= ENGINE_add.3 ENGINE_set_default_ciphers.3
MLINKS+= ENGINE_add.3 ENGINE_set_default_digests.3
MLINKS+= ENGINE_add.3 ENGINE_set_default_string.3
MLINKS+= ENGINE_add.3 ENGINE_set_destroy_function.3
MLINKS+= ENGINE_add.3 ENGINE_set_digests.3
MLINKS+= ENGINE_add.3 ENGINE_set_finish_function.3
MLINKS+= ENGINE_add.3 ENGINE_set_flags.3
MLINKS+= ENGINE_add.3 ENGINE_set_id.3
MLINKS+= ENGINE_add.3 ENGINE_set_init_function.3
MLINKS+= ENGINE_add.3 ENGINE_set_load_privkey_function.3
MLINKS+= ENGINE_add.3 ENGINE_set_load_pubkey_function.3
MLINKS+= ENGINE_add.3 ENGINE_set_name.3
MLINKS+= ENGINE_add.3 ENGINE_set_table_flags.3
MLINKS+= ENGINE_add.3 ENGINE_unregister_DH.3
MLINKS+= ENGINE_add.3 ENGINE_unregister_DSA.3
MLINKS+= ENGINE_add.3 ENGINE_unregister_RAND.3
MLINKS+= ENGINE_add.3 ENGINE_unregister_RSA.3
MLINKS+= ENGINE_add.3 ENGINE_unregister_ciphers.3
MLINKS+= ENGINE_add.3 ENGINE_unregister_digests.3
MLINKS+= ENGINE_add.3 ENGINE_up_ref.3
MLINKS+= ERR_GET_LIB.3 ERR_FATAL_ERROR.3
MLINKS+= ERR_GET_LIB.3 ERR_GET_FUNC.3
MLINKS+= ERR_GET_LIB.3 ERR_GET_REASON.3
MLINKS+= ERR_error_string.3 ERR_error_string_n.3
MLINKS+= ERR_error_string.3 ERR_func_error_string.3
MLINKS+= ERR_error_string.3 ERR_lib_error_string.3
MLINKS+= ERR_error_string.3 ERR_reason_error_string.3
MLINKS+= ERR_get_error.3 ERR_get_error_line.3
MLINKS+= ERR_get_error.3 ERR_get_error_line_data.3
MLINKS+= ERR_get_error.3 ERR_peek_error.3
MLINKS+= ERR_get_error.3 ERR_peek_error_line.3
MLINKS+= ERR_get_error.3 ERR_peek_error_line_data.3
MLINKS+= ERR_get_error.3 ERR_peek_last_error.3
MLINKS+= ERR_get_error.3 ERR_peek_last_error_line.3
MLINKS+= ERR_get_error.3 ERR_peek_last_error_line_data.3
MLINKS+= ERR_load_crypto_strings.3 ERR_free_strings.3
MLINKS+= ERR_load_crypto_strings.3 SSL_load_error_strings.3
MLINKS+= ERR_load_strings.3 ERR_PACK.3
MLINKS+= ERR_load_strings.3 ERR_get_next_error_library.3
MLINKS+= ERR_print_errors.3 ERR_print_errors_cb.3
MLINKS+= ERR_print_errors.3 ERR_print_errors_fp.3
MLINKS+= ERR_put_error.3 ERR_add_error_data.3
MLINKS+= ERR_put_error.3 ERR_add_error_vdata.3
MLINKS+= ERR_remove_state.3 ERR_remove_thread_state.3
MLINKS+= ERR_set_mark.3 ERR_pop_to_mark.3
MLINKS+= EVP_CIPHER_CTX_get_cipher_data.3 EVP_CIPHER_CTX_set_cipher_data.3
MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_dup.3
MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_free.3
MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_get_cleanup.3
MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_get_ctrl.3
MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_get_do_cipher.3
MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_get_get_asn1_params.3
MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_get_init.3
MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_get_set_asn1_params.3
MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_set_cleanup.3
MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_set_ctrl.3
MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_set_do_cipher.3
MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_set_flags.3
MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_set_get_asn1_params.3
MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_set_impl_ctx_size.3
MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_set_init.3
MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_set_iv_length.3
MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_set_set_asn1_params.3
MLINKS+= EVP_DigestInit.3 EVP_Digest.3
MLINKS+= EVP_DigestInit.3 EVP_DigestFinal.3
MLINKS+= EVP_DigestInit.3 EVP_DigestFinalXOF.3
MLINKS+= EVP_DigestInit.3 EVP_DigestFinal_ex.3
MLINKS+= EVP_DigestInit.3 EVP_DigestInit_ex.3
MLINKS+= EVP_DigestInit.3 EVP_DigestUpdate.3
MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_block_size.3
MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_clear_flags.3
MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_copy.3
MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_copy_ex.3
MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_ctrl.3
MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_free.3
MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_md.3
MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_md_data.3
MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_new.3
MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_pkey_ctx.3
MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_reset.3
MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_set_flags.3
MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_set_pkey_ctx.3
MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_set_update_fn.3
MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_size.3
MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_test_flags.3
MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_type.3
MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_update_fn.3
MLINKS+= EVP_DigestInit.3 EVP_MD_block_size.3
MLINKS+= EVP_DigestInit.3 EVP_MD_flags.3
MLINKS+= EVP_DigestInit.3 EVP_MD_pkey_type.3
MLINKS+= EVP_DigestInit.3 EVP_MD_size.3
MLINKS+= EVP_DigestInit.3 EVP_MD_type.3
MLINKS+= EVP_DigestInit.3 EVP_get_digestbyname.3
MLINKS+= EVP_DigestInit.3 EVP_get_digestbynid.3
MLINKS+= EVP_DigestInit.3 EVP_get_digestbyobj.3
MLINKS+= EVP_DigestInit.3 EVP_md_null.3
MLINKS+= EVP_DigestSignInit.3 EVP_DigestSign.3
MLINKS+= EVP_DigestSignInit.3 EVP_DigestSignFinal.3
MLINKS+= EVP_DigestSignInit.3 EVP_DigestSignUpdate.3
MLINKS+= EVP_DigestVerifyInit.3 EVP_DigestVerify.3
MLINKS+= EVP_DigestVerifyInit.3 EVP_DigestVerifyFinal.3
MLINKS+= EVP_DigestVerifyInit.3 EVP_DigestVerifyUpdate.3
MLINKS+= EVP_EncodeInit.3 EVP_DecodeBlock.3
MLINKS+= EVP_EncodeInit.3 EVP_DecodeFinal.3
MLINKS+= EVP_EncodeInit.3 EVP_DecodeInit.3
MLINKS+= EVP_EncodeInit.3 EVP_DecodeUpdate.3
MLINKS+= EVP_EncodeInit.3 EVP_ENCODE_CTX_copy.3
MLINKS+= EVP_EncodeInit.3 EVP_ENCODE_CTX_free.3
MLINKS+= EVP_EncodeInit.3 EVP_ENCODE_CTX_new.3
MLINKS+= EVP_EncodeInit.3 EVP_ENCODE_CTX_num.3
MLINKS+= EVP_EncodeInit.3 EVP_EncodeBlock.3
MLINKS+= EVP_EncodeInit.3 EVP_EncodeFinal.3
MLINKS+= EVP_EncodeInit.3 EVP_EncodeUpdate.3
MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_block_size.3
MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_cipher.3
MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_ctrl.3
MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_flags.3
MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_free.3
MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_get_app_data.3
MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_iv_length.3
MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_key_length.3
MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_mode.3
MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_new.3
MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_nid.3
MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_reset.3
MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_set_app_data.3
MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_set_key_length.3
MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_set_padding.3
MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_type.3
MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_asn1_to_param.3
MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_block_size.3
MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_flags.3
MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_iv_length.3
MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_key_length.3
MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_mode.3
MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_nid.3
MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_param_to_asn1.3
MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_type.3
MLINKS+= EVP_EncryptInit.3 EVP_CipherFinal.3
MLINKS+= EVP_EncryptInit.3 EVP_CipherFinal_ex.3
MLINKS+= EVP_EncryptInit.3 EVP_CipherInit.3
MLINKS+= EVP_EncryptInit.3 EVP_CipherInit_ex.3
MLINKS+= EVP_EncryptInit.3 EVP_CipherUpdate.3
MLINKS+= EVP_EncryptInit.3 EVP_DecryptFinal.3
MLINKS+= EVP_EncryptInit.3 EVP_DecryptFinal_ex.3
MLINKS+= EVP_EncryptInit.3 EVP_DecryptInit.3
MLINKS+= EVP_EncryptInit.3 EVP_DecryptInit_ex.3
MLINKS+= EVP_EncryptInit.3 EVP_DecryptUpdate.3
MLINKS+= EVP_EncryptInit.3 EVP_EncryptFinal.3
MLINKS+= EVP_EncryptInit.3 EVP_EncryptFinal_ex.3
MLINKS+= EVP_EncryptInit.3 EVP_EncryptInit_ex.3
MLINKS+= EVP_EncryptInit.3 EVP_EncryptUpdate.3
MLINKS+= EVP_EncryptInit.3 EVP_enc_null.3
MLINKS+= EVP_EncryptInit.3 EVP_get_cipherbyname.3
MLINKS+= EVP_EncryptInit.3 EVP_get_cipherbynid.3
MLINKS+= EVP_EncryptInit.3 EVP_get_cipherbyobj.3
MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_dup.3
MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_free.3
MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_get_app_datasize.3
MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_get_cleanup.3
MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_get_copy.3
MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_get_ctrl.3
MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_get_final.3
MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_get_flags.3
MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_get_init.3
MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_get_input_blocksize.3
MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_get_result_size.3
MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_get_update.3
MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_set_app_datasize.3
MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_set_cleanup.3
MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_set_copy.3
MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_set_ctrl.3
MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_set_final.3
MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_set_flags.3
MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_set_init.3
MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_set_input_blocksize.3
MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_set_result_size.3
MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_set_update.3
MLINKS+= EVP_OpenInit.3 EVP_OpenFinal.3
MLINKS+= EVP_OpenInit.3 EVP_OpenUpdate.3
MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_add0.3
MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_add_alias.3
MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_copy.3
MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_free.3
MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_new.3
MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_check.3
MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_ctrl.3
MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_free.3
MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_get_priv_key.3
MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_get_pub_key.3
MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_item.3
MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_param.3
MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_param_check.3
MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_private.3
MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_public.3
MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_public_check.3
MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_security_bits.3
MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_set_priv_key.3
MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_set_pub_key.3
MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_siginf.3
MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_get0_asn1.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_ctrl_str.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_ctrl_uint64.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_get0_dh_kdf_oid.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_get0_dh_kdf_ukm.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_get0_ecdh_kdf_ukm.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_get0_rsa_oaep_label.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_get1_id.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_get1_id_len.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_get_dh_kdf_md.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_get_dh_kdf_outlen.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_get_dh_kdf_type.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_get_ecdh_cofactor_mode.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_get_ecdh_kdf_md.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_get_ecdh_kdf_outlen.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_get_ecdh_kdf_type.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_get_rsa_mgf1_md.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_get_rsa_oaep_md.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_get_rsa_padding.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_get_rsa_pss_saltlen.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_get_signature_md.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_md.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set0_dh_kdf_oid.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set0_dh_kdf_ukm.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set0_ecdh_kdf_ukm.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set0_rsa_oaep_label.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set1_id.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_dh_kdf_md.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_dh_kdf_outlen.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_dh_kdf_type.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_dh_nid.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_dh_pad.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_dh_paramgen_generator.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_dh_paramgen_prime_len.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_dh_paramgen_subprime_len.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_dh_paramgen_type.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_dh_rfc5114.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_dhx_rfc5114.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_dsa_paramgen_bits.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_dsa_paramgen_md.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_dsa_paramgen_q_bits.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_ec_param_enc.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_ec_paramgen_curve_nid.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_ecdh_cofactor_mode.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_ecdh_kdf_md.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_ecdh_kdf_outlen.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_ecdh_kdf_type.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_mac_key.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_rsa_keygen_bits.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_rsa_keygen_primes.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_rsa_keygen_pubexp.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_rsa_mgf1_md.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_rsa_oaep_md.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_rsa_padding.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_rsa_pss_saltlen.3
MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_signature_md.3
MLINKS+= EVP_PKEY_CTX_new.3 EVP_PKEY_CTX_dup.3
MLINKS+= EVP_PKEY_CTX_new.3 EVP_PKEY_CTX_free.3
MLINKS+= EVP_PKEY_CTX_new.3 EVP_PKEY_CTX_new_id.3
MLINKS+= EVP_PKEY_CTX_set_hkdf_md.3 EVP_PKEY_CTX_add1_hkdf_info.3
MLINKS+= EVP_PKEY_CTX_set_hkdf_md.3 EVP_PKEY_CTX_hkdf_mode.3
MLINKS+= EVP_PKEY_CTX_set_hkdf_md.3 EVP_PKEY_CTX_set1_hkdf_key.3
MLINKS+= EVP_PKEY_CTX_set_hkdf_md.3 EVP_PKEY_CTX_set1_hkdf_salt.3
MLINKS+= EVP_PKEY_CTX_set_rsa_pss_keygen_md.3 EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md.3
MLINKS+= EVP_PKEY_CTX_set_rsa_pss_keygen_md.3 EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen.3
MLINKS+= EVP_PKEY_CTX_set_scrypt_N.3 EVP_PKEY_CTX_set1_scrypt_salt.3
MLINKS+= EVP_PKEY_CTX_set_scrypt_N.3 EVP_PKEY_CTX_set_scrypt_maxmem_bytes.3
MLINKS+= EVP_PKEY_CTX_set_scrypt_N.3 EVP_PKEY_CTX_set_scrypt_p.3
MLINKS+= EVP_PKEY_CTX_set_scrypt_N.3 EVP_PKEY_CTX_set_scrypt_r.3
MLINKS+= EVP_PKEY_CTX_set_tls1_prf_md.3 EVP_PKEY_CTX_add1_tls1_prf_seed.3
MLINKS+= EVP_PKEY_CTX_set_tls1_prf_md.3 EVP_PKEY_CTX_set1_tls1_prf_secret.3
MLINKS+= EVP_PKEY_asn1_get_count.3 EVP_PKEY_asn1_find.3
MLINKS+= EVP_PKEY_asn1_get_count.3 EVP_PKEY_asn1_find_str.3
MLINKS+= EVP_PKEY_asn1_get_count.3 EVP_PKEY_asn1_get0.3
MLINKS+= EVP_PKEY_asn1_get_count.3 EVP_PKEY_asn1_get0_info.3
MLINKS+= EVP_PKEY_cmp.3 EVP_PKEY_cmp_parameters.3
MLINKS+= EVP_PKEY_cmp.3 EVP_PKEY_copy_parameters.3
MLINKS+= EVP_PKEY_cmp.3 EVP_PKEY_missing_parameters.3
MLINKS+= EVP_PKEY_decrypt.3 EVP_PKEY_decrypt_init.3
MLINKS+= EVP_PKEY_derive.3 EVP_PKEY_derive_init.3
MLINKS+= EVP_PKEY_derive.3 EVP_PKEY_derive_set_peer.3
MLINKS+= EVP_PKEY_encrypt.3 EVP_PKEY_encrypt_init.3
MLINKS+= EVP_PKEY_keygen.3 EVP_PKEY_CTX_get_app_data.3
MLINKS+= EVP_PKEY_keygen.3 EVP_PKEY_CTX_get_cb.3
MLINKS+= EVP_PKEY_keygen.3 EVP_PKEY_CTX_get_keygen_info.3
MLINKS+= EVP_PKEY_keygen.3 EVP_PKEY_CTX_set_app_data.3
MLINKS+= EVP_PKEY_keygen.3 EVP_PKEY_CTX_set_cb.3
MLINKS+= EVP_PKEY_keygen.3 EVP_PKEY_check.3
MLINKS+= EVP_PKEY_keygen.3 EVP_PKEY_gen_cb.3
MLINKS+= EVP_PKEY_keygen.3 EVP_PKEY_keygen_init.3
MLINKS+= EVP_PKEY_keygen.3 EVP_PKEY_param_check.3
MLINKS+= EVP_PKEY_keygen.3 EVP_PKEY_paramgen.3
MLINKS+= EVP_PKEY_keygen.3 EVP_PKEY_paramgen_init.3
MLINKS+= EVP_PKEY_keygen.3 EVP_PKEY_public_check.3
MLINKS+= EVP_PKEY_meth_get_count.3 EVP_PKEY_meth_get0.3
MLINKS+= EVP_PKEY_meth_get_count.3 EVP_PKEY_meth_get0_info.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_METHOD.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_add0.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_copy.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_find.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_free.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_check.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_cleanup.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_copy.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_ctrl.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_decrypt.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_derive.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_digest_custom.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_digestsign.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_digestverify.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_encrypt.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_init.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_keygen.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_param_check.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_paramgen.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_public_check.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_sign.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_signctx.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_verify.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_verify_recover.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_verifyctx.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_remove.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_check.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_cleanup.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_copy.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_ctrl.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_decrypt.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_derive.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_digest_custom.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_digestsign.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_digestverify.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_encrypt.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_init.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_keygen.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_param_check.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_paramgen.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_public_check.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_sign.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_signctx.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_verify.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_verify_recover.3
MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_verifyctx.3
MLINKS+= EVP_PKEY_new.3 EVP_PKEY_free.3
MLINKS+= EVP_PKEY_new.3 EVP_PKEY_get_raw_private_key.3
MLINKS+= EVP_PKEY_new.3 EVP_PKEY_get_raw_public_key.3
MLINKS+= EVP_PKEY_new.3 EVP_PKEY_new_CMAC_key.3
MLINKS+= EVP_PKEY_new.3 EVP_PKEY_new_mac_key.3
MLINKS+= EVP_PKEY_new.3 EVP_PKEY_new_raw_private_key.3
MLINKS+= EVP_PKEY_new.3 EVP_PKEY_new_raw_public_key.3
MLINKS+= EVP_PKEY_new.3 EVP_PKEY_up_ref.3
MLINKS+= EVP_PKEY_print_private.3 EVP_PKEY_print_params.3
MLINKS+= EVP_PKEY_print_private.3 EVP_PKEY_print_public.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_assign_DH.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_assign_DSA.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_assign_EC_KEY.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_assign_POLY1305.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_assign_RSA.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_assign_SIPHASH.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_base_id.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_get0_DH.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_get0_DSA.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_get0_EC_KEY.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_get0_RSA.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_get0_engine.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_get0_hmac.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_get0_poly1305.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_get0_siphash.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_get1_DH.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_get1_DSA.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_get1_EC_KEY.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_get1_RSA.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_id.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_set1_DH.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_set1_DSA.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_set1_EC_KEY.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_set1_engine.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_set_alias_type.3
MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_type.3
MLINKS+= EVP_PKEY_sign.3 EVP_PKEY_sign_init.3
MLINKS+= EVP_PKEY_size.3 EVP_PKEY_bits.3
MLINKS+= EVP_PKEY_size.3 EVP_PKEY_security_bits.3
MLINKS+= EVP_PKEY_verify.3 EVP_PKEY_verify_init.3
MLINKS+= EVP_PKEY_verify_recover.3 EVP_PKEY_verify_recover_init.3
MLINKS+= EVP_SealInit.3 EVP_SealFinal.3
MLINKS+= EVP_SealInit.3 EVP_SealUpdate.3
MLINKS+= EVP_SignInit.3 EVP_SignFinal.3
MLINKS+= EVP_SignInit.3 EVP_SignInit_ex.3
MLINKS+= EVP_SignInit.3 EVP_SignUpdate.3
MLINKS+= EVP_VerifyInit.3 EVP_VerifyFinal.3
MLINKS+= EVP_VerifyInit.3 EVP_VerifyInit_ex.3
MLINKS+= EVP_VerifyInit.3 EVP_VerifyUpdate.3
MLINKS+= EVP_aes.3 EVP_aes_128_cbc.3
MLINKS+= EVP_aes.3 EVP_aes_128_cbc_hmac_sha1.3
MLINKS+= EVP_aes.3 EVP_aes_128_cbc_hmac_sha256.3
MLINKS+= EVP_aes.3 EVP_aes_128_ccm.3
MLINKS+= EVP_aes.3 EVP_aes_128_cfb.3
MLINKS+= EVP_aes.3 EVP_aes_128_cfb1.3
MLINKS+= EVP_aes.3 EVP_aes_128_cfb128.3
MLINKS+= EVP_aes.3 EVP_aes_128_cfb8.3
MLINKS+= EVP_aes.3 EVP_aes_128_ctr.3
MLINKS+= EVP_aes.3 EVP_aes_128_ecb.3
MLINKS+= EVP_aes.3 EVP_aes_128_gcm.3
MLINKS+= EVP_aes.3 EVP_aes_128_ocb.3
MLINKS+= EVP_aes.3 EVP_aes_128_ofb.3
MLINKS+= EVP_aes.3 EVP_aes_128_wrap.3
MLINKS+= EVP_aes.3 EVP_aes_128_wrap_pad.3
MLINKS+= EVP_aes.3 EVP_aes_128_xts.3
MLINKS+= EVP_aes.3 EVP_aes_192_cbc.3
MLINKS+= EVP_aes.3 EVP_aes_192_ccm.3
MLINKS+= EVP_aes.3 EVP_aes_192_cfb.3
MLINKS+= EVP_aes.3 EVP_aes_192_cfb1.3
MLINKS+= EVP_aes.3 EVP_aes_192_cfb128.3
MLINKS+= EVP_aes.3 EVP_aes_192_cfb8.3
MLINKS+= EVP_aes.3 EVP_aes_192_ctr.3
MLINKS+= EVP_aes.3 EVP_aes_192_ecb.3
MLINKS+= EVP_aes.3 EVP_aes_192_gcm.3
MLINKS+= EVP_aes.3 EVP_aes_192_ocb.3
MLINKS+= EVP_aes.3 EVP_aes_192_ofb.3
MLINKS+= EVP_aes.3 EVP_aes_192_wrap.3
MLINKS+= EVP_aes.3 EVP_aes_192_wrap_pad.3
MLINKS+= EVP_aes.3 EVP_aes_256_cbc.3
MLINKS+= EVP_aes.3 EVP_aes_256_cbc_hmac_sha1.3
MLINKS+= EVP_aes.3 EVP_aes_256_cbc_hmac_sha256.3
MLINKS+= EVP_aes.3 EVP_aes_256_ccm.3
MLINKS+= EVP_aes.3 EVP_aes_256_cfb.3
MLINKS+= EVP_aes.3 EVP_aes_256_cfb1.3
MLINKS+= EVP_aes.3 EVP_aes_256_cfb128.3
MLINKS+= EVP_aes.3 EVP_aes_256_cfb8.3
MLINKS+= EVP_aes.3 EVP_aes_256_ctr.3
MLINKS+= EVP_aes.3 EVP_aes_256_ecb.3
MLINKS+= EVP_aes.3 EVP_aes_256_gcm.3
MLINKS+= EVP_aes.3 EVP_aes_256_ocb.3
MLINKS+= EVP_aes.3 EVP_aes_256_ofb.3
MLINKS+= EVP_aes.3 EVP_aes_256_wrap.3
MLINKS+= EVP_aes.3 EVP_aes_256_wrap_pad.3
MLINKS+= EVP_aes.3 EVP_aes_256_xts.3
MLINKS+= EVP_aria.3 EVP_aria_128_cbc.3
MLINKS+= EVP_aria.3 EVP_aria_128_ccm.3
MLINKS+= EVP_aria.3 EVP_aria_128_cfb.3
MLINKS+= EVP_aria.3 EVP_aria_128_cfb1.3
MLINKS+= EVP_aria.3 EVP_aria_128_cfb128.3
MLINKS+= EVP_aria.3 EVP_aria_128_cfb8.3
MLINKS+= EVP_aria.3 EVP_aria_128_ctr.3
MLINKS+= EVP_aria.3 EVP_aria_128_ecb.3
MLINKS+= EVP_aria.3 EVP_aria_128_gcm.3
MLINKS+= EVP_aria.3 EVP_aria_128_ofb.3
MLINKS+= EVP_aria.3 EVP_aria_192_cbc.3
MLINKS+= EVP_aria.3 EVP_aria_192_ccm.3
MLINKS+= EVP_aria.3 EVP_aria_192_cfb.3
MLINKS+= EVP_aria.3 EVP_aria_192_cfb1.3
MLINKS+= EVP_aria.3 EVP_aria_192_cfb128.3
MLINKS+= EVP_aria.3 EVP_aria_192_cfb8.3
MLINKS+= EVP_aria.3 EVP_aria_192_ctr.3
MLINKS+= EVP_aria.3 EVP_aria_192_ecb.3
MLINKS+= EVP_aria.3 EVP_aria_192_gcm.3
MLINKS+= EVP_aria.3 EVP_aria_192_ofb.3
MLINKS+= EVP_aria.3 EVP_aria_256_cbc.3
MLINKS+= EVP_aria.3 EVP_aria_256_ccm.3
MLINKS+= EVP_aria.3 EVP_aria_256_cfb.3
MLINKS+= EVP_aria.3 EVP_aria_256_cfb1.3
MLINKS+= EVP_aria.3 EVP_aria_256_cfb128.3
MLINKS+= EVP_aria.3 EVP_aria_256_cfb8.3
MLINKS+= EVP_aria.3 EVP_aria_256_ctr.3
MLINKS+= EVP_aria.3 EVP_aria_256_ecb.3
MLINKS+= EVP_aria.3 EVP_aria_256_gcm.3
MLINKS+= EVP_aria.3 EVP_aria_256_ofb.3
MLINKS+= EVP_bf_cbc.3 EVP_bf_cfb.3
MLINKS+= EVP_bf_cbc.3 EVP_bf_cfb64.3
MLINKS+= EVP_bf_cbc.3 EVP_bf_ecb.3
MLINKS+= EVP_bf_cbc.3 EVP_bf_ofb.3
MLINKS+= EVP_blake2b512.3 EVP_blake2s256.3
MLINKS+= EVP_camellia.3 EVP_camellia_128_cbc.3
MLINKS+= EVP_camellia.3 EVP_camellia_128_cfb.3
MLINKS+= EVP_camellia.3 EVP_camellia_128_cfb1.3
MLINKS+= EVP_camellia.3 EVP_camellia_128_cfb128.3
MLINKS+= EVP_camellia.3 EVP_camellia_128_cfb8.3
MLINKS+= EVP_camellia.3 EVP_camellia_128_ctr.3
MLINKS+= EVP_camellia.3 EVP_camellia_128_ecb.3
MLINKS+= EVP_camellia.3 EVP_camellia_128_ofb.3
MLINKS+= EVP_camellia.3 EVP_camellia_192_cbc.3
MLINKS+= EVP_camellia.3 EVP_camellia_192_cfb.3
MLINKS+= EVP_camellia.3 EVP_camellia_192_cfb1.3
MLINKS+= EVP_camellia.3 EVP_camellia_192_cfb128.3
MLINKS+= EVP_camellia.3 EVP_camellia_192_cfb8.3
MLINKS+= EVP_camellia.3 EVP_camellia_192_ctr.3
MLINKS+= EVP_camellia.3 EVP_camellia_192_ecb.3
MLINKS+= EVP_camellia.3 EVP_camellia_192_ofb.3
MLINKS+= EVP_camellia.3 EVP_camellia_256_cbc.3
MLINKS+= EVP_camellia.3 EVP_camellia_256_cfb.3
MLINKS+= EVP_camellia.3 EVP_camellia_256_cfb1.3
MLINKS+= EVP_camellia.3 EVP_camellia_256_cfb128.3
MLINKS+= EVP_camellia.3 EVP_camellia_256_cfb8.3
MLINKS+= EVP_camellia.3 EVP_camellia_256_ctr.3
MLINKS+= EVP_camellia.3 EVP_camellia_256_ecb.3
MLINKS+= EVP_camellia.3 EVP_camellia_256_ofb.3
MLINKS+= EVP_cast5_cbc.3 EVP_cast5_cfb.3
MLINKS+= EVP_cast5_cbc.3 EVP_cast5_cfb64.3
MLINKS+= EVP_cast5_cbc.3 EVP_cast5_ecb.3
MLINKS+= EVP_cast5_cbc.3 EVP_cast5_ofb.3
MLINKS+= EVP_chacha20.3 EVP_chacha20_poly1305.3
MLINKS+= EVP_des.3 EVP_des_cbc.3
MLINKS+= EVP_des.3 EVP_des_cfb.3
MLINKS+= EVP_des.3 EVP_des_cfb1.3
MLINKS+= EVP_des.3 EVP_des_cfb64.3
MLINKS+= EVP_des.3 EVP_des_cfb8.3
MLINKS+= EVP_des.3 EVP_des_ecb.3
MLINKS+= EVP_des.3 EVP_des_ede.3
MLINKS+= EVP_des.3 EVP_des_ede3.3
MLINKS+= EVP_des.3 EVP_des_ede3_cbc.3
MLINKS+= EVP_des.3 EVP_des_ede3_cfb.3
MLINKS+= EVP_des.3 EVP_des_ede3_cfb1.3
MLINKS+= EVP_des.3 EVP_des_ede3_cfb64.3
MLINKS+= EVP_des.3 EVP_des_ede3_cfb8.3
MLINKS+= EVP_des.3 EVP_des_ede3_ecb.3
MLINKS+= EVP_des.3 EVP_des_ede3_ofb.3
MLINKS+= EVP_des.3 EVP_des_ede3_wrap.3
MLINKS+= EVP_des.3 EVP_des_ede_cbc.3
MLINKS+= EVP_des.3 EVP_des_ede_cfb.3
MLINKS+= EVP_des.3 EVP_des_ede_cfb64.3
MLINKS+= EVP_des.3 EVP_des_ede_ecb.3
MLINKS+= EVP_des.3 EVP_des_ede_ofb.3
MLINKS+= EVP_des.3 EVP_des_ofb.3
MLINKS+= EVP_idea_cbc.3 EVP_idea_cfb.3
MLINKS+= EVP_idea_cbc.3 EVP_idea_cfb64.3
MLINKS+= EVP_idea_cbc.3 EVP_idea_ecb.3
MLINKS+= EVP_idea_cbc.3 EVP_idea_ofb.3
MLINKS+= EVP_md5.3 EVP_md5_sha1.3
MLINKS+= EVP_rc2_cbc.3 EVP_rc2_40_cbc.3
MLINKS+= EVP_rc2_cbc.3 EVP_rc2_64_cbc.3
MLINKS+= EVP_rc2_cbc.3 EVP_rc2_cfb.3
MLINKS+= EVP_rc2_cbc.3 EVP_rc2_cfb64.3
MLINKS+= EVP_rc2_cbc.3 EVP_rc2_ecb.3
MLINKS+= EVP_rc2_cbc.3 EVP_rc2_ofb.3
MLINKS+= EVP_rc4.3 EVP_rc4_40.3
MLINKS+= EVP_rc4.3 EVP_rc4_hmac_md5.3
MLINKS+= EVP_rc5_32_12_16_cbc.3 EVP_rc5_32_12_16_cfb.3
MLINKS+= EVP_rc5_32_12_16_cbc.3 EVP_rc5_32_12_16_cfb64.3
MLINKS+= EVP_rc5_32_12_16_cbc.3 EVP_rc5_32_12_16_ecb.3
MLINKS+= EVP_rc5_32_12_16_cbc.3 EVP_rc5_32_12_16_ofb.3
MLINKS+= EVP_seed_cbc.3 EVP_seed_cfb.3
MLINKS+= EVP_seed_cbc.3 EVP_seed_cfb128.3
MLINKS+= EVP_seed_cbc.3 EVP_seed_ecb.3
MLINKS+= EVP_seed_cbc.3 EVP_seed_ofb.3
MLINKS+= EVP_sha224.3 EVP_sha256.3
MLINKS+= EVP_sha224.3 EVP_sha384.3
MLINKS+= EVP_sha224.3 EVP_sha512.3
MLINKS+= EVP_sha224.3 EVP_sha512_224.3
MLINKS+= EVP_sha224.3 EVP_sha512_256.3
MLINKS+= EVP_sha3_224.3 EVP_sha3_256.3
MLINKS+= EVP_sha3_224.3 EVP_sha3_384.3
MLINKS+= EVP_sha3_224.3 EVP_sha3_512.3
MLINKS+= EVP_sha3_224.3 EVP_shake128.3
MLINKS+= EVP_sha3_224.3 EVP_shake256.3
MLINKS+= EVP_sm4_cbc.3 EVP_sm4_cfb.3
MLINKS+= EVP_sm4_cbc.3 EVP_sm4_cfb128.3
MLINKS+= EVP_sm4_cbc.3 EVP_sm4_ctr.3
MLINKS+= EVP_sm4_cbc.3 EVP_sm4_ecb.3
MLINKS+= EVP_sm4_cbc.3 EVP_sm4_ofb.3
MLINKS+= HMAC.3 HMAC_CTX_copy.3
MLINKS+= HMAC.3 HMAC_CTX_free.3
MLINKS+= HMAC.3 HMAC_CTX_get_md.3
MLINKS+= HMAC.3 HMAC_CTX_new.3
MLINKS+= HMAC.3 HMAC_CTX_reset.3
MLINKS+= HMAC.3 HMAC_CTX_set_flags.3
MLINKS+= HMAC.3 HMAC_Final.3
MLINKS+= HMAC.3 HMAC_Init.3
MLINKS+= HMAC.3 HMAC_Init_ex.3
MLINKS+= HMAC.3 HMAC_Update.3
MLINKS+= HMAC.3 HMAC_size.3
MLINKS+= MD5.3 MD2.3
MLINKS+= MD5.3 MD2_Final.3
MLINKS+= MD5.3 MD2_Init.3
MLINKS+= MD5.3 MD2_Update.3
MLINKS+= MD5.3 MD4.3
MLINKS+= MD5.3 MD4_Final.3
MLINKS+= MD5.3 MD4_Init.3
MLINKS+= MD5.3 MD4_Update.3
MLINKS+= MD5.3 MD5_Final.3
MLINKS+= MD5.3 MD5_Init.3
MLINKS+= MD5.3 MD5_Update.3
MLINKS+= MDC2_Init.3 MDC2.3
MLINKS+= MDC2_Init.3 MDC2_Final.3
MLINKS+= MDC2_Init.3 MDC2_Update.3
MLINKS+= OBJ_nid2obj.3 OBJ_cleanup.3
MLINKS+= OBJ_nid2obj.3 OBJ_cmp.3
MLINKS+= OBJ_nid2obj.3 OBJ_create.3
MLINKS+= OBJ_nid2obj.3 OBJ_dup.3
MLINKS+= OBJ_nid2obj.3 OBJ_get0_data.3
MLINKS+= OBJ_nid2obj.3 OBJ_length.3
MLINKS+= OBJ_nid2obj.3 OBJ_ln2nid.3
MLINKS+= OBJ_nid2obj.3 OBJ_nid2ln.3
MLINKS+= OBJ_nid2obj.3 OBJ_nid2sn.3
MLINKS+= OBJ_nid2obj.3 OBJ_obj2nid.3
MLINKS+= OBJ_nid2obj.3 OBJ_obj2txt.3
MLINKS+= OBJ_nid2obj.3 OBJ_sn2nid.3
MLINKS+= OBJ_nid2obj.3 OBJ_txt2nid.3
MLINKS+= OBJ_nid2obj.3 OBJ_txt2obj.3
MLINKS+= OBJ_nid2obj.3 i2t_ASN1_OBJECT.3
MLINKS+= OCSP_REQUEST_new.3 OCSP_REQUEST_free.3
MLINKS+= OCSP_REQUEST_new.3 OCSP_request_add0_id.3
MLINKS+= OCSP_REQUEST_new.3 OCSP_request_add1_cert.3
MLINKS+= OCSP_REQUEST_new.3 OCSP_request_onereq_count.3
MLINKS+= OCSP_REQUEST_new.3 OCSP_request_onereq_get0.3
MLINKS+= OCSP_REQUEST_new.3 OCSP_request_sign.3
MLINKS+= OCSP_cert_to_id.3 OCSP_CERTID_free.3
MLINKS+= OCSP_cert_to_id.3 OCSP_cert_id_new.3
MLINKS+= OCSP_cert_to_id.3 OCSP_id_cmp.3
MLINKS+= OCSP_cert_to_id.3 OCSP_id_get0_info.3
MLINKS+= OCSP_cert_to_id.3 OCSP_id_issuer_cmp.3
MLINKS+= OCSP_request_add1_nonce.3 OCSP_basic_add1_nonce.3
MLINKS+= OCSP_request_add1_nonce.3 OCSP_check_nonce.3
MLINKS+= OCSP_request_add1_nonce.3 OCSP_copy_nonce.3
MLINKS+= OCSP_resp_find_status.3 OCSP_basic_verify.3
MLINKS+= OCSP_resp_find_status.3 OCSP_check_validity.3
MLINKS+= OCSP_resp_find_status.3 OCSP_resp_count.3
MLINKS+= OCSP_resp_find_status.3 OCSP_resp_find.3
MLINKS+= OCSP_resp_find_status.3 OCSP_resp_get0.3
MLINKS+= OCSP_resp_find_status.3 OCSP_resp_get0_certs.3
MLINKS+= OCSP_resp_find_status.3 OCSP_resp_get0_id.3
MLINKS+= OCSP_resp_find_status.3 OCSP_resp_get0_produced_at.3
MLINKS+= OCSP_resp_find_status.3 OCSP_resp_get0_respdata.3
MLINKS+= OCSP_resp_find_status.3 OCSP_resp_get0_signature.3
MLINKS+= OCSP_resp_find_status.3 OCSP_resp_get0_signer.3
MLINKS+= OCSP_resp_find_status.3 OCSP_resp_get0_tbs_sigalg.3
MLINKS+= OCSP_resp_find_status.3 OCSP_resp_get1_id.3
MLINKS+= OCSP_resp_find_status.3 OCSP_single_get0_status.3
MLINKS+= OCSP_response_status.3 OCSP_RESPID_match.3
MLINKS+= OCSP_response_status.3 OCSP_RESPID_set_by_key.3
MLINKS+= OCSP_response_status.3 OCSP_RESPID_set_by_name.3
MLINKS+= OCSP_response_status.3 OCSP_RESPONSE_free.3
MLINKS+= OCSP_response_status.3 OCSP_basic_sign.3
MLINKS+= OCSP_response_status.3 OCSP_basic_sign_ctx.3
MLINKS+= OCSP_response_status.3 OCSP_response_create.3
MLINKS+= OCSP_response_status.3 OCSP_response_get1_basic.3
MLINKS+= OCSP_sendreq_new.3 OCSP_REQ_CTX_add1_header.3
MLINKS+= OCSP_sendreq_new.3 OCSP_REQ_CTX_free.3
MLINKS+= OCSP_sendreq_new.3 OCSP_REQ_CTX_i2d.3
MLINKS+= OCSP_sendreq_new.3 OCSP_REQ_CTX_set1_req.3
MLINKS+= OCSP_sendreq_new.3 OCSP_sendreq_bio.3
MLINKS+= OCSP_sendreq_new.3 OCSP_sendreq_nbio.3
MLINKS+= OCSP_sendreq_new.3 OCSP_set_max_response_length.3
MLINKS+= OPENSSL_LH_COMPFUNC.3 DECLARE_LHASH_OF.3
MLINKS+= OPENSSL_LH_COMPFUNC.3 IMPLEMENT_LHASH_COMP_FN.3
MLINKS+= OPENSSL_LH_COMPFUNC.3 IMPLEMENT_LHASH_HASH_FN.3
MLINKS+= OPENSSL_LH_COMPFUNC.3 LHASH.3
MLINKS+= OPENSSL_LH_COMPFUNC.3 LHASH_DOALL_ARG_FN_TYPE.3
MLINKS+= OPENSSL_LH_COMPFUNC.3 OPENSSL_LH_DOALL_FUNC.3
MLINKS+= OPENSSL_LH_COMPFUNC.3 OPENSSL_LH_HASHFUNC.3
MLINKS+= OPENSSL_LH_COMPFUNC.3 lh_TYPE_delete.3
MLINKS+= OPENSSL_LH_COMPFUNC.3 lh_TYPE_doall.3
MLINKS+= OPENSSL_LH_COMPFUNC.3 lh_TYPE_doall_arg.3
MLINKS+= OPENSSL_LH_COMPFUNC.3 lh_TYPE_error.3
MLINKS+= OPENSSL_LH_COMPFUNC.3 lh_TYPE_free.3
MLINKS+= OPENSSL_LH_COMPFUNC.3 lh_TYPE_insert.3
MLINKS+= OPENSSL_LH_COMPFUNC.3 lh_TYPE_new.3
MLINKS+= OPENSSL_LH_COMPFUNC.3 lh_TYPE_retrieve.3
MLINKS+= OPENSSL_LH_stats.3 OPENSSL_LH_node_stats.3
MLINKS+= OPENSSL_LH_stats.3 OPENSSL_LH_node_stats_bio.3
MLINKS+= OPENSSL_LH_stats.3 OPENSSL_LH_node_usage_stats.3
MLINKS+= OPENSSL_LH_stats.3 OPENSSL_LH_node_usage_stats_bio.3
MLINKS+= OPENSSL_LH_stats.3 OPENSSL_LH_stats_bio.3
MLINKS+= OPENSSL_VERSION_NUMBER.3 OPENSSL_VERSION_TEXT.3
MLINKS+= OPENSSL_VERSION_NUMBER.3 OpenSSL_version.3
MLINKS+= OPENSSL_VERSION_NUMBER.3 OpenSSL_version_num.3
MLINKS+= OPENSSL_config.3 OPENSSL_no_config.3
MLINKS+= OPENSSL_fork_prepare.3 OPENSSL_fork_child.3
MLINKS+= OPENSSL_fork_prepare.3 OPENSSL_fork_parent.3
MLINKS+= OPENSSL_init_crypto.3 OPENSSL_INIT_free.3
MLINKS+= OPENSSL_init_crypto.3 OPENSSL_INIT_new.3
MLINKS+= OPENSSL_init_crypto.3 OPENSSL_INIT_set_config_appname.3
MLINKS+= OPENSSL_init_crypto.3 OPENSSL_INIT_set_config_file_flags.3
MLINKS+= OPENSSL_init_crypto.3 OPENSSL_INIT_set_config_filename.3
MLINKS+= OPENSSL_init_crypto.3 OPENSSL_atexit.3
MLINKS+= OPENSSL_init_crypto.3 OPENSSL_cleanup.3
MLINKS+= OPENSSL_init_crypto.3 OPENSSL_thread_stop.3
MLINKS+= OPENSSL_instrument_bus.3 OPENSSL_instrument_bus2.3
MLINKS+= OPENSSL_load_builtin_modules.3 ASN1_add_oid_module.3
MLINKS+= OPENSSL_load_builtin_modules.3 ENGINE_add_conf_module.3
MLINKS+= OPENSSL_malloc.3 CRYPTO_clear_free.3
MLINKS+= OPENSSL_malloc.3 CRYPTO_clear_realloc.3
MLINKS+= OPENSSL_malloc.3 CRYPTO_free.3
MLINKS+= OPENSSL_malloc.3 CRYPTO_get_alloc_counts.3
MLINKS+= OPENSSL_malloc.3 CRYPTO_get_mem_functions.3
MLINKS+= OPENSSL_malloc.3 CRYPTO_malloc.3
MLINKS+= OPENSSL_malloc.3 CRYPTO_mem_ctrl.3
MLINKS+= OPENSSL_malloc.3 CRYPTO_mem_debug_pop.3
MLINKS+= OPENSSL_malloc.3 CRYPTO_mem_debug_push.3
MLINKS+= OPENSSL_malloc.3 CRYPTO_mem_leaks.3
MLINKS+= OPENSSL_malloc.3 CRYPTO_mem_leaks_cb.3
MLINKS+= OPENSSL_malloc.3 CRYPTO_mem_leaks_fp.3
MLINKS+= OPENSSL_malloc.3 CRYPTO_realloc.3
MLINKS+= OPENSSL_malloc.3 CRYPTO_set_mem_debug.3
MLINKS+= OPENSSL_malloc.3 CRYPTO_set_mem_functions.3
MLINKS+= OPENSSL_malloc.3 CRYPTO_strdup.3
MLINKS+= OPENSSL_malloc.3 CRYPTO_strndup.3
MLINKS+= OPENSSL_malloc.3 CRYPTO_zalloc.3
MLINKS+= OPENSSL_malloc.3 OPENSSL_MALLOC_FAILURES.3
MLINKS+= OPENSSL_malloc.3 OPENSSL_MALLOC_FD.3
MLINKS+= OPENSSL_malloc.3 OPENSSL_buf2hexstr.3
MLINKS+= OPENSSL_malloc.3 OPENSSL_cleanse.3
MLINKS+= OPENSSL_malloc.3 OPENSSL_clear_free.3
MLINKS+= OPENSSL_malloc.3 OPENSSL_clear_realloc.3
MLINKS+= OPENSSL_malloc.3 OPENSSL_free.3
MLINKS+= OPENSSL_malloc.3 OPENSSL_hexchar2int.3
MLINKS+= OPENSSL_malloc.3 OPENSSL_hexstr2buf.3
MLINKS+= OPENSSL_malloc.3 OPENSSL_malloc_init.3
MLINKS+= OPENSSL_malloc.3 OPENSSL_mem_debug_pop.3
MLINKS+= OPENSSL_malloc.3 OPENSSL_mem_debug_push.3
MLINKS+= OPENSSL_malloc.3 OPENSSL_memdup.3
MLINKS+= OPENSSL_malloc.3 OPENSSL_realloc.3
MLINKS+= OPENSSL_malloc.3 OPENSSL_strdup.3
MLINKS+= OPENSSL_malloc.3 OPENSSL_strlcat.3
MLINKS+= OPENSSL_malloc.3 OPENSSL_strlcpy.3
MLINKS+= OPENSSL_malloc.3 OPENSSL_strndup.3
MLINKS+= OPENSSL_malloc.3 OPENSSL_zalloc.3
MLINKS+= OPENSSL_secure_malloc.3 CRYPTO_secure_allocated.3
MLINKS+= OPENSSL_secure_malloc.3 CRYPTO_secure_clear_free.3
MLINKS+= OPENSSL_secure_malloc.3 CRYPTO_secure_free.3
MLINKS+= OPENSSL_secure_malloc.3 CRYPTO_secure_malloc.3
MLINKS+= OPENSSL_secure_malloc.3 CRYPTO_secure_malloc_done.3
MLINKS+= OPENSSL_secure_malloc.3 CRYPTO_secure_malloc_init.3
MLINKS+= OPENSSL_secure_malloc.3 CRYPTO_secure_malloc_initialized.3
MLINKS+= OPENSSL_secure_malloc.3 CRYPTO_secure_used.3
MLINKS+= OPENSSL_secure_malloc.3 CRYPTO_secure_zalloc.3
MLINKS+= OPENSSL_secure_malloc.3 OPENSSL_secure_actual_size.3
MLINKS+= OPENSSL_secure_malloc.3 OPENSSL_secure_clear_free.3
MLINKS+= OPENSSL_secure_malloc.3 OPENSSL_secure_free.3
MLINKS+= OPENSSL_secure_malloc.3 OPENSSL_secure_zalloc.3
MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_free.3
MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get0_CERT.3
MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get0_CRL.3
MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get0_NAME.3
MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get0_NAME_description.3
MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get0_PARAMS.3
MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get0_PKEY.3
MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get1_CERT.3
MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get1_CRL.3
MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get1_NAME.3
MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get1_NAME_description.3
MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get1_PARAMS.3
MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get1_PKEY.3
MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get_type.3
MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_new_CERT.3
MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_new_CRL.3
MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_new_NAME.3
MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_new_PARAMS.3
MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_new_PKEY.3
MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_set0_NAME_description.3
MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_type_string.3
MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_CTX.3
MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_free.3
MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_get0_engine.3
MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_get0_scheme.3
MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_new.3
MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_set_close.3
MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_set_ctrl.3
MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_set_eof.3
MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_set_error.3
MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_set_expect.3
MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_set_find.3
MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_set_load.3
MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_set_open.3
MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_close_fn.3
MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_ctrl_fn.3
MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_eof_fn.3
MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_error_fn.3
MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_expect_fn.3
MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_find_fn.3
MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_load_fn.3
MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_open_fn.3
MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_register_loader.3
MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_unregister_loader.3
MLINKS+= OSSL_STORE_SEARCH.3 OSSL_STORE_SEARCH_by_alias.3
MLINKS+= OSSL_STORE_SEARCH.3 OSSL_STORE_SEARCH_by_issuer_serial.3
MLINKS+= OSSL_STORE_SEARCH.3 OSSL_STORE_SEARCH_by_key_fingerprint.3
MLINKS+= OSSL_STORE_SEARCH.3 OSSL_STORE_SEARCH_by_name.3
MLINKS+= OSSL_STORE_SEARCH.3 OSSL_STORE_SEARCH_free.3
MLINKS+= OSSL_STORE_SEARCH.3 OSSL_STORE_SEARCH_get0_bytes.3
MLINKS+= OSSL_STORE_SEARCH.3 OSSL_STORE_SEARCH_get0_digest.3
MLINKS+= OSSL_STORE_SEARCH.3 OSSL_STORE_SEARCH_get0_name.3
MLINKS+= OSSL_STORE_SEARCH.3 OSSL_STORE_SEARCH_get0_serial.3
MLINKS+= OSSL_STORE_SEARCH.3 OSSL_STORE_SEARCH_get0_string.3
MLINKS+= OSSL_STORE_SEARCH.3 OSSL_STORE_SEARCH_get_type.3
MLINKS+= OSSL_STORE_expect.3 OSSL_STORE_find.3
MLINKS+= OSSL_STORE_expect.3 OSSL_STORE_supports_search.3
MLINKS+= OSSL_STORE_open.3 OSSL_STORE_CTX.3
MLINKS+= OSSL_STORE_open.3 OSSL_STORE_close.3
MLINKS+= OSSL_STORE_open.3 OSSL_STORE_ctrl.3
MLINKS+= OSSL_STORE_open.3 OSSL_STORE_eof.3
MLINKS+= OSSL_STORE_open.3 OSSL_STORE_error.3
MLINKS+= OSSL_STORE_open.3 OSSL_STORE_load.3
MLINKS+= OSSL_STORE_open.3 OSSL_STORE_post_process_info_fn.3
MLINKS+= OpenSSL_add_all_algorithms.3 EVP_cleanup.3
MLINKS+= OpenSSL_add_all_algorithms.3 OpenSSL_add_all_ciphers.3
MLINKS+= OpenSSL_add_all_algorithms.3 OpenSSL_add_all_digests.3
MLINKS+= PEM_bytes_read_bio.3 PEM_bytes_read_bio_secmem.3
MLINKS+= PEM_read.3 PEM_do_header.3
MLINKS+= PEM_read.3 PEM_get_EVP_CIPHER_INFO.3
MLINKS+= PEM_read.3 PEM_read_bio.3
MLINKS+= PEM_read.3 PEM_write.3
MLINKS+= PEM_read.3 PEM_write_bio.3
MLINKS+= PEM_read_CMS.3 DECLARE_PEM_rw.3
MLINKS+= PEM_read_CMS.3 PEM_read_ECPKParameters.3
MLINKS+= PEM_read_CMS.3 PEM_read_ECPrivateKey.3
MLINKS+= PEM_read_CMS.3 PEM_read_EC_PUBKEY.3
MLINKS+= PEM_read_CMS.3 PEM_read_NETSCAPE_CERT_SEQUENCE.3
MLINKS+= PEM_read_CMS.3 PEM_read_PKCS8.3
MLINKS+= PEM_read_CMS.3 PEM_read_PKCS8_PRIV_KEY_INFO.3
MLINKS+= PEM_read_CMS.3 PEM_read_SSL_SESSION.3
MLINKS+= PEM_read_CMS.3 PEM_read_bio_CMS.3
MLINKS+= PEM_read_CMS.3 PEM_read_bio_ECPKParameters.3
MLINKS+= PEM_read_CMS.3 PEM_read_bio_EC_PUBKEY.3
MLINKS+= PEM_read_CMS.3 PEM_read_bio_NETSCAPE_CERT_SEQUENCE.3
MLINKS+= PEM_read_CMS.3 PEM_read_bio_PKCS8.3
MLINKS+= PEM_read_CMS.3 PEM_read_bio_PKCS8_PRIV_KEY_INFO.3
MLINKS+= PEM_read_CMS.3 PEM_read_bio_SSL_SESSION.3
MLINKS+= PEM_read_CMS.3 PEM_write_CMS.3
MLINKS+= PEM_read_CMS.3 PEM_write_DHxparams.3
MLINKS+= PEM_read_CMS.3 PEM_write_ECPKParameters.3
MLINKS+= PEM_read_CMS.3 PEM_write_ECPrivateKey.3
MLINKS+= PEM_read_CMS.3 PEM_write_EC_PUBKEY.3
MLINKS+= PEM_read_CMS.3 PEM_write_NETSCAPE_CERT_SEQUENCE.3
MLINKS+= PEM_read_CMS.3 PEM_write_PKCS8.3
MLINKS+= PEM_read_CMS.3 PEM_write_PKCS8_PRIV_KEY_INFO.3
MLINKS+= PEM_read_CMS.3 PEM_write_SSL_SESSION.3
MLINKS+= PEM_read_CMS.3 PEM_write_bio_CMS.3
MLINKS+= PEM_read_CMS.3 PEM_write_bio_DHxparams.3
MLINKS+= PEM_read_CMS.3 PEM_write_bio_ECPKParameters.3
MLINKS+= PEM_read_CMS.3 PEM_write_bio_ECPrivateKey.3
MLINKS+= PEM_read_CMS.3 PEM_write_bio_EC_PUBKEY.3
MLINKS+= PEM_read_CMS.3 PEM_write_bio_NETSCAPE_CERT_SEQUENCE.3
MLINKS+= PEM_read_CMS.3 PEM_write_bio_PKCS8.3
MLINKS+= PEM_read_CMS.3 PEM_write_bio_PKCS8_PRIV_KEY_INFO.3
MLINKS+= PEM_read_CMS.3 PEM_write_bio_SSL_SESSION.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_DHparams.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_DSAPrivateKey.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_DSA_PUBKEY.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_DSAparams.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_PKCS7.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_PUBKEY.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_PrivateKey.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_RSAPrivateKey.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_RSAPublicKey.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_RSA_PUBKEY.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_X509.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_X509_AUX.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_X509_CRL.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_X509_REQ.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_DHparams.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_DSAPrivateKey.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_DSA_PUBKEY.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_DSAparams.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_PKCS7.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_PUBKEY.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_Parameters.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_RSAPrivateKey.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_RSAPublicKey.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_RSA_PUBKEY.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_X509.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_X509_AUX.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_X509_CRL.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_X509_REQ.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_DHparams.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_DSAPrivateKey.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_DSA_PUBKEY.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_DSAparams.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_PKCS7.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_PKCS8PrivateKey.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_PKCS8PrivateKey_nid.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_PUBKEY.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_PrivateKey.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_RSAPrivateKey.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_RSAPublicKey.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_RSA_PUBKEY.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_X509.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_X509_AUX.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_X509_CRL.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_X509_REQ.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_X509_REQ_NEW.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_DHparams.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_DSAPrivateKey.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_DSA_PUBKEY.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_DSAparams.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_PKCS7.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_PKCS8PrivateKey.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_PKCS8PrivateKey_nid.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_PUBKEY.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_Parameters.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_PrivateKey.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_PrivateKey_traditional.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_RSAPrivateKey.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_RSAPublicKey.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_RSA_PUBKEY.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_X509.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_X509_AUX.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_X509_CRL.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_X509_REQ.3
MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_X509_REQ_NEW.3
MLINKS+= PEM_read_bio_PrivateKey.3 pem_password_cb.3
MLINKS+= PEM_read_bio_ex.3 PEM_FLAG_EAY_COMPATIBLE.3
MLINKS+= PEM_read_bio_ex.3 PEM_FLAG_ONLY_B64.3
MLINKS+= PEM_read_bio_ex.3 PEM_FLAG_SECURE.3
MLINKS+= PKCS5_PBKDF2_HMAC.3 PKCS5_PBKDF2_HMAC_SHA1.3
MLINKS+= PKCS7_verify.3 PKCS7_get0_signers.3
MLINKS+= RAND_DRBG_generate.3 RAND_DRBG_bytes.3
MLINKS+= RAND_DRBG_get0_master.3 RAND_DRBG_get0_private.3
MLINKS+= RAND_DRBG_get0_master.3 RAND_DRBG_get0_public.3
MLINKS+= RAND_DRBG_new.3 RAND_DRBG_free.3
MLINKS+= RAND_DRBG_new.3 RAND_DRBG_instantiate.3
MLINKS+= RAND_DRBG_new.3 RAND_DRBG_secure_new.3
MLINKS+= RAND_DRBG_new.3 RAND_DRBG_set.3
MLINKS+= RAND_DRBG_new.3 RAND_DRBG_set_defaults.3
MLINKS+= RAND_DRBG_new.3 RAND_DRBG_uninstantiate.3
MLINKS+= RAND_DRBG_reseed.3 RAND_DRBG_set_reseed_defaults.3
MLINKS+= RAND_DRBG_reseed.3 RAND_DRBG_set_reseed_interval.3
MLINKS+= RAND_DRBG_reseed.3 RAND_DRBG_set_reseed_time_interval.3
MLINKS+= RAND_DRBG_set_callbacks.3 RAND_DRBG_cleanup_entropy_fn.3
MLINKS+= RAND_DRBG_set_callbacks.3 RAND_DRBG_cleanup_nonce_fn.3
MLINKS+= RAND_DRBG_set_callbacks.3 RAND_DRBG_get_entropy_fn.3
MLINKS+= RAND_DRBG_set_callbacks.3 RAND_DRBG_get_nonce_fn.3
MLINKS+= RAND_DRBG_set_ex_data.3 RAND_DRBG_get_ex_data.3
MLINKS+= RAND_DRBG_set_ex_data.3 RAND_DRBG_get_ex_new_index.3
MLINKS+= RAND_add.3 RAND_event.3
MLINKS+= RAND_add.3 RAND_keep_random_devices_open.3
MLINKS+= RAND_add.3 RAND_poll.3
MLINKS+= RAND_add.3 RAND_screen.3
MLINKS+= RAND_add.3 RAND_seed.3
MLINKS+= RAND_add.3 RAND_status.3
MLINKS+= RAND_bytes.3 RAND_priv_bytes.3
MLINKS+= RAND_bytes.3 RAND_pseudo_bytes.3
MLINKS+= RAND_egd.3 RAND_egd_bytes.3
MLINKS+= RAND_egd.3 RAND_query_egd_bytes.3
MLINKS+= RAND_load_file.3 RAND_file_name.3
MLINKS+= RAND_load_file.3 RAND_write_file.3
MLINKS+= RAND_set_rand_method.3 RAND_OpenSSL.3
MLINKS+= RAND_set_rand_method.3 RAND_get_rand_method.3
MLINKS+= RC4_set_key.3 RC4.3
MLINKS+= RIPEMD160_Init.3 RIPEMD160.3
MLINKS+= RIPEMD160_Init.3 RIPEMD160_Final.3
MLINKS+= RIPEMD160_Init.3 RIPEMD160_Update.3
MLINKS+= RSA_blinding_on.3 RSA_blinding_off.3
MLINKS+= RSA_check_key.3 RSA_check_key_ex.3
MLINKS+= RSA_generate_key.3 RSA_generate_key_ex.3
MLINKS+= RSA_generate_key.3 RSA_generate_multi_prime_key.3
MLINKS+= RSA_get0_key.3 RSA_clear_flags.3
MLINKS+= RSA_get0_key.3 RSA_get0_crt_params.3
MLINKS+= RSA_get0_key.3 RSA_get0_d.3
MLINKS+= RSA_get0_key.3 RSA_get0_dmp1.3
MLINKS+= RSA_get0_key.3 RSA_get0_dmq1.3
MLINKS+= RSA_get0_key.3 RSA_get0_e.3
MLINKS+= RSA_get0_key.3 RSA_get0_engine.3
MLINKS+= RSA_get0_key.3 RSA_get0_factors.3
MLINKS+= RSA_get0_key.3 RSA_get0_iqmp.3
MLINKS+= RSA_get0_key.3 RSA_get0_multi_prime_crt_params.3
MLINKS+= RSA_get0_key.3 RSA_get0_multi_prime_factors.3
MLINKS+= RSA_get0_key.3 RSA_get0_n.3
MLINKS+= RSA_get0_key.3 RSA_get0_p.3
MLINKS+= RSA_get0_key.3 RSA_get0_pss_params.3
MLINKS+= RSA_get0_key.3 RSA_get0_q.3
MLINKS+= RSA_get0_key.3 RSA_get_multi_prime_extra_count.3
MLINKS+= RSA_get0_key.3 RSA_get_version.3
MLINKS+= RSA_get0_key.3 RSA_set0_crt_params.3
MLINKS+= RSA_get0_key.3 RSA_set0_factors.3
MLINKS+= RSA_get0_key.3 RSA_set0_key.3
MLINKS+= RSA_get0_key.3 RSA_set0_multi_prime_params.3
MLINKS+= RSA_get0_key.3 RSA_set_flags.3
MLINKS+= RSA_get0_key.3 RSA_test_flags.3
MLINKS+= RSA_meth_new.3 RSA_meth_dup.3
MLINKS+= RSA_meth_new.3 RSA_meth_free.3
MLINKS+= RSA_meth_new.3 RSA_meth_get0_app_data.3
MLINKS+= RSA_meth_new.3 RSA_meth_get0_name.3
MLINKS+= RSA_meth_new.3 RSA_meth_get_bn_mod_exp.3
MLINKS+= RSA_meth_new.3 RSA_meth_get_finish.3
MLINKS+= RSA_meth_new.3 RSA_meth_get_flags.3
MLINKS+= RSA_meth_new.3 RSA_meth_get_init.3
MLINKS+= RSA_meth_new.3 RSA_meth_get_keygen.3
MLINKS+= RSA_meth_new.3 RSA_meth_get_mod_exp.3
MLINKS+= RSA_meth_new.3 RSA_meth_get_multi_prime_keygen.3
MLINKS+= RSA_meth_new.3 RSA_meth_get_priv_dec.3
MLINKS+= RSA_meth_new.3 RSA_meth_get_priv_enc.3
MLINKS+= RSA_meth_new.3 RSA_meth_get_pub_dec.3
MLINKS+= RSA_meth_new.3 RSA_meth_get_pub_enc.3
MLINKS+= RSA_meth_new.3 RSA_meth_get_sign.3
MLINKS+= RSA_meth_new.3 RSA_meth_get_verify.3
MLINKS+= RSA_meth_new.3 RSA_meth_set0_app_data.3
MLINKS+= RSA_meth_new.3 RSA_meth_set1_name.3
MLINKS+= RSA_meth_new.3 RSA_meth_set_bn_mod_exp.3
MLINKS+= RSA_meth_new.3 RSA_meth_set_finish.3
MLINKS+= RSA_meth_new.3 RSA_meth_set_flags.3
MLINKS+= RSA_meth_new.3 RSA_meth_set_init.3
MLINKS+= RSA_meth_new.3 RSA_meth_set_keygen.3
MLINKS+= RSA_meth_new.3 RSA_meth_set_mod_exp.3
MLINKS+= RSA_meth_new.3 RSA_meth_set_multi_prime_keygen.3
MLINKS+= RSA_meth_new.3 RSA_meth_set_priv_dec.3
MLINKS+= RSA_meth_new.3 RSA_meth_set_priv_enc.3
MLINKS+= RSA_meth_new.3 RSA_meth_set_pub_dec.3
MLINKS+= RSA_meth_new.3 RSA_meth_set_pub_enc.3
MLINKS+= RSA_meth_new.3 RSA_meth_set_sign.3
MLINKS+= RSA_meth_new.3 RSA_meth_set_verify.3
MLINKS+= RSA_new.3 RSA_free.3
MLINKS+= RSA_padding_add_PKCS1_type_1.3 RSA_padding_add_PKCS1_OAEP.3
MLINKS+= RSA_padding_add_PKCS1_type_1.3 RSA_padding_add_PKCS1_OAEP_mgf1.3
MLINKS+= RSA_padding_add_PKCS1_type_1.3 RSA_padding_add_PKCS1_type_2.3
MLINKS+= RSA_padding_add_PKCS1_type_1.3 RSA_padding_add_SSLv23.3
MLINKS+= RSA_padding_add_PKCS1_type_1.3 RSA_padding_add_none.3
MLINKS+= RSA_padding_add_PKCS1_type_1.3 RSA_padding_check_PKCS1_OAEP.3
MLINKS+= RSA_padding_add_PKCS1_type_1.3 RSA_padding_check_PKCS1_OAEP_mgf1.3
MLINKS+= RSA_padding_add_PKCS1_type_1.3 RSA_padding_check_PKCS1_type_1.3
MLINKS+= RSA_padding_add_PKCS1_type_1.3 RSA_padding_check_PKCS1_type_2.3
MLINKS+= RSA_padding_add_PKCS1_type_1.3 RSA_padding_check_SSLv23.3
MLINKS+= RSA_padding_add_PKCS1_type_1.3 RSA_padding_check_none.3
MLINKS+= RSA_print.3 DHparams_print.3
MLINKS+= RSA_print.3 DHparams_print_fp.3
MLINKS+= RSA_print.3 DSA_print.3
MLINKS+= RSA_print.3 DSA_print_fp.3
MLINKS+= RSA_print.3 DSAparams_print.3
MLINKS+= RSA_print.3 DSAparams_print_fp.3
MLINKS+= RSA_print.3 RSA_print_fp.3
MLINKS+= RSA_private_encrypt.3 RSA_public_decrypt.3
MLINKS+= RSA_public_encrypt.3 RSA_private_decrypt.3
MLINKS+= RSA_set_method.3 RSA_PKCS1_OpenSSL.3
MLINKS+= RSA_set_method.3 RSA_flags.3
MLINKS+= RSA_set_method.3 RSA_get_default_method.3
MLINKS+= RSA_set_method.3 RSA_get_method.3
MLINKS+= RSA_set_method.3 RSA_new_method.3
MLINKS+= RSA_set_method.3 RSA_set_default_method.3
MLINKS+= RSA_sign.3 RSA_verify.3
MLINKS+= RSA_sign_ASN1_OCTET_STRING.3 RSA_verify_ASN1_OCTET_STRING.3
MLINKS+= RSA_size.3 RSA_bits.3
MLINKS+= RSA_size.3 RSA_security_bits.3
MLINKS+= SCT_new.3 SCT_LIST_free.3
MLINKS+= SCT_new.3 SCT_free.3
MLINKS+= SCT_new.3 SCT_get0_extensions.3
MLINKS+= SCT_new.3 SCT_get0_log_id.3
MLINKS+= SCT_new.3 SCT_get0_signature.3
MLINKS+= SCT_new.3 SCT_get_log_entry_type.3
MLINKS+= SCT_new.3 SCT_get_signature_nid.3
MLINKS+= SCT_new.3 SCT_get_source.3
MLINKS+= SCT_new.3 SCT_get_timestamp.3
MLINKS+= SCT_new.3 SCT_get_version.3
MLINKS+= SCT_new.3 SCT_new_from_base64.3
MLINKS+= SCT_new.3 SCT_set0_extensions.3
MLINKS+= SCT_new.3 SCT_set0_log_id.3
MLINKS+= SCT_new.3 SCT_set0_signature.3
MLINKS+= SCT_new.3 SCT_set1_extensions.3
MLINKS+= SCT_new.3 SCT_set1_log_id.3
MLINKS+= SCT_new.3 SCT_set1_signature.3
MLINKS+= SCT_new.3 SCT_set_log_entry_type.3
MLINKS+= SCT_new.3 SCT_set_signature_nid.3
MLINKS+= SCT_new.3 SCT_set_source.3
MLINKS+= SCT_new.3 SCT_set_timestamp.3
MLINKS+= SCT_new.3 SCT_set_version.3
MLINKS+= SCT_print.3 SCT_LIST_print.3
MLINKS+= SCT_print.3 SCT_validation_status_string.3
MLINKS+= SCT_validate.3 SCT_LIST_validate.3
MLINKS+= SCT_validate.3 SCT_get_validation_status.3
MLINKS+= SHA256_Init.3 SHA1.3
MLINKS+= SHA256_Init.3 SHA1_Final.3
MLINKS+= SHA256_Init.3 SHA1_Init.3
MLINKS+= SHA256_Init.3 SHA1_Update.3
MLINKS+= SHA256_Init.3 SHA224.3
MLINKS+= SHA256_Init.3 SHA224_Final.3
MLINKS+= SHA256_Init.3 SHA224_Init.3
MLINKS+= SHA256_Init.3 SHA224_Update.3
MLINKS+= SHA256_Init.3 SHA256.3
MLINKS+= SHA256_Init.3 SHA256_Final.3
MLINKS+= SHA256_Init.3 SHA256_Update.3
MLINKS+= SHA256_Init.3 SHA384.3
MLINKS+= SHA256_Init.3 SHA384_Final.3
MLINKS+= SHA256_Init.3 SHA384_Init.3
MLINKS+= SHA256_Init.3 SHA384_Update.3
MLINKS+= SHA256_Init.3 SHA512.3
MLINKS+= SHA256_Init.3 SHA512_Final.3
MLINKS+= SHA256_Init.3 SHA512_Init.3
MLINKS+= SHA256_Init.3 SHA512_Update.3
MLINKS+= SSL_CIPHER_get_name.3 OPENSSL_cipher_name.3
MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_description.3
MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_find.3
MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_get_auth_nid.3
MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_get_bits.3
MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_get_cipher_nid.3
MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_get_digest_nid.3
MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_get_handshake_digest.3
MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_get_id.3
MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_get_kx_nid.3
MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_get_protocol_id.3
MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_get_version.3
MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_is_aead.3
MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_standard_name.3
MLINKS+= SSL_COMP_add_compression_method.3 SSL_COMP_free_compression_methods.3
MLINKS+= SSL_COMP_add_compression_method.3 SSL_COMP_get0_name.3
MLINKS+= SSL_COMP_add_compression_method.3 SSL_COMP_get_compression_methods.3
MLINKS+= SSL_COMP_add_compression_method.3 SSL_COMP_get_id.3
MLINKS+= SSL_CONF_CTX_new.3 SSL_CONF_CTX_free.3
MLINKS+= SSL_CONF_CTX_set_flags.3 SSL_CONF_CTX_clear_flags.3
MLINKS+= SSL_CONF_CTX_set_ssl_ctx.3 SSL_CONF_CTX_set_ssl.3
MLINKS+= SSL_CONF_cmd.3 SSL_CONF_cmd_value_type.3
MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_CTX_add0_chain_cert.3
MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_CTX_build_cert_chain.3
MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_CTX_clear_chain_certs.3
MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_CTX_get0_chain_certs.3
MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_CTX_select_current_cert.3
MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_CTX_set0_chain.3
MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_CTX_set1_chain.3
MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_CTX_set_current_cert.3
MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_add0_chain_cert.3
MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_add1_chain_cert.3
MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_build_cert_chain.3
MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_clear_chain_certs.3
MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_get0_chain_certs.3
MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_select_current_cert.3
MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_set0_chain.3
MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_set1_chain.3
MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_set_current_cert.3
MLINKS+= SSL_CTX_add_extra_chain_cert.3 SSL_CTX_clear_extra_chain_certs.3
MLINKS+= SSL_CTX_add_session.3 SSL_CTX_remove_session.3
MLINKS+= SSL_CTX_config.3 SSL_config.3
MLINKS+= SSL_CTX_ctrl.3 SSL_CTX_callback_ctrl.3
MLINKS+= SSL_CTX_ctrl.3 SSL_callback_ctrl.3
MLINKS+= SSL_CTX_ctrl.3 SSL_ctrl.3
MLINKS+= SSL_CTX_dane_enable.3 SSL_CTX_dane_clear_flags.3
MLINKS+= SSL_CTX_dane_enable.3 SSL_CTX_dane_mtype_set.3
MLINKS+= SSL_CTX_dane_enable.3 SSL_CTX_dane_set_flags.3
MLINKS+= SSL_CTX_dane_enable.3 SSL_dane_clear_flags.3
MLINKS+= SSL_CTX_dane_enable.3 SSL_dane_enable.3
MLINKS+= SSL_CTX_dane_enable.3 SSL_dane_set_flags.3
MLINKS+= SSL_CTX_dane_enable.3 SSL_dane_tlsa_add.3
MLINKS+= SSL_CTX_dane_enable.3 SSL_get0_dane_authority.3
MLINKS+= SSL_CTX_dane_enable.3 SSL_get0_dane_tlsa.3
MLINKS+= SSL_CTX_get0_param.3 SSL_CTX_set1_param.3
MLINKS+= SSL_CTX_get0_param.3 SSL_get0_param.3
MLINKS+= SSL_CTX_get0_param.3 SSL_set1_param.3
MLINKS+= SSL_CTX_get_verify_mode.3 SSL_CTX_get_verify_callback.3
MLINKS+= SSL_CTX_get_verify_mode.3 SSL_CTX_get_verify_depth.3
MLINKS+= SSL_CTX_get_verify_mode.3 SSL_get_verify_callback.3
MLINKS+= SSL_CTX_get_verify_mode.3 SSL_get_verify_depth.3
MLINKS+= SSL_CTX_get_verify_mode.3 SSL_get_verify_mode.3
MLINKS+= SSL_CTX_load_verify_locations.3 SSL_CTX_set_default_verify_dir.3
MLINKS+= SSL_CTX_load_verify_locations.3 SSL_CTX_set_default_verify_file.3
MLINKS+= SSL_CTX_load_verify_locations.3 SSL_CTX_set_default_verify_paths.3
MLINKS+= SSL_CTX_new.3 DTLS_client_method.3
MLINKS+= SSL_CTX_new.3 DTLS_method.3
MLINKS+= SSL_CTX_new.3 DTLS_server_method.3
MLINKS+= SSL_CTX_new.3 DTLSv1_2_client_method.3
MLINKS+= SSL_CTX_new.3 DTLSv1_2_method.3
MLINKS+= SSL_CTX_new.3 DTLSv1_2_server_method.3
MLINKS+= SSL_CTX_new.3 DTLSv1_client_method.3
MLINKS+= SSL_CTX_new.3 DTLSv1_method.3
MLINKS+= SSL_CTX_new.3 DTLSv1_server_method.3
MLINKS+= SSL_CTX_new.3 SSL_CTX_up_ref.3
MLINKS+= SSL_CTX_new.3 SSLv23_client_method.3
MLINKS+= SSL_CTX_new.3 SSLv23_method.3
MLINKS+= SSL_CTX_new.3 SSLv23_server_method.3
MLINKS+= SSL_CTX_new.3 SSLv3_client_method.3
MLINKS+= SSL_CTX_new.3 SSLv3_method.3
MLINKS+= SSL_CTX_new.3 SSLv3_server_method.3
MLINKS+= SSL_CTX_new.3 TLS_client_method.3
MLINKS+= SSL_CTX_new.3 TLS_method.3
MLINKS+= SSL_CTX_new.3 TLS_server_method.3
MLINKS+= SSL_CTX_new.3 TLSv1_1_client_method.3
MLINKS+= SSL_CTX_new.3 TLSv1_1_method.3
MLINKS+= SSL_CTX_new.3 TLSv1_1_server_method.3
MLINKS+= SSL_CTX_new.3 TLSv1_2_client_method.3
MLINKS+= SSL_CTX_new.3 TLSv1_2_method.3
MLINKS+= SSL_CTX_new.3 TLSv1_2_server_method.3
MLINKS+= SSL_CTX_new.3 TLSv1_client_method.3
MLINKS+= SSL_CTX_new.3 TLSv1_method.3
MLINKS+= SSL_CTX_new.3 TLSv1_server_method.3
MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_accept.3
MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_accept_good.3
MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_accept_renegotiate.3
MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_cache_full.3
MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_cb_hits.3
MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_connect.3
MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_connect_good.3
MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_connect_renegotiate.3
MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_hits.3
MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_misses.3
MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_timeouts.3
MLINKS+= SSL_CTX_sess_set_cache_size.3 SSL_CTX_sess_get_cache_size.3
MLINKS+= SSL_CTX_sess_set_get_cb.3 SSL_CTX_sess_get_get_cb.3
MLINKS+= SSL_CTX_sess_set_get_cb.3 SSL_CTX_sess_get_new_cb.3
MLINKS+= SSL_CTX_sess_set_get_cb.3 SSL_CTX_sess_get_remove_cb.3
MLINKS+= SSL_CTX_sess_set_get_cb.3 SSL_CTX_sess_set_new_cb.3
MLINKS+= SSL_CTX_sess_set_get_cb.3 SSL_CTX_sess_set_remove_cb.3
MLINKS+= SSL_CTX_set0_CA_list.3 SSL_CTX_add1_to_CA_list.3
MLINKS+= SSL_CTX_set0_CA_list.3 SSL_CTX_add_client_CA.3
MLINKS+= SSL_CTX_set0_CA_list.3 SSL_CTX_get0_CA_list.3
MLINKS+= SSL_CTX_set0_CA_list.3 SSL_CTX_get_client_CA_list.3
MLINKS+= SSL_CTX_set0_CA_list.3 SSL_CTX_set_client_CA_list.3
MLINKS+= SSL_CTX_set0_CA_list.3 SSL_add1_to_CA_list.3
MLINKS+= SSL_CTX_set0_CA_list.3 SSL_add_client_CA.3
MLINKS+= SSL_CTX_set0_CA_list.3 SSL_get0_CA_list.3
MLINKS+= SSL_CTX_set0_CA_list.3 SSL_get0_peer_CA_list.3
MLINKS+= SSL_CTX_set0_CA_list.3 SSL_get_client_CA_list.3
MLINKS+= SSL_CTX_set0_CA_list.3 SSL_set0_CA_list.3
MLINKS+= SSL_CTX_set0_CA_list.3 SSL_set_client_CA_list.3
MLINKS+= SSL_CTX_set1_curves.3 SSL_CTX_set1_curves_list.3
MLINKS+= SSL_CTX_set1_curves.3 SSL_CTX_set1_groups.3
MLINKS+= SSL_CTX_set1_curves.3 SSL_CTX_set1_groups_list.3
MLINKS+= SSL_CTX_set1_curves.3 SSL_get1_curves.3
MLINKS+= SSL_CTX_set1_curves.3 SSL_get1_groups.3
MLINKS+= SSL_CTX_set1_curves.3 SSL_get_shared_curve.3
MLINKS+= SSL_CTX_set1_curves.3 SSL_get_shared_group.3
MLINKS+= SSL_CTX_set1_curves.3 SSL_set1_curves.3
MLINKS+= SSL_CTX_set1_curves.3 SSL_set1_curves_list.3
MLINKS+= SSL_CTX_set1_curves.3 SSL_set1_groups.3
MLINKS+= SSL_CTX_set1_curves.3 SSL_set1_groups_list.3
MLINKS+= SSL_CTX_set1_sigalgs.3 SSL_CTX_set1_client_sigalgs.3
MLINKS+= SSL_CTX_set1_sigalgs.3 SSL_CTX_set1_client_sigalgs_list.3
MLINKS+= SSL_CTX_set1_sigalgs.3 SSL_CTX_set1_sigalgs_list.3
MLINKS+= SSL_CTX_set1_sigalgs.3 SSL_set1_client_sigalgs.3
MLINKS+= SSL_CTX_set1_sigalgs.3 SSL_set1_client_sigalgs_list.3
MLINKS+= SSL_CTX_set1_sigalgs.3 SSL_set1_sigalgs.3
MLINKS+= SSL_CTX_set1_sigalgs.3 SSL_set1_sigalgs_list.3
MLINKS+= SSL_CTX_set1_verify_cert_store.3 SSL_CTX_set0_chain_cert_store.3
MLINKS+= SSL_CTX_set1_verify_cert_store.3 SSL_CTX_set0_verify_cert_store.3
MLINKS+= SSL_CTX_set1_verify_cert_store.3 SSL_CTX_set1_chain_cert_store.3
MLINKS+= SSL_CTX_set1_verify_cert_store.3 SSL_set0_chain_cert_store.3
MLINKS+= SSL_CTX_set1_verify_cert_store.3 SSL_set0_verify_cert_store.3
MLINKS+= SSL_CTX_set1_verify_cert_store.3 SSL_set1_chain_cert_store.3
MLINKS+= SSL_CTX_set1_verify_cert_store.3 SSL_set1_verify_cert_store.3
MLINKS+= SSL_CTX_set_alpn_select_cb.3 SSL_CTX_set_alpn_protos.3
MLINKS+= SSL_CTX_set_alpn_select_cb.3 SSL_CTX_set_next_proto_select_cb.3
MLINKS+= SSL_CTX_set_alpn_select_cb.3 SSL_CTX_set_next_protos_advertised_cb.3
MLINKS+= SSL_CTX_set_alpn_select_cb.3 SSL_get0_alpn_selected.3
MLINKS+= SSL_CTX_set_alpn_select_cb.3 SSL_get0_next_proto_negotiated.3
MLINKS+= SSL_CTX_set_alpn_select_cb.3 SSL_select_next_proto.3
MLINKS+= SSL_CTX_set_alpn_select_cb.3 SSL_set_alpn_protos.3
MLINKS+= SSL_CTX_set_cert_cb.3 SSL_set_cert_cb.3
MLINKS+= SSL_CTX_set_cert_store.3 SSL_CTX_get_cert_store.3
MLINKS+= SSL_CTX_set_cert_store.3 SSL_CTX_set1_cert_store.3
MLINKS+= SSL_CTX_set_cipher_list.3 SSL_CTX_set_ciphersuites.3
MLINKS+= SSL_CTX_set_cipher_list.3 SSL_set_cipher_list.3
MLINKS+= SSL_CTX_set_cipher_list.3 SSL_set_ciphersuites.3
MLINKS+= SSL_CTX_set_client_cert_cb.3 SSL_CTX_get_client_cert_cb.3
MLINKS+= SSL_CTX_set_client_hello_cb.3 SSL_client_hello_cb_fn.3
MLINKS+= SSL_CTX_set_client_hello_cb.3 SSL_client_hello_get0_ciphers.3
MLINKS+= SSL_CTX_set_client_hello_cb.3 SSL_client_hello_get0_compression_methods.3
MLINKS+= SSL_CTX_set_client_hello_cb.3 SSL_client_hello_get0_ext.3
MLINKS+= SSL_CTX_set_client_hello_cb.3 SSL_client_hello_get0_legacy_version.3
MLINKS+= SSL_CTX_set_client_hello_cb.3 SSL_client_hello_get0_random.3
MLINKS+= SSL_CTX_set_client_hello_cb.3 SSL_client_hello_get0_session_id.3
MLINKS+= SSL_CTX_set_client_hello_cb.3 SSL_client_hello_get1_extensions_present.3
MLINKS+= SSL_CTX_set_client_hello_cb.3 SSL_client_hello_isv2.3
MLINKS+= SSL_CTX_set_ct_validation_callback.3 SSL_CTX_ct_is_enabled.3
MLINKS+= SSL_CTX_set_ct_validation_callback.3 SSL_CTX_disable_ct.3
MLINKS+= SSL_CTX_set_ct_validation_callback.3 SSL_CTX_enable_ct.3
MLINKS+= SSL_CTX_set_ct_validation_callback.3 SSL_ct_is_enabled.3
MLINKS+= SSL_CTX_set_ct_validation_callback.3 SSL_disable_ct.3
MLINKS+= SSL_CTX_set_ct_validation_callback.3 SSL_enable_ct.3
MLINKS+= SSL_CTX_set_ct_validation_callback.3 SSL_set_ct_validation_callback.3
MLINKS+= SSL_CTX_set_ct_validation_callback.3 ssl_ct_validation_cb.3
MLINKS+= SSL_CTX_set_ctlog_list_file.3 SSL_CTX_set_default_ctlog_list_file.3
MLINKS+= SSL_CTX_set_default_passwd_cb.3 SSL_CTX_get_default_passwd_cb.3
MLINKS+= SSL_CTX_set_default_passwd_cb.3 SSL_CTX_get_default_passwd_cb_userdata.3
MLINKS+= SSL_CTX_set_default_passwd_cb.3 SSL_CTX_set_default_passwd_cb_userdata.3
MLINKS+= SSL_CTX_set_default_passwd_cb.3 SSL_get_default_passwd_cb.3
MLINKS+= SSL_CTX_set_default_passwd_cb.3 SSL_get_default_passwd_cb_userdata.3
MLINKS+= SSL_CTX_set_default_passwd_cb.3 SSL_set_default_passwd_cb.3
MLINKS+= SSL_CTX_set_default_passwd_cb.3 SSL_set_default_passwd_cb_userdata.3
MLINKS+= SSL_CTX_set_ex_data.3 SSL_CTX_get_ex_data.3
MLINKS+= SSL_CTX_set_ex_data.3 SSL_get_ex_data.3
MLINKS+= SSL_CTX_set_ex_data.3 SSL_set_ex_data.3
MLINKS+= SSL_CTX_set_generate_session_id.3 GEN_SESSION_CB.3
MLINKS+= SSL_CTX_set_generate_session_id.3 SSL_has_matching_session_id.3
MLINKS+= SSL_CTX_set_generate_session_id.3 SSL_set_generate_session_id.3
MLINKS+= SSL_CTX_set_info_callback.3 SSL_CTX_get_info_callback.3
MLINKS+= SSL_CTX_set_info_callback.3 SSL_get_info_callback.3
MLINKS+= SSL_CTX_set_info_callback.3 SSL_set_info_callback.3
MLINKS+= SSL_CTX_set_keylog_callback.3 SSL_CTX_get_keylog_callback.3
MLINKS+= SSL_CTX_set_keylog_callback.3 SSL_CTX_keylog_cb_func.3
MLINKS+= SSL_CTX_set_max_cert_list.3 SSL_CTX_get_max_cert_list.3
MLINKS+= SSL_CTX_set_max_cert_list.3 SSL_get_max_cert_list.3
MLINKS+= SSL_CTX_set_max_cert_list.3 SSL_set_max_cert_list.3
MLINKS+= SSL_CTX_set_min_proto_version.3 SSL_CTX_get_max_proto_version.3
MLINKS+= SSL_CTX_set_min_proto_version.3 SSL_CTX_get_min_proto_version.3
MLINKS+= SSL_CTX_set_min_proto_version.3 SSL_CTX_set_max_proto_version.3
MLINKS+= SSL_CTX_set_min_proto_version.3 SSL_get_max_proto_version.3
MLINKS+= SSL_CTX_set_min_proto_version.3 SSL_get_min_proto_version.3
MLINKS+= SSL_CTX_set_min_proto_version.3 SSL_set_max_proto_version.3
MLINKS+= SSL_CTX_set_min_proto_version.3 SSL_set_min_proto_version.3
MLINKS+= SSL_CTX_set_mode.3 SSL_CTX_clear_mode.3
MLINKS+= SSL_CTX_set_mode.3 SSL_CTX_get_mode.3
MLINKS+= SSL_CTX_set_mode.3 SSL_clear_mode.3
MLINKS+= SSL_CTX_set_mode.3 SSL_get_mode.3
MLINKS+= SSL_CTX_set_mode.3 SSL_set_mode.3
MLINKS+= SSL_CTX_set_msg_callback.3 SSL_CTX_set_msg_callback_arg.3
MLINKS+= SSL_CTX_set_msg_callback.3 SSL_set_msg_callback.3
MLINKS+= SSL_CTX_set_msg_callback.3 SSL_set_msg_callback_arg.3
MLINKS+= SSL_CTX_set_num_tickets.3 SSL_CTX_get_num_tickets.3
MLINKS+= SSL_CTX_set_num_tickets.3 SSL_get_num_tickets.3
MLINKS+= SSL_CTX_set_num_tickets.3 SSL_set_num_tickets.3
MLINKS+= SSL_CTX_set_options.3 SSL_CTX_clear_options.3
MLINKS+= SSL_CTX_set_options.3 SSL_CTX_get_options.3
MLINKS+= SSL_CTX_set_options.3 SSL_clear_options.3
MLINKS+= SSL_CTX_set_options.3 SSL_get_options.3
MLINKS+= SSL_CTX_set_options.3 SSL_get_secure_renegotiation_support.3
MLINKS+= SSL_CTX_set_options.3 SSL_set_options.3
MLINKS+= SSL_CTX_set_psk_client_callback.3 SSL_CTX_set_psk_use_session_callback.3
MLINKS+= SSL_CTX_set_psk_client_callback.3 SSL_psk_client_cb_func.3
MLINKS+= SSL_CTX_set_psk_client_callback.3 SSL_psk_use_session_cb_func.3
MLINKS+= SSL_CTX_set_psk_client_callback.3 SSL_set_psk_client_callback.3
MLINKS+= SSL_CTX_set_psk_client_callback.3 SSL_set_psk_use_session_callback.3
MLINKS+= SSL_CTX_set_quiet_shutdown.3 SSL_CTX_get_quiet_shutdown.3
MLINKS+= SSL_CTX_set_quiet_shutdown.3 SSL_get_quiet_shutdown.3
MLINKS+= SSL_CTX_set_quiet_shutdown.3 SSL_set_quiet_shutdown.3
MLINKS+= SSL_CTX_set_read_ahead.3 SSL_CTX_get_default_read_ahead.3
MLINKS+= SSL_CTX_set_read_ahead.3 SSL_CTX_get_read_ahead.3
MLINKS+= SSL_CTX_set_read_ahead.3 SSL_get_read_ahead.3
MLINKS+= SSL_CTX_set_read_ahead.3 SSL_set_read_ahead.3
MLINKS+= SSL_CTX_set_record_padding_callback.3 SSL_CTX_get_record_padding_callback_arg.3
MLINKS+= SSL_CTX_set_record_padding_callback.3 SSL_CTX_set_block_padding.3
MLINKS+= SSL_CTX_set_record_padding_callback.3 SSL_CTX_set_record_padding_callback_arg.3
MLINKS+= SSL_CTX_set_record_padding_callback.3 SSL_get_record_padding_callback_arg.3
MLINKS+= SSL_CTX_set_record_padding_callback.3 SSL_set_block_padding.3
MLINKS+= SSL_CTX_set_record_padding_callback.3 SSL_set_record_padding_callback.3
MLINKS+= SSL_CTX_set_record_padding_callback.3 SSL_set_record_padding_callback_arg.3
MLINKS+= SSL_CTX_set_security_level.3 SSL_CTX_get0_security_ex_data.3
MLINKS+= SSL_CTX_set_security_level.3 SSL_CTX_get_security_callback.3
MLINKS+= SSL_CTX_set_security_level.3 SSL_CTX_get_security_level.3
MLINKS+= SSL_CTX_set_security_level.3 SSL_CTX_set0_security_ex_data.3
MLINKS+= SSL_CTX_set_security_level.3 SSL_CTX_set_security_callback.3
MLINKS+= SSL_CTX_set_security_level.3 SSL_get0_security_ex_data.3
MLINKS+= SSL_CTX_set_security_level.3 SSL_get_security_callback.3
MLINKS+= SSL_CTX_set_security_level.3 SSL_get_security_level.3
MLINKS+= SSL_CTX_set_security_level.3 SSL_set0_security_ex_data.3
MLINKS+= SSL_CTX_set_security_level.3 SSL_set_security_callback.3
MLINKS+= SSL_CTX_set_security_level.3 SSL_set_security_level.3
MLINKS+= SSL_CTX_set_session_cache_mode.3 SSL_CTX_get_session_cache_mode.3
MLINKS+= SSL_CTX_set_session_id_context.3 SSL_set_session_id_context.3
MLINKS+= SSL_CTX_set_session_ticket_cb.3 SSL_CTX_decrypt_session_ticket_fn.3
MLINKS+= SSL_CTX_set_session_ticket_cb.3 SSL_CTX_generate_session_ticket_fn.3
MLINKS+= SSL_CTX_set_session_ticket_cb.3 SSL_SESSION_get0_ticket_appdata.3
MLINKS+= SSL_CTX_set_session_ticket_cb.3 SSL_SESSION_set1_ticket_appdata.3
MLINKS+= SSL_CTX_set_split_send_fragment.3 SSL_CTX_set_default_read_buffer_len.3
MLINKS+= SSL_CTX_set_split_send_fragment.3 SSL_CTX_set_max_pipelines.3
MLINKS+= SSL_CTX_set_split_send_fragment.3 SSL_CTX_set_max_send_fragment.3
MLINKS+= SSL_CTX_set_split_send_fragment.3 SSL_CTX_set_tlsext_max_fragment_length.3
MLINKS+= SSL_CTX_set_split_send_fragment.3 SSL_SESSION_get_max_fragment_length.3
MLINKS+= SSL_CTX_set_split_send_fragment.3 SSL_set_default_read_buffer_len.3
MLINKS+= SSL_CTX_set_split_send_fragment.3 SSL_set_max_pipelines.3
MLINKS+= SSL_CTX_set_split_send_fragment.3 SSL_set_max_send_fragment.3
MLINKS+= SSL_CTX_set_split_send_fragment.3 SSL_set_split_send_fragment.3
MLINKS+= SSL_CTX_set_split_send_fragment.3 SSL_set_tlsext_max_fragment_length.3
MLINKS+= SSL_CTX_set_ssl_version.3 SSL_get_ssl_method.3
MLINKS+= SSL_CTX_set_ssl_version.3 SSL_set_ssl_method.3
MLINKS+= SSL_CTX_set_stateless_cookie_generate_cb.3 SSL_CTX_set_cookie_generate_cb.3
MLINKS+= SSL_CTX_set_stateless_cookie_generate_cb.3 SSL_CTX_set_cookie_verify_cb.3
MLINKS+= SSL_CTX_set_stateless_cookie_generate_cb.3 SSL_CTX_set_stateless_cookie_verify_cb.3
MLINKS+= SSL_CTX_set_timeout.3 SSL_CTX_get_timeout.3
MLINKS+= SSL_CTX_set_tlsext_servername_callback.3 SSL_CTX_set_tlsext_servername_arg.3
MLINKS+= SSL_CTX_set_tlsext_servername_callback.3 SSL_get_servername.3
MLINKS+= SSL_CTX_set_tlsext_servername_callback.3 SSL_get_servername_type.3
MLINKS+= SSL_CTX_set_tlsext_servername_callback.3 SSL_set_tlsext_host_name.3
MLINKS+= SSL_CTX_set_tlsext_status_cb.3 SSL_CTX_get_tlsext_status_arg.3
MLINKS+= SSL_CTX_set_tlsext_status_cb.3 SSL_CTX_get_tlsext_status_cb.3
MLINKS+= SSL_CTX_set_tlsext_status_cb.3 SSL_CTX_get_tlsext_status_type.3
MLINKS+= SSL_CTX_set_tlsext_status_cb.3 SSL_CTX_set_tlsext_status_arg.3
MLINKS+= SSL_CTX_set_tlsext_status_cb.3 SSL_CTX_set_tlsext_status_type.3
MLINKS+= SSL_CTX_set_tlsext_status_cb.3 SSL_get_tlsext_status_ocsp_resp.3
MLINKS+= SSL_CTX_set_tlsext_status_cb.3 SSL_get_tlsext_status_type.3
MLINKS+= SSL_CTX_set_tlsext_status_cb.3 SSL_set_tlsext_status_ocsp_resp.3
MLINKS+= SSL_CTX_set_tlsext_status_cb.3 SSL_set_tlsext_status_type.3
MLINKS+= SSL_CTX_set_tlsext_use_srtp.3 SSL_get_selected_srtp_profile.3
MLINKS+= SSL_CTX_set_tlsext_use_srtp.3 SSL_get_srtp_profiles.3
MLINKS+= SSL_CTX_set_tlsext_use_srtp.3 SSL_set_tlsext_use_srtp.3
MLINKS+= SSL_CTX_set_tmp_dh_callback.3 SSL_CTX_set_tmp_dh.3
MLINKS+= SSL_CTX_set_tmp_dh_callback.3 SSL_set_tmp_dh.3
MLINKS+= SSL_CTX_set_tmp_dh_callback.3 SSL_set_tmp_dh_callback.3
MLINKS+= SSL_CTX_set_verify.3 SSL_CTX_set_post_handshake_auth.3
MLINKS+= SSL_CTX_set_verify.3 SSL_CTX_set_verify_depth.3
MLINKS+= SSL_CTX_set_verify.3 SSL_get_ex_data_X509_STORE_CTX_idx.3
MLINKS+= SSL_CTX_set_verify.3 SSL_set_post_handshake_auth.3
MLINKS+= SSL_CTX_set_verify.3 SSL_set_verify.3
MLINKS+= SSL_CTX_set_verify.3 SSL_set_verify_depth.3
MLINKS+= SSL_CTX_set_verify.3 SSL_verify_cb.3
MLINKS+= SSL_CTX_set_verify.3 SSL_verify_client_post_handshake.3
MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_check_private_key.3
MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_PrivateKey.3
MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_PrivateKey_ASN1.3
MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_PrivateKey_file.3
MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_RSAPrivateKey.3
MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_RSAPrivateKey_ASN1.3
MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_RSAPrivateKey_file.3
MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_cert_and_key.3
MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_certificate_ASN1.3
MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_certificate_chain_file.3
MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_certificate_file.3
MLINKS+= SSL_CTX_use_certificate.3 SSL_check_private_key.3
MLINKS+= SSL_CTX_use_certificate.3 SSL_use_PrivateKey.3
MLINKS+= SSL_CTX_use_certificate.3 SSL_use_PrivateKey_ASN1.3
MLINKS+= SSL_CTX_use_certificate.3 SSL_use_PrivateKey_file.3
MLINKS+= SSL_CTX_use_certificate.3 SSL_use_RSAPrivateKey.3
MLINKS+= SSL_CTX_use_certificate.3 SSL_use_RSAPrivateKey_ASN1.3
MLINKS+= SSL_CTX_use_certificate.3 SSL_use_RSAPrivateKey_file.3
MLINKS+= SSL_CTX_use_certificate.3 SSL_use_cert_and_key.3
MLINKS+= SSL_CTX_use_certificate.3 SSL_use_certificate.3
MLINKS+= SSL_CTX_use_certificate.3 SSL_use_certificate_ASN1.3
MLINKS+= SSL_CTX_use_certificate.3 SSL_use_certificate_chain_file.3
MLINKS+= SSL_CTX_use_certificate.3 SSL_use_certificate_file.3
MLINKS+= SSL_CTX_use_psk_identity_hint.3 SSL_CTX_set_psk_find_session_callback.3
MLINKS+= SSL_CTX_use_psk_identity_hint.3 SSL_CTX_set_psk_server_callback.3
MLINKS+= SSL_CTX_use_psk_identity_hint.3 SSL_psk_find_session_cb_func.3
MLINKS+= SSL_CTX_use_psk_identity_hint.3 SSL_psk_server_cb_func.3
MLINKS+= SSL_CTX_use_psk_identity_hint.3 SSL_set_psk_find_session_callback.3
MLINKS+= SSL_CTX_use_psk_identity_hint.3 SSL_set_psk_server_callback.3
MLINKS+= SSL_CTX_use_psk_identity_hint.3 SSL_use_psk_identity_hint.3
MLINKS+= SSL_CTX_use_serverinfo.3 SSL_CTX_use_serverinfo_ex.3
MLINKS+= SSL_CTX_use_serverinfo.3 SSL_CTX_use_serverinfo_file.3
MLINKS+= SSL_SESSION_free.3 SSL_SESSION_dup.3
MLINKS+= SSL_SESSION_free.3 SSL_SESSION_new.3
MLINKS+= SSL_SESSION_free.3 SSL_SESSION_up_ref.3
MLINKS+= SSL_SESSION_get0_cipher.3 SSL_SESSION_set_cipher.3
MLINKS+= SSL_SESSION_get0_hostname.3 SSL_SESSION_get0_alpn_selected.3
MLINKS+= SSL_SESSION_get0_hostname.3 SSL_SESSION_set1_alpn_selected.3
MLINKS+= SSL_SESSION_get0_hostname.3 SSL_SESSION_set1_hostname.3
MLINKS+= SSL_SESSION_get0_id_context.3 SSL_SESSION_set1_id_context.3
MLINKS+= SSL_SESSION_get_ex_data.3 SSL_SESSION_set_ex_data.3
MLINKS+= SSL_SESSION_get_protocol_version.3 SSL_SESSION_set_protocol_version.3
MLINKS+= SSL_SESSION_get_time.3 SSL_SESSION_get_timeout.3
MLINKS+= SSL_SESSION_get_time.3 SSL_SESSION_set_time.3
MLINKS+= SSL_SESSION_get_time.3 SSL_SESSION_set_timeout.3
MLINKS+= SSL_SESSION_get_time.3 SSL_get_time.3
MLINKS+= SSL_SESSION_get_time.3 SSL_get_timeout.3
MLINKS+= SSL_SESSION_get_time.3 SSL_set_time.3
MLINKS+= SSL_SESSION_get_time.3 SSL_set_timeout.3
MLINKS+= SSL_SESSION_has_ticket.3 SSL_SESSION_get0_ticket.3
MLINKS+= SSL_SESSION_has_ticket.3 SSL_SESSION_get_ticket_lifetime_hint.3
MLINKS+= SSL_SESSION_print.3 SSL_SESSION_print_fp.3
MLINKS+= SSL_SESSION_print.3 SSL_SESSION_print_keylog.3
MLINKS+= SSL_SESSION_set1_id.3 SSL_SESSION_get_id.3
MLINKS+= SSL_alert_type_string.3 SSL_alert_desc_string.3
MLINKS+= SSL_alert_type_string.3 SSL_alert_desc_string_long.3
MLINKS+= SSL_alert_type_string.3 SSL_alert_type_string_long.3
MLINKS+= SSL_alloc_buffers.3 SSL_free_buffers.3
MLINKS+= SSL_export_keying_material.3 SSL_export_keying_material_early.3
MLINKS+= SSL_extension_supported.3 SSL_CTX_add_client_custom_ext.3
MLINKS+= SSL_extension_supported.3 SSL_CTX_add_custom_ext.3
MLINKS+= SSL_extension_supported.3 SSL_CTX_add_server_custom_ext.3
MLINKS+= SSL_extension_supported.3 custom_ext_add_cb.3
MLINKS+= SSL_extension_supported.3 custom_ext_free_cb.3
MLINKS+= SSL_extension_supported.3 custom_ext_parse_cb.3
MLINKS+= SSL_get_all_async_fds.3 SSL_get_changed_async_fds.3
MLINKS+= SSL_get_all_async_fds.3 SSL_waiting_for_async.3
MLINKS+= SSL_get_ciphers.3 SSL_CTX_get_ciphers.3
MLINKS+= SSL_get_ciphers.3 SSL_bytes_to_cipher_list.3
MLINKS+= SSL_get_ciphers.3 SSL_get1_supported_ciphers.3
MLINKS+= SSL_get_ciphers.3 SSL_get_cipher_list.3
MLINKS+= SSL_get_ciphers.3 SSL_get_client_ciphers.3
MLINKS+= SSL_get_ciphers.3 SSL_get_shared_ciphers.3
MLINKS+= SSL_get_client_random.3 SSL_SESSION_get_master_key.3
MLINKS+= SSL_get_client_random.3 SSL_SESSION_set1_master_key.3
MLINKS+= SSL_get_client_random.3 SSL_get_server_random.3
MLINKS+= SSL_get_current_cipher.3 SSL_get_cipher.3
MLINKS+= SSL_get_current_cipher.3 SSL_get_cipher_bits.3
MLINKS+= SSL_get_current_cipher.3 SSL_get_cipher_name.3
MLINKS+= SSL_get_current_cipher.3 SSL_get_cipher_version.3
MLINKS+= SSL_get_current_cipher.3 SSL_get_pending_cipher.3
MLINKS+= SSL_get_fd.3 SSL_get_rfd.3
MLINKS+= SSL_get_fd.3 SSL_get_wfd.3
MLINKS+= SSL_get_peer_cert_chain.3 SSL_get0_verified_chain.3
MLINKS+= SSL_get_peer_signature_nid.3 SSL_get_peer_signature_type_nid.3
MLINKS+= SSL_get_peer_signature_nid.3 SSL_get_signature_nid.3
MLINKS+= SSL_get_peer_signature_nid.3 SSL_get_signature_type_nid.3
MLINKS+= SSL_get_peer_tmp_key.3 SSL_get_server_tmp_key.3
MLINKS+= SSL_get_peer_tmp_key.3 SSL_get_tmp_key.3
MLINKS+= SSL_get_psk_identity.3 SSL_get_psk_identity_hint.3
MLINKS+= SSL_get_rbio.3 SSL_get_wbio.3
MLINKS+= SSL_get_session.3 SSL_get0_session.3
MLINKS+= SSL_get_session.3 SSL_get1_session.3
MLINKS+= SSL_get_shared_sigalgs.3 SSL_get_sigalgs.3
MLINKS+= SSL_get_version.3 SSL_client_version.3
MLINKS+= SSL_get_version.3 SSL_is_dtls.3
MLINKS+= SSL_get_version.3 SSL_version.3
MLINKS+= SSL_in_init.3 SSL_get_state.3
MLINKS+= SSL_in_init.3 SSL_in_accept_init.3
MLINKS+= SSL_in_init.3 SSL_in_before.3
MLINKS+= SSL_in_init.3 SSL_in_connect_init.3
MLINKS+= SSL_in_init.3 SSL_is_init_finished.3
MLINKS+= SSL_key_update.3 SSL_get_key_update_type.3
MLINKS+= SSL_key_update.3 SSL_renegotiate.3
MLINKS+= SSL_key_update.3 SSL_renegotiate_abbreviated.3
MLINKS+= SSL_key_update.3 SSL_renegotiate_pending.3
MLINKS+= SSL_library_init.3 OpenSSL_add_ssl_algorithms.3
MLINKS+= SSL_load_client_CA_file.3 SSL_add_dir_cert_subjects_to_stack.3
MLINKS+= SSL_load_client_CA_file.3 SSL_add_file_cert_subjects_to_stack.3
MLINKS+= SSL_new.3 SSL_dup.3
MLINKS+= SSL_new.3 SSL_up_ref.3
MLINKS+= SSL_pending.3 SSL_has_pending.3
MLINKS+= SSL_read.3 SSL_peek.3
MLINKS+= SSL_read.3 SSL_peek_ex.3
MLINKS+= SSL_read.3 SSL_read_ex.3
MLINKS+= SSL_read_early_data.3 SSL_CTX_get_max_early_data.3
MLINKS+= SSL_read_early_data.3 SSL_CTX_get_recv_max_early_data.3
MLINKS+= SSL_read_early_data.3 SSL_CTX_set_allow_early_data_cb.3
MLINKS+= SSL_read_early_data.3 SSL_CTX_set_max_early_data.3
MLINKS+= SSL_read_early_data.3 SSL_CTX_set_recv_max_early_data.3
MLINKS+= SSL_read_early_data.3 SSL_SESSION_get_max_early_data.3
MLINKS+= SSL_read_early_data.3 SSL_SESSION_set_max_early_data.3
MLINKS+= SSL_read_early_data.3 SSL_allow_early_data_cb_fn.3
MLINKS+= SSL_read_early_data.3 SSL_get_early_data_status.3
MLINKS+= SSL_read_early_data.3 SSL_get_max_early_data.3
MLINKS+= SSL_read_early_data.3 SSL_get_recv_max_early_data.3
MLINKS+= SSL_read_early_data.3 SSL_set_allow_early_data_cb.3
MLINKS+= SSL_read_early_data.3 SSL_set_max_early_data.3
MLINKS+= SSL_read_early_data.3 SSL_set_recv_max_early_data.3
MLINKS+= SSL_read_early_data.3 SSL_write_early_data.3
MLINKS+= SSL_rstate_string.3 SSL_rstate_string_long.3
MLINKS+= SSL_set1_host.3 SSL_add1_host.3
MLINKS+= SSL_set1_host.3 SSL_get0_peername.3
MLINKS+= SSL_set1_host.3 SSL_set_hostflags.3
MLINKS+= SSL_set_bio.3 SSL_set0_rbio.3
MLINKS+= SSL_set_bio.3 SSL_set0_wbio.3
MLINKS+= SSL_set_connect_state.3 SSL_is_server.3
MLINKS+= SSL_set_connect_state.3 SSL_set_accept_state.3
MLINKS+= SSL_set_fd.3 SSL_set_rfd.3
MLINKS+= SSL_set_fd.3 SSL_set_wfd.3
MLINKS+= SSL_set_shutdown.3 SSL_get_shutdown.3
MLINKS+= SSL_state_string.3 SSL_state_string_long.3
MLINKS+= SSL_want.3 SSL_want_async.3
MLINKS+= SSL_want.3 SSL_want_async_job.3
MLINKS+= SSL_want.3 SSL_want_client_hello_cb.3
MLINKS+= SSL_want.3 SSL_want_nothing.3
MLINKS+= SSL_want.3 SSL_want_read.3
MLINKS+= SSL_want.3 SSL_want_write.3
MLINKS+= SSL_want.3 SSL_want_x509_lookup.3
MLINKS+= SSL_write.3 SSL_sendfile.3
MLINKS+= SSL_write.3 SSL_write_ex.3
MLINKS+= UI_STRING.3 UI_get0_action_string.3
MLINKS+= UI_STRING.3 UI_get0_output_string.3
MLINKS+= UI_STRING.3 UI_get0_result_string.3
MLINKS+= UI_STRING.3 UI_get0_test_string.3
MLINKS+= UI_STRING.3 UI_get_input_flags.3
MLINKS+= UI_STRING.3 UI_get_result_maxsize.3
MLINKS+= UI_STRING.3 UI_get_result_minsize.3
MLINKS+= UI_STRING.3 UI_get_result_string_length.3
MLINKS+= UI_STRING.3 UI_get_string_type.3
MLINKS+= UI_STRING.3 UI_set_result.3
MLINKS+= UI_STRING.3 UI_set_result_ex.3
MLINKS+= UI_STRING.3 UI_string_types.3
MLINKS+= UI_UTIL_read_pw.3 UI_UTIL_read_pw_string.3
MLINKS+= UI_UTIL_read_pw.3 UI_UTIL_wrap_read_pem_callback.3
MLINKS+= UI_create_method.3 UI_METHOD.3
MLINKS+= UI_create_method.3 UI_destroy_method.3
MLINKS+= UI_create_method.3 UI_method_get_closer.3
MLINKS+= UI_create_method.3 UI_method_get_data_destructor.3
MLINKS+= UI_create_method.3 UI_method_get_data_duplicator.3
MLINKS+= UI_create_method.3 UI_method_get_ex_data.3
MLINKS+= UI_create_method.3 UI_method_get_flusher.3
MLINKS+= UI_create_method.3 UI_method_get_opener.3
MLINKS+= UI_create_method.3 UI_method_get_prompt_constructor.3
MLINKS+= UI_create_method.3 UI_method_get_reader.3
MLINKS+= UI_create_method.3 UI_method_get_writer.3
MLINKS+= UI_create_method.3 UI_method_set_closer.3
MLINKS+= UI_create_method.3 UI_method_set_data_duplicator.3
MLINKS+= UI_create_method.3 UI_method_set_ex_data.3
MLINKS+= UI_create_method.3 UI_method_set_flusher.3
MLINKS+= UI_create_method.3 UI_method_set_opener.3
MLINKS+= UI_create_method.3 UI_method_set_prompt_constructor.3
MLINKS+= UI_create_method.3 UI_method_set_reader.3
MLINKS+= UI_create_method.3 UI_method_set_writer.3
MLINKS+= UI_new.3 UI.3
MLINKS+= UI_new.3 UI_OpenSSL.3
MLINKS+= UI_new.3 UI_add_error_string.3
MLINKS+= UI_new.3 UI_add_info_string.3
MLINKS+= UI_new.3 UI_add_input_boolean.3
MLINKS+= UI_new.3 UI_add_input_string.3
MLINKS+= UI_new.3 UI_add_user_data.3
MLINKS+= UI_new.3 UI_add_verify_string.3
MLINKS+= UI_new.3 UI_construct_prompt.3
MLINKS+= UI_new.3 UI_ctrl.3
MLINKS+= UI_new.3 UI_dup_error_string.3
MLINKS+= UI_new.3 UI_dup_info_string.3
MLINKS+= UI_new.3 UI_dup_input_boolean.3
MLINKS+= UI_new.3 UI_dup_input_string.3
MLINKS+= UI_new.3 UI_dup_user_data.3
MLINKS+= UI_new.3 UI_dup_verify_string.3
MLINKS+= UI_new.3 UI_free.3
MLINKS+= UI_new.3 UI_get0_result.3
MLINKS+= UI_new.3 UI_get0_user_data.3
MLINKS+= UI_new.3 UI_get_default_method.3
MLINKS+= UI_new.3 UI_get_method.3
MLINKS+= UI_new.3 UI_get_result_length.3
MLINKS+= UI_new.3 UI_new_method.3
MLINKS+= UI_new.3 UI_null.3
MLINKS+= UI_new.3 UI_process.3
MLINKS+= UI_new.3 UI_set_default_method.3
MLINKS+= UI_new.3 UI_set_method.3
MLINKS+= X509V3_get_d2i.3 X509V3_EXT_d2i.3
MLINKS+= X509V3_get_d2i.3 X509V3_EXT_i2d.3
MLINKS+= X509V3_get_d2i.3 X509V3_add1_i2d.3
MLINKS+= X509V3_get_d2i.3 X509_CRL_add1_ext_i2d.3
MLINKS+= X509V3_get_d2i.3 X509_CRL_get0_extensions.3
MLINKS+= X509V3_get_d2i.3 X509_CRL_get_ext_d2i.3
MLINKS+= X509V3_get_d2i.3 X509_REVOKED_add1_ext_i2d.3
MLINKS+= X509V3_get_d2i.3 X509_REVOKED_get0_extensions.3
MLINKS+= X509V3_get_d2i.3 X509_REVOKED_get_ext_d2i.3
MLINKS+= X509V3_get_d2i.3 X509_add1_ext_i2d.3
MLINKS+= X509V3_get_d2i.3 X509_get0_extensions.3
MLINKS+= X509V3_get_d2i.3 X509_get_ext_d2i.3
MLINKS+= X509_ALGOR_dup.3 X509_ALGOR_cmp.3
MLINKS+= X509_ALGOR_dup.3 X509_ALGOR_copy.3
MLINKS+= X509_ALGOR_dup.3 X509_ALGOR_get0.3
MLINKS+= X509_ALGOR_dup.3 X509_ALGOR_set0.3
MLINKS+= X509_ALGOR_dup.3 X509_ALGOR_set_md.3
MLINKS+= X509_CRL_get0_by_serial.3 X509_CRL_add0_revoked.3
MLINKS+= X509_CRL_get0_by_serial.3 X509_CRL_get0_by_cert.3
MLINKS+= X509_CRL_get0_by_serial.3 X509_CRL_get_REVOKED.3
MLINKS+= X509_CRL_get0_by_serial.3 X509_CRL_sort.3
MLINKS+= X509_CRL_get0_by_serial.3 X509_REVOKED_get0_revocationDate.3
MLINKS+= X509_CRL_get0_by_serial.3 X509_REVOKED_get0_serialNumber.3
MLINKS+= X509_CRL_get0_by_serial.3 X509_REVOKED_set_revocationDate.3
MLINKS+= X509_CRL_get0_by_serial.3 X509_REVOKED_set_serialNumber.3
MLINKS+= X509_EXTENSION_set_object.3 X509_EXTENSION_create_by_NID.3
MLINKS+= X509_EXTENSION_set_object.3 X509_EXTENSION_create_by_OBJ.3
MLINKS+= X509_EXTENSION_set_object.3 X509_EXTENSION_get_critical.3
MLINKS+= X509_EXTENSION_set_object.3 X509_EXTENSION_get_data.3
MLINKS+= X509_EXTENSION_set_object.3 X509_EXTENSION_get_object.3
MLINKS+= X509_EXTENSION_set_object.3 X509_EXTENSION_set_critical.3
MLINKS+= X509_EXTENSION_set_object.3 X509_EXTENSION_set_data.3
MLINKS+= X509_LOOKUP.3 X509_LOOKUP_TYPE.3
MLINKS+= X509_LOOKUP.3 X509_LOOKUP_add_dir.3
MLINKS+= X509_LOOKUP.3 X509_LOOKUP_by_alias.3
MLINKS+= X509_LOOKUP.3 X509_LOOKUP_by_fingerprint.3
MLINKS+= X509_LOOKUP.3 X509_LOOKUP_by_issuer_serial.3
MLINKS+= X509_LOOKUP.3 X509_LOOKUP_by_subject.3
MLINKS+= X509_LOOKUP.3 X509_LOOKUP_ctrl.3
MLINKS+= X509_LOOKUP.3 X509_LOOKUP_free.3
MLINKS+= X509_LOOKUP.3 X509_LOOKUP_get_method_data.3
MLINKS+= X509_LOOKUP.3 X509_LOOKUP_get_store.3
MLINKS+= X509_LOOKUP.3 X509_LOOKUP_init.3
MLINKS+= X509_LOOKUP.3 X509_LOOKUP_load_file.3
MLINKS+= X509_LOOKUP.3 X509_LOOKUP_new.3
MLINKS+= X509_LOOKUP.3 X509_LOOKUP_set_method_data.3
MLINKS+= X509_LOOKUP.3 X509_LOOKUP_shutdown.3
MLINKS+= X509_LOOKUP_hash_dir.3 X509_LOOKUP_file.3
MLINKS+= X509_LOOKUP_hash_dir.3 X509_load_cert_crl_file.3
MLINKS+= X509_LOOKUP_hash_dir.3 X509_load_cert_file.3
MLINKS+= X509_LOOKUP_hash_dir.3 X509_load_crl_file.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_METHOD.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_ctrl_fn.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_get_by_alias_fn.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_get_by_fingerprint_fn.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_get_by_issuer_serial_fn.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_get_by_subject_fn.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_free.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_get_ctrl.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_get_free.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_get_get_by_alias.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_get_get_by_fingerprint.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_get_get_by_issuer_serial.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_get_get_by_subject.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_get_init.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_get_new_item.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_get_shutdown.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_set_ctrl.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_set_free.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_set_get_by_alias.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_set_get_by_fingerprint.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_set_get_by_issuer_serial.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_set_get_by_subject.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_set_init.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_set_new_item.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_set_shutdown.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_OBJECT_set1_X509.3
MLINKS+= X509_LOOKUP_meth_new.3 X509_OBJECT_set1_X509_CRL.3
MLINKS+= X509_NAME_ENTRY_get_object.3 X509_NAME_ENTRY_create_by_NID.3
MLINKS+= X509_NAME_ENTRY_get_object.3 X509_NAME_ENTRY_create_by_OBJ.3
MLINKS+= X509_NAME_ENTRY_get_object.3 X509_NAME_ENTRY_create_by_txt.3
MLINKS+= X509_NAME_ENTRY_get_object.3 X509_NAME_ENTRY_get_data.3
MLINKS+= X509_NAME_ENTRY_get_object.3 X509_NAME_ENTRY_set_data.3
MLINKS+= X509_NAME_ENTRY_get_object.3 X509_NAME_ENTRY_set_object.3
MLINKS+= X509_NAME_add_entry_by_txt.3 X509_NAME_add_entry.3
MLINKS+= X509_NAME_add_entry_by_txt.3 X509_NAME_add_entry_by_NID.3
MLINKS+= X509_NAME_add_entry_by_txt.3 X509_NAME_add_entry_by_OBJ.3
MLINKS+= X509_NAME_add_entry_by_txt.3 X509_NAME_delete_entry.3
MLINKS+= X509_NAME_get_index_by_NID.3 X509_NAME_entry_count.3
MLINKS+= X509_NAME_get_index_by_NID.3 X509_NAME_get_entry.3
MLINKS+= X509_NAME_get_index_by_NID.3 X509_NAME_get_index_by_OBJ.3
MLINKS+= X509_NAME_get_index_by_NID.3 X509_NAME_get_text_by_NID.3
MLINKS+= X509_NAME_get_index_by_NID.3 X509_NAME_get_text_by_OBJ.3
MLINKS+= X509_NAME_print_ex.3 X509_NAME_oneline.3
MLINKS+= X509_NAME_print_ex.3 X509_NAME_print.3
MLINKS+= X509_NAME_print_ex.3 X509_NAME_print_ex_fp.3
MLINKS+= X509_PUBKEY_new.3 X509_PUBKEY_free.3
MLINKS+= X509_PUBKEY_new.3 X509_PUBKEY_get.3
MLINKS+= X509_PUBKEY_new.3 X509_PUBKEY_get0.3
MLINKS+= X509_PUBKEY_new.3 X509_PUBKEY_get0_param.3
MLINKS+= X509_PUBKEY_new.3 X509_PUBKEY_set.3
MLINKS+= X509_PUBKEY_new.3 X509_PUBKEY_set0_param.3
MLINKS+= X509_PUBKEY_new.3 d2i_PUBKEY.3
MLINKS+= X509_PUBKEY_new.3 d2i_PUBKEY_bio.3
MLINKS+= X509_PUBKEY_new.3 d2i_PUBKEY_fp.3
MLINKS+= X509_PUBKEY_new.3 i2d_PUBKEY.3
MLINKS+= X509_PUBKEY_new.3 i2d_PUBKEY_bio.3
MLINKS+= X509_PUBKEY_new.3 i2d_PUBKEY_fp.3
MLINKS+= X509_SIG_get0.3 X509_SIG_getm.3
MLINKS+= X509_STORE_CTX_get_error.3 X509_STORE_CTX_get0_cert.3
MLINKS+= X509_STORE_CTX_get_error.3 X509_STORE_CTX_get1_chain.3
MLINKS+= X509_STORE_CTX_get_error.3 X509_STORE_CTX_get_current_cert.3
MLINKS+= X509_STORE_CTX_get_error.3 X509_STORE_CTX_get_error_depth.3
MLINKS+= X509_STORE_CTX_get_error.3 X509_STORE_CTX_set_current_cert.3
MLINKS+= X509_STORE_CTX_get_error.3 X509_STORE_CTX_set_error.3
MLINKS+= X509_STORE_CTX_get_error.3 X509_STORE_CTX_set_error_depth.3
MLINKS+= X509_STORE_CTX_get_error.3 X509_verify_cert_error_string.3
MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_cleanup.3
MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_free.3
MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_get0_chain.3
MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_get0_param.3
MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_get0_untrusted.3
MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_get_num_untrusted.3
MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_init.3
+MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_purpose_inherit.3
MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_set0_crls.3
MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_set0_param.3
MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_set0_trusted_stack.3
MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_set0_untrusted.3
MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_set0_verified_chain.3
MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_set_cert.3
MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_set_default.3
+MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_set_purpose.3
+MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_set_trust.3
MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_set_verify.3
MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_verify_fn.3
MLINKS+= X509_STORE_CTX_set_verify_cb.3 X509_STORE_CTX_get_cert_crl.3
MLINKS+= X509_STORE_CTX_set_verify_cb.3 X509_STORE_CTX_get_check_crl.3
MLINKS+= X509_STORE_CTX_set_verify_cb.3 X509_STORE_CTX_get_check_issued.3
MLINKS+= X509_STORE_CTX_set_verify_cb.3 X509_STORE_CTX_get_check_policy.3
MLINKS+= X509_STORE_CTX_set_verify_cb.3 X509_STORE_CTX_get_check_revocation.3
MLINKS+= X509_STORE_CTX_set_verify_cb.3 X509_STORE_CTX_get_cleanup.3
MLINKS+= X509_STORE_CTX_set_verify_cb.3 X509_STORE_CTX_get_get_crl.3
MLINKS+= X509_STORE_CTX_set_verify_cb.3 X509_STORE_CTX_get_get_issuer.3
MLINKS+= X509_STORE_CTX_set_verify_cb.3 X509_STORE_CTX_get_lookup_certs.3
MLINKS+= X509_STORE_CTX_set_verify_cb.3 X509_STORE_CTX_get_lookup_crls.3
MLINKS+= X509_STORE_CTX_set_verify_cb.3 X509_STORE_CTX_get_verify_cb.3
MLINKS+= X509_STORE_CTX_set_verify_cb.3 X509_STORE_CTX_verify_cb.3
MLINKS+= X509_STORE_add_cert.3 X509_STORE.3
MLINKS+= X509_STORE_add_cert.3 X509_STORE_add_crl.3
MLINKS+= X509_STORE_add_cert.3 X509_STORE_add_lookup.3
MLINKS+= X509_STORE_add_cert.3 X509_STORE_load_locations.3
MLINKS+= X509_STORE_add_cert.3 X509_STORE_set_default_paths.3
MLINKS+= X509_STORE_add_cert.3 X509_STORE_set_depth.3
MLINKS+= X509_STORE_add_cert.3 X509_STORE_set_flags.3
MLINKS+= X509_STORE_add_cert.3 X509_STORE_set_purpose.3
MLINKS+= X509_STORE_add_cert.3 X509_STORE_set_trust.3
MLINKS+= X509_STORE_get0_param.3 X509_STORE_get0_objects.3
MLINKS+= X509_STORE_get0_param.3 X509_STORE_set1_param.3
MLINKS+= X509_STORE_new.3 X509_STORE_free.3
MLINKS+= X509_STORE_new.3 X509_STORE_lock.3
MLINKS+= X509_STORE_new.3 X509_STORE_unlock.3
MLINKS+= X509_STORE_new.3 X509_STORE_up_ref.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_CTX_cert_crl_fn.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_CTX_check_crl_fn.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_CTX_check_issued_fn.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_CTX_check_policy_fn.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_CTX_check_revocation_fn.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_CTX_cleanup_fn.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_CTX_get_crl_fn.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_CTX_get_issuer_fn.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_CTX_get_verify.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_CTX_lookup_certs_fn.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_CTX_lookup_crls_fn.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_get_cert_crl.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_get_check_crl.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_get_check_issued.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_get_check_policy.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_get_check_revocation.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_get_cleanup.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_get_get_crl.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_get_get_issuer.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_get_lookup_certs.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_get_lookup_crls.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_get_verify_cb.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_cert_crl.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_check_crl.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_check_issued.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_check_policy.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_check_revocation.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_cleanup.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_get_crl.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_get_issuer.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_lookup_certs.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_lookup_crls.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_lookup_crls_cb.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_verify.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_verify_cb.3
MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_verify_func.3
MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_add0_policy.3
MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_add1_host.3
MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_clear_flags.3
MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_get0_peername.3
MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_get_auth_level.3
MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_get_depth.3
MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_get_flags.3
MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_get_hostflags.3
MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_get_inh_flags.3
MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_get_time.3
MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_set1_email.3
MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_set1_host.3
MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_set1_ip.3
MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_set1_ip_asc.3
MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_set1_policies.3
MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_set_auth_level.3
MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_set_depth.3
MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_set_hostflags.3
MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_set_inh_flags.3
MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_set_purpose.3
MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_set_time.3
MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_set_trust.3
MLINKS+= X509_check_host.3 X509_check_email.3
MLINKS+= X509_check_host.3 X509_check_ip.3
MLINKS+= X509_check_host.3 X509_check_ip_asc.3
MLINKS+= X509_check_private_key.3 X509_REQ_check_private_key.3
MLINKS+= X509_cmp.3 X509_CRL_cmp.3
MLINKS+= X509_cmp.3 X509_CRL_match.3
MLINKS+= X509_cmp.3 X509_NAME_cmp.3
MLINKS+= X509_cmp.3 X509_issuer_and_serial_cmp.3
MLINKS+= X509_cmp.3 X509_issuer_name_cmp.3
MLINKS+= X509_cmp.3 X509_subject_name_cmp.3
MLINKS+= X509_cmp_time.3 X509_cmp_current_time.3
MLINKS+= X509_cmp_time.3 X509_time_adj.3
MLINKS+= X509_cmp_time.3 X509_time_adj_ex.3
MLINKS+= X509_digest.3 PKCS7_ISSUER_AND_SERIAL_digest.3
MLINKS+= X509_digest.3 X509_CRL_digest.3
MLINKS+= X509_digest.3 X509_NAME_digest.3
MLINKS+= X509_digest.3 X509_REQ_digest.3
MLINKS+= X509_digest.3 X509_pubkey_digest.3
MLINKS+= X509_dup.3 ACCESS_DESCRIPTION_free.3
MLINKS+= X509_dup.3 ACCESS_DESCRIPTION_new.3
MLINKS+= X509_dup.3 ADMISSIONS_free.3
MLINKS+= X509_dup.3 ADMISSIONS_new.3
MLINKS+= X509_dup.3 ADMISSION_SYNTAX_free.3
MLINKS+= X509_dup.3 ADMISSION_SYNTAX_new.3
MLINKS+= X509_dup.3 ASIdOrRange_free.3
MLINKS+= X509_dup.3 ASIdOrRange_new.3
MLINKS+= X509_dup.3 ASIdentifierChoice_free.3
MLINKS+= X509_dup.3 ASIdentifierChoice_new.3
MLINKS+= X509_dup.3 ASIdentifiers_free.3
MLINKS+= X509_dup.3 ASIdentifiers_new.3
MLINKS+= X509_dup.3 ASN1_ITEM.3
MLINKS+= X509_dup.3 ASRange_free.3
MLINKS+= X509_dup.3 ASRange_new.3
MLINKS+= X509_dup.3 AUTHORITY_INFO_ACCESS_free.3
MLINKS+= X509_dup.3 AUTHORITY_INFO_ACCESS_new.3
MLINKS+= X509_dup.3 AUTHORITY_KEYID_free.3
MLINKS+= X509_dup.3 AUTHORITY_KEYID_new.3
MLINKS+= X509_dup.3 BASIC_CONSTRAINTS_free.3
MLINKS+= X509_dup.3 BASIC_CONSTRAINTS_new.3
MLINKS+= X509_dup.3 CERTIFICATEPOLICIES_free.3
MLINKS+= X509_dup.3 CERTIFICATEPOLICIES_new.3
MLINKS+= X509_dup.3 CMS_ContentInfo_free.3
MLINKS+= X509_dup.3 CMS_ContentInfo_new.3
MLINKS+= X509_dup.3 CMS_ContentInfo_print_ctx.3
MLINKS+= X509_dup.3 CMS_ReceiptRequest_free.3
MLINKS+= X509_dup.3 CMS_ReceiptRequest_new.3
MLINKS+= X509_dup.3 CRL_DIST_POINTS_free.3
MLINKS+= X509_dup.3 CRL_DIST_POINTS_new.3
MLINKS+= X509_dup.3 DECLARE_ASN1_FUNCTIONS.3
MLINKS+= X509_dup.3 DIRECTORYSTRING_free.3
MLINKS+= X509_dup.3 DIRECTORYSTRING_new.3
MLINKS+= X509_dup.3 DISPLAYTEXT_free.3
MLINKS+= X509_dup.3 DISPLAYTEXT_new.3
MLINKS+= X509_dup.3 DIST_POINT_NAME_free.3
MLINKS+= X509_dup.3 DIST_POINT_NAME_new.3
MLINKS+= X509_dup.3 DIST_POINT_free.3
MLINKS+= X509_dup.3 DIST_POINT_new.3
MLINKS+= X509_dup.3 DSAparams_dup.3
MLINKS+= X509_dup.3 ECPARAMETERS_free.3
MLINKS+= X509_dup.3 ECPARAMETERS_new.3
MLINKS+= X509_dup.3 ECPKPARAMETERS_free.3
MLINKS+= X509_dup.3 ECPKPARAMETERS_new.3
MLINKS+= X509_dup.3 EDIPARTYNAME_free.3
MLINKS+= X509_dup.3 EDIPARTYNAME_new.3
MLINKS+= X509_dup.3 ESS_CERT_ID_dup.3
MLINKS+= X509_dup.3 ESS_CERT_ID_free.3
MLINKS+= X509_dup.3 ESS_CERT_ID_new.3
MLINKS+= X509_dup.3 ESS_ISSUER_SERIAL_dup.3
MLINKS+= X509_dup.3 ESS_ISSUER_SERIAL_free.3
MLINKS+= X509_dup.3 ESS_ISSUER_SERIAL_new.3
MLINKS+= X509_dup.3 ESS_SIGNING_CERT_dup.3
MLINKS+= X509_dup.3 ESS_SIGNING_CERT_free.3
MLINKS+= X509_dup.3 ESS_SIGNING_CERT_new.3
MLINKS+= X509_dup.3 EXTENDED_KEY_USAGE_free.3
MLINKS+= X509_dup.3 EXTENDED_KEY_USAGE_new.3
MLINKS+= X509_dup.3 GENERAL_NAMES_free.3
MLINKS+= X509_dup.3 GENERAL_NAMES_new.3
MLINKS+= X509_dup.3 GENERAL_NAME_dup.3
MLINKS+= X509_dup.3 GENERAL_NAME_free.3
MLINKS+= X509_dup.3 GENERAL_NAME_new.3
MLINKS+= X509_dup.3 GENERAL_SUBTREE_free.3
MLINKS+= X509_dup.3 GENERAL_SUBTREE_new.3
MLINKS+= X509_dup.3 IMPLEMENT_ASN1_FUNCTIONS.3
MLINKS+= X509_dup.3 IPAddressChoice_free.3
MLINKS+= X509_dup.3 IPAddressChoice_new.3
MLINKS+= X509_dup.3 IPAddressFamily_free.3
MLINKS+= X509_dup.3 IPAddressFamily_new.3
MLINKS+= X509_dup.3 IPAddressOrRange_free.3
MLINKS+= X509_dup.3 IPAddressOrRange_new.3
MLINKS+= X509_dup.3 IPAddressRange_free.3
MLINKS+= X509_dup.3 IPAddressRange_new.3
MLINKS+= X509_dup.3 ISSUING_DIST_POINT_free.3
MLINKS+= X509_dup.3 ISSUING_DIST_POINT_new.3
MLINKS+= X509_dup.3 NAME_CONSTRAINTS_free.3
MLINKS+= X509_dup.3 NAME_CONSTRAINTS_new.3
MLINKS+= X509_dup.3 NAMING_AUTHORITY_free.3
MLINKS+= X509_dup.3 NAMING_AUTHORITY_new.3
MLINKS+= X509_dup.3 NETSCAPE_CERT_SEQUENCE_free.3
MLINKS+= X509_dup.3 NETSCAPE_CERT_SEQUENCE_new.3
MLINKS+= X509_dup.3 NETSCAPE_SPKAC_free.3
MLINKS+= X509_dup.3 NETSCAPE_SPKAC_new.3
MLINKS+= X509_dup.3 NETSCAPE_SPKI_free.3
MLINKS+= X509_dup.3 NETSCAPE_SPKI_new.3
MLINKS+= X509_dup.3 NOTICEREF_free.3
MLINKS+= X509_dup.3 NOTICEREF_new.3
MLINKS+= X509_dup.3 OCSP_BASICRESP_free.3
MLINKS+= X509_dup.3 OCSP_BASICRESP_new.3
MLINKS+= X509_dup.3 OCSP_CERTID_dup.3
MLINKS+= X509_dup.3 OCSP_CERTID_new.3
MLINKS+= X509_dup.3 OCSP_CERTSTATUS_free.3
MLINKS+= X509_dup.3 OCSP_CERTSTATUS_new.3
MLINKS+= X509_dup.3 OCSP_CRLID_free.3
MLINKS+= X509_dup.3 OCSP_CRLID_new.3
MLINKS+= X509_dup.3 OCSP_ONEREQ_free.3
MLINKS+= X509_dup.3 OCSP_ONEREQ_new.3
MLINKS+= X509_dup.3 OCSP_REQINFO_free.3
MLINKS+= X509_dup.3 OCSP_REQINFO_new.3
MLINKS+= X509_dup.3 OCSP_RESPBYTES_free.3
MLINKS+= X509_dup.3 OCSP_RESPBYTES_new.3
MLINKS+= X509_dup.3 OCSP_RESPDATA_free.3
MLINKS+= X509_dup.3 OCSP_RESPDATA_new.3
MLINKS+= X509_dup.3 OCSP_RESPID_free.3
MLINKS+= X509_dup.3 OCSP_RESPID_new.3
MLINKS+= X509_dup.3 OCSP_RESPONSE_new.3
MLINKS+= X509_dup.3 OCSP_REVOKEDINFO_free.3
MLINKS+= X509_dup.3 OCSP_REVOKEDINFO_new.3
MLINKS+= X509_dup.3 OCSP_SERVICELOC_free.3
MLINKS+= X509_dup.3 OCSP_SERVICELOC_new.3
MLINKS+= X509_dup.3 OCSP_SIGNATURE_free.3
MLINKS+= X509_dup.3 OCSP_SIGNATURE_new.3
MLINKS+= X509_dup.3 OCSP_SINGLERESP_free.3
MLINKS+= X509_dup.3 OCSP_SINGLERESP_new.3
MLINKS+= X509_dup.3 OTHERNAME_free.3
MLINKS+= X509_dup.3 OTHERNAME_new.3
MLINKS+= X509_dup.3 PBE2PARAM_free.3
MLINKS+= X509_dup.3 PBE2PARAM_new.3
MLINKS+= X509_dup.3 PBEPARAM_free.3
MLINKS+= X509_dup.3 PBEPARAM_new.3
MLINKS+= X509_dup.3 PBKDF2PARAM_free.3
MLINKS+= X509_dup.3 PBKDF2PARAM_new.3
MLINKS+= X509_dup.3 PKCS12_BAGS_free.3
MLINKS+= X509_dup.3 PKCS12_BAGS_new.3
MLINKS+= X509_dup.3 PKCS12_MAC_DATA_free.3
MLINKS+= X509_dup.3 PKCS12_MAC_DATA_new.3
MLINKS+= X509_dup.3 PKCS12_SAFEBAG_free.3
MLINKS+= X509_dup.3 PKCS12_SAFEBAG_new.3
MLINKS+= X509_dup.3 PKCS12_free.3
MLINKS+= X509_dup.3 PKCS12_new.3
MLINKS+= X509_dup.3 PKCS7_DIGEST_free.3
MLINKS+= X509_dup.3 PKCS7_DIGEST_new.3
MLINKS+= X509_dup.3 PKCS7_ENCRYPT_free.3
MLINKS+= X509_dup.3 PKCS7_ENCRYPT_new.3
MLINKS+= X509_dup.3 PKCS7_ENC_CONTENT_free.3
MLINKS+= X509_dup.3 PKCS7_ENC_CONTENT_new.3
MLINKS+= X509_dup.3 PKCS7_ENVELOPE_free.3
MLINKS+= X509_dup.3 PKCS7_ENVELOPE_new.3
MLINKS+= X509_dup.3 PKCS7_ISSUER_AND_SERIAL_free.3
MLINKS+= X509_dup.3 PKCS7_ISSUER_AND_SERIAL_new.3
MLINKS+= X509_dup.3 PKCS7_RECIP_INFO_free.3
MLINKS+= X509_dup.3 PKCS7_RECIP_INFO_new.3
MLINKS+= X509_dup.3 PKCS7_SIGNED_free.3
MLINKS+= X509_dup.3 PKCS7_SIGNED_new.3
MLINKS+= X509_dup.3 PKCS7_SIGNER_INFO_free.3
MLINKS+= X509_dup.3 PKCS7_SIGNER_INFO_new.3
MLINKS+= X509_dup.3 PKCS7_SIGN_ENVELOPE_free.3
MLINKS+= X509_dup.3 PKCS7_SIGN_ENVELOPE_new.3
MLINKS+= X509_dup.3 PKCS7_dup.3
MLINKS+= X509_dup.3 PKCS7_free.3
MLINKS+= X509_dup.3 PKCS7_new.3
MLINKS+= X509_dup.3 PKCS7_print_ctx.3
MLINKS+= X509_dup.3 PKCS8_PRIV_KEY_INFO_free.3
MLINKS+= X509_dup.3 PKCS8_PRIV_KEY_INFO_new.3
MLINKS+= X509_dup.3 PKEY_USAGE_PERIOD_free.3
MLINKS+= X509_dup.3 PKEY_USAGE_PERIOD_new.3
MLINKS+= X509_dup.3 POLICYINFO_free.3
MLINKS+= X509_dup.3 POLICYINFO_new.3
MLINKS+= X509_dup.3 POLICYQUALINFO_free.3
MLINKS+= X509_dup.3 POLICYQUALINFO_new.3
MLINKS+= X509_dup.3 POLICY_CONSTRAINTS_free.3
MLINKS+= X509_dup.3 POLICY_CONSTRAINTS_new.3
MLINKS+= X509_dup.3 POLICY_MAPPING_free.3
MLINKS+= X509_dup.3 POLICY_MAPPING_new.3
MLINKS+= X509_dup.3 PROFESSION_INFOS_free.3
MLINKS+= X509_dup.3 PROFESSION_INFOS_new.3
MLINKS+= X509_dup.3 PROFESSION_INFO_free.3
MLINKS+= X509_dup.3 PROFESSION_INFO_new.3
MLINKS+= X509_dup.3 PROXY_CERT_INFO_EXTENSION_free.3
MLINKS+= X509_dup.3 PROXY_CERT_INFO_EXTENSION_new.3
MLINKS+= X509_dup.3 PROXY_POLICY_free.3
MLINKS+= X509_dup.3 PROXY_POLICY_new.3
MLINKS+= X509_dup.3 RSAPrivateKey_dup.3
MLINKS+= X509_dup.3 RSAPublicKey_dup.3
MLINKS+= X509_dup.3 RSA_OAEP_PARAMS_free.3
MLINKS+= X509_dup.3 RSA_OAEP_PARAMS_new.3
MLINKS+= X509_dup.3 RSA_PSS_PARAMS_free.3
MLINKS+= X509_dup.3 RSA_PSS_PARAMS_new.3
MLINKS+= X509_dup.3 SCRYPT_PARAMS_free.3
MLINKS+= X509_dup.3 SCRYPT_PARAMS_new.3
MLINKS+= X509_dup.3 SXNETID_free.3
MLINKS+= X509_dup.3 SXNETID_new.3
MLINKS+= X509_dup.3 SXNET_free.3
MLINKS+= X509_dup.3 SXNET_new.3
MLINKS+= X509_dup.3 TLS_FEATURE_free.3
MLINKS+= X509_dup.3 TLS_FEATURE_new.3
MLINKS+= X509_dup.3 TS_ACCURACY_dup.3
MLINKS+= X509_dup.3 TS_ACCURACY_free.3
MLINKS+= X509_dup.3 TS_ACCURACY_new.3
MLINKS+= X509_dup.3 TS_MSG_IMPRINT_dup.3
MLINKS+= X509_dup.3 TS_MSG_IMPRINT_free.3
MLINKS+= X509_dup.3 TS_MSG_IMPRINT_new.3
MLINKS+= X509_dup.3 TS_REQ_dup.3
MLINKS+= X509_dup.3 TS_REQ_free.3
MLINKS+= X509_dup.3 TS_REQ_new.3
MLINKS+= X509_dup.3 TS_RESP_dup.3
MLINKS+= X509_dup.3 TS_RESP_free.3
MLINKS+= X509_dup.3 TS_RESP_new.3
MLINKS+= X509_dup.3 TS_STATUS_INFO_dup.3
MLINKS+= X509_dup.3 TS_STATUS_INFO_free.3
MLINKS+= X509_dup.3 TS_STATUS_INFO_new.3
MLINKS+= X509_dup.3 TS_TST_INFO_dup.3
MLINKS+= X509_dup.3 TS_TST_INFO_free.3
MLINKS+= X509_dup.3 TS_TST_INFO_new.3
MLINKS+= X509_dup.3 USERNOTICE_free.3
MLINKS+= X509_dup.3 USERNOTICE_new.3
MLINKS+= X509_dup.3 X509_ALGOR_free.3
MLINKS+= X509_dup.3 X509_ALGOR_new.3
MLINKS+= X509_dup.3 X509_ATTRIBUTE_dup.3
MLINKS+= X509_dup.3 X509_ATTRIBUTE_free.3
MLINKS+= X509_dup.3 X509_ATTRIBUTE_new.3
MLINKS+= X509_dup.3 X509_CERT_AUX_free.3
MLINKS+= X509_dup.3 X509_CERT_AUX_new.3
MLINKS+= X509_dup.3 X509_CINF_free.3
MLINKS+= X509_dup.3 X509_CINF_new.3
MLINKS+= X509_dup.3 X509_CRL_INFO_free.3
MLINKS+= X509_dup.3 X509_CRL_INFO_new.3
MLINKS+= X509_dup.3 X509_CRL_dup.3
MLINKS+= X509_dup.3 X509_CRL_free.3
MLINKS+= X509_dup.3 X509_CRL_new.3
MLINKS+= X509_dup.3 X509_EXTENSION_dup.3
MLINKS+= X509_dup.3 X509_EXTENSION_free.3
MLINKS+= X509_dup.3 X509_EXTENSION_new.3
MLINKS+= X509_dup.3 X509_NAME_ENTRY_dup.3
MLINKS+= X509_dup.3 X509_NAME_ENTRY_free.3
MLINKS+= X509_dup.3 X509_NAME_ENTRY_new.3
MLINKS+= X509_dup.3 X509_NAME_dup.3
MLINKS+= X509_dup.3 X509_NAME_free.3
MLINKS+= X509_dup.3 X509_NAME_new.3
MLINKS+= X509_dup.3 X509_REQ_INFO_free.3
MLINKS+= X509_dup.3 X509_REQ_INFO_new.3
MLINKS+= X509_dup.3 X509_REQ_dup.3
MLINKS+= X509_dup.3 X509_REQ_free.3
MLINKS+= X509_dup.3 X509_REQ_new.3
MLINKS+= X509_dup.3 X509_REVOKED_dup.3
MLINKS+= X509_dup.3 X509_REVOKED_free.3
MLINKS+= X509_dup.3 X509_REVOKED_new.3
MLINKS+= X509_dup.3 X509_SIG_free.3
MLINKS+= X509_dup.3 X509_SIG_new.3
MLINKS+= X509_dup.3 X509_VAL_free.3
MLINKS+= X509_dup.3 X509_VAL_new.3
MLINKS+= X509_get0_notBefore.3 X509_CRL_get0_lastUpdate.3
MLINKS+= X509_get0_notBefore.3 X509_CRL_get0_nextUpdate.3
MLINKS+= X509_get0_notBefore.3 X509_CRL_set1_lastUpdate.3
MLINKS+= X509_get0_notBefore.3 X509_CRL_set1_nextUpdate.3
MLINKS+= X509_get0_notBefore.3 X509_get0_notAfter.3
MLINKS+= X509_get0_notBefore.3 X509_getm_notAfter.3
MLINKS+= X509_get0_notBefore.3 X509_getm_notBefore.3
MLINKS+= X509_get0_notBefore.3 X509_set1_notAfter.3
MLINKS+= X509_get0_notBefore.3 X509_set1_notBefore.3
MLINKS+= X509_get0_signature.3 X509_CRL_get0_signature.3
MLINKS+= X509_get0_signature.3 X509_CRL_get_signature_nid.3
MLINKS+= X509_get0_signature.3 X509_REQ_get0_signature.3
MLINKS+= X509_get0_signature.3 X509_REQ_get_signature_nid.3
MLINKS+= X509_get0_signature.3 X509_REQ_set0_signature.3
MLINKS+= X509_get0_signature.3 X509_REQ_set1_signature_algo.3
MLINKS+= X509_get0_signature.3 X509_SIG_INFO_get.3
MLINKS+= X509_get0_signature.3 X509_SIG_INFO_set.3
MLINKS+= X509_get0_signature.3 X509_get0_tbs_sigalg.3
MLINKS+= X509_get0_signature.3 X509_get_signature_info.3
MLINKS+= X509_get0_signature.3 X509_get_signature_nid.3
MLINKS+= X509_get_extension_flags.3 X509_get0_authority_issuer.3
MLINKS+= X509_get_extension_flags.3 X509_get0_authority_key_id.3
MLINKS+= X509_get_extension_flags.3 X509_get0_authority_serial.3
MLINKS+= X509_get_extension_flags.3 X509_get0_subject_key_id.3
MLINKS+= X509_get_extension_flags.3 X509_get_extended_key_usage.3
MLINKS+= X509_get_extension_flags.3 X509_get_key_usage.3
MLINKS+= X509_get_extension_flags.3 X509_get_pathlen.3
MLINKS+= X509_get_extension_flags.3 X509_get_proxy_pathlen.3
MLINKS+= X509_get_extension_flags.3 X509_set_proxy_flag.3
MLINKS+= X509_get_extension_flags.3 X509_set_proxy_pathlen.3
MLINKS+= X509_get_pubkey.3 X509_REQ_get0_pubkey.3
MLINKS+= X509_get_pubkey.3 X509_REQ_get_X509_PUBKEY.3
MLINKS+= X509_get_pubkey.3 X509_REQ_get_pubkey.3
MLINKS+= X509_get_pubkey.3 X509_REQ_set_pubkey.3
MLINKS+= X509_get_pubkey.3 X509_get0_pubkey.3
MLINKS+= X509_get_pubkey.3 X509_get_X509_PUBKEY.3
MLINKS+= X509_get_pubkey.3 X509_set_pubkey.3
MLINKS+= X509_get_serialNumber.3 X509_get0_serialNumber.3
MLINKS+= X509_get_serialNumber.3 X509_set_serialNumber.3
MLINKS+= X509_get_subject_name.3 X509_CRL_get_issuer.3
MLINKS+= X509_get_subject_name.3 X509_CRL_set_issuer_name.3
MLINKS+= X509_get_subject_name.3 X509_REQ_get_subject_name.3
MLINKS+= X509_get_subject_name.3 X509_REQ_set_subject_name.3
MLINKS+= X509_get_subject_name.3 X509_get_issuer_name.3
MLINKS+= X509_get_subject_name.3 X509_set_issuer_name.3
MLINKS+= X509_get_subject_name.3 X509_set_subject_name.3
MLINKS+= X509_get_version.3 X509_CRL_get_version.3
MLINKS+= X509_get_version.3 X509_CRL_set_version.3
MLINKS+= X509_get_version.3 X509_REQ_get_version.3
MLINKS+= X509_get_version.3 X509_REQ_set_version.3
MLINKS+= X509_get_version.3 X509_set_version.3
MLINKS+= X509_new.3 X509_chain_up_ref.3
MLINKS+= X509_new.3 X509_free.3
MLINKS+= X509_new.3 X509_up_ref.3
MLINKS+= X509_sign.3 X509_CRL_sign.3
MLINKS+= X509_sign.3 X509_CRL_sign_ctx.3
MLINKS+= X509_sign.3 X509_CRL_verify.3
MLINKS+= X509_sign.3 X509_REQ_sign.3
MLINKS+= X509_sign.3 X509_REQ_sign_ctx.3
MLINKS+= X509_sign.3 X509_REQ_verify.3
MLINKS+= X509_sign.3 X509_sign_ctx.3
MLINKS+= X509_sign.3 X509_verify.3
MLINKS+= X509v3_get_ext_by_NID.3 X509_CRL_add_ext.3
MLINKS+= X509v3_get_ext_by_NID.3 X509_CRL_delete_ext.3
MLINKS+= X509v3_get_ext_by_NID.3 X509_CRL_get_ext.3
MLINKS+= X509v3_get_ext_by_NID.3 X509_CRL_get_ext_by_NID.3
MLINKS+= X509v3_get_ext_by_NID.3 X509_CRL_get_ext_by_OBJ.3
MLINKS+= X509v3_get_ext_by_NID.3 X509_CRL_get_ext_by_critical.3
MLINKS+= X509v3_get_ext_by_NID.3 X509_CRL_get_ext_count.3
MLINKS+= X509v3_get_ext_by_NID.3 X509_REVOKED_add_ext.3
MLINKS+= X509v3_get_ext_by_NID.3 X509_REVOKED_delete_ext.3
MLINKS+= X509v3_get_ext_by_NID.3 X509_REVOKED_get_ext.3
MLINKS+= X509v3_get_ext_by_NID.3 X509_REVOKED_get_ext_by_NID.3
MLINKS+= X509v3_get_ext_by_NID.3 X509_REVOKED_get_ext_by_OBJ.3
MLINKS+= X509v3_get_ext_by_NID.3 X509_REVOKED_get_ext_by_critical.3
MLINKS+= X509v3_get_ext_by_NID.3 X509_REVOKED_get_ext_count.3
MLINKS+= X509v3_get_ext_by_NID.3 X509_add_ext.3
MLINKS+= X509v3_get_ext_by_NID.3 X509_delete_ext.3
MLINKS+= X509v3_get_ext_by_NID.3 X509_get_ext.3
MLINKS+= X509v3_get_ext_by_NID.3 X509_get_ext_by_NID.3
MLINKS+= X509v3_get_ext_by_NID.3 X509_get_ext_by_OBJ.3
MLINKS+= X509v3_get_ext_by_NID.3 X509_get_ext_by_critical.3
MLINKS+= X509v3_get_ext_by_NID.3 X509_get_ext_count.3
MLINKS+= X509v3_get_ext_by_NID.3 X509v3_add_ext.3
MLINKS+= X509v3_get_ext_by_NID.3 X509v3_delete_ext.3
MLINKS+= X509v3_get_ext_by_NID.3 X509v3_get_ext.3
MLINKS+= X509v3_get_ext_by_NID.3 X509v3_get_ext_by_OBJ.3
MLINKS+= X509v3_get_ext_by_NID.3 X509v3_get_ext_by_critical.3
MLINKS+= X509v3_get_ext_by_NID.3 X509v3_get_ext_count.3
MLINKS+= d2i_DHparams.3 i2d_DHparams.3
MLINKS+= d2i_PKCS8PrivateKey_bio.3 d2i_PKCS8PrivateKey_fp.3
MLINKS+= d2i_PKCS8PrivateKey_bio.3 i2d_PKCS8PrivateKey_bio.3
MLINKS+= d2i_PKCS8PrivateKey_bio.3 i2d_PKCS8PrivateKey_fp.3
MLINKS+= d2i_PKCS8PrivateKey_bio.3 i2d_PKCS8PrivateKey_nid_bio.3
MLINKS+= d2i_PKCS8PrivateKey_bio.3 i2d_PKCS8PrivateKey_nid_fp.3
MLINKS+= d2i_PrivateKey.3 d2i_AutoPrivateKey.3
MLINKS+= d2i_PrivateKey.3 d2i_PrivateKey_bio.3
MLINKS+= d2i_PrivateKey.3 d2i_PrivateKey_fp.3
MLINKS+= d2i_PrivateKey.3 d2i_PublicKey.3
MLINKS+= d2i_PrivateKey.3 i2d_PrivateKey.3
MLINKS+= d2i_PrivateKey.3 i2d_PublicKey.3
MLINKS+= d2i_SSL_SESSION.3 i2d_SSL_SESSION.3
MLINKS+= d2i_X509.3 d2i_ACCESS_DESCRIPTION.3
MLINKS+= d2i_X509.3 d2i_ADMISSIONS.3
MLINKS+= d2i_X509.3 d2i_ADMISSION_SYNTAX.3
MLINKS+= d2i_X509.3 d2i_ASIdOrRange.3
MLINKS+= d2i_X509.3 d2i_ASIdentifierChoice.3
MLINKS+= d2i_X509.3 d2i_ASIdentifiers.3
MLINKS+= d2i_X509.3 d2i_ASN1_BIT_STRING.3
MLINKS+= d2i_X509.3 d2i_ASN1_BMPSTRING.3
MLINKS+= d2i_X509.3 d2i_ASN1_ENUMERATED.3
MLINKS+= d2i_X509.3 d2i_ASN1_GENERALIZEDTIME.3
MLINKS+= d2i_X509.3 d2i_ASN1_GENERALSTRING.3
MLINKS+= d2i_X509.3 d2i_ASN1_IA5STRING.3
MLINKS+= d2i_X509.3 d2i_ASN1_INTEGER.3
MLINKS+= d2i_X509.3 d2i_ASN1_NULL.3
MLINKS+= d2i_X509.3 d2i_ASN1_OBJECT.3
MLINKS+= d2i_X509.3 d2i_ASN1_OCTET_STRING.3
MLINKS+= d2i_X509.3 d2i_ASN1_PRINTABLE.3
MLINKS+= d2i_X509.3 d2i_ASN1_PRINTABLESTRING.3
MLINKS+= d2i_X509.3 d2i_ASN1_SEQUENCE_ANY.3
MLINKS+= d2i_X509.3 d2i_ASN1_SET_ANY.3
MLINKS+= d2i_X509.3 d2i_ASN1_T61STRING.3
MLINKS+= d2i_X509.3 d2i_ASN1_TIME.3
MLINKS+= d2i_X509.3 d2i_ASN1_TYPE.3
MLINKS+= d2i_X509.3 d2i_ASN1_UINTEGER.3
MLINKS+= d2i_X509.3 d2i_ASN1_UNIVERSALSTRING.3
MLINKS+= d2i_X509.3 d2i_ASN1_UTCTIME.3
MLINKS+= d2i_X509.3 d2i_ASN1_UTF8STRING.3
MLINKS+= d2i_X509.3 d2i_ASN1_VISIBLESTRING.3
MLINKS+= d2i_X509.3 d2i_ASRange.3
MLINKS+= d2i_X509.3 d2i_AUTHORITY_INFO_ACCESS.3
MLINKS+= d2i_X509.3 d2i_AUTHORITY_KEYID.3
MLINKS+= d2i_X509.3 d2i_BASIC_CONSTRAINTS.3
MLINKS+= d2i_X509.3 d2i_CERTIFICATEPOLICIES.3
MLINKS+= d2i_X509.3 d2i_CMS_ContentInfo.3
MLINKS+= d2i_X509.3 d2i_CMS_ReceiptRequest.3
MLINKS+= d2i_X509.3 d2i_CMS_bio.3
MLINKS+= d2i_X509.3 d2i_CRL_DIST_POINTS.3
MLINKS+= d2i_X509.3 d2i_DHxparams.3
MLINKS+= d2i_X509.3 d2i_DIRECTORYSTRING.3
MLINKS+= d2i_X509.3 d2i_DISPLAYTEXT.3
MLINKS+= d2i_X509.3 d2i_DIST_POINT.3
MLINKS+= d2i_X509.3 d2i_DIST_POINT_NAME.3
MLINKS+= d2i_X509.3 d2i_DSAPrivateKey.3
MLINKS+= d2i_X509.3 d2i_DSAPrivateKey_bio.3
MLINKS+= d2i_X509.3 d2i_DSAPrivateKey_fp.3
MLINKS+= d2i_X509.3 d2i_DSAPublicKey.3
MLINKS+= d2i_X509.3 d2i_DSA_PUBKEY.3
MLINKS+= d2i_X509.3 d2i_DSA_PUBKEY_bio.3
MLINKS+= d2i_X509.3 d2i_DSA_PUBKEY_fp.3
MLINKS+= d2i_X509.3 d2i_DSA_SIG.3
MLINKS+= d2i_X509.3 d2i_DSAparams.3
MLINKS+= d2i_X509.3 d2i_ECDSA_SIG.3
MLINKS+= d2i_X509.3 d2i_ECPKParameters.3
MLINKS+= d2i_X509.3 d2i_ECParameters.3
MLINKS+= d2i_X509.3 d2i_ECPrivateKey.3
MLINKS+= d2i_X509.3 d2i_ECPrivateKey_bio.3
MLINKS+= d2i_X509.3 d2i_ECPrivateKey_fp.3
MLINKS+= d2i_X509.3 d2i_EC_PUBKEY.3
MLINKS+= d2i_X509.3 d2i_EC_PUBKEY_bio.3
MLINKS+= d2i_X509.3 d2i_EC_PUBKEY_fp.3
MLINKS+= d2i_X509.3 d2i_EDIPARTYNAME.3
MLINKS+= d2i_X509.3 d2i_ESS_CERT_ID.3
MLINKS+= d2i_X509.3 d2i_ESS_ISSUER_SERIAL.3
MLINKS+= d2i_X509.3 d2i_ESS_SIGNING_CERT.3
MLINKS+= d2i_X509.3 d2i_EXTENDED_KEY_USAGE.3
MLINKS+= d2i_X509.3 d2i_GENERAL_NAME.3
MLINKS+= d2i_X509.3 d2i_GENERAL_NAMES.3
MLINKS+= d2i_X509.3 d2i_IPAddressChoice.3
MLINKS+= d2i_X509.3 d2i_IPAddressFamily.3
MLINKS+= d2i_X509.3 d2i_IPAddressOrRange.3
MLINKS+= d2i_X509.3 d2i_IPAddressRange.3
MLINKS+= d2i_X509.3 d2i_ISSUING_DIST_POINT.3
MLINKS+= d2i_X509.3 d2i_NAMING_AUTHORITY.3
MLINKS+= d2i_X509.3 d2i_NETSCAPE_CERT_SEQUENCE.3
MLINKS+= d2i_X509.3 d2i_NETSCAPE_SPKAC.3
MLINKS+= d2i_X509.3 d2i_NETSCAPE_SPKI.3
MLINKS+= d2i_X509.3 d2i_NOTICEREF.3
MLINKS+= d2i_X509.3 d2i_OCSP_BASICRESP.3
MLINKS+= d2i_X509.3 d2i_OCSP_CERTID.3
MLINKS+= d2i_X509.3 d2i_OCSP_CERTSTATUS.3
MLINKS+= d2i_X509.3 d2i_OCSP_CRLID.3
MLINKS+= d2i_X509.3 d2i_OCSP_ONEREQ.3
MLINKS+= d2i_X509.3 d2i_OCSP_REQINFO.3
MLINKS+= d2i_X509.3 d2i_OCSP_REQUEST.3
MLINKS+= d2i_X509.3 d2i_OCSP_RESPBYTES.3
MLINKS+= d2i_X509.3 d2i_OCSP_RESPDATA.3
MLINKS+= d2i_X509.3 d2i_OCSP_RESPID.3
MLINKS+= d2i_X509.3 d2i_OCSP_RESPONSE.3
MLINKS+= d2i_X509.3 d2i_OCSP_REVOKEDINFO.3
MLINKS+= d2i_X509.3 d2i_OCSP_SERVICELOC.3
MLINKS+= d2i_X509.3 d2i_OCSP_SIGNATURE.3
MLINKS+= d2i_X509.3 d2i_OCSP_SINGLERESP.3
MLINKS+= d2i_X509.3 d2i_OTHERNAME.3
MLINKS+= d2i_X509.3 d2i_PBE2PARAM.3
MLINKS+= d2i_X509.3 d2i_PBEPARAM.3
MLINKS+= d2i_X509.3 d2i_PBKDF2PARAM.3
MLINKS+= d2i_X509.3 d2i_PKCS12.3
MLINKS+= d2i_X509.3 d2i_PKCS12_BAGS.3
MLINKS+= d2i_X509.3 d2i_PKCS12_MAC_DATA.3
MLINKS+= d2i_X509.3 d2i_PKCS12_SAFEBAG.3
MLINKS+= d2i_X509.3 d2i_PKCS12_bio.3
MLINKS+= d2i_X509.3 d2i_PKCS12_fp.3
MLINKS+= d2i_X509.3 d2i_PKCS7.3
MLINKS+= d2i_X509.3 d2i_PKCS7_DIGEST.3
MLINKS+= d2i_X509.3 d2i_PKCS7_ENCRYPT.3
MLINKS+= d2i_X509.3 d2i_PKCS7_ENC_CONTENT.3
MLINKS+= d2i_X509.3 d2i_PKCS7_ENVELOPE.3
MLINKS+= d2i_X509.3 d2i_PKCS7_ISSUER_AND_SERIAL.3
MLINKS+= d2i_X509.3 d2i_PKCS7_RECIP_INFO.3
MLINKS+= d2i_X509.3 d2i_PKCS7_SIGNED.3
MLINKS+= d2i_X509.3 d2i_PKCS7_SIGNER_INFO.3
MLINKS+= d2i_X509.3 d2i_PKCS7_SIGN_ENVELOPE.3
MLINKS+= d2i_X509.3 d2i_PKCS7_bio.3
MLINKS+= d2i_X509.3 d2i_PKCS7_fp.3
MLINKS+= d2i_X509.3 d2i_PKCS8_PRIV_KEY_INFO.3
MLINKS+= d2i_X509.3 d2i_PKCS8_PRIV_KEY_INFO_bio.3
MLINKS+= d2i_X509.3 d2i_PKCS8_PRIV_KEY_INFO_fp.3
MLINKS+= d2i_X509.3 d2i_PKCS8_bio.3
MLINKS+= d2i_X509.3 d2i_PKCS8_fp.3
MLINKS+= d2i_X509.3 d2i_PKEY_USAGE_PERIOD.3
MLINKS+= d2i_X509.3 d2i_POLICYINFO.3
MLINKS+= d2i_X509.3 d2i_POLICYQUALINFO.3
MLINKS+= d2i_X509.3 d2i_PROFESSION_INFO.3
MLINKS+= d2i_X509.3 d2i_PROXY_CERT_INFO_EXTENSION.3
MLINKS+= d2i_X509.3 d2i_PROXY_POLICY.3
MLINKS+= d2i_X509.3 d2i_RSAPrivateKey.3
MLINKS+= d2i_X509.3 d2i_RSAPrivateKey_bio.3
MLINKS+= d2i_X509.3 d2i_RSAPrivateKey_fp.3
MLINKS+= d2i_X509.3 d2i_RSAPublicKey.3
MLINKS+= d2i_X509.3 d2i_RSAPublicKey_bio.3
MLINKS+= d2i_X509.3 d2i_RSAPublicKey_fp.3
MLINKS+= d2i_X509.3 d2i_RSA_OAEP_PARAMS.3
MLINKS+= d2i_X509.3 d2i_RSA_PSS_PARAMS.3
MLINKS+= d2i_X509.3 d2i_RSA_PUBKEY.3
MLINKS+= d2i_X509.3 d2i_RSA_PUBKEY_bio.3
MLINKS+= d2i_X509.3 d2i_RSA_PUBKEY_fp.3
MLINKS+= d2i_X509.3 d2i_SCRYPT_PARAMS.3
MLINKS+= d2i_X509.3 d2i_SCT_LIST.3
MLINKS+= d2i_X509.3 d2i_SXNET.3
MLINKS+= d2i_X509.3 d2i_SXNETID.3
MLINKS+= d2i_X509.3 d2i_TS_ACCURACY.3
MLINKS+= d2i_X509.3 d2i_TS_MSG_IMPRINT.3
MLINKS+= d2i_X509.3 d2i_TS_MSG_IMPRINT_bio.3
MLINKS+= d2i_X509.3 d2i_TS_MSG_IMPRINT_fp.3
MLINKS+= d2i_X509.3 d2i_TS_REQ.3
MLINKS+= d2i_X509.3 d2i_TS_REQ_bio.3
MLINKS+= d2i_X509.3 d2i_TS_REQ_fp.3
MLINKS+= d2i_X509.3 d2i_TS_RESP.3
MLINKS+= d2i_X509.3 d2i_TS_RESP_bio.3
MLINKS+= d2i_X509.3 d2i_TS_RESP_fp.3
MLINKS+= d2i_X509.3 d2i_TS_STATUS_INFO.3
MLINKS+= d2i_X509.3 d2i_TS_TST_INFO.3
MLINKS+= d2i_X509.3 d2i_TS_TST_INFO_bio.3
MLINKS+= d2i_X509.3 d2i_TS_TST_INFO_fp.3
MLINKS+= d2i_X509.3 d2i_USERNOTICE.3
MLINKS+= d2i_X509.3 d2i_X509_ALGOR.3
MLINKS+= d2i_X509.3 d2i_X509_ALGORS.3
MLINKS+= d2i_X509.3 d2i_X509_ATTRIBUTE.3
MLINKS+= d2i_X509.3 d2i_X509_CERT_AUX.3
MLINKS+= d2i_X509.3 d2i_X509_CINF.3
MLINKS+= d2i_X509.3 d2i_X509_CRL.3
MLINKS+= d2i_X509.3 d2i_X509_CRL_INFO.3
MLINKS+= d2i_X509.3 d2i_X509_CRL_bio.3
MLINKS+= d2i_X509.3 d2i_X509_CRL_fp.3
MLINKS+= d2i_X509.3 d2i_X509_EXTENSION.3
MLINKS+= d2i_X509.3 d2i_X509_EXTENSIONS.3
MLINKS+= d2i_X509.3 d2i_X509_NAME.3
MLINKS+= d2i_X509.3 d2i_X509_NAME_ENTRY.3
MLINKS+= d2i_X509.3 d2i_X509_PUBKEY.3
MLINKS+= d2i_X509.3 d2i_X509_REQ.3
MLINKS+= d2i_X509.3 d2i_X509_REQ_INFO.3
MLINKS+= d2i_X509.3 d2i_X509_REQ_bio.3
MLINKS+= d2i_X509.3 d2i_X509_REQ_fp.3
MLINKS+= d2i_X509.3 d2i_X509_REVOKED.3
MLINKS+= d2i_X509.3 d2i_X509_SIG.3
MLINKS+= d2i_X509.3 d2i_X509_VAL.3
MLINKS+= d2i_X509.3 d2i_X509_bio.3
MLINKS+= d2i_X509.3 d2i_X509_fp.3
MLINKS+= d2i_X509.3 i2d_ACCESS_DESCRIPTION.3
MLINKS+= d2i_X509.3 i2d_ADMISSIONS.3
MLINKS+= d2i_X509.3 i2d_ADMISSION_SYNTAX.3
MLINKS+= d2i_X509.3 i2d_ASIdOrRange.3
MLINKS+= d2i_X509.3 i2d_ASIdentifierChoice.3
MLINKS+= d2i_X509.3 i2d_ASIdentifiers.3
MLINKS+= d2i_X509.3 i2d_ASN1_BIT_STRING.3
MLINKS+= d2i_X509.3 i2d_ASN1_BMPSTRING.3
MLINKS+= d2i_X509.3 i2d_ASN1_ENUMERATED.3
MLINKS+= d2i_X509.3 i2d_ASN1_GENERALIZEDTIME.3
MLINKS+= d2i_X509.3 i2d_ASN1_GENERALSTRING.3
MLINKS+= d2i_X509.3 i2d_ASN1_IA5STRING.3
MLINKS+= d2i_X509.3 i2d_ASN1_INTEGER.3
MLINKS+= d2i_X509.3 i2d_ASN1_NULL.3
MLINKS+= d2i_X509.3 i2d_ASN1_OBJECT.3
MLINKS+= d2i_X509.3 i2d_ASN1_OCTET_STRING.3
MLINKS+= d2i_X509.3 i2d_ASN1_PRINTABLE.3
MLINKS+= d2i_X509.3 i2d_ASN1_PRINTABLESTRING.3
MLINKS+= d2i_X509.3 i2d_ASN1_SEQUENCE_ANY.3
MLINKS+= d2i_X509.3 i2d_ASN1_SET_ANY.3
MLINKS+= d2i_X509.3 i2d_ASN1_T61STRING.3
MLINKS+= d2i_X509.3 i2d_ASN1_TIME.3
MLINKS+= d2i_X509.3 i2d_ASN1_TYPE.3
MLINKS+= d2i_X509.3 i2d_ASN1_UNIVERSALSTRING.3
MLINKS+= d2i_X509.3 i2d_ASN1_UTCTIME.3
MLINKS+= d2i_X509.3 i2d_ASN1_UTF8STRING.3
MLINKS+= d2i_X509.3 i2d_ASN1_VISIBLESTRING.3
MLINKS+= d2i_X509.3 i2d_ASN1_bio_stream.3
MLINKS+= d2i_X509.3 i2d_ASRange.3
MLINKS+= d2i_X509.3 i2d_AUTHORITY_INFO_ACCESS.3
MLINKS+= d2i_X509.3 i2d_AUTHORITY_KEYID.3
MLINKS+= d2i_X509.3 i2d_BASIC_CONSTRAINTS.3
MLINKS+= d2i_X509.3 i2d_CERTIFICATEPOLICIES.3
MLINKS+= d2i_X509.3 i2d_CMS_ContentInfo.3
MLINKS+= d2i_X509.3 i2d_CMS_ReceiptRequest.3
MLINKS+= d2i_X509.3 i2d_CMS_bio.3
MLINKS+= d2i_X509.3 i2d_CRL_DIST_POINTS.3
MLINKS+= d2i_X509.3 i2d_DHxparams.3
MLINKS+= d2i_X509.3 i2d_DIRECTORYSTRING.3
MLINKS+= d2i_X509.3 i2d_DISPLAYTEXT.3
MLINKS+= d2i_X509.3 i2d_DIST_POINT.3
MLINKS+= d2i_X509.3 i2d_DIST_POINT_NAME.3
MLINKS+= d2i_X509.3 i2d_DSAPrivateKey.3
MLINKS+= d2i_X509.3 i2d_DSAPrivateKey_bio.3
MLINKS+= d2i_X509.3 i2d_DSAPrivateKey_fp.3
MLINKS+= d2i_X509.3 i2d_DSAPublicKey.3
MLINKS+= d2i_X509.3 i2d_DSA_PUBKEY.3
MLINKS+= d2i_X509.3 i2d_DSA_PUBKEY_bio.3
MLINKS+= d2i_X509.3 i2d_DSA_PUBKEY_fp.3
MLINKS+= d2i_X509.3 i2d_DSA_SIG.3
MLINKS+= d2i_X509.3 i2d_DSAparams.3
MLINKS+= d2i_X509.3 i2d_ECDSA_SIG.3
MLINKS+= d2i_X509.3 i2d_ECPKParameters.3
MLINKS+= d2i_X509.3 i2d_ECParameters.3
MLINKS+= d2i_X509.3 i2d_ECPrivateKey.3
MLINKS+= d2i_X509.3 i2d_ECPrivateKey_bio.3
MLINKS+= d2i_X509.3 i2d_ECPrivateKey_fp.3
MLINKS+= d2i_X509.3 i2d_EC_PUBKEY.3
MLINKS+= d2i_X509.3 i2d_EC_PUBKEY_bio.3
MLINKS+= d2i_X509.3 i2d_EC_PUBKEY_fp.3
MLINKS+= d2i_X509.3 i2d_EDIPARTYNAME.3
MLINKS+= d2i_X509.3 i2d_ESS_CERT_ID.3
MLINKS+= d2i_X509.3 i2d_ESS_ISSUER_SERIAL.3
MLINKS+= d2i_X509.3 i2d_ESS_SIGNING_CERT.3
MLINKS+= d2i_X509.3 i2d_EXTENDED_KEY_USAGE.3
MLINKS+= d2i_X509.3 i2d_GENERAL_NAME.3
MLINKS+= d2i_X509.3 i2d_GENERAL_NAMES.3
MLINKS+= d2i_X509.3 i2d_IPAddressChoice.3
MLINKS+= d2i_X509.3 i2d_IPAddressFamily.3
MLINKS+= d2i_X509.3 i2d_IPAddressOrRange.3
MLINKS+= d2i_X509.3 i2d_IPAddressRange.3
MLINKS+= d2i_X509.3 i2d_ISSUING_DIST_POINT.3
MLINKS+= d2i_X509.3 i2d_NAMING_AUTHORITY.3
MLINKS+= d2i_X509.3 i2d_NETSCAPE_CERT_SEQUENCE.3
MLINKS+= d2i_X509.3 i2d_NETSCAPE_SPKAC.3
MLINKS+= d2i_X509.3 i2d_NETSCAPE_SPKI.3
MLINKS+= d2i_X509.3 i2d_NOTICEREF.3
MLINKS+= d2i_X509.3 i2d_OCSP_BASICRESP.3
MLINKS+= d2i_X509.3 i2d_OCSP_CERTID.3
MLINKS+= d2i_X509.3 i2d_OCSP_CERTSTATUS.3
MLINKS+= d2i_X509.3 i2d_OCSP_CRLID.3
MLINKS+= d2i_X509.3 i2d_OCSP_ONEREQ.3
MLINKS+= d2i_X509.3 i2d_OCSP_REQINFO.3
MLINKS+= d2i_X509.3 i2d_OCSP_REQUEST.3
MLINKS+= d2i_X509.3 i2d_OCSP_RESPBYTES.3
MLINKS+= d2i_X509.3 i2d_OCSP_RESPDATA.3
MLINKS+= d2i_X509.3 i2d_OCSP_RESPID.3
MLINKS+= d2i_X509.3 i2d_OCSP_RESPONSE.3
MLINKS+= d2i_X509.3 i2d_OCSP_REVOKEDINFO.3
MLINKS+= d2i_X509.3 i2d_OCSP_SERVICELOC.3
MLINKS+= d2i_X509.3 i2d_OCSP_SIGNATURE.3
MLINKS+= d2i_X509.3 i2d_OCSP_SINGLERESP.3
MLINKS+= d2i_X509.3 i2d_OTHERNAME.3
MLINKS+= d2i_X509.3 i2d_PBE2PARAM.3
MLINKS+= d2i_X509.3 i2d_PBEPARAM.3
MLINKS+= d2i_X509.3 i2d_PBKDF2PARAM.3
MLINKS+= d2i_X509.3 i2d_PKCS12.3
MLINKS+= d2i_X509.3 i2d_PKCS12_BAGS.3
MLINKS+= d2i_X509.3 i2d_PKCS12_MAC_DATA.3
MLINKS+= d2i_X509.3 i2d_PKCS12_SAFEBAG.3
MLINKS+= d2i_X509.3 i2d_PKCS12_bio.3
MLINKS+= d2i_X509.3 i2d_PKCS12_fp.3
MLINKS+= d2i_X509.3 i2d_PKCS7.3
MLINKS+= d2i_X509.3 i2d_PKCS7_DIGEST.3
MLINKS+= d2i_X509.3 i2d_PKCS7_ENCRYPT.3
MLINKS+= d2i_X509.3 i2d_PKCS7_ENC_CONTENT.3
MLINKS+= d2i_X509.3 i2d_PKCS7_ENVELOPE.3
MLINKS+= d2i_X509.3 i2d_PKCS7_ISSUER_AND_SERIAL.3
MLINKS+= d2i_X509.3 i2d_PKCS7_NDEF.3
MLINKS+= d2i_X509.3 i2d_PKCS7_RECIP_INFO.3
MLINKS+= d2i_X509.3 i2d_PKCS7_SIGNED.3
MLINKS+= d2i_X509.3 i2d_PKCS7_SIGNER_INFO.3
MLINKS+= d2i_X509.3 i2d_PKCS7_SIGN_ENVELOPE.3
MLINKS+= d2i_X509.3 i2d_PKCS7_bio.3
MLINKS+= d2i_X509.3 i2d_PKCS7_fp.3
MLINKS+= d2i_X509.3 i2d_PKCS8PrivateKeyInfo_bio.3
MLINKS+= d2i_X509.3 i2d_PKCS8PrivateKeyInfo_fp.3
MLINKS+= d2i_X509.3 i2d_PKCS8_PRIV_KEY_INFO.3
MLINKS+= d2i_X509.3 i2d_PKCS8_PRIV_KEY_INFO_bio.3
MLINKS+= d2i_X509.3 i2d_PKCS8_PRIV_KEY_INFO_fp.3
MLINKS+= d2i_X509.3 i2d_PKCS8_bio.3
MLINKS+= d2i_X509.3 i2d_PKCS8_fp.3
MLINKS+= d2i_X509.3 i2d_PKEY_USAGE_PERIOD.3
MLINKS+= d2i_X509.3 i2d_POLICYINFO.3
MLINKS+= d2i_X509.3 i2d_POLICYQUALINFO.3
MLINKS+= d2i_X509.3 i2d_PROFESSION_INFO.3
MLINKS+= d2i_X509.3 i2d_PROXY_CERT_INFO_EXTENSION.3
MLINKS+= d2i_X509.3 i2d_PROXY_POLICY.3
MLINKS+= d2i_X509.3 i2d_RSAPrivateKey.3
MLINKS+= d2i_X509.3 i2d_RSAPrivateKey_bio.3
MLINKS+= d2i_X509.3 i2d_RSAPrivateKey_fp.3
MLINKS+= d2i_X509.3 i2d_RSAPublicKey.3
MLINKS+= d2i_X509.3 i2d_RSAPublicKey_bio.3
MLINKS+= d2i_X509.3 i2d_RSAPublicKey_fp.3
MLINKS+= d2i_X509.3 i2d_RSA_OAEP_PARAMS.3
MLINKS+= d2i_X509.3 i2d_RSA_PSS_PARAMS.3
MLINKS+= d2i_X509.3 i2d_RSA_PUBKEY.3
MLINKS+= d2i_X509.3 i2d_RSA_PUBKEY_bio.3
MLINKS+= d2i_X509.3 i2d_RSA_PUBKEY_fp.3
MLINKS+= d2i_X509.3 i2d_SCRYPT_PARAMS.3
MLINKS+= d2i_X509.3 i2d_SCT_LIST.3
MLINKS+= d2i_X509.3 i2d_SXNET.3
MLINKS+= d2i_X509.3 i2d_SXNETID.3
MLINKS+= d2i_X509.3 i2d_TS_ACCURACY.3
MLINKS+= d2i_X509.3 i2d_TS_MSG_IMPRINT.3
MLINKS+= d2i_X509.3 i2d_TS_MSG_IMPRINT_bio.3
MLINKS+= d2i_X509.3 i2d_TS_MSG_IMPRINT_fp.3
MLINKS+= d2i_X509.3 i2d_TS_REQ.3
MLINKS+= d2i_X509.3 i2d_TS_REQ_bio.3
MLINKS+= d2i_X509.3 i2d_TS_REQ_fp.3
MLINKS+= d2i_X509.3 i2d_TS_RESP.3
MLINKS+= d2i_X509.3 i2d_TS_RESP_bio.3
MLINKS+= d2i_X509.3 i2d_TS_RESP_fp.3
MLINKS+= d2i_X509.3 i2d_TS_STATUS_INFO.3
MLINKS+= d2i_X509.3 i2d_TS_TST_INFO.3
MLINKS+= d2i_X509.3 i2d_TS_TST_INFO_bio.3
MLINKS+= d2i_X509.3 i2d_TS_TST_INFO_fp.3
MLINKS+= d2i_X509.3 i2d_USERNOTICE.3
MLINKS+= d2i_X509.3 i2d_X509.3
MLINKS+= d2i_X509.3 i2d_X509_ALGOR.3
MLINKS+= d2i_X509.3 i2d_X509_ALGORS.3
MLINKS+= d2i_X509.3 i2d_X509_ATTRIBUTE.3
MLINKS+= d2i_X509.3 i2d_X509_CERT_AUX.3
MLINKS+= d2i_X509.3 i2d_X509_CINF.3
MLINKS+= d2i_X509.3 i2d_X509_CRL.3
MLINKS+= d2i_X509.3 i2d_X509_CRL_INFO.3
MLINKS+= d2i_X509.3 i2d_X509_CRL_bio.3
MLINKS+= d2i_X509.3 i2d_X509_CRL_fp.3
MLINKS+= d2i_X509.3 i2d_X509_EXTENSION.3
MLINKS+= d2i_X509.3 i2d_X509_EXTENSIONS.3
MLINKS+= d2i_X509.3 i2d_X509_NAME.3
MLINKS+= d2i_X509.3 i2d_X509_NAME_ENTRY.3
MLINKS+= d2i_X509.3 i2d_X509_PUBKEY.3
MLINKS+= d2i_X509.3 i2d_X509_REQ.3
MLINKS+= d2i_X509.3 i2d_X509_REQ_INFO.3
MLINKS+= d2i_X509.3 i2d_X509_REQ_bio.3
MLINKS+= d2i_X509.3 i2d_X509_REQ_fp.3
MLINKS+= d2i_X509.3 i2d_X509_REVOKED.3
MLINKS+= d2i_X509.3 i2d_X509_SIG.3
MLINKS+= d2i_X509.3 i2d_X509_VAL.3
MLINKS+= d2i_X509.3 i2d_X509_bio.3
MLINKS+= d2i_X509.3 i2d_X509_fp.3
MLINKS+= i2d_re_X509_tbs.3 d2i_X509_AUX.3
MLINKS+= i2d_re_X509_tbs.3 i2d_X509_AUX.3
MLINKS+= i2d_re_X509_tbs.3 i2d_re_X509_CRL_tbs.3
MLINKS+= i2d_re_X509_tbs.3 i2d_re_X509_REQ_tbs.3
MLINKS+= o2i_SCT_LIST.3 i2o_SCT.3
MLINKS+= o2i_SCT_LIST.3 i2o_SCT_LIST.3
MLINKS+= o2i_SCT_LIST.3 o2i_SCT.3
diff --git a/secure/lib/libcrypto/man/man3/OBJ_nid2obj.3 b/secure/lib/libcrypto/man/man3/OBJ_nid2obj.3
index 48e667c5f8f6..f232c519a706 100644
--- a/secure/lib/libcrypto/man/man3/OBJ_nid2obj.3
+++ b/secure/lib/libcrypto/man/man3/OBJ_nid2obj.3
@@ -1,327 +1,328 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OBJ_NID2OBJ 3"
-.TH OBJ_NID2OBJ 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OBJ_NID2OBJ 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
i2t_ASN1_OBJECT, OBJ_length, OBJ_get0_data, OBJ_nid2obj, OBJ_nid2ln, OBJ_nid2sn, OBJ_obj2nid, OBJ_txt2nid, OBJ_ln2nid, OBJ_sn2nid, OBJ_cmp, OBJ_dup, OBJ_txt2obj, OBJ_obj2txt, OBJ_create, OBJ_cleanup \&\- ASN1 object utility functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/objects.h>
\&
\& ASN1_OBJECT *OBJ_nid2obj(int n);
\& const char *OBJ_nid2ln(int n);
\& const char *OBJ_nid2sn(int n);
\&
\& int OBJ_obj2nid(const ASN1_OBJECT *o);
\& int OBJ_ln2nid(const char *ln);
\& int OBJ_sn2nid(const char *sn);
\&
\& int OBJ_txt2nid(const char *s);
\&
\& ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name);
\& int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name);
\&
\& int i2t_ASN1_OBJECT(char *buf, int buf_len, const ASN1_OBJECT *a);
\&
\& int OBJ_cmp(const ASN1_OBJECT *a, const ASN1_OBJECT *b);
\& ASN1_OBJECT *OBJ_dup(const ASN1_OBJECT *o);
\&
\& int OBJ_create(const char *oid, const char *sn, const char *ln);
\&
\& size_t OBJ_length(const ASN1_OBJECT *obj);
\& const unsigned char *OBJ_get0_data(const ASN1_OBJECT *obj);
.Ve
.PP
Deprecated:
.PP
.Vb 3
\& #if OPENSSL_API_COMPAT < 0x10100000L
\& void OBJ_cleanup(void)
\& #endif
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1ASN1\s0 object utility functions process \s-1ASN1_OBJECT\s0 structures which are
a representation of the \s-1ASN1 OBJECT IDENTIFIER\s0 (\s-1OID\s0) type.
For convenience, OIDs are usually represented in source code as numeric
identifiers, or \fI\s-1NID\s0\fRs. OpenSSL has an internal table of OIDs that
are generated when the library is built, and their corresponding NIDs
are available as defined constants. For the functions below, application
code should treat all returned values \*(-- OIDs, NIDs, or names \*(-- as
constants.
.PP
\&\fBOBJ_nid2obj()\fR, \fBOBJ_nid2ln()\fR and \fBOBJ_nid2sn()\fR convert the \s-1NID\s0 \fIn\fR to
an \s-1ASN1_OBJECT\s0 structure, its long name and its short name respectively,
or \fB\s-1NULL\s0\fR if an error occurred.
.PP
\&\fBOBJ_obj2nid()\fR, \fBOBJ_ln2nid()\fR, \fBOBJ_sn2nid()\fR return the corresponding \s-1NID\s0
for the object \fIo\fR, the long name <ln> or the short name <sn> respectively
or NID_undef if an error occurred.
.PP
\&\fBOBJ_txt2nid()\fR returns \s-1NID\s0 corresponding to text string \fIs\fR. \fIs\fR can be
a long name, a short name or the numerical representation of an object.
.PP
\&\fBOBJ_txt2obj()\fR converts the text string \fIs\fR into an \s-1ASN1_OBJECT\s0 structure.
If \fIno_name\fR is 0 then long names and short names will be interpreted
as well as numerical forms. If \fIno_name\fR is 1 only the numerical form
is acceptable.
.PP
-\&\fBOBJ_obj2txt()\fR converts the \fB\s-1ASN1_OBJECT\s0\fR \fBa\fR into a textual representation.
-The representation is written as a null terminated string to \fBbuf\fR
-at most \fBbuf_len\fR bytes are written, truncating the result if necessary.
-The total amount of space required is returned. If \fBno_name\fR is 0 then
-if the object has a long or short name then that will be used, otherwise
-the numerical form will be used. If \fBno_name\fR is 1 then the numerical
-form will always be used.
+\&\fBOBJ_obj2txt()\fR converts the \fB\s-1ASN1_OBJECT\s0\fR \fIa\fR into a textual representation.
+Unless \fIbuf\fR is \s-1NULL,\s0
+the representation is written as a NUL-terminated string to \fIbuf\fR, where
+at most \fIbuf_len\fR bytes are written, truncating the result if necessary.
+In any case it returns the total string length, excluding the \s-1NUL\s0 character,
+required for non-truncated representation, or \-1 on error.
+If \fIno_name\fR is 0 then if the object has a long or short name
+then that will be used, otherwise the numerical form will be used.
+If \fIno_name\fR is 1 then the numerical form will always be used.
.PP
\&\fBi2t_ASN1_OBJECT()\fR is the same as \fBOBJ_obj2txt()\fR with the \fIno_name\fR set to zero.
.PP
\&\fBOBJ_cmp()\fR compares \fIa\fR to \fIb\fR. If the two are identical 0 is returned.
.PP
\&\fBOBJ_dup()\fR returns a copy of \fIo\fR.
.PP
\&\fBOBJ_create()\fR adds a new object to the internal table. \fIoid\fR is the
numerical form of the object, \fIsn\fR the short name and \fIln\fR the
long name. A new \s-1NID\s0 is returned for the created object in case of
success and NID_undef in case of failure.
.PP
\&\fBOBJ_length()\fR returns the size of the content octets of \fIobj\fR.
.PP
\&\fBOBJ_get0_data()\fR returns a pointer to the content octets of \fIobj\fR.
The returned pointer is an internal pointer which \fBmust not\fR be freed.
.PP
\&\fBOBJ_cleanup()\fR releases any resources allocated by creating new objects.
.SH "NOTES"
.IX Header "NOTES"
Objects in OpenSSL can have a short name, a long name and a numerical
identifier (\s-1NID\s0) associated with them. A standard set of objects is
represented in an internal table. The appropriate values are defined
in the header file \fBobjects.h\fR.
.PP
For example the \s-1OID\s0 for commonName has the following definitions:
.PP
.Vb 3
\& #define SN_commonName "CN"
\& #define LN_commonName "commonName"
\& #define NID_commonName 13
.Ve
.PP
New objects can be added by calling \fBOBJ_create()\fR.
.PP
Table objects have certain advantages over other objects: for example
their NIDs can be used in a C language switch statement. They are
also static constant structures which are shared: that is there
is only a single constant structure for each table object.
.PP
Objects which are not in the table have the \s-1NID\s0 value NID_undef.
.PP
Objects do not need to be in the internal tables to be processed,
the functions \fBOBJ_txt2obj()\fR and \fBOBJ_obj2txt()\fR can process the numerical
form of an \s-1OID.\s0
.PP
Some objects are used to represent algorithms which do not have a
corresponding \s-1ASN.1 OBJECT IDENTIFIER\s0 encoding (for example no \s-1OID\s0 currently
exists for a particular algorithm). As a result they \fBcannot\fR be encoded or
decoded as part of \s-1ASN.1\s0 structures. Applications can determine if there
is a corresponding \s-1OBJECT IDENTIFIER\s0 by checking \fBOBJ_length()\fR is not zero.
.PP
These functions cannot return \fBconst\fR because an \fB\s-1ASN1_OBJECT\s0\fR can
represent both an internal, constant, \s-1OID\s0 and a dynamically-created one.
The latter cannot be constant because it needs to be freed after use.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOBJ_nid2obj()\fR returns an \fB\s-1ASN1_OBJECT\s0\fR structure or \fB\s-1NULL\s0\fR is an
error occurred.
.PP
\&\fBOBJ_nid2ln()\fR and \fBOBJ_nid2sn()\fR returns a valid string or \fB\s-1NULL\s0\fR
on error.
.PP
\&\fBOBJ_obj2nid()\fR, \fBOBJ_ln2nid()\fR, \fBOBJ_sn2nid()\fR and \fBOBJ_txt2nid()\fR return
a \s-1NID\s0 or \fBNID_undef\fR on error.
+.PP
+\&\fBOBJ_add_sigid()\fR returns 1 on success or 0 on error.
+.PP
+\&\fBi2t_ASN1_OBJECT()\fR an \fBOBJ_obj2txt()\fR return \-1 on error.
+On success, they return the length of the string written to \fIbuf\fR if \fIbuf\fR is
+not \s-1NULL\s0 and \fIbuf_len\fR is big enough, otherwise the total string length.
+Note that this does not count the trailing \s-1NUL\s0 character.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Create an object for \fBcommonName\fR:
.PP
.Vb 1
\& ASN1_OBJECT *o = OBJ_nid2obj(NID_commonName);
.Ve
.PP
Check if an object is \fBcommonName\fR
.PP
.Vb 2
\& if (OBJ_obj2nid(obj) == NID_commonName)
\& /* Do something */
.Ve
.PP
Create a new \s-1NID\s0 and initialize an object from it:
.PP
.Vb 2
\& int new_nid = OBJ_create("1.2.3.4", "NewOID", "New Object Identifier");
\& ASN1_OBJECT *obj = OBJ_nid2obj(new_nid);
.Ve
.PP
Create a new object directly:
.PP
.Vb 1
\& obj = OBJ_txt2obj("1.2.3.4", 1);
.Ve
-.SH "BUGS"
-.IX Header "BUGS"
-\&\fBOBJ_obj2txt()\fR is awkward and messy to use: it doesn't follow the
-convention of other OpenSSL functions where the buffer can be set
-to \fB\s-1NULL\s0\fR to determine the amount of data that should be written.
-Instead \fBbuf\fR must point to a valid buffer and \fBbuf_len\fR should
-be set to a positive value. A buffer length of 80 should be more
-than enough to handle any \s-1OID\s0 encountered in practice.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBOBJ_cleanup()\fR was deprecated in OpenSSL 1.1.0 by \fBOPENSSL_init_crypto\fR\|(3)
and should not be used.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2002\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OCSP_REQUEST_new.3 b/secure/lib/libcrypto/man/man3/OCSP_REQUEST_new.3
index 1ef6f07d2cc2..48270fca6590 100644
--- a/secure/lib/libcrypto/man/man3/OCSP_REQUEST_new.3
+++ b/secure/lib/libcrypto/man/man3/OCSP_REQUEST_new.3
@@ -1,248 +1,248 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OCSP_REQUEST_NEW 3"
-.TH OCSP_REQUEST_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OCSP_REQUEST_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
OCSP_REQUEST_new, OCSP_REQUEST_free, OCSP_request_add0_id, OCSP_request_sign, OCSP_request_add1_cert, OCSP_request_onereq_count, OCSP_request_onereq_get0 \- OCSP request functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ocsp.h>
\&
\& OCSP_REQUEST *OCSP_REQUEST_new(void);
\& void OCSP_REQUEST_free(OCSP_REQUEST *req);
\&
\& OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid);
\&
\& int OCSP_request_sign(OCSP_REQUEST *req,
\& X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
\& STACK_OF(X509) *certs, unsigned long flags);
\&
\& int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);
\&
\& int OCSP_request_onereq_count(OCSP_REQUEST *req);
\& OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBOCSP_REQUEST_new()\fR allocates and returns an empty \fB\s-1OCSP_REQUEST\s0\fR structure.
.PP
\&\fBOCSP_REQUEST_free()\fR frees up the request structure \fBreq\fR.
.PP
\&\fBOCSP_request_add0_id()\fR adds certificate \s-1ID\s0 \fBcid\fR to \fBreq\fR. It returns
the \fB\s-1OCSP_ONEREQ\s0\fR structure added so an application can add additional
extensions to the request. The \fBid\fR parameter \fB\s-1MUST NOT\s0\fR be freed up after
the operation.
.PP
\&\fBOCSP_request_sign()\fR signs \s-1OCSP\s0 request \fBreq\fR using certificate
\&\fBsigner\fR, private key \fBkey\fR, digest \fBdgst\fR and additional certificates
\&\fBcerts\fR. If the \fBflags\fR option \fB\s-1OCSP_NOCERTS\s0\fR is set then no certificates
will be included in the request.
.PP
\&\fBOCSP_request_add1_cert()\fR adds certificate \fBcert\fR to request \fBreq\fR. The
application is responsible for freeing up \fBcert\fR after use.
.PP
\&\fBOCSP_request_onereq_count()\fR returns the total number of \fB\s-1OCSP_ONEREQ\s0\fR
structures in \fBreq\fR.
.PP
\&\fBOCSP_request_onereq_get0()\fR returns an internal pointer to the \fB\s-1OCSP_ONEREQ\s0\fR
contained in \fBreq\fR of index \fBi\fR. The index value \fBi\fR runs from 0 to
OCSP_request_onereq_count(req) \- 1.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOCSP_REQUEST_new()\fR returns an empty \fB\s-1OCSP_REQUEST\s0\fR structure or \fB\s-1NULL\s0\fR if
an error occurred.
.PP
\&\fBOCSP_request_add0_id()\fR returns the \fB\s-1OCSP_ONEREQ\s0\fR structure containing \fBcid\fR
or \fB\s-1NULL\s0\fR if an error occurred.
.PP
\&\fBOCSP_request_sign()\fR and \fBOCSP_request_add1_cert()\fR return 1 for success and 0
for failure.
.PP
\&\fBOCSP_request_onereq_count()\fR returns the total number of \fB\s-1OCSP_ONEREQ\s0\fR
structures in \fBreq\fR.
.PP
\&\fBOCSP_request_onereq_get0()\fR returns a pointer to an \fB\s-1OCSP_ONEREQ\s0\fR structure
or \fB\s-1NULL\s0\fR if the index value is out or range.
.SH "NOTES"
.IX Header "NOTES"
An \s-1OCSP\s0 request structure contains one or more \fB\s-1OCSP_ONEREQ\s0\fR structures
corresponding to each certificate.
.PP
\&\fBOCSP_request_onereq_count()\fR and \fBOCSP_request_onereq_get0()\fR are mainly used by
\&\s-1OCSP\s0 responders.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Create an \fB\s-1OCSP_REQUEST\s0\fR structure for certificate \fBcert\fR with issuer
\&\fBissuer\fR:
.PP
.Vb 2
\& OCSP_REQUEST *req;
\& OCSP_ID *cid;
\&
\& req = OCSP_REQUEST_new();
\& if (req == NULL)
\& /* error */
\& cid = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
\& if (cid == NULL)
\& /* error */
\&
\& if (OCSP_REQUEST_add0_id(req, cid) == NULL)
\& /* error */
\&
\& /* Do something with req, e.g. query responder */
\&
\& OCSP_REQUEST_free(req);
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7),
\&\fBOCSP_cert_to_id\fR\|(3),
\&\fBOCSP_request_add1_nonce\fR\|(3),
\&\fBOCSP_resp_find_status\fR\|(3),
\&\fBOCSP_response_status\fR\|(3),
\&\fBOCSP_sendreq_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OCSP_cert_to_id.3 b/secure/lib/libcrypto/man/man3/OCSP_cert_to_id.3
index 62e25a50a5c4..c0b0e1e0b02f 100644
--- a/secure/lib/libcrypto/man/man3/OCSP_cert_to_id.3
+++ b/secure/lib/libcrypto/man/man3/OCSP_cert_to_id.3
@@ -1,218 +1,218 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OCSP_CERT_TO_ID 3"
-.TH OCSP_CERT_TO_ID 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OCSP_CERT_TO_ID 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
OCSP_cert_to_id, OCSP_cert_id_new, OCSP_CERTID_free, OCSP_id_issuer_cmp, OCSP_id_cmp, OCSP_id_get0_info \- OCSP certificate ID utility functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ocsp.h>
\&
\& OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst,
\& X509 *subject, X509 *issuer);
\&
\& OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
\& X509_NAME *issuerName,
\& ASN1_BIT_STRING *issuerKey,
\& ASN1_INTEGER *serialNumber);
\&
\& void OCSP_CERTID_free(OCSP_CERTID *id);
\&
\& int OCSP_id_issuer_cmp(const OCSP_CERTID *a, const OCSP_CERTID *b);
\& int OCSP_id_cmp(const OCSP_CERTID *a, const OCSP_CERTID *b);
\&
\& int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
\& ASN1_OCTET_STRING **pikeyHash,
\& ASN1_INTEGER **pserial, OCSP_CERTID *cid);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBOCSP_cert_to_id()\fR creates and returns a new \fB\s-1OCSP_CERTID\s0\fR structure using
message digest \fBdgst\fR for certificate \fBsubject\fR with issuer \fBissuer\fR. If
\&\fBdgst\fR is \fB\s-1NULL\s0\fR then \s-1SHA1\s0 is used.
.PP
\&\fBOCSP_cert_id_new()\fR creates and returns a new \fB\s-1OCSP_CERTID\s0\fR using \fBdgst\fR and
issuer name \fBissuerName\fR, issuer key hash \fBissuerKey\fR and serial number
\&\fBserialNumber\fR.
.PP
\&\fBOCSP_CERTID_free()\fR frees up \fBid\fR.
.PP
\&\fBOCSP_id_cmp()\fR compares \fB\s-1OCSP_CERTID\s0\fR \fBa\fR and \fBb\fR.
.PP
\&\fBOCSP_id_issuer_cmp()\fR compares only the issuer name of \fB\s-1OCSP_CERTID\s0\fR \fBa\fR and \fBb\fR.
.PP
\&\fBOCSP_id_get0_info()\fR returns the issuer name hash, hash \s-1OID,\s0 issuer key hash and
serial number contained in \fBcid\fR. If any of the values are not required the
corresponding parameter can be set to \fB\s-1NULL\s0\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOCSP_cert_to_id()\fR and \fBOCSP_cert_id_new()\fR return either a pointer to a valid
\&\fB\s-1OCSP_CERTID\s0\fR structure or \fB\s-1NULL\s0\fR if an error occurred.
.PP
\&\fBOCSP_id_cmp()\fR and \fBOCSP_id_issuer_cmp()\fR returns zero for a match and nonzero
otherwise.
.PP
\&\fBOCSP_CERTID_free()\fR does not return a value.
.PP
\&\fBOCSP_id_get0_info()\fR returns 1 for success and 0 for failure.
.SH "NOTES"
.IX Header "NOTES"
\&\s-1OCSP\s0 clients will typically only use \fBOCSP_cert_to_id()\fR or \fBOCSP_cert_id_new()\fR:
the other functions are used by responder applications.
.PP
The values returned by \fBOCSP_id_get0_info()\fR are internal pointers and \fB\s-1MUST
NOT\s0\fR be freed up by an application: they will be freed when the corresponding
\&\fB\s-1OCSP_CERTID\s0\fR structure is freed.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7),
\&\fBOCSP_request_add1_nonce\fR\|(3),
\&\fBOCSP_REQUEST_new\fR\|(3),
\&\fBOCSP_resp_find_status\fR\|(3),
\&\fBOCSP_response_status\fR\|(3),
\&\fBOCSP_sendreq_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OCSP_request_add1_nonce.3 b/secure/lib/libcrypto/man/man3/OCSP_request_add1_nonce.3
index b789b8fd70e0..229f82d9a483 100644
--- a/secure/lib/libcrypto/man/man3/OCSP_request_add1_nonce.3
+++ b/secure/lib/libcrypto/man/man3/OCSP_request_add1_nonce.3
@@ -1,215 +1,215 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OCSP_REQUEST_ADD1_NONCE 3"
-.TH OCSP_REQUEST_ADD1_NONCE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OCSP_REQUEST_ADD1_NONCE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
OCSP_request_add1_nonce, OCSP_basic_add1_nonce, OCSP_check_nonce, OCSP_copy_nonce \- OCSP nonce functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ocsp.h>
\&
\& int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len);
\& int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len);
\& int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req);
\& int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *resp);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBOCSP_request_add1_nonce()\fR adds a nonce of value \fBval\fR and length \fBlen\fR to
\&\s-1OCSP\s0 request \fBreq\fR. If \fBval\fR is \fB\s-1NULL\s0\fR a random nonce is used. If \fBlen\fR
is zero or negative a default length will be used (currently 16 bytes).
.PP
\&\fBOCSP_basic_add1_nonce()\fR is identical to \fBOCSP_request_add1_nonce()\fR except
it adds a nonce to \s-1OCSP\s0 basic response \fBresp\fR.
.PP
\&\fBOCSP_check_nonce()\fR compares the nonce value in \fBreq\fR and \fBresp\fR.
.PP
\&\fBOCSP_copy_nonce()\fR copies any nonce value present in \fBreq\fR to \fBresp\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOCSP_request_add1_nonce()\fR and \fBOCSP_basic_add1_nonce()\fR return 1 for success
and 0 for failure.
.PP
\&\fBOCSP_copy_nonce()\fR returns 1 if a nonce was successfully copied, 2 if no nonce
was present in \fBreq\fR and 0 if an error occurred.
.PP
\&\fBOCSP_check_nonce()\fR returns the result of the nonce comparison between \fBreq\fR
and \fBresp\fR. The return value indicates the result of the comparison. If
nonces are present and equal 1 is returned. If the nonces are absent 2 is
returned. If a nonce is present in the response only 3 is returned. If nonces
are present and unequal 0 is returned. If the nonce is present in the request
only then \-1 is returned.
.SH "NOTES"
.IX Header "NOTES"
For most purposes the nonce value in a request is set to a random value so
the \fBval\fR parameter in \fBOCSP_request_add1_nonce()\fR is usually \s-1NULL.\s0
.PP
An \s-1OCSP\s0 nonce is typically added to an \s-1OCSP\s0 request to thwart replay attacks
by checking the same nonce value appears in the response.
.PP
Some responders may include a nonce in all responses even if one is not
supplied.
.PP
Some responders cache \s-1OCSP\s0 responses and do not sign each response for
performance reasons. As a result they do not support nonces.
.PP
The return values of \fBOCSP_check_nonce()\fR can be checked to cover each case. A
positive return value effectively indicates success: nonces are both present
and match, both absent or present in the response only. A nonzero return
additionally covers the case where the nonce is present in the request only:
this will happen if the responder doesn't support nonces. A zero return value
indicates present and mismatched nonces: this should be treated as an error
condition.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7),
\&\fBOCSP_cert_to_id\fR\|(3),
\&\fBOCSP_REQUEST_new\fR\|(3),
\&\fBOCSP_resp_find_status\fR\|(3),
\&\fBOCSP_response_status\fR\|(3),
\&\fBOCSP_sendreq_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OCSP_resp_find_status.3 b/secure/lib/libcrypto/man/man3/OCSP_resp_find_status.3
index 0b15d591bba8..8382c0279807 100644
--- a/secure/lib/libcrypto/man/man3/OCSP_resp_find_status.3
+++ b/secure/lib/libcrypto/man/man3/OCSP_resp_find_status.3
@@ -1,319 +1,319 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OCSP_RESP_FIND_STATUS 3"
-.TH OCSP_RESP_FIND_STATUS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OCSP_RESP_FIND_STATUS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
OCSP_resp_get0_certs, OCSP_resp_get0_signer, OCSP_resp_get0_id, OCSP_resp_get1_id, OCSP_resp_get0_produced_at, OCSP_resp_get0_signature, OCSP_resp_get0_tbs_sigalg, OCSP_resp_get0_respdata, OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find, OCSP_single_get0_status, OCSP_check_validity, OCSP_basic_verify \&\- OCSP response utility functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ocsp.h>
\&
\& int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
\& int *reason,
\& ASN1_GENERALIZEDTIME **revtime,
\& ASN1_GENERALIZEDTIME **thisupd,
\& ASN1_GENERALIZEDTIME **nextupd);
\&
\& int OCSP_resp_count(OCSP_BASICRESP *bs);
\& OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
\& int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
\& int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
\& ASN1_GENERALIZEDTIME **revtime,
\& ASN1_GENERALIZEDTIME **thisupd,
\& ASN1_GENERALIZEDTIME **nextupd);
\&
\& const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
\& const OCSP_BASICRESP* single);
\&
\& const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs);
\& const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs);
\& const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs);
\& const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs);
\&
\& int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
\& STACK_OF(X509) *extra_certs);
\&
\& int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
\& const ASN1_OCTET_STRING **pid,
\& const X509_NAME **pname);
\& int OCSP_resp_get1_id(const OCSP_BASICRESP *bs,
\& ASN1_OCTET_STRING **pid,
\& X509_NAME **pname);
\&
\& int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
\& ASN1_GENERALIZEDTIME *nextupd,
\& long sec, long maxsec);
\&
\& int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
\& X509_STORE *st, unsigned long flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBOCSP_resp_find_status()\fR searches \fBbs\fR for an \s-1OCSP\s0 response for \fBid\fR. If it is
successful the fields of the response are returned in \fB*status\fR, \fB*reason\fR,
\&\fB*revtime\fR, \fB*thisupd\fR and \fB*nextupd\fR. The \fB*status\fR value will be one of
\&\fBV_OCSP_CERTSTATUS_GOOD\fR, \fBV_OCSP_CERTSTATUS_REVOKED\fR or
\&\fBV_OCSP_CERTSTATUS_UNKNOWN\fR. The \fB*reason\fR and \fB*revtime\fR fields are only
set if the status is \fBV_OCSP_CERTSTATUS_REVOKED\fR. If set the \fB*reason\fR field
will be set to the revocation reason which will be one of
\&\fB\s-1OCSP_REVOKED_STATUS_NOSTATUS\s0\fR, \fB\s-1OCSP_REVOKED_STATUS_UNSPECIFIED\s0\fR,
\&\fB\s-1OCSP_REVOKED_STATUS_KEYCOMPROMISE\s0\fR, \fB\s-1OCSP_REVOKED_STATUS_CACOMPROMISE\s0\fR,
\&\fB\s-1OCSP_REVOKED_STATUS_AFFILIATIONCHANGED\s0\fR, \fB\s-1OCSP_REVOKED_STATUS_SUPERSEDED\s0\fR,
\&\fB\s-1OCSP_REVOKED_STATUS_CESSATIONOFOPERATION\s0\fR,
\&\fB\s-1OCSP_REVOKED_STATUS_CERTIFICATEHOLD\s0\fR or \fB\s-1OCSP_REVOKED_STATUS_REMOVEFROMCRL\s0\fR.
.PP
\&\fBOCSP_resp_count()\fR returns the number of \fB\s-1OCSP_SINGLERESP\s0\fR structures in \fBbs\fR.
.PP
\&\fBOCSP_resp_get0()\fR returns the \fB\s-1OCSP_SINGLERESP\s0\fR structure in \fBbs\fR
corresponding to index \fBidx\fR. Where \fBidx\fR runs from 0 to
OCSP_resp_count(bs) \- 1.
.PP
\&\fBOCSP_resp_find()\fR searches \fBbs\fR for \fBid\fR and returns the index of the first
matching entry after \fBlast\fR or starting from the beginning if \fBlast\fR is \-1.
.PP
\&\fBOCSP_single_get0_status()\fR extracts the fields of \fBsingle\fR in \fB*reason\fR,
\&\fB*revtime\fR, \fB*thisupd\fR and \fB*nextupd\fR.
.PP
\&\fBOCSP_resp_get0_produced_at()\fR extracts the \fBproducedAt\fR field from the
single response \fBbs\fR.
.PP
\&\fBOCSP_resp_get0_signature()\fR returns the signature from \fBbs\fR.
.PP
\&\fBOCSP_resp_get0_tbs_sigalg()\fR returns the \fBsignatureAlgorithm\fR from \fBbs\fR.
.PP
\&\fBOCSP_resp_get0_respdata()\fR returns the \fBtbsResponseData\fR from \fBbs\fR.
.PP
\&\fBOCSP_resp_get0_certs()\fR returns any certificates included in \fBbs\fR.
.PP
\&\fBOCSP_resp_get0_signer()\fR attempts to retrieve the certificate that directly
signed \fBbs\fR. The \s-1OCSP\s0 protocol does not require that this certificate
is included in the \fBcerts\fR field of the response, so additional certificates
can be supplied in \fBextra_certs\fR if the certificates that may have
signed the response are known via some out-of-band mechanism.
.PP
\&\fBOCSP_resp_get0_id()\fR gets the responder id of \fBbs\fR. If the responder \s-1ID\s0 is
a name then <*pname> is set to the name and \fB*pid\fR is set to \s-1NULL.\s0 If the
responder \s-1ID\s0 is by key \s-1ID\s0 then \fB*pid\fR is set to the key \s-1ID\s0 and \fB*pname\fR
is set to \s-1NULL.\s0 \fBOCSP_resp_get1_id()\fR leaves ownership of \fB*pid\fR and \fB*pname\fR
with the caller, who is responsible for freeing them. Both functions return 1
in case of success and 0 in case of failure. If \fBOCSP_resp_get1_id()\fR returns 0,
no freeing of the results is necessary.
.PP
\&\fBOCSP_check_validity()\fR checks the validity of \fBthisupd\fR and \fBnextupd\fR values
which will be typically obtained from \fBOCSP_resp_find_status()\fR or
\&\fBOCSP_single_get0_status()\fR. If \fBsec\fR is nonzero it indicates how many seconds
leeway should be allowed in the check. If \fBmaxsec\fR is positive it indicates
the maximum age of \fBthisupd\fR in seconds.
.PP
\&\fBOCSP_basic_verify()\fR checks that the basic response message \fBbs\fR is correctly
signed and that the signer certificate can be validated. It takes \fBst\fR as
the trusted store and \fBcerts\fR as a set of untrusted intermediate certificates.
The function first tries to find the signer certificate of the response
in <certs>. It also searches the certificates the responder may have included
in \fBbs\fR unless the \fBflags\fR contain \fB\s-1OCSP_NOINTERN\s0\fR.
It fails if the signer certificate cannot be found.
Next, the function checks the signature of \fBbs\fR and fails on error
unless the \fBflags\fR contain \fB\s-1OCSP_NOSIGS\s0\fR. Then the function already returns
success if the \fBflags\fR contain \fB\s-1OCSP_NOVERIFY\s0\fR or if the signer certificate
was found in \fBcerts\fR and the \fBflags\fR contain \fB\s-1OCSP_TRUSTOTHER\s0\fR.
Otherwise the function continues by validating the signer certificate.
To this end, all certificates in \fBcert\fR and in \fBbs\fR are considered as
untrusted certificates for the construction of the validation path for the
signer certificate unless the \fB\s-1OCSP_NOCHAIN\s0\fR flag is set. After successful path
validation the function returns success if the \fB\s-1OCSP_NOCHECKS\s0\fR flag is set.
Otherwise it verifies that the signer certificate meets the \s-1OCSP\s0 issuer
criteria including potential delegation. If this does not succeed and the
\&\fBflags\fR do not contain \fB\s-1OCSP_NOEXPLICIT\s0\fR the function checks for explicit
trust for \s-1OCSP\s0 signing in the root \s-1CA\s0 certificate.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOCSP_resp_find_status()\fR returns 1 if \fBid\fR is found in \fBbs\fR and 0 otherwise.
.PP
\&\fBOCSP_resp_count()\fR returns the total number of \fB\s-1OCSP_SINGLERESP\s0\fR fields in
\&\fBbs\fR.
.PP
\&\fBOCSP_resp_get0()\fR returns a pointer to an \fB\s-1OCSP_SINGLERESP\s0\fR structure or
\&\fB\s-1NULL\s0\fR if \fBidx\fR is out of range.
.PP
\&\fBOCSP_resp_find()\fR returns the index of \fBid\fR in \fBbs\fR (which may be 0) or \-1 if
\&\fBid\fR was not found.
.PP
\&\fBOCSP_single_get0_status()\fR returns the status of \fBsingle\fR or \-1 if an error
occurred.
.PP
\&\fBOCSP_resp_get0_signer()\fR returns 1 if the signing certificate was located,
or 0 on error.
.PP
\&\fBOCSP_basic_verify()\fR returns 1 on success, 0 on error, or \-1 on fatal error such
as malloc failure.
.SH "NOTES"
.IX Header "NOTES"
Applications will typically call \fBOCSP_resp_find_status()\fR using the certificate
\&\s-1ID\s0 of interest and then check its validity using \fBOCSP_check_validity()\fR. They
can then take appropriate action based on the status of the certificate.
.PP
An \s-1OCSP\s0 response for a certificate contains \fBthisUpdate\fR and \fBnextUpdate\fR
fields. Normally the current time should be between these two values. To
account for clock skew the \fBmaxsec\fR field can be set to nonzero in
\&\fBOCSP_check_validity()\fR. Some responders do not set the \fBnextUpdate\fR field, this
would otherwise mean an ancient response would be considered valid: the
\&\fBmaxsec\fR parameter to \fBOCSP_check_validity()\fR can be used to limit the permitted
age of responses.
.PP
The values written to \fB*revtime\fR, \fB*thisupd\fR and \fB*nextupd\fR by
\&\fBOCSP_resp_find_status()\fR and \fBOCSP_single_get0_status()\fR are internal pointers
which \fB\s-1MUST NOT\s0\fR be freed up by the calling application. Any or all of these
parameters can be set to \s-1NULL\s0 if their value is not required.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7),
\&\fBOCSP_cert_to_id\fR\|(3),
\&\fBOCSP_request_add1_nonce\fR\|(3),
\&\fBOCSP_REQUEST_new\fR\|(3),
\&\fBOCSP_response_status\fR\|(3),
\&\fBOCSP_sendreq_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OCSP_response_status.3 b/secure/lib/libcrypto/man/man3/OCSP_response_status.3
index 4e3ab24a9632..b77cb4bc2f4f 100644
--- a/secure/lib/libcrypto/man/man3/OCSP_response_status.3
+++ b/secure/lib/libcrypto/man/man3/OCSP_response_status.3
@@ -1,244 +1,244 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OCSP_RESPONSE_STATUS 3"
-.TH OCSP_RESPONSE_STATUS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OCSP_RESPONSE_STATUS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
OCSP_response_status, OCSP_response_get1_basic, OCSP_response_create, OCSP_RESPONSE_free, OCSP_RESPID_set_by_name, OCSP_RESPID_set_by_key, OCSP_RESPID_match, OCSP_basic_sign, OCSP_basic_sign_ctx \- OCSP response functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ocsp.h>
\&
\& int OCSP_response_status(OCSP_RESPONSE *resp);
\& OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
\& OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
\& void OCSP_RESPONSE_free(OCSP_RESPONSE *resp);
\&
\& int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert);
\& int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert);
\& int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert);
\&
\& int OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key,
\& const EVP_MD *dgst, STACK_OF(X509) *certs,
\& unsigned long flags);
\& int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp, X509 *signer, EVP_MD_CTX *ctx,
\& STACK_OF(X509) *certs, unsigned long flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBOCSP_response_status()\fR returns the \s-1OCSP\s0 response status of \fBresp\fR. It returns
one of the values: \fB\s-1OCSP_RESPONSE_STATUS_SUCCESSFUL\s0\fR,
\&\fB\s-1OCSP_RESPONSE_STATUS_MALFORMEDREQUEST\s0\fR,
\&\fB\s-1OCSP_RESPONSE_STATUS_INTERNALERROR\s0\fR, \fB\s-1OCSP_RESPONSE_STATUS_TRYLATER\s0\fR
\&\fB\s-1OCSP_RESPONSE_STATUS_SIGREQUIRED\s0\fR, or \fB\s-1OCSP_RESPONSE_STATUS_UNAUTHORIZED\s0\fR.
.PP
\&\fBOCSP_response_get1_basic()\fR decodes and returns the \fB\s-1OCSP_BASICRESP\s0\fR structure
contained in \fBresp\fR.
.PP
\&\fBOCSP_response_create()\fR creates and returns an \fB\s-1OCSP_RESPONSE\s0\fR structure for
\&\fBstatus\fR and optionally including basic response \fBbs\fR.
.PP
\&\fBOCSP_RESPONSE_free()\fR frees up \s-1OCSP\s0 response \fBresp\fR.
.PP
\&\fBOCSP_RESPID_set_by_name()\fR sets the name of the \s-1OCSP_RESPID\s0 to be the same as the
subject name in the supplied X509 certificate \fBcert\fR for the \s-1OCSP\s0 responder.
.PP
\&\fBOCSP_RESPID_set_by_key()\fR sets the key of the \s-1OCSP_RESPID\s0 to be the same as the
key in the supplied X509 certificate \fBcert\fR for the \s-1OCSP\s0 responder. The key is
stored as a \s-1SHA1\s0 hash.
.PP
Note that an \s-1OCSP_RESPID\s0 can only have one of the name, or the key set. Calling
\&\fBOCSP_RESPID_set_by_name()\fR or \fBOCSP_RESPID_set_by_key()\fR will clear any existing
setting.
.PP
\&\fBOCSP_RESPID_match()\fR tests whether the \s-1OCSP_RESPID\s0 given in \fBrespid\fR matches
with the X509 certificate \fBcert\fR.
.PP
\&\fBOCSP_basic_sign()\fR signs \s-1OCSP\s0 response \fBbrsp\fR using certificate \fBsigner\fR, private key
\&\fBkey\fR, digest \fBdgst\fR and additional certificates \fBcerts\fR. If the \fBflags\fR option
\&\fB\s-1OCSP_NOCERTS\s0\fR is set then no certificates will be included in the response. If the
\&\fBflags\fR option \fB\s-1OCSP_RESPID_KEY\s0\fR is set then the responder is identified by key \s-1ID\s0
rather than by name. \fBOCSP_basic_sign_ctx()\fR also signs \s-1OCSP\s0 response \fBbrsp\fR but
uses the parameters contained in digest context \fBctx\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOCSP_RESPONSE_status()\fR returns a status value.
.PP
\&\fBOCSP_response_get1_basic()\fR returns an \fB\s-1OCSP_BASICRESP\s0\fR structure pointer or
\&\fB\s-1NULL\s0\fR if an error occurred.
.PP
\&\fBOCSP_response_create()\fR returns an \fB\s-1OCSP_RESPONSE\s0\fR structure pointer or \fB\s-1NULL\s0\fR
if an error occurred.
.PP
\&\fBOCSP_RESPONSE_free()\fR does not return a value.
.PP
\&\fBOCSP_RESPID_set_by_name()\fR, \fBOCSP_RESPID_set_by_key()\fR, \fBOCSP_basic_sign()\fR, and
\&\fBOCSP_basic_sign_ctx()\fR return 1 on success or 0
on failure.
.PP
\&\fBOCSP_RESPID_match()\fR returns 1 if the \s-1OCSP_RESPID\s0 and the X509 certificate match
or 0 otherwise.
.SH "NOTES"
.IX Header "NOTES"
\&\fBOCSP_response_get1_basic()\fR is only called if the status of a response is
\&\fB\s-1OCSP_RESPONSE_STATUS_SUCCESSFUL\s0\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7)
\&\fBOCSP_cert_to_id\fR\|(3)
\&\fBOCSP_request_add1_nonce\fR\|(3)
\&\fBOCSP_REQUEST_new\fR\|(3)
\&\fBOCSP_resp_find_status\fR\|(3)
\&\fBOCSP_sendreq_new\fR\|(3)
\&\fBOCSP_RESPID_new\fR\|(3)
\&\fBOCSP_RESPID_free\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBOCSP_RESPID_set_by_name()\fR, \fBOCSP_RESPID_set_by_key()\fR and \fBOCSP_RESPID_match()\fR
functions were added in OpenSSL 1.1.0a.
.PP
The \fBOCSP_basic_sign_ctx()\fR function was added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OCSP_sendreq_new.3 b/secure/lib/libcrypto/man/man3/OCSP_sendreq_new.3
index cc3551876e0f..fc93bc2dcaa3 100644
--- a/secure/lib/libcrypto/man/man3/OCSP_sendreq_new.3
+++ b/secure/lib/libcrypto/man/man3/OCSP_sendreq_new.3
@@ -1,266 +1,266 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OCSP_SENDREQ_NEW 3"
-.TH OCSP_SENDREQ_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OCSP_SENDREQ_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
OCSP_sendreq_new, OCSP_sendreq_nbio, OCSP_REQ_CTX_free, OCSP_set_max_response_length, OCSP_REQ_CTX_add1_header, OCSP_REQ_CTX_set1_req, OCSP_sendreq_bio, OCSP_REQ_CTX_i2d \&\- OCSP responder query functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ocsp.h>
\&
\& OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, OCSP_REQUEST *req,
\& int maxline);
\&
\& int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx);
\&
\& void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);
\&
\& void OCSP_set_max_response_length(OCSP_REQ_CTX *rctx, unsigned long len);
\&
\& int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx,
\& const char *name, const char *value);
\&
\& int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req);
\&
\& OCSP_RESPONSE *OCSP_sendreq_bio(BIO *io, const char *path, OCSP_REQUEST *req);
\&
\& int OCSP_REQ_CTX_i2d(OCSP_REQ_CTX *rctx, const char *content_type,
\& const ASN1_ITEM *it, ASN1_VALUE *req);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The function \fBOCSP_sendreq_new()\fR returns an \fB\s-1OCSP_CTX\s0\fR structure using the
responder \fBio\fR, the \s-1URL\s0 path \fBpath\fR, the \s-1OCSP\s0 request \fBreq\fR and with a
response header maximum line length of \fBmaxline\fR. If \fBmaxline\fR is zero a
default value of 4k is used. The \s-1OCSP\s0 request \fBreq\fR may be set to \fB\s-1NULL\s0\fR
and provided later if required.
.PP
\&\fBOCSP_sendreq_nbio()\fR performs nonblocking I/O on the \s-1OCSP\s0 request context
\&\fBrctx\fR. When the operation is complete it returns the response in \fB*presp\fR.
.PP
\&\fBOCSP_REQ_CTX_free()\fR frees up the \s-1OCSP\s0 context \fBrctx\fR.
.PP
\&\fBOCSP_set_max_response_length()\fR sets the maximum response length for \fBrctx\fR
to \fBlen\fR. If the response exceeds this length an error occurs. If not
set a default value of 100k is used.
.PP
\&\fBOCSP_REQ_CTX_add1_header()\fR adds header \fBname\fR with value \fBvalue\fR to the
context \fBrctx\fR. It can be called more than once to add multiple headers.
It \fB\s-1MUST\s0\fR be called before any calls to \fBOCSP_sendreq_nbio()\fR. The \fBreq\fR
parameter in the initial to \fBOCSP_sendreq_new()\fR call \s-1MUST\s0 be set to \fB\s-1NULL\s0\fR if
additional headers are set.
.PP
\&\fBOCSP_REQ_CTX_set1_req()\fR sets the \s-1OCSP\s0 request in \fBrctx\fR to \fBreq\fR. This
function should be called after any calls to \fBOCSP_REQ_CTX_add1_header()\fR.
OCSP_REQ_CTX_set1_req(rctx, req) is equivalent to the following:
.PP
.Vb 2
\& OCSP_REQ_CTX_i2d(rctx, "application/ocsp\-request",
\& ASN1_ITEM_rptr(OCSP_REQUEST), (ASN1_VALUE *)req)
.Ve
.PP
\&\fBOCSP_REQ_CTX_i2d()\fR sets the request context \fBrctx\fR to have the request
\&\fBreq\fR, which has the \s-1ASN.1\s0 type \fBit\fR.
The \fBcontent_type\fR, if not \s-1NULL,\s0 will be included in the \s-1HTTP\s0 request.
The function should be called after all other headers have already been added.
.PP
\&\fBOCSP_sendreq_bio()\fR performs an \s-1OCSP\s0 request using the responder \fBio\fR, the \s-1URL\s0
path \fBpath\fR, and the \s-1OCSP\s0 request \fBreq\fR with a response header maximum line
length 4k. It waits indefinitely on a response.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOCSP_sendreq_new()\fR returns a valid \fB\s-1OCSP_REQ_CTX\s0\fR structure or \fB\s-1NULL\s0\fR if
an error occurred.
.PP
\&\fBOCSP_sendreq_nbio()\fR returns \fB1\fR if the operation was completed successfully,
\&\fB\-1\fR if the operation should be retried and \fB0\fR if an error occurred.
.PP
\&\fBOCSP_REQ_CTX_add1_header()\fR, \fBOCSP_REQ_CTX_set1_req()\fR, and \fBOCSP_REQ_CTX_i2d()\fR
return \fB1\fR for success and \fB0\fR for failure.
.PP
\&\fBOCSP_sendreq_bio()\fR returns the \fB\s-1OCSP_RESPONSE\s0\fR structure sent by the
responder or \fB\s-1NULL\s0\fR if an error occurred.
.PP
\&\fBOCSP_REQ_CTX_free()\fR and \fBOCSP_set_max_response_length()\fR do not return values.
.SH "NOTES"
.IX Header "NOTES"
These functions only perform a minimal \s-1HTTP\s0 query to a responder. If an
application wishes to support more advanced features it should use an
alternative more complete \s-1HTTP\s0 library.
.PP
Currently only \s-1HTTP POST\s0 queries to responders are supported.
.PP
The arguments to \fBOCSP_sendreq_new()\fR correspond to the components of the \s-1URL.\s0
For example if the responder \s-1URL\s0 is \fBhttp://ocsp.com/ocspreq\fR the \s-1BIO\s0
\&\fBio\fR should be connected to host \fBocsp.com\fR on port 80 and \fBpath\fR
should be set to \fB\*(L"/ocspreq\*(R"\fR
.PP
The headers added with \fBOCSP_REQ_CTX_add1_header()\fR are of the form
"\fBname\fR: \fBvalue\fR\*(L" or just \*(R"\fBname\fR" if \fBvalue\fR is \fB\s-1NULL\s0\fR. So to add
a Host header for \fBocsp.com\fR you would call:
.PP
.Vb 1
\& OCSP_REQ_CTX_add1_header(ctx, "Host", "ocsp.com");
.Ve
.PP
If \fBOCSP_sendreq_nbio()\fR indicates an operation should be retried the
corresponding \s-1BIO\s0 can be examined to determine which operation (read or
write) should be retried and appropriate action taken (for example a \fBselect()\fR
call on the underlying socket).
.PP
\&\fBOCSP_sendreq_bio()\fR does not support retries and so cannot handle nonblocking
I/O efficiently. It is retained for compatibility and its use in new
applications is not recommended.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7),
\&\fBOCSP_cert_to_id\fR\|(3),
\&\fBOCSP_request_add1_nonce\fR\|(3),
\&\fBOCSP_REQUEST_new\fR\|(3),
\&\fBOCSP_resp_find_status\fR\|(3),
\&\fBOCSP_response_status\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_Applink.3 b/secure/lib/libcrypto/man/man3/OPENSSL_Applink.3
index f25d3b071a72..f45eddcefb5f 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_Applink.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_Applink.3
@@ -1,168 +1,168 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_APPLINK 3"
-.TH OPENSSL_APPLINK 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OPENSSL_APPLINK 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
OPENSSL_Applink \- glue between OpenSSL BIO and Win32 compiler run\-time
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& _\|_declspec(dllexport) void **OPENSSL_Applink();
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
OPENSSL_Applink is application-side interface which provides a glue
between OpenSSL \s-1BIO\s0 layer and Win32 compiler run-time environment.
Even though it appears at application side, it's essentially OpenSSL
private interface. For this reason application developers are not
expected to implement it, but to compile provided module with
compiler of their choice and link it into the target application.
The referred module is available as \fIapplink.c\fR, located alongside
the public header files (only on the platforms where applicable).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Not available.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2004\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_LH_COMPFUNC.3 b/secure/lib/libcrypto/man/man3/OPENSSL_LH_COMPFUNC.3
index a4b43bff792a..454a419b0060 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_LH_COMPFUNC.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_LH_COMPFUNC.3
@@ -1,369 +1,369 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_LH_COMPFUNC 3"
-.TH OPENSSL_LH_COMPFUNC 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OPENSSL_LH_COMPFUNC 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
LHASH, DECLARE_LHASH_OF, OPENSSL_LH_COMPFUNC, OPENSSL_LH_HASHFUNC, OPENSSL_LH_DOALL_FUNC, LHASH_DOALL_ARG_FN_TYPE, IMPLEMENT_LHASH_HASH_FN, IMPLEMENT_LHASH_COMP_FN, lh_TYPE_new, lh_TYPE_free, lh_TYPE_insert, lh_TYPE_delete, lh_TYPE_retrieve, lh_TYPE_doall, lh_TYPE_doall_arg, lh_TYPE_error \- dynamic hash table
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/lhash.h>
\&
\& DECLARE_LHASH_OF(TYPE);
\&
\& LHASH *lh_TYPE_new(OPENSSL_LH_HASHFUNC hash, OPENSSL_LH_COMPFUNC compare);
\& void lh_TYPE_free(LHASH_OF(TYPE) *table);
\&
\& TYPE *lh_TYPE_insert(LHASH_OF(TYPE) *table, TYPE *data);
\& TYPE *lh_TYPE_delete(LHASH_OF(TYPE) *table, TYPE *data);
\& TYPE *lh_retrieve(LHASH_OF(TYPE) *table, TYPE *data);
\&
\& void lh_TYPE_doall(LHASH_OF(TYPE) *table, OPENSSL_LH_DOALL_FUNC func);
\& void lh_TYPE_doall_arg(LHASH_OF(TYPE) *table, OPENSSL_LH_DOALL_FUNCARG func,
\& TYPE *arg);
\&
\& int lh_TYPE_error(LHASH_OF(TYPE) *table);
\&
\& typedef int (*OPENSSL_LH_COMPFUNC)(const void *, const void *);
\& typedef unsigned long (*OPENSSL_LH_HASHFUNC)(const void *);
\& typedef void (*OPENSSL_LH_DOALL_FUNC)(const void *);
\& typedef void (*LHASH_DOALL_ARG_FN_TYPE)(const void *, const void *);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This library implements type-checked dynamic hash tables. The hash
table entries can be arbitrary structures. Usually they consist of key
and value fields. In the description here, \fI\s-1TYPE\s0\fR is used a placeholder
for any of the OpenSSL datatypes, such as \fI\s-1SSL_SESSION\s0\fR.
.PP
\&\fBlh_TYPE_new()\fR creates a new \fB\s-1LHASH_OF\s0(\s-1TYPE\s0)\fR structure to store
arbitrary data entries, and specifies the 'hash' and 'compare'
callbacks to be used in organising the table's entries. The \fBhash\fR
callback takes a pointer to a table entry as its argument and returns
an unsigned long hash value for its key field. The hash value is
normally truncated to a power of 2, so make sure that your hash
function returns well mixed low order bits. The \fBcompare\fR callback
takes two arguments (pointers to two hash table entries), and returns
0 if their keys are equal, nonzero otherwise.
.PP
If your hash table
will contain items of some particular type and the \fBhash\fR and
\&\fBcompare\fR callbacks hash/compare these types, then the
\&\fB\s-1IMPLEMENT_LHASH_HASH_FN\s0\fR and \fB\s-1IMPLEMENT_LHASH_COMP_FN\s0\fR macros can be
used to create callback wrappers of the prototypes required by
\&\fBlh_TYPE_new()\fR as shown in this example:
.PP
.Vb 11
\& /*
\& * Implement the hash and compare functions; "stuff" can be any word.
\& */
\& static unsigned long stuff_hash(const TYPE *a)
\& {
\& ...
\& }
\& static int stuff_cmp(const TYPE *a, const TYPE *b)
\& {
\& ...
\& }
\&
\& /*
\& * Implement the wrapper functions.
\& */
\& static IMPLEMENT_LHASH_HASH_FN(stuff, TYPE)
\& static IMPLEMENT_LHASH_COMP_FN(stuff, TYPE)
.Ve
.PP
If the type is going to be used in several places, the following macros
can be used in a common header file to declare the function wrappers:
.PP
.Vb 2
\& DECLARE_LHASH_HASH_FN(stuff, TYPE)
\& DECLARE_LHASH_COMP_FN(stuff, TYPE)
.Ve
.PP
Then a hash table of \s-1TYPE\s0 objects can be created using this:
.PP
.Vb 1
\& LHASH_OF(TYPE) *htable;
\&
\& htable = lh_TYPE_new(LHASH_HASH_FN(stuff), LHASH_COMP_FN(stuff));
.Ve
.PP
\&\fBlh_TYPE_free()\fR frees the \fB\s-1LHASH_OF\s0(\s-1TYPE\s0)\fR structure
\&\fBtable\fR. Allocated hash table entries will not be freed; consider
using \fBlh_TYPE_doall()\fR to deallocate any remaining entries in the
hash table (see below).
.PP
\&\fBlh_TYPE_insert()\fR inserts the structure pointed to by \fBdata\fR into
\&\fBtable\fR. If there already is an entry with the same key, the old
value is replaced. Note that \fBlh_TYPE_insert()\fR stores pointers, the
data are not copied.
.PP
\&\fBlh_TYPE_delete()\fR deletes an entry from \fBtable\fR.
.PP
\&\fBlh_TYPE_retrieve()\fR looks up an entry in \fBtable\fR. Normally, \fBdata\fR
is a structure with the key field(s) set; the function will return a
pointer to a fully populated structure.
.PP
\&\fBlh_TYPE_doall()\fR will, for every entry in the hash table, call
\&\fBfunc\fR with the data item as its parameter.
For example:
.PP
.Vb 2
\& /* Cleans up resources belonging to \*(Aqa\*(Aq (this is implemented elsewhere) */
\& void TYPE_cleanup_doall(TYPE *a);
\&
\& /* Implement a prototype\-compatible wrapper for "TYPE_cleanup" */
\& IMPLEMENT_LHASH_DOALL_FN(TYPE_cleanup, TYPE)
\&
\& /* Call "TYPE_cleanup" against all items in a hash table. */
\& lh_TYPE_doall(hashtable, LHASH_DOALL_FN(TYPE_cleanup));
\&
\& /* Then the hash table itself can be deallocated */
\& lh_TYPE_free(hashtable);
.Ve
.PP
When doing this, be careful if you delete entries from the hash table
in your callbacks: the table may decrease in size, moving the item
that you are currently on down lower in the hash table \- this could
cause some entries to be skipped during the iteration. The second
best solution to this problem is to set hash\->down_load=0 before
you start (which will stop the hash table ever decreasing in size).
The best solution is probably to avoid deleting items from the hash
table inside a \*(L"doall\*(R" callback!
.PP
\&\fBlh_TYPE_doall_arg()\fR is the same as \fBlh_TYPE_doall()\fR except that
\&\fBfunc\fR will be called with \fBarg\fR as the second argument and \fBfunc\fR
should be of type \fB\s-1LHASH_DOALL_ARG_FN_TYPE\s0\fR (a callback prototype
that is passed both the table entry and an extra argument). As with
\&\fBlh_doall()\fR, you can instead choose to declare your callback with a
prototype matching the types you are dealing with and use the
declare/implement macros to create compatible wrappers that cast
variables before calling your type-specific callbacks. An example of
this is demonstrated here (printing all hash table entries to a \s-1BIO\s0
that is provided by the caller):
.PP
.Vb 2
\& /* Prints item \*(Aqa\*(Aq to \*(Aqoutput_bio\*(Aq (this is implemented elsewhere) */
\& void TYPE_print_doall_arg(const TYPE *a, BIO *output_bio);
\&
\& /* Implement a prototype\-compatible wrapper for "TYPE_print" */
\& static IMPLEMENT_LHASH_DOALL_ARG_FN(TYPE, const TYPE, BIO)
\&
\& /* Print out the entire hashtable to a particular BIO */
\& lh_TYPE_doall_arg(hashtable, LHASH_DOALL_ARG_FN(TYPE_print), BIO,
\& logging_bio);
.Ve
.PP
\&\fBlh_TYPE_error()\fR can be used to determine if an error occurred in the last
operation.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBlh_TYPE_new()\fR returns \fB\s-1NULL\s0\fR on error, otherwise a pointer to the new
\&\fB\s-1LHASH\s0\fR structure.
.PP
When a hash table entry is replaced, \fBlh_TYPE_insert()\fR returns the value
being replaced. \fB\s-1NULL\s0\fR is returned on normal operation and on error.
.PP
\&\fBlh_TYPE_delete()\fR returns the entry being deleted. \fB\s-1NULL\s0\fR is returned if
there is no such value in the hash table.
.PP
\&\fBlh_TYPE_retrieve()\fR returns the hash table entry if it has been found,
\&\fB\s-1NULL\s0\fR otherwise.
.PP
\&\fBlh_TYPE_error()\fR returns 1 if an error occurred in the last operation, 0
otherwise. It's meaningful only after non-retrieve operations.
.PP
\&\fBlh_TYPE_free()\fR, \fBlh_TYPE_doall()\fR and \fBlh_TYPE_doall_arg()\fR return no values.
.SH "NOTE"
.IX Header "NOTE"
The \s-1LHASH\s0 code is not thread safe. All updating operations, as well as
lh_TYPE_error call must be performed under a write lock. All retrieve
operations should be performed under a read lock, \fIunless\fR accurate
usage statistics are desired. In which case, a write lock should be used
for retrieve operations as well. For output of the usage statistics,
using the functions from \fBOPENSSL_LH_stats\fR\|(3), a read lock suffices.
.PP
The \s-1LHASH\s0 code regards table entries as constant data. As such, it
internally represents \fBlh_insert()\fR'd items with a \*(L"const void *\*(R"
pointer type. This is why callbacks such as those used by \fBlh_doall()\fR
and \fBlh_doall_arg()\fR declare their prototypes with \*(L"const\*(R", even for the
parameters that pass back the table items' data pointers \- for
consistency, user-provided data is \*(L"const\*(R" at all times as far as the
\&\s-1LHASH\s0 code is concerned. However, as callers are themselves providing
these pointers, they can choose whether they too should be treating
all such parameters as constant.
.PP
As an example, a hash table may be maintained by code that, for
reasons of encapsulation, has only \*(L"const\*(R" access to the data being
indexed in the hash table (i.e. it is returned as \*(L"const\*(R" from
elsewhere in their code) \- in this case the \s-1LHASH\s0 prototypes are
appropriate as-is. Conversely, if the caller is responsible for the
life-time of the data in question, then they may well wish to make
modifications to table item passed back in the \fBlh_doall()\fR or
\&\fBlh_doall_arg()\fR callbacks (see the \*(L"TYPE_cleanup\*(R" example above). If
so, the caller can either cast the \*(L"const\*(R" away (if they're providing
the raw callbacks themselves) or use the macros to declare/implement
the wrapper functions without \*(L"const\*(R" types.
.PP
Callers that only have \*(L"const\*(R" access to data they're indexing in a
table, yet declare callbacks without constant types (or cast the
\&\*(L"const\*(R" away themselves), are therefore creating their own risks/bugs
without being encouraged to do so by the \s-1API.\s0 On a related note,
those auditing code should pay special attention to any instances of
DECLARE/IMPLEMENT_LHASH_DOALL_[\s-1ARG_\s0]_FN macros that provide types
without any \*(L"const\*(R" qualifiers.
.SH "BUGS"
.IX Header "BUGS"
\&\fBlh_TYPE_insert()\fR returns \fB\s-1NULL\s0\fR both for success and error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBOPENSSL_LH_stats\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
In OpenSSL 1.0.0, the lhash interface was revamped for better
type checking.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_LH_stats.3 b/secure/lib/libcrypto/man/man3/OPENSSL_LH_stats.3
index 923c773e5d80..3ed4a1914392 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_LH_stats.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_LH_stats.3
@@ -1,197 +1,197 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_LH_STATS 3"
-.TH OPENSSL_LH_STATS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OPENSSL_LH_STATS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
OPENSSL_LH_stats, OPENSSL_LH_node_stats, OPENSSL_LH_node_usage_stats, OPENSSL_LH_stats_bio, OPENSSL_LH_node_stats_bio, OPENSSL_LH_node_usage_stats_bio \- LHASH statistics
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/lhash.h>
\&
\& void OPENSSL_LH_stats(LHASH *table, FILE *out);
\& void OPENSSL_LH_node_stats(LHASH *table, FILE *out);
\& void OPENSSL_LH_node_usage_stats(LHASH *table, FILE *out);
\&
\& void OPENSSL_LH_stats_bio(LHASH *table, BIO *out);
\& void OPENSSL_LH_node_stats_bio(LHASH *table, BIO *out);
\& void OPENSSL_LH_node_usage_stats_bio(LHASH *table, BIO *out);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fB\s-1LHASH\s0\fR structure records statistics about most aspects of
accessing the hash table.
.PP
\&\fBOPENSSL_LH_stats()\fR prints out statistics on the size of the hash table, how
many entries are in it, and the number and result of calls to the
routines in this library.
.PP
\&\fBOPENSSL_LH_node_stats()\fR prints the number of entries for each 'bucket' in the
hash table.
.PP
\&\fBOPENSSL_LH_node_usage_stats()\fR prints out a short summary of the state of the
hash table. It prints the 'load' and the 'actual load'. The load is
the average number of data items per 'bucket' in the hash table. The
\&'actual load' is the average number of items per 'bucket', but only
for buckets which contain entries. So the 'actual load' is the
average number of searches that will need to find an item in the hash
table, while the 'load' is the average number that will be done to
record a miss.
.PP
\&\fBOPENSSL_LH_stats_bio()\fR, \fBOPENSSL_LH_node_stats_bio()\fR and \fBOPENSSL_LH_node_usage_stats_bio()\fR
are the same as the above, except that the output goes to a \fB\s-1BIO\s0\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions do not return values.
.SH "NOTE"
.IX Header "NOTE"
These calls should be made under a read lock. Refer to
\&\*(L"\s-1NOTE\*(R"\s0 in \s-1\fBOPENSSL_LH_COMPFUNC\s0\fR\|(3) for more details about the locks required
when using the \s-1LHASH\s0 data structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBbio\fR\|(7), \s-1\fBOPENSSL_LH_COMPFUNC\s0\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_VERSION_NUMBER.3 b/secure/lib/libcrypto/man/man3/OPENSSL_VERSION_NUMBER.3
index 7eb8cdf99231..deb917091265 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_VERSION_NUMBER.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_VERSION_NUMBER.3
@@ -1,242 +1,242 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_VERSION_NUMBER 3"
-.TH OPENSSL_VERSION_NUMBER 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OPENSSL_VERSION_NUMBER 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT, OpenSSL_version, OpenSSL_version_num \- get OpenSSL version number
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 3
\& #include <openssl/opensslv.h>
\& #define OPENSSL_VERSION_NUMBER 0xnnnnnnnnnL
\& #define OPENSSL_VERSION_TEXT "OpenSSL x.y.z xx XXX xxxx"
\&
\& #include <openssl/crypto.h>
\&
\& unsigned long OpenSSL_version_num();
\& const char *OpenSSL_version(int t);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\s-1OPENSSL_VERSION_NUMBER\s0 is a numeric release version identifier:
.PP
.Vb 1
\& MNNFFPPS: major minor fix patch status
.Ve
.PP
The status nibble has one of the values 0 for development, 1 to e for betas
1 to 14, and f for release.
.PP
for example
.PP
.Vb 3
\& 0x000906000 == 0.9.6 dev
\& 0x000906023 == 0.9.6b beta 3
\& 0x00090605f == 0.9.6e release
.Ve
.PP
Versions prior to 0.9.3 have identifiers < 0x0930.
Versions between 0.9.3 and 0.9.5 had a version identifier with this
interpretation:
.PP
.Vb 1
\& MMNNFFRBB major minor fix final beta/patch
.Ve
.PP
for example
.PP
.Vb 2
\& 0x000904100 == 0.9.4 release
\& 0x000905000 == 0.9.5 dev
.Ve
.PP
Version 0.9.5a had an interim interpretation that is like the current one,
except the patch level got the highest bit set, to keep continuity. The
number was therefore 0x0090581f.
.PP
\&\s-1OPENSSL_VERSION_TEXT\s0 is the text variant of the version number and the
release date. For example,
\&\*(L"OpenSSL 1.0.1a 15 Oct 2015\*(R".
.PP
\&\fBOpenSSL_version_num()\fR returns the version number.
.PP
\&\fBOpenSSL_version()\fR returns different strings depending on \fBt\fR:
.IP "\s-1OPENSSL_VERSION\s0" 4
.IX Item "OPENSSL_VERSION"
The text variant of the version number and the release date. For example,
\&\*(L"OpenSSL 1.0.1a 15 Oct 2015\*(R".
.IP "\s-1OPENSSL_CFLAGS\s0" 4
.IX Item "OPENSSL_CFLAGS"
The compiler flags set for the compilation process in the form
\&\*(L"compiler: ...\*(R" if available or \*(L"compiler: information not available\*(R"
otherwise.
.IP "\s-1OPENSSL_BUILT_ON\s0" 4
.IX Item "OPENSSL_BUILT_ON"
The date of the build process in the form \*(L"built on: ...\*(R" if available
or \*(L"built on: date not available\*(R" otherwise.
.IP "\s-1OPENSSL_PLATFORM\s0" 4
.IX Item "OPENSSL_PLATFORM"
The \*(L"Configure\*(R" target of the library build in the form \*(L"platform: ...\*(R"
if available or \*(L"platform: information not available\*(R" otherwise.
.IP "\s-1OPENSSL_DIR\s0" 4
.IX Item "OPENSSL_DIR"
The \*(L"\s-1OPENSSLDIR\*(R"\s0 setting of the library build in the form \*(L"\s-1OPENSSLDIR: \*(R"..."\*(L"\s0
if available or \*(R"\s-1OPENSSLDIR: N/A"\s0 otherwise.
.IP "\s-1OPENSSL_ENGINES_DIR\s0" 4
.IX Item "OPENSSL_ENGINES_DIR"
The \*(L"\s-1ENGINESDIR\*(R"\s0 setting of the library build in the form \*(L"\s-1ENGINESDIR: \*(R"..."\*(L"\s0
if available or \*(R"\s-1ENGINESDIR: N/A"\s0 otherwise.
.PP
For an unknown \fBt\fR, the text \*(L"not available\*(R" is returned.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOpenSSL_version_num()\fR returns the version number.
.PP
\&\fBOpenSSL_version()\fR returns requested version strings.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_config.3 b/secure/lib/libcrypto/man/man3/OPENSSL_config.3
index 3c4a475ac5fc..46b21baab326 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_config.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_config.3
@@ -1,210 +1,210 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_CONFIG 3"
-.TH OPENSSL_CONFIG 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OPENSSL_CONFIG 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
OPENSSL_config, OPENSSL_no_config \- simple OpenSSL configuration functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/conf.h>
\&
\& #if OPENSSL_API_COMPAT < 0x10100000L
\& void OPENSSL_config(const char *appname);
\& void OPENSSL_no_config(void);
\& #endif
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBOPENSSL_config()\fR configures OpenSSL using the standard \fBopenssl.cnf\fR and
reads from the application section \fBappname\fR. If \fBappname\fR is \s-1NULL\s0 then
the default section, \fBopenssl_conf\fR, will be used.
Errors are silently ignored.
Multiple calls have no effect.
.PP
\&\fBOPENSSL_no_config()\fR disables configuration. If called before \fBOPENSSL_config()\fR
no configuration takes place.
.PP
If the application is built with \fB\s-1OPENSSL_LOAD_CONF\s0\fR defined, then a
call to \fBOpenSSL_add_all_algorithms()\fR will implicitly call \fBOPENSSL_config()\fR
first.
.SH "NOTES"
.IX Header "NOTES"
The \fBOPENSSL_config()\fR function is designed to be a very simple \*(L"call it and
forget it\*(R" function.
It is however \fBmuch\fR better than nothing. Applications which need finer
control over their configuration functionality should use the configuration
functions such as \fBCONF_modules_load()\fR directly. This function is deprecated
and its use should be avoided.
Applications should instead call \fBCONF_modules_load()\fR during
initialization (that is before starting any threads).
.PP
There are several reasons why calling the OpenSSL configuration routines is
advisable. For example, to load dynamic ENGINEs from shared libraries (DSOs).
However, very few applications currently support the control interface and so
very few can load and use dynamic ENGINEs. Equally in future more sophisticated
ENGINEs will require certain control operations to customize them. If an
application calls \fBOPENSSL_config()\fR it doesn't need to know or care about
\&\s-1ENGINE\s0 control operations because they can be performed by editing a
configuration file.
.SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
.IP "\fB\s-1OPENSSL_CONF\s0\fR" 4
.IX Item "OPENSSL_CONF"
The path to the config file.
Ignored in set-user-ID and set-group-ID programs.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Neither \fBOPENSSL_config()\fR nor \fBOPENSSL_no_config()\fR return a value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBconfig\fR\|(5),
\&\fBCONF_modules_load_file\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBOPENSSL_no_config()\fR and \fBOPENSSL_config()\fR functions were
deprecated in OpenSSL 1.1.0 by \fBOPENSSL_init_crypto()\fR.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2004\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_fork_prepare.3 b/secure/lib/libcrypto/man/man3/OPENSSL_fork_prepare.3
index 713acc8916ba..13ef5ade08d1 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_fork_prepare.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_fork_prepare.3
@@ -1,191 +1,191 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_FORK_PREPARE 3"
-.TH OPENSSL_FORK_PREPARE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OPENSSL_FORK_PREPARE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
OPENSSL_fork_prepare, OPENSSL_fork_parent, OPENSSL_fork_child \&\- OpenSSL fork handlers
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/crypto.h>
\&
\& void OPENSSL_fork_prepare(void);
\& void OPENSSL_fork_parent(void);
\& void OPENSSL_fork_child(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
OpenSSL has state that should be reset when a process forks. For example,
the entropy pool used to generate random numbers (and therefore encryption
keys) should not be shared across multiple programs.
The \fBOPENSSL_fork_prepare()\fR, \fBOPENSSL_fork_parent()\fR, and \fBOPENSSL_fork_child()\fR
functions are used to reset this internal state.
.PP
Platforms without \fBfork\fR\|(2) will probably not need to use these functions.
Platforms with \fBfork\fR\|(2) but without \fBpthread_atfork\fR\|(3) will probably need
to call them manually, as described in the following paragraph. Platforms
such as Linux that have both functions will normally not need to call these
functions as the OpenSSL library will do so automatically.
.PP
\&\fBOPENSSL_init_crypto\fR\|(3) will register these functions with the appropriate
handler, when the \fB\s-1OPENSSL_INIT_ATFORK\s0\fR flag is used. For other
applications, these functions can be called directly. They should be used
according to the calling sequence described by the \fBpthread_atfork\fR\|(3)
documentation, which is summarized here. \fBOPENSSL_fork_prepare()\fR should
be called before a \fBfork()\fR is done. After the \fBfork()\fR returns, the parent
process should call \fBOPENSSL_fork_parent()\fR and the child process should
call \fBOPENSSL_fork_child()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOPENSSL_fork_prepare()\fR, \fBOPENSSL_fork_parent()\fR and \fBOPENSSL_fork_child()\fR do not
return values.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBOPENSSL_init_crypto\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_ia32cap.3 b/secure/lib/libcrypto/man/man3/OPENSSL_ia32cap.3
index c711c1935377..32e3adba3167 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_ia32cap.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_ia32cap.3
@@ -1,295 +1,295 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_IA32CAP 3"
-.TH OPENSSL_IA32CAP 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OPENSSL_IA32CAP 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
OPENSSL_ia32cap \- the x86[_64] processor capabilities vector
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& env OPENSSL_ia32cap=... <application>
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
OpenSSL supports a range of x86[_64] instruction set extensions. These
extensions are denoted by individual bits in capability vector returned
by processor in \s-1EDX:ECX\s0 register pair after executing \s-1CPUID\s0 instruction
with EAX=1 input value (see Intel Application Note #241618). This vector
is copied to memory upon toolkit initialization and used to choose
between different code paths to provide optimal performance across wide
range of processors. For the moment of this writing following bits are
significant:
.IP "bit #4 denoting presence of Time-Stamp Counter." 4
.IX Item "bit #4 denoting presence of Time-Stamp Counter."
.PD 0
.IP "bit #19 denoting availability of \s-1CLFLUSH\s0 instruction;" 4
.IX Item "bit #19 denoting availability of CLFLUSH instruction;"
.IP "bit #20, reserved by Intel, is used to choose among \s-1RC4\s0 code paths;" 4
.IX Item "bit #20, reserved by Intel, is used to choose among RC4 code paths;"
.IP "bit #23 denoting \s-1MMX\s0 support;" 4
.IX Item "bit #23 denoting MMX support;"
.IP "bit #24, \s-1FXSR\s0 bit, denoting availability of \s-1XMM\s0 registers;" 4
.IX Item "bit #24, FXSR bit, denoting availability of XMM registers;"
.IP "bit #25 denoting \s-1SSE\s0 support;" 4
.IX Item "bit #25 denoting SSE support;"
.IP "bit #26 denoting \s-1SSE2\s0 support;" 4
.IX Item "bit #26 denoting SSE2 support;"
.IP "bit #28 denoting Hyperthreading, which is used to distinguish cores with shared cache;" 4
.IX Item "bit #28 denoting Hyperthreading, which is used to distinguish cores with shared cache;"
.IP "bit #30, reserved by Intel, denotes specifically Intel CPUs;" 4
.IX Item "bit #30, reserved by Intel, denotes specifically Intel CPUs;"
.IP "bit #33 denoting availability of \s-1PCLMULQDQ\s0 instruction;" 4
.IX Item "bit #33 denoting availability of PCLMULQDQ instruction;"
.IP "bit #41 denoting \s-1SSSE3,\s0 Supplemental \s-1SSE3,\s0 support;" 4
.IX Item "bit #41 denoting SSSE3, Supplemental SSE3, support;"
.IP "bit #43 denoting \s-1AMD XOP\s0 support (forced to zero on non-AMD CPUs);" 4
.IX Item "bit #43 denoting AMD XOP support (forced to zero on non-AMD CPUs);"
.IP "bit #54 denoting availability of \s-1MOVBE\s0 instruction;" 4
.IX Item "bit #54 denoting availability of MOVBE instruction;"
.IP "bit #57 denoting AES-NI instruction set extension;" 4
.IX Item "bit #57 denoting AES-NI instruction set extension;"
.IP "bit #58, \s-1XSAVE\s0 bit, lack of which in combination with \s-1MOVBE\s0 is used to identify Atom Silvermont core;" 4
.IX Item "bit #58, XSAVE bit, lack of which in combination with MOVBE is used to identify Atom Silvermont core;"
.IP "bit #59, \s-1OSXSAVE\s0 bit, denoting availability of \s-1YMM\s0 registers;" 4
.IX Item "bit #59, OSXSAVE bit, denoting availability of YMM registers;"
.IP "bit #60 denoting \s-1AVX\s0 extension;" 4
.IX Item "bit #60 denoting AVX extension;"
.IP "bit #62 denoting availability of \s-1RDRAND\s0 instruction;" 4
.IX Item "bit #62 denoting availability of RDRAND instruction;"
.PD
.PP
For example, in 32\-bit application context clearing bit #26 at run-time
disables high-performance \s-1SSE2\s0 code present in the crypto library, while
clearing bit #24 disables \s-1SSE2\s0 code operating on 128\-bit \s-1XMM\s0 register
bank. You might have to do the latter if target OpenSSL application is
executed on \s-1SSE2\s0 capable \s-1CPU,\s0 but under control of \s-1OS\s0 that does not
enable \s-1XMM\s0 registers. Historically address of the capability vector copy
was exposed to application through \fBOPENSSL_ia32cap_loc()\fR, but not
anymore. Now the only way to affect the capability detection is to set
OPENSSL_ia32cap environment variable prior target application start. To
give a specific example, on Intel P4 processor 'env
OPENSSL_ia32cap=0x16980010 apps/openssl', or better yet 'env
OPENSSL_ia32cap=~0x1000000 apps/openssl' would achieve the desired
effect. Alternatively you can reconfigure the toolkit with no\-sse2
option and recompile.
.PP
Less intuitive is clearing bit #28, or ~0x10000000 in the \*(L"environment
variable\*(R" terms. The truth is that it's not copied from \s-1CPUID\s0 output
verbatim, but is adjusted to reflect whether or not the data cache is
actually shared between logical cores. This in turn affects the decision
on whether or not expensive countermeasures against cache-timing attacks
are applied, most notably in \s-1AES\s0 assembler module.
.PP
The capability vector is further extended with \s-1EBX\s0 value returned by
\&\s-1CPUID\s0 with EAX=7 and ECX=0 as input. Following bits are significant:
.IP "bit #64+3 denoting availability of \s-1BMI1\s0 instructions, e.g. \s-1ANDN\s0;" 4
.IX Item "bit #64+3 denoting availability of BMI1 instructions, e.g. ANDN;"
.PD 0
.IP "bit #64+5 denoting availability of \s-1AVX2\s0 instructions;" 4
.IX Item "bit #64+5 denoting availability of AVX2 instructions;"
.IP "bit #64+8 denoting availability of \s-1BMI2\s0 instructions, e.g. \s-1MULX\s0 and \s-1RORX\s0;" 4
.IX Item "bit #64+8 denoting availability of BMI2 instructions, e.g. MULX and RORX;"
.IP "bit #64+16 denoting availability of \s-1AVX512F\s0 extension;" 4
.IX Item "bit #64+16 denoting availability of AVX512F extension;"
.IP "bit #64+18 denoting availability of \s-1RDSEED\s0 instruction;" 4
.IX Item "bit #64+18 denoting availability of RDSEED instruction;"
.IP "bit #64+19 denoting availability of \s-1ADCX\s0 and \s-1ADOX\s0 instructions;" 4
.IX Item "bit #64+19 denoting availability of ADCX and ADOX instructions;"
.IP "bit #64+21 denoting availability of VPMADD52[\s-1LH\s0]UQ instructions, aka \s-1AVX512IFMA\s0 extension;" 4
.IX Item "bit #64+21 denoting availability of VPMADD52[LH]UQ instructions, aka AVX512IFMA extension;"
.IP "bit #64+29 denoting availability of \s-1SHA\s0 extension;" 4
.IX Item "bit #64+29 denoting availability of SHA extension;"
.IP "bit #64+30 denoting availability of \s-1AVX512BW\s0 extension;" 4
.IX Item "bit #64+30 denoting availability of AVX512BW extension;"
.IP "bit #64+31 denoting availability of \s-1AVX512VL\s0 extension;" 4
.IX Item "bit #64+31 denoting availability of AVX512VL extension;"
.IP "bit #64+41 denoting availability of \s-1VAES\s0 extension;" 4
.IX Item "bit #64+41 denoting availability of VAES extension;"
.IP "bit #64+42 denoting availability of \s-1VPCLMULQDQ\s0 extension;" 4
.IX Item "bit #64+42 denoting availability of VPCLMULQDQ extension;"
.PD
.PP
To control this extended capability word use ':' as delimiter when
setting up OPENSSL_ia32cap environment variable. For example assigning
\&':~0x20' would disable \s-1AVX2\s0 code paths, and ':0' \- all post-AVX
extensions.
.PP
It should be noted that whether or not some of the most \*(L"fancy\*(R"
extension code paths are actually assembled depends on current assembler
version. Base minimum of \s-1AES\-NI/PCLMULQDQ, SSSE3\s0 and \s-1SHA\s0 extension code
paths are always assembled. Apart from that, minimum assembler version
requirements are summarized in below table:
.PP
.Vb 8
\& Extension | GNU as | nasm | llvm
\& \-\-\-\-\-\-\-\-\-\-\-\-+\-\-\-\-\-\-\-\-+\-\-\-\-\-\-\-\-+\-\-\-\-\-\-\-\-
\& AVX | 2.19 | 2.09 | 3.0
\& AVX2 | 2.22 | 2.10 | 3.1
\& ADCX/ADOX | 2.23 | 2.10 | 3.3
\& AVX512 | 2.25 | 2.11.8 | see NOTES
\& AVX512IFMA | 2.26 | 2.11.8 | see NOTES
\& VAES | 2.30 | 2.13.3 |
.Ve
.SH "NOTES"
.IX Header "NOTES"
Even though \s-1AVX512\s0 support was implemented in llvm 3.6, compilation of
assembly modules apparently requires explicit \-march flag. But then
compiler generates processor-specific code, which in turn contradicts
the mere idea of run-time switch execution facilitated by the variable
in question. Till the limitation is lifted, it's possible to work around
the problem by making build procedure use following script:
.PP
.Vb 2
\& #!/bin/sh
\& exec clang \-no\-integrated\-as "$@"
.Ve
.PP
instead of real clang. In which case it doesn't matter which clang
version is used, as it is \s-1GNU\s0 assembler version that will be checked.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Not available.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2004\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_init_crypto.3 b/secure/lib/libcrypto/man/man3/OPENSSL_init_crypto.3
index 72da970c0913..ff7711ba3f1b 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_init_crypto.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_init_crypto.3
@@ -1,379 +1,379 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_INIT_CRYPTO 3"
-.TH OPENSSL_INIT_CRYPTO 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OPENSSL_INIT_CRYPTO 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
OPENSSL_INIT_new, OPENSSL_INIT_set_config_filename, OPENSSL_INIT_set_config_appname, OPENSSL_INIT_set_config_file_flags, OPENSSL_INIT_free, OPENSSL_init_crypto, OPENSSL_cleanup, OPENSSL_atexit, OPENSSL_thread_stop \- OpenSSL initialisation and deinitialisation functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/crypto.h>
\&
\& void OPENSSL_cleanup(void);
\& int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
\& int OPENSSL_atexit(void (*handler)(void));
\& void OPENSSL_thread_stop(void);
\&
\& OPENSSL_INIT_SETTINGS *OPENSSL_INIT_new(void);
\& int OPENSSL_INIT_set_config_filename(OPENSSL_INIT_SETTINGS *init,
\& const char* filename);
\& int OPENSSL_INIT_set_config_file_flags(OPENSSL_INIT_SETTINGS *init,
\& unsigned long flags);
\& int OPENSSL_INIT_set_config_appname(OPENSSL_INIT_SETTINGS *init,
\& const char* name);
\& void OPENSSL_INIT_free(OPENSSL_INIT_SETTINGS *init);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
During normal operation OpenSSL (libcrypto) will allocate various resources at
start up that must, subsequently, be freed on close down of the library.
Additionally some resources are allocated on a per thread basis (if the
application is multi-threaded), and these resources must be freed prior to the
thread closing.
.PP
As of version 1.1.0 OpenSSL will automatically allocate all resources that it
needs so no explicit initialisation is required. Similarly it will also
automatically deinitialise as required.
.PP
However, there may be situations when explicit initialisation is desirable or
needed, for example when some nondefault initialisation is required. The
function \fBOPENSSL_init_crypto()\fR can be used for this purpose for
libcrypto (see also \fBOPENSSL_init_ssl\fR\|(3) for the libssl
equivalent).
.PP
Numerous internal OpenSSL functions call \fBOPENSSL_init_crypto()\fR.
Therefore, in order to perform nondefault initialisation,
\&\fBOPENSSL_init_crypto()\fR \s-1MUST\s0 be called by application code prior to
any other OpenSSL function calls.
.PP
The \fBopts\fR parameter specifies which aspects of libcrypto should be
initialised. Valid options are:
.IP "\s-1OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS\s0" 4
.IX Item "OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS"
Suppress automatic loading of the libcrypto error strings. This option is
not a default option. Once selected subsequent calls to
\&\fBOPENSSL_init_crypto()\fR with the option
\&\fB\s-1OPENSSL_INIT_LOAD_CRYPTO_STRINGS\s0\fR will be ignored.
.IP "\s-1OPENSSL_INIT_LOAD_CRYPTO_STRINGS\s0" 4
.IX Item "OPENSSL_INIT_LOAD_CRYPTO_STRINGS"
Automatic loading of the libcrypto error strings. With this option the
library will automatically load the libcrypto error strings.
This option is a default option. Once selected subsequent calls to
\&\fBOPENSSL_init_crypto()\fR with the option
\&\fB\s-1OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS\s0\fR will be ignored.
.IP "\s-1OPENSSL_INIT_ADD_ALL_CIPHERS\s0" 4
.IX Item "OPENSSL_INIT_ADD_ALL_CIPHERS"
With this option the library will automatically load and make available all
libcrypto ciphers. This option is a default option. Once selected subsequent
calls to \fBOPENSSL_init_crypto()\fR with the option
\&\fB\s-1OPENSSL_INIT_NO_ADD_ALL_CIPHERS\s0\fR will be ignored.
.IP "\s-1OPENSSL_INIT_ADD_ALL_DIGESTS\s0" 4
.IX Item "OPENSSL_INIT_ADD_ALL_DIGESTS"
With this option the library will automatically load and make available all
libcrypto digests. This option is a default option. Once selected subsequent
calls to \fBOPENSSL_init_crypto()\fR with the option
\&\fB\s-1OPENSSL_INIT_NO_ADD_ALL_CIPHERS\s0\fR will be ignored.
.IP "\s-1OPENSSL_INIT_NO_ADD_ALL_CIPHERS\s0" 4
.IX Item "OPENSSL_INIT_NO_ADD_ALL_CIPHERS"
With this option the library will suppress automatic loading of libcrypto
ciphers. This option is not a default option. Once selected subsequent
calls to \fBOPENSSL_init_crypto()\fR with the option
\&\fB\s-1OPENSSL_INIT_ADD_ALL_CIPHERS\s0\fR will be ignored.
.IP "\s-1OPENSSL_INIT_NO_ADD_ALL_DIGESTS\s0" 4
.IX Item "OPENSSL_INIT_NO_ADD_ALL_DIGESTS"
With this option the library will suppress automatic loading of libcrypto
digests. This option is not a default option. Once selected subsequent
calls to \fBOPENSSL_init_crypto()\fR with the option
\&\fB\s-1OPENSSL_INIT_ADD_ALL_DIGESTS\s0\fR will be ignored.
.IP "\s-1OPENSSL_INIT_LOAD_CONFIG\s0" 4
.IX Item "OPENSSL_INIT_LOAD_CONFIG"
With this option an OpenSSL configuration file will be automatically loaded and
used by calling \fBOPENSSL_config()\fR. This is not a default option for libcrypto.
As of OpenSSL 1.1.1 this is a default option for libssl (see
\&\fBOPENSSL_init_ssl\fR\|(3) for further details about libssl initialisation). See the
description of \fBOPENSSL_INIT_new()\fR, below.
.IP "\s-1OPENSSL_INIT_NO_LOAD_CONFIG\s0" 4
.IX Item "OPENSSL_INIT_NO_LOAD_CONFIG"
With this option the loading of OpenSSL configuration files will be suppressed.
It is the equivalent of calling \fBOPENSSL_no_config()\fR. This is not a default
option.
.IP "\s-1OPENSSL_INIT_ASYNC\s0" 4
.IX Item "OPENSSL_INIT_ASYNC"
With this option the library with automatically initialise the libcrypto async
sub-library (see \fBASYNC_start_job\fR\|(3)). This is a default option.
.IP "\s-1OPENSSL_INIT_ENGINE_RDRAND\s0" 4
.IX Item "OPENSSL_INIT_ENGINE_RDRAND"
With this option the library will automatically load and initialise the
\&\s-1RDRAND\s0 engine (if available). This not a default option.
.IP "\s-1OPENSSL_INIT_ENGINE_DYNAMIC\s0" 4
.IX Item "OPENSSL_INIT_ENGINE_DYNAMIC"
With this option the library will automatically load and initialise the
dynamic engine. This not a default option.
.IP "\s-1OPENSSL_INIT_ENGINE_OPENSSL\s0" 4
.IX Item "OPENSSL_INIT_ENGINE_OPENSSL"
With this option the library will automatically load and initialise the
openssl engine. This not a default option.
.IP "\s-1OPENSSL_INIT_ENGINE_CRYPTODEV\s0" 4
.IX Item "OPENSSL_INIT_ENGINE_CRYPTODEV"
With this option the library will automatically load and initialise the
cryptodev engine (if available). This not a default option.
.IP "\s-1OPENSSL_INIT_ENGINE_CAPI\s0" 4
.IX Item "OPENSSL_INIT_ENGINE_CAPI"
With this option the library will automatically load and initialise the
\&\s-1CAPI\s0 engine (if available). This not a default option.
.IP "\s-1OPENSSL_INIT_ENGINE_PADLOCK\s0" 4
.IX Item "OPENSSL_INIT_ENGINE_PADLOCK"
With this option the library will automatically load and initialise the
padlock engine (if available). This not a default option.
.IP "\s-1OPENSSL_INIT_ENGINE_AFALG\s0" 4
.IX Item "OPENSSL_INIT_ENGINE_AFALG"
With this option the library will automatically load and initialise the
\&\s-1AFALG\s0 engine. This not a default option.
.IP "\s-1OPENSSL_INIT_ENGINE_ALL_BUILTIN\s0" 4
.IX Item "OPENSSL_INIT_ENGINE_ALL_BUILTIN"
With this option the library will automatically load and initialise all the
built in engines listed above with the exception of the openssl and afalg
engines. This not a default option.
.IP "\s-1OPENSSL_INIT_ATFORK\s0" 4
.IX Item "OPENSSL_INIT_ATFORK"
With this option the library will register its fork handlers.
See \fBOPENSSL_fork_prepare\fR\|(3) for details.
.IP "\s-1OPENSSL_INIT_NO_ATEXIT\s0" 4
.IX Item "OPENSSL_INIT_NO_ATEXIT"
By default OpenSSL will attempt to clean itself up when the process exits via an
\&\*(L"atexit\*(R" handler. Using this option suppresses that behaviour. This means that
the application will have to clean up OpenSSL explicitly using
\&\fBOPENSSL_cleanup()\fR.
.PP
Multiple options may be combined together in a single call to
\&\fBOPENSSL_init_crypto()\fR. For example:
.PP
.Vb 2
\& OPENSSL_init_crypto(OPENSSL_INIT_NO_ADD_ALL_CIPHERS
\& | OPENSSL_INIT_NO_ADD_ALL_DIGESTS, NULL);
.Ve
.PP
The \fBOPENSSL_cleanup()\fR function deinitialises OpenSSL (both libcrypto
and libssl). All resources allocated by OpenSSL are freed. Typically there
should be no need to call this function directly as it is initiated
automatically on application exit. This is done via the standard C library
\&\fBatexit()\fR function. In the event that the application will close in a manner
that will not call the registered \fBatexit()\fR handlers then the application should
call \fBOPENSSL_cleanup()\fR directly. Developers of libraries using OpenSSL
are discouraged from calling this function and should instead, typically, rely
on auto-deinitialisation. This is to avoid error conditions where both an
application and a library it depends on both use OpenSSL, and the library
deinitialises it before the application has finished using it.
.PP
Once \fBOPENSSL_cleanup()\fR has been called the library cannot be reinitialised.
Attempts to call \fBOPENSSL_init_crypto()\fR will fail and an \s-1ERR_R_INIT_FAIL\s0 error
will be added to the error stack. Note that because initialisation has failed
OpenSSL error strings will not be available, only an error code. This code can
be put through the openssl errstr command line application to produce a human
readable error (see \fBerrstr\fR\|(1)).
.PP
The \fBOPENSSL_atexit()\fR function enables the registration of a
function to be called during \fBOPENSSL_cleanup()\fR. Stop handlers are
called after deinitialisation of resources local to a thread, but before other
process wide resources are freed. In the event that multiple stop handlers are
registered, no guarantees are made about the order of execution.
.PP
The \fBOPENSSL_thread_stop()\fR function deallocates resources associated
with the current thread. Typically this function will be called automatically by
the library when the thread exits. This should only be called directly if
resources should be freed at an earlier time, or under the circumstances
described in the \s-1NOTES\s0 section below.
.PP
The \fB\s-1OPENSSL_INIT_LOAD_CONFIG\s0\fR flag will load a configuration file, as with
\&\fBCONF_modules_load_file\fR\|(3) with \s-1NULL\s0 filename and application name and the
\&\fB\s-1CONF_MFLAGS_IGNORE_MISSING_FILE\s0\fR, \fB\s-1CONF_MFLAGS_IGNORE_RETURN_CODES\s0\fR and
\&\fB\s-1CONF_MFLAGS_DEFAULT_SECTION\s0\fR flags.
The filename, application name, and flags can be customized by providing a
non-null \fB\s-1OPENSSL_INIT_SETTINGS\s0\fR object.
The object can be allocated via \fB\fBOPENSSL_init_new()\fB\fR.
The \fB\fBOPENSSL_INIT_set_config_filename()\fB\fR function can be used to specify a
nondefault filename, which is copied and need not refer to persistent storage.
Similarly, \fBOPENSSL_INIT_set_config_appname()\fR can be used to specify a
nondefault application name.
Finally, OPENSSL_INIT_set_file_flags can be used to specify nondefault flags.
If the \fB\s-1CONF_MFLAGS_IGNORE_RETURN_CODES\s0\fR flag is not included, any errors in
the configuration file will cause an error return from \fBOPENSSL_init_crypto\fR
or indirectly \fBOPENSSL_init_ssl\fR\|(3).
The object can be released with \fBOPENSSL_INIT_free()\fR when done.
.SH "NOTES"
.IX Header "NOTES"
Resources local to a thread are deallocated automatically when the thread exits
(e.g. in a pthreads environment, when \fBpthread_exit()\fR is called). On Windows
platforms this is done in response to a \s-1DLL_THREAD_DETACH\s0 message being sent to
the libcrypto32.dll entry point. Some windows functions may cause threads to exit
without sending this message (for example \fBExitProcess()\fR). If the application
uses such functions, then the application must free up OpenSSL resources
directly via a call to \fBOPENSSL_thread_stop()\fR on each thread. Similarly this
message will also not be sent if OpenSSL is linked statically, and therefore
applications using static linking should also call \fBOPENSSL_thread_stop()\fR on each
thread. Additionally if OpenSSL is loaded dynamically via \fBLoadLibrary()\fR and the
threads are not destroyed until after \fBFreeLibrary()\fR is called then each thread
should call \fBOPENSSL_thread_stop()\fR prior to the \fBFreeLibrary()\fR call.
.PP
On Linux/Unix where OpenSSL has been loaded via \fBdlopen()\fR and the application is
multi-threaded and if \fBdlclose()\fR is subsequently called prior to the threads
being destroyed then OpenSSL will not be able to deallocate resources associated
with those threads. The application should either call \fBOPENSSL_thread_stop()\fR on
each thread prior to the \fBdlclose()\fR call, or alternatively the original \fBdlopen()\fR
call should use the \s-1RTLD_NODELETE\s0 flag (where available on the platform).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The functions OPENSSL_init_crypto, \fBOPENSSL_atexit()\fR and
\&\fBOPENSSL_INIT_set_config_appname()\fR return 1 on success or 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBOPENSSL_init_ssl\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBOPENSSL_init_crypto()\fR, \fBOPENSSL_cleanup()\fR, \fBOPENSSL_atexit()\fR,
\&\fBOPENSSL_thread_stop()\fR, \fBOPENSSL_INIT_new()\fR, \fBOPENSSL_INIT_set_config_appname()\fR
and \fBOPENSSL_INIT_free()\fR functions were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_init_ssl.3 b/secure/lib/libcrypto/man/man3/OPENSSL_init_ssl.3
index 74501bd31669..10b1669c474d 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_init_ssl.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_init_ssl.3
@@ -1,209 +1,209 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_INIT_SSL 3"
-.TH OPENSSL_INIT_SSL 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OPENSSL_INIT_SSL 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
OPENSSL_init_ssl \- OpenSSL (libssl and libcrypto) initialisation
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
During normal operation OpenSSL (libssl and libcrypto) will allocate various
resources at start up that must, subsequently, be freed on close down of the
library. Additionally some resources are allocated on a per thread basis (if the
application is multi-threaded), and these resources must be freed prior to the
thread closing.
.PP
As of version 1.1.0 OpenSSL will automatically allocate all resources that it
needs so no explicit initialisation is required. Similarly it will also
automatically deinitialise as required.
.PP
However, there may be situations when explicit initialisation is desirable or
needed, for example when some nondefault initialisation is required. The
function \fBOPENSSL_init_ssl()\fR can be used for this purpose. Calling
this function will explicitly initialise \s-1BOTH\s0 libcrypto and libssl. To
explicitly initialise \s-1ONLY\s0 libcrypto see the
\&\fBOPENSSL_init_crypto\fR\|(3) function.
.PP
Numerous internal OpenSSL functions call \fBOPENSSL_init_ssl()\fR.
Therefore, in order to perform nondefault initialisation,
\&\fBOPENSSL_init_ssl()\fR \s-1MUST\s0 be called by application code prior to
any other OpenSSL function calls.
.PP
The \fBopts\fR parameter specifies which aspects of libssl and libcrypto should be
initialised. Valid options for libcrypto are described on the
\&\fBOPENSSL_init_crypto\fR\|(3) page. In addition to any libcrypto
specific option the following libssl options can also be used:
.IP "\s-1OPENSSL_INIT_NO_LOAD_SSL_STRINGS\s0" 4
.IX Item "OPENSSL_INIT_NO_LOAD_SSL_STRINGS"
Suppress automatic loading of the libssl error strings. This option is
not a default option. Once selected subsequent calls to
\&\fBOPENSSL_init_ssl()\fR with the option
\&\fB\s-1OPENSSL_INIT_LOAD_SSL_STRINGS\s0\fR will be ignored.
.IP "\s-1OPENSSL_INIT_LOAD_SSL_STRINGS\s0" 4
.IX Item "OPENSSL_INIT_LOAD_SSL_STRINGS"
Automatic loading of the libssl error strings. This option is a
default option. Once selected subsequent calls to
\&\fBOPENSSL_init_ssl()\fR with the option
\&\fB\s-1OPENSSL_INIT_LOAD_SSL_STRINGS\s0\fR will be ignored.
.PP
\&\fBOPENSSL_init_ssl()\fR takes a \fBsettings\fR parameter which can be used to
set parameter values. See \fBOPENSSL_init_crypto\fR\|(3) for details.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The function \fBOPENSSL_init_ssl()\fR returns 1 on success or 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBOPENSSL_init_crypto\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBOPENSSL_init_ssl()\fR function was added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_instrument_bus.3 b/secure/lib/libcrypto/man/man3/OPENSSL_instrument_bus.3
index 975e466bce20..09a064d7f2cf 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_instrument_bus.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_instrument_bus.3
@@ -1,186 +1,186 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_INSTRUMENT_BUS 3"
-.TH OPENSSL_INSTRUMENT_BUS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OPENSSL_INSTRUMENT_BUS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
OPENSSL_instrument_bus, OPENSSL_instrument_bus2 \- instrument references to memory bus
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 4
\& #ifdef OPENSSL_CPUID_OBJ
\& size_t OPENSSL_instrument_bus(int *vector, size_t num);
\& size_t OPENSSL_instrument_bus2(int *vector, size_t num, size_t max);
\& #endif
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
It was empirically found that timings of references to primary memory
are subject to irregular, apparently non-deterministic variations. The
subroutines in question instrument these references for purposes of
gathering randomness for random number generator. In order to make it
bus-bound a 'flush cache line' instruction is used between probes. In
addition probes are added to \fBvector\fR elements in atomic or
interlocked manner, which should contribute additional noise on
multi-processor systems. This also means that \fBvector[num]\fR should be
zeroed upon invocation (if you want to retrieve actual probe values).
.PP
\&\fBOPENSSL_instrument_bus()\fR performs \fBnum\fR probes and records the number of
oscillator cycles every probe took.
.PP
\&\fBOPENSSL_instrument_bus2()\fR on the other hand \fBaccumulates\fR consecutive
probes with the same value, i.e. in a way it records duration of
periods when probe values appeared deterministic. The subroutine
performs at most \fBmax\fR probes in attempt to fill the \fBvector[num]\fR,
with \fBmax\fR value of 0 meaning \*(L"as many as it takes.\*(R"
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Return value of 0 indicates that \s-1CPU\s0 is not capable of performing the
benchmark, either because oscillator counter or 'flush cache line' is
not available on current platform. For reference, on x86 'flush cache
line' was introduced with the \s-1SSE2\s0 extensions.
.PP
Otherwise number of recorded values is returned.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2011\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_load_builtin_modules.3 b/secure/lib/libcrypto/man/man3/OPENSSL_load_builtin_modules.3
index 81f192fbd1c2..c237ac3573b7 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_load_builtin_modules.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_load_builtin_modules.3
@@ -1,187 +1,187 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_LOAD_BUILTIN_MODULES 3"
-.TH OPENSSL_LOAD_BUILTIN_MODULES 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OPENSSL_LOAD_BUILTIN_MODULES 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
OPENSSL_load_builtin_modules, ASN1_add_oid_module, ENGINE_add_conf_module \- add standard configuration modules
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/conf.h>
\&
\& void OPENSSL_load_builtin_modules(void);
\& void ASN1_add_oid_module(void);
\& void ENGINE_add_conf_module(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The function \fBOPENSSL_load_builtin_modules()\fR adds all the standard OpenSSL
configuration modules to the internal list. They can then be used by the
OpenSSL configuration code.
.PP
\&\fBASN1_add_oid_module()\fR adds just the \s-1ASN1 OBJECT\s0 module.
.PP
\&\fBENGINE_add_conf_module()\fR adds just the \s-1ENGINE\s0 configuration module.
.SH "NOTES"
.IX Header "NOTES"
If the simple configuration function \fBOPENSSL_config()\fR is called then
\&\fBOPENSSL_load_builtin_modules()\fR is called automatically.
.PP
Applications which use the configuration functions directly will need to
call \fBOPENSSL_load_builtin_modules()\fR themselves \fIbefore\fR any other
configuration code.
.PP
Applications should call \fBOPENSSL_load_builtin_modules()\fR to load all
configuration modules instead of adding modules selectively: otherwise
functionality may be missing from the application if an when new
modules are added.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
None of the functions return a value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBconfig\fR\|(5), \fBOPENSSL_config\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2004\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_malloc.3 b/secure/lib/libcrypto/man/man3/OPENSSL_malloc.3
index a4d7171bae18..77cd8eafefaf 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_malloc.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_malloc.3
@@ -1,371 +1,371 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_MALLOC 3"
-.TH OPENSSL_MALLOC 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OPENSSL_MALLOC 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
OPENSSL_malloc_init, OPENSSL_malloc, OPENSSL_zalloc, OPENSSL_realloc, OPENSSL_free, OPENSSL_clear_realloc, OPENSSL_clear_free, OPENSSL_cleanse, CRYPTO_malloc, CRYPTO_zalloc, CRYPTO_realloc, CRYPTO_free, OPENSSL_strdup, OPENSSL_strndup, OPENSSL_memdup, OPENSSL_strlcpy, OPENSSL_strlcat, OPENSSL_hexstr2buf, OPENSSL_buf2hexstr, OPENSSL_hexchar2int, CRYPTO_strdup, CRYPTO_strndup, OPENSSL_mem_debug_push, OPENSSL_mem_debug_pop, CRYPTO_mem_debug_push, CRYPTO_mem_debug_pop, CRYPTO_clear_realloc, CRYPTO_clear_free, CRYPTO_get_mem_functions, CRYPTO_set_mem_functions, CRYPTO_get_alloc_counts, CRYPTO_set_mem_debug, CRYPTO_mem_ctrl, CRYPTO_mem_leaks, CRYPTO_mem_leaks_fp, CRYPTO_mem_leaks_cb, OPENSSL_MALLOC_FAILURES, OPENSSL_MALLOC_FD \&\- Memory allocation functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/crypto.h>
\&
\& int OPENSSL_malloc_init(void)
\&
\& void *OPENSSL_malloc(size_t num)
\& void *OPENSSL_zalloc(size_t num)
\& void *OPENSSL_realloc(void *addr, size_t num)
\& void OPENSSL_free(void *addr)
\& char *OPENSSL_strdup(const char *str)
\& char *OPENSSL_strndup(const char *str, size_t s)
\& size_t OPENSSL_strlcat(char *dst, const char *src, size_t size);
\& size_t OPENSSL_strlcpy(char *dst, const char *src, size_t size);
\& void *OPENSSL_memdup(void *data, size_t s)
\& void *OPENSSL_clear_realloc(void *p, size_t old_len, size_t num)
\& void OPENSSL_clear_free(void *str, size_t num)
\& void OPENSSL_cleanse(void *ptr, size_t len);
\&
\& unsigned char *OPENSSL_hexstr2buf(const char *str, long *len);
\& char *OPENSSL_buf2hexstr(const unsigned char *buffer, long len);
\& int OPENSSL_hexchar2int(unsigned char c);
\&
\& void *CRYPTO_malloc(size_t num, const char *file, int line)
\& void *CRYPTO_zalloc(size_t num, const char *file, int line)
\& void *CRYPTO_realloc(void *p, size_t num, const char *file, int line)
\& void CRYPTO_free(void *str, const char *, int)
\& char *CRYPTO_strdup(const char *p, const char *file, int line)
\& char *CRYPTO_strndup(const char *p, size_t num, const char *file, int line)
\& void *CRYPTO_clear_realloc(void *p, size_t old_len, size_t num,
\& const char *file, int line)
\& void CRYPTO_clear_free(void *str, size_t num, const char *, int)
\&
\& void CRYPTO_get_mem_functions(
\& void *(**m)(size_t, const char *, int),
\& void *(**r)(void *, size_t, const char *, int),
\& void (**f)(void *, const char *, int))
\& int CRYPTO_set_mem_functions(
\& void *(*m)(size_t, const char *, int),
\& void *(*r)(void *, size_t, const char *, int),
\& void (*f)(void *, const char *, int))
\&
\& void CRYPTO_get_alloc_counts(int *m, int *r, int *f)
\&
\& int CRYPTO_set_mem_debug(int onoff)
\&
\& env OPENSSL_MALLOC_FAILURES=... <application>
\& env OPENSSL_MALLOC_FD=... <application>
\&
\& int CRYPTO_mem_ctrl(int mode);
\&
\& int OPENSSL_mem_debug_push(const char *info)
\& int OPENSSL_mem_debug_pop(void);
\&
\& int CRYPTO_mem_debug_push(const char *info, const char *file, int line);
\& int CRYPTO_mem_debug_pop(void);
\&
\& int CRYPTO_mem_leaks(BIO *b);
\& int CRYPTO_mem_leaks_fp(FILE *fp);
\& int CRYPTO_mem_leaks_cb(int (*cb)(const char *str, size_t len, void *u),
\& void *u);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
OpenSSL memory allocation is handled by the \fBOPENSSL_xxx\fR \s-1API.\s0 These are
generally macro's that add the standard C \fB_\|_FILE_\|_\fR and \fB_\|_LINE_\|_\fR
parameters and call a lower-level \fBCRYPTO_xxx\fR \s-1API.\s0
Some functions do not add those parameters, but exist for consistency.
.PP
\&\fBOPENSSL_malloc_init()\fR does nothing and does not need to be called. It is
included for compatibility with older versions of OpenSSL.
.PP
\&\fBOPENSSL_malloc()\fR, \fBOPENSSL_realloc()\fR, and \fBOPENSSL_free()\fR are like the
C \fBmalloc()\fR, \fBrealloc()\fR, and \fBfree()\fR functions.
\&\fBOPENSSL_zalloc()\fR calls \fBmemset()\fR to zero the memory before returning.
.PP
\&\fBOPENSSL_clear_realloc()\fR and \fBOPENSSL_clear_free()\fR should be used
when the buffer at \fBaddr\fR holds sensitive information.
The old buffer is filled with zero's by calling \fBOPENSSL_cleanse()\fR
before ultimately calling \fBOPENSSL_free()\fR.
.PP
\&\fBOPENSSL_cleanse()\fR fills \fBptr\fR of size \fBlen\fR with a string of 0's.
Use \fBOPENSSL_cleanse()\fR with care if the memory is a mapping of a file.
If the storage controller uses write compression, then it's possible
that sensitive tail bytes will survive zeroization because the block of
zeros will be compressed. If the storage controller uses wear leveling,
then the old sensitive data will not be overwritten; rather, a block of
0's will be written at a new physical location.
.PP
\&\fBOPENSSL_strdup()\fR, \fBOPENSSL_strndup()\fR and \fBOPENSSL_memdup()\fR are like the
equivalent C functions, except that memory is allocated by calling the
\&\fBOPENSSL_malloc()\fR and should be released by calling \fBOPENSSL_free()\fR.
.PP
\&\fBOPENSSL_strlcpy()\fR,
\&\fBOPENSSL_strlcat()\fR and \fBOPENSSL_strnlen()\fR are equivalents of the common C
library functions and are provided for portability.
.PP
\&\fBOPENSSL_hexstr2buf()\fR parses \fBstr\fR as a hex string and returns a
pointer to the parsed value. The memory is allocated by calling
\&\fBOPENSSL_malloc()\fR and should be released by calling \fBOPENSSL_free()\fR.
If \fBlen\fR is not \s-1NULL,\s0 it is filled in with the output length.
Colons between two-character hex \*(L"bytes\*(R" are ignored.
An odd number of hex digits is an error.
.PP
\&\fBOPENSSL_buf2hexstr()\fR takes the specified buffer and length, and returns
a hex string for value, or \s-1NULL\s0 on error.
\&\fBBuffer\fR cannot be \s-1NULL\s0; if \fBlen\fR is 0 an empty string is returned.
.PP
\&\fBOPENSSL_hexchar2int()\fR converts a character to the hexadecimal equivalent,
or returns \-1 on error.
.PP
If no allocations have been done, it is possible to \*(L"swap out\*(R" the default
implementations for \fBOPENSSL_malloc()\fR, OPENSSL_realloc and \fBOPENSSL_free()\fR
and replace them with alternate versions (hooks).
\&\fBCRYPTO_get_mem_functions()\fR function fills in the given arguments with the
function pointers for the current implementations.
With \fBCRYPTO_set_mem_functions()\fR, you can specify a different set of functions.
If any of \fBm\fR, \fBr\fR, or \fBf\fR are \s-1NULL,\s0 then the function is not changed.
.PP
The default implementation can include some debugging capability (if enabled
at build-time).
This adds some overhead by keeping a list of all memory allocations, and
removes items from the list when they are free'd.
This is most useful for identifying memory leaks.
\&\fBCRYPTO_set_mem_debug()\fR turns this tracking on and off. In order to have
any effect, is must be called before any of the allocation functions
(e.g., \fBCRYPTO_malloc()\fR) are called, and is therefore normally one of the
first lines of \fBmain()\fR in an application.
\&\fBCRYPTO_mem_ctrl()\fR provides fine-grained control of memory leak tracking.
To enable tracking call \fBCRYPTO_mem_ctrl()\fR with a \fBmode\fR argument of
the \fB\s-1CRYPTO_MEM_CHECK_ON\s0\fR.
To disable tracking call \fBCRYPTO_mem_ctrl()\fR with a \fBmode\fR argument of
the \fB\s-1CRYPTO_MEM_CHECK_OFF\s0\fR.
.PP
While checking memory, it can be useful to store additional context
about what is being done.
For example, identifying the field names when parsing a complicated
data structure.
\&\fBOPENSSL_mem_debug_push()\fR (which calls \fBCRYPTO_mem_debug_push()\fR)
attaches an identifying string to the allocation stack.
This must be a global or other static string; it is not copied.
\&\fBOPENSSL_mem_debug_pop()\fR removes identifying state from the stack.
.PP
At the end of the program, calling \fBCRYPTO_mem_leaks()\fR or
\&\fBCRYPTO_mem_leaks_fp()\fR will report all \*(L"leaked\*(R" memory, writing it
to the specified \s-1BIO\s0 \fBb\fR or \s-1FILE\s0 \fBfp\fR. These functions return 1 if
there are no leaks, 0 if there are leaks and \-1 if an error occurred.
.PP
\&\fBCRYPTO_mem_leaks_cb()\fR does the same as \fBCRYPTO_mem_leaks()\fR, but instead
of writing to a given \s-1BIO,\s0 the callback function is called for each
output string with the string, length, and userdata \fBu\fR as the callback
parameters.
.PP
If the library is built with the \f(CW\*(C`crypto\-mdebug\*(C'\fR option, then one
function, \fBCRYPTO_get_alloc_counts()\fR, and two additional environment
variables, \fB\s-1OPENSSL_MALLOC_FAILURES\s0\fR and \fB\s-1OPENSSL_MALLOC_FD\s0\fR,
are available.
.PP
The function \fBCRYPTO_get_alloc_counts()\fR fills in the number of times
each of \fBCRYPTO_malloc()\fR, \fBCRYPTO_realloc()\fR, and \fBCRYPTO_free()\fR have been
called, into the values pointed to by \fBmcount\fR, \fBrcount\fR, and \fBfcount\fR,
respectively. If a pointer is \s-1NULL,\s0 then the corresponding count is not stored.
.PP
The variable
\&\fB\s-1OPENSSL_MALLOC_FAILURES\s0\fR controls how often allocations should fail.
It is a set of fields separated by semicolons, which each field is a count
(defaulting to zero) and an optional atsign and percentage (defaulting
to 100). If the count is zero, then it lasts forever. For example,
\&\f(CW\*(C`100;@25\*(C'\fR or \f(CW\*(C`100@0;0@25\*(C'\fR means the first 100 allocations pass, then all
other allocations (until the program exits or crashes) have a 25% chance of
failing.
.PP
If the variable \fB\s-1OPENSSL_MALLOC_FD\s0\fR is parsed as a positive integer, then
it is taken as an open file descriptor, and a record of all allocations is
written to that descriptor. If an allocation will fail, and the platform
supports it, then a backtrace will be written to the descriptor. This can
be useful because a malloc may fail but not be checked, and problems will
only occur later. The following example in classic shell syntax shows how
to use this (will not work on all platforms):
.PP
.Vb 5
\& OPENSSL_MALLOC_FAILURES=\*(Aq200;@10\*(Aq
\& export OPENSSL_MALLOC_FAILURES
\& OPENSSL_MALLOC_FD=3
\& export OPENSSL_MALLOC_FD
\& ...app invocation... 3>/tmp/log$$
.Ve
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOPENSSL_malloc_init()\fR, \fBOPENSSL_free()\fR, \fBOPENSSL_clear_free()\fR
\&\fBCRYPTO_free()\fR, \fBCRYPTO_clear_free()\fR and \fBCRYPTO_get_mem_functions()\fR
return no value.
.PP
\&\fBCRYPTO_mem_leaks()\fR, \fBCRYPTO_mem_leaks_fp()\fR and \fBCRYPTO_mem_leaks_cb()\fR return 1 if
there are no leaks, 0 if there are leaks and \-1 if an error occurred.
.PP
\&\fBOPENSSL_malloc()\fR, \fBOPENSSL_zalloc()\fR, \fBOPENSSL_realloc()\fR,
\&\fBOPENSSL_clear_realloc()\fR,
\&\fBCRYPTO_malloc()\fR, \fBCRYPTO_zalloc()\fR, \fBCRYPTO_realloc()\fR,
\&\fBCRYPTO_clear_realloc()\fR,
\&\fBOPENSSL_buf2hexstr()\fR, \fBOPENSSL_hexstr2buf()\fR,
\&\fBOPENSSL_strdup()\fR, and \fBOPENSSL_strndup()\fR
return a pointer to allocated memory or \s-1NULL\s0 on error.
.PP
\&\fBCRYPTO_set_mem_functions()\fR and \fBCRYPTO_set_mem_debug()\fR
return 1 on success or 0 on failure (almost
always because allocations have already happened).
.PP
\&\fBCRYPTO_mem_ctrl()\fR returns \-1 if an error occurred, otherwise the
previous value of the mode.
.PP
\&\fBOPENSSL_mem_debug_push()\fR and \fBOPENSSL_mem_debug_pop()\fR
return 1 on success or 0 on failure.
.SH "NOTES"
.IX Header "NOTES"
While it's permitted to swap out only a few and not all the functions
with \fBCRYPTO_set_mem_functions()\fR, it's recommended to swap them all out
at once. \fIThis applies specially if OpenSSL was built with the
configuration option\fR \f(CW\*(C`crypto\-mdebug\*(C'\fR \fIenabled. In case, swapping out
only, say, the \f(BImalloc()\fI implementation is outright dangerous.\fR
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OPENSSL_secure_malloc.3 b/secure/lib/libcrypto/man/man3/OPENSSL_secure_malloc.3
index f3cbd9d51238..9fc7cdd94f22 100644
--- a/secure/lib/libcrypto/man/man3/OPENSSL_secure_malloc.3
+++ b/secure/lib/libcrypto/man/man3/OPENSSL_secure_malloc.3
@@ -1,263 +1,263 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_SECURE_MALLOC 3"
-.TH OPENSSL_SECURE_MALLOC 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OPENSSL_SECURE_MALLOC 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CRYPTO_secure_malloc_init, CRYPTO_secure_malloc_initialized, CRYPTO_secure_malloc_done, OPENSSL_secure_malloc, CRYPTO_secure_malloc, OPENSSL_secure_zalloc, CRYPTO_secure_zalloc, OPENSSL_secure_free, CRYPTO_secure_free, OPENSSL_secure_clear_free, CRYPTO_secure_clear_free, OPENSSL_secure_actual_size, CRYPTO_secure_allocated, CRYPTO_secure_used \- secure heap storage
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/crypto.h>
\&
\& int CRYPTO_secure_malloc_init(size_t size, int minsize);
\&
\& int CRYPTO_secure_malloc_initialized();
\&
\& int CRYPTO_secure_malloc_done();
\&
\& void *OPENSSL_secure_malloc(size_t num);
\& void *CRYPTO_secure_malloc(size_t num, const char *file, int line);
\&
\& void *OPENSSL_secure_zalloc(size_t num);
\& void *CRYPTO_secure_zalloc(size_t num, const char *file, int line);
\&
\& void OPENSSL_secure_free(void* ptr);
\& void CRYPTO_secure_free(void *ptr, const char *, int);
\&
\& void OPENSSL_secure_clear_free(void* ptr, size_t num);
\& void CRYPTO_secure_clear_free(void *ptr, size_t num, const char *, int);
\&
\& size_t OPENSSL_secure_actual_size(const void *ptr);
\&
\& int CRYPTO_secure_allocated(const void *ptr);
\& size_t CRYPTO_secure_used();
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
In order to help protect applications (particularly long-running servers)
from pointer overruns or underruns that could return arbitrary data from
the program's dynamic memory area, where keys and other sensitive
information might be stored, OpenSSL supports the concept of a \*(L"secure heap.\*(R"
The level and type of security guarantees depend on the operating system.
It is a good idea to review the code and see if it addresses your
threat model and concerns.
.PP
If a secure heap is used, then private key \fB\s-1BIGNUM\s0\fR values are stored there.
This protects long-term storage of private keys, but will not necessarily
put all intermediate values and computations there.
.PP
\&\fBCRYPTO_secure_malloc_init()\fR creates the secure heap, with the specified
\&\f(CW\*(C`size\*(C'\fR in bytes. The \f(CW\*(C`minsize\*(C'\fR parameter is the minimum size to
allocate from the heap. Both \f(CW\*(C`size\*(C'\fR and \f(CW\*(C`minsize\*(C'\fR must be a power
of two.
.PP
\&\fBCRYPTO_secure_malloc_initialized()\fR indicates whether or not the secure
heap as been initialized and is available.
.PP
\&\fBCRYPTO_secure_malloc_done()\fR releases the heap and makes the memory unavailable
to the process if all secure memory has been freed.
It can take noticeably long to complete.
.PP
\&\fBOPENSSL_secure_malloc()\fR allocates \f(CW\*(C`num\*(C'\fR bytes from the heap.
If \fBCRYPTO_secure_malloc_init()\fR is not called, this is equivalent to
calling \fBOPENSSL_malloc()\fR.
It is a macro that expands to
\&\fBCRYPTO_secure_malloc()\fR and adds the \f(CW\*(C`_\|_FILE_\|_\*(C'\fR and \f(CW\*(C`_\|_LINE_\|_\*(C'\fR parameters.
.PP
\&\fBOPENSSL_secure_zalloc()\fR and \fBCRYPTO_secure_zalloc()\fR are like
\&\fBOPENSSL_secure_malloc()\fR and \fBCRYPTO_secure_malloc()\fR, respectively,
except that they call \fBmemset()\fR to zero the memory before returning.
.PP
\&\fBOPENSSL_secure_free()\fR releases the memory at \f(CW\*(C`ptr\*(C'\fR back to the heap.
It must be called with a value previously obtained from
\&\fBOPENSSL_secure_malloc()\fR.
If \fBCRYPTO_secure_malloc_init()\fR is not called, this is equivalent to
calling \fBOPENSSL_free()\fR.
It exists for consistency with \fBOPENSSL_secure_malloc()\fR , and
is a macro that expands to \fBCRYPTO_secure_free()\fR and adds the \f(CW\*(C`_\|_FILE_\|_\*(C'\fR
and \f(CW\*(C`_\|_LINE_\|_\*(C'\fR parameters..
.PP
\&\fBOPENSSL_secure_clear_free()\fR is similar to \fBOPENSSL_secure_free()\fR except
that it has an additional \f(CW\*(C`num\*(C'\fR parameter which is used to clear
the memory if it was not allocated from the secure heap.
If \fBCRYPTO_secure_malloc_init()\fR is not called, this is equivalent to
calling \fBOPENSSL_clear_free()\fR.
.PP
\&\fBOPENSSL_secure_actual_size()\fR tells the actual size allocated to the
pointer; implementations may allocate more space than initially
requested, in order to \*(L"round up\*(R" and reduce secure heap fragmentation.
.PP
\&\fBOPENSSL_secure_allocated()\fR tells if a pointer is allocated in the secure heap.
.PP
\&\fBCRYPTO_secure_used()\fR returns the number of bytes allocated in the
secure heap.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBCRYPTO_secure_malloc_init()\fR returns 0 on failure, 1 if successful,
and 2 if successful but the heap could not be protected by memory
mapping.
.PP
\&\fBCRYPTO_secure_malloc_initialized()\fR returns 1 if the secure heap is
available (that is, if \fBCRYPTO_secure_malloc_init()\fR has been called,
but \fBCRYPTO_secure_malloc_done()\fR has not been called or failed) or 0 if not.
.PP
\&\fBOPENSSL_secure_malloc()\fR and \fBOPENSSL_secure_zalloc()\fR return a pointer into
the secure heap of the requested size, or \f(CW\*(C`NULL\*(C'\fR if memory could not be
allocated.
.PP
\&\fBCRYPTO_secure_allocated()\fR returns 1 if the pointer is in the secure heap, or 0 if not.
.PP
\&\fBCRYPTO_secure_malloc_done()\fR returns 1 if the secure memory area is released, or 0 if not.
.PP
\&\fBOPENSSL_secure_free()\fR and \fBOPENSSL_secure_clear_free()\fR return no values.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBOPENSSL_malloc\fR\|(3),
\&\fBBN_new\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBOPENSSL_secure_clear_free()\fR function was added in OpenSSL 1.1.0g.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_STORE_INFO.3 b/secure/lib/libcrypto/man/man3/OSSL_STORE_INFO.3
index dfa5f5ffa428..c178c2f1f2ab 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_STORE_INFO.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_STORE_INFO.3
@@ -1,314 +1,314 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_STORE_INFO 3"
-.TH OSSL_STORE_INFO 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OSSL_STORE_INFO 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
OSSL_STORE_INFO, OSSL_STORE_INFO_get_type, OSSL_STORE_INFO_get0_NAME, OSSL_STORE_INFO_get0_NAME_description, OSSL_STORE_INFO_get0_PARAMS, OSSL_STORE_INFO_get0_PKEY, OSSL_STORE_INFO_get0_CERT, OSSL_STORE_INFO_get0_CRL, OSSL_STORE_INFO_get1_NAME, OSSL_STORE_INFO_get1_NAME_description, OSSL_STORE_INFO_get1_PARAMS, OSSL_STORE_INFO_get1_PKEY, OSSL_STORE_INFO_get1_CERT, OSSL_STORE_INFO_get1_CRL, OSSL_STORE_INFO_type_string, OSSL_STORE_INFO_free, OSSL_STORE_INFO_new_NAME, OSSL_STORE_INFO_set0_NAME_description, OSSL_STORE_INFO_new_PARAMS, OSSL_STORE_INFO_new_PKEY, OSSL_STORE_INFO_new_CERT, OSSL_STORE_INFO_new_CRL \- Functions to manipulate OSSL_STORE_INFO objects
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/store.h>
\&
\& typedef struct ossl_store_info_st OSSL_STORE_INFO;
\&
\& int OSSL_STORE_INFO_get_type(const OSSL_STORE_INFO *store_info);
\& const char *OSSL_STORE_INFO_get0_NAME(const OSSL_STORE_INFO *store_info);
\& char *OSSL_STORE_INFO_get1_NAME(const OSSL_STORE_INFO *store_info);
\& const char *OSSL_STORE_INFO_get0_NAME_description(const OSSL_STORE_INFO
\& *store_info);
\& char *OSSL_STORE_INFO_get1_NAME_description(const OSSL_STORE_INFO *store_info);
\& EVP_PKEY *OSSL_STORE_INFO_get0_PARAMS(const OSSL_STORE_INFO *store_info);
\& EVP_PKEY *OSSL_STORE_INFO_get1_PARAMS(const OSSL_STORE_INFO *store_info);
\& EVP_PKEY *OSSL_STORE_INFO_get0_PKEY(const OSSL_STORE_INFO *store_info);
\& EVP_PKEY *OSSL_STORE_INFO_get1_PKEY(const OSSL_STORE_INFO *store_info);
\& X509 *OSSL_STORE_INFO_get0_CERT(const OSSL_STORE_INFO *store_info);
\& X509 *OSSL_STORE_INFO_get1_CERT(const OSSL_STORE_INFO *store_info);
\& X509_CRL *OSSL_STORE_INFO_get0_CRL(const OSSL_STORE_INFO *store_info);
\& X509_CRL *OSSL_STORE_INFO_get1_CRL(const OSSL_STORE_INFO *store_info);
\&
\& const char *OSSL_STORE_INFO_type_string(int type);
\&
\& void OSSL_STORE_INFO_free(OSSL_STORE_INFO *store_info);
\&
\& OSSL_STORE_INFO *OSSL_STORE_INFO_new_NAME(char *name);
\& int OSSL_STORE_INFO_set0_NAME_description(OSSL_STORE_INFO *info, char *desc);
\& OSSL_STORE_INFO *OSSL_STORE_INFO_new_PARAMS(DSA *dsa_params);
\& OSSL_STORE_INFO *OSSL_STORE_INFO_new_PKEY(EVP_PKEY *pkey);
\& OSSL_STORE_INFO *OSSL_STORE_INFO_new_CERT(X509 *x509);
\& OSSL_STORE_INFO *OSSL_STORE_INFO_new_CRL(X509_CRL *crl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions are primarily useful for applications to retrieve
supported objects from \fB\s-1OSSL_STORE_INFO\s0\fR objects and for scheme specific
loaders to create \fB\s-1OSSL_STORE_INFO\s0\fR holders.
.SS "Types"
.IX Subsection "Types"
\&\fB\s-1OSSL_STORE_INFO\s0\fR is an opaque type that's just an intermediary holder for
the objects that have been retrieved by \fBOSSL_STORE_load()\fR and similar
functions.
Supported OpenSSL type object can be extracted using one of
\&\fBSTORE_INFO_get0_TYPE()\fR.
The life time of this extracted object is as long as the life time of
the \fB\s-1OSSL_STORE_INFO\s0\fR it was extracted from, so care should be taken not
to free the latter too early.
As an alternative, \fBSTORE_INFO_get1_TYPE()\fR extracts a duplicate (or the
same object with its reference count increased), which can be used
after the containing \fB\s-1OSSL_STORE_INFO\s0\fR has been freed.
The object returned by \fBSTORE_INFO_get1_TYPE()\fR must be freed separately
by the caller.
See \*(L"\s-1SUPPORTED OBJECTS\*(R"\s0 for more information on the types that are
supported.
.SS "Functions"
.IX Subsection "Functions"
\&\fBOSSL_STORE_INFO_get_type()\fR takes a \fB\s-1OSSL_STORE_INFO\s0\fR and returns the \s-1STORE\s0
type number for the object inside.
\&\fBSTORE_INFO_get_type_string()\fR takes a \s-1STORE\s0 type number and returns a
short string describing it.
.PP
\&\fBOSSL_STORE_INFO_get0_NAME()\fR, \fBOSSL_STORE_INFO_get0_NAME_description()\fR,
\&\fBOSSL_STORE_INFO_get0_PARAMS()\fR, \fBOSSL_STORE_INFO_get0_PKEY()\fR,
\&\fBOSSL_STORE_INFO_get0_CERT()\fR and \fBOSSL_STORE_INFO_get0_CRL()\fR all take a
\&\fB\s-1OSSL_STORE_INFO\s0\fR and return the held object of the appropriate OpenSSL
type provided that's what's held.
.PP
\&\fBOSSL_STORE_INFO_get1_NAME()\fR, \fBOSSL_STORE_INFO_get1_NAME_description()\fR,
\&\fBOSSL_STORE_INFO_get1_PARAMS()\fR, \fBOSSL_STORE_INFO_get1_PKEY()\fR,
\&\fBOSSL_STORE_INFO_get1_CERT()\fR and \fBOSSL_STORE_INFO_get1_CRL()\fR all take a
\&\fB\s-1OSSL_STORE_INFO\s0\fR and return a duplicate of the held object of the
appropriate OpenSSL type provided that's what's held.
.PP
\&\fBOSSL_STORE_INFO_free()\fR frees a \fB\s-1OSSL_STORE_INFO\s0\fR and its contained type.
.PP
\&\fBOSSL_STORE_INFO_new_NAME()\fR , \fBOSSL_STORE_INFO_new_PARAMS()\fR,
\&\fBOSSL_STORE_INFO_new_PKEY()\fR, \fBOSSL_STORE_INFO_new_CERT()\fR and
\&\fBOSSL_STORE_INFO_new_CRL()\fR create a \fB\s-1OSSL_STORE_INFO\s0\fR
object to hold the given input object.
Additionally, for \fB\s-1OSSL_STORE_INFO_NAME\s0\fR` objects,
\&\fBOSSL_STORE_INFO_set0_NAME_description()\fR can be used to add an extra
description.
This description is meant to be human readable and should be used for
information printout.
.SH "SUPPORTED OBJECTS"
.IX Header "SUPPORTED OBJECTS"
Currently supported object types are:
.IP "\s-1OSSL_STORE_INFO_NAME\s0" 4
.IX Item "OSSL_STORE_INFO_NAME"
A name is exactly that, a name.
It's like a name in a directory, but formatted as a complete \s-1URI.\s0
For example, the path in \s-1URI\s0 \f(CW\*(C`file:/foo/bar/\*(C'\fR could include a file
named \f(CW\*(C`cookie.pem\*(C'\fR, and in that case, the returned \fB\s-1OSSL_STORE_INFO_NAME\s0\fR
object would have the \s-1URI\s0 \f(CW\*(C`file:/foo/bar/cookie.pem\*(C'\fR, which can be
used by the application to get the objects in that file.
This can be applied to all schemes that can somehow support a listing
of object URIs.
.Sp
For \f(CW\*(C`file:\*(C'\fR URIs that are used without the explicit scheme, the
returned name will be the path of each object, so if \f(CW\*(C`/foo/bar\*(C'\fR was
given and that path has the file \f(CW\*(C`cookie.pem\*(C'\fR, the name
\&\f(CW\*(C`/foo/bar/cookie.pem\*(C'\fR will be returned.
.Sp
The returned \s-1URI\s0 is considered canonical and must be unique and permanent
for the storage where the object (or collection of objects) resides.
Each loader is responsible for ensuring that it only returns canonical
URIs.
However, it's possible that certain schemes allow an object (or collection
thereof) to be reached with alternative URIs; just because one \s-1URI\s0 is
canonical doesn't mean that other variants can't be used.
.Sp
At the discretion of the loader that was used to get these names, an
extra description may be attached as well.
.IP "\s-1OSSL_STORE_INFO_PARAMS\s0" 4
.IX Item "OSSL_STORE_INFO_PARAMS"
Key parameters.
.IP "\s-1OSSL_STORE_INFO_PKEY\s0" 4
.IX Item "OSSL_STORE_INFO_PKEY"
A private/public key of some sort.
.IP "\s-1OSSL_STORE_INFO_CERT\s0" 4
.IX Item "OSSL_STORE_INFO_CERT"
An X.509 certificate.
.IP "\s-1OSSL_STORE_INFO_CRL\s0" 4
.IX Item "OSSL_STORE_INFO_CRL"
A X.509 certificate revocation list.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_STORE_INFO_get_type()\fR returns the \s-1STORE\s0 type number of the given
\&\fB\s-1OSSL_STORE_INFO\s0\fR.
There is no error value.
.PP
\&\fBOSSL_STORE_INFO_get0_NAME()\fR, \fBOSSL_STORE_INFO_get0_NAME_description()\fR,
\&\fBOSSL_STORE_INFO_get0_PARAMS()\fR, \fBOSSL_STORE_INFO_get0_PKEY()\fR,
\&\fBOSSL_STORE_INFO_get0_CERT()\fR and \fBOSSL_STORE_INFO_get0_CRL()\fR all return
a pointer to the OpenSSL object on success, \s-1NULL\s0 otherwise.
.PP
\&\fBOSSL_STORE_INFO_get0_NAME()\fR, \fBOSSL_STORE_INFO_get0_NAME_description()\fR,
\&\fBOSSL_STORE_INFO_get0_PARAMS()\fR, \fBOSSL_STORE_INFO_get0_PKEY()\fR,
\&\fBOSSL_STORE_INFO_get0_CERT()\fR and \fBOSSL_STORE_INFO_get0_CRL()\fR all return
a pointer to a duplicate of the OpenSSL object on success, \s-1NULL\s0 otherwise.
.PP
\&\fBOSSL_STORE_INFO_type_string()\fR returns a string on success, or \fB\s-1NULL\s0\fR on
failure.
.PP
\&\fBOSSL_STORE_INFO_new_NAME()\fR, \fBOSSL_STORE_INFO_new_PARAMS()\fR,
\&\fBOSSL_STORE_INFO_new_PKEY()\fR, \fBOSSL_STORE_INFO_new_CERT()\fR and
\&\fBOSSL_STORE_INFO_new_CRL()\fR return a \fB\s-1OSSL_STORE_INFO\s0\fR
pointer on success, or \fB\s-1NULL\s0\fR on failure.
.PP
\&\fBOSSL_STORE_INFO_set0_NAME_description()\fR returns 1 on success, or 0 on
failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBossl_store\fR\|(7), \fBOSSL_STORE_open\fR\|(3), \fBOSSL_STORE_register_loader\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\s-1\fBOSSL_STORE_INFO\s0()\fR, \fBOSSL_STORE_INFO_get_type()\fR, \fBOSSL_STORE_INFO_get0_NAME()\fR,
\&\fBOSSL_STORE_INFO_get0_PARAMS()\fR, \fBOSSL_STORE_INFO_get0_PKEY()\fR,
\&\fBOSSL_STORE_INFO_get0_CERT()\fR, \fBOSSL_STORE_INFO_get0_CRL()\fR,
\&\fBOSSL_STORE_INFO_type_string()\fR, \fBOSSL_STORE_INFO_free()\fR, \fBOSSL_STORE_INFO_new_NAME()\fR,
\&\fBOSSL_STORE_INFO_new_PARAMS()\fR, \fBOSSL_STORE_INFO_new_PKEY()\fR,
\&\fBOSSL_STORE_INFO_new_CERT()\fR and \fBOSSL_STORE_INFO_new_CRL()\fR
were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_STORE_LOADER.3 b/secure/lib/libcrypto/man/man3/OSSL_STORE_LOADER.3
index 210c24e0292b..b4bb21b12877 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_STORE_LOADER.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_STORE_LOADER.3
@@ -1,362 +1,362 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_STORE_LOADER 3"
-.TH OSSL_STORE_LOADER 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OSSL_STORE_LOADER 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
OSSL_STORE_LOADER, OSSL_STORE_LOADER_CTX, OSSL_STORE_LOADER_new, OSSL_STORE_LOADER_get0_engine, OSSL_STORE_LOADER_get0_scheme, OSSL_STORE_LOADER_set_open, OSSL_STORE_LOADER_set_ctrl, OSSL_STORE_LOADER_set_expect, OSSL_STORE_LOADER_set_find, OSSL_STORE_LOADER_set_load, OSSL_STORE_LOADER_set_eof, OSSL_STORE_LOADER_set_error, OSSL_STORE_LOADER_set_close, OSSL_STORE_LOADER_free, OSSL_STORE_register_loader, OSSL_STORE_unregister_loader, OSSL_STORE_open_fn, OSSL_STORE_ctrl_fn, OSSL_STORE_expect_fn, OSSL_STORE_find_fn, OSSL_STORE_load_fn, OSSL_STORE_eof_fn, OSSL_STORE_error_fn, OSSL_STORE_close_fn \- Types and functions to manipulate, register and unregister STORE loaders for different URI schemes
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/store.h>
\&
\& typedef struct ossl_store_loader_st OSSL_STORE_LOADER;
\&
\& OSSL_STORE_LOADER *OSSL_STORE_LOADER_new(ENGINE *e, const char *scheme);
\& const ENGINE *OSSL_STORE_LOADER_get0_engine(const OSSL_STORE_LOADER
\& *store_loader);
\& const char *OSSL_STORE_LOADER_get0_scheme(const OSSL_STORE_LOADER
\& *store_loader);
\&
\& /* struct ossl_store_loader_ctx_st is defined differently by each loader */
\& typedef struct ossl_store_loader_ctx_st OSSL_STORE_LOADER_CTX;
\&
\& typedef OSSL_STORE_LOADER_CTX *(*OSSL_STORE_open_fn)(const char *uri,
\& const UI_METHOD *ui_method,
\& void *ui_data);
\& int OSSL_STORE_LOADER_set_open(OSSL_STORE_LOADER *store_loader,
\& OSSL_STORE_open_fn store_open_function);
\& typedef int (*OSSL_STORE_ctrl_fn)(OSSL_STORE_LOADER_CTX *ctx, int cmd,
\& va_list args);
\& int OSSL_STORE_LOADER_set_ctrl(OSSL_STORE_LOADER *store_loader,
\& OSSL_STORE_ctrl_fn store_ctrl_function);
\& typedef int (*OSSL_STORE_expect_fn)(OSSL_STORE_LOADER_CTX *ctx, int expected);
\& int OSSL_STORE_LOADER_set_expect(OSSL_STORE_LOADER *loader,
\& OSSL_STORE_expect_fn expect_function);
\& typedef int (*OSSL_STORE_find_fn)(OSSL_STORE_LOADER_CTX *ctx,
\& OSSL_STORE_SEARCH *criteria);
\& int OSSL_STORE_LOADER_set_find(OSSL_STORE_LOADER *loader,
\& OSSL_STORE_find_fn find_function);
\& typedef OSSL_STORE_INFO *(*OSSL_STORE_load_fn)(OSSL_STORE_LOADER_CTX *ctx,
\& UI_METHOD *ui_method,
\& void *ui_data);
\& int OSSL_STORE_LOADER_set_load(OSSL_STORE_LOADER *store_loader,
\& OSSL_STORE_load_fn store_load_function);
\& typedef int (*OSSL_STORE_eof_fn)(OSSL_STORE_LOADER_CTX *ctx);
\& int OSSL_STORE_LOADER_set_eof(OSSL_STORE_LOADER *store_loader,
\& OSSL_STORE_eof_fn store_eof_function);
\& typedef int (*OSSL_STORE_error_fn)(OSSL_STORE_LOADER_CTX *ctx);
\& int OSSL_STORE_LOADER_set_error(OSSL_STORE_LOADER *store_loader,
\& OSSL_STORE_error_fn store_error_function);
\& typedef int (*OSSL_STORE_close_fn)(OSSL_STORE_LOADER_CTX *ctx);
\& int OSSL_STORE_LOADER_set_close(OSSL_STORE_LOADER *store_loader,
\& OSSL_STORE_close_fn store_close_function);
\& void OSSL_STORE_LOADER_free(OSSL_STORE_LOADER *store_loader);
\&
\& int OSSL_STORE_register_loader(OSSL_STORE_LOADER *loader);
\& OSSL_STORE_LOADER *OSSL_STORE_unregister_loader(const char *scheme);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions help applications and engines to create loaders for
schemes they support.
.SS "Types"
.IX Subsection "Types"
\&\fB\s-1OSSL_STORE_LOADER\s0\fR is the type to hold a loader.
It contains a scheme and the functions needed to implement
\&\fBOSSL_STORE_open()\fR, \fBOSSL_STORE_load()\fR, \fBOSSL_STORE_eof()\fR, \fBOSSL_STORE_error()\fR and
\&\fBOSSL_STORE_close()\fR for this scheme.
.PP
\&\fB\s-1OSSL_STORE_LOADER_CTX\s0\fR is a type template, to be defined by each loader
using \fBstruct ossl_store_loader_ctx_st { ... }\fR.
.PP
\&\fBOSSL_STORE_open_fn\fR, \fBOSSL_STORE_ctrl_fn\fR, \fBOSSL_STORE_expect_fn\fR,
\&\fBOSSL_STORE_find_fn\fR, \fBOSSL_STORE_load_fn\fR, \fBOSSL_STORE_eof_fn\fR,
and \fBOSSL_STORE_close_fn\fR
are the function pointer types used within a \s-1STORE\s0 loader.
The functions pointed at define the functionality of the given loader.
.IP "\fBOSSL_STORE_open_fn\fR" 4
.IX Item "OSSL_STORE_open_fn"
This function takes a \s-1URI\s0 and is expected to interpret it in the best
manner possible according to the scheme the loader implements, it also
takes a \fB\s-1UI_METHOD\s0\fR and associated data, to be used any time
something needs to be prompted for.
Furthermore, this function is expected to initialize what needs to be
initialized, to create a private data store (\fB\s-1OSSL_STORE_LOADER_CTX\s0\fR, see
above), and to return it.
If something goes wrong, this function is expected to return \s-1NULL.\s0
.IP "\fBOSSL_STORE_ctrl_fn\fR" 4
.IX Item "OSSL_STORE_ctrl_fn"
This function takes a \fB\s-1OSSL_STORE_LOADER_CTX\s0\fR pointer, a command number
\&\fBcmd\fR and a \fBva_list\fR \fBargs\fR and is used to manipulate loader
specific parameters.
.Sp
Loader specific command numbers must begin at \fB\s-1OSSL_STORE_C_CUSTOM_START\s0\fR.
Any number below that is reserved for future globally known command
numbers.
.Sp
This function is expected to return 1 on success, 0 on error.
.IP "\fBOSSL_STORE_expect_fn\fR" 4
.IX Item "OSSL_STORE_expect_fn"
This function takes a \fB\s-1OSSL_STORE_LOADER_CTX\s0\fR pointer and a \fB\s-1OSSL_STORE_INFO\s0\fR
identity \fBexpected\fR, and is used to tell the loader what object type is
expected.
\&\fBexpected\fR may be zero to signify that no specific object type is expected.
.Sp
This function is expected to return 1 on success, 0 on error.
.IP "\fBOSSL_STORE_find_fn\fR" 4
.IX Item "OSSL_STORE_find_fn"
This function takes a \fB\s-1OSSL_STORE_LOADER_CTX\s0\fR pointer and a
\&\fB\s-1OSSL_STORE_SEARCH\s0\fR search criterion, and is used to tell the loader what
to search for.
.Sp
When called with the loader context being \fB\s-1NULL\s0\fR, this function is expected
to return 1 if the loader supports the criterion, otherwise 0.
.Sp
When called with the loader context being something other than \fB\s-1NULL\s0\fR, this
function is expected to return 1 on success, 0 on error.
.IP "\fBOSSL_STORE_load_fn\fR" 4
.IX Item "OSSL_STORE_load_fn"
This function takes a \fB\s-1OSSL_STORE_LOADER_CTX\s0\fR pointer and a \fB\s-1UI_METHOD\s0\fR
with associated data.
It's expected to load the next available data, mold it into a data
structure that can be wrapped in a \fB\s-1OSSL_STORE_INFO\s0\fR using one of the
\&\s-1\fBOSSL_STORE_INFO\s0\fR\|(3) functions.
If no more data is available or an error occurs, this function is
expected to return \s-1NULL.\s0
The \fBOSSL_STORE_eof_fn\fR and \fBOSSL_STORE_error_fn\fR functions must indicate if
it was in fact the end of data or if an error occurred.
.Sp
Note that this function retrieves \fIone\fR data item only.
.IP "\fBOSSL_STORE_eof_fn\fR" 4
.IX Item "OSSL_STORE_eof_fn"
This function takes a \fB\s-1OSSL_STORE_LOADER_CTX\s0\fR pointer and is expected to
return 1 to indicate that the end of available data has been reached.
It is otherwise expected to return 0.
.IP "\fBOSSL_STORE_error_fn\fR" 4
.IX Item "OSSL_STORE_error_fn"
This function takes a \fB\s-1OSSL_STORE_LOADER_CTX\s0\fR pointer and is expected to
return 1 to indicate that an error occurred in a previous call to the
\&\fBOSSL_STORE_load_fn\fR function.
It is otherwise expected to return 0.
.IP "\fBOSSL_STORE_close_fn\fR" 4
.IX Item "OSSL_STORE_close_fn"
This function takes a \fB\s-1OSSL_STORE_LOADER_CTX\s0\fR pointer and is expected to
close or shut down what needs to be closed, and finally free the
contents of the \fB\s-1OSSL_STORE_LOADER_CTX\s0\fR pointer.
It returns 1 on success and 0 on error.
.SS "Functions"
.IX Subsection "Functions"
\&\fBOSSL_STORE_LOADER_new()\fR creates a new \fB\s-1OSSL_STORE_LOADER\s0\fR.
It takes an \fB\s-1ENGINE\s0\fR \fBe\fR and a string \fBscheme\fR.
\&\fBscheme\fR must \fIalways\fR be set.
Both \fBe\fR and \fBscheme\fR are used as is and must therefore be alive as
long as the created loader is.
.PP
\&\fBOSSL_STORE_LOADER_get0_engine()\fR returns the engine of the \fBstore_loader\fR.
\&\fBOSSL_STORE_LOADER_get0_scheme()\fR returns the scheme of the \fBstore_loader\fR.
.PP
\&\fBOSSL_STORE_LOADER_set_open()\fR sets the opener function for the
\&\fBstore_loader\fR.
.PP
\&\fBOSSL_STORE_LOADER_set_ctrl()\fR sets the control function for the
\&\fBstore_loader\fR.
.PP
\&\fBOSSL_STORE_LOADER_set_expect()\fR sets the expect function for the
\&\fBstore_loader\fR.
.PP
\&\fBOSSL_STORE_LOADER_set_load()\fR sets the loader function for the
\&\fBstore_loader\fR.
.PP
\&\fBOSSL_STORE_LOADER_set_eof()\fR sets the end of file checker function for the
\&\fBstore_loader\fR.
.PP
\&\fBOSSL_STORE_LOADER_set_close()\fR sets the closing function for the
\&\fBstore_loader\fR.
.PP
\&\fBOSSL_STORE_LOADER_free()\fR frees the given \fBstore_loader\fR.
.PP
\&\fBOSSL_STORE_register_loader()\fR register the given \fBstore_loader\fR and thereby
makes it available for use with \fBOSSL_STORE_open()\fR, \fBOSSL_STORE_load()\fR,
\&\fBOSSL_STORE_eof()\fR and \fBOSSL_STORE_close()\fR.
.PP
\&\fBOSSL_STORE_unregister_loader()\fR unregister the store loader for the given
\&\fBscheme\fR.
.SH "NOTES"
.IX Header "NOTES"
The \fBfile:\fR scheme has built in support.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The functions with the types \fBOSSL_STORE_open_fn\fR, \fBOSSL_STORE_ctrl_fn\fR,
\&\fBOSSL_STORE_expect_fn\fR,
\&\fBOSSL_STORE_load_fn\fR, \fBOSSL_STORE_eof_fn\fR and \fBOSSL_STORE_close_fn\fR have the
same return values as \fBOSSL_STORE_open()\fR, \fBOSSL_STORE_ctrl()\fR, \fBOSSL_STORE_expect()\fR,
\&\fBOSSL_STORE_load()\fR, \fBOSSL_STORE_eof()\fR and \fBOSSL_STORE_close()\fR, respectively.
.PP
\&\fBOSSL_STORE_LOADER_new()\fR returns a pointer to a \fB\s-1OSSL_STORE_LOADER\s0\fR on success,
or \fB\s-1NULL\s0\fR on failure.
.PP
\&\fBOSSL_STORE_LOADER_set_open()\fR, \fBOSSL_STORE_LOADER_set_ctrl()\fR,
\&\fBOSSL_STORE_LOADER_set_load()\fR, \fBOSSL_STORE_LOADER_set_eof()\fR and
\&\fBOSSL_STORE_LOADER_set_close()\fR return 1 on success, or 0 on failure.
.PP
\&\fBOSSL_STORE_register_loader()\fR returns 1 on success, or 0 on failure.
.PP
\&\fBOSSL_STORE_unregister_loader()\fR returns the unregistered loader on success,
or \fB\s-1NULL\s0\fR on failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBossl_store\fR\|(7), \fBOSSL_STORE_open\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\s-1\fBOSSL_STORE_LOADER\s0()\fR, \s-1\fBOSSL_STORE_LOADER_CTX\s0()\fR, \fBOSSL_STORE_LOADER_new()\fR,
\&\fBOSSL_STORE_LOADER_set0_scheme()\fR, \fBOSSL_STORE_LOADER_set_open()\fR,
\&\fBOSSL_STORE_LOADER_set_ctrl()\fR, \fBOSSL_STORE_LOADER_set_load()\fR,
\&\fBOSSL_STORE_LOADER_set_eof()\fR, \fBOSSL_STORE_LOADER_set_close()\fR,
\&\fBOSSL_STORE_LOADER_free()\fR, \fBOSSL_STORE_register_loader()\fR,
\&\fBOSSL_STORE_unregister_loader()\fR, \fBOSSL_STORE_open_fn()\fR, \fBOSSL_STORE_ctrl_fn()\fR,
\&\fBOSSL_STORE_load_fn()\fR, \fBOSSL_STORE_eof_fn()\fR and \fBOSSL_STORE_close_fn()\fR
were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_STORE_SEARCH.3 b/secure/lib/libcrypto/man/man3/OSSL_STORE_SEARCH.3
index e5dd6db4090a..11b521a3a056 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_STORE_SEARCH.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_STORE_SEARCH.3
@@ -1,300 +1,300 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_STORE_SEARCH 3"
-.TH OSSL_STORE_SEARCH 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OSSL_STORE_SEARCH 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
OSSL_STORE_SEARCH, OSSL_STORE_SEARCH_by_name, OSSL_STORE_SEARCH_by_issuer_serial, OSSL_STORE_SEARCH_by_key_fingerprint, OSSL_STORE_SEARCH_by_alias, OSSL_STORE_SEARCH_free, OSSL_STORE_SEARCH_get_type, OSSL_STORE_SEARCH_get0_name, OSSL_STORE_SEARCH_get0_serial, OSSL_STORE_SEARCH_get0_bytes, OSSL_STORE_SEARCH_get0_string, OSSL_STORE_SEARCH_get0_digest \&\- Type and functions to create OSSL_STORE search criteria
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/store.h>
\&
\& typedef struct ossl_store_search_st OSSL_STORE_SEARCH;
\&
\& OSSL_STORE_SEARCH *OSSL_STORE_SEARCH_by_name(X509_NAME *name);
\& OSSL_STORE_SEARCH *OSSL_STORE_SEARCH_by_issuer_serial(X509_NAME *name,
\& const ASN1_INTEGER
\& *serial);
\& OSSL_STORE_SEARCH *OSSL_STORE_SEARCH_by_key_fingerprint(const EVP_MD *digest,
\& const unsigned char
\& *bytes, int len);
\& OSSL_STORE_SEARCH *OSSL_STORE_SEARCH_by_alias(const char *alias);
\&
\& void OSSL_STORE_SEARCH_free(OSSL_STORE_SEARCH *search);
\&
\& int OSSL_STORE_SEARCH_get_type(const OSSL_STORE_SEARCH *criterion);
\& X509_NAME *OSSL_STORE_SEARCH_get0_name(OSSL_STORE_SEARCH *criterion);
\& const ASN1_INTEGER *OSSL_STORE_SEARCH_get0_serial(const OSSL_STORE_SEARCH
\& *criterion);
\& const unsigned char *OSSL_STORE_SEARCH_get0_bytes(const OSSL_STORE_SEARCH
\& *criterion, size_t *length);
\& const char *OSSL_STORE_SEARCH_get0_string(const OSSL_STORE_SEARCH *criterion);
\& const EVP_MD *OSSL_STORE_SEARCH_get0_digest(const OSSL_STORE_SEARCH
\& *criterion);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions are used to specify search criteria to help search for specific
objects through other names than just the \s-1URI\s0 that's given to \fBOSSL_STORE_open()\fR.
For example, this can be useful for an application that has received a \s-1URI\s0
and then wants to add on search criteria in a uniform and supported manner.
.SS "Types"
.IX Subsection "Types"
\&\fB\s-1OSSL_STORE_SEARCH\s0\fR is an opaque type that holds the constructed search
criterion, and that can be given to an \s-1OSSL_STORE\s0 context with
\&\fBOSSL_STORE_find()\fR.
.PP
The calling application owns the allocation of an \fB\s-1OSSL_STORE_SEARCH\s0\fR at all
times, and should therefore be careful not to deallocate it before
\&\fBOSSL_STORE_close()\fR has been called for the \s-1OSSL_STORE\s0 context it was given
to.
.SS "Application Functions"
.IX Subsection "Application Functions"
\&\fBOSSL_STORE_SEARCH_by_name()\fR,
\&\fBOSSL_STORE_SEARCH_by_issuer_serial()\fR,
\&\fBOSSL_STORE_SEARCH_by_key_fingerprint()\fR,
and \fBOSSL_STORE_SEARCH_by_alias()\fR
are used to create an \fB\s-1OSSL_STORE_SEARCH\s0\fR from a subject name, an issuer name
and serial number pair, a key fingerprint, and an alias (for example a friendly
name).
The parameters that are provided are not copied, only referred to in a
criterion, so they must have at least the same life time as the created
\&\fB\s-1OSSL_STORE_SEARCH\s0\fR.
.PP
\&\fBOSSL_STORE_SEARCH_free()\fR is used to free the \fB\s-1OSSL_STORE_SEARCH\s0\fR.
.SS "Loader Functions"
.IX Subsection "Loader Functions"
\&\fBOSSL_STORE_SEARCH_get_type()\fR returns the criterion type for the given
\&\fB\s-1OSSL_STORE_SEARCH\s0\fR.
.PP
\&\fBOSSL_STORE_SEARCH_get0_name()\fR, \fBOSSL_STORE_SEARCH_get0_serial()\fR,
\&\fBOSSL_STORE_SEARCH_get0_bytes()\fR, \fBOSSL_STORE_SEARCH_get0_string()\fR,
and \fBOSSL_STORE_SEARCH_get0_digest()\fR
are used to retrieve different data from a \fB\s-1OSSL_STORE_SEARCH\s0\fR, as
available for each type.
For more information, see \*(L"\s-1SUPPORTED CRITERION TYPES\*(R"\s0 below.
.SH "SUPPORTED CRITERION TYPES"
.IX Header "SUPPORTED CRITERION TYPES"
Currently supported criterion types are:
.IP "\s-1OSSL_STORE_SEARCH_BY_NAME\s0" 4
.IX Item "OSSL_STORE_SEARCH_BY_NAME"
This criterion supports a search by exact match of subject name.
The subject name itself is a \fBX509_NAME\fR pointer.
A criterion of this type is created with \fBOSSL_STORE_SEARCH_by_name()\fR,
and the actual subject name is retrieved with \fBOSSL_STORE_SEARCH_get0_name()\fR.
.IP "\s-1OSSL_STORE_SEARCH_BY_ISSUER_SERIAL\s0" 4
.IX Item "OSSL_STORE_SEARCH_BY_ISSUER_SERIAL"
This criterion supports a search by exact match of both issuer name and serial
number.
The issuer name itself is a \fBX509_NAME\fR pointer, and the serial number is
a \fB\s-1ASN1_INTEGER\s0\fR pointer.
A criterion of this type is created with \fBOSSL_STORE_SEARCH_by_issuer_serial()\fR
and the actual issuer name and serial number are retrieved with
\&\fBOSSL_STORE_SEARCH_get0_name()\fR and \fBOSSL_STORE_SEARCH_get0_serial()\fR.
.IP "\s-1OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT\s0" 4
.IX Item "OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT"
This criterion supports a search by exact match of key fingerprint.
The key fingerprint in itself is a string of bytes and its length, as
well as the algorithm that was used to compute the fingerprint.
The digest may be left unspecified (\s-1NULL\s0), and in that case, the
loader has to decide on a default digest and compare fingerprints
accordingly.
A criterion of this type is created with \fBOSSL_STORE_SEARCH_by_key_fingerprint()\fR
and the actual fingerprint and its length can be retrieved with
\&\fBOSSL_STORE_SEARCH_get0_bytes()\fR.
The digest can be retrieved with \fBOSSL_STORE_SEARCH_get0_digest()\fR.
.IP "\s-1OSSL_STORE_SEARCH_BY_ALIAS\s0" 4
.IX Item "OSSL_STORE_SEARCH_BY_ALIAS"
This criterion supports a search by match of an alias of some kind.
The alias in itself is a simple C string.
A criterion of this type is created with \fBOSSL_STORE_SEARCH_by_alias()\fR
and the actual alias is retrieved with \fBOSSL_STORE_SEARCH_get0_string()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_STORE_SEARCH_by_name()\fR,
\&\fBOSSL_STORE_SEARCH_by_issuer_serial()\fR,
\&\fBOSSL_STORE_SEARCH_by_key_fingerprint()\fR,
and \fBOSSL_STORE_SEARCH_by_alias()\fR
return a \fB\s-1OSSL_STORE_SEARCH\s0\fR pointer on success, or \fB\s-1NULL\s0\fR on failure.
.PP
\&\fBOSSL_STORE_SEARCH_get_type()\fR returns the criterion type of the given
\&\fB\s-1OSSL_STORE_SEARCH\s0\fR.
There is no error value.
.PP
\&\fBOSSL_STORE_SEARCH_get0_name()\fR returns a \fBX509_NAME\fR pointer on success,
or \fB\s-1NULL\s0\fR when the given \fB\s-1OSSL_STORE_SEARCH\s0\fR was of a different type.
.PP
\&\fBOSSL_STORE_SEARCH_get0_serial()\fR returns a \fB\s-1ASN1_INTEGER\s0\fR pointer on success,
or \fB\s-1NULL\s0\fR when the given \fB\s-1OSSL_STORE_SEARCH\s0\fR was of a different type.
.PP
\&\fBOSSL_STORE_SEARCH_get0_bytes()\fR returns a \fBconst unsigned char\fR pointer and
sets \fB*length\fR to the strings length on success, or \fB\s-1NULL\s0\fR when the given
\&\fB\s-1OSSL_STORE_SEARCH\s0\fR was of a different type.
.PP
\&\fBOSSL_STORE_SEARCH_get0_string()\fR returns a \fBconst char\fR pointer on success,
or \fB\s-1NULL\s0\fR when the given \fB\s-1OSSL_STORE_SEARCH\s0\fR was of a different type.
.PP
\&\fBOSSL_STORE_SEARCH_get0_digest()\fR returns a \fBconst \s-1EVP_MD\s0\fR pointer.
\&\fB\s-1NULL\s0\fR is a valid value and means that the store loader default will
be used when applicable.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBossl_store\fR\|(7), \fBOSSL_STORE_supports_search\fR\|(3), \fBOSSL_STORE_find\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fB\s-1OSSL_STORE_SEARCH\s0\fR,
\&\fBOSSL_STORE_SEARCH_by_name()\fR,
\&\fBOSSL_STORE_SEARCH_by_issuer_serial()\fR,
\&\fBOSSL_STORE_SEARCH_by_key_fingerprint()\fR,
\&\fBOSSL_STORE_SEARCH_by_alias()\fR,
\&\fBOSSL_STORE_SEARCH_free()\fR,
\&\fBOSSL_STORE_SEARCH_get_type()\fR,
\&\fBOSSL_STORE_SEARCH_get0_name()\fR,
\&\fBOSSL_STORE_SEARCH_get0_serial()\fR,
\&\fBOSSL_STORE_SEARCH_get0_bytes()\fR,
and \fBOSSL_STORE_SEARCH_get0_string()\fR
were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_STORE_expect.3 b/secure/lib/libcrypto/man/man3/OSSL_STORE_expect.3
index 4b6936ccf9af..c1c2bf80ed7d 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_STORE_expect.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_STORE_expect.3
@@ -1,206 +1,206 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_STORE_EXPECT 3"
-.TH OSSL_STORE_EXPECT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OSSL_STORE_EXPECT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
OSSL_STORE_expect, OSSL_STORE_supports_search, OSSL_STORE_find \&\- Specify what object type is expected
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/store.h>
\&
\& int OSSL_STORE_expect(OSSL_STORE_CTX *ctx, int expected_type);
\&
\& int OSSL_STORE_supports_search(OSSL_STORE_CTX *ctx, int criterion_type);
\&
\& int OSSL_STORE_find(OSSL_STORE_CTX *ctx, OSSL_STORE_SEARCH *search);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBOSSL_STORE_expect()\fR helps applications filter what \fBOSSL_STORE_load()\fR returns
by specifying a \fB\s-1OSSL_STORE_INFO\s0\fR type.
For example, if \f(CW\*(C`file:/foo/bar/store.pem\*(C'\fR contains several different objects
and only the certificates are interesting, the application can simply say
that it expects the type \fB\s-1OSSL_STORE_INFO_CERT\s0\fR.
All known object types (see \*(L"\s-1SUPPORTED OBJECTS\*(R"\s0 in \s-1\fBOSSL_STORE_INFO\s0\fR\|(3))
except for \fB\s-1OSSL_STORE_INFO_NAME\s0\fR are supported.
.PP
\&\fBOSSL_STORE_find()\fR helps applications specify a criterion for a more fine
grained search of objects.
.PP
\&\fBOSSL_STORE_supports_search()\fR checks if the loader of the given \s-1OSSL_STORE\s0
context supports the given search type.
See \*(L"\s-1SUPPORTED CRITERION TYPES\*(R"\s0 in \s-1OSSL_STORE_SEARCH\s0 for information on the
supported search criterion types.
.PP
\&\fBOSSL_STORE_expect()\fR and OSSL_STORE_find \fImust\fR be called before the first
\&\fBOSSL_STORE_load()\fR of a given session, or they will fail.
.SH "NOTES"
.IX Header "NOTES"
If a more elaborate filter is required by the application, a better choice
would be to use a post-processing function.
See \fBOSSL_STORE_open\fR\|(3) for more information.
.PP
However, some loaders may take advantage of the knowledge of an expected type
to make object retrieval more efficient, so if a single type is expected, this
method is usually preferable.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_STORE_expect()\fR returns 1 on success, or 0 on failure.
.PP
\&\fBOSSL_STORE_supports_search()\fR returns 1 if the criterion is supported, or 0
otherwise.
.PP
\&\fBOSSL_STORE_find()\fR returns 1 on success, or 0 on failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBossl_store\fR\|(7), \s-1\fBOSSL_STORE_INFO\s0\fR\|(3), \s-1\fBOSSL_STORE_SEARCH\s0\fR\|(3),
\&\fBOSSL_STORE_load\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBOSSL_STORE_expect()\fR, \fBOSSL_STORE_supports_search()\fR and \fBOSSL_STORE_find()\fR
were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2018\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OSSL_STORE_open.3 b/secure/lib/libcrypto/man/man3/OSSL_STORE_open.3
index f78a816d5cfd..ec2191823f1d 100644
--- a/secure/lib/libcrypto/man/man3/OSSL_STORE_open.3
+++ b/secure/lib/libcrypto/man/man3/OSSL_STORE_open.3
@@ -1,286 +1,286 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_STORE_OPEN 3"
-.TH OSSL_STORE_OPEN 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OSSL_STORE_OPEN 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
OSSL_STORE_CTX, OSSL_STORE_post_process_info_fn, OSSL_STORE_open, OSSL_STORE_ctrl, OSSL_STORE_load, OSSL_STORE_eof, OSSL_STORE_error, OSSL_STORE_close \- Types and functions to read objects from a URI
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/store.h>
\&
\& typedef struct ossl_store_ctx_st OSSL_STORE_CTX;
\&
\& typedef OSSL_STORE_INFO *(*OSSL_STORE_post_process_info_fn)(OSSL_STORE_INFO *,
\& void *);
\&
\& OSSL_STORE_CTX *OSSL_STORE_open(const char *uri, const UI_METHOD *ui_method,
\& void *ui_data,
\& OSSL_STORE_post_process_info_fn post_process,
\& void *post_process_data);
\& int OSSL_STORE_ctrl(OSSL_STORE_CTX *ctx, int cmd, ... /* args */);
\& OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx);
\& int OSSL_STORE_eof(OSSL_STORE_CTX *ctx);
\& int OSSL_STORE_error(OSSL_STORE_CTX *ctx);
\& int OSSL_STORE_close(OSSL_STORE_CTX *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions help the application to fetch supported objects (see
\&\*(L"\s-1SUPPORTED OBJECTS\*(R"\s0 in \s-1\fBOSSL_STORE_INFO\s0\fR\|(3) for information on which those are)
from a given \s-1URI\s0 (see \*(L"\s-1SUPPORTED SCHEMES\*(R"\s0 for more information on
the supported \s-1URI\s0 schemes).
The general method to do so is to \*(L"open\*(R" the \s-1URI\s0 using \fBOSSL_STORE_open()\fR,
read each available and supported object using \fBOSSL_STORE_load()\fR as long as
\&\fBOSSL_STORE_eof()\fR hasn't been reached, and finish it off with \fBOSSL_STORE_close()\fR.
.PP
The retrieved information is stored in a \fB\s-1OSSL_STORE_INFO\s0\fR, which is further
described in \s-1\fBOSSL_STORE_INFO\s0\fR\|(3).
.SS "Types"
.IX Subsection "Types"
\&\fB\s-1OSSL_STORE_CTX\s0\fR is a context variable that holds all the internal
information for \fBOSSL_STORE_open()\fR, \fBOSSL_STORE_load()\fR, \fBOSSL_STORE_eof()\fR and
\&\fBOSSL_STORE_close()\fR to work together.
.SS "Functions"
.IX Subsection "Functions"
\&\fBOSSL_STORE_open()\fR takes a uri or path \fIuri\fR, password \s-1UI\s0 method
\&\fIui_method\fR with associated data \fIui_data\fR, and post processing
callback \fIpost_process\fR with associated data \fIpost_process_data\fR,
opens a channel to the data located at that \s-1URI\s0 and returns a
\&\fB\s-1OSSL_STORE_CTX\s0\fR with all necessary internal information.
The given \fIui_method\fR and \fIui_data\fR will be reused by all
functions that use \fB\s-1OSSL_STORE_CTX\s0\fR when interaction is needed,
for instance to provide a password.
The given \fIpost_process\fR and \fIpost_process_data\fR will be reused by
\&\fBOSSL_STORE_load()\fR to manipulate or drop the value to be returned.
The \fIpost_process\fR function drops values by returning \s-1NULL,\s0 which
will cause \fBOSSL_STORE_load()\fR to start its process over with loading
the next object, until \fIpost_process\fR returns something other than
\&\s-1NULL,\s0 or the end of data is reached as indicated by \fBOSSL_STORE_eof()\fR.
.PP
\&\fBOSSL_STORE_ctrl()\fR takes a \fB\s-1OSSL_STORE_CTX\s0\fR, and command number \fIcmd\fR and
more arguments not specified here.
The available loader specific command numbers and arguments they each
take depends on the loader that's used and is documented together with
that loader.
.PP
There are also global controls available:
.IP "\fB\s-1OSSL_STORE_C_USE_SECMEM\s0\fR" 4
.IX Item "OSSL_STORE_C_USE_SECMEM"
Controls if the loader should attempt to use secure memory for any
allocated \fB\s-1OSSL_STORE_INFO\s0\fR and its contents.
This control expects one argument, a pointer to an \fBint\fR that is expected to
have the value 1 (yes) or 0 (no).
Any other value is an error.
.PP
\&\fBOSSL_STORE_load()\fR takes a \fB\s-1OSSL_STORE_CTX\s0\fR, tries to load the next available
object and return it wrapped with \fB\s-1OSSL_STORE_INFO\s0\fR.
.PP
\&\fBOSSL_STORE_eof()\fR takes a \fB\s-1OSSL_STORE_CTX\s0\fR and checks if we've reached the end
of data.
.PP
\&\fBOSSL_STORE_error()\fR takes a \fB\s-1OSSL_STORE_CTX\s0\fR and checks if an error occurred in
the last \fBOSSL_STORE_load()\fR call.
Note that it may still be meaningful to try and load more objects, unless
\&\fBOSSL_STORE_eof()\fR shows that the end of data has been reached.
.PP
\&\fBOSSL_STORE_close()\fR takes a \fB\s-1OSSL_STORE_CTX\s0\fR, closes the channel that was opened
by \fBOSSL_STORE_open()\fR and frees all other information that was stored in the
\&\fB\s-1OSSL_STORE_CTX\s0\fR, as well as the \fB\s-1OSSL_STORE_CTX\s0\fR itself.
If \fIctx\fR is \s-1NULL\s0 it does nothing.
.SH "SUPPORTED SCHEMES"
.IX Header "SUPPORTED SCHEMES"
The basic supported scheme is \fBfile:\fR.
Any other scheme can be added dynamically, using
\&\fBOSSL_STORE_register_loader()\fR.
.SH "NOTES"
.IX Header "NOTES"
A string without a scheme prefix (that is, a non-URI string) is
implicitly interpreted as using the \fIfile:\fR scheme.
.PP
There are some tools that can be used together with
\&\fBOSSL_STORE_open()\fR to determine if any failure is caused by an unparsable
\&\s-1URI,\s0 or if it's a different error (such as memory allocation
failures); if the \s-1URI\s0 was parsable but the scheme unregistered, the
top error will have the reason \f(CW\*(C`OSSL_STORE_R_UNREGISTERED_SCHEME\*(C'\fR.
.PP
These functions make no direct assumption regarding the pass phrase received
from the password callback.
The loaders may make assumptions, however.
For example, the \fBfile:\fR scheme loader inherits the assumptions made by
OpenSSL functionality that handles the different file types; this is mostly
relevant for PKCS#12 objects.
See \fBpassphrase\-encoding\fR\|(7) for further information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBOSSL_STORE_open()\fR returns a pointer to a \fB\s-1OSSL_STORE_CTX\s0\fR on success, or
\&\s-1NULL\s0 on failure.
.PP
\&\fBOSSL_STORE_load()\fR returns a pointer to a \fB\s-1OSSL_STORE_INFO\s0\fR on success, or
\&\s-1NULL\s0 on error or when end of data is reached.
Use \fBOSSL_STORE_error()\fR and \fBOSSL_STORE_eof()\fR to determine the meaning of a
returned \s-1NULL.\s0
.PP
\&\fBOSSL_STORE_eof()\fR returns 1 if the end of data has been reached, otherwise
0.
.PP
\&\fBOSSL_STORE_error()\fR returns 1 if an error occurred in an \fBOSSL_STORE_load()\fR call,
otherwise 0.
.PP
\&\fBOSSL_STORE_ctrl()\fR and \fBOSSL_STORE_close()\fR returns 1 on success, or 0 on failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBossl_store\fR\|(7), \s-1\fBOSSL_STORE_INFO\s0\fR\|(3), \fBOSSL_STORE_register_loader\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
\&\s-1\fBOSSL_STORE_CTX\s0()\fR, \fBOSSL_STORE_post_process_info_fn()\fR, \fBOSSL_STORE_open()\fR,
\&\fBOSSL_STORE_ctrl()\fR, \fBOSSL_STORE_load()\fR, \fBOSSL_STORE_eof()\fR and \fBOSSL_STORE_close()\fR
were added in OpenSSL 1.1.1.
.PP
Handling of \s-1NULL\s0 \fIctx\fR argument for \fBOSSL_STORE_close()\fR
was introduced in OpenSSL 1.1.1h.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/OpenSSL_add_all_algorithms.3 b/secure/lib/libcrypto/man/man3/OpenSSL_add_all_algorithms.3
index 436872f3e01e..9e4afb11d0b1 100644
--- a/secure/lib/libcrypto/man/man3/OpenSSL_add_all_algorithms.3
+++ b/secure/lib/libcrypto/man/man3/OpenSSL_add_all_algorithms.3
@@ -1,195 +1,195 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL_ADD_ALL_ALGORITHMS 3"
-.TH OPENSSL_ADD_ALL_ALGORITHMS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OPENSSL_ADD_ALL_ALGORITHMS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
OpenSSL_add_all_algorithms, OpenSSL_add_all_ciphers, OpenSSL_add_all_digests, EVP_cleanup \- add algorithms to internal table
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
.Ve
.PP
Deprecated:
.PP
.Vb 4
\& # if OPENSSL_API_COMPAT < 0x10100000L
\& void OpenSSL_add_all_algorithms(void);
\& void OpenSSL_add_all_ciphers(void);
\& void OpenSSL_add_all_digests(void);
\&
\& void EVP_cleanup(void)
\&# endif
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
OpenSSL keeps an internal table of digest algorithms and ciphers. It uses
this table to lookup ciphers via functions such as \fBEVP_get_cipher_byname()\fR.
.PP
\&\fBOpenSSL_add_all_digests()\fR adds all digest algorithms to the table.
.PP
\&\fBOpenSSL_add_all_algorithms()\fR adds all algorithms to the table (digests and
ciphers).
.PP
\&\fBOpenSSL_add_all_ciphers()\fR adds all encryption algorithms to the table including
password based encryption algorithms.
.PP
In versions prior to 1.1.0 \fBEVP_cleanup()\fR removed all ciphers and digests from
the table. It no longer has any effect in OpenSSL 1.1.0.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
None of the functions return a value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7), \fBEVP_DigestInit\fR\|(3),
\&\fBEVP_EncryptInit\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBOpenSSL_add_all_algorithms()\fR, \fBOpenSSL_add_all_ciphers()\fR,
\&\fBOpenSSL_add_all_digests()\fR, and \fBEVP_cleanup()\fR, functions
were deprecated in OpenSSL 1.1.0 by \fBOPENSSL_init_crypto()\fR and should
not be used.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PEM_bytes_read_bio.3 b/secure/lib/libcrypto/man/man3/PEM_bytes_read_bio.3
index 38cb31e94beb..05bea56fd6e6 100644
--- a/secure/lib/libcrypto/man/man3/PEM_bytes_read_bio.3
+++ b/secure/lib/libcrypto/man/man3/PEM_bytes_read_bio.3
@@ -1,216 +1,216 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PEM_BYTES_READ_BIO 3"
-.TH PEM_BYTES_READ_BIO 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PEM_BYTES_READ_BIO 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
PEM_bytes_read_bio, PEM_bytes_read_bio_secmem \- read a PEM\-encoded data structure from a BIO
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pem.h>
\&
\& int PEM_bytes_read_bio(unsigned char **pdata, long *plen, char **pnm,
\& const char *name, BIO *bp, pem_password_cb *cb,
\& void *u);
\& int PEM_bytes_read_bio_secmem(unsigned char **pdata, long *plen, char **pnm,
\& const char *name, BIO *bp, pem_password_cb *cb,
\& void *u);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBPEM_bytes_read_bio()\fR reads PEM-formatted (\s-1IETF RFC 1421\s0 and \s-1IETF RFC 7468\s0)
data from the \s-1BIO\s0
\&\fIbp\fR for the data type given in \fIname\fR (\s-1RSA PRIVATE KEY, CERTIFICATE,\s0
etc.). If multiple PEM-encoded data structures are present in the same
stream, \fBPEM_bytes_read_bio()\fR will skip non-matching data types and
continue reading. Non-PEM data present in the stream may cause an
error.
.PP
The \s-1PEM\s0 header may indicate that the following data is encrypted; if so,
the data will be decrypted, waiting on user input to supply a passphrase
if needed. The password callback \fIcb\fR and rock \fIu\fR are used to obtain
the decryption passphrase, if applicable.
.PP
Some data types have compatibility aliases, such as a file containing
X509 \s-1CERTIFICATE\s0 matching a request for the deprecated type \s-1CERTIFICATE.\s0
The actual type indicated by the file is returned in \fI*pnm\fR if \fIpnm\fR is
non-NULL. The caller must free the storage pointed to by \fI*pnm\fR.
.PP
The returned data is the DER-encoded form of the requested type, in
\&\fI*pdata\fR with length \fI*plen\fR. The caller must free the storage pointed
to by \fI*pdata\fR.
.PP
\&\fBPEM_bytes_read_bio_secmem()\fR is similar to \fBPEM_bytes_read_bio()\fR, but uses
memory from the secure heap for its temporary buffers and the storage
returned in \fI*pdata\fR and \fI*pnm\fR. Accordingly, the caller must use
\&\fBOPENSSL_secure_free()\fR to free that storage.
.SH "NOTES"
.IX Header "NOTES"
\&\fBPEM_bytes_read_bio_secmem()\fR only enforces that the secure heap is used for
storage allocated within the \s-1PEM\s0 processing stack. The \s-1BIO\s0 stack from
which input is read may also use temporary buffers, which are not necessarily
allocated from the secure heap. In cases where it is desirable to ensure
that the contents of the \s-1PEM\s0 file only appears in memory from the secure heap,
care is needed in generating the \s-1BIO\s0 passed as \fIbp\fR. In particular, the
use of \fBBIO_s_file()\fR indicates the use of the operating system stdio
functionality, which includes buffering as a feature; \fBBIO_s_fd()\fR is likely
to be more appropriate in such cases.
.PP
These functions make no assumption regarding the pass phrase received from the
password callback.
It will simply be treated as a byte sequence.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBPEM_bytes_read_bio()\fR and \fBPEM_bytes_read_bio_secmem()\fR return 1 for success or
0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPEM_read_bio_ex\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBPEM_bytes_read_bio_secmem()\fR was introduced in OpenSSL 1.1.1
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PEM_read.3 b/secure/lib/libcrypto/man/man3/PEM_read.3
index cb588d4fe10c..12088e4b12b8 100644
--- a/secure/lib/libcrypto/man/man3/PEM_read.3
+++ b/secure/lib/libcrypto/man/man3/PEM_read.3
@@ -1,263 +1,263 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PEM_READ 3"
-.TH PEM_READ 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PEM_READ 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
PEM_write, PEM_write_bio, PEM_read, PEM_read_bio, PEM_do_header, PEM_get_EVP_CIPHER_INFO \&\- PEM encoding routines
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pem.h>
\&
\& int PEM_write(FILE *fp, const char *name, const char *header,
\& const unsigned char *data, long len)
\& int PEM_write_bio(BIO *bp, const char *name, const char *header,
\& const unsigned char *data, long len)
\&
\& int PEM_read(FILE *fp, char **name, char **header,
\& unsigned char **data, long *len);
\& int PEM_read_bio(BIO *bp, char **name, char **header,
\& unsigned char **data, long *len);
\&
\& int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cinfo);
\& int PEM_do_header(EVP_CIPHER_INFO *cinfo, unsigned char *data, long *len,
\& pem_password_cb *cb, void *u);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions read and write PEM-encoded objects, using the \s-1PEM\s0
type \fBname\fR, any additional \fBheader\fR information, and the raw
\&\fBdata\fR of length \fBlen\fR.
.PP
\&\s-1PEM\s0 is the term used for binary content encoding first defined in \s-1IETF
RFC 1421.\s0 The content is a series of base64\-encoded lines, surrounded
by begin/end markers each on their own line. For example:
.PP
.Vb 4
\& \-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\-
\& MIICdg....
\& ... bhTQ==
\& \-\-\-\-\-END PRIVATE KEY\-\-\-\-\-
.Ve
.PP
Optional header line(s) may appear after the begin line, and their
existence depends on the type of object being written or read.
.PP
\&\fBPEM_write()\fR writes to the file \fBfp\fR, while \fBPEM_write_bio()\fR writes to
the \s-1BIO\s0 \fBbp\fR. The \fBname\fR is the name to use in the marker, the
\&\fBheader\fR is the header value or \s-1NULL,\s0 and \fBdata\fR and \fBlen\fR specify
the data and its length.
.PP
The final \fBdata\fR buffer is typically an \s-1ASN.1\s0 object which can be decoded with
the \fBd2i\fR function appropriate to the type \fBname\fR; see \fBd2i_X509\fR\|(3)
for examples.
.PP
\&\fBPEM_read()\fR reads from the file \fBfp\fR, while \fBPEM_read_bio()\fR reads
from the \s-1BIO\s0 \fBbp\fR.
Both skip any non-PEM data that precedes the start of the next \s-1PEM\s0 object.
When an object is successfully retrieved, the type name from the \*(L"\-\-\-\-BEGIN
<type>\-\-\-\-\-\*(R" is returned via the \fBname\fR argument, any encapsulation headers
are returned in \fBheader\fR and the base64\-decoded content and its length are
returned via \fBdata\fR and \fBlen\fR respectively.
The \fBname\fR, \fBheader\fR and \fBdata\fR pointers are allocated via \fBOPENSSL_malloc()\fR
and should be freed by the caller via \fBOPENSSL_free()\fR when no longer needed.
.PP
\&\fBPEM_get_EVP_CIPHER_INFO()\fR can be used to determine the \fBdata\fR returned by
\&\fBPEM_read()\fR or \fBPEM_read_bio()\fR is encrypted and to retrieve the associated cipher
and \s-1IV.\s0
The caller passes a pointer to structure of type \fB\s-1EVP_CIPHER_INFO\s0\fR via the
\&\fBcinfo\fR argument and the \fBheader\fR returned via \fBPEM_read()\fR or \fBPEM_read_bio()\fR.
If the call is successful 1 is returned and the cipher and \s-1IV\s0 are stored at the
address pointed to by \fBcinfo\fR.
When the header is malformed, or not supported or when the cipher is unknown
or some internal error happens 0 is returned.
This function is deprecated, see \fB\s-1NOTES\s0\fR below.
.PP
\&\fBPEM_do_header()\fR can then be used to decrypt the data if the header
indicates encryption.
The \fBcinfo\fR argument is a pointer to the structure initialized by the previous
call to \fBPEM_get_EVP_CIPHER_INFO()\fR.
The \fBdata\fR and \fBlen\fR arguments are those returned by the previous call to
\&\fBPEM_read()\fR or \fBPEM_read_bio()\fR.
The \fBcb\fR and \fBu\fR arguments make it possible to override the default password
prompt function as described in \fBPEM_read_PrivateKey\fR\|(3).
On successful completion the \fBdata\fR is decrypted in place, and \fBlen\fR is
updated to indicate the plaintext length.
This function is deprecated, see \fB\s-1NOTES\s0\fR below.
.PP
If the data is a priori known to not be encrypted, then neither \fBPEM_do_header()\fR
nor \fBPEM_get_EVP_CIPHER_INFO()\fR need be called.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBPEM_read()\fR and \fBPEM_read_bio()\fR return 1 on success and 0 on failure, the latter
includes the case when no more \s-1PEM\s0 objects remain in the input file.
To distinguish end of file from more serious errors the caller must peek at the
error stack and check for \fB\s-1PEM_R_NO_START_LINE\s0\fR, which indicates that no more
\&\s-1PEM\s0 objects were found. See \fBERR_peek_last_error\fR\|(3), \s-1\fBERR_GET_REASON\s0\fR\|(3).
.PP
\&\fBPEM_get_EVP_CIPHER_INFO()\fR and \fBPEM_do_header()\fR return 1 on success, and 0 on
failure.
The \fBdata\fR is likely meaningless if these functions fail.
.SH "NOTES"
.IX Header "NOTES"
The \fBPEM_get_EVP_CIPHER_INFO()\fR and \fBPEM_do_header()\fR functions are deprecated.
This is because the underlying \s-1PEM\s0 encryption format is obsolete, and should
be avoided.
It uses an encryption format with an OpenSSL-specific key-derivation function,
which employs \s-1MD5\s0 with an iteration count of 1!
Instead, private keys should be stored in PKCS#8 form, with a strong PKCS#5
v2.0 \s-1PBE.\s0
See \fBPEM_write_PrivateKey\fR\|(3) and \fBd2i_PKCS8PrivateKey_bio\fR\|(3).
.PP
\&\fBPEM_do_header()\fR makes no assumption regarding the pass phrase received from the
password callback.
It will simply be treated as a byte sequence.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_peek_last_error\fR\|(3), \s-1\fBERR_GET_LIB\s0\fR\|(3),
\&\fBd2i_PKCS8PrivateKey_bio\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 1998\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PEM_read_CMS.3 b/secure/lib/libcrypto/man/man3/PEM_read_CMS.3
index ce96ced5c27f..3446ed58816e 100644
--- a/secure/lib/libcrypto/man/man3/PEM_read_CMS.3
+++ b/secure/lib/libcrypto/man/man3/PEM_read_CMS.3
@@ -1,199 +1,199 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PEM_READ_CMS 3"
-.TH PEM_READ_CMS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PEM_READ_CMS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DECLARE_PEM_rw, PEM_read_CMS, PEM_read_bio_CMS, PEM_write_CMS, PEM_write_bio_CMS, PEM_write_DHxparams, PEM_write_bio_DHxparams, PEM_read_ECPKParameters, PEM_read_bio_ECPKParameters, PEM_write_ECPKParameters, PEM_write_bio_ECPKParameters, PEM_read_ECPrivateKey, PEM_write_ECPrivateKey, PEM_write_bio_ECPrivateKey, PEM_read_EC_PUBKEY, PEM_read_bio_EC_PUBKEY, PEM_write_EC_PUBKEY, PEM_write_bio_EC_PUBKEY, PEM_read_NETSCAPE_CERT_SEQUENCE, PEM_read_bio_NETSCAPE_CERT_SEQUENCE, PEM_write_NETSCAPE_CERT_SEQUENCE, PEM_write_bio_NETSCAPE_CERT_SEQUENCE, PEM_read_PKCS8, PEM_read_bio_PKCS8, PEM_write_PKCS8, PEM_write_bio_PKCS8, PEM_write_PKCS8_PRIV_KEY_INFO, PEM_read_bio_PKCS8_PRIV_KEY_INFO, PEM_read_PKCS8_PRIV_KEY_INFO, PEM_write_bio_PKCS8_PRIV_KEY_INFO, PEM_read_SSL_SESSION, PEM_read_bio_SSL_SESSION, PEM_write_SSL_SESSION, PEM_write_bio_SSL_SESSION \&\- PEM object encoding routines
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pem.h>
\&
\& DECLARE_PEM_rw(name, TYPE)
\&
\& TYPE *PEM_read_TYPE(FILE *fp, TYPE **a, pem_password_cb *cb, void *u);
\& TYPE *PEM_read_bio_TYPE(BIO *bp, TYPE **a, pem_password_cb *cb, void *u);
\& int PEM_write_TYPE(FILE *fp, const TYPE *a);
\& int PEM_write_bio_TYPE(BIO *bp, const TYPE *a);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
In the description below, \fI\s-1TYPE\s0\fR is used
as a placeholder for any of the OpenSSL datatypes, such as \fIX509\fR.
The macro \fBDECLARE_PEM_rw\fR expands to the set of declarations shown in
the next four lines of the synopsis.
.PP
These routines convert between local instances of \s-1ASN1\s0 datatypes and
the \s-1PEM\s0 encoding. For more information on the templates, see
\&\s-1\fBASN1_ITEM\s0\fR\|(3). For more information on the lower-level routines used
by the functions here, see \fBPEM_read\fR\|(3).
.PP
\&\fBPEM_read_TYPE()\fR reads a PEM-encoded object of \fI\s-1TYPE\s0\fR from the file \fBfp\fR
and returns it. The \fBcb\fR and \fBu\fR parameters are as described in
\&\fBpem_password_cb\fR\|(3).
.PP
\&\fBPEM_read_bio_TYPE()\fR is similar to \fBPEM_read_TYPE()\fR but reads from the \s-1BIO\s0 \fBbp\fR.
.PP
\&\fBPEM_write_TYPE()\fR writes the \s-1PEM\s0 encoding of the object \fBa\fR to the file \fBfp\fR.
.PP
\&\fBPEM_write_bio_TYPE()\fR similarly writes to the \s-1BIO\s0 \fBbp\fR.
.SH "NOTES"
.IX Header "NOTES"
These functions make no assumption regarding the pass phrase received from the
password callback.
It will simply be treated as a byte sequence.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBPEM_read_TYPE()\fR and \fBPEM_read_bio_TYPE()\fR return a pointer to an allocated
object, which should be released by calling \fBTYPE_free()\fR, or \s-1NULL\s0 on error.
.PP
\&\fBPEM_write_TYPE()\fR and \fBPEM_write_bio_TYPE()\fR return the number of bytes written
or zero on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPEM_read\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 1998\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PEM_read_bio_PrivateKey.3 b/secure/lib/libcrypto/man/man3/PEM_read_bio_PrivateKey.3
index 2fea21081da7..45af927c61ab 100644
--- a/secure/lib/libcrypto/man/man3/PEM_read_bio_PrivateKey.3
+++ b/secure/lib/libcrypto/man/man3/PEM_read_bio_PrivateKey.3
@@ -1,622 +1,622 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PEM_READ_BIO_PRIVATEKEY 3"
-.TH PEM_READ_BIO_PRIVATEKEY 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PEM_READ_BIO_PRIVATEKEY 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
pem_password_cb, PEM_read_bio_PrivateKey, PEM_read_PrivateKey, PEM_write_bio_PrivateKey, PEM_write_bio_PrivateKey_traditional, PEM_write_PrivateKey, PEM_write_bio_PKCS8PrivateKey, PEM_write_PKCS8PrivateKey, PEM_write_bio_PKCS8PrivateKey_nid, PEM_write_PKCS8PrivateKey_nid, PEM_read_bio_PUBKEY, PEM_read_PUBKEY, PEM_write_bio_PUBKEY, PEM_write_PUBKEY, PEM_read_bio_RSAPrivateKey, PEM_read_RSAPrivateKey, PEM_write_bio_RSAPrivateKey, PEM_write_RSAPrivateKey, PEM_read_bio_RSAPublicKey, PEM_read_RSAPublicKey, PEM_write_bio_RSAPublicKey, PEM_write_RSAPublicKey, PEM_read_bio_RSA_PUBKEY, PEM_read_RSA_PUBKEY, PEM_write_bio_RSA_PUBKEY, PEM_write_RSA_PUBKEY, PEM_read_bio_DSAPrivateKey, PEM_read_DSAPrivateKey, PEM_write_bio_DSAPrivateKey, PEM_write_DSAPrivateKey, PEM_read_bio_DSA_PUBKEY, PEM_read_DSA_PUBKEY, PEM_write_bio_DSA_PUBKEY, PEM_write_DSA_PUBKEY, PEM_read_bio_Parameters, PEM_write_bio_Parameters, PEM_read_bio_DSAparams, PEM_read_DSAparams, PEM_write_bio_DSAparams, PEM_write_DSAparams, PEM_read_bio_DHparams, PEM_read_DHparams, PEM_write_bio_DHparams, PEM_write_DHparams, PEM_read_bio_X509, PEM_read_X509, PEM_write_bio_X509, PEM_write_X509, PEM_read_bio_X509_AUX, PEM_read_X509_AUX, PEM_write_bio_X509_AUX, PEM_write_X509_AUX, PEM_read_bio_X509_REQ, PEM_read_X509_REQ, PEM_write_bio_X509_REQ, PEM_write_X509_REQ, PEM_write_bio_X509_REQ_NEW, PEM_write_X509_REQ_NEW, PEM_read_bio_X509_CRL, PEM_read_X509_CRL, PEM_write_bio_X509_CRL, PEM_write_X509_CRL, PEM_read_bio_PKCS7, PEM_read_PKCS7, PEM_write_bio_PKCS7, PEM_write_PKCS7 \- PEM routines
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pem.h>
\&
\& typedef int pem_password_cb(char *buf, int size, int rwflag, void *u);
\&
\& EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x,
\& pem_password_cb *cb, void *u);
\& EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x,
\& pem_password_cb *cb, void *u);
\& int PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
\& unsigned char *kstr, int klen,
\& pem_password_cb *cb, void *u);
\& int PEM_write_bio_PrivateKey_traditional(BIO *bp, EVP_PKEY *x,
\& const EVP_CIPHER *enc,
\& unsigned char *kstr, int klen,
\& pem_password_cb *cb, void *u);
\& int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
\& unsigned char *kstr, int klen,
\& pem_password_cb *cb, void *u);
\&
\& int PEM_write_bio_PKCS8PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
\& char *kstr, int klen,
\& pem_password_cb *cb, void *u);
\& int PEM_write_PKCS8PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
\& char *kstr, int klen,
\& pem_password_cb *cb, void *u);
\& int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, EVP_PKEY *x, int nid,
\& char *kstr, int klen,
\& pem_password_cb *cb, void *u);
\& int PEM_write_PKCS8PrivateKey_nid(FILE *fp, EVP_PKEY *x, int nid,
\& char *kstr, int klen,
\& pem_password_cb *cb, void *u);
\&
\& EVP_PKEY *PEM_read_bio_PUBKEY(BIO *bp, EVP_PKEY **x,
\& pem_password_cb *cb, void *u);
\& EVP_PKEY *PEM_read_PUBKEY(FILE *fp, EVP_PKEY **x,
\& pem_password_cb *cb, void *u);
\& int PEM_write_bio_PUBKEY(BIO *bp, EVP_PKEY *x);
\& int PEM_write_PUBKEY(FILE *fp, EVP_PKEY *x);
\&
\& RSA *PEM_read_bio_RSAPrivateKey(BIO *bp, RSA **x,
\& pem_password_cb *cb, void *u);
\& RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **x,
\& pem_password_cb *cb, void *u);
\& int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
\& unsigned char *kstr, int klen,
\& pem_password_cb *cb, void *u);
\& int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
\& unsigned char *kstr, int klen,
\& pem_password_cb *cb, void *u);
\&
\& RSA *PEM_read_bio_RSAPublicKey(BIO *bp, RSA **x,
\& pem_password_cb *cb, void *u);
\& RSA *PEM_read_RSAPublicKey(FILE *fp, RSA **x,
\& pem_password_cb *cb, void *u);
\& int PEM_write_bio_RSAPublicKey(BIO *bp, RSA *x);
\& int PEM_write_RSAPublicKey(FILE *fp, RSA *x);
\&
\& RSA *PEM_read_bio_RSA_PUBKEY(BIO *bp, RSA **x,
\& pem_password_cb *cb, void *u);
\& RSA *PEM_read_RSA_PUBKEY(FILE *fp, RSA **x,
\& pem_password_cb *cb, void *u);
\& int PEM_write_bio_RSA_PUBKEY(BIO *bp, RSA *x);
\& int PEM_write_RSA_PUBKEY(FILE *fp, RSA *x);
\&
\& DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **x,
\& pem_password_cb *cb, void *u);
\& DSA *PEM_read_DSAPrivateKey(FILE *fp, DSA **x,
\& pem_password_cb *cb, void *u);
\& int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
\& unsigned char *kstr, int klen,
\& pem_password_cb *cb, void *u);
\& int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
\& unsigned char *kstr, int klen,
\& pem_password_cb *cb, void *u);
\&
\& DSA *PEM_read_bio_DSA_PUBKEY(BIO *bp, DSA **x,
\& pem_password_cb *cb, void *u);
\& DSA *PEM_read_DSA_PUBKEY(FILE *fp, DSA **x,
\& pem_password_cb *cb, void *u);
\& int PEM_write_bio_DSA_PUBKEY(BIO *bp, DSA *x);
\& int PEM_write_DSA_PUBKEY(FILE *fp, DSA *x);
\&
\& EVP_PKEY *PEM_read_bio_Parameters(BIO *bp, EVP_PKEY **x);
\& int PEM_write_bio_Parameters(BIO *bp, const EVP_PKEY *x);
\&
\& DSA *PEM_read_bio_DSAparams(BIO *bp, DSA **x, pem_password_cb *cb, void *u);
\& DSA *PEM_read_DSAparams(FILE *fp, DSA **x, pem_password_cb *cb, void *u);
\& int PEM_write_bio_DSAparams(BIO *bp, DSA *x);
\& int PEM_write_DSAparams(FILE *fp, DSA *x);
\&
\& DH *PEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u);
\& DH *PEM_read_DHparams(FILE *fp, DH **x, pem_password_cb *cb, void *u);
\& int PEM_write_bio_DHparams(BIO *bp, DH *x);
\& int PEM_write_DHparams(FILE *fp, DH *x);
\&
\& X509 *PEM_read_bio_X509(BIO *bp, X509 **x, pem_password_cb *cb, void *u);
\& X509 *PEM_read_X509(FILE *fp, X509 **x, pem_password_cb *cb, void *u);
\& int PEM_write_bio_X509(BIO *bp, X509 *x);
\& int PEM_write_X509(FILE *fp, X509 *x);
\&
\& X509 *PEM_read_bio_X509_AUX(BIO *bp, X509 **x, pem_password_cb *cb, void *u);
\& X509 *PEM_read_X509_AUX(FILE *fp, X509 **x, pem_password_cb *cb, void *u);
\& int PEM_write_bio_X509_AUX(BIO *bp, X509 *x);
\& int PEM_write_X509_AUX(FILE *fp, X509 *x);
\&
\& X509_REQ *PEM_read_bio_X509_REQ(BIO *bp, X509_REQ **x,
\& pem_password_cb *cb, void *u);
\& X509_REQ *PEM_read_X509_REQ(FILE *fp, X509_REQ **x,
\& pem_password_cb *cb, void *u);
\& int PEM_write_bio_X509_REQ(BIO *bp, X509_REQ *x);
\& int PEM_write_X509_REQ(FILE *fp, X509_REQ *x);
\& int PEM_write_bio_X509_REQ_NEW(BIO *bp, X509_REQ *x);
\& int PEM_write_X509_REQ_NEW(FILE *fp, X509_REQ *x);
\&
\& X509_CRL *PEM_read_bio_X509_CRL(BIO *bp, X509_CRL **x,
\& pem_password_cb *cb, void *u);
\& X509_CRL *PEM_read_X509_CRL(FILE *fp, X509_CRL **x,
\& pem_password_cb *cb, void *u);
\& int PEM_write_bio_X509_CRL(BIO *bp, X509_CRL *x);
\& int PEM_write_X509_CRL(FILE *fp, X509_CRL *x);
\&
\& PKCS7 *PEM_read_bio_PKCS7(BIO *bp, PKCS7 **x, pem_password_cb *cb, void *u);
\& PKCS7 *PEM_read_PKCS7(FILE *fp, PKCS7 **x, pem_password_cb *cb, void *u);
\& int PEM_write_bio_PKCS7(BIO *bp, PKCS7 *x);
\& int PEM_write_PKCS7(FILE *fp, PKCS7 *x);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1PEM\s0 functions read or write structures in \s-1PEM\s0 format. In
this sense \s-1PEM\s0 format is simply base64 encoded data surrounded
by header lines.
.PP
For more details about the meaning of arguments see the
\&\fB\s-1PEM FUNCTION ARGUMENTS\s0\fR section.
.PP
Each operation has four functions associated with it. For
brevity the term "\fB\s-1TYPE\s0\fR functions" will be used below to collectively
refer to the \fBPEM_read_bio_TYPE()\fR, \fBPEM_read_TYPE()\fR,
\&\fBPEM_write_bio_TYPE()\fR, and \fBPEM_write_TYPE()\fR functions.
.PP
The \fBPrivateKey\fR functions read or write a private key in \s-1PEM\s0 format using an
\&\s-1EVP_PKEY\s0 structure. The write routines use PKCS#8 private key format and are
equivalent to \fBPEM_write_bio_PKCS8PrivateKey()\fR.The read functions transparently
handle traditional and PKCS#8 format encrypted and unencrypted keys.
.PP
\&\fBPEM_write_bio_PrivateKey_traditional()\fR writes out a private key in the
\&\*(L"traditional\*(R" format with a simple private key marker and should only
be used for compatibility with legacy programs.
.PP
\&\fBPEM_write_bio_PKCS8PrivateKey()\fR and \fBPEM_write_PKCS8PrivateKey()\fR write a private
key in an \s-1EVP_PKEY\s0 structure in PKCS#8 EncryptedPrivateKeyInfo format using
PKCS#5 v2.0 password based encryption algorithms. The \fBcipher\fR argument
specifies the encryption algorithm to use: unlike some other \s-1PEM\s0 routines the
encryption is applied at the PKCS#8 level and not in the \s-1PEM\s0 headers. If
\&\fBcipher\fR is \s-1NULL\s0 then no encryption is used and a PKCS#8 PrivateKeyInfo
structure is used instead.
.PP
\&\fBPEM_write_bio_PKCS8PrivateKey_nid()\fR and \fBPEM_write_PKCS8PrivateKey_nid()\fR
also write out a private key as a PKCS#8 EncryptedPrivateKeyInfo however
it uses PKCS#5 v1.5 or PKCS#12 encryption algorithms instead. The algorithm
to use is specified in the \fBnid\fR parameter and should be the \s-1NID\s0 of the
corresponding \s-1OBJECT IDENTIFIER\s0 (see \s-1NOTES\s0 section).
.PP
The \fB\s-1PUBKEY\s0\fR functions process a public key using an \s-1EVP_PKEY\s0
structure. The public key is encoded as a SubjectPublicKeyInfo
structure.
.PP
The \fBRSAPrivateKey\fR functions process an \s-1RSA\s0 private key using an
\&\s-1RSA\s0 structure. The write routines uses traditional format. The read
routines handles the same formats as the \fBPrivateKey\fR
functions but an error occurs if the private key is not \s-1RSA.\s0
.PP
The \fBRSAPublicKey\fR functions process an \s-1RSA\s0 public key using an
\&\s-1RSA\s0 structure. The public key is encoded using a PKCS#1 RSAPublicKey
structure.
.PP
The \fB\s-1RSA_PUBKEY\s0\fR functions also process an \s-1RSA\s0 public key using
an \s-1RSA\s0 structure. However, the public key is encoded using a
SubjectPublicKeyInfo structure and an error occurs if the public
key is not \s-1RSA.\s0
.PP
The \fBDSAPrivateKey\fR functions process a \s-1DSA\s0 private key using a
\&\s-1DSA\s0 structure. The write routines uses traditional format. The read
routines handles the same formats as the \fBPrivateKey\fR
functions but an error occurs if the private key is not \s-1DSA.\s0
.PP
The \fB\s-1DSA_PUBKEY\s0\fR functions process a \s-1DSA\s0 public key using
a \s-1DSA\s0 structure. The public key is encoded using a
SubjectPublicKeyInfo structure and an error occurs if the public
key is not \s-1DSA.\s0
.PP
The \fBParameters\fR functions read or write key parameters in \s-1PEM\s0 format using
an \s-1EVP_PKEY\s0 structure. The encoding depends on the type of key; for \s-1DSA\s0 key
parameters, it will be a Dss-Parms structure as defined in \s-1RFC2459,\s0 and for \s-1DH\s0
key parameters, it will be a PKCS#3 DHparameter structure. \fIThese functions
only exist for the \f(BI\s-1BIO\s0\fI type\fR.
.PP
The \fBDSAparams\fR functions process \s-1DSA\s0 parameters using a \s-1DSA\s0
structure. The parameters are encoded using a Dss-Parms structure
as defined in \s-1RFC2459.\s0
.PP
The \fBDHparams\fR functions process \s-1DH\s0 parameters using a \s-1DH\s0
structure. The parameters are encoded using a PKCS#3 DHparameter
structure.
.PP
The \fBX509\fR functions process an X509 certificate using an X509
structure. They will also process a trusted X509 certificate but
any trust settings are discarded.
.PP
The \fBX509_AUX\fR functions process a trusted X509 certificate using
an X509 structure.
.PP
The \fBX509_REQ\fR and \fBX509_REQ_NEW\fR functions process a PKCS#10
certificate request using an X509_REQ structure. The \fBX509_REQ\fR
write functions use \fB\s-1CERTIFICATE REQUEST\s0\fR in the header whereas
the \fBX509_REQ_NEW\fR functions use \fB\s-1NEW CERTIFICATE REQUEST\s0\fR
(as required by some CAs). The \fBX509_REQ\fR read functions will
handle either form so there are no \fBX509_REQ_NEW\fR read functions.
.PP
The \fBX509_CRL\fR functions process an X509 \s-1CRL\s0 using an X509_CRL
structure.
.PP
The \fB\s-1PKCS7\s0\fR functions process a PKCS#7 ContentInfo using a \s-1PKCS7\s0
structure.
.SH "PEM FUNCTION ARGUMENTS"
.IX Header "PEM FUNCTION ARGUMENTS"
The \s-1PEM\s0 functions have many common arguments.
.PP
The \fBbp\fR \s-1BIO\s0 parameter (if present) specifies the \s-1BIO\s0 to read from
or write to.
.PP
The \fBfp\fR \s-1FILE\s0 parameter (if present) specifies the \s-1FILE\s0 pointer to
read from or write to.
.PP
The \s-1PEM\s0 read functions all take an argument \fB\s-1TYPE\s0 **x\fR and return
a \fB\s-1TYPE\s0 *\fR pointer. Where \fB\s-1TYPE\s0\fR is whatever structure the function
uses. If \fBx\fR is \s-1NULL\s0 then the parameter is ignored. If \fBx\fR is not
\&\s-1NULL\s0 but \fB*x\fR is \s-1NULL\s0 then the structure returned will be written
to \fB*x\fR. If neither \fBx\fR nor \fB*x\fR is \s-1NULL\s0 then an attempt is made
to reuse the structure at \fB*x\fR (but see \s-1BUGS\s0 and \s-1EXAMPLES\s0 sections).
Irrespective of the value of \fBx\fR a pointer to the structure is always
returned (or \s-1NULL\s0 if an error occurred).
.PP
The \s-1PEM\s0 functions which write private keys take an \fBenc\fR parameter
which specifies the encryption algorithm to use, encryption is done
at the \s-1PEM\s0 level. If this parameter is set to \s-1NULL\s0 then the private
key is written in unencrypted form.
.PP
The \fBcb\fR argument is the callback to use when querying for the pass
phrase used for encrypted \s-1PEM\s0 structures (normally only private keys).
.PP
For the \s-1PEM\s0 write routines if the \fBkstr\fR parameter is not \s-1NULL\s0 then
\&\fBklen\fR bytes at \fBkstr\fR are used as the passphrase and \fBcb\fR is
ignored.
.PP
If the \fBcb\fR parameters is set to \s-1NULL\s0 and the \fBu\fR parameter is not
\&\s-1NULL\s0 then the \fBu\fR parameter is interpreted as a null terminated string
to use as the passphrase. If both \fBcb\fR and \fBu\fR are \s-1NULL\s0 then the
default callback routine is used which will typically prompt for the
passphrase on the current terminal with echoing turned off.
.PP
The default passphrase callback is sometimes inappropriate (for example
in a \s-1GUI\s0 application) so an alternative can be supplied. The callback
routine has the following form:
.PP
.Vb 1
\& int cb(char *buf, int size, int rwflag, void *u);
.Ve
.PP
\&\fBbuf\fR is the buffer to write the passphrase to. \fBsize\fR is the maximum
length of the passphrase (i.e. the size of buf). \fBrwflag\fR is a flag
which is set to 0 when reading and 1 when writing. A typical routine
will ask the user to verify the passphrase (for example by prompting
for it twice) if \fBrwflag\fR is 1. The \fBu\fR parameter has the same
value as the \fBu\fR parameter passed to the \s-1PEM\s0 routine. It allows
arbitrary data to be passed to the callback by the application
(for example a window handle in a \s-1GUI\s0 application). The callback
\&\fBmust\fR return the number of characters in the passphrase or \-1 if
an error occurred.
.SH "NOTES"
.IX Header "NOTES"
The old \fBPrivateKey\fR write routines are retained for compatibility.
New applications should write private keys using the
\&\fBPEM_write_bio_PKCS8PrivateKey()\fR or \fBPEM_write_PKCS8PrivateKey()\fR routines
because they are more secure (they use an iteration count of 2048 whereas
the traditional routines use a count of 1) unless compatibility with older
versions of OpenSSL is important.
.PP
The \fBPrivateKey\fR read routines can be used in all applications because
they handle all formats transparently.
.PP
A frequent cause of problems is attempting to use the \s-1PEM\s0 routines like
this:
.PP
.Vb 1
\& X509 *x;
\&
\& PEM_read_bio_X509(bp, &x, 0, NULL);
.Ve
.PP
this is a bug because an attempt will be made to reuse the data at \fBx\fR
which is an uninitialised pointer.
.PP
These functions make no assumption regarding the pass phrase received from the
password callback.
It will simply be treated as a byte sequence.
.SH "PEM ENCRYPTION FORMAT"
.IX Header "PEM ENCRYPTION FORMAT"
These old \fBPrivateKey\fR routines use a non standard technique for encryption.
.PP
The private key (or other data) takes the following form:
.PP
.Vb 3
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
\& Proc\-Type: 4,ENCRYPTED
\& DEK\-Info: DES\-EDE3\-CBC,3F17F5316E2BAC89
\&
\& ...base64 encoded data...
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
.Ve
.PP
The line beginning with \fIProc-Type\fR contains the version and the
protection on the encapsulated data. The line beginning \fIDEK-Info\fR
contains two comma separated values: the encryption algorithm name as
used by \fBEVP_get_cipherbyname()\fR and an initialization vector used by the
cipher encoded as a set of hexadecimal digits. After those two lines is
the base64\-encoded encrypted data.
.PP
The encryption key is derived using \fBEVP_BytesToKey()\fR. The cipher's
initialization vector is passed to \fBEVP_BytesToKey()\fR as the \fBsalt\fR
parameter. Internally, \fB\s-1PKCS5_SALT_LEN\s0\fR bytes of the salt are used
(regardless of the size of the initialization vector). The user's
password is passed to \fBEVP_BytesToKey()\fR using the \fBdata\fR and \fBdatal\fR
parameters. Finally, the library uses an iteration count of 1 for
\&\fBEVP_BytesToKey()\fR.
.PP
The \fBkey\fR derived by \fBEVP_BytesToKey()\fR along with the original initialization
vector is then used to decrypt the encrypted data. The \fBiv\fR produced by
\&\fBEVP_BytesToKey()\fR is not utilized or needed, and \s-1NULL\s0 should be passed to
the function.
.PP
The pseudo code to derive the key would look similar to:
.PP
.Vb 2
\& EVP_CIPHER* cipher = EVP_des_ede3_cbc();
\& EVP_MD* md = EVP_md5();
\&
\& unsigned int nkey = EVP_CIPHER_key_length(cipher);
\& unsigned int niv = EVP_CIPHER_iv_length(cipher);
\& unsigned char key[nkey];
\& unsigned char iv[niv];
\&
\& memcpy(iv, HexToBin("3F17F5316E2BAC89"), niv);
\& rc = EVP_BytesToKey(cipher, md, iv /*salt*/, pword, plen, 1, key, NULL /*iv*/);
\& if (rc != nkey)
\& /* Error */
\&
\& /* On success, use key and iv to initialize the cipher */
.Ve
.SH "BUGS"
.IX Header "BUGS"
The \s-1PEM\s0 read routines in some versions of OpenSSL will not correctly reuse
an existing structure. Therefore, the following:
.PP
.Vb 1
\& PEM_read_bio_X509(bp, &x, 0, NULL);
.Ve
.PP
where \fBx\fR already contains a valid certificate, may not work, whereas:
.PP
.Vb 2
\& X509_free(x);
\& x = PEM_read_bio_X509(bp, NULL, 0, NULL);
.Ve
.PP
is guaranteed to work.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The read routines return either a pointer to the structure read or \s-1NULL\s0
if an error occurred.
.PP
The write routines return 1 for success or 0 for failure.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Although the \s-1PEM\s0 routines take several arguments in almost all applications
most of them are set to 0 or \s-1NULL.\s0
.PP
Read a certificate in \s-1PEM\s0 format from a \s-1BIO:\s0
.PP
.Vb 1
\& X509 *x;
\&
\& x = PEM_read_bio_X509(bp, NULL, 0, NULL);
\& if (x == NULL)
\& /* Error */
.Ve
.PP
Alternative method:
.PP
.Vb 1
\& X509 *x = NULL;
\&
\& if (!PEM_read_bio_X509(bp, &x, 0, NULL))
\& /* Error */
.Ve
.PP
Write a certificate to a \s-1BIO:\s0
.PP
.Vb 2
\& if (!PEM_write_bio_X509(bp, x))
\& /* Error */
.Ve
.PP
Write a private key (using traditional format) to a \s-1BIO\s0 using
triple \s-1DES\s0 encryption, the pass phrase is prompted for:
.PP
.Vb 2
\& if (!PEM_write_bio_PrivateKey(bp, key, EVP_des_ede3_cbc(), NULL, 0, 0, NULL))
\& /* Error */
.Ve
.PP
Write a private key (using PKCS#8 format) to a \s-1BIO\s0 using triple
\&\s-1DES\s0 encryption, using the pass phrase \*(L"hello\*(R":
.PP
.Vb 3
\& if (!PEM_write_bio_PKCS8PrivateKey(bp, key, EVP_des_ede3_cbc(),
\& NULL, 0, 0, "hello"))
\& /* Error */
.Ve
.PP
Read a private key from a \s-1BIO\s0 using a pass phrase callback:
.PP
.Vb 3
\& key = PEM_read_bio_PrivateKey(bp, NULL, pass_cb, "My Private Key");
\& if (key == NULL)
\& /* Error */
.Ve
.PP
Skeleton pass phrase callback:
.PP
.Vb 2
\& int pass_cb(char *buf, int size, int rwflag, void *u)
\& {
\&
\& /* We\*(Aqd probably do something else if \*(Aqrwflag\*(Aq is 1 */
\& printf("Enter pass phrase for \e"%s\e"\en", (char *)u);
\&
\& /* get pass phrase, length \*(Aqlen\*(Aq into \*(Aqtmp\*(Aq */
\& char *tmp = "hello";
\& if (tmp == NULL) /* An error occurred */
\& return \-1;
\&
\& size_t len = strlen(tmp);
\&
\& if (len > size)
\& len = size;
\& memcpy(buf, tmp, len);
\& return len;
\& }
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_EncryptInit\fR\|(3), \fBEVP_BytesToKey\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The old Netscape certificate sequences were no longer documented
in OpenSSL 1.1.0; applications should use the \s-1PKCS7\s0 standard instead
as they will be formally deprecated in a future releases.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PEM_read_bio_ex.3 b/secure/lib/libcrypto/man/man3/PEM_read_bio_ex.3
index 273511ea8749..fd21918db9cd 100644
--- a/secure/lib/libcrypto/man/man3/PEM_read_bio_ex.3
+++ b/secure/lib/libcrypto/man/man3/PEM_read_bio_ex.3
@@ -1,199 +1,199 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PEM_READ_BIO_EX 3"
-.TH PEM_READ_BIO_EX 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PEM_READ_BIO_EX 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
PEM_read_bio_ex, PEM_FLAG_SECURE, PEM_FLAG_EAY_COMPATIBLE, PEM_FLAG_ONLY_B64 \- read PEM format files with custom processing
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pem.h>
\&
\& #define PEM_FLAG_SECURE 0x1
\& #define PEM_FLAG_EAY_COMPATIBLE 0x2
\& #define PEM_FLAG_ONLY_B64 0x4
\& int PEM_read_bio_ex(BIO *in, char **name, char **header,
\& unsigned char **data, long *len, unsigned int flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBPEM_read_bio_ex()\fR reads in \s-1PEM\s0 formatted data from an input \s-1BIO,\s0 outputting
the name of the type of contained data, the header information regarding
the possibly encrypted data, and the binary data payload (after base64 decoding).
It should generally only be used to implement PEM_read_bio_\-family functions
for specific data types or other usage, but is exposed to allow greater flexibility
over how processing is performed, if needed.
.PP
If \s-1PEM_FLAG_SECURE\s0 is set, the intermediate buffers used to read in lines of
input are allocated from the secure heap.
.PP
If \s-1PEM_FLAG_EAY_COMPATIBLE\s0 is set, a simple algorithm is used to remove whitespace
and control characters from the end of each line, so as to be compatible with
the historical behavior of \fBPEM_read_bio()\fR.
.PP
If \s-1PEM_FLAG_ONLY_B64\s0 is set, all characters are required to be valid base64
characters (or newlines); non\-base64 characters are treated as end of input.
.PP
If neither \s-1PEM_FLAG_EAY_COMPATIBLE\s0 or \s-1PEM_FLAG_ONLY_B64\s0 is set, control characters
are ignored.
.PP
If both \s-1PEM_FLAG_EAY_COMPATIBLE\s0 and \s-1PEM_FLAG_ONLY_B64\s0 are set, an error is returned;
these options are not compatible with each other.
.SH "NOTES"
.IX Header "NOTES"
The caller must release the storage allocated for *name, *header, and *data.
If \s-1PEM_FLAG_SECURE\s0 was set, use \fBOPENSSL_secure_free()\fR; otherwise,
\&\fBOPENSSL_free()\fR is used.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBPEM_read_bio_ex()\fR returns 1 for success or 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPEM_bytes_read_bio\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBPEM_read_bio_ex()\fR function was added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PEM_write_bio_CMS_stream.3 b/secure/lib/libcrypto/man/man3/PEM_write_bio_CMS_stream.3
index a877692ad7c1..dc7f8cb99d0e 100644
--- a/secure/lib/libcrypto/man/man3/PEM_write_bio_CMS_stream.3
+++ b/secure/lib/libcrypto/man/man3/PEM_write_bio_CMS_stream.3
@@ -1,180 +1,180 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PEM_WRITE_BIO_CMS_STREAM 3"
-.TH PEM_WRITE_BIO_CMS_STREAM 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PEM_WRITE_BIO_CMS_STREAM 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
PEM_write_bio_CMS_stream \- output CMS_ContentInfo structure in PEM format
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& int PEM_write_bio_CMS_stream(BIO *out, CMS_ContentInfo *cms, BIO *data, int flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBPEM_write_bio_CMS_stream()\fR outputs a CMS_ContentInfo structure in \s-1PEM\s0 format.
.PP
It is otherwise identical to the function \fBSMIME_write_CMS()\fR.
.SH "NOTES"
.IX Header "NOTES"
This function is effectively a version of the \fBPEM_write_bio_CMS()\fR supporting
streaming.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBPEM_write_bio_CMS_stream()\fR returns 1 for success or 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_sign\fR\|(3),
\&\fBCMS_verify\fR\|(3), \fBCMS_encrypt\fR\|(3)
\&\fBCMS_decrypt\fR\|(3),
\&\fBPEM_write\fR\|(3),
\&\fBSMIME_write_CMS\fR\|(3),
\&\fBi2d_CMS_bio_stream\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBPEM_write_bio_CMS_stream()\fR function was added in OpenSSL 1.0.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PEM_write_bio_PKCS7_stream.3 b/secure/lib/libcrypto/man/man3/PEM_write_bio_PKCS7_stream.3
index 5083613c47b2..d64c55ceda16 100644
--- a/secure/lib/libcrypto/man/man3/PEM_write_bio_PKCS7_stream.3
+++ b/secure/lib/libcrypto/man/man3/PEM_write_bio_PKCS7_stream.3
@@ -1,179 +1,179 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PEM_WRITE_BIO_PKCS7_STREAM 3"
-.TH PEM_WRITE_BIO_PKCS7_STREAM 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PEM_WRITE_BIO_PKCS7_STREAM 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
PEM_write_bio_PKCS7_stream \- output PKCS7 structure in PEM format
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs7.h>
\&
\& int PEM_write_bio_PKCS7_stream(BIO *out, PKCS7 *p7, BIO *data, int flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBPEM_write_bio_PKCS7_stream()\fR outputs a \s-1PKCS7\s0 structure in \s-1PEM\s0 format.
.PP
It is otherwise identical to the function \fBSMIME_write_PKCS7()\fR.
.SH "NOTES"
.IX Header "NOTES"
This function is effectively a version of the \fBPEM_write_bio_PKCS7()\fR supporting
streaming.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBPEM_write_bio_PKCS7_stream()\fR returns 1 for success or 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBPKCS7_sign\fR\|(3),
\&\fBPKCS7_verify\fR\|(3), \fBPKCS7_encrypt\fR\|(3)
\&\fBPKCS7_decrypt\fR\|(3),
\&\fBSMIME_write_PKCS7\fR\|(3),
\&\fBi2d_PKCS7_bio_stream\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBPEM_write_bio_PKCS7_stream()\fR function was added in OpenSSL 1.0.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2007\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_create.3 b/secure/lib/libcrypto/man/man3/PKCS12_create.3
index ed9d8f4ff6fa..e82b7b4b0fd7 100644
--- a/secure/lib/libcrypto/man/man3/PKCS12_create.3
+++ b/secure/lib/libcrypto/man/man3/PKCS12_create.3
@@ -1,217 +1,217 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS12_CREATE 3"
-.TH PKCS12_CREATE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PKCS12_CREATE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
PKCS12_create \- create a PKCS#12 structure
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs12.h>
\&
\& PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey,
\& X509 *cert, STACK_OF(X509) *ca,
\& int nid_key, int nid_cert, int iter, int mac_iter, int keytype);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBPKCS12_create()\fR creates a PKCS#12 structure.
.PP
\&\fBpass\fR is the passphrase to use. \fBname\fR is the \fBfriendlyName\fR to use for
the supplied certificate and key. \fBpkey\fR is the private key to include in
the structure and \fBcert\fR its corresponding certificates. \fBca\fR, if not \fB\s-1NULL\s0\fR
is an optional set of certificates to also include in the structure.
.PP
\&\fBnid_key\fR and \fBnid_cert\fR are the encryption algorithms that should be used
for the key and certificate respectively. The modes
\&\s-1GCM, CCM, XTS,\s0 and \s-1OCB\s0 are unsupported. \fBiter\fR is the encryption algorithm
iteration count to use and \fBmac_iter\fR is the \s-1MAC\s0 iteration count to use.
\&\fBkeytype\fR is the type of key.
.SH "NOTES"
.IX Header "NOTES"
The parameters \fBnid_key\fR, \fBnid_cert\fR, \fBiter\fR, \fBmac_iter\fR and \fBkeytype\fR
can all be set to zero and sensible defaults will be used.
.PP
These defaults are: 40 bit \s-1RC2\s0 encryption for certificates, triple \s-1DES\s0
encryption for private keys, a key iteration count of \s-1PKCS12_DEFAULT_ITER\s0
(currently 2048) and a \s-1MAC\s0 iteration count of 1.
.PP
The default \s-1MAC\s0 iteration count is 1 in order to retain compatibility with
old software which did not interpret \s-1MAC\s0 iteration counts. If such compatibility
is not required then \fBmac_iter\fR should be set to \s-1PKCS12_DEFAULT_ITER.\s0
.PP
\&\fBkeytype\fR adds a flag to the store private key. This is a non standard extension
that is only currently interpreted by \s-1MSIE.\s0 If set to zero the flag is omitted,
if set to \fB\s-1KEY_SIG\s0\fR the key can be used for signing only, if set to \fB\s-1KEY_EX\s0\fR
it can be used for signing and encryption. This option was useful for old
export grade software which could use signing only keys of arbitrary size but
had restrictions on the permissible sizes of keys which could be used for
encryption.
.PP
If a certificate contains an \fBalias\fR or \fBkeyid\fR then this will be
used for the corresponding \fBfriendlyName\fR or \fBlocalKeyID\fR in the
\&\s-1PKCS12\s0 structure.
.PP
Either \fBpkey\fR, \fBcert\fR or both can be \fB\s-1NULL\s0\fR to indicate that no key or
certificate is required. In previous versions both had to be present or
a fatal error is returned.
.PP
\&\fBnid_key\fR or \fBnid_cert\fR can be set to \-1 indicating that no encryption
should be used.
.PP
\&\fBmac_iter\fR can be set to \-1 and the \s-1MAC\s0 will then be omitted entirely.
.PP
\&\fBPKCS12_create()\fR makes assumptions regarding the encoding of the given pass
phrase.
See \fBpassphrase\-encoding\fR\|(7) for more information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBPKCS12_create()\fR returns a valid \fB\s-1PKCS12\s0\fR structure or \s-1NULL\s0 if an error occurred.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_PKCS12\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_newpass.3 b/secure/lib/libcrypto/man/man3/PKCS12_newpass.3
index 7f10c4aa8ad0..cc1e6b86bf7b 100644
--- a/secure/lib/libcrypto/man/man3/PKCS12_newpass.3
+++ b/secure/lib/libcrypto/man/man3/PKCS12_newpass.3
@@ -1,246 +1,246 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS12_NEWPASS 3"
-.TH PKCS12_NEWPASS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PKCS12_NEWPASS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
PKCS12_newpass \- change the password of a PKCS12 structure
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs12.h>
\&
\& int PKCS12_newpass(PKCS12 *p12, const char *oldpass, const char *newpass);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBPKCS12_newpass()\fR changes the password of a \s-1PKCS12\s0 structure.
.PP
\&\fBp12\fR is a pointer to a \s-1PKCS12\s0 structure. \fBoldpass\fR is the existing password
and \fBnewpass\fR is the new password.
.SH "NOTES"
.IX Header "NOTES"
Each of \fBoldpass\fR and \fBnewpass\fR is independently interpreted as a string in
the \s-1UTF\-8\s0 encoding. If it is not valid \s-1UTF\-8,\s0 it is assumed to be \s-1ISO8859\-1\s0
instead.
.PP
In particular, this means that passwords in the locale character set
(or code page on Windows) must potentially be converted to \s-1UTF\-8\s0 before
use. This may include passwords from local text files, or input from
the terminal or command line. Refer to the documentation of
\&\fBUI_OpenSSL\fR\|(3), for example.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBPKCS12_newpass()\fR returns 1 on success or 0 on failure. Applications can
retrieve the most recent error from \fBPKCS12_newpass()\fR with \fBERR_get_error()\fR.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
This example loads a PKCS#12 file, changes its password and writes out
the result to a new file.
.PP
.Vb 5
\& #include <stdio.h>
\& #include <stdlib.h>
\& #include <openssl/pem.h>
\& #include <openssl/err.h>
\& #include <openssl/pkcs12.h>
\&
\& int main(int argc, char **argv)
\& {
\& FILE *fp;
\& PKCS12 *p12;
\&
\& if (argc != 5) {
\& fprintf(stderr, "Usage: pkread p12file password newpass opfile\en");
\& return 1;
\& }
\& if ((fp = fopen(argv[1], "rb")) == NULL) {
\& fprintf(stderr, "Error opening file %s\en", argv[1]);
\& return 1;
\& }
\& p12 = d2i_PKCS12_fp(fp, NULL);
\& fclose(fp);
\& if (p12 == NULL) {
\& fprintf(stderr, "Error reading PKCS#12 file\en");
\& ERR_print_errors_fp(stderr);
\& return 1;
\& }
\& if (PKCS12_newpass(p12, argv[2], argv[3]) == 0) {
\& fprintf(stderr, "Error changing password\en");
\& ERR_print_errors_fp(stderr);
\& PKCS12_free(p12);
\& return 1;
\& }
\& if ((fp = fopen(argv[4], "wb")) == NULL) {
\& fprintf(stderr, "Error opening file %s\en", argv[4]);
\& PKCS12_free(p12);
\& return 1;
\& }
\& i2d_PKCS12_fp(fp, p12);
\& PKCS12_free(p12);
\& fclose(fp);
\& return 0;
\& }
.Ve
.SH "NOTES"
.IX Header "NOTES"
If the PKCS#12 structure does not have a password, then you must use the empty
string "" for \fBoldpass\fR. Using \s-1NULL\s0 for \fBoldpass\fR will result in a
\&\fBPKCS12_newpass()\fR failure.
.PP
If the wrong password is used for \fBoldpass\fR then the function will fail,
with a \s-1MAC\s0 verification error. In rare cases the \s-1PKCS12\s0 structure does not
contain a \s-1MAC:\s0 in this case it will usually fail with a decryption padding
error.
.SH "BUGS"
.IX Header "BUGS"
The password format is a \s-1NULL\s0 terminated \s-1ASCII\s0 string which is converted to
Unicode form internally. As a result some passwords cannot be supplied to
this function.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPKCS12_create\fR\|(3), \fBERR_get_error\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS12_parse.3 b/secure/lib/libcrypto/man/man3/PKCS12_parse.3
index df0ea8617a47..5a385d3c7ed2 100644
--- a/secure/lib/libcrypto/man/man3/PKCS12_parse.3
+++ b/secure/lib/libcrypto/man/man3/PKCS12_parse.3
@@ -1,203 +1,203 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS12_PARSE 3"
-.TH PKCS12_PARSE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PKCS12_PARSE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
PKCS12_parse \- parse a PKCS#12 structure
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs12.h>
\&
\& int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
\& STACK_OF(X509) **ca);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBPKCS12_parse()\fR parses a \s-1PKCS12\s0 structure.
.PP
\&\fBp12\fR is the \fB\s-1PKCS12\s0\fR structure to parse. \fBpass\fR is the passphrase to use.
If successful the private key will be written to \fB*pkey\fR, the corresponding
certificate to \fB*cert\fR and any additional certificates to \fB*ca\fR.
.SH "NOTES"
.IX Header "NOTES"
The parameters \fBpkey\fR and \fBcert\fR cannot be \fB\s-1NULL\s0\fR. \fBca\fR can be <\s-1NULL\s0> in
which case additional certificates will be discarded. \fB*ca\fR can also be a
valid \s-1STACK\s0 in which case additional certificates are appended to \fB*ca\fR. If
\&\fB*ca\fR is \fB\s-1NULL\s0\fR a new \s-1STACK\s0 will be allocated.
.PP
The \fBfriendlyName\fR and \fBlocalKeyID\fR attributes (if present) on each
certificate will be stored in the \fBalias\fR and \fBkeyid\fR attributes of the
\&\fBX509\fR structure.
.PP
The parameter \fBpass\fR is interpreted as a string in the \s-1UTF\-8\s0 encoding. If it
is not valid \s-1UTF\-8,\s0 then it is assumed to be \s-1ISO8859\-1\s0 instead.
.PP
In particular, this means that passwords in the locale character set
(or code page on Windows) must potentially be converted to \s-1UTF\-8\s0 before
use. This may include passwords from local text files, or input from
the terminal or command line. Refer to the documentation of
\&\fBUI_OpenSSL\fR\|(3), for example.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBPKCS12_parse()\fR returns 1 for success and zero if an error occurred.
.PP
The error can be obtained from \fBERR_get_error\fR\|(3)
.SH "BUGS"
.IX Header "BUGS"
Only a single private key and corresponding certificate is returned by this
function. More complex PKCS#12 files with multiple private keys will only
return the first match.
.PP
Only \fBfriendlyName\fR and \fBlocalKeyID\fR attributes are currently stored in
certificates. Other attributes are discarded.
.PP
Attributes currently cannot be stored in the private key \fB\s-1EVP_PKEY\s0\fR structure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_PKCS12\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS5_PBKDF2_HMAC.3 b/secure/lib/libcrypto/man/man3/PKCS5_PBKDF2_HMAC.3
index 0203865f6751..1204245405f4 100644
--- a/secure/lib/libcrypto/man/man3/PKCS5_PBKDF2_HMAC.3
+++ b/secure/lib/libcrypto/man/man3/PKCS5_PBKDF2_HMAC.3
@@ -1,208 +1,208 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS5_PBKDF2_HMAC 3"
-.TH PKCS5_PBKDF2_HMAC 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PKCS5_PBKDF2_HMAC 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
PKCS5_PBKDF2_HMAC, PKCS5_PBKDF2_HMAC_SHA1 \- password based derivation routines with salt and iteration count
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
\& const unsigned char *salt, int saltlen, int iter,
\& const EVP_MD *digest,
\& int keylen, unsigned char *out);
\&
\& int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
\& const unsigned char *salt, int saltlen, int iter,
\& int keylen, unsigned char *out);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\s-1\fBPKCS5_PBKDF2_HMAC\s0()\fR derives a key from a password using a salt and iteration count
as specified in \s-1RFC 2898.\s0
.PP
\&\fBpass\fR is the password used in the derivation of length \fBpasslen\fR. \fBpass\fR
is an optional parameter and can be \s-1NULL.\s0 If \fBpasslen\fR is \-1, then the
function will calculate the length of \fBpass\fR using \fBstrlen()\fR.
.PP
\&\fBsalt\fR is the salt used in the derivation of length \fBsaltlen\fR. If the
\&\fBsalt\fR is \s-1NULL,\s0 then \fBsaltlen\fR must be 0. The function will not
attempt to calculate the length of the \fBsalt\fR because it is not assumed to
be \s-1NULL\s0 terminated.
.PP
\&\fBiter\fR is the iteration count and its value should be greater than or
equal to 1. \s-1RFC 2898\s0 suggests an iteration count of at least 1000. Any
\&\fBiter\fR less than 1 is treated as a single iteration.
.PP
\&\fBdigest\fR is the message digest function used in the derivation. Values include
any of the EVP_* message digests. \s-1\fBPKCS5_PBKDF2_HMAC_SHA1\s0()\fR calls
\&\s-1\fBPKCS5_PBKDF2_HMAC\s0()\fR with \fBEVP_sha1()\fR.
.PP
The derived key will be written to \fBout\fR. The size of the \fBout\fR buffer
is specified via \fBkeylen\fR.
.SH "NOTES"
.IX Header "NOTES"
A typical application of this function is to derive keying material for an
encryption algorithm from a password in the \fBpass\fR, a salt in \fBsalt\fR,
and an iteration count.
.PP
Increasing the \fBiter\fR parameter slows down the algorithm which makes it
harder for an attacker to perform a brute force attack using a large number
of candidate passwords.
.PP
These functions make no assumption regarding the given password.
It will simply be treated as a byte sequence.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\s-1\fBPKCS5_PBKDF2_HMAC\s0()\fR and \s-1\fBPBKCS5_PBKDF2_HMAC_SHA1\s0()\fR return 1 on success or 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7), \fBRAND_bytes\fR\|(3),
\&\fBEVP_BytesToKey\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2014\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS7_decrypt.3 b/secure/lib/libcrypto/man/man3/PKCS7_decrypt.3
index 6d8fab4e094b..63e6b5e88ce7 100644
--- a/secure/lib/libcrypto/man/man3/PKCS7_decrypt.3
+++ b/secure/lib/libcrypto/man/man3/PKCS7_decrypt.3
@@ -1,187 +1,187 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS7_DECRYPT 3"
-.TH PKCS7_DECRYPT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PKCS7_DECRYPT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
PKCS7_decrypt \- decrypt content from a PKCS#7 envelopedData structure
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs7.h>
\&
\& int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBPKCS7_decrypt()\fR extracts and decrypts the content from a PKCS#7 envelopedData
structure. \fBpkey\fR is the private key of the recipient, \fBcert\fR is the
recipients certificate, \fBdata\fR is a \s-1BIO\s0 to write the content to and
\&\fBflags\fR is an optional set of flags.
.SH "NOTES"
.IX Header "NOTES"
Although the recipients certificate is not needed to decrypt the data it is needed
to locate the appropriate (of possible several) recipients in the PKCS#7 structure.
.PP
The following flags can be passed in the \fBflags\fR parameter.
.PP
If the \fB\s-1PKCS7_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \fBtext/plain\fR are deleted
from the content. If the content is not of type \fBtext/plain\fR then an error is
returned.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBPKCS7_decrypt()\fR returns either 1 for success or 0 for failure.
The error can be obtained from \fBERR_get_error\fR\|(3)
.SH "BUGS"
.IX Header "BUGS"
\&\fBPKCS7_decrypt()\fR must be passed the correct recipient key and certificate. It would
be better if it could look up the correct key and certificate from a database.
.PP
The lack of single pass processing and need to hold all data in memory as
mentioned in \fBPKCS7_sign()\fR also applies to \fBPKCS7_verify()\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBPKCS7_encrypt\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS7_encrypt.3 b/secure/lib/libcrypto/man/man3/PKCS7_encrypt.3
index 0ea0fdec8939..eccab0f5ee2a 100644
--- a/secure/lib/libcrypto/man/man3/PKCS7_encrypt.3
+++ b/secure/lib/libcrypto/man/man3/PKCS7_encrypt.3
@@ -1,218 +1,218 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS7_ENCRYPT 3"
-.TH PKCS7_ENCRYPT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PKCS7_ENCRYPT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
PKCS7_encrypt \- create a PKCS#7 envelopedData structure
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs7.h>
\&
\& PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher,
\& int flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBPKCS7_encrypt()\fR creates and returns a PKCS#7 envelopedData structure. \fBcerts\fR
is a list of recipient certificates. \fBin\fR is the content to be encrypted.
\&\fBcipher\fR is the symmetric cipher to use. \fBflags\fR is an optional set of flags.
.SH "NOTES"
.IX Header "NOTES"
Only \s-1RSA\s0 keys are supported in PKCS#7 and envelopedData so the recipient
certificates supplied to this function must all contain \s-1RSA\s0 public keys, though
they do not have to be signed using the \s-1RSA\s0 algorithm.
.PP
\&\fBEVP_des_ede3_cbc()\fR (triple \s-1DES\s0) is the algorithm of choice for S/MIME use
because most clients will support it.
.PP
Some old \*(L"export grade\*(R" clients may only support weak encryption using 40 or 64
bit \s-1RC2.\s0 These can be used by passing \fBEVP_rc2_40_cbc()\fR and \fBEVP_rc2_64_cbc()\fR
respectively.
.PP
The algorithm passed in the \fBcipher\fR parameter must support \s-1ASN1\s0 encoding of
its parameters.
.PP
Many browsers implement a \*(L"sign and encrypt\*(R" option which is simply an S/MIME
envelopedData containing an S/MIME signed message. This can be readily produced
by storing the S/MIME signed message in a memory \s-1BIO\s0 and passing it to
\&\fBPKCS7_encrypt()\fR.
.PP
The following flags can be passed in the \fBflags\fR parameter.
.PP
If the \fB\s-1PKCS7_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \fBtext/plain\fR are
prepended to the data.
.PP
Normally the supplied content is translated into \s-1MIME\s0 canonical format (as
required by the S/MIME specifications) if \fB\s-1PKCS7_BINARY\s0\fR is set no translation
occurs. This option should be used if the supplied data is in binary format
otherwise the translation will corrupt it. If \fB\s-1PKCS7_BINARY\s0\fR is set then
\&\fB\s-1PKCS7_TEXT\s0\fR is ignored.
.PP
If the \fB\s-1PKCS7_STREAM\s0\fR flag is set a partial \fB\s-1PKCS7\s0\fR structure is output
suitable for streaming I/O: no data is read from the \s-1BIO\s0 \fBin\fR.
.SH "NOTES"
.IX Header "NOTES"
If the flag \fB\s-1PKCS7_STREAM\s0\fR is set the returned \fB\s-1PKCS7\s0\fR structure is \fBnot\fR
complete and outputting its contents via a function that does not
properly finalize the \fB\s-1PKCS7\s0\fR structure will give unpredictable
results.
.PP
Several functions including \fBSMIME_write_PKCS7()\fR, \fBi2d_PKCS7_bio_stream()\fR,
\&\fBPEM_write_bio_PKCS7_stream()\fR finalize the structure. Alternatively finalization
can be performed by obtaining the streaming \s-1ASN1\s0 \fB\s-1BIO\s0\fR directly using
\&\fBBIO_new_PKCS7()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBPKCS7_encrypt()\fR returns either a \s-1PKCS7\s0 structure or \s-1NULL\s0 if an error occurred.
The error can be obtained from \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBPKCS7_decrypt\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\s-1PKCS7_STREAM\s0\fR flag was added in OpenSSL 1.0.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS7_sign.3 b/secure/lib/libcrypto/man/man3/PKCS7_sign.3
index 62b7ad2bc661..9a46071cad82 100644
--- a/secure/lib/libcrypto/man/man3/PKCS7_sign.3
+++ b/secure/lib/libcrypto/man/man3/PKCS7_sign.3
@@ -1,252 +1,252 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS7_SIGN 3"
-.TH PKCS7_SIGN 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PKCS7_SIGN 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
PKCS7_sign \- create a PKCS#7 signedData structure
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs7.h>
\&
\& PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
\& BIO *data, int flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBPKCS7_sign()\fR creates and returns a PKCS#7 signedData structure. \fBsigncert\fR is
the certificate to sign with, \fBpkey\fR is the corresponding private key.
\&\fBcerts\fR is an optional additional set of certificates to include in the PKCS#7
structure (for example any intermediate CAs in the chain).
.PP
The data to be signed is read from \s-1BIO\s0 \fBdata\fR.
.PP
\&\fBflags\fR is an optional set of flags.
.SH "NOTES"
.IX Header "NOTES"
Any of the following flags (ored together) can be passed in the \fBflags\fR
parameter.
.PP
Many S/MIME clients expect the signed content to include valid \s-1MIME\s0 headers. If
the \fB\s-1PKCS7_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \fBtext/plain\fR are prepended
to the data.
.PP
If \fB\s-1PKCS7_NOCERTS\s0\fR is set the signer's certificate will not be included in the
\&\s-1PKCS7\s0 structure, the signer's certificate must still be supplied in the
\&\fBsigncert\fR parameter though. This can reduce the size of the signature if the
signers certificate can be obtained by other means: for example a previously
signed message.
.PP
The data being signed is included in the \s-1PKCS7\s0 structure, unless
\&\fB\s-1PKCS7_DETACHED\s0\fR is set in which case it is omitted. This is used for \s-1PKCS7\s0
detached signatures which are used in S/MIME plaintext signed messages for
example.
.PP
Normally the supplied content is translated into \s-1MIME\s0 canonical format (as
required by the S/MIME specifications) if \fB\s-1PKCS7_BINARY\s0\fR is set no translation
occurs. This option should be used if the supplied data is in binary format
otherwise the translation will corrupt it.
.PP
The signedData structure includes several PKCS#7 authenticatedAttributes
including the signing time, the PKCS#7 content type and the supported list of
ciphers in an SMIMECapabilities attribute. If \fB\s-1PKCS7_NOATTR\s0\fR is set then no
authenticatedAttributes will be used. If \fB\s-1PKCS7_NOSMIMECAP\s0\fR is set then just
the SMIMECapabilities are omitted.
.PP
If present the SMIMECapabilities attribute indicates support for the following
algorithms: triple \s-1DES, 128\s0 bit \s-1RC2, 64\s0 bit \s-1RC2, DES\s0 and 40 bit \s-1RC2.\s0 If any of
these algorithms is disabled then it will not be included.
.PP
If the flags \fB\s-1PKCS7_STREAM\s0\fR is set then the returned \fB\s-1PKCS7\s0\fR structure is
just initialized ready to perform the signing operation. The signing is however
\&\fBnot\fR performed and the data to be signed is not read from the \fBdata\fR
parameter. Signing is deferred until after the data has been written. In this
way data can be signed in a single pass.
.PP
If the \fB\s-1PKCS7_PARTIAL\s0\fR flag is set a partial \fB\s-1PKCS7\s0\fR structure is output to
which additional signers and capabilities can be added before finalization.
.SH "NOTES"
.IX Header "NOTES"
If the flag \fB\s-1PKCS7_STREAM\s0\fR is set the returned \fB\s-1PKCS7\s0\fR structure is \fBnot\fR
complete and outputting its contents via a function that does not properly
finalize the \fB\s-1PKCS7\s0\fR structure will give unpredictable results.
.PP
Several functions including \fBSMIME_write_PKCS7()\fR, \fBi2d_PKCS7_bio_stream()\fR,
\&\fBPEM_write_bio_PKCS7_stream()\fR finalize the structure. Alternatively finalization
can be performed by obtaining the streaming \s-1ASN1\s0 \fB\s-1BIO\s0\fR directly using
\&\fBBIO_new_PKCS7()\fR.
.PP
If a signer is specified it will use the default digest for the signing
algorithm. This is \fB\s-1SHA1\s0\fR for both \s-1RSA\s0 and \s-1DSA\s0 keys.
.PP
The \fBcerts\fR, \fBsigncert\fR and \fBpkey\fR parameters can all be
\&\fB\s-1NULL\s0\fR if the \fB\s-1PKCS7_PARTIAL\s0\fR flag is set. One or more signers can be added
using the function \fBPKCS7_sign_add_signer()\fR. \fBPKCS7_final()\fR must also be
called to finalize the structure if streaming is not enabled. Alternative
signing digests can also be specified using this method.
.PP
If \fBsigncert\fR and \fBpkey\fR are \s-1NULL\s0 then a certificates only
PKCS#7 structure is output.
.PP
In versions of OpenSSL before 1.0.0 the \fBsigncert\fR and \fBpkey\fR parameters must
\&\fB\s-1NOT\s0\fR be \s-1NULL.\s0
.SH "BUGS"
.IX Header "BUGS"
Some advanced attributes such as counter signatures are not supported.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBPKCS7_sign()\fR returns either a valid \s-1PKCS7\s0 structure or \s-1NULL\s0 if an error
occurred. The error can be obtained from \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBPKCS7_verify\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\s-1PKCS7_PARTIAL\s0\fR flag, and the ability for \fBcerts\fR, \fBsigncert\fR,
and \fBpkey\fR parameters to be \fB\s-1NULL\s0\fR were added in OpenSSL 1.0.0.
.PP
The \fB\s-1PKCS7_STREAM\s0\fR flag was added in OpenSSL 1.0.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS7_sign_add_signer.3 b/secure/lib/libcrypto/man/man3/PKCS7_sign_add_signer.3
index 649efa0000c0..27edd8730f24 100644
--- a/secure/lib/libcrypto/man/man3/PKCS7_sign_add_signer.3
+++ b/secure/lib/libcrypto/man/man3/PKCS7_sign_add_signer.3
@@ -1,224 +1,224 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS7_SIGN_ADD_SIGNER 3"
-.TH PKCS7_SIGN_ADD_SIGNER 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PKCS7_SIGN_ADD_SIGNER 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
PKCS7_sign_add_signer \- add a signer PKCS7 signed data structure
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs7.h>
\&
\& PKCS7_SIGNER_INFO *PKCS7_sign_add_signer(PKCS7 *p7, X509 *signcert,
\& EVP_PKEY *pkey, const EVP_MD *md, int flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBPKCS7_sign_add_signer()\fR adds a signer with certificate \fBsigncert\fR and private
key \fBpkey\fR using message digest \fBmd\fR to a \s-1PKCS7\s0 signed data structure
\&\fBp7\fR.
.PP
The \s-1PKCS7\s0 structure should be obtained from an initial call to \fBPKCS7_sign()\fR
with the flag \fB\s-1PKCS7_PARTIAL\s0\fR set or in the case or re-signing a valid \s-1PKCS7\s0
signed data structure.
.PP
If the \fBmd\fR parameter is \fB\s-1NULL\s0\fR then the default digest for the public
key algorithm will be used.
.PP
Unless the \fB\s-1PKCS7_REUSE_DIGEST\s0\fR flag is set the returned \s-1PKCS7\s0 structure
is not complete and must be finalized either by streaming (if applicable) or
a call to \fBPKCS7_final()\fR.
.SH "NOTES"
.IX Header "NOTES"
The main purpose of this function is to provide finer control over a PKCS#7
signed data structure where the simpler \fBPKCS7_sign()\fR function defaults are
not appropriate. For example if multiple signers or non default digest
algorithms are needed.
.PP
Any of the following flags (ored together) can be passed in the \fBflags\fR
parameter.
.PP
If \fB\s-1PKCS7_REUSE_DIGEST\s0\fR is set then an attempt is made to copy the content
digest value from the \s-1PKCS7\s0 structure: to add a signer to an existing structure.
An error occurs if a matching digest value cannot be found to copy. The
returned \s-1PKCS7\s0 structure will be valid and finalized when this flag is set.
.PP
If \fB\s-1PKCS7_PARTIAL\s0\fR is set in addition to \fB\s-1PKCS7_REUSE_DIGEST\s0\fR then the
\&\fB\s-1PKCS7_SIGNER_INO\s0\fR structure will not be finalized so additional attributes
can be added. In this case an explicit call to \fBPKCS7_SIGNER_INFO_sign()\fR is
needed to finalize it.
.PP
If \fB\s-1PKCS7_NOCERTS\s0\fR is set the signer's certificate will not be included in the
\&\s-1PKCS7\s0 structure, the signer's certificate must still be supplied in the
\&\fBsigncert\fR parameter though. This can reduce the size of the signature if the
signers certificate can be obtained by other means: for example a previously
signed message.
.PP
The signedData structure includes several PKCS#7 authenticatedAttributes
including the signing time, the PKCS#7 content type and the supported list of
ciphers in an SMIMECapabilities attribute. If \fB\s-1PKCS7_NOATTR\s0\fR is set then no
authenticatedAttributes will be used. If \fB\s-1PKCS7_NOSMIMECAP\s0\fR is set then just
the SMIMECapabilities are omitted.
.PP
If present the SMIMECapabilities attribute indicates support for the following
algorithms: triple \s-1DES, 128\s0 bit \s-1RC2, 64\s0 bit \s-1RC2, DES\s0 and 40 bit \s-1RC2.\s0 If any of
these algorithms is disabled then it will not be included.
.PP
\&\fBPKCS7_sign_add_signers()\fR returns an internal pointer to the \s-1PKCS7_SIGNER_INFO\s0
structure just added, this can be used to set additional attributes
before it is finalized.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBPKCS7_sign_add_signers()\fR returns an internal pointer to the \s-1PKCS7_SIGNER_INFO\s0
structure just added or \s-1NULL\s0 if an error occurs.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBPKCS7_sign\fR\|(3),
\&\fBPKCS7_final\fR\|(3),
.SH "HISTORY"
.IX Header "HISTORY"
The \fBPPKCS7_sign_add_signer()\fR function was added in OpenSSL 1.0.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2007\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/PKCS7_verify.3 b/secure/lib/libcrypto/man/man3/PKCS7_verify.3
index c559cb3a6e8b..5602242f14c1 100644
--- a/secure/lib/libcrypto/man/man3/PKCS7_verify.3
+++ b/secure/lib/libcrypto/man/man3/PKCS7_verify.3
@@ -1,258 +1,258 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS7_VERIFY 3"
-.TH PKCS7_VERIFY 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PKCS7_VERIFY 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
PKCS7_verify, PKCS7_get0_signers \- verify a PKCS#7 signedData structure
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs7.h>
\&
\& int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
\& BIO *indata, BIO *out, int flags);
\&
\& STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBPKCS7_verify()\fR verifies a PKCS#7 signedData structure. \fBp7\fR is the \s-1PKCS7\s0
structure to verify. \fBcerts\fR is a set of certificates in which to search for
the signer's certificate. \fBstore\fR is a trusted certificate store (used for
chain verification). \fBindata\fR is the signed data if the content is not
present in \fBp7\fR (that is it is detached). The content is written to \fBout\fR
if it is not \s-1NULL.\s0
.PP
\&\fBflags\fR is an optional set of flags, which can be used to modify the verify
operation.
.PP
\&\fBPKCS7_get0_signers()\fR retrieves the signer's certificates from \fBp7\fR, it does
\&\fBnot\fR check their validity or whether any signatures are valid. The \fBcerts\fR
and \fBflags\fR parameters have the same meanings as in \fBPKCS7_verify()\fR.
.SH "VERIFY PROCESS"
.IX Header "VERIFY PROCESS"
Normally the verify process proceeds as follows.
.PP
Initially some sanity checks are performed on \fBp7\fR. The type of \fBp7\fR must
be signedData. There must be at least one signature on the data and if
the content is detached \fBindata\fR cannot be \fB\s-1NULL\s0\fR. If the content is
not detached and \fBindata\fR is not \fB\s-1NULL\s0\fR, then the structure has both
embedded and external content. To treat this as an error, use the flag
\&\fB\s-1PKCS7_NO_DUAL_CONTENT\s0\fR.
The default behavior allows this, for compatibility with older
versions of OpenSSL.
.PP
An attempt is made to locate all the signer's certificates, first looking in
the \fBcerts\fR parameter (if it is not \fB\s-1NULL\s0\fR) and then looking in any certificates
contained in the \fBp7\fR structure itself. If any signer's certificates cannot be
located the operation fails.
.PP
Each signer's certificate is chain verified using the \fBsmimesign\fR purpose and
the supplied trusted certificate store. Any internal certificates in the message
are used as untrusted CAs. If any chain verify fails an error code is returned.
.PP
Finally the signed content is read (and written to \fBout\fR is it is not \s-1NULL\s0) and
the signature's checked.
.PP
If all signature's verify correctly then the function is successful.
.PP
Any of the following flags (ored together) can be passed in the \fBflags\fR parameter
to change the default verify behaviour. Only the flag \fB\s-1PKCS7_NOINTERN\s0\fR is
meaningful to \fBPKCS7_get0_signers()\fR.
.PP
If \fB\s-1PKCS7_NOINTERN\s0\fR is set the certificates in the message itself are not
searched when locating the signer's certificate. This means that all the signers
certificates must be in the \fBcerts\fR parameter.
.PP
If the \fB\s-1PKCS7_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \fBtext/plain\fR are deleted
from the content. If the content is not of type \fBtext/plain\fR then an error is
returned.
.PP
If \fB\s-1PKCS7_NOVERIFY\s0\fR is set the signer's certificates are not chain verified.
.PP
If \fB\s-1PKCS7_NOCHAIN\s0\fR is set then the certificates contained in the message are
not used as untrusted CAs. This means that the whole verify chain (apart from
the signer's certificate) must be contained in the trusted store.
.PP
If \fB\s-1PKCS7_NOSIGS\s0\fR is set then the signatures on the data are not checked.
.SH "NOTES"
.IX Header "NOTES"
One application of \fB\s-1PKCS7_NOINTERN\s0\fR is to only accept messages signed by
a small number of certificates. The acceptable certificates would be passed
in the \fBcerts\fR parameter. In this case if the signer is not one of the
certificates supplied in \fBcerts\fR then the verify will fail because the
signer cannot be found.
.PP
Care should be taken when modifying the default verify behaviour, for example
setting \fBPKCS7_NOVERIFY|PKCS7_NOSIGS\fR will totally disable all verification
and any signed message will be considered valid. This combination is however
useful if one merely wishes to write the content to \fBout\fR and its validity
is not considered important.
.PP
Chain verification should arguably be performed using the signing time rather
than the current time. However, since the signing time is supplied by the
signer it cannot be trusted without additional evidence (such as a trusted
timestamp).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBPKCS7_verify()\fR returns one for a successful verification and zero
if an error occurs.
.PP
\&\fBPKCS7_get0_signers()\fR returns all signers or \fB\s-1NULL\s0\fR if an error occurred.
.PP
The error can be obtained from \fBERR_get_error\fR\|(3)
.SH "BUGS"
.IX Header "BUGS"
The trusted certificate store is not searched for the signers certificate,
this is primarily due to the inadequacies of the current \fBX509_STORE\fR
functionality.
.PP
The lack of single pass processing and need to hold all data in memory as
mentioned in \fBPKCS7_sign()\fR also applies to \fBPKCS7_verify()\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBPKCS7_sign\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RAND_DRBG_generate.3 b/secure/lib/libcrypto/man/man3/RAND_DRBG_generate.3
index 7057f3ffaa16..e28e0f1843d9 100644
--- a/secure/lib/libcrypto/man/man3/RAND_DRBG_generate.3
+++ b/secure/lib/libcrypto/man/man3/RAND_DRBG_generate.3
@@ -1,214 +1,214 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RAND_DRBG_GENERATE 3"
-.TH RAND_DRBG_GENERATE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RAND_DRBG_GENERATE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RAND_DRBG_generate, RAND_DRBG_bytes \&\- generate random bytes using the given drbg instance
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rand_drbg.h>
\&
\& int RAND_DRBG_generate(RAND_DRBG *drbg,
\& unsigned char *out, size_t outlen,
\& int prediction_resistance,
\& const unsigned char *adin, size_t adinlen);
\&
\& int RAND_DRBG_bytes(RAND_DRBG *drbg,
\& unsigned char *out, size_t outlen);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBRAND_DRBG_generate()\fR generates \fBoutlen\fR random bytes using the given
\&\s-1DRBG\s0 instance \fBdrbg\fR and stores them in the buffer at \fBout\fR.
.PP
Before generating the output, the \s-1DRBG\s0 instance checks whether the maximum
number of generate requests (\fIreseed interval\fR) or the maximum timespan
(\fIreseed time interval\fR) since its last seeding have been reached.
If this is the case, the \s-1DRBG\s0 reseeds automatically.
Additionally, an immediate reseeding can be requested by setting the
\&\fBprediction_resistance\fR flag to 1. See \s-1NOTES\s0 section for more details.
.PP
The caller can optionally provide additional data to be used for reseeding
by passing a pointer \fBadin\fR to a buffer of length \fBadinlen\fR.
This additional data is mixed into the internal state of the random
generator but does not contribute to the entropy count.
The additional data can be omitted by setting \fBadin\fR to \s-1NULL\s0 and
\&\fBadinlen\fR to 0;
.PP
\&\fBRAND_DRBG_bytes()\fR generates \fBoutlen\fR random bytes using the given
\&\s-1DRBG\s0 instance \fBdrbg\fR and stores them in the buffer at \fBout\fR.
This function is a wrapper around the \fBRAND_DRBG_generate()\fR call,
which collects some additional data from low entropy sources
(e.g., a high resolution timer) and calls
RAND_DRBG_generate(drbg, out, outlen, 0, adin, adinlen).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRAND_DRBG_generate()\fR and \fBRAND_DRBG_bytes()\fR return 1 on success,
and 0 on failure.
.SH "NOTES"
.IX Header "NOTES"
The \fIreseed interval\fR and \fIreseed time interval\fR of the \fBdrbg\fR are set to
reasonable default values, which in general do not have to be adjusted.
If necessary, they can be changed using \fBRAND_DRBG_set_reseed_interval\fR\|(3)
and \fBRAND_DRBG_set_reseed_time_interval\fR\|(3), respectively.
.PP
A request for prediction resistance can only be satisfied by pulling fresh
entropy from one of the approved entropy sources listed in section 5.5.2 of
[\s-1NIST SP 800\-90C\s0].
Since the default \s-1DRBG\s0 implementation does not have access to such an approved
entropy source, a request for prediction resistance will always fail.
In other words, prediction resistance is currently not supported yet by the \s-1DRBG.\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBRAND_bytes\fR\|(3),
\&\fBRAND_DRBG_set_reseed_interval\fR\|(3),
\&\fBRAND_DRBG_set_reseed_time_interval\fR\|(3),
\&\s-1\fBRAND_DRBG\s0\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The \s-1RAND_DRBG\s0 functions were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RAND_DRBG_get0_master.3 b/secure/lib/libcrypto/man/man3/RAND_DRBG_get0_master.3
index bd1639ea3905..7107a482b05d 100644
--- a/secure/lib/libcrypto/man/man3/RAND_DRBG_get0_master.3
+++ b/secure/lib/libcrypto/man/man3/RAND_DRBG_get0_master.3
@@ -1,204 +1,204 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RAND_DRBG_GET0_MASTER 3"
-.TH RAND_DRBG_GET0_MASTER 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RAND_DRBG_GET0_MASTER 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RAND_DRBG_get0_master, RAND_DRBG_get0_public, RAND_DRBG_get0_private \&\- get access to the global RAND_DRBG instances
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rand_drbg.h>
\&
\& RAND_DRBG *RAND_DRBG_get0_master(void);
\& RAND_DRBG *RAND_DRBG_get0_public(void);
\& RAND_DRBG *RAND_DRBG_get0_private(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The default \s-1RAND API\s0 implementation (\fBRAND_OpenSSL()\fR) utilizes three
shared \s-1DRBG\s0 instances which are accessed via the \s-1RAND API:\s0
.PP
The <public> and <private> \s-1DRBG\s0 are thread-local instances, which are used
by \fBRAND_bytes()\fR and \fBRAND_priv_bytes()\fR, respectively.
The <master> \s-1DRBG\s0 is a global instance, which is not intended to be used
directly, but is used internally to reseed the other two instances.
.PP
These functions here provide access to the shared \s-1DRBG\s0 instances.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRAND_DRBG_get0_master()\fR returns a pointer to the <master> \s-1DRBG\s0 instance.
.PP
\&\fBRAND_DRBG_get0_public()\fR returns a pointer to the <public> \s-1DRBG\s0 instance.
.PP
\&\fBRAND_DRBG_get0_private()\fR returns a pointer to the <private> \s-1DRBG\s0 instance.
.SH "NOTES"
.IX Header "NOTES"
It is not thread-safe to access the <master> \s-1DRBG\s0 instance.
The <public> and <private> \s-1DRBG\s0 instance can be accessed safely, because
they are thread-local. Note however, that changes to these two instances
apply only to the current thread.
.PP
For that reason it is recommended not to change the settings of these
three instances directly.
Instead, an application should change the default settings for new \s-1DRBG\s0 instances
at initialization time, before creating additional threads.
.PP
During initialization, it is possible to change the reseed interval
and reseed time interval.
It is also possible to exchange the reseeding callbacks entirely.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBRAND_DRBG_set_callbacks\fR\|(3),
\&\fBRAND_DRBG_set_reseed_defaults\fR\|(3),
\&\fBRAND_DRBG_set_reseed_interval\fR\|(3),
\&\fBRAND_DRBG_set_reseed_time_interval\fR\|(3),
\&\fBRAND_DRBG_set_callbacks\fR\|(3),
\&\fBRAND_DRBG_generate\fR\|(3),
\&\s-1\fBRAND_DRBG\s0\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The \s-1RAND_DRBG\s0 functions were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RAND_DRBG_new.3 b/secure/lib/libcrypto/man/man3/RAND_DRBG_new.3
index ff86e6d287bd..2b502f529a27 100644
--- a/secure/lib/libcrypto/man/man3/RAND_DRBG_new.3
+++ b/secure/lib/libcrypto/man/man3/RAND_DRBG_new.3
@@ -1,247 +1,247 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RAND_DRBG_NEW 3"
-.TH RAND_DRBG_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RAND_DRBG_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RAND_DRBG_new, RAND_DRBG_secure_new, RAND_DRBG_set, RAND_DRBG_set_defaults, RAND_DRBG_instantiate, RAND_DRBG_uninstantiate, RAND_DRBG_free \&\- initialize and cleanup a RAND_DRBG instance
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rand_drbg.h>
\&
\&
\& RAND_DRBG *RAND_DRBG_new(int type,
\& unsigned int flags,
\& RAND_DRBG *parent);
\&
\& RAND_DRBG *RAND_DRBG_secure_new(int type,
\& unsigned int flags,
\& RAND_DRBG *parent);
\&
\& int RAND_DRBG_set(RAND_DRBG *drbg,
\& int type, unsigned int flags);
\&
\& int RAND_DRBG_set_defaults(int type, unsigned int flags);
\&
\& int RAND_DRBG_instantiate(RAND_DRBG *drbg,
\& const unsigned char *pers, size_t perslen);
\&
\& int RAND_DRBG_uninstantiate(RAND_DRBG *drbg);
\&
\& void RAND_DRBG_free(RAND_DRBG *drbg);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBRAND_DRBG_new()\fR and \fBRAND_DRBG_secure_new()\fR
create a new \s-1DRBG\s0 instance of the given \fBtype\fR, allocated from the heap resp.
the secure heap
(using \fBOPENSSL_zalloc()\fR resp. \fBOPENSSL_secure_zalloc()\fR).
.PP
\&\fBRAND_DRBG_set()\fR initializes the \fBdrbg\fR with the given \fBtype\fR and \fBflags\fR.
.PP
\&\fBRAND_DRBG_set_defaults()\fR sets the default \fBtype\fR and \fBflags\fR for new \s-1DRBG\s0
instances.
.PP
Currently, all \s-1DRBG\s0 types are based on AES-CTR, so \fBtype\fR can be one of the
following values: NID_aes_128_ctr, NID_aes_192_ctr, NID_aes_256_ctr.
Before the \s-1DRBG\s0 can be used to generate random bits, it is necessary to set
its type and to instantiate it.
.PP
The optional \fBflags\fR argument specifies a set of bit flags which can be
joined using the | operator. Currently, the only flag is
\&\s-1RAND_DRBG_FLAG_CTR_NO_DF,\s0 which disables the use of the derivation function
ctr_df. For an explanation, see [\s-1NIST SP 800\-90A\s0 Rev. 1].
.PP
If a \fBparent\fR instance is specified then this will be used instead of
the default entropy source for reseeding the \fBdrbg\fR. It is said that the
\&\fBdrbg\fR is \fIchained\fR to its \fBparent\fR.
For more information, see the \s-1NOTES\s0 section.
.PP
\&\fBRAND_DRBG_instantiate()\fR
seeds the \fBdrbg\fR instance using random input from trusted entropy sources.
Optionally, a personalization string \fBpers\fR of length \fBperslen\fR can be
specified.
To omit the personalization string, set \fBpers\fR=NULL and \fBperslen\fR=0;
.PP
\&\fBRAND_DRBG_uninstantiate()\fR
clears the internal state of the \fBdrbg\fR and puts it back in the
uninstantiated state.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRAND_DRBG_new()\fR and \fBRAND_DRBG_secure_new()\fR return a pointer to a \s-1DRBG\s0
instance allocated on the heap, resp. secure heap.
.PP
\&\fBRAND_DRBG_set()\fR,
\&\fBRAND_DRBG_instantiate()\fR, and
\&\fBRAND_DRBG_uninstantiate()\fR
return 1 on success, and 0 on failure.
.PP
\&\fBRAND_DRBG_free()\fR does not return a value.
.SH "NOTES"
.IX Header "NOTES"
The \s-1DRBG\s0 design supports \fIchaining\fR, which means that a \s-1DRBG\s0 instance can
use another \fBparent\fR \s-1DRBG\s0 instance instead of the default entropy source
to obtain fresh random input for reseeding, provided that \fBparent\fR \s-1DRBG\s0
instance was properly instantiated, either from a trusted entropy source,
or from yet another parent \s-1DRBG\s0 instance.
For a detailed description of the reseeding process, see \s-1\fBRAND_DRBG\s0\fR\|(7).
.PP
The default \s-1DRBG\s0 type and flags are applied only during creation of a \s-1DRBG\s0
instance.
To ensure that they are applied to the global and thread-local \s-1DRBG\s0 instances
(<master>, resp. <public> and <private>), it is necessary to call
\&\fBRAND_DRBG_set_defaults()\fR before creating any thread and before calling any
cryptographic routines that obtain random data directly or indirectly.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBOPENSSL_zalloc\fR\|(3),
\&\fBOPENSSL_secure_zalloc\fR\|(3),
\&\fBRAND_DRBG_generate\fR\|(3),
\&\s-1\fBRAND_DRBG\s0\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The \s-1RAND_DRBG\s0 functions were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RAND_DRBG_reseed.3 b/secure/lib/libcrypto/man/man3/RAND_DRBG_reseed.3
index 5ba6c08078f2..21f4e7f4059a 100644
--- a/secure/lib/libcrypto/man/man3/RAND_DRBG_reseed.3
+++ b/secure/lib/libcrypto/man/man3/RAND_DRBG_reseed.3
@@ -1,239 +1,239 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RAND_DRBG_RESEED 3"
-.TH RAND_DRBG_RESEED 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RAND_DRBG_RESEED 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RAND_DRBG_reseed, RAND_DRBG_set_reseed_interval, RAND_DRBG_set_reseed_time_interval, RAND_DRBG_set_reseed_defaults \&\- reseed a RAND_DRBG instance
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rand_drbg.h>
\&
\& int RAND_DRBG_reseed(RAND_DRBG *drbg,
\& const unsigned char *adin, size_t adinlen,
\& int prediction_resistance);
\&
\& int RAND_DRBG_set_reseed_interval(RAND_DRBG *drbg,
\& unsigned int interval);
\&
\& int RAND_DRBG_set_reseed_time_interval(RAND_DRBG *drbg,
\& time_t interval);
\&
\& int RAND_DRBG_set_reseed_defaults(
\& unsigned int master_reseed_interval,
\& unsigned int slave_reseed_interval,
\& time_t master_reseed_time_interval,
\& time_t slave_reseed_time_interval
\& );
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBRAND_DRBG_reseed()\fR
reseeds the given \fBdrbg\fR, obtaining entropy input from its entropy source
and mixing in the specified additional data provided in the buffer \fBadin\fR
of length \fBadinlen\fR.
The additional data can be omitted by setting \fBadin\fR to \s-1NULL\s0 and \fBadinlen\fR
to 0.
An immediate reseeding from a live entropy source can be requested by setting
the \fBprediction_resistance\fR flag to 1.
This feature is not implemented yet, so reseeding with prediction resistance
requested will always fail.
.PP
\&\fBRAND_DRBG_set_reseed_interval()\fR
sets the reseed interval of the \fBdrbg\fR, which is the maximum allowed number
of generate requests between consecutive reseedings.
If \fBinterval\fR > 0, then the \fBdrbg\fR will reseed automatically whenever the
number of generate requests since its last seeding exceeds the given reseed
interval.
If \fBinterval\fR == 0, then this feature is disabled.
.PP
\&\fBRAND_DRBG_set_reseed_time_interval()\fR
sets the reseed time interval of the \fBdrbg\fR, which is the maximum allowed
number of seconds between consecutive reseedings.
If \fBinterval\fR > 0, then the \fBdrbg\fR will reseed automatically whenever the
elapsed time since its last reseeding exceeds the given reseed time interval.
If \fBinterval\fR == 0, then this feature is disabled.
.PP
\&\fBRAND_DRBG_set_reseed_defaults()\fR sets the default values for the reseed interval
(\fBmaster_reseed_interval\fR and \fBslave_reseed_interval\fR)
and the reseed time interval
(\fBmaster_reseed_time_interval\fR and \fBslave_reseed_tme_interval\fR)
of \s-1DRBG\s0 instances.
The default values are set independently for master \s-1DRBG\s0 instances (which don't
have a parent) and slave \s-1DRBG\s0 instances (which are chained to a parent \s-1DRBG\s0).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRAND_DRBG_reseed()\fR,
\&\fBRAND_DRBG_set_reseed_interval()\fR, and
\&\fBRAND_DRBG_set_reseed_time_interval()\fR,
return 1 on success, 0 on failure.
.SH "NOTES"
.IX Header "NOTES"
The default OpenSSL random generator is already set up for automatic reseeding,
so in general it is not necessary to reseed it explicitly, or to modify
its reseeding thresholds.
.PP
Normally, the entropy input for seeding a \s-1DRBG\s0 is either obtained from a
trusted os entropy source or from a parent \s-1DRBG\s0 instance, which was seeded
(directly or indirectly) from a trusted os entropy source.
In exceptional cases it is possible to replace the reseeding mechanism entirely
by providing application defined callbacks using \fBRAND_DRBG_set_callbacks()\fR.
.PP
The reseeding default values are applied only during creation of a \s-1DRBG\s0 instance.
To ensure that they are applied to the global and thread-local \s-1DRBG\s0 instances
(<master>, resp. <public> and <private>), it is necessary to call
\&\fBRAND_DRBG_set_reseed_defaults()\fR before creating any thread and before calling any
cryptographic routines that obtain random data directly or indirectly.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBRAND_DRBG_generate\fR\|(3),
\&\fBRAND_DRBG_bytes\fR\|(3),
\&\fBRAND_DRBG_set_callbacks\fR\|(3).
\&\s-1\fBRAND_DRBG\s0\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The \s-1RAND_DRBG\s0 functions were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RAND_DRBG_set_callbacks.3 b/secure/lib/libcrypto/man/man3/RAND_DRBG_set_callbacks.3
index 6b3c9b6ba1c2..a043be3faa9d 100644
--- a/secure/lib/libcrypto/man/man3/RAND_DRBG_set_callbacks.3
+++ b/secure/lib/libcrypto/man/man3/RAND_DRBG_set_callbacks.3
@@ -1,268 +1,268 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RAND_DRBG_SET_CALLBACKS 3"
-.TH RAND_DRBG_SET_CALLBACKS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RAND_DRBG_SET_CALLBACKS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RAND_DRBG_set_callbacks, RAND_DRBG_get_entropy_fn, RAND_DRBG_cleanup_entropy_fn, RAND_DRBG_get_nonce_fn, RAND_DRBG_cleanup_nonce_fn \&\- set callbacks for reseeding
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rand_drbg.h>
\&
\&
\& int RAND_DRBG_set_callbacks(RAND_DRBG *drbg,
\& RAND_DRBG_get_entropy_fn get_entropy,
\& RAND_DRBG_cleanup_entropy_fn cleanup_entropy,
\& RAND_DRBG_get_nonce_fn get_nonce,
\& RAND_DRBG_cleanup_nonce_fn cleanup_nonce);
.Ve
.SS "Callback Functions"
.IX Subsection "Callback Functions"
.Vb 6
\& typedef size_t (*RAND_DRBG_get_entropy_fn)(
\& RAND_DRBG *drbg,
\& unsigned char **pout,
\& int entropy,
\& size_t min_len, size_t max_len,
\& int prediction_resistance);
\&
\& typedef void (*RAND_DRBG_cleanup_entropy_fn)(
\& RAND_DRBG *drbg,
\& unsigned char *out, size_t outlen);
\&
\& typedef size_t (*RAND_DRBG_get_nonce_fn)(
\& RAND_DRBG *drbg,
\& unsigned char **pout,
\& int entropy,
\& size_t min_len, size_t max_len);
\&
\& typedef void (*RAND_DRBG_cleanup_nonce_fn)(
\& RAND_DRBG *drbg,
\& unsigned char *out, size_t outlen);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBRAND_DRBG_set_callbacks()\fR sets the callbacks for obtaining fresh entropy and
the nonce when reseeding the given \fBdrbg\fR.
The callback functions are implemented and provided by the caller.
Their parameter lists need to match the function prototypes above.
.PP
Setting the callbacks is allowed only if the \s-1DRBG\s0 has not been initialized yet.
Otherwise, the operation will fail.
To change the settings for one of the three shared DRBGs it is necessary to call
\&\fBRAND_DRBG_uninstantiate()\fR first.
.PP
The \fBget_entropy\fR() callback is called by the \fBdrbg\fR when it requests fresh
random input.
It is expected that the callback allocates and fills a random buffer of size
\&\fBmin_len\fR <= size <= \fBmax_len\fR (in bytes) which contains at least \fBentropy\fR
bits of randomness.
The \fBprediction_resistance\fR flag indicates whether the reseeding was
triggered by a prediction resistance request.
.PP
The buffer's address is to be returned in *\fBpout\fR and the number of collected
randomness bytes as return value.
.PP
If the callback fails to acquire at least \fBentropy\fR bits of randomness,
it must indicate an error by returning a buffer length of 0.
.PP
If \fBprediction_resistance\fR was requested and the random source of the \s-1DRBG\s0
does not satisfy the conditions requested by [\s-1NIST SP 800\-90C\s0], then
it must also indicate an error by returning a buffer length of 0.
See \s-1NOTES\s0 section for more details.
.PP
The \fBcleanup_entropy\fR() callback is called from the \fBdrbg\fR to clear and
free the buffer allocated previously by \fBget_entropy()\fR.
The values \fBout\fR and \fBoutlen\fR are the random buffer's address and length,
as returned by the \fBget_entropy()\fR callback.
.PP
The \fBget_nonce\fR() and \fBcleanup_nonce\fR() callbacks are used to obtain a nonce
and free it again. A nonce is only required for instantiation (not for reseeding)
and only in the case where the \s-1DRBG\s0 uses a derivation function.
The callbacks are analogous to \fBget_entropy()\fR and \fBcleanup_entropy()\fR,
except for the missing prediction_resistance flag.
.PP
If the derivation function is disabled, then no nonce is used for instantiation,
and the \fBget_nonce\fR() and \fBcleanup_nonce\fR() callbacks can be omitted by
setting them to \s-1NULL.\s0
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRAND_DRBG_set_callbacks()\fR return 1 on success, and 0 on failure
.SH "NOTES"
.IX Header "NOTES"
It is important that \fBcleanup_entropy\fR() and \fBcleanup_nonce\fR() clear the buffer
contents safely before freeing it, in order not to leave sensitive information
about the \s-1DRBG\s0's state in memory.
.PP
A request for prediction resistance can only be satisfied by pulling fresh
entropy from one of the approved entropy sources listed in section 5.5.2 of
[\s-1NIST SP 800\-90C\s0].
Since the default implementation of the get_entropy callback does not have access
to such an approved entropy source, a request for prediction resistance will
always fail.
In other words, prediction resistance is currently not supported yet by the \s-1DRBG.\s0
.PP
The derivation function is disabled during initialization by calling the
\&\fBRAND_DRBG_set()\fR function with the \s-1RAND_DRBG_FLAG_CTR_NO_DF\s0 flag.
For more information on the derivation function and when it can be omitted,
see [\s-1NIST SP 800\-90A\s0 Rev. 1]. Roughly speaking it can be omitted if the random
source has \*(L"full entropy\*(R", i.e., contains 8 bits of entropy per byte.
.PP
Even if a nonce is required, the \fBget_nonce\fR() and \fBcleanup_nonce\fR()
callbacks can be omitted by setting them to \s-1NULL.\s0
In this case the \s-1DRBG\s0 will automatically request an extra amount of entropy
(using the \fBget_entropy\fR() and \fBcleanup_entropy\fR() callbacks) which it will
utilize for the nonce, following the recommendations of [\s-1NIST SP 800\-90A\s0 Rev. 1],
section 8.6.7.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBRAND_DRBG_new\fR\|(3),
\&\fBRAND_DRBG_reseed\fR\|(3),
\&\s-1\fBRAND_DRBG\s0\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The \s-1RAND_DRBG\s0 functions were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RAND_DRBG_set_ex_data.3 b/secure/lib/libcrypto/man/man3/RAND_DRBG_set_ex_data.3
index 5db89b7de216..feccaf9720b5 100644
--- a/secure/lib/libcrypto/man/man3/RAND_DRBG_set_ex_data.3
+++ b/secure/lib/libcrypto/man/man3/RAND_DRBG_set_ex_data.3
@@ -1,193 +1,193 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RAND_DRBG_SET_EX_DATA 3"
-.TH RAND_DRBG_SET_EX_DATA 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RAND_DRBG_SET_EX_DATA 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RAND_DRBG_set_ex_data, RAND_DRBG_get_ex_data, RAND_DRBG_get_ex_new_index \&\- store and retrieve extra data from the DRBG instance
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rand_drbg.h>
\&
\& int RAND_DRBG_set_ex_data(RAND_DRBG *drbg, int idx, void *data);
\&
\& void *RAND_DRBG_get_ex_data(const RAND_DRBG *drbg, int idx);
\&
\& int RAND_DRBG_get_ex_new_index(long argl, void *argp,
\& CRYPTO_EX_new *new_func,
\& CRYPTO_EX_dup *dup_func,
\& CRYPTO_EX_free *free_func);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBRAND_DRBG_set_ex_data()\fR enables an application to store arbitrary application
specific data \fBdata\fR in a \s-1RAND_DRBG\s0 instance \fBdrbg\fR. The index \fBidx\fR should
be a value previously returned from a call to \fBRAND_DRBG_get_ex_new_index()\fR.
.PP
\&\fBRAND_DRBG_get_ex_data()\fR retrieves application specific data previously stored
in an \s-1RAND_DRBG\s0 instance \fBdrbg\fR. The \fBidx\fR value should be the same as that
used when originally storing the data.
.PP
For more detailed information see \fBCRYPTO_get_ex_data\fR\|(3) and
\&\fBCRYPTO_set_ex_data\fR\|(3) which implement these functions and
\&\fBCRYPTO_get_ex_new_index\fR\|(3) for generating a unique index.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRAND_DRBG_set_ex_data()\fR returns 1 for success or 0 for failure.
.PP
\&\fBRAND_DRBG_get_ex_data()\fR returns the previously stored value or \s-1NULL\s0 on
failure. \s-1NULL\s0 may also be a valid value.
.SH "NOTES"
.IX Header "NOTES"
RAND_DRBG_get_ex_new_index(...) is implemented as a macro and equivalent to
CRYPTO_get_ex_new_index(\s-1CRYPTO_EX_INDEX_DRBG,...\s0).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBCRYPTO_get_ex_data\fR\|(3),
\&\fBCRYPTO_set_ex_data\fR\|(3),
\&\fBCRYPTO_get_ex_new_index\fR\|(3),
\&\s-1\fBRAND_DRBG\s0\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RAND_add.3 b/secure/lib/libcrypto/man/man3/RAND_add.3
index d050bbdd622d..0a2742f14d19 100644
--- a/secure/lib/libcrypto/man/man3/RAND_add.3
+++ b/secure/lib/libcrypto/man/man3/RAND_add.3
@@ -1,235 +1,235 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RAND_ADD 3"
-.TH RAND_ADD 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RAND_ADD 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RAND_add, RAND_poll, RAND_seed, RAND_status, RAND_event, RAND_screen, RAND_keep_random_devices_open \&\- add randomness to the PRNG or get its status
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rand.h>
\&
\& int RAND_status(void);
\& int RAND_poll();
\&
\& void RAND_add(const void *buf, int num, double randomness);
\& void RAND_seed(const void *buf, int num);
\&
\& void RAND_keep_random_devices_open(int keep);
.Ve
.PP
Deprecated:
.PP
.Vb 4
\& #if OPENSSL_API_COMPAT < 0x10100000L
\& int RAND_event(UINT iMsg, WPARAM wParam, LPARAM lParam);
\& void RAND_screen(void);
\& #endif
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions can be used to seed the random generator and to check its
seeded state.
In general, manual (re\-)seeding of the default OpenSSL random generator
(\fBRAND_OpenSSL\fR\|(3)) is not necessary (but allowed), since it does (re\-)seed
itself automatically using trusted system entropy sources.
This holds unless the default \s-1RAND_METHOD\s0 has been replaced or OpenSSL was
built with automatic reseeding disabled, see \s-1\fBRAND\s0\fR\|(7) for more details.
.PP
\&\fBRAND_status()\fR indicates whether or not the random generator has been sufficiently
seeded. If not, functions such as \fBRAND_bytes\fR\|(3) will fail.
.PP
\&\fBRAND_poll()\fR uses the system's capabilities to seed the random generator using
random input obtained from polling various trusted entropy sources.
The default choice of the entropy source can be modified at build time,
see \s-1\fBRAND\s0\fR\|(7) for more details.
.PP
\&\fBRAND_add()\fR mixes the \fBnum\fR bytes at \fBbuf\fR into the internal state
of the random generator.
This function will not normally be needed, as mentioned above.
The \fBrandomness\fR argument is an estimate of how much randomness is
contained in
\&\fBbuf\fR, in bytes, and should be a number between zero and \fBnum\fR.
Details about sources of randomness and how to estimate their randomness
can be found in the literature; for example [\s-1NIST SP 800\-90B\s0].
The content of \fBbuf\fR cannot be recovered from subsequent random generator output.
Applications that intend to save and restore random state in an external file
should consider using \fBRAND_load_file\fR\|(3) instead.
.PP
\&\fBRAND_seed()\fR is equivalent to \fBRAND_add()\fR with \fBrandomness\fR set to \fBnum\fR.
.PP
\&\fBRAND_keep_random_devices_open()\fR is used to control file descriptor
usage by the random seed sources. Some seed sources maintain open file
descriptors by default, which allows such sources to operate in a
\&\fBchroot\fR\|(2) jail without the associated device nodes being available. When
the \fBkeep\fR argument is zero, this call disables the retention of file
descriptors. Conversely, a nonzero argument enables the retention of
file descriptors. This function is usually called during initialization
and it takes effect immediately.
.PP
\&\fBRAND_event()\fR and \fBRAND_screen()\fR are equivalent to \fBRAND_poll()\fR and exist
for compatibility reasons only. See \s-1HISTORY\s0 section below.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRAND_status()\fR returns 1 if the random generator has been seeded
with enough data, 0 otherwise.
.PP
\&\fBRAND_poll()\fR returns 1 if it generated seed data, 0 otherwise.
.PP
\&\fBRAND_event()\fR returns \fBRAND_status()\fR.
.PP
The other functions do not return values.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBRAND_bytes\fR\|(3),
\&\fBRAND_egd\fR\|(3),
\&\fBRAND_load_file\fR\|(3),
\&\s-1\fBRAND\s0\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBRAND_event()\fR and \fBRAND_screen()\fR were deprecated in OpenSSL 1.1.0 and should
not be used.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RAND_bytes.3 b/secure/lib/libcrypto/man/man3/RAND_bytes.3
index be0af48bb905..068205a0ce34 100644
--- a/secure/lib/libcrypto/man/man3/RAND_bytes.3
+++ b/secure/lib/libcrypto/man/man3/RAND_bytes.3
@@ -1,215 +1,215 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RAND_BYTES 3"
-.TH RAND_BYTES 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RAND_BYTES 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RAND_bytes, RAND_priv_bytes, RAND_pseudo_bytes \- generate random data
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rand.h>
\&
\& int RAND_bytes(unsigned char *buf, int num);
\& int RAND_priv_bytes(unsigned char *buf, int num);
.Ve
.PP
Deprecated:
.PP
.Vb 3
\& #if OPENSSL_API_COMPAT < 0x10100000L
\& int RAND_pseudo_bytes(unsigned char *buf, int num);
\& #endif
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBRAND_bytes()\fR generates \fBnum\fR random bytes using a cryptographically
secure pseudo random generator (\s-1CSPRNG\s0) and stores them in \fBbuf\fR.
.PP
\&\fBRAND_priv_bytes()\fR has the same semantics as \fBRAND_bytes()\fR. It is intended to
be used for generating values that should remain private. If using the
default \s-1RAND_METHOD,\s0 this function uses a separate \*(L"private\*(R" \s-1PRNG\s0
instance so that a compromise of the \*(L"public\*(R" \s-1PRNG\s0 instance will not
affect the secrecy of these private values, as described in \s-1\fBRAND\s0\fR\|(7)
and \s-1\fBRAND_DRBG\s0\fR\|(7).
.SH "NOTES"
.IX Header "NOTES"
By default, the OpenSSL \s-1CSPRNG\s0 supports a security level of 256 bits, provided it
was able to seed itself from a trusted entropy source.
On all major platforms supported by OpenSSL (including the Unix-like platforms
and Windows), OpenSSL is configured to automatically seed the \s-1CSPRNG\s0 on first use
using the operating systems's random generator.
.PP
If the entropy source fails or is not available, the \s-1CSPRNG\s0 will enter an
error state and refuse to generate random bytes. For that reason, it is important
to always check the error return value of \fBRAND_bytes()\fR and \fBRAND_priv_bytes()\fR and
not take randomness for granted.
.PP
On other platforms, there might not be a trusted entropy source available
or OpenSSL might have been explicitly configured to use different entropy sources.
If you are in doubt about the quality of the entropy source, don't hesitate to ask
your operating system vendor or post a question on GitHub or the openssl-users
mailing list.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRAND_bytes()\fR and \fBRAND_priv_bytes()\fR
return 1 on success, \-1 if not supported by the current
\&\s-1RAND\s0 method, or 0 on other failure. The error code can be
obtained by \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBRAND_add\fR\|(3),
\&\fBRAND_bytes\fR\|(3),
\&\fBRAND_priv_bytes\fR\|(3),
\&\fBERR_get_error\fR\|(3),
\&\s-1\fBRAND\s0\fR\|(7),
\&\s-1\fBRAND_DRBG\s0\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
.IP "\(bu" 2
\&\fBRAND_pseudo_bytes()\fR was deprecated in OpenSSL 1.1.0; use \fBRAND_bytes()\fR instead.
.IP "\(bu" 2
The \fBRAND_priv_bytes()\fR function was added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RAND_cleanup.3 b/secure/lib/libcrypto/man/man3/RAND_cleanup.3
index 3800a478bc69..1e5db65b8366 100644
--- a/secure/lib/libcrypto/man/man3/RAND_cleanup.3
+++ b/secure/lib/libcrypto/man/man3/RAND_cleanup.3
@@ -1,175 +1,175 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RAND_CLEANUP 3"
-.TH RAND_CLEANUP 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RAND_CLEANUP 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RAND_cleanup \- erase the PRNG state
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rand.h>
\&
\& #if OPENSSL_API_COMPAT < 0x10100000L
\& void RAND_cleanup(void)
\& #endif
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Prior to OpenSSL 1.1.0, \fBRAND_cleanup()\fR released all resources used by
the \s-1PRNG.\s0 As of version 1.1.0, it does nothing and should not be called,
since no explicit initialisation or de-initialisation is necessary. See
\&\fBOPENSSL_init_crypto\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRAND_cleanup()\fR returns no value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\s-1\fBRAND\s0\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBRAND_cleanup()\fR was deprecated in OpenSSL 1.1.0; do not use it.
See \fBOPENSSL_init_crypto\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RAND_egd.3 b/secure/lib/libcrypto/man/man3/RAND_egd.3
index 1b9719ae9470..166b9d7b4911 100644
--- a/secure/lib/libcrypto/man/man3/RAND_egd.3
+++ b/secure/lib/libcrypto/man/man3/RAND_egd.3
@@ -1,193 +1,193 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RAND_EGD 3"
-.TH RAND_EGD 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RAND_EGD 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RAND_egd, RAND_egd_bytes, RAND_query_egd_bytes \- query entropy gathering daemon
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rand.h>
\&
\& int RAND_egd_bytes(const char *path, int num);
\& int RAND_egd(const char *path);
\&
\& int RAND_query_egd_bytes(const char *path, unsigned char *buf, int num);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
On older platforms without a good source of randomness such as \f(CW\*(C`/dev/urandom\*(C'\fR,
it is possible to query an Entropy Gathering Daemon (\s-1EGD\s0) over a local
socket to obtain randomness and seed the OpenSSL \s-1RNG.\s0
The protocol used is defined by the EGDs available at
<http://egd.sourceforge.net/> or <http://prngd.sourceforge.net>.
.PP
\&\fBRAND_egd_bytes()\fR requests \fBnum\fR bytes of randomness from an \s-1EGD\s0 at the
specified socket \fBpath\fR, and passes the data it receives into \fBRAND_add()\fR.
\&\fBRAND_egd()\fR is equivalent to \fBRAND_egd_bytes()\fR with \fBnum\fR set to 255.
.PP
\&\fBRAND_query_egd_bytes()\fR requests \fBnum\fR bytes of randomness from an \s-1EGD\s0 at
the specified socket \fBpath\fR, where \fBnum\fR must be less than 256.
If \fBbuf\fR is \fB\s-1NULL\s0\fR, it is equivalent to \fBRAND_egd_bytes()\fR.
If \fBbuf\fR is not \fB\s-1NULL\s0\fR, then the data is copied to the buffer and
\&\fBRAND_add()\fR is not called.
.PP
OpenSSL can be configured at build time to try to use the \s-1EGD\s0 for seeding
automatically.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRAND_egd()\fR and \fBRAND_egd_bytes()\fR return the number of bytes read from the
daemon on success, or \-1 if the connection failed or the daemon did not
return enough data to fully seed the \s-1PRNG.\s0
.PP
\&\fBRAND_query_egd_bytes()\fR returns the number of bytes read from the daemon on
success, or \-1 if the connection failed.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBRAND_add\fR\|(3),
\&\fBRAND_bytes\fR\|(3),
\&\s-1\fBRAND\s0\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RAND_load_file.3 b/secure/lib/libcrypto/man/man3/RAND_load_file.3
index 9a5c9d244cec..97cd2e5cd79e 100644
--- a/secure/lib/libcrypto/man/man3/RAND_load_file.3
+++ b/secure/lib/libcrypto/man/man3/RAND_load_file.3
@@ -1,218 +1,218 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RAND_LOAD_FILE 3"
-.TH RAND_LOAD_FILE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RAND_LOAD_FILE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RAND_load_file, RAND_write_file, RAND_file_name \- PRNG seed file
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rand.h>
\&
\& int RAND_load_file(const char *filename, long max_bytes);
\&
\& int RAND_write_file(const char *filename);
\&
\& const char *RAND_file_name(char *buf, size_t num);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBRAND_load_file()\fR reads a number of bytes from file \fBfilename\fR and
adds them to the \s-1PRNG.\s0 If \fBmax_bytes\fR is nonnegative,
up to \fBmax_bytes\fR are read;
if \fBmax_bytes\fR is \-1, the complete file is read.
Do not load the same file multiple times unless its contents have
been updated by \fBRAND_write_file()\fR between reads.
Also, note that \fBfilename\fR should be adequately protected so that an
attacker cannot replace or examine the contents.
If \fBfilename\fR is not a regular file, then user is considered to be
responsible for any side effects, e.g. non-anticipated blocking or
capture of controlling terminal.
.PP
\&\fBRAND_write_file()\fR writes a number of random bytes (currently 128) to
file \fBfilename\fR which can be used to initialize the \s-1PRNG\s0 by calling
\&\fBRAND_load_file()\fR in a later session.
.PP
\&\fBRAND_file_name()\fR generates a default path for the random seed
file. \fBbuf\fR points to a buffer of size \fBnum\fR in which to store the
filename.
.PP
On all systems, if the environment variable \fB\s-1RANDFILE\s0\fR is set, its
value will be used as the seed filename.
Otherwise, the file is called \f(CW\*(C`.rnd\*(C'\fR, found in platform dependent locations:
.IP "On Windows (in order of preference)" 4
.IX Item "On Windows (in order of preference)"
.Vb 1
\& %HOME%, %USERPROFILE%, %SYSTEMROOT%, C:\e
.Ve
.IP "On \s-1VMS\s0" 4
.IX Item "On VMS"
.Vb 1
\& SYS$LOGIN:
.Ve
.IP "On all other systems" 4
.IX Item "On all other systems"
.Vb 1
\& $HOME
.Ve
.PP
If \f(CW$HOME\fR (on non-Windows and non-VMS system) is not set either, or
\&\fBnum\fR is too small for the pathname, an error occurs.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRAND_load_file()\fR returns the number of bytes read or \-1 on error.
.PP
\&\fBRAND_write_file()\fR returns the number of bytes written, or \-1 if the
bytes written were generated without appropriate seeding.
.PP
\&\fBRAND_file_name()\fR returns a pointer to \fBbuf\fR on success, and \s-1NULL\s0 on
error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBRAND_add\fR\|(3),
\&\fBRAND_bytes\fR\|(3),
\&\s-1\fBRAND\s0\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RAND_set_rand_method.3 b/secure/lib/libcrypto/man/man3/RAND_set_rand_method.3
index 30480d0fa6a3..bd7dcf810199 100644
--- a/secure/lib/libcrypto/man/man3/RAND_set_rand_method.3
+++ b/secure/lib/libcrypto/man/man3/RAND_set_rand_method.3
@@ -1,203 +1,203 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RAND_SET_RAND_METHOD 3"
-.TH RAND_SET_RAND_METHOD 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RAND_SET_RAND_METHOD 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RAND_set_rand_method, RAND_get_rand_method, RAND_OpenSSL \- select RAND method
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rand.h>
\&
\& RAND_METHOD *RAND_OpenSSL(void);
\&
\& int RAND_set_rand_method(const RAND_METHOD *meth);
\&
\& const RAND_METHOD *RAND_get_rand_method(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
A \fB\s-1RAND_METHOD\s0\fR specifies the functions that OpenSSL uses for random number
generation.
.PP
\&\fBRAND_OpenSSL()\fR returns the default \fB\s-1RAND_METHOD\s0\fR implementation by OpenSSL.
This implementation ensures that the \s-1PRNG\s0 state is unique for each thread.
.PP
If an \fB\s-1ENGINE\s0\fR is loaded that provides the \s-1RAND API,\s0 however, it will
be used instead of the method returned by \fBRAND_OpenSSL()\fR.
.PP
\&\fBRAND_set_rand_method()\fR makes \fBmeth\fR the method for \s-1PRNG\s0 use. If an
\&\s-1ENGINE\s0 was providing the method, it will be released first.
.PP
\&\fBRAND_get_rand_method()\fR returns a pointer to the current \fB\s-1RAND_METHOD\s0\fR.
.SH "THE RAND_METHOD STRUCTURE"
.IX Header "THE RAND_METHOD STRUCTURE"
.Vb 8
\& typedef struct rand_meth_st {
\& int (*seed)(const void *buf, int num);
\& int (*bytes)(unsigned char *buf, int num);
\& void (*cleanup)(void);
\& int (*add)(const void *buf, int num, double entropy);
\& int (*pseudorand)(unsigned char *buf, int num);
\& int (*status)(void);
\& } RAND_METHOD;
.Ve
.PP
The fields point to functions that are used by, in order,
\&\fBRAND_seed()\fR, \fBRAND_bytes()\fR, internal \s-1RAND\s0 cleanup, \fBRAND_add()\fR, \fBRAND_pseudo_rand()\fR
and \fBRAND_status()\fR.
Each pointer may be \s-1NULL\s0 if the function is not implemented.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRAND_set_rand_method()\fR returns 1 on success and 0 on failure.
\&\fBRAND_get_rand_method()\fR and \fBRAND_OpenSSL()\fR return pointers to the respective
methods.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBRAND_bytes\fR\|(3),
\&\fBENGINE_by_id\fR\|(3),
\&\s-1\fBRAND\s0\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RC4_set_key.3 b/secure/lib/libcrypto/man/man3/RC4_set_key.3
index cbf66940a994..08104828e6a9 100644
--- a/secure/lib/libcrypto/man/man3/RC4_set_key.3
+++ b/secure/lib/libcrypto/man/man3/RC4_set_key.3
@@ -1,197 +1,197 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RC4_SET_KEY 3"
-.TH RC4_SET_KEY 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RC4_SET_KEY 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RC4_set_key, RC4 \- RC4 encryption
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rc4.h>
\&
\& void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
\&
\& void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata,
\& unsigned char *outdata);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This library implements the Alleged \s-1RC4\s0 cipher, which is described for
example in \fIApplied Cryptography\fR. It is believed to be compatible
with RC4[\s-1TM\s0], a proprietary cipher of \s-1RSA\s0 Security Inc.
.PP
\&\s-1RC4\s0 is a stream cipher with variable key length. Typically, 128 bit
(16 byte) keys are used for strong encryption, but shorter insecure
key sizes have been widely used due to export restrictions.
.PP
\&\s-1RC4\s0 consists of a key setup phase and the actual encryption or
decryption phase.
.PP
\&\fBRC4_set_key()\fR sets up the \fB\s-1RC4_KEY\s0\fR \fBkey\fR using the \fBlen\fR bytes long
key at \fBdata\fR.
.PP
\&\s-1\fBRC4\s0()\fR encrypts or decrypts the \fBlen\fR bytes of data at \fBindata\fR using
\&\fBkey\fR and places the result at \fBoutdata\fR. Repeated \s-1\fBRC4\s0()\fR calls with
the same \fBkey\fR yield a continuous key stream.
.PP
Since \s-1RC4\s0 is a stream cipher (the input is XORed with a pseudo-random
key stream to produce the output), decryption uses the same function
calls as encryption.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRC4_set_key()\fR and \s-1\fBRC4\s0()\fR do not return values.
.SH "NOTE"
.IX Header "NOTE"
Applications should use the higher level functions
\&\fBEVP_EncryptInit\fR\|(3) etc. instead of calling these
functions directly.
.PP
It is difficult to securely use stream ciphers. For example, do not perform
multiple encryptions using the same key stream.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_EncryptInit\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RIPEMD160_Init.3 b/secure/lib/libcrypto/man/man3/RIPEMD160_Init.3
index 3178b5de4e5d..f94ff5745532 100644
--- a/secure/lib/libcrypto/man/man3/RIPEMD160_Init.3
+++ b/secure/lib/libcrypto/man/man3/RIPEMD160_Init.3
@@ -1,200 +1,200 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RIPEMD160_INIT 3"
-.TH RIPEMD160_INIT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RIPEMD160_INIT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RIPEMD160, RIPEMD160_Init, RIPEMD160_Update, RIPEMD160_Final \- RIPEMD\-160 hash function
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ripemd.h>
\&
\& unsigned char *RIPEMD160(const unsigned char *d, unsigned long n,
\& unsigned char *md);
\&
\& int RIPEMD160_Init(RIPEMD160_CTX *c);
\& int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, unsigned long len);
\& int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\s-1RIPEMD\-160\s0 is a cryptographic hash function with a
160 bit output.
.PP
\&\s-1\fBRIPEMD160\s0()\fR computes the \s-1RIPEMD\-160\s0 message digest of the \fBn\fR
bytes at \fBd\fR and places it in \fBmd\fR (which must have space for
\&\s-1RIPEMD160_DIGEST_LENGTH\s0 == 20 bytes of output). If \fBmd\fR is \s-1NULL,\s0 the digest
is placed in a static array.
.PP
The following functions may be used if the message is not completely
stored in memory:
.PP
\&\fBRIPEMD160_Init()\fR initializes a \fB\s-1RIPEMD160_CTX\s0\fR structure.
.PP
\&\fBRIPEMD160_Update()\fR can be called repeatedly with chunks of the message to
be hashed (\fBlen\fR bytes at \fBdata\fR).
.PP
\&\fBRIPEMD160_Final()\fR places the message digest in \fBmd\fR, which must have
space for \s-1RIPEMD160_DIGEST_LENGTH\s0 == 20 bytes of output, and erases
the \fB\s-1RIPEMD160_CTX\s0\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\s-1\fBRIPEMD160\s0()\fR returns a pointer to the hash value.
.PP
\&\fBRIPEMD160_Init()\fR, \fBRIPEMD160_Update()\fR and \fBRIPEMD160_Final()\fR return 1 for
success, 0 otherwise.
.SH "NOTE"
.IX Header "NOTE"
Applications should use the higher level functions
\&\fBEVP_DigestInit\fR\|(3) etc. instead of calling these
functions directly.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
\&\s-1ISO/IEC 10118\-3:2016\s0 Dedicated Hash-Function 1 (\s-1RIPEMD\-160\s0).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_DigestInit\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_blinding_on.3 b/secure/lib/libcrypto/man/man3/RSA_blinding_on.3
index 59ab3b051379..a41a38b873ab 100644
--- a/secure/lib/libcrypto/man/man3/RSA_blinding_on.3
+++ b/secure/lib/libcrypto/man/man3/RSA_blinding_on.3
@@ -1,176 +1,176 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_BLINDING_ON 3"
-.TH RSA_BLINDING_ON 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RSA_BLINDING_ON 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RSA_blinding_on, RSA_blinding_off \- protect the RSA operation from timing attacks
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
\&
\& int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
\&
\& void RSA_blinding_off(RSA *rsa);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\s-1RSA\s0 is vulnerable to timing attacks. In a setup where attackers can
measure the time of \s-1RSA\s0 decryption or signature operations, blinding
must be used to protect the \s-1RSA\s0 operation from that attack.
.PP
\&\fBRSA_blinding_on()\fR turns blinding on for key \fBrsa\fR and generates a
random blinding factor. \fBctx\fR is \fB\s-1NULL\s0\fR or a preallocated and
initialized \fB\s-1BN_CTX\s0\fR.
.PP
\&\fBRSA_blinding_off()\fR turns blinding off and frees the memory used for
the blinding factor.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRSA_blinding_on()\fR returns 1 on success, and 0 if an error occurred.
.PP
\&\fBRSA_blinding_off()\fR returns no value.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_check_key.3 b/secure/lib/libcrypto/man/man3/RSA_check_key.3
index a895b1090f6a..919ec91a727d 100644
--- a/secure/lib/libcrypto/man/man3/RSA_check_key.3
+++ b/secure/lib/libcrypto/man/man3/RSA_check_key.3
@@ -1,213 +1,213 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_CHECK_KEY 3"
-.TH RSA_CHECK_KEY 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RSA_CHECK_KEY 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RSA_check_key_ex, RSA_check_key \- validate private RSA keys
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
\&
\& int RSA_check_key_ex(RSA *rsa, BN_GENCB *cb);
\&
\& int RSA_check_key(RSA *rsa);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBRSA_check_key_ex()\fR function validates \s-1RSA\s0 keys.
It checks that \fBp\fR and \fBq\fR are
in fact prime, and that \fBn = p*q\fR.
.PP
It does not work on \s-1RSA\s0 public keys that have only the modulus
and public exponent elements populated.
It also checks that \fBd*e = 1 mod (p\-1*q\-1)\fR,
and that \fBdmp1\fR, \fBdmq1\fR and \fBiqmp\fR are set correctly or are \fB\s-1NULL\s0\fR.
It performs integrity checks on all
the \s-1RSA\s0 key material, so the \s-1RSA\s0 key structure must contain all the private
key data too.
Therefore, it cannot be used with any arbitrary \s-1RSA\s0 key object,
even if it is otherwise fit for regular \s-1RSA\s0 operation.
.PP
The \fBcb\fR parameter is a callback that will be invoked in the same
manner as \fBBN_is_prime_ex\fR\|(3).
.PP
\&\fBRSA_check_key()\fR is equivalent to \fBRSA_check_key_ex()\fR with a \s-1NULL\s0 \fBcb\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRSA_check_key_ex()\fR and \fBRSA_check_key()\fR
return 1 if \fBrsa\fR is a valid \s-1RSA\s0 key, and 0 otherwise.
They return \-1 if an error occurs while checking the key.
.PP
If the key is invalid or an error occurred, the reason code can be
obtained using \fBERR_get_error\fR\|(3).
.SH "NOTES"
.IX Header "NOTES"
Unlike most other \s-1RSA\s0 functions, this function does \fBnot\fR work
transparently with any underlying \s-1ENGINE\s0 implementation because it uses the
key data in the \s-1RSA\s0 structure directly. An \s-1ENGINE\s0 implementation can
override the way key data is stored and handled, and can even provide
support for \s-1HSM\s0 keys \- in which case the \s-1RSA\s0 structure may contain \fBno\fR
key data at all! If the \s-1ENGINE\s0 in question is only being used for
acceleration or analysis purposes, then in all likelihood the \s-1RSA\s0 key data
is complete and untouched, but this can't be assumed in the general case.
.SH "BUGS"
.IX Header "BUGS"
A method of verifying the \s-1RSA\s0 key using opaque \s-1RSA API\s0 functions might need
to be considered. Right now \fBRSA_check_key()\fR simply uses the \s-1RSA\s0 structure
elements directly, bypassing the \s-1RSA_METHOD\s0 table altogether (and
completely violating encapsulation and object-orientation in the process).
The best fix will probably be to introduce a \*(L"\fBcheck_key()\fR\*(R" handler to the
\&\s-1RSA_METHOD\s0 function table so that alternative implementations can also
provide their own verifiers.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBBN_is_prime_ex\fR\|(3),
\&\fBERR_get_error\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBRSA_check_key_ex()\fR appeared after OpenSSL 1.0.2.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_generate_key.3 b/secure/lib/libcrypto/man/man3/RSA_generate_key.3
index 97484cd77b76..e8237aba2ed8 100644
--- a/secure/lib/libcrypto/man/man3/RSA_generate_key.3
+++ b/secure/lib/libcrypto/man/man3/RSA_generate_key.3
@@ -1,233 +1,233 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_GENERATE_KEY 3"
-.TH RSA_GENERATE_KEY 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RSA_GENERATE_KEY 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RSA_generate_key_ex, RSA_generate_key, RSA_generate_multi_prime_key \- generate RSA key pair
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
\&
\& int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
\& int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes, BIGNUM *e, BN_GENCB *cb);
.Ve
.PP
Deprecated:
.PP
.Vb 4
\& #if OPENSSL_API_COMPAT < 0x00908000L
\& RSA *RSA_generate_key(int bits, unsigned long e,
\& void (*callback)(int, int, void *), void *cb_arg);
\& #endif
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBRSA_generate_key_ex()\fR generates a 2\-prime \s-1RSA\s0 key pair and stores it in the
\&\fB\s-1RSA\s0\fR structure provided in \fBrsa\fR. The pseudo-random number generator must
be seeded prior to calling \fBRSA_generate_key_ex()\fR.
.PP
\&\fBRSA_generate_multi_prime_key()\fR generates a multi-prime \s-1RSA\s0 key pair and stores
it in the \fB\s-1RSA\s0\fR structure provided in \fBrsa\fR. The number of primes is given by
the \fBprimes\fR parameter. The random number generator must be seeded when
calling \fBRSA_generate_multi_prime_key()\fR.
If the automatic seeding or reseeding of the OpenSSL \s-1CSPRNG\s0 fails due to
external circumstances (see \s-1\fBRAND\s0\fR\|(7)), the operation will fail.
.PP
The modulus size will be of length \fBbits\fR, the number of primes to form the
modulus will be \fBprimes\fR, and the public exponent will be \fBe\fR. Key sizes
with \fBnum\fR < 1024 should be considered insecure. The exponent is an odd
number, typically 3, 17 or 65537.
.PP
In order to maintain adequate security level, the maximum number of permitted
\&\fBprimes\fR depends on modulus bit length:
.PP
.Vb 3
\& <1024 | >=1024 | >=4096 | >=8192
\& \-\-\-\-\-\-+\-\-\-\-\-\-\-\-+\-\-\-\-\-\-\-\-+\-\-\-\-\-\-\-
\& 2 | 3 | 4 | 5
.Ve
.PP
A callback function may be used to provide feedback about the
progress of the key generation. If \fBcb\fR is not \fB\s-1NULL\s0\fR, it
will be called as follows using the \fBBN_GENCB_call()\fR function
described on the \fBBN_generate_prime\fR\|(3) page.
.PP
\&\fBRSA_generate_key()\fR is similar to \fBRSA_generate_key_ex()\fR but
expects an old-style callback function; see
\&\fBBN_generate_prime\fR\|(3) for information on the old-style callback.
.IP "\(bu" 2
While a random prime number is generated, it is called as
described in \fBBN_generate_prime\fR\|(3).
.IP "\(bu" 2
When the n\-th randomly generated prime is rejected as not
suitable for the key, \fBBN_GENCB_call(cb, 2, n)\fR is called.
.IP "\(bu" 2
When a random p has been found with p\-1 relatively prime to \fBe\fR,
it is called as \fBBN_GENCB_call(cb, 3, 0)\fR.
.PP
The process is then repeated for prime q and other primes (if any)
with \fBBN_GENCB_call(cb, 3, i)\fR where \fBi\fR indicates the i\-th prime.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRSA_generate_multi_prime_key()\fR returns 1 on success or 0 on error.
\&\fBRSA_generate_key_ex()\fR returns 1 on success or 0 on error.
The error codes can be obtained by \fBERR_get_error\fR\|(3).
.PP
\&\fBRSA_generate_key()\fR returns a pointer to the \s-1RSA\s0 structure or
\&\fB\s-1NULL\s0\fR if the key generation fails.
.SH "BUGS"
.IX Header "BUGS"
\&\fBBN_GENCB_call(cb, 2, x)\fR is used with two different meanings.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBRAND_bytes\fR\|(3), \fBBN_generate_prime\fR\|(3),
\&\s-1\fBRAND\s0\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBRSA_generate_key()\fR was deprecated in OpenSSL 0.9.8; use
\&\fBRSA_generate_key_ex()\fR instead.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_get0_key.3 b/secure/lib/libcrypto/man/man3/RSA_get0_key.3
index bb8bcbe598eb..63e2b40ac40d 100644
--- a/secure/lib/libcrypto/man/man3/RSA_get0_key.3
+++ b/secure/lib/libcrypto/man/man3/RSA_get0_key.3
@@ -1,303 +1,303 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_GET0_KEY 3"
-.TH RSA_GET0_KEY 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RSA_GET0_KEY 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RSA_set0_key, RSA_set0_factors, RSA_set0_crt_params, RSA_get0_key, RSA_get0_factors, RSA_get0_crt_params, RSA_get0_n, RSA_get0_e, RSA_get0_d, RSA_get0_p, RSA_get0_q, RSA_get0_dmp1, RSA_get0_dmq1, RSA_get0_iqmp, RSA_get0_pss_params, RSA_clear_flags, RSA_test_flags, RSA_set_flags, RSA_get0_engine, RSA_get_multi_prime_extra_count, RSA_get0_multi_prime_factors, RSA_get0_multi_prime_crt_params, RSA_set0_multi_prime_params, RSA_get_version \&\- Routines for getting and setting data in an RSA object
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
\&
\& int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
\& int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
\& int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
\& void RSA_get0_key(const RSA *r,
\& const BIGNUM **n, const BIGNUM **e, const BIGNUM **d);
\& void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
\& void RSA_get0_crt_params(const RSA *r,
\& const BIGNUM **dmp1, const BIGNUM **dmq1,
\& const BIGNUM **iqmp);
\& const BIGNUM *RSA_get0_n(const RSA *d);
\& const BIGNUM *RSA_get0_e(const RSA *d);
\& const BIGNUM *RSA_get0_d(const RSA *d);
\& const BIGNUM *RSA_get0_p(const RSA *d);
\& const BIGNUM *RSA_get0_q(const RSA *d);
\& const BIGNUM *RSA_get0_dmp1(const RSA *r);
\& const BIGNUM *RSA_get0_dmq1(const RSA *r);
\& const BIGNUM *RSA_get0_iqmp(const RSA *r);
\& const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *r);
\& void RSA_clear_flags(RSA *r, int flags);
\& int RSA_test_flags(const RSA *r, int flags);
\& void RSA_set_flags(RSA *r, int flags);
\& ENGINE *RSA_get0_engine(RSA *r);
\& int RSA_get_multi_prime_extra_count(const RSA *r);
\& int RSA_get0_multi_prime_factors(const RSA *r, const BIGNUM *primes[]);
\& int RSA_get0_multi_prime_crt_params(const RSA *r, const BIGNUM *exps[],
\& const BIGNUM *coeffs[]);
\& int RSA_set0_multi_prime_params(RSA *r, BIGNUM *primes[], BIGNUM *exps[],
\& BIGNUM *coeffs[], int pnum);
\& int RSA_get_version(RSA *r);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
An \s-1RSA\s0 object contains the components for the public and private key,
\&\fBn\fR, \fBe\fR, \fBd\fR, \fBp\fR, \fBq\fR, \fBdmp1\fR, \fBdmq1\fR and \fBiqmp\fR. \fBn\fR is
the modulus common to both public and private key, \fBe\fR is the public
exponent and \fBd\fR is the private exponent. \fBp\fR, \fBq\fR, \fBdmp1\fR,
\&\fBdmq1\fR and \fBiqmp\fR are the factors for the second representation of a
private key (see PKCS#1 section 3 Key Types), where \fBp\fR and \fBq\fR are
the first and second factor of \fBn\fR and \fBdmp1\fR, \fBdmq1\fR and \fBiqmp\fR
are the exponents and coefficient for \s-1CRT\s0 calculations.
.PP
For multi-prime \s-1RSA\s0 (defined in \s-1RFC 8017\s0), there are also one or more
\&'triplet' in an \s-1RSA\s0 object. A triplet contains three members, \fBr\fR, \fBd\fR
and \fBt\fR. \fBr\fR is the additional prime besides \fBp\fR and \fBq\fR. \fBd\fR and
\&\fBt\fR are the exponent and coefficient for \s-1CRT\s0 calculations.
.PP
The \fBn\fR, \fBe\fR and \fBd\fR parameters can be obtained by calling
\&\fBRSA_get0_key()\fR. If they have not been set yet, then \fB*n\fR, \fB*e\fR and
\&\fB*d\fR will be set to \s-1NULL.\s0 Otherwise, they are set to pointers to
their respective values. These point directly to the internal
representations of the values and therefore should not be freed
by the caller.
.PP
The \fBn\fR, \fBe\fR and \fBd\fR parameter values can be set by calling
\&\fBRSA_set0_key()\fR and passing the new values for \fBn\fR, \fBe\fR and \fBd\fR as
parameters to the function. The values \fBn\fR and \fBe\fR must be non-NULL
the first time this function is called on a given \s-1RSA\s0 object. The
value \fBd\fR may be \s-1NULL.\s0 On subsequent calls any of these values may be
\&\s-1NULL\s0 which means the corresponding \s-1RSA\s0 field is left untouched.
Calling this function transfers the memory management of the values to
the \s-1RSA\s0 object, and therefore the values that have been passed in
should not be freed by the caller after this function has been called.
.PP
In a similar fashion, the \fBp\fR and \fBq\fR parameters can be obtained and
set with \fBRSA_get0_factors()\fR and \fBRSA_set0_factors()\fR, and the \fBdmp1\fR,
\&\fBdmq1\fR and \fBiqmp\fR parameters can be obtained and set with
\&\fBRSA_get0_crt_params()\fR and \fBRSA_set0_crt_params()\fR.
.PP
For \fBRSA_get0_key()\fR, \fBRSA_get0_factors()\fR, and \fBRSA_get0_crt_params()\fR,
\&\s-1NULL\s0 value \s-1BIGNUM\s0 ** output parameters are permitted. The functions
ignore \s-1NULL\s0 parameters but return values for other, non-NULL, parameters.
.PP
For multi-prime \s-1RSA,\s0 \fBRSA_get0_multi_prime_factors()\fR and \fBRSA_get0_multi_prime_params()\fR
can be used to obtain other primes and related \s-1CRT\s0 parameters. The
return values are stored in an array of \fB\s-1BIGNUM\s0 *\fR. \fBRSA_set0_multi_prime_params()\fR
sets a collect of multi-prime 'triplet' members (prime, exponent and coefficient)
into an \s-1RSA\s0 object.
.PP
Any of the values \fBn\fR, \fBe\fR, \fBd\fR, \fBp\fR, \fBq\fR, \fBdmp1\fR, \fBdmq1\fR, and \fBiqmp\fR can also be
retrieved separately by the corresponding function
\&\fBRSA_get0_n()\fR, \fBRSA_get0_e()\fR, \fBRSA_get0_d()\fR, \fBRSA_get0_p()\fR, \fBRSA_get0_q()\fR,
\&\fBRSA_get0_dmp1()\fR, \fBRSA_get0_dmq1()\fR, and \fBRSA_get0_iqmp()\fR, respectively.
.PP
\&\fBRSA_get0_pss_params()\fR is used to retrieve the RSA-PSS parameters.
.PP
\&\fBRSA_set_flags()\fR sets the flags in the \fBflags\fR parameter on the \s-1RSA\s0
object. Multiple flags can be passed in one go (bitwise ORed together).
Any flags that are already set are left set. \fBRSA_test_flags()\fR tests to
see whether the flags passed in the \fBflags\fR parameter are currently
set in the \s-1RSA\s0 object. Multiple flags can be tested in one go. All
flags that are currently set are returned, or zero if none of the
flags are set. \fBRSA_clear_flags()\fR clears the specified flags within the
\&\s-1RSA\s0 object.
.PP
\&\fBRSA_get0_engine()\fR returns a handle to the \s-1ENGINE\s0 that has been set for
this \s-1RSA\s0 object, or \s-1NULL\s0 if no such \s-1ENGINE\s0 has been set.
.PP
\&\fBRSA_get_version()\fR returns the version of an \s-1RSA\s0 object \fBr\fR.
.SH "NOTES"
.IX Header "NOTES"
Values retrieved with \fBRSA_get0_key()\fR are owned by the \s-1RSA\s0 object used
in the call and may therefore \fInot\fR be passed to \fBRSA_set0_key()\fR. If
needed, duplicate the received value using \fBBN_dup()\fR and pass the
duplicate. The same applies to \fBRSA_get0_factors()\fR and \fBRSA_set0_factors()\fR
as well as \fBRSA_get0_crt_params()\fR and \fBRSA_set0_crt_params()\fR.
.PP
The caller should obtain the size by calling \fBRSA_get_multi_prime_extra_count()\fR
in advance and allocate sufficient buffer to store the return values before
calling \fBRSA_get0_multi_prime_factors()\fR and \fBRSA_get0_multi_prime_params()\fR.
.PP
\&\fBRSA_set0_multi_prime_params()\fR always clears the original multi-prime
triplets in \s-1RSA\s0 object \fBr\fR and assign the new set of triplets into it.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRSA_set0_key()\fR, \fBRSA_set0_factors()\fR, \fBRSA_set0_crt_params()\fR and
\&\fBRSA_set0_multi_prime_params()\fR return 1 on success or 0 on failure.
.PP
\&\fBRSA_get0_n()\fR, \fBRSA_get0_e()\fR, \fBRSA_get0_d()\fR, \fBRSA_get0_p()\fR, \fBRSA_get0_q()\fR,
\&\fBRSA_get0_dmp1()\fR, \fBRSA_get0_dmq1()\fR, and \fBRSA_get0_iqmp()\fR
return the respective value.
.PP
\&\fBRSA_get0_multi_prime_factors()\fR and \fBRSA_get0_multi_prime_crt_params()\fR return
1 on success or 0 on failure.
.PP
\&\fBRSA_get_multi_prime_extra_count()\fR returns two less than the number of primes
in use, which is 0 for traditional \s-1RSA\s0 and the number of extra primes for
multi-prime \s-1RSA.\s0
.PP
\&\fBRSA_get_version()\fR returns \fB\s-1RSA_ASN1_VERSION_MULTI\s0\fR for multi-prime \s-1RSA\s0 and
\&\fB\s-1RSA_ASN1_VERSION_DEFAULT\s0\fR for normal two-prime \s-1RSA,\s0 as defined in \s-1RFC 8017.\s0
.PP
\&\fBRSA_test_flags()\fR returns the current state of the flags in the \s-1RSA\s0 object.
.PP
\&\fBRSA_get0_engine()\fR returns the \s-1ENGINE\s0 set for the \s-1RSA\s0 object or \s-1NULL\s0 if no
\&\s-1ENGINE\s0 has been set.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBRSA_new\fR\|(3), \fBRSA_size\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBRSA_get0_pss_params()\fR function was added in OpenSSL 1.1.1e.
.PP
The
\&\fBRSA_get_multi_prime_extra_count()\fR, \fBRSA_get0_multi_prime_factors()\fR,
\&\fBRSA_get0_multi_prime_crt_params()\fR, \fBRSA_set0_multi_prime_params()\fR,
and \fBRSA_get_version()\fR functions were added in OpenSSL 1.1.1.
.PP
Other functions described here were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_meth_new.3 b/secure/lib/libcrypto/man/man3/RSA_meth_new.3
index 8f3480d4d388..ba8bcff7462a 100644
--- a/secure/lib/libcrypto/man/man3/RSA_meth_new.3
+++ b/secure/lib/libcrypto/man/man3/RSA_meth_new.3
@@ -1,382 +1,382 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_METH_NEW 3"
-.TH RSA_METH_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RSA_METH_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RSA_meth_get0_app_data, RSA_meth_set0_app_data, RSA_meth_new, RSA_meth_free, RSA_meth_dup, RSA_meth_get0_name, RSA_meth_set1_name, RSA_meth_get_flags, RSA_meth_set_flags, RSA_meth_get_pub_enc, RSA_meth_set_pub_enc, RSA_meth_get_pub_dec, RSA_meth_set_pub_dec, RSA_meth_get_priv_enc, RSA_meth_set_priv_enc, RSA_meth_get_priv_dec, RSA_meth_set_priv_dec, RSA_meth_get_mod_exp, RSA_meth_set_mod_exp, RSA_meth_get_bn_mod_exp, RSA_meth_set_bn_mod_exp, RSA_meth_get_init, RSA_meth_set_init, RSA_meth_get_finish, RSA_meth_set_finish, RSA_meth_get_sign, RSA_meth_set_sign, RSA_meth_get_verify, RSA_meth_set_verify, RSA_meth_get_keygen, RSA_meth_set_keygen, RSA_meth_get_multi_prime_keygen, RSA_meth_set_multi_prime_keygen \&\- Routines to build up RSA methods
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
\&
\& RSA_METHOD *RSA_meth_new(const char *name, int flags);
\& void RSA_meth_free(RSA_METHOD *meth);
\&
\& RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth);
\&
\& const char *RSA_meth_get0_name(const RSA_METHOD *meth);
\& int RSA_meth_set1_name(RSA_METHOD *meth, const char *name);
\&
\& int RSA_meth_get_flags(const RSA_METHOD *meth);
\& int RSA_meth_set_flags(RSA_METHOD *meth, int flags);
\&
\& void *RSA_meth_get0_app_data(const RSA_METHOD *meth);
\& int RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data);
\&
\& int (*RSA_meth_get_pub_enc(const RSA_METHOD *meth))(int flen, const unsigned char *from,
\& unsigned char *to, RSA *rsa, int padding);
\& int RSA_meth_set_pub_enc(RSA_METHOD *rsa,
\& int (*pub_enc)(int flen, const unsigned char *from,
\& unsigned char *to, RSA *rsa,
\& int padding));
\&
\& int (*RSA_meth_get_pub_dec(const RSA_METHOD *meth))
\& (int flen, const unsigned char *from,
\& unsigned char *to, RSA *rsa, int padding);
\& int RSA_meth_set_pub_dec(RSA_METHOD *rsa,
\& int (*pub_dec)(int flen, const unsigned char *from,
\& unsigned char *to, RSA *rsa,
\& int padding));
\&
\& int (*RSA_meth_get_priv_enc(const RSA_METHOD *meth))(int flen, const unsigned char *from,
\& unsigned char *to, RSA *rsa,
\& int padding);
\& int RSA_meth_set_priv_enc(RSA_METHOD *rsa,
\& int (*priv_enc)(int flen, const unsigned char *from,
\& unsigned char *to, RSA *rsa, int padding));
\&
\& int (*RSA_meth_get_priv_dec(const RSA_METHOD *meth))(int flen, const unsigned char *from,
\& unsigned char *to, RSA *rsa,
\& int padding);
\& int RSA_meth_set_priv_dec(RSA_METHOD *rsa,
\& int (*priv_dec)(int flen, const unsigned char *from,
\& unsigned char *to, RSA *rsa, int padding));
\&
\& /* Can be null */
\& int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))(BIGNUM *r0, const BIGNUM *i,
\& RSA *rsa, BN_CTX *ctx);
\& int RSA_meth_set_mod_exp(RSA_METHOD *rsa,
\& int (*mod_exp)(BIGNUM *r0, const BIGNUM *i, RSA *rsa,
\& BN_CTX *ctx));
\&
\& /* Can be null */
\& int (*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth))(BIGNUM *r, const BIGNUM *a,
\& const BIGNUM *p, const BIGNUM *m,
\& BN_CTX *ctx, BN_MONT_CTX *m_ctx);
\& int RSA_meth_set_bn_mod_exp(RSA_METHOD *rsa,
\& int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a,
\& const BIGNUM *p, const BIGNUM *m,
\& BN_CTX *ctx, BN_MONT_CTX *m_ctx));
\&
\& /* called at new */
\& int (*RSA_meth_get_init(const RSA_METHOD *meth) (RSA *rsa);
\& int RSA_meth_set_init(RSA_METHOD *rsa, int (*init (RSA *rsa));
\&
\& /* called at free */
\& int (*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa);
\& int RSA_meth_set_finish(RSA_METHOD *rsa, int (*finish)(RSA *rsa));
\&
\& int (*RSA_meth_get_sign(const RSA_METHOD *meth))(int type, const unsigned char *m,
\& unsigned int m_length,
\& unsigned char *sigret,
\& unsigned int *siglen, const RSA *rsa);
\& int RSA_meth_set_sign(RSA_METHOD *rsa,
\& int (*sign)(int type, const unsigned char *m,
\& unsigned int m_length, unsigned char *sigret,
\& unsigned int *siglen, const RSA *rsa));
\&
\& int (*RSA_meth_get_verify(const RSA_METHOD *meth))(int dtype, const unsigned char *m,
\& unsigned int m_length,
\& const unsigned char *sigbuf,
\& unsigned int siglen, const RSA *rsa);
\& int RSA_meth_set_verify(RSA_METHOD *rsa,
\& int (*verify)(int dtype, const unsigned char *m,
\& unsigned int m_length,
\& const unsigned char *sigbuf,
\& unsigned int siglen, const RSA *rsa));
\&
\& int (*RSA_meth_get_keygen(const RSA_METHOD *meth))(RSA *rsa, int bits, BIGNUM *e,
\& BN_GENCB *cb);
\& int RSA_meth_set_keygen(RSA_METHOD *rsa,
\& int (*keygen)(RSA *rsa, int bits, BIGNUM *e,
\& BN_GENCB *cb));
\&
\& int (*RSA_meth_get_multi_prime_keygen(const RSA_METHOD *meth))(RSA *rsa, int bits,
\& int primes, BIGNUM *e,
\& BN_GENCB *cb);
\&
\& int RSA_meth_set_multi_prime_keygen(RSA_METHOD *meth,
\& int (*keygen) (RSA *rsa, int bits,
\& int primes, BIGNUM *e,
\& BN_GENCB *cb));
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fB\s-1RSA_METHOD\s0\fR type is a structure used for the provision of custom
\&\s-1RSA\s0 implementations. It provides a set of functions used by OpenSSL
for the implementation of the various \s-1RSA\s0 capabilities. See the rsa
page for more information.
.PP
\&\fBRSA_meth_new()\fR creates a new \fB\s-1RSA_METHOD\s0\fR structure. It should be
given a unique \fBname\fR and a set of \fBflags\fR. The \fBname\fR should be a
\&\s-1NULL\s0 terminated string, which will be duplicated and stored in the
\&\fB\s-1RSA_METHOD\s0\fR object. It is the callers responsibility to free the
original string. The flags will be used during the construction of a
new \fB\s-1RSA\s0\fR object based on this \fB\s-1RSA_METHOD\s0\fR. Any new \fB\s-1RSA\s0\fR object
will have those flags set by default.
.PP
\&\fBRSA_meth_dup()\fR creates a duplicate copy of the \fB\s-1RSA_METHOD\s0\fR object
passed as a parameter. This might be useful for creating a new
\&\fB\s-1RSA_METHOD\s0\fR based on an existing one, but with some differences.
.PP
\&\fBRSA_meth_free()\fR destroys an \fB\s-1RSA_METHOD\s0\fR structure and frees up any
memory associated with it.
.PP
\&\fBRSA_meth_get0_name()\fR will return a pointer to the name of this
\&\s-1RSA_METHOD.\s0 This is a pointer to the internal name string and so
should not be freed by the caller. \fBRSA_meth_set1_name()\fR sets the name
of the \s-1RSA_METHOD\s0 to \fBname\fR. The string is duplicated and the copy is
stored in the \s-1RSA_METHOD\s0 structure, so the caller remains responsible
for freeing the memory associated with the name.
.PP
\&\fBRSA_meth_get_flags()\fR returns the current value of the flags associated
with this \s-1RSA_METHOD.\s0 \fBRSA_meth_set_flags()\fR provides the ability to set
these flags.
.PP
The functions \fBRSA_meth_get0_app_data()\fR and \fBRSA_meth_set0_app_data()\fR
provide the ability to associate implementation specific data with the
\&\s-1RSA_METHOD.\s0 It is the application's responsibility to free this data
before the \s-1RSA_METHOD\s0 is freed via a call to \fBRSA_meth_free()\fR.
.PP
\&\fBRSA_meth_get_sign()\fR and \fBRSA_meth_set_sign()\fR get and set the function
used for creating an \s-1RSA\s0 signature respectively. This function will be
called in response to the application calling \fBRSA_sign()\fR. The
parameters for the function have the same meaning as for \fBRSA_sign()\fR.
.PP
\&\fBRSA_meth_get_verify()\fR and \fBRSA_meth_set_verify()\fR get and set the
function used for verifying an \s-1RSA\s0 signature respectively. This
function will be called in response to the application calling
\&\fBRSA_verify()\fR. The parameters for the function have the same meaning as
for \fBRSA_verify()\fR.
.PP
\&\fBRSA_meth_get_mod_exp()\fR and \fBRSA_meth_set_mod_exp()\fR get and set the
function used for \s-1CRT\s0 computations.
.PP
\&\fBRSA_meth_get_bn_mod_exp()\fR and \fBRSA_meth_set_bn_mod_exp()\fR get and set
the function used for \s-1CRT\s0 computations, specifically the following
value:
.PP
.Vb 1
\& r = a ^ p mod m
.Ve
.PP
Both the \fBmod_exp()\fR and \fBbn_mod_exp()\fR functions are called by the
default OpenSSL method during encryption, decryption, signing and
verification.
.PP
\&\fBRSA_meth_get_init()\fR and \fBRSA_meth_set_init()\fR get and set the function
used for creating a new \s-1RSA\s0 instance respectively. This function will
be called in response to the application calling \fBRSA_new()\fR (if the
current default \s-1RSA_METHOD\s0 is this one) or \fBRSA_new_method()\fR. The
\&\fBRSA_new()\fR and \fBRSA_new_method()\fR functions will allocate the memory for
the new \s-1RSA\s0 object, and a pointer to this newly allocated structure
will be passed as a parameter to the function. This function may be
\&\s-1NULL.\s0
.PP
\&\fBRSA_meth_get_finish()\fR and \fBRSA_meth_set_finish()\fR get and set the
function used for destroying an instance of an \s-1RSA\s0 object respectively.
This function will be called in response to the application calling
\&\fBRSA_free()\fR. A pointer to the \s-1RSA\s0 to be destroyed is passed as a
parameter. The destroy function should be used for \s-1RSA\s0 implementation
specific clean up. The memory for the \s-1RSA\s0 itself should not be freed
by this function. This function may be \s-1NULL.\s0
.PP
\&\fBRSA_meth_get_keygen()\fR and \fBRSA_meth_set_keygen()\fR get and set the
function used for generating a new \s-1RSA\s0 key pair respectively. This
function will be called in response to the application calling
\&\fBRSA_generate_key_ex()\fR. The parameter for the function has the same
meaning as for \fBRSA_generate_key_ex()\fR.
.PP
\&\fBRSA_meth_get_multi_prime_keygen()\fR and \fBRSA_meth_set_multi_prime_keygen()\fR get
and set the function used for generating a new multi-prime \s-1RSA\s0 key pair
respectively. This function will be called in response to the application calling
\&\fBRSA_generate_multi_prime_key()\fR. The parameter for the function has the same
meaning as for \fBRSA_generate_multi_prime_key()\fR.
.PP
\&\fBRSA_meth_get_pub_enc()\fR, \fBRSA_meth_set_pub_enc()\fR,
\&\fBRSA_meth_get_pub_dec()\fR, \fBRSA_meth_set_pub_dec()\fR,
\&\fBRSA_meth_get_priv_enc()\fR, \fBRSA_meth_set_priv_enc()\fR,
\&\fBRSA_meth_get_priv_dec()\fR, \fBRSA_meth_set_priv_dec()\fR get and set the
functions used for public and private key encryption and decryption.
These functions will be called in response to the application calling
\&\fBRSA_public_encrypt()\fR, \fBRSA_private_decrypt()\fR, \fBRSA_private_encrypt()\fR and
\&\fBRSA_public_decrypt()\fR and take the same parameters as those.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRSA_meth_new()\fR and \fBRSA_meth_dup()\fR return the newly allocated
\&\s-1RSA_METHOD\s0 object or \s-1NULL\s0 on failure.
.PP
\&\fBRSA_meth_get0_name()\fR and \fBRSA_meth_get_flags()\fR return the name and
flags associated with the \s-1RSA_METHOD\s0 respectively.
.PP
All other RSA_meth_get_*() functions return the appropriate function
pointer that has been set in the \s-1RSA_METHOD,\s0 or \s-1NULL\s0 if no such
pointer has yet been set.
.PP
RSA_meth_set1_name and all RSA_meth_set_*() functions return 1 on
success or 0 on failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBRSA_new\fR\|(3), \fBRSA_generate_key_ex\fR\|(3), \fBRSA_sign\fR\|(3),
\&\fBRSA_set_method\fR\|(3), \fBRSA_size\fR\|(3), \fBRSA_get0_key\fR\|(3),
\&\fBRSA_generate_multi_prime_key\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBRSA_meth_get_multi_prime_keygen()\fR and \fBRSA_meth_set_multi_prime_keygen()\fR were
added in OpenSSL 1.1.1.
.PP
Other functions described here were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_new.3 b/secure/lib/libcrypto/man/man3/RSA_new.3
index 29109ea2e65a..f01b3841ca03 100644
--- a/secure/lib/libcrypto/man/man3/RSA_new.3
+++ b/secure/lib/libcrypto/man/man3/RSA_new.3
@@ -1,179 +1,179 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_NEW 3"
-.TH RSA_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RSA_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RSA_new, RSA_free \- allocate and free RSA objects
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
\&
\& RSA *RSA_new(void);
\&
\& void RSA_free(RSA *rsa);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBRSA_new()\fR allocates and initializes an \fB\s-1RSA\s0\fR structure. It is equivalent to
calling RSA_new_method(\s-1NULL\s0).
.PP
\&\fBRSA_free()\fR frees the \fB\s-1RSA\s0\fR structure and its components. The key is
erased before the memory is returned to the system.
If \fBrsa\fR is \s-1NULL\s0 nothing is done.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
If the allocation fails, \fBRSA_new()\fR returns \fB\s-1NULL\s0\fR and sets an error
code that can be obtained by \fBERR_get_error\fR\|(3). Otherwise it returns
a pointer to the newly allocated structure.
.PP
\&\fBRSA_free()\fR returns no value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3),
\&\fBRSA_generate_key\fR\|(3),
\&\fBRSA_new_method\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_padding_add_PKCS1_type_1.3 b/secure/lib/libcrypto/man/man3/RSA_padding_add_PKCS1_type_1.3
index 1d15db12d7df..7cf06ed1f2ff 100644
--- a/secure/lib/libcrypto/man/man3/RSA_padding_add_PKCS1_type_1.3
+++ b/secure/lib/libcrypto/man/man3/RSA_padding_add_PKCS1_type_1.3
@@ -1,276 +1,276 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_PADDING_ADD_PKCS1_TYPE_1 3"
-.TH RSA_PADDING_ADD_PKCS1_TYPE_1 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RSA_PADDING_ADD_PKCS1_TYPE_1 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RSA_padding_add_PKCS1_type_1, RSA_padding_check_PKCS1_type_1, RSA_padding_add_PKCS1_type_2, RSA_padding_check_PKCS1_type_2, RSA_padding_add_PKCS1_OAEP, RSA_padding_check_PKCS1_OAEP, RSA_padding_add_PKCS1_OAEP_mgf1, RSA_padding_check_PKCS1_OAEP_mgf1, RSA_padding_add_SSLv23, RSA_padding_check_SSLv23, RSA_padding_add_none, RSA_padding_check_none \- asymmetric encryption padding
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
\&
\& int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
\& const unsigned char *f, int fl);
\&
\& int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
\& const unsigned char *f, int fl, int rsa_len);
\&
\& int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
\& const unsigned char *f, int fl);
\&
\& int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
\& const unsigned char *f, int fl, int rsa_len);
\&
\& int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
\& const unsigned char *f, int fl,
\& const unsigned char *p, int pl);
\&
\& int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
\& const unsigned char *f, int fl, int rsa_len,
\& const unsigned char *p, int pl);
\&
\& int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
\& const unsigned char *f, int fl,
\& const unsigned char *p, int pl,
\& const EVP_MD *md, const EVP_MD *mgf1md);
\&
\& int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
\& const unsigned char *f, int fl, int rsa_len,
\& const unsigned char *p, int pl,
\& const EVP_MD *md, const EVP_MD *mgf1md);
\&
\& int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
\& const unsigned char *f, int fl);
\&
\& int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
\& const unsigned char *f, int fl, int rsa_len);
\&
\& int RSA_padding_add_none(unsigned char *to, int tlen,
\& const unsigned char *f, int fl);
\&
\& int RSA_padding_check_none(unsigned char *to, int tlen,
\& const unsigned char *f, int fl, int rsa_len);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBRSA_padding_xxx_xxx()\fR functions are called from the \s-1RSA\s0 encrypt,
decrypt, sign and verify functions. Normally they should not be called
from application programs.
.PP
However, they can also be called directly to implement padding for other
asymmetric ciphers. \fBRSA_padding_add_PKCS1_OAEP()\fR and
\&\fBRSA_padding_check_PKCS1_OAEP()\fR may be used in an application combined
with \fB\s-1RSA_NO_PADDING\s0\fR in order to implement \s-1OAEP\s0 with an encoding
parameter.
.PP
\&\fBRSA_padding_add_xxx()\fR encodes \fBfl\fR bytes from \fBf\fR so as to fit into
\&\fBtlen\fR bytes and stores the result at \fBto\fR. An error occurs if \fBfl\fR
does not meet the size requirements of the encoding method.
.PP
The following encoding methods are implemented:
.IP "PKCS1_type_1" 4
.IX Item "PKCS1_type_1"
\&\s-1PKCS\s0 #1 v2.0 EMSA\-PKCS1\-v1_5 (\s-1PKCS\s0 #1 v1.5 block type 1); used for signatures
.IP "PKCS1_type_2" 4
.IX Item "PKCS1_type_2"
\&\s-1PKCS\s0 #1 v2.0 EME\-PKCS1\-v1_5 (\s-1PKCS\s0 #1 v1.5 block type 2)
.IP "\s-1PKCS1_OAEP\s0" 4
.IX Item "PKCS1_OAEP"
\&\s-1PKCS\s0 #1 v2.0 EME-OAEP
.IP "SSLv23" 4
.IX Item "SSLv23"
\&\s-1PKCS\s0 #1 EME\-PKCS1\-v1_5 with SSL-specific modification
.IP "none" 4
.IX Item "none"
simply copy the data
.PP
The random number generator must be seeded prior to calling
\&\fBRSA_padding_add_xxx()\fR.
If the automatic seeding or reseeding of the OpenSSL \s-1CSPRNG\s0 fails due to
external circumstances (see \s-1\fBRAND\s0\fR\|(7)), the operation will fail.
.PP
\&\fBRSA_padding_check_xxx()\fR verifies that the \fBfl\fR bytes at \fBf\fR contain
a valid encoding for a \fBrsa_len\fR byte \s-1RSA\s0 key in the respective
encoding method and stores the recovered data of at most \fBtlen\fR bytes
(for \fB\s-1RSA_NO_PADDING\s0\fR: of size \fBtlen\fR)
at \fBto\fR.
.PP
For \fBRSA_padding_xxx_OAEP()\fR, \fBp\fR points to the encoding parameter
of length \fBpl\fR. \fBp\fR may be \fB\s-1NULL\s0\fR if \fBpl\fR is 0.
.PP
For \fBRSA_padding_xxx_OAEP_mgf1()\fR, \fBmd\fR points to the md hash,
if \fBmd\fR is \fB\s-1NULL\s0\fR that means md=sha1, and \fBmgf1md\fR points to
the mgf1 hash, if \fBmgf1md\fR is \fB\s-1NULL\s0\fR that means mgf1md=md.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The \fBRSA_padding_add_xxx()\fR functions return 1 on success, 0 on error.
The \fBRSA_padding_check_xxx()\fR functions return the length of the
recovered data, \-1 on error. Error codes can be obtained by calling
\&\fBERR_get_error\fR\|(3).
.SH "WARNINGS"
.IX Header "WARNINGS"
The result of \fBRSA_padding_check_PKCS1_type_2()\fR is a very sensitive
information which can potentially be used to mount a Bleichenbacher
padding oracle attack. This is an inherent weakness in the \s-1PKCS\s0 #1
v1.5 padding design. Prefer \s-1PKCS1_OAEP\s0 padding. If that is not
possible, the result of \fBRSA_padding_check_PKCS1_type_2()\fR should be
checked in constant time if it matches the expected length of the
plaintext and additionally some application specific consistency
checks on the plaintext need to be performed in constant time.
If the plaintext is rejected it must be kept secret which of the
checks caused the application to reject the message.
Do not remove the zero-padding from the decrypted raw \s-1RSA\s0 data
which was computed by \fBRSA_private_decrypt()\fR with \fB\s-1RSA_NO_PADDING\s0\fR,
as this would create a small timing side channel which could be
used to mount a Bleichenbacher attack against any padding mode
including \s-1PKCS1_OAEP.\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBRSA_public_encrypt\fR\|(3),
\&\fBRSA_private_decrypt\fR\|(3),
\&\fBRSA_sign\fR\|(3), \fBRSA_verify\fR\|(3),
\&\s-1\fBRAND\s0\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_print.3 b/secure/lib/libcrypto/man/man3/RSA_print.3
index de072f0912d9..f98e40a6669b 100644
--- a/secure/lib/libcrypto/man/man3/RSA_print.3
+++ b/secure/lib/libcrypto/man/man3/RSA_print.3
@@ -1,182 +1,182 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_PRINT 3"
-.TH RSA_PRINT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RSA_PRINT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RSA_print, RSA_print_fp, DSAparams_print, DSAparams_print_fp, DSA_print, DSA_print_fp, DHparams_print, DHparams_print_fp \- print cryptographic parameters
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
\&
\& int RSA_print(BIO *bp, RSA *x, int offset);
\& int RSA_print_fp(FILE *fp, RSA *x, int offset);
\&
\& #include <openssl/dsa.h>
\&
\& int DSAparams_print(BIO *bp, DSA *x);
\& int DSAparams_print_fp(FILE *fp, DSA *x);
\& int DSA_print(BIO *bp, DSA *x, int offset);
\& int DSA_print_fp(FILE *fp, DSA *x, int offset);
\&
\& #include <openssl/dh.h>
\&
\& int DHparams_print(BIO *bp, DH *x);
\& int DHparams_print_fp(FILE *fp, DH *x);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
A human-readable hexadecimal output of the components of the \s-1RSA\s0
key, \s-1DSA\s0 parameters or key or \s-1DH\s0 parameters is printed to \fBbp\fR or \fBfp\fR.
.PP
The output lines are indented by \fBoffset\fR spaces.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return 1 on success, 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBBN_bn2bin\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_private_encrypt.3 b/secure/lib/libcrypto/man/man3/RSA_private_encrypt.3
index fe0c14076186..2a9d5922a259 100644
--- a/secure/lib/libcrypto/man/man3/RSA_private_encrypt.3
+++ b/secure/lib/libcrypto/man/man3/RSA_private_encrypt.3
@@ -1,200 +1,200 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_PRIVATE_ENCRYPT 3"
-.TH RSA_PRIVATE_ENCRYPT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RSA_PRIVATE_ENCRYPT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RSA_private_encrypt, RSA_public_decrypt \- low\-level signature operations
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
\&
\& int RSA_private_encrypt(int flen, unsigned char *from,
\& unsigned char *to, RSA *rsa, int padding);
\&
\& int RSA_public_decrypt(int flen, unsigned char *from,
\& unsigned char *to, RSA *rsa, int padding);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions handle \s-1RSA\s0 signatures at a low-level.
.PP
\&\fBRSA_private_encrypt()\fR signs the \fBflen\fR bytes at \fBfrom\fR (usually a
message digest with an algorithm identifier) using the private key
\&\fBrsa\fR and stores the signature in \fBto\fR. \fBto\fR must point to
\&\fBRSA_size(rsa)\fR bytes of memory.
.PP
\&\fBpadding\fR denotes one of the following modes:
.IP "\s-1RSA_PKCS1_PADDING\s0" 4
.IX Item "RSA_PKCS1_PADDING"
\&\s-1PKCS\s0 #1 v1.5 padding. This function does not handle the
\&\fBalgorithmIdentifier\fR specified in \s-1PKCS\s0 #1. When generating or
verifying \s-1PKCS\s0 #1 signatures, \fBRSA_sign\fR\|(3) and \fBRSA_verify\fR\|(3) should be
used.
.IP "\s-1RSA_NO_PADDING\s0" 4
.IX Item "RSA_NO_PADDING"
Raw \s-1RSA\s0 signature. This mode should \fIonly\fR be used to implement
cryptographically sound padding modes in the application code.
Signing user data directly with \s-1RSA\s0 is insecure.
.PP
\&\fBRSA_public_decrypt()\fR recovers the message digest from the \fBflen\fR
bytes long signature at \fBfrom\fR using the signer's public key
\&\fBrsa\fR. \fBto\fR must point to a memory section large enough to hold the
message digest (which is smaller than \fBRSA_size(rsa) \-
11\fR). \fBpadding\fR is the padding mode that was used to sign the data.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRSA_private_encrypt()\fR returns the size of the signature (i.e.,
RSA_size(rsa)). \fBRSA_public_decrypt()\fR returns the size of the
recovered message digest.
.PP
On error, \-1 is returned; the error codes can be
obtained by \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3),
\&\fBRSA_sign\fR\|(3), \fBRSA_verify\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_public_encrypt.3 b/secure/lib/libcrypto/man/man3/RSA_public_encrypt.3
index 64a7627ea55c..d9a2de13683b 100644
--- a/secure/lib/libcrypto/man/man3/RSA_public_encrypt.3
+++ b/secure/lib/libcrypto/man/man3/RSA_public_encrypt.3
@@ -1,231 +1,231 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_PUBLIC_ENCRYPT 3"
-.TH RSA_PUBLIC_ENCRYPT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RSA_PUBLIC_ENCRYPT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RSA_public_encrypt, RSA_private_decrypt \- RSA public key cryptography
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
\&
\& int RSA_public_encrypt(int flen, const unsigned char *from,
\& unsigned char *to, RSA *rsa, int padding);
\&
\& int RSA_private_decrypt(int flen, const unsigned char *from,
\& unsigned char *to, RSA *rsa, int padding);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBRSA_public_encrypt()\fR encrypts the \fBflen\fR bytes at \fBfrom\fR (usually a
session key) using the public key \fBrsa\fR and stores the ciphertext in
\&\fBto\fR. \fBto\fR must point to RSA_size(\fBrsa\fR) bytes of memory.
.PP
\&\fBpadding\fR denotes one of the following modes:
.IP "\s-1RSA_PKCS1_PADDING\s0" 4
.IX Item "RSA_PKCS1_PADDING"
\&\s-1PKCS\s0 #1 v1.5 padding. This currently is the most widely used mode.
However, it is highly recommended to use \s-1RSA_PKCS1_OAEP_PADDING\s0 in
new applications. \s-1SEE WARNING BELOW.\s0
.IP "\s-1RSA_PKCS1_OAEP_PADDING\s0" 4
.IX Item "RSA_PKCS1_OAEP_PADDING"
EME-OAEP as defined in \s-1PKCS\s0 #1 v2.0 with \s-1SHA\-1, MGF1\s0 and an empty
encoding parameter. This mode is recommended for all new applications.
.IP "\s-1RSA_SSLV23_PADDING\s0" 4
.IX Item "RSA_SSLV23_PADDING"
\&\s-1PKCS\s0 #1 v1.5 padding with an SSL-specific modification that denotes
that the server is \s-1SSL3\s0 capable.
.IP "\s-1RSA_NO_PADDING\s0" 4
.IX Item "RSA_NO_PADDING"
Raw \s-1RSA\s0 encryption. This mode should \fIonly\fR be used to implement
cryptographically sound padding modes in the application code.
Encrypting user data directly with \s-1RSA\s0 is insecure.
.PP
\&\fBflen\fR must not be more than RSA_size(\fBrsa\fR) \- 11 for the \s-1PKCS\s0 #1 v1.5
based padding modes, not more than RSA_size(\fBrsa\fR) \- 42 for
\&\s-1RSA_PKCS1_OAEP_PADDING\s0 and exactly RSA_size(\fBrsa\fR) for \s-1RSA_NO_PADDING.\s0
When a padding mode other than \s-1RSA_NO_PADDING\s0 is in use, then
\&\fBRSA_public_encrypt()\fR will include some random bytes into the ciphertext
and therefore the ciphertext will be different each time, even if the
plaintext and the public key are exactly identical.
The returned ciphertext in \fBto\fR will always be zero padded to exactly
RSA_size(\fBrsa\fR) bytes.
\&\fBto\fR and \fBfrom\fR may overlap.
.PP
\&\fBRSA_private_decrypt()\fR decrypts the \fBflen\fR bytes at \fBfrom\fR using the
private key \fBrsa\fR and stores the plaintext in \fBto\fR. \fBflen\fR should
be equal to RSA_size(\fBrsa\fR) but may be smaller, when leading zero
bytes are in the ciphertext. Those are not important and may be removed,
but \fBRSA_public_encrypt()\fR does not do that. \fBto\fR must point
to a memory section large enough to hold the maximal possible decrypted
data (which is equal to RSA_size(\fBrsa\fR) for \s-1RSA_NO_PADDING,\s0
RSA_size(\fBrsa\fR) \- 11 for the \s-1PKCS\s0 #1 v1.5 based padding modes and
RSA_size(\fBrsa\fR) \- 42 for \s-1RSA_PKCS1_OAEP_PADDING\s0).
\&\fBpadding\fR is the padding mode that was used to encrypt the data.
\&\fBto\fR and \fBfrom\fR may overlap.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRSA_public_encrypt()\fR returns the size of the encrypted data (i.e.,
RSA_size(\fBrsa\fR)). \fBRSA_private_decrypt()\fR returns the size of the
recovered plaintext. A return value of 0 is not an error and
means only that the plaintext was empty.
.PP
On error, \-1 is returned; the error codes can be
obtained by \fBERR_get_error\fR\|(3).
.SH "WARNINGS"
.IX Header "WARNINGS"
Decryption failures in the \s-1RSA_PKCS1_PADDING\s0 mode leak information
which can potentially be used to mount a Bleichenbacher padding oracle
attack. This is an inherent weakness in the \s-1PKCS\s0 #1 v1.5 padding
design. Prefer \s-1RSA_PKCS1_OAEP_PADDING.\s0
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
\&\s-1SSL, PKCS\s0 #1 v2.0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBRAND_bytes\fR\|(3),
\&\fBRSA_size\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_set_method.3 b/secure/lib/libcrypto/man/man3/RSA_set_method.3
index 006d72279ad8..72344b6764cf 100644
--- a/secure/lib/libcrypto/man/man3/RSA_set_method.3
+++ b/secure/lib/libcrypto/man/man3/RSA_set_method.3
@@ -1,315 +1,315 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_SET_METHOD 3"
-.TH RSA_SET_METHOD 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RSA_SET_METHOD 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RSA_set_default_method, RSA_get_default_method, RSA_set_method, RSA_get_method, RSA_PKCS1_OpenSSL, RSA_flags, RSA_new_method \- select RSA method
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
\&
\& void RSA_set_default_method(const RSA_METHOD *meth);
\&
\& RSA_METHOD *RSA_get_default_method(void);
\&
\& int RSA_set_method(RSA *rsa, const RSA_METHOD *meth);
\&
\& RSA_METHOD *RSA_get_method(const RSA *rsa);
\&
\& RSA_METHOD *RSA_PKCS1_OpenSSL(void);
\&
\& int RSA_flags(const RSA *rsa);
\&
\& RSA *RSA_new_method(ENGINE *engine);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
An \fB\s-1RSA_METHOD\s0\fR specifies the functions that OpenSSL uses for \s-1RSA\s0
operations. By modifying the method, alternative implementations such as
hardware accelerators may be used. \s-1IMPORTANT:\s0 See the \s-1NOTES\s0 section for
important information about how these \s-1RSA API\s0 functions are affected by the
use of \fB\s-1ENGINE\s0\fR \s-1API\s0 calls.
.PP
Initially, the default \s-1RSA_METHOD\s0 is the OpenSSL internal implementation,
as returned by \fBRSA_PKCS1_OpenSSL()\fR.
.PP
\&\fBRSA_set_default_method()\fR makes \fBmeth\fR the default method for all \s-1RSA\s0
structures created later.
\&\fB\s-1NB\s0\fR: This is true only whilst no \s-1ENGINE\s0 has
been set as a default for \s-1RSA,\s0 so this function is no longer recommended.
This function is not thread-safe and should not be called at the same time
as other OpenSSL functions.
.PP
\&\fBRSA_get_default_method()\fR returns a pointer to the current default
\&\s-1RSA_METHOD.\s0 However, the meaningfulness of this result is dependent on
whether the \s-1ENGINE API\s0 is being used, so this function is no longer
recommended.
.PP
\&\fBRSA_set_method()\fR selects \fBmeth\fR to perform all operations using the key
\&\fBrsa\fR. This will replace the \s-1RSA_METHOD\s0 used by the \s-1RSA\s0 key and if the
previous method was supplied by an \s-1ENGINE,\s0 the handle to that \s-1ENGINE\s0 will
be released during the change. It is possible to have \s-1RSA\s0 keys that only
work with certain \s-1RSA_METHOD\s0 implementations (e.g. from an \s-1ENGINE\s0 module
that supports embedded hardware-protected keys), and in such cases
attempting to change the \s-1RSA_METHOD\s0 for the key can have unexpected
results.
.PP
\&\fBRSA_get_method()\fR returns a pointer to the \s-1RSA_METHOD\s0 being used by \fBrsa\fR.
This method may or may not be supplied by an \s-1ENGINE\s0 implementation, but if
it is, the return value can only be guaranteed to be valid as long as the
\&\s-1RSA\s0 key itself is valid and does not have its implementation changed by
\&\fBRSA_set_method()\fR.
.PP
\&\fBRSA_flags()\fR returns the \fBflags\fR that are set for \fBrsa\fR's current
\&\s-1RSA_METHOD.\s0 See the \s-1BUGS\s0 section.
.PP
\&\fBRSA_new_method()\fR allocates and initializes an \s-1RSA\s0 structure so that
\&\fBengine\fR will be used for the \s-1RSA\s0 operations. If \fBengine\fR is \s-1NULL,\s0 the
default \s-1ENGINE\s0 for \s-1RSA\s0 operations is used, and if no default \s-1ENGINE\s0 is set,
the \s-1RSA_METHOD\s0 controlled by \fBRSA_set_default_method()\fR is used.
.PP
\&\fBRSA_flags()\fR returns the \fBflags\fR that are set for \fBrsa\fR's current method.
.PP
\&\fBRSA_new_method()\fR allocates and initializes an \fB\s-1RSA\s0\fR structure so that
\&\fBmethod\fR will be used for the \s-1RSA\s0 operations. If \fBmethod\fR is \fB\s-1NULL\s0\fR,
the default method is used.
.SH "THE RSA_METHOD STRUCTURE"
.IX Header "THE RSA_METHOD STRUCTURE"
.Vb 4
\& typedef struct rsa_meth_st
\& {
\& /* name of the implementation */
\& const char *name;
\&
\& /* encrypt */
\& int (*rsa_pub_enc)(int flen, unsigned char *from,
\& unsigned char *to, RSA *rsa, int padding);
\&
\& /* verify arbitrary data */
\& int (*rsa_pub_dec)(int flen, unsigned char *from,
\& unsigned char *to, RSA *rsa, int padding);
\&
\& /* sign arbitrary data */
\& int (*rsa_priv_enc)(int flen, unsigned char *from,
\& unsigned char *to, RSA *rsa, int padding);
\&
\& /* decrypt */
\& int (*rsa_priv_dec)(int flen, unsigned char *from,
\& unsigned char *to, RSA *rsa, int padding);
\&
\& /* compute r0 = r0 ^ I mod rsa\->n (May be NULL for some implementations) */
\& int (*rsa_mod_exp)(BIGNUM *r0, BIGNUM *I, RSA *rsa);
\&
\& /* compute r = a ^ p mod m (May be NULL for some implementations) */
\& int (*bn_mod_exp)(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
\& const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
\&
\& /* called at RSA_new */
\& int (*init)(RSA *rsa);
\&
\& /* called at RSA_free */
\& int (*finish)(RSA *rsa);
\&
\& /*
\& * RSA_FLAG_EXT_PKEY \- rsa_mod_exp is called for private key
\& * operations, even if p,q,dmp1,dmq1,iqmp
\& * are NULL
\& * RSA_METHOD_FLAG_NO_CHECK \- don\*(Aqt check pub/private match
\& */
\& int flags;
\&
\& char *app_data; /* ?? */
\&
\& int (*rsa_sign)(int type,
\& const unsigned char *m, unsigned int m_length,
\& unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
\& int (*rsa_verify)(int dtype,
\& const unsigned char *m, unsigned int m_length,
\& const unsigned char *sigbuf, unsigned int siglen,
\& const RSA *rsa);
\& /* keygen. If NULL builtin RSA key generation will be used */
\& int (*rsa_keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
\&
\& } RSA_METHOD;
.Ve
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRSA_PKCS1_OpenSSL()\fR, \fBRSA_PKCS1_null_method()\fR, \fBRSA_get_default_method()\fR
and \fBRSA_get_method()\fR return pointers to the respective RSA_METHODs.
.PP
\&\fBRSA_set_default_method()\fR returns no value.
.PP
\&\fBRSA_set_method()\fR returns a pointer to the old \s-1RSA_METHOD\s0 implementation
that was replaced. However, this return value should probably be ignored
because if it was supplied by an \s-1ENGINE,\s0 the pointer could be invalidated
at any time if the \s-1ENGINE\s0 is unloaded (in fact it could be unloaded as a
result of the \fBRSA_set_method()\fR function releasing its handle to the
\&\s-1ENGINE\s0). For this reason, the return type may be replaced with a \fBvoid\fR
declaration in a future release.
.PP
\&\fBRSA_new_method()\fR returns \s-1NULL\s0 and sets an error code that can be obtained
by \fBERR_get_error\fR\|(3) if the allocation fails. Otherwise
it returns a pointer to the newly allocated structure.
.SH "BUGS"
.IX Header "BUGS"
The behaviour of \fBRSA_flags()\fR is a mis-feature that is left as-is for now
to avoid creating compatibility problems. \s-1RSA\s0 functionality, such as the
encryption functions, are controlled by the \fBflags\fR value in the \s-1RSA\s0 key
itself, not by the \fBflags\fR value in the \s-1RSA_METHOD\s0 attached to the \s-1RSA\s0 key
(which is what this function returns). If the flags element of an \s-1RSA\s0 key
is changed, the changes will be honoured by \s-1RSA\s0 functionality but will not
be reflected in the return value of the \fBRSA_flags()\fR function \- in effect
\&\fBRSA_flags()\fR behaves more like an \fBRSA_default_flags()\fR function (which does
not currently exist).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBRSA_new\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBRSA_null_method()\fR, which was a partial attempt to avoid patent issues,
was replaced to always return \s-1NULL\s0 in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_sign.3 b/secure/lib/libcrypto/man/man3/RSA_sign.3
index 49c25e969df0..0bb146ab50f2 100644
--- a/secure/lib/libcrypto/man/man3/RSA_sign.3
+++ b/secure/lib/libcrypto/man/man3/RSA_sign.3
@@ -1,196 +1,196 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_SIGN 3"
-.TH RSA_SIGN 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RSA_SIGN 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RSA_sign, RSA_verify \- RSA signatures
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
\&
\& int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
\& unsigned char *sigret, unsigned int *siglen, RSA *rsa);
\&
\& int RSA_verify(int type, const unsigned char *m, unsigned int m_len,
\& unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBRSA_sign()\fR signs the message digest \fBm\fR of size \fBm_len\fR using the
private key \fBrsa\fR using RSASSA\-PKCS1\-v1_5 as specified in \s-1RFC 3447.\s0 It
stores the signature in \fBsigret\fR and the signature size in \fBsiglen\fR.
\&\fBsigret\fR must point to RSA_size(\fBrsa\fR) bytes of memory.
Note that \s-1PKCS\s0 #1 adds meta-data, placing limits on the size of the
key that can be used.
See \fBRSA_private_encrypt\fR\|(3) for lower-level
operations.
.PP
\&\fBtype\fR denotes the message digest algorithm that was used to generate
\&\fBm\fR.
If \fBtype\fR is \fBNID_md5_sha1\fR,
an \s-1SSL\s0 signature (\s-1MD5\s0 and \s-1SHA1\s0 message digests with \s-1PKCS\s0 #1 padding
and no algorithm identifier) is created.
.PP
\&\fBRSA_verify()\fR verifies that the signature \fBsigbuf\fR of size \fBsiglen\fR
matches a given message digest \fBm\fR of size \fBm_len\fR. \fBtype\fR denotes
the message digest algorithm that was used to generate the signature.
\&\fBrsa\fR is the signer's public key.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRSA_sign()\fR returns 1 on success.
\&\fBRSA_verify()\fR returns 1 on successful verification.
.PP
The error codes can be obtained by \fBERR_get_error\fR\|(3).
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
\&\s-1SSL, PKCS\s0 #1 v2.0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3),
\&\fBRSA_private_encrypt\fR\|(3),
\&\fBRSA_public_decrypt\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_sign_ASN1_OCTET_STRING.3 b/secure/lib/libcrypto/man/man3/RSA_sign_ASN1_OCTET_STRING.3
index 351300e7039b..3db370ff4e79 100644
--- a/secure/lib/libcrypto/man/man3/RSA_sign_ASN1_OCTET_STRING.3
+++ b/secure/lib/libcrypto/man/man3/RSA_sign_ASN1_OCTET_STRING.3
@@ -1,198 +1,198 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_SIGN_ASN1_OCTET_STRING 3"
-.TH RSA_SIGN_ASN1_OCTET_STRING 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RSA_SIGN_ASN1_OCTET_STRING 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RSA_sign_ASN1_OCTET_STRING, RSA_verify_ASN1_OCTET_STRING \- RSA signatures
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
\&
\& int RSA_sign_ASN1_OCTET_STRING(int dummy, unsigned char *m,
\& unsigned int m_len, unsigned char *sigret,
\& unsigned int *siglen, RSA *rsa);
\&
\& int RSA_verify_ASN1_OCTET_STRING(int dummy, unsigned char *m,
\& unsigned int m_len, unsigned char *sigbuf,
\& unsigned int siglen, RSA *rsa);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBRSA_sign_ASN1_OCTET_STRING()\fR signs the octet string \fBm\fR of size
\&\fBm_len\fR using the private key \fBrsa\fR represented in \s-1DER\s0 using \s-1PKCS\s0 #1
padding. It stores the signature in \fBsigret\fR and the signature size
in \fBsiglen\fR. \fBsigret\fR must point to \fBRSA_size(rsa)\fR bytes of
memory.
.PP
\&\fBdummy\fR is ignored.
.PP
The random number generator must be seeded when calling
\&\fBRSA_sign_ASN1_OCTET_STRING()\fR.
If the automatic seeding or reseeding of the OpenSSL \s-1CSPRNG\s0 fails due to
external circumstances (see \s-1\fBRAND\s0\fR\|(7)), the operation will fail.
.PP
\&\fBRSA_verify_ASN1_OCTET_STRING()\fR verifies that the signature \fBsigbuf\fR
of size \fBsiglen\fR is the \s-1DER\s0 representation of a given octet string
\&\fBm\fR of size \fBm_len\fR. \fBdummy\fR is ignored. \fBrsa\fR is the signer's
public key.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRSA_sign_ASN1_OCTET_STRING()\fR returns 1 on success, 0 otherwise.
\&\fBRSA_verify_ASN1_OCTET_STRING()\fR returns 1 on successful verification, 0
otherwise.
.PP
The error codes can be obtained by \fBERR_get_error\fR\|(3).
.SH "BUGS"
.IX Header "BUGS"
These functions serve no recognizable purpose.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3),
\&\fBRAND_bytes\fR\|(3), \fBRSA_sign\fR\|(3),
\&\fBRSA_verify\fR\|(3),
\&\s-1\fBRAND\s0\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/RSA_size.3 b/secure/lib/libcrypto/man/man3/RSA_size.3
index 7ed192ca1a89..1d20f81691c4 100644
--- a/secure/lib/libcrypto/man/man3/RSA_size.3
+++ b/secure/lib/libcrypto/man/man3/RSA_size.3
@@ -1,186 +1,186 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA_SIZE 3"
-.TH RSA_SIZE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RSA_SIZE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RSA_size, RSA_bits, RSA_security_bits \- get RSA modulus size or security bits
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rsa.h>
\&
\& int RSA_size(const RSA *rsa);
\&
\& int RSA_bits(const RSA *rsa);
\&
\& int RSA_security_bits(const RSA *rsa)
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBRSA_size()\fR returns the \s-1RSA\s0 modulus size in bytes. It can be used to
determine how much memory must be allocated for an \s-1RSA\s0 encrypted
value.
.PP
\&\fBRSA_bits()\fR returns the number of significant bits.
.PP
\&\fBrsa\fR and \fBrsa\->n\fR must not be \fB\s-1NULL\s0\fR.
.PP
\&\fBRSA_security_bits()\fR returns the number of security bits of the given \fBrsa\fR
key. See \fBBN_security_bits\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBRSA_size()\fR returns the size of modulus in bytes.
.PP
\&\fBDSA_bits()\fR returns the number of bits in the key.
.PP
\&\fBRSA_security_bits()\fR returns the number of security bits.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBBN_num_bits\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBRSA_bits()\fR function was added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SCT_new.3 b/secure/lib/libcrypto/man/man3/SCT_new.3
index dd2845f2a038..4167b565e898 100644
--- a/secure/lib/libcrypto/man/man3/SCT_new.3
+++ b/secure/lib/libcrypto/man/man3/SCT_new.3
@@ -1,306 +1,306 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SCT_NEW 3"
-.TH SCT_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SCT_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SCT_new, SCT_new_from_base64, SCT_free, SCT_LIST_free, SCT_get_version, SCT_set_version, SCT_get_log_entry_type, SCT_set_log_entry_type, SCT_get0_log_id, SCT_set0_log_id, SCT_set1_log_id, SCT_get_timestamp, SCT_set_timestamp, SCT_get_signature_nid, SCT_set_signature_nid, SCT_get0_signature, SCT_set0_signature, SCT_set1_signature, SCT_get0_extensions, SCT_set0_extensions, SCT_set1_extensions, SCT_get_source, SCT_set_source \&\- A Certificate Transparency Signed Certificate Timestamp
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ct.h>
\&
\& typedef enum {
\& CT_LOG_ENTRY_TYPE_NOT_SET = \-1,
\& CT_LOG_ENTRY_TYPE_X509 = 0,
\& CT_LOG_ENTRY_TYPE_PRECERT = 1
\& } ct_log_entry_type_t;
\&
\& typedef enum {
\& SCT_VERSION_NOT_SET = \-1,
\& SCT_VERSION_V1 = 0
\& } sct_version_t;
\&
\& typedef enum {
\& SCT_SOURCE_UNKNOWN,
\& SCT_SOURCE_TLS_EXTENSION,
\& SCT_SOURCE_X509V3_EXTENSION,
\& SCT_SOURCE_OCSP_STAPLED_RESPONSE
\& } sct_source_t;
\&
\& SCT *SCT_new(void);
\& SCT *SCT_new_from_base64(unsigned char version,
\& const char *logid_base64,
\& ct_log_entry_type_t entry_type,
\& uint64_t timestamp,
\& const char *extensions_base64,
\& const char *signature_base64);
\&
\& void SCT_free(SCT *sct);
\& void SCT_LIST_free(STACK_OF(SCT) *a);
\&
\& sct_version_t SCT_get_version(const SCT *sct);
\& int SCT_set_version(SCT *sct, sct_version_t version);
\&
\& ct_log_entry_type_t SCT_get_log_entry_type(const SCT *sct);
\& int SCT_set_log_entry_type(SCT *sct, ct_log_entry_type_t entry_type);
\&
\& size_t SCT_get0_log_id(const SCT *sct, unsigned char **log_id);
\& int SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len);
\& int SCT_set1_log_id(SCT *sct, const unsigned char *log_id, size_t log_id_len);
\&
\& uint64_t SCT_get_timestamp(const SCT *sct);
\& void SCT_set_timestamp(SCT *sct, uint64_t timestamp);
\&
\& int SCT_get_signature_nid(const SCT *sct);
\& int SCT_set_signature_nid(SCT *sct, int nid);
\&
\& size_t SCT_get0_signature(const SCT *sct, unsigned char **sig);
\& void SCT_set0_signature(SCT *sct, unsigned char *sig, size_t sig_len);
\& int SCT_set1_signature(SCT *sct, const unsigned char *sig, size_t sig_len);
\&
\& size_t SCT_get0_extensions(const SCT *sct, unsigned char **ext);
\& void SCT_set0_extensions(SCT *sct, unsigned char *ext, size_t ext_len);
\& int SCT_set1_extensions(SCT *sct, const unsigned char *ext, size_t ext_len);
\&
\& sct_source_t SCT_get_source(const SCT *sct);
\& int SCT_set_source(SCT *sct, sct_source_t source);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Signed Certificate Timestamps (SCTs) are defined by \s-1RFC 6962,\s0 Section 3.2.
They constitute a promise by a Certificate Transparency (\s-1CT\s0) log to publicly
record a certificate. By cryptographically verifying that a log did indeed issue
an \s-1SCT,\s0 some confidence can be gained that the certificate is publicly known.
.PP
An internal representation of an \s-1SCT\s0 can be created in one of two ways.
The first option is to create a blank \s-1SCT,\s0 using \fBSCT_new()\fR, and then populate
it using:
.IP "\(bu" 2
\&\fBSCT_set_version()\fR to set the \s-1SCT\s0 version.
.Sp
Only \s-1SCT_VERSION_V1\s0 is currently supported.
.IP "\(bu" 2
\&\fBSCT_set_log_entry_type()\fR to set the type of certificate the \s-1SCT\s0 was issued for:
.Sp
\&\fB\s-1CT_LOG_ENTRY_TYPE_X509\s0\fR for a normal certificate.
\&\fB\s-1CT_LOG_ENTRY_TYPE_PRECERT\s0\fR for a pre-certificate.
.IP "\(bu" 2
\&\fBSCT_set0_log_id()\fR or \fBSCT_set1_log_id()\fR to set the LogID of the \s-1CT\s0 log that the \s-1SCT\s0 came from.
.Sp
The former takes ownership, whereas the latter makes a copy.
See \s-1RFC 6962,\s0 Section 3.2 for the definition of LogID.
.IP "\(bu" 2
\&\fBSCT_set_timestamp()\fR to set the time the \s-1SCT\s0 was issued (epoch time in milliseconds).
.IP "\(bu" 2
\&\fBSCT_set_signature_nid()\fR to set the \s-1NID\s0 of the signature.
.IP "\(bu" 2
\&\fBSCT_set0_signature()\fR or \fBSCT_set1_signature()\fR to set the raw signature value.
.Sp
The former takes ownership, whereas the latter makes a copy.
.IP "\(bu" 2
\&\fBSCT_set0_extensions()\fR or \fBSCT_set1_extensions\fR to provide \s-1SCT\s0 extensions.
.Sp
The former takes ownership, whereas the latter makes a copy.
.PP
Alternatively, the \s-1SCT\s0 can be pre-populated from the following data using
\&\fBSCT_new_from_base64()\fR:
.IP "\(bu" 2
The \s-1SCT\s0 version (only \s-1SCT_VERSION_V1\s0 is currently supported).
.IP "\(bu" 2
The LogID (see \s-1RFC 6962,\s0 Section 3.2), base64 encoded.
.IP "\(bu" 2
The type of certificate the \s-1SCT\s0 was issued for:
\&\fB\s-1CT_LOG_ENTRY_TYPE_X509\s0\fR for a normal certificate.
\&\fB\s-1CT_LOG_ENTRY_TYPE_PRECERT\s0\fR for a pre-certificate.
.IP "\(bu" 2
The time that the \s-1SCT\s0 was issued (epoch time in milliseconds).
.IP "\(bu" 2
The \s-1SCT\s0 extensions, base64 encoded.
.IP "\(bu" 2
The \s-1SCT\s0 signature, base64 encoded.
.PP
\&\fBSCT_set_source()\fR can be used to record where the \s-1SCT\s0 was found
(\s-1TLS\s0 extension, X.509 certificate extension or \s-1OCSP\s0 response). This is not
required for verifying the \s-1SCT.\s0
.SH "NOTES"
.IX Header "NOTES"
Some of the setters return int, instead of void. These will all return 1 on
success, 0 on failure. They will not make changes on failure.
.PP
All of the setters will reset the validation status of the \s-1SCT\s0 to
\&\s-1SCT_VALIDATION_STATUS_NOT_SET\s0 (see \fBSCT_validate\fR\|(3)).
.PP
\&\fBSCT_set_source()\fR will call \fBSCT_set_log_entry_type()\fR if the type of
certificate the \s-1SCT\s0 was issued for can be inferred from where the \s-1SCT\s0 was found.
For example, an \s-1SCT\s0 found in an X.509 extension must have been issued for a pre\-
certificate.
.PP
\&\fBSCT_set_source()\fR will not refuse unknown values.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSCT_set_version()\fR returns 1 if the specified version is supported, 0 otherwise.
.PP
\&\fBSCT_set_log_entry_type()\fR returns 1 if the specified log entry type is supported, 0 otherwise.
.PP
\&\fBSCT_set0_log_id()\fR and \fBSCT_set1_log_id\fR return 1 if the specified LogID is a
valid \s-1SHA\-256\s0 hash, 0 otherwise. Additionally, \fBSCT_set1_log_id\fR returns 0 if
malloc fails.
.PP
\&\fBSCT_set_signature_nid\fR returns 1 if the specified \s-1NID\s0 is supported, 0 otherwise.
.PP
\&\fBSCT_set1_extensions\fR and \fBSCT_set1_signature\fR return 1 if the supplied buffer
is copied successfully, 0 otherwise (i.e. if malloc fails).
.PP
\&\fBSCT_set_source\fR returns 1 on success, 0 otherwise.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBct\fR\|(7),
\&\fBSCT_validate\fR\|(3),
\&\fBOBJ_nid2obj\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SCT_print.3 b/secure/lib/libcrypto/man/man3/SCT_print.3
index 3d3db9e58ae4..0ac01994aa0d 100644
--- a/secure/lib/libcrypto/man/man3/SCT_print.3
+++ b/secure/lib/libcrypto/man/man3/SCT_print.3
@@ -1,187 +1,187 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SCT_PRINT 3"
-.TH SCT_PRINT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SCT_PRINT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SCT_print, SCT_LIST_print, SCT_validation_status_string \- Prints Signed Certificate Timestamps in a human\-readable way
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ct.h>
\&
\& void SCT_print(const SCT *sct, BIO *out, int indent, const CTLOG_STORE *logs);
\& void SCT_LIST_print(const STACK_OF(SCT) *sct_list, BIO *out, int indent,
\& const char *separator, const CTLOG_STORE *logs);
\& const char *SCT_validation_status_string(const SCT *sct);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSCT_print()\fR prints a single Signed Certificate Timestamp (\s-1SCT\s0) to a bio in
a human-readable format. \fBSCT_LIST_print()\fR prints an entire list of SCTs in a
similar way. A separator can be specified to delimit each \s-1SCT\s0 in the output.
.PP
The output can be indented by a specified number of spaces. If a \fB\s-1CTLOG_STORE\s0\fR
is provided, it will be used to print the description of the \s-1CT\s0 log that issued
each \s-1SCT\s0 (if that log is in the \s-1CTLOG_STORE\s0). Alternatively, \s-1NULL\s0 can be passed
as the \s-1CTLOG_STORE\s0 parameter to disable this feature.
.PP
\&\fBSCT_validation_status_string()\fR will return the validation status of an \s-1SCT\s0 as
a human-readable string. Call \fBSCT_validate()\fR or \fBSCT_LIST_validate()\fR
beforehand in order to set the validation status of an \s-1SCT\s0 first.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSCT_validation_status_string()\fR returns a null-terminated string representing
the validation status of an \fB\s-1SCT\s0\fR object.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBct\fR\|(7),
\&\fBbio\fR\|(7),
\&\fBCTLOG_STORE_new\fR\|(3),
\&\fBSCT_validate\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SCT_validate.3 b/secure/lib/libcrypto/man/man3/SCT_validate.3
index 608f05883869..483a0071b0fb 100644
--- a/secure/lib/libcrypto/man/man3/SCT_validate.3
+++ b/secure/lib/libcrypto/man/man3/SCT_validate.3
@@ -1,223 +1,223 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SCT_VALIDATE 3"
-.TH SCT_VALIDATE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SCT_VALIDATE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SCT_validate, SCT_LIST_validate, SCT_get_validation_status \- checks Signed Certificate Timestamps (SCTs) are valid
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ct.h>
\&
\& typedef enum {
\& SCT_VALIDATION_STATUS_NOT_SET,
\& SCT_VALIDATION_STATUS_UNKNOWN_LOG,
\& SCT_VALIDATION_STATUS_VALID,
\& SCT_VALIDATION_STATUS_INVALID,
\& SCT_VALIDATION_STATUS_UNVERIFIED,
\& SCT_VALIDATION_STATUS_UNKNOWN_VERSION
\& } sct_validation_status_t;
\&
\& int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx);
\& int SCT_LIST_validate(const STACK_OF(SCT) *scts, CT_POLICY_EVAL_CTX *ctx);
\& sct_validation_status_t SCT_get_validation_status(const SCT *sct);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSCT_validate()\fR will check that an \s-1SCT\s0 is valid and verify its signature.
\&\fBSCT_LIST_validate()\fR performs the same checks on an entire stack of SCTs.
The result of the validation checks can be obtained by passing the \s-1SCT\s0 to
\&\fBSCT_get_validation_status()\fR.
.PP
A \s-1CT_POLICY_EVAL_CTX\s0 must be provided that specifies:
.IP "\(bu" 2
The certificate the \s-1SCT\s0 was issued for.
.Sp
Failure to provide the certificate will result in the validation status being
\&\s-1SCT_VALIDATION_STATUS_UNVERIFIED.\s0
.IP "\(bu" 2
The issuer of that certificate.
.Sp
This is only required if the \s-1SCT\s0 was issued for a pre-certificate
(see \s-1RFC 6962\s0). If it is required but not provided, the validation status will
be \s-1SCT_VALIDATION_STATUS_UNVERIFIED.\s0
.IP "\(bu" 2
A \s-1CTLOG_STORE\s0 that contains the \s-1CT\s0 log that issued this \s-1SCT.\s0
.Sp
If the \s-1SCT\s0 was issued by a log that is not in this \s-1CTLOG_STORE,\s0 the validation
status will be \s-1SCT_VALIDATION_STATUS_UNKNOWN_LOG.\s0
.PP
If the \s-1SCT\s0 is of an unsupported version (only v1 is currently supported), the
validation status will be \s-1SCT_VALIDATION_STATUS_UNKNOWN_VERSION.\s0
.PP
If the \s-1SCT\s0's signature is incorrect, its timestamp is in the future (relative to
the time in \s-1CT_POLICY_EVAL_CTX\s0), or if it is otherwise invalid, the validation
status will be \s-1SCT_VALIDATION_STATUS_INVALID.\s0
.PP
If all checks pass, the validation status will be \s-1SCT_VALIDATION_STATUS_VALID.\s0
.SH "NOTES"
.IX Header "NOTES"
A return value of 0 from \fBSCT_LIST_validate()\fR should not be interpreted as a
failure. At a minimum, only one valid \s-1SCT\s0 may provide sufficient confidence
that a certificate has been publicly logged.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSCT_validate()\fR returns a negative integer if an internal error occurs, 0 if the
\&\s-1SCT\s0 fails validation, or 1 if the \s-1SCT\s0 passes validation.
.PP
\&\fBSCT_LIST_validate()\fR returns a negative integer if an internal error occurs, 0
if any of SCTs fails validation, or 1 if they all pass validation.
.PP
\&\fBSCT_get_validation_status()\fR returns the validation status of the \s-1SCT.\s0
If \fBSCT_validate()\fR or \fBSCT_LIST_validate()\fR have not been passed that \s-1SCT,\s0 the
returned value will be \s-1SCT_VALIDATION_STATUS_NOT_SET.\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBct\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SHA256_Init.3 b/secure/lib/libcrypto/man/man3/SHA256_Init.3
index eeaa2c47fb51..9697889a7d23 100644
--- a/secure/lib/libcrypto/man/man3/SHA256_Init.3
+++ b/secure/lib/libcrypto/man/man3/SHA256_Init.3
@@ -1,233 +1,233 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SHA256_INIT 3"
-.TH SHA256_INIT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SHA256_INIT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SHA1, SHA1_Init, SHA1_Update, SHA1_Final, SHA224, SHA224_Init, SHA224_Update, SHA224_Final, SHA256, SHA256_Init, SHA256_Update, SHA256_Final, SHA384, SHA384_Init, SHA384_Update, SHA384_Final, SHA512, SHA512_Init, SHA512_Update, SHA512_Final \- Secure Hash Algorithm
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/sha.h>
\&
\& int SHA1_Init(SHA_CTX *c);
\& int SHA1_Update(SHA_CTX *c, const void *data, size_t len);
\& int SHA1_Final(unsigned char *md, SHA_CTX *c);
\& unsigned char *SHA1(const unsigned char *d, size_t n,
\& unsigned char *md);
\&
\& int SHA224_Init(SHA256_CTX *c);
\& int SHA224_Update(SHA256_CTX *c, const void *data, size_t len);
\& int SHA224_Final(unsigned char *md, SHA256_CTX *c);
\& unsigned char *SHA224(const unsigned char *d, size_t n,
\& unsigned char *md);
\&
\& int SHA256_Init(SHA256_CTX *c);
\& int SHA256_Update(SHA256_CTX *c, const void *data, size_t len);
\& int SHA256_Final(unsigned char *md, SHA256_CTX *c);
\& unsigned char *SHA256(const unsigned char *d, size_t n,
\& unsigned char *md);
\&
\& int SHA384_Init(SHA512_CTX *c);
\& int SHA384_Update(SHA512_CTX *c, const void *data, size_t len);
\& int SHA384_Final(unsigned char *md, SHA512_CTX *c);
\& unsigned char *SHA384(const unsigned char *d, size_t n,
\& unsigned char *md);
\&
\& int SHA512_Init(SHA512_CTX *c);
\& int SHA512_Update(SHA512_CTX *c, const void *data, size_t len);
\& int SHA512_Final(unsigned char *md, SHA512_CTX *c);
\& unsigned char *SHA512(const unsigned char *d, size_t n,
\& unsigned char *md);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Applications should use the higher level functions
\&\fBEVP_DigestInit\fR\|(3) etc. instead of calling the hash
functions directly.
.PP
\&\s-1SHA\-1\s0 (Secure Hash Algorithm) is a cryptographic hash function with a
160 bit output.
.PP
\&\s-1\fBSHA1\s0()\fR computes the \s-1SHA\-1\s0 message digest of the \fBn\fR
bytes at \fBd\fR and places it in \fBmd\fR (which must have space for
\&\s-1SHA_DIGEST_LENGTH\s0 == 20 bytes of output). If \fBmd\fR is \s-1NULL,\s0 the digest
is placed in a static array. Note: setting \fBmd\fR to \s-1NULL\s0 is \fBnot thread safe\fR.
.PP
The following functions may be used if the message is not completely
stored in memory:
.PP
\&\fBSHA1_Init()\fR initializes a \fB\s-1SHA_CTX\s0\fR structure.
.PP
\&\fBSHA1_Update()\fR can be called repeatedly with chunks of the message to
be hashed (\fBlen\fR bytes at \fBdata\fR).
.PP
\&\fBSHA1_Final()\fR places the message digest in \fBmd\fR, which must have space
for \s-1SHA_DIGEST_LENGTH\s0 == 20 bytes of output, and erases the \fB\s-1SHA_CTX\s0\fR.
.PP
The \s-1SHA224, SHA256, SHA384\s0 and \s-1SHA512\s0 families of functions operate in the
same way as for the \s-1SHA1\s0 functions. Note that \s-1SHA224\s0 and \s-1SHA256\s0 use a
\&\fB\s-1SHA256_CTX\s0\fR object instead of \fB\s-1SHA_CTX\s0\fR. \s-1SHA384\s0 and \s-1SHA512\s0 use \fB\s-1SHA512_CTX\s0\fR.
The buffer \fBmd\fR must have space for the output from the \s-1SHA\s0 variant being used
(defined by \s-1SHA224_DIGEST_LENGTH, SHA256_DIGEST_LENGTH, SHA384_DIGEST_LENGTH\s0 and
\&\s-1SHA512_DIGEST_LENGTH\s0). Also note that, as for the \s-1\fBSHA1\s0()\fR function above, the
\&\s-1\fBSHA224\s0()\fR, \s-1\fBSHA256\s0()\fR, \s-1\fBSHA384\s0()\fR and \s-1\fBSHA512\s0()\fR functions are not thread safe if
\&\fBmd\fR is \s-1NULL.\s0
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\s-1\fBSHA1\s0()\fR, \s-1\fBSHA224\s0()\fR, \s-1\fBSHA256\s0()\fR, \s-1\fBSHA384\s0()\fR and \s-1\fBSHA512\s0()\fR return a pointer to the hash
value.
.PP
\&\fBSHA1_Init()\fR, \fBSHA1_Update()\fR and \fBSHA1_Final()\fR and equivalent \s-1SHA224, SHA256,
SHA384\s0 and \s-1SHA512\s0 functions return 1 for success, 0 otherwise.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
\&\s-1US\s0 Federal Information Processing Standard \s-1FIPS PUB 180\-4\s0 (Secure Hash
Standard),
\&\s-1ANSI X9.30\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_DigestInit\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SMIME_read_CMS.3 b/secure/lib/libcrypto/man/man3/SMIME_read_CMS.3
index 2a1029a8d293..4fd8478f5b67 100644
--- a/secure/lib/libcrypto/man/man3/SMIME_read_CMS.3
+++ b/secure/lib/libcrypto/man/man3/SMIME_read_CMS.3
@@ -1,207 +1,207 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SMIME_READ_CMS 3"
-.TH SMIME_READ_CMS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SMIME_READ_CMS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SMIME_read_CMS \- parse S/MIME message
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& CMS_ContentInfo *SMIME_read_CMS(BIO *in, BIO **bcont);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSMIME_read_CMS()\fR parses a message in S/MIME format.
.PP
\&\fBin\fR is a \s-1BIO\s0 to read the message from.
.PP
If cleartext signing is used then the content is saved in a memory bio which is
written to \fB*bcont\fR, otherwise \fB*bcont\fR is set to \s-1NULL.\s0
.PP
The parsed CMS_ContentInfo structure is returned or \s-1NULL\s0 if an
error occurred.
.SH "NOTES"
.IX Header "NOTES"
If \fB*bcont\fR is not \s-1NULL\s0 then the message is clear text signed. \fB*bcont\fR can
then be passed to \fBCMS_verify()\fR with the \fB\s-1CMS_DETACHED\s0\fR flag set.
.PP
Otherwise the type of the returned structure can be determined
using \fBCMS_get0_type()\fR.
.PP
To support future functionality if \fBbcont\fR is not \s-1NULL\s0 \fB*bcont\fR should be
initialized to \s-1NULL.\s0 For example:
.PP
.Vb 2
\& BIO *cont = NULL;
\& CMS_ContentInfo *cms;
\&
\& cms = SMIME_read_CMS(in, &cont);
.Ve
.SH "BUGS"
.IX Header "BUGS"
The \s-1MIME\s0 parser used by \fBSMIME_read_CMS()\fR is somewhat primitive. While it will
handle most S/MIME messages more complex compound formats may not work.
.PP
The parser assumes that the CMS_ContentInfo structure is always base64 encoded
and will not handle the case where it is in binary format or uses quoted
printable format.
.PP
The use of a memory \s-1BIO\s0 to hold the signed content limits the size of message
which can be processed due to memory restraints: a streaming single pass option
should be available.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSMIME_read_CMS()\fR returns a valid \fBCMS_ContentInfo\fR structure or \fB\s-1NULL\s0\fR
if an error occurred. The error can be obtained from \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_type\fR\|(3),
\&\fBSMIME_read_CMS\fR\|(3), \fBCMS_sign\fR\|(3),
\&\fBCMS_verify\fR\|(3), \fBCMS_encrypt\fR\|(3),
\&\fBCMS_decrypt\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SMIME_read_PKCS7.3 b/secure/lib/libcrypto/man/man3/SMIME_read_PKCS7.3
index 76b91998ec7e..1c180a104a36 100644
--- a/secure/lib/libcrypto/man/man3/SMIME_read_PKCS7.3
+++ b/secure/lib/libcrypto/man/man3/SMIME_read_PKCS7.3
@@ -1,210 +1,210 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SMIME_READ_PKCS7 3"
-.TH SMIME_READ_PKCS7 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SMIME_READ_PKCS7 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SMIME_read_PKCS7 \- parse S/MIME message
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs7.h>
\&
\& PKCS7 *SMIME_read_PKCS7(BIO *in, BIO **bcont);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSMIME_read_PKCS7()\fR parses a message in S/MIME format.
.PP
\&\fBin\fR is a \s-1BIO\s0 to read the message from.
.PP
If cleartext signing is used then the content is saved in
a memory bio which is written to \fB*bcont\fR, otherwise
\&\fB*bcont\fR is set to \fB\s-1NULL\s0\fR.
.PP
The parsed PKCS#7 structure is returned or \fB\s-1NULL\s0\fR if an
error occurred.
.SH "NOTES"
.IX Header "NOTES"
If \fB*bcont\fR is not \fB\s-1NULL\s0\fR then the message is clear text
signed. \fB*bcont\fR can then be passed to \fBPKCS7_verify()\fR with
the \fB\s-1PKCS7_DETACHED\s0\fR flag set.
.PP
Otherwise the type of the returned structure can be determined
using \fBPKCS7_type_is_enveloped()\fR, etc.
.PP
To support future functionality if \fBbcont\fR is not \fB\s-1NULL\s0\fR
\&\fB*bcont\fR should be initialized to \fB\s-1NULL\s0\fR. For example:
.PP
.Vb 2
\& BIO *cont = NULL;
\& PKCS7 *p7;
\&
\& p7 = SMIME_read_PKCS7(in, &cont);
.Ve
.SH "BUGS"
.IX Header "BUGS"
The \s-1MIME\s0 parser used by \fBSMIME_read_PKCS7()\fR is somewhat primitive.
While it will handle most S/MIME messages more complex compound
formats may not work.
.PP
The parser assumes that the \s-1PKCS7\s0 structure is always base64
encoded and will not handle the case where it is in binary format
or uses quoted printable format.
.PP
The use of a memory \s-1BIO\s0 to hold the signed content limits the size
of message which can be processed due to memory restraints: a
streaming single pass option should be available.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSMIME_read_PKCS7()\fR returns a valid \fB\s-1PKCS7\s0\fR structure or \fB\s-1NULL\s0\fR
if an error occurred. The error can be obtained from \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3),
\&\fBSMIME_read_PKCS7\fR\|(3), \fBPKCS7_sign\fR\|(3),
\&\fBPKCS7_verify\fR\|(3), \fBPKCS7_encrypt\fR\|(3)
\&\fBPKCS7_decrypt\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SMIME_write_CMS.3 b/secure/lib/libcrypto/man/man3/SMIME_write_CMS.3
index 3b6054293cc0..c4886dab4047 100644
--- a/secure/lib/libcrypto/man/man3/SMIME_write_CMS.3
+++ b/secure/lib/libcrypto/man/man3/SMIME_write_CMS.3
@@ -1,199 +1,199 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SMIME_WRITE_CMS 3"
-.TH SMIME_WRITE_CMS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SMIME_WRITE_CMS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SMIME_write_CMS \- convert CMS structure to S/MIME format
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& int SMIME_write_CMS(BIO *out, CMS_ContentInfo *cms, BIO *data, int flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSMIME_write_CMS()\fR adds the appropriate \s-1MIME\s0 headers to a \s-1CMS\s0
structure to produce an S/MIME message.
.PP
\&\fBout\fR is the \s-1BIO\s0 to write the data to. \fBcms\fR is the appropriate
\&\fBCMS_ContentInfo\fR structure. If streaming is enabled then the content must be
supplied in the \fBdata\fR argument. \fBflags\fR is an optional set of flags.
.SH "NOTES"
.IX Header "NOTES"
The following flags can be passed in the \fBflags\fR parameter.
.PP
If \fB\s-1CMS_DETACHED\s0\fR is set then cleartext signing will be used, this option only
makes sense for SignedData where \fB\s-1CMS_DETACHED\s0\fR is also set when \fBCMS_sign()\fR is
called.
.PP
If the \fB\s-1CMS_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \fBtext/plain\fR are added to
the content, this only makes sense if \fB\s-1CMS_DETACHED\s0\fR is also set.
.PP
If the \fB\s-1CMS_STREAM\s0\fR flag is set streaming is performed. This flag should only
be set if \fB\s-1CMS_STREAM\s0\fR was also set in the previous call to a CMS_ContentInfo
creation function.
.PP
If cleartext signing is being used and \fB\s-1CMS_STREAM\s0\fR not set then the data must
be read twice: once to compute the signature in \fBCMS_sign()\fR and once to output
the S/MIME message.
.PP
If streaming is performed the content is output in \s-1BER\s0 format using indefinite
length constructed encoding except in the case of signed data with detached
content where the content is absent and \s-1DER\s0 format is used.
.SH "BUGS"
.IX Header "BUGS"
\&\fBSMIME_write_CMS()\fR always base64 encodes \s-1CMS\s0 structures, there should be an
option to disable this.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSMIME_write_CMS()\fR returns 1 for success or 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_sign\fR\|(3),
\&\fBCMS_verify\fR\|(3), \fBCMS_encrypt\fR\|(3)
\&\fBCMS_decrypt\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SMIME_write_PKCS7.3 b/secure/lib/libcrypto/man/man3/SMIME_write_PKCS7.3
index 4d5cc23c5547..395e7eb6de6c 100644
--- a/secure/lib/libcrypto/man/man3/SMIME_write_PKCS7.3
+++ b/secure/lib/libcrypto/man/man3/SMIME_write_PKCS7.3
@@ -1,200 +1,200 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SMIME_WRITE_PKCS7 3"
-.TH SMIME_WRITE_PKCS7 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SMIME_WRITE_PKCS7 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SMIME_write_PKCS7 \- convert PKCS#7 structure to S/MIME format
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs7.h>
\&
\& int SMIME_write_PKCS7(BIO *out, PKCS7 *p7, BIO *data, int flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSMIME_write_PKCS7()\fR adds the appropriate \s-1MIME\s0 headers to a PKCS#7
structure to produce an S/MIME message.
.PP
\&\fBout\fR is the \s-1BIO\s0 to write the data to. \fBp7\fR is the appropriate \fB\s-1PKCS7\s0\fR
structure. If streaming is enabled then the content must be supplied in the
\&\fBdata\fR argument. \fBflags\fR is an optional set of flags.
.SH "NOTES"
.IX Header "NOTES"
The following flags can be passed in the \fBflags\fR parameter.
.PP
If \fB\s-1PKCS7_DETACHED\s0\fR is set then cleartext signing will be used,
this option only makes sense for signedData where \fB\s-1PKCS7_DETACHED\s0\fR
is also set when \fBPKCS7_sign()\fR is also called.
.PP
If the \fB\s-1PKCS7_TEXT\s0\fR flag is set \s-1MIME\s0 headers for type \fBtext/plain\fR
are added to the content, this only makes sense if \fB\s-1PKCS7_DETACHED\s0\fR
is also set.
.PP
If the \fB\s-1PKCS7_STREAM\s0\fR flag is set streaming is performed. This flag should
only be set if \fB\s-1PKCS7_STREAM\s0\fR was also set in the previous call to
\&\fBPKCS7_sign()\fR or \fBPKCS7_encrypt()\fR.
.PP
If cleartext signing is being used and \fB\s-1PKCS7_STREAM\s0\fR not set then
the data must be read twice: once to compute the signature in \fBPKCS7_sign()\fR
and once to output the S/MIME message.
.PP
If streaming is performed the content is output in \s-1BER\s0 format using indefinite
length constructed encoding except in the case of signed data with detached
content where the content is absent and \s-1DER\s0 format is used.
.SH "BUGS"
.IX Header "BUGS"
\&\fBSMIME_write_PKCS7()\fR always base64 encodes PKCS#7 structures, there
should be an option to disable this.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSMIME_write_PKCS7()\fR returns 1 for success or 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBPKCS7_sign\fR\|(3),
\&\fBPKCS7_verify\fR\|(3), \fBPKCS7_encrypt\fR\|(3)
\&\fBPKCS7_decrypt\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CIPHER_get_name.3 b/secure/lib/libcrypto/man/man3/SSL_CIPHER_get_name.3
index 035877492469..c1827deabe02 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CIPHER_get_name.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CIPHER_get_name.3
@@ -1,325 +1,325 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CIPHER_GET_NAME 3"
-.TH SSL_CIPHER_GET_NAME 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CIPHER_GET_NAME 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CIPHER_get_name, SSL_CIPHER_standard_name, OPENSSL_cipher_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version, SSL_CIPHER_description, SSL_CIPHER_get_cipher_nid, SSL_CIPHER_get_digest_nid, SSL_CIPHER_get_handshake_digest, SSL_CIPHER_get_kx_nid, SSL_CIPHER_get_auth_nid, SSL_CIPHER_is_aead, SSL_CIPHER_find, SSL_CIPHER_get_id, SSL_CIPHER_get_protocol_id \&\- get SSL_CIPHER properties
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher);
\& const char *SSL_CIPHER_standard_name(const SSL_CIPHER *cipher);
\& const char *OPENSSL_cipher_name(const char *stdname);
\& int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *alg_bits);
\& char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher);
\& char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int size);
\& int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c);
\& int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c);
\& const EVP_MD *SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *c);
\& int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c);
\& int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c);
\& int SSL_CIPHER_is_aead(const SSL_CIPHER *c);
\& const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr);
\& uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *c);
\& uint32_t SSL_CIPHER_get_protocol_id(const SSL_CIPHER *c);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CIPHER_get_name()\fR returns a pointer to the name of \fBcipher\fR. If the
\&\fBcipher\fR is \s-1NULL,\s0 it returns \*(L"(\s-1NONE\s0)\*(R".
.PP
\&\fBSSL_CIPHER_standard_name()\fR returns a pointer to the standard \s-1RFC\s0 name of
\&\fBcipher\fR. If the \fBcipher\fR is \s-1NULL,\s0 it returns \*(L"(\s-1NONE\s0)\*(R". If the \fBcipher\fR
has no standard name, it returns \fB\s-1NULL\s0\fR. If \fBcipher\fR was defined in both
SSLv3 and \s-1TLS,\s0 it returns the \s-1TLS\s0 name.
.PP
\&\fBOPENSSL_cipher_name()\fR returns a pointer to the OpenSSL name of \fBstdname\fR.
If the \fBstdname\fR is \s-1NULL,\s0 or \fBstdname\fR has no corresponding OpenSSL name,
it returns \*(L"(\s-1NONE\s0)\*(R". Where both exist, \fBstdname\fR should be the \s-1TLS\s0 name rather
than the SSLv3 name.
.PP
\&\fBSSL_CIPHER_get_bits()\fR returns the number of secret bits used for \fBcipher\fR.
If \fBcipher\fR is \s-1NULL, 0\s0 is returned.
.PP
\&\fBSSL_CIPHER_get_version()\fR returns string which indicates the \s-1SSL/TLS\s0 protocol
version that first defined the cipher. It returns \*(L"(\s-1NONE\s0)\*(R" if \fBcipher\fR is \s-1NULL.\s0
.PP
\&\fBSSL_CIPHER_get_cipher_nid()\fR returns the cipher \s-1NID\s0 corresponding to \fBc\fR.
If there is no cipher (e.g. for cipher suites with no encryption) then
\&\fBNID_undef\fR is returned.
.PP
\&\fBSSL_CIPHER_get_digest_nid()\fR returns the digest \s-1NID\s0 corresponding to the \s-1MAC\s0
used by \fBc\fR during record encryption/decryption. If there is no digest (e.g.
for \s-1AEAD\s0 cipher suites) then \fBNID_undef\fR is returned.
.PP
\&\fBSSL_CIPHER_get_handshake_digest()\fR returns an \s-1EVP_MD\s0 for the digest used during
the \s-1SSL/TLS\s0 handshake when using the \s-1SSL_CIPHER\s0 \fBc\fR. Note that this may be
different to the digest used to calculate the \s-1MAC\s0 for encrypted records.
.PP
\&\fBSSL_CIPHER_get_kx_nid()\fR returns the key exchange \s-1NID\s0 corresponding to the method
used by \fBc\fR. If there is no key exchange, then \fBNID_undef\fR is returned.
If any appropriate key exchange algorithm can be used (as in the case of \s-1TLS 1.3\s0
cipher suites) \fBNID_kx_any\fR is returned. Examples (not comprehensive):
.PP
.Vb 4
\& NID_kx_rsa
\& NID_kx_ecdhe
\& NID_kx_dhe
\& NID_kx_psk
.Ve
.PP
\&\fBSSL_CIPHER_get_auth_nid()\fR returns the authentication \s-1NID\s0 corresponding to the method
used by \fBc\fR. If there is no authentication, then \fBNID_undef\fR is returned.
If any appropriate authentication algorithm can be used (as in the case of
\&\s-1TLS 1.3\s0 cipher suites) \fBNID_auth_any\fR is returned. Examples (not comprehensive):
.PP
.Vb 3
\& NID_auth_rsa
\& NID_auth_ecdsa
\& NID_auth_psk
.Ve
.PP
\&\fBSSL_CIPHER_is_aead()\fR returns 1 if the cipher \fBc\fR is \s-1AEAD\s0 (e.g. \s-1GCM\s0 or
ChaCha20/Poly1305), and 0 if it is not \s-1AEAD.\s0
.PP
\&\fBSSL_CIPHER_find()\fR returns a \fB\s-1SSL_CIPHER\s0\fR structure which has the cipher \s-1ID\s0 stored
in \fBptr\fR. The \fBptr\fR parameter is a two element array of \fBchar\fR, which stores the
two-byte \s-1TLS\s0 cipher \s-1ID\s0 (as allocated by \s-1IANA\s0) in network byte order. This parameter
is usually retrieved from a \s-1TLS\s0 packet by using functions like
\&\fBSSL_client_hello_get0_ciphers\fR\|(3). \fBSSL_CIPHER_find()\fR returns \s-1NULL\s0 if an
error occurs or the indicated cipher is not found.
.PP
\&\fBSSL_CIPHER_get_id()\fR returns the OpenSSL-specific \s-1ID\s0 of the given cipher \fBc\fR. That \s-1ID\s0 is
not the same as the IANA-specific \s-1ID.\s0
.PP
\&\fBSSL_CIPHER_get_protocol_id()\fR returns the two-byte \s-1ID\s0 used in the \s-1TLS\s0 protocol of the given
cipher \fBc\fR.
.PP
\&\fBSSL_CIPHER_description()\fR returns a textual description of the cipher used
into the buffer \fBbuf\fR of length \fBlen\fR provided. If \fBbuf\fR is provided, it
must be at least 128 bytes, otherwise a buffer will be allocated using
\&\fBOPENSSL_malloc()\fR. If the provided buffer is too small, or the allocation fails,
\&\fB\s-1NULL\s0\fR is returned.
.PP
The string returned by \fBSSL_CIPHER_description()\fR consists of several fields
separated by whitespace:
.IP "<ciphername>" 4
.IX Item "<ciphername>"
Textual representation of the cipher name.
.IP "<protocol version>" 4
.IX Item "<protocol version>"
The minimum protocol version that the ciphersuite supports, such as \fBTLSv1.2\fR.
Note that this is not always the same as the protocol version in which the
ciphersuite was first defined because some ciphersuites are backwards compatible
with earlier protocol versions.
.IP "Kx=<key exchange>" 4
.IX Item "Kx=<key exchange>"
Key exchange method such as \fB\s-1RSA\s0\fR, \fB\s-1ECDHE\s0\fR, etc.
.IP "Au=<authentication>" 4
.IX Item "Au=<authentication>"
Authentication method such as \fB\s-1RSA\s0\fR, \fBNone\fR, etc.. None is the
representation of anonymous ciphers.
.IP "Enc=<symmetric encryption method>" 4
.IX Item "Enc=<symmetric encryption method>"
Encryption method, with number of secret bits, such as \fB\s-1AESGCM\s0(128)\fR.
.IP "Mac=<message authentication code>" 4
.IX Item "Mac=<message authentication code>"
Message digest, such as \fB\s-1SHA256\s0\fR.
.PP
Some examples for the output of \fBSSL_CIPHER_description()\fR:
.PP
.Vb 2
\& ECDHE\-RSA\-AES256\-GCM\-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
\& RSA\-PSK\-AES256\-CBC\-SHA384 TLSv1.0 Kx=RSAPSK Au=RSA Enc=AES(256) Mac=SHA384
.Ve
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CIPHER_get_name()\fR, \fBSSL_CIPHER_standard_name()\fR, \fBOPENSSL_cipher_name()\fR,
\&\fBSSL_CIPHER_get_version()\fR and \fBSSL_CIPHER_description()\fR return the corresponding
value in a null-terminated string for a specific cipher or \*(L"(\s-1NONE\s0)\*(R"
if the cipher is not found.
.PP
\&\fBSSL_CIPHER_get_bits()\fR returns a positive integer representing the number of
secret bits or 0 if an error occurred.
.PP
\&\fBSSL_CIPHER_get_cipher_nid()\fR, \fBSSL_CIPHER_get_digest_nid()\fR,
\&\fBSSL_CIPHER_get_kx_nid()\fR and \fBSSL_CIPHER_get_auth_nid()\fR return the \s-1NID\s0 value or
\&\fBNID_undef\fR if an error occurred.
.PP
\&\fBSSL_CIPHER_get_handshake_digest()\fR returns a valid \fB\s-1EVP_MD\s0\fR structure or \s-1NULL\s0
if an error occurred.
.PP
\&\fBSSL_CIPHER_is_aead()\fR returns 1 if the cipher is \s-1AEAD\s0 or 0 otherwise.
.PP
\&\fBSSL_CIPHER_find()\fR returns a valid \fB\s-1SSL_CIPHER\s0\fR structure or \s-1NULL\s0 if an error
occurred.
.PP
\&\fBSSL_CIPHER_get_id()\fR returns a 4\-byte integer representing the OpenSSL-specific \s-1ID.\s0
.PP
\&\fBSSL_CIPHER_get_protocol_id()\fR returns a 2\-byte integer representing the \s-1TLS\s0
protocol-specific \s-1ID.\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_get_current_cipher\fR\|(3),
\&\fBSSL_get_ciphers\fR\|(3), \fBciphers\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_CIPHER_get_version()\fR function was updated to always return the
correct protocol string in OpenSSL 1.1.0.
.PP
The \fBSSL_CIPHER_description()\fR function was changed to return \fB\s-1NULL\s0\fR on error,
rather than a fixed string, in OpenSSL 1.1.0.
.PP
The \fBSSL_CIPHER_get_handshake_digest()\fR function was added in OpenSSL 1.1.1.
.PP
The \fBSSL_CIPHER_standard_name()\fR function was globally available in OpenSSL 1.1.1.
Before OpenSSL 1.1.1, tracing (\fBenable-ssl-trace\fR argument to Configure) was
required to enable this function.
.PP
The \fBOPENSSL_cipher_name()\fR function was added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_COMP_add_compression_method.3 b/secure/lib/libcrypto/man/man3/SSL_COMP_add_compression_method.3
index 3ce7d2aea906..4ef325b5f2bf 100644
--- a/secure/lib/libcrypto/man/man3/SSL_COMP_add_compression_method.3
+++ b/secure/lib/libcrypto/man/man3/SSL_COMP_add_compression_method.3
@@ -1,229 +1,229 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_COMP_ADD_COMPRESSION_METHOD 3"
-.TH SSL_COMP_ADD_COMPRESSION_METHOD 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_COMP_ADD_COMPRESSION_METHOD 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_COMP_add_compression_method, SSL_COMP_get_compression_methods, SSL_COMP_get0_name, SSL_COMP_get_id, SSL_COMP_free_compression_methods \&\- handle SSL/TLS integrated compression methods
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm);
\& STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
\& const char *SSL_COMP_get0_name(const SSL_COMP *comp);
\& int SSL_COMP_get_id(const SSL_COMP *comp);
.Ve
.PP
Deprecated:
.PP
.Vb 3
\& #if OPENSSL_API_COMPAT < 0x10100000L
\& void SSL_COMP_free_compression_methods(void)
\& #endif
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_COMP_add_compression_method()\fR adds the compression method \fBcm\fR with
the identifier \fBid\fR to the list of available compression methods. This
list is globally maintained for all \s-1SSL\s0 operations within this application.
It cannot be set for specific \s-1SSL_CTX\s0 or \s-1SSL\s0 objects.
.PP
\&\fBSSL_COMP_get_compression_methods()\fR returns a stack of all of the available
compression methods or \s-1NULL\s0 on error.
.PP
\&\fBSSL_COMP_get0_name()\fR returns the name of the compression method \fBcomp\fR.
.PP
\&\fBSSL_COMP_get_id()\fR returns the id of the compression method \fBcomp\fR.
.PP
\&\fBSSL_COMP_free_compression_methods()\fR releases any resources acquired to
maintain the internal table of compression methods.
.SH "NOTES"
.IX Header "NOTES"
The \s-1TLS\s0 standard (or SSLv3) allows the integration of compression methods
into the communication. The \s-1TLS RFC\s0 does however not specify compression
methods or their corresponding identifiers, so there is currently no compatible
way to integrate compression with unknown peers. It is therefore currently not
recommended to integrate compression into applications. Applications for
non-public use may agree on certain compression methods. Using different
compression methods with the same identifier will lead to connection failure.
.PP
An OpenSSL client speaking a protocol that allows compression (SSLv3, TLSv1)
will unconditionally send the list of all compression methods enabled with
\&\fBSSL_COMP_add_compression_method()\fR to the server during the handshake.
Unlike the mechanisms to set a cipher list, there is no method available to
restrict the list of compression method on a per connection basis.
.PP
An OpenSSL server will match the identifiers listed by a client against
its own compression methods and will unconditionally activate compression
when a matching identifier is found. There is no way to restrict the list
of compression methods supported on a per connection basis.
.PP
If enabled during compilation, the OpenSSL library will have the
\&\fBCOMP_zlib()\fR compression method available.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_COMP_add_compression_method()\fR may return the following values:
.IP "0" 4
The operation succeeded.
.IP "1" 4
.IX Item "1"
The operation failed. Check the error queue to find out the reason.
.PP
\&\fBSSL_COMP_get_compression_methods()\fR returns the stack of compressions methods or
\&\s-1NULL\s0 on error.
.PP
\&\fBSSL_COMP_get0_name()\fR returns the name of the compression method or \s-1NULL\s0 on error.
.PP
\&\fBSSL_COMP_get_id()\fR returns the name of the compression method or \-1 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_COMP_free_compression_methods()\fR function was deprecated in OpenSSL 1.1.0.
The \fBSSL_COMP_get0_name()\fR and \fBSSL_comp_get_id()\fR functions were added in OpenSSL 1.1.0d.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_new.3 b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_new.3
index 017db60caef3..6239df4f7318 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_new.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_new.3
@@ -1,181 +1,181 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CONF_CTX_NEW 3"
-.TH SSL_CONF_CTX_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CONF_CTX_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CONF_CTX_new, SSL_CONF_CTX_free \- SSL configuration allocation functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& SSL_CONF_CTX *SSL_CONF_CTX_new(void);
\& void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The function \fBSSL_CONF_CTX_new()\fR allocates and initialises an \fB\s-1SSL_CONF_CTX\s0\fR
structure for use with the \s-1SSL_CONF\s0 functions.
.PP
The function \fBSSL_CONF_CTX_free()\fR frees up the context \fBcctx\fR.
If \fBcctx\fR is \s-1NULL\s0 nothing is done.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CONF_CTX_new()\fR returns either the newly allocated \fB\s-1SSL_CONF_CTX\s0\fR structure
or \fB\s-1NULL\s0\fR if an error occurs.
.PP
\&\fBSSL_CONF_CTX_free()\fR does not return a value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_CONF_CTX_set_flags\fR\|(3),
\&\fBSSL_CONF_CTX_set_ssl_ctx\fR\|(3),
\&\fBSSL_CONF_CTX_set1_prefix\fR\|(3),
\&\fBSSL_CONF_cmd\fR\|(3),
\&\fBSSL_CONF_cmd_argv\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.2.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2012\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set1_prefix.3 b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set1_prefix.3
index aac78e98a032..679641cf82cb 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set1_prefix.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set1_prefix.3
@@ -1,188 +1,188 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CONF_CTX_SET1_PREFIX 3"
-.TH SSL_CONF_CTX_SET1_PREFIX 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CONF_CTX_SET1_PREFIX 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CONF_CTX_set1_prefix \- Set configuration context command prefix
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& unsigned int SSL_CONF_CTX_set1_prefix(SSL_CONF_CTX *cctx, const char *prefix);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The function \fBSSL_CONF_CTX_set1_prefix()\fR sets the command prefix of \fBcctx\fR
to \fBprefix\fR. If \fBprefix\fR is \fB\s-1NULL\s0\fR it is restored to the default value.
.SH "NOTES"
.IX Header "NOTES"
Command prefixes alter the commands recognised by subsequent \fBSSL_CONF_cmd()\fR
calls. For example for files, if the prefix \*(L"\s-1SSL\*(R"\s0 is set then command names
such as \*(L"SSLProtocol\*(R", \*(L"SSLOptions\*(R" etc. are recognised instead of \*(L"Protocol\*(R"
and \*(L"Options\*(R". Similarly for command lines if the prefix is \*(L"\-\-ssl\-\*(R" then
\&\*(L"\-\-ssl\-no_tls1_2\*(R" is recognised instead of \*(L"\-no_tls1_2\*(R".
.PP
If the \fB\s-1SSL_CONF_FLAG_CMDLINE\s0\fR flag is set then prefix checks are case
sensitive and \*(L"\-\*(R" is the default. In the unlikely even an application
explicitly wants to set no prefix it must be explicitly set to "".
.PP
If the \fB\s-1SSL_CONF_FLAG_FILE\s0\fR flag is set then prefix checks are case
insensitive and no prefix is the default.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CONF_CTX_set1_prefix()\fR returns 1 for success and 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_CONF_CTX_new\fR\|(3),
\&\fBSSL_CONF_CTX_set_flags\fR\|(3),
\&\fBSSL_CONF_CTX_set_ssl_ctx\fR\|(3),
\&\fBSSL_CONF_cmd\fR\|(3),
\&\fBSSL_CONF_cmd_argv\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.2.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2012\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_flags.3 b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_flags.3
index 8d43ccadc99c..f6e604f4d38d 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_flags.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_flags.3
@@ -1,205 +1,205 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CONF_CTX_SET_FLAGS 3"
-.TH SSL_CONF_CTX_SET_FLAGS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CONF_CTX_SET_FLAGS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CONF_CTX_set_flags, SSL_CONF_CTX_clear_flags \- Set or clear SSL configuration context flags
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& unsigned int SSL_CONF_CTX_set_flags(SSL_CONF_CTX *cctx, unsigned int flags);
\& unsigned int SSL_CONF_CTX_clear_flags(SSL_CONF_CTX *cctx, unsigned int flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The function \fBSSL_CONF_CTX_set_flags()\fR sets \fBflags\fR in the context \fBcctx\fR.
.PP
The function \fBSSL_CONF_CTX_clear_flags()\fR clears \fBflags\fR in the context \fBcctx\fR.
.SH "NOTES"
.IX Header "NOTES"
The flags set affect how subsequent calls to \fBSSL_CONF_cmd()\fR or
\&\fBSSL_CONF_argv()\fR behave.
.PP
Currently the following \fBflags\fR values are recognised:
.IP "\s-1SSL_CONF_FLAG_CMDLINE, SSL_CONF_FLAG_FILE\s0" 4
.IX Item "SSL_CONF_FLAG_CMDLINE, SSL_CONF_FLAG_FILE"
recognise options intended for command line or configuration file use. At
least one of these flags must be set.
.IP "\s-1SSL_CONF_FLAG_CLIENT, SSL_CONF_FLAG_SERVER\s0" 4
.IX Item "SSL_CONF_FLAG_CLIENT, SSL_CONF_FLAG_SERVER"
recognise options intended for use in \s-1SSL/TLS\s0 clients or servers. One or
both of these flags must be set.
.IP "\s-1SSL_CONF_FLAG_CERTIFICATE\s0" 4
.IX Item "SSL_CONF_FLAG_CERTIFICATE"
recognise certificate and private key options.
.IP "\s-1SSL_CONF_FLAG_REQUIRE_PRIVATE\s0" 4
.IX Item "SSL_CONF_FLAG_REQUIRE_PRIVATE"
If this option is set then if a private key is not specified for a certificate
it will attempt to load a private key from the certificate file when
\&\fBSSL_CONF_CTX_finish()\fR is called. If a key cannot be loaded from the certificate
file an error occurs.
.IP "\s-1SSL_CONF_FLAG_SHOW_ERRORS\s0" 4
.IX Item "SSL_CONF_FLAG_SHOW_ERRORS"
indicate errors relating to unrecognised options or missing arguments in
the error queue. If this option isn't set such errors are only reflected
in the return values of \fBSSL_CONF_set_cmd()\fR or \fBSSL_CONF_set_argv()\fR
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CONF_CTX_set_flags()\fR and \fBSSL_CONF_CTX_clear_flags()\fR returns the new flags
value after setting or clearing flags.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_CONF_CTX_new\fR\|(3),
\&\fBSSL_CONF_CTX_set_ssl_ctx\fR\|(3),
\&\fBSSL_CONF_CTX_set1_prefix\fR\|(3),
\&\fBSSL_CONF_cmd\fR\|(3),
\&\fBSSL_CONF_cmd_argv\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.2.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2012\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_ssl_ctx.3 b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_ssl_ctx.3
index 6a14658cf7ce..c755b1ac6bca 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_ssl_ctx.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CONF_CTX_set_ssl_ctx.3
@@ -1,186 +1,186 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CONF_CTX_SET_SSL_CTX 3"
-.TH SSL_CONF_CTX_SET_SSL_CTX 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CONF_CTX_SET_SSL_CTX 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CONF_CTX_set_ssl_ctx, SSL_CONF_CTX_set_ssl \- set context to configure
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx);
\& void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CONF_CTX_set_ssl_ctx()\fR sets the context associated with \fBcctx\fR to the
\&\fB\s-1SSL_CTX\s0\fR structure \fBctx\fR. Any previous \fB\s-1SSL\s0\fR or \fB\s-1SSL_CTX\s0\fR associated with
\&\fBcctx\fR is cleared. Subsequent calls to \fBSSL_CONF_cmd()\fR will be sent to
\&\fBctx\fR.
.PP
\&\fBSSL_CONF_CTX_set_ssl()\fR sets the context associated with \fBcctx\fR to the
\&\fB\s-1SSL\s0\fR structure \fBssl\fR. Any previous \fB\s-1SSL\s0\fR or \fB\s-1SSL_CTX\s0\fR associated with
\&\fBcctx\fR is cleared. Subsequent calls to \fBSSL_CONF_cmd()\fR will be sent to
\&\fBssl\fR.
.SH "NOTES"
.IX Header "NOTES"
The context need not be set or it can be set to \fB\s-1NULL\s0\fR in which case only
syntax checking of commands is performed, where possible.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CONF_CTX_set_ssl_ctx()\fR and \fBSSL_CTX_set_ssl()\fR do not return a value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_CONF_CTX_new\fR\|(3),
\&\fBSSL_CONF_CTX_set_flags\fR\|(3),
\&\fBSSL_CONF_CTX_set1_prefix\fR\|(3),
\&\fBSSL_CONF_cmd\fR\|(3),
\&\fBSSL_CONF_cmd_argv\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.2.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2012\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CONF_cmd.3 b/secure/lib/libcrypto/man/man3/SSL_CONF_cmd.3
index 2e5c97dc0ca1..b282fbf4b733 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CONF_cmd.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CONF_cmd.3
@@ -1,792 +1,792 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CONF_CMD 3"
-.TH SSL_CONF_CMD 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CONF_CMD 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CONF_cmd_value_type, SSL_CONF_cmd \- send configuration command
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value);
\& int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The function \fBSSL_CONF_cmd()\fR performs configuration operation \fBcmd\fR with
optional parameter \fBvalue\fR on \fBctx\fR. Its purpose is to simplify application
configuration of \fB\s-1SSL_CTX\s0\fR or \fB\s-1SSL\s0\fR structures by providing a common
framework for command line options or configuration files.
.PP
\&\fBSSL_CONF_cmd_value_type()\fR returns the type of value that \fBcmd\fR refers to.
.SH "SUPPORTED COMMAND LINE COMMANDS"
.IX Header "SUPPORTED COMMAND LINE COMMANDS"
Currently supported \fBcmd\fR names for command lines (i.e. when the
flag \fB\s-1SSL_CONF_CMDLINE\s0\fR is set) are listed below. Note: all \fBcmd\fR names
are case sensitive. Unless otherwise stated commands can be used by
both clients and servers and the \fBvalue\fR parameter is not used. The default
prefix for command line commands is \fB\-\fR and that is reflected below.
.IP "\fB\-sigalgs\fR" 4
.IX Item "-sigalgs"
This sets the supported signature algorithms for TLSv1.2 and TLSv1.3.
For clients this
value is used directly for the supported signature algorithms extension. For
servers it is used to determine which signature algorithms to support.
.Sp
The \fBvalue\fR argument should be a colon separated list of signature algorithms
in order of decreasing preference of the form \fBalgorithm+hash\fR or
\&\fBsignature_scheme\fR. \fBalgorithm\fR
is one of \fB\s-1RSA\s0\fR, \fB\s-1DSA\s0\fR or \fB\s-1ECDSA\s0\fR and \fBhash\fR is a supported algorithm
\&\s-1OID\s0 short name such as \fB\s-1SHA1\s0\fR, \fB\s-1SHA224\s0\fR, \fB\s-1SHA256\s0\fR, \fB\s-1SHA384\s0\fR of \fB\s-1SHA512\s0\fR.
Note: algorithm and hash names are case sensitive.
\&\fBsignature_scheme\fR is one of the signature schemes defined in TLSv1.3,
specified using the \s-1IETF\s0 name, e.g., \fBecdsa_secp256r1_sha256\fR, \fBed25519\fR,
or \fBrsa_pss_pss_sha256\fR.
.Sp
If this option is not set then all signature algorithms supported by the
OpenSSL library are permissible.
.Sp
Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by
using \fB\s-1RSA\s0\fR as the \fBalgorithm\fR or by using one of the \fBrsa_pkcs1_*\fR
identifiers) are ignored in TLSv1.3 and will not be negotiated.
.IP "\fB\-client_sigalgs\fR" 4
.IX Item "-client_sigalgs"
This sets the supported signature algorithms associated with client
authentication for TLSv1.2 and TLSv1.3.
For servers the value is used in the
\&\fBsignature_algorithms\fR field of a \fBCertificateRequest\fR message.
For clients it is
used to determine which signature algorithm to use with the client certificate.
If a server does not request a certificate this option has no effect.
.Sp
The syntax of \fBvalue\fR is identical to \fB\-sigalgs\fR. If not set then
the value set for \fB\-sigalgs\fR will be used instead.
.IP "\fB\-groups\fR" 4
.IX Item "-groups"
This sets the supported groups. For clients, the groups are
sent using the supported groups extension. For servers, it is used
to determine which group to use. This setting affects groups used for
signatures (in TLSv1.2 and earlier) and key exchange. The first group listed
will also be used for the \fBkey_share\fR sent by a client in a TLSv1.3
\&\fBClientHello\fR.
.Sp
The \fBvalue\fR argument is a colon separated list of groups. The group can be
either the \fB\s-1NIST\s0\fR name (e.g. \fBP\-256\fR), some other commonly used name where
applicable (e.g. \fBX25519\fR) or an OpenSSL \s-1OID\s0 name (e.g. \fBprime256v1\fR). Group
names are case sensitive. The list should be in order of preference with the
most preferred group first.
.IP "\fB\-curves\fR" 4
.IX Item "-curves"
This is a synonym for the \*(L"\-groups\*(R" command.
.IP "\fB\-named_curve\fR" 4
.IX Item "-named_curve"
This sets the temporary curve used for ephemeral \s-1ECDH\s0 modes. Only used by
servers
.Sp
The \fBvalue\fR argument is a curve name or the special value \fBauto\fR which
picks an appropriate curve based on client and server preferences. The curve
can be either the \fB\s-1NIST\s0\fR name (e.g. \fBP\-256\fR) or an OpenSSL \s-1OID\s0 name
(e.g. \fBprime256v1\fR). Curve names are case sensitive.
.IP "\fB\-cipher\fR" 4
.IX Item "-cipher"
Sets the TLSv1.2 and below ciphersuite list to \fBvalue\fR. This list will be
combined with any configured TLSv1.3 ciphersuites. Note: syntax checking
of \fBvalue\fR is currently not performed unless a \fB\s-1SSL\s0\fR or \fB\s-1SSL_CTX\s0\fR structure is
associated with \fBcctx\fR.
.IP "\fB\-ciphersuites\fR" 4
.IX Item "-ciphersuites"
Sets the available ciphersuites for TLSv1.3 to value. This is a simple colon
(\*(L":\*(R") separated list of TLSv1.3 ciphersuite names in order of preference. This
list will be combined any configured TLSv1.2 and below ciphersuites.
See \fBciphers\fR\|(1) for more information.
.IP "\fB\-cert\fR" 4
.IX Item "-cert"
Attempts to use the file \fBvalue\fR as the certificate for the appropriate
context. It currently uses \fBSSL_CTX_use_certificate_chain_file()\fR if an \fB\s-1SSL_CTX\s0\fR
structure is set or \fBSSL_use_certificate_file()\fR with filetype \s-1PEM\s0 if an \fB\s-1SSL\s0\fR
structure is set. This option is only supported if certificate operations
are permitted.
.IP "\fB\-key\fR" 4
.IX Item "-key"
Attempts to use the file \fBvalue\fR as the private key for the appropriate
context. This option is only supported if certificate operations
are permitted. Note: if no \fB\-key\fR option is set then a private key is
not loaded unless the flag \fB\s-1SSL_CONF_FLAG_REQUIRE_PRIVATE\s0\fR is set.
.IP "\fB\-dhparam\fR" 4
.IX Item "-dhparam"
Attempts to use the file \fBvalue\fR as the set of temporary \s-1DH\s0 parameters for
the appropriate context. This option is only supported if certificate
operations are permitted.
.IP "\fB\-record_padding\fR" 4
.IX Item "-record_padding"
Attempts to pad TLSv1.3 records so that they are a multiple of \fBvalue\fR in
length on send. A \fBvalue\fR of 0 or 1 turns off padding. Otherwise, the
\&\fBvalue\fR must be >1 or <=16384.
.IP "\fB\-no_renegotiation\fR" 4
.IX Item "-no_renegotiation"
Disables all attempts at renegotiation in TLSv1.2 and earlier, same as setting
\&\fB\s-1SSL_OP_NO_RENEGOTIATION\s0\fR.
.IP "\fB\-min_protocol\fR, \fB\-max_protocol\fR" 4
.IX Item "-min_protocol, -max_protocol"
Sets the minimum and maximum supported protocol.
Currently supported protocol values are \fBSSLv3\fR, \fBTLSv1\fR, \fBTLSv1.1\fR,
\&\fBTLSv1.2\fR, \fBTLSv1.3\fR for \s-1TLS\s0; \fBDTLSv1\fR, \fBDTLSv1.2\fR for \s-1DTLS,\s0 and \fBNone\fR
for no limit.
If either the lower or upper bound is not specified then only the other bound
applies, if specified.
If your application supports both \s-1TLS\s0 and \s-1DTLS\s0 you can specify any of these
options twice, once with a bound for \s-1TLS\s0 and again with an appropriate bound
for \s-1DTLS.\s0
To restrict the supported protocol versions use these commands rather than the
deprecated alternative commands below.
.IP "\fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR, \fB\-no_tls1_3\fR" 4
.IX Item "-no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3"
Disables protocol support for SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 by
setting the corresponding options \fBSSL_OP_NO_SSLv3\fR, \fBSSL_OP_NO_TLSv1\fR,
\&\fBSSL_OP_NO_TLSv1_1\fR, \fBSSL_OP_NO_TLSv1_2\fR and \fBSSL_OP_NO_TLSv1_3\fR
respectively. These options are deprecated, instead use \fB\-min_protocol\fR and
\&\fB\-max_protocol\fR.
.IP "\fB\-bugs\fR" 4
.IX Item "-bugs"
Various bug workarounds are set, same as setting \fB\s-1SSL_OP_ALL\s0\fR.
.IP "\fB\-comp\fR" 4
.IX Item "-comp"
Enables support for \s-1SSL/TLS\s0 compression, same as clearing
\&\fB\s-1SSL_OP_NO_COMPRESSION\s0\fR.
This command was introduced in OpenSSL 1.1.0.
As of OpenSSL 1.1.0, compression is off by default.
.IP "\fB\-no_comp\fR" 4
.IX Item "-no_comp"
Disables support for \s-1SSL/TLS\s0 compression, same as setting
\&\fB\s-1SSL_OP_NO_COMPRESSION\s0\fR.
As of OpenSSL 1.1.0, compression is off by default.
.IP "\fB\-no_ticket\fR" 4
.IX Item "-no_ticket"
Disables support for session tickets, same as setting \fB\s-1SSL_OP_NO_TICKET\s0\fR.
.IP "\fB\-serverpref\fR" 4
.IX Item "-serverpref"
Use server and not client preference order when determining which cipher suite,
signature algorithm or elliptic curve to use for an incoming connection.
Equivalent to \fB\s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0\fR. Only used by servers.
.IP "\fB\-prioritize_chacha\fR" 4
.IX Item "-prioritize_chacha"
Prioritize ChaCha ciphers when the client has a ChaCha20 cipher at the top of
its preference list. This usually indicates a client without \s-1AES\s0 hardware
acceleration (e.g. mobile) is in use. Equivalent to \fB\s-1SSL_OP_PRIORITIZE_CHACHA\s0\fR.
Only used by servers. Requires \fB\-serverpref\fR.
.IP "\fB\-no_resumption_on_reneg\fR" 4
.IX Item "-no_resumption_on_reneg"
set \s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0 flag. Only used by servers.
.IP "\fB\-legacyrenegotiation\fR" 4
.IX Item "-legacyrenegotiation"
permits the use of unsafe legacy renegotiation. Equivalent to setting
\&\fB\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0\fR.
.IP "\fB\-legacy_server_connect\fR, \fB\-no_legacy_server_connect\fR" 4
.IX Item "-legacy_server_connect, -no_legacy_server_connect"
permits or prohibits the use of unsafe legacy renegotiation for OpenSSL
clients only. Equivalent to setting or clearing \fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR.
Set by default.
.IP "\fB\-allow_no_dhe_kex\fR" 4
.IX Item "-allow_no_dhe_kex"
In TLSv1.3 allow a non\-(ec)dhe based key exchange mode on resumption. This means
that there will be no forward secrecy for the resumed session.
.IP "\fB\-strict\fR" 4
.IX Item "-strict"
enables strict mode protocol handling. Equivalent to setting
\&\fB\s-1SSL_CERT_FLAG_TLS_STRICT\s0\fR.
.IP "\fB\-anti_replay\fR, \fB\-no_anti_replay\fR" 4
.IX Item "-anti_replay, -no_anti_replay"
Switches replay protection, on or off respectively. With replay protection on,
OpenSSL will automatically detect if a session ticket has been used more than
once, TLSv1.3 has been negotiated, and early data is enabled on the server. A
full handshake is forced if a session ticket is used a second or subsequent
time. Anti-Replay is on by default unless overridden by a configuration file and
is only used by servers. Anti-replay measures are required for compliance with
the TLSv1.3 specification. Some applications may be able to mitigate the replay
risks in other ways and in such cases the built-in OpenSSL functionality is not
required. Switching off anti-replay is equivalent to \fB\s-1SSL_OP_NO_ANTI_REPLAY\s0\fR.
.SH "SUPPORTED CONFIGURATION FILE COMMANDS"
.IX Header "SUPPORTED CONFIGURATION FILE COMMANDS"
Currently supported \fBcmd\fR names for configuration files (i.e. when the
flag \fB\s-1SSL_CONF_FLAG_FILE\s0\fR is set) are listed below. All configuration file
\&\fBcmd\fR names are case insensitive so \fBsignaturealgorithms\fR is recognised
as well as \fBSignatureAlgorithms\fR. Unless otherwise stated the \fBvalue\fR names
are also case insensitive.
.PP
Note: the command prefix (if set) alters the recognised \fBcmd\fR values.
.IP "\fBCipherString\fR" 4
.IX Item "CipherString"
Sets the ciphersuite list for TLSv1.2 and below to \fBvalue\fR. This list will be
combined with any configured TLSv1.3 ciphersuites. Note: syntax
checking of \fBvalue\fR is currently not performed unless an \fB\s-1SSL\s0\fR or \fB\s-1SSL_CTX\s0\fR
structure is associated with \fBcctx\fR.
.IP "\fBCiphersuites\fR" 4
.IX Item "Ciphersuites"
Sets the available ciphersuites for TLSv1.3 to \fBvalue\fR. This is a simple colon
(\*(L":\*(R") separated list of TLSv1.3 ciphersuite names in order of preference. This
list will be combined any configured TLSv1.2 and below ciphersuites.
See \fBciphers\fR\|(1) for more information.
.IP "\fBCertificate\fR" 4
.IX Item "Certificate"
Attempts to use the file \fBvalue\fR as the certificate for the appropriate
context. It currently uses \fBSSL_CTX_use_certificate_chain_file()\fR if an \fB\s-1SSL_CTX\s0\fR
structure is set or \fBSSL_use_certificate_file()\fR with filetype \s-1PEM\s0 if an \fB\s-1SSL\s0\fR
structure is set. This option is only supported if certificate operations
are permitted.
.IP "\fBPrivateKey\fR" 4
.IX Item "PrivateKey"
Attempts to use the file \fBvalue\fR as the private key for the appropriate
context. This option is only supported if certificate operations
are permitted. Note: if no \fBPrivateKey\fR option is set then a private key is
not loaded unless the \fB\s-1SSL_CONF_FLAG_REQUIRE_PRIVATE\s0\fR is set.
.IP "\fBChainCAFile\fR, \fBChainCAPath\fR, \fBVerifyCAFile\fR, \fBVerifyCAPath\fR" 4
.IX Item "ChainCAFile, ChainCAPath, VerifyCAFile, VerifyCAPath"
These options indicate a file or directory used for building certificate
chains or verifying certificate chains. These options are only supported
if certificate operations are permitted.
.IP "\fBRequestCAFile\fR" 4
.IX Item "RequestCAFile"
This option indicates a file containing a set of certificates in \s-1PEM\s0 form.
The subject names of the certificates are sent to the peer in the
\&\fBcertificate_authorities\fR extension for \s-1TLS 1.3\s0 (in ClientHello or
CertificateRequest) or in a certificate request for previous versions or
\&\s-1TLS.\s0
.IP "\fBServerInfoFile\fR" 4
.IX Item "ServerInfoFile"
Attempts to use the file \fBvalue\fR in the \*(L"serverinfo\*(R" extension using the
function SSL_CTX_use_serverinfo_file.
.IP "\fBDHParameters\fR" 4
.IX Item "DHParameters"
Attempts to use the file \fBvalue\fR as the set of temporary \s-1DH\s0 parameters for
the appropriate context. This option is only supported if certificate
operations are permitted.
.IP "\fBRecordPadding\fR" 4
.IX Item "RecordPadding"
Attempts to pad TLSv1.3 records so that they are a multiple of \fBvalue\fR in
length on send. A \fBvalue\fR of 0 or 1 turns off padding. Otherwise, the
\&\fBvalue\fR must be >1 or <=16384.
.IP "\fBSignatureAlgorithms\fR" 4
.IX Item "SignatureAlgorithms"
This sets the supported signature algorithms for TLSv1.2 and TLSv1.3.
For clients this
value is used directly for the supported signature algorithms extension. For
servers it is used to determine which signature algorithms to support.
.Sp
The \fBvalue\fR argument should be a colon separated list of signature algorithms
in order of decreasing preference of the form \fBalgorithm+hash\fR or
\&\fBsignature_scheme\fR. \fBalgorithm\fR
is one of \fB\s-1RSA\s0\fR, \fB\s-1DSA\s0\fR or \fB\s-1ECDSA\s0\fR and \fBhash\fR is a supported algorithm
\&\s-1OID\s0 short name such as \fB\s-1SHA1\s0\fR, \fB\s-1SHA224\s0\fR, \fB\s-1SHA256\s0\fR, \fB\s-1SHA384\s0\fR of \fB\s-1SHA512\s0\fR.
Note: algorithm and hash names are case sensitive.
\&\fBsignature_scheme\fR is one of the signature schemes defined in TLSv1.3,
specified using the \s-1IETF\s0 name, e.g., \fBecdsa_secp256r1_sha256\fR, \fBed25519\fR,
or \fBrsa_pss_pss_sha256\fR.
.Sp
If this option is not set then all signature algorithms supported by the
OpenSSL library are permissible.
.Sp
Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by
using \fB\s-1RSA\s0\fR as the \fBalgorithm\fR or by using one of the \fBrsa_pkcs1_*\fR
identifiers) are ignored in TLSv1.3 and will not be negotiated.
.IP "\fBClientSignatureAlgorithms\fR" 4
.IX Item "ClientSignatureAlgorithms"
This sets the supported signature algorithms associated with client
authentication for TLSv1.2 and TLSv1.3.
For servers the value is used in the
\&\fBsignature_algorithms\fR field of a \fBCertificateRequest\fR message.
For clients it is
used to determine which signature algorithm to use with the client certificate.
If a server does not request a certificate this option has no effect.
.Sp
The syntax of \fBvalue\fR is identical to \fBSignatureAlgorithms\fR. If not set then
the value set for \fBSignatureAlgorithms\fR will be used instead.
.IP "\fBGroups\fR" 4
.IX Item "Groups"
This sets the supported groups. For clients, the groups are
sent using the supported groups extension. For servers, it is used
to determine which group to use. This setting affects groups used for
signatures (in TLSv1.2 and earlier) and key exchange. The first group listed
will also be used for the \fBkey_share\fR sent by a client in a TLSv1.3
\&\fBClientHello\fR.
.Sp
The \fBvalue\fR argument is a colon separated list of groups. The group can be
either the \fB\s-1NIST\s0\fR name (e.g. \fBP\-256\fR), some other commonly used name where
applicable (e.g. \fBX25519\fR) or an OpenSSL \s-1OID\s0 name (e.g. \fBprime256v1\fR). Group
names are case sensitive. The list should be in order of preference with the
most preferred group first.
.IP "\fBCurves\fR" 4
.IX Item "Curves"
This is a synonym for the \*(L"Groups\*(R" command.
.IP "\fBMinProtocol\fR" 4
.IX Item "MinProtocol"
This sets the minimum supported \s-1SSL, TLS\s0 or \s-1DTLS\s0 version.
.Sp
Currently supported protocol values are \fBSSLv3\fR, \fBTLSv1\fR, \fBTLSv1.1\fR,
\&\fBTLSv1.2\fR, \fBTLSv1.3\fR, \fBDTLSv1\fR and \fBDTLSv1.2\fR.
The \s-1SSL\s0 and \s-1TLS\s0 bounds apply only to TLS-based contexts, while the \s-1DTLS\s0 bounds
apply only to DTLS-based contexts.
The command can be repeated with one instance setting a \s-1TLS\s0 bound, and the
other setting a \s-1DTLS\s0 bound.
The value \fBNone\fR applies to both types of contexts and disables the limits.
.IP "\fBMaxProtocol\fR" 4
.IX Item "MaxProtocol"
This sets the maximum supported \s-1SSL, TLS\s0 or \s-1DTLS\s0 version.
.Sp
Currently supported protocol values are \fBSSLv3\fR, \fBTLSv1\fR, \fBTLSv1.1\fR,
\&\fBTLSv1.2\fR, \fBTLSv1.3\fR, \fBDTLSv1\fR and \fBDTLSv1.2\fR.
The \s-1SSL\s0 and \s-1TLS\s0 bounds apply only to TLS-based contexts, while the \s-1DTLS\s0 bounds
apply only to DTLS-based contexts.
The command can be repeated with one instance setting a \s-1TLS\s0 bound, and the
other setting a \s-1DTLS\s0 bound.
The value \fBNone\fR applies to both types of contexts and disables the limits.
.IP "\fBProtocol\fR" 4
.IX Item "Protocol"
This can be used to enable or disable certain versions of the \s-1SSL,
TLS\s0 or \s-1DTLS\s0 protocol.
.Sp
The \fBvalue\fR argument is a comma separated list of supported protocols
to enable or disable.
If a protocol is preceded by \fB\-\fR that version is disabled.
.Sp
All protocol versions are enabled by default.
You need to disable at least one protocol version for this setting have any
effect.
Only enabling some protocol versions does not disable the other protocol
versions.
.Sp
Currently supported protocol values are \fBSSLv3\fR, \fBTLSv1\fR, \fBTLSv1.1\fR,
\&\fBTLSv1.2\fR, \fBTLSv1.3\fR, \fBDTLSv1\fR and \fBDTLSv1.2\fR.
The special value \fB\s-1ALL\s0\fR refers to all supported versions.
.Sp
This can't enable protocols that are disabled using \fBMinProtocol\fR
or \fBMaxProtocol\fR, but can disable protocols that are still allowed
by them.
.Sp
The \fBProtocol\fR command is fragile and deprecated; do not use it.
Use \fBMinProtocol\fR and \fBMaxProtocol\fR instead.
If you do use \fBProtocol\fR, make sure that the resulting range of enabled
protocols has no \*(L"holes\*(R", e.g. if \s-1TLS 1.0\s0 and \s-1TLS 1.2\s0 are both enabled, make
sure to also leave \s-1TLS 1.1\s0 enabled.
.IP "\fBOptions\fR" 4
.IX Item "Options"
The \fBvalue\fR argument is a comma separated list of various flags to set.
If a flag string is preceded \fB\-\fR it is disabled.
See the \fBSSL_CTX_set_options\fR\|(3) function for more details of
individual options.
.Sp
Each option is listed below. Where an operation is enabled by default
the \fB\-flag\fR syntax is needed to disable it.
.Sp
\&\fBSessionTicket\fR: session ticket support, enabled by default. Inverse of
\&\fB\s-1SSL_OP_NO_TICKET\s0\fR: that is \fB\-SessionTicket\fR is the same as setting
\&\fB\s-1SSL_OP_NO_TICKET\s0\fR.
.Sp
-\&\fBCompression\fR: \s-1SSL/TLS\s0 compression support, enabled by default. Inverse
+\&\fBCompression\fR: \s-1SSL/TLS\s0 compression support, disabled by default. Inverse
of \fB\s-1SSL_OP_NO_COMPRESSION\s0\fR.
.Sp
\&\fBEmptyFragments\fR: use empty fragments as a countermeasure against a
\&\s-1SSL 3.0/TLS 1.0\s0 protocol vulnerability affecting \s-1CBC\s0 ciphers. It
is set by default. Inverse of \fB\s-1SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS\s0\fR.
.Sp
\&\fBBugs\fR: enable various bug workarounds. Same as \fB\s-1SSL_OP_ALL\s0\fR.
.Sp
\&\fBDHSingle\fR: enable single use \s-1DH\s0 keys, set by default. Inverse of
\&\fB\s-1SSL_OP_DH_SINGLE\s0\fR. Only used by servers.
.Sp
\&\fBECDHSingle\fR: enable single use \s-1ECDH\s0 keys, set by default. Inverse of
\&\fB\s-1SSL_OP_ECDH_SINGLE\s0\fR. Only used by servers.
.Sp
\&\fBServerPreference\fR: use server and not client preference order when
determining which cipher suite, signature algorithm or elliptic curve
to use for an incoming connection. Equivalent to
\&\fB\s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0\fR. Only used by servers.
.Sp
\&\fBPrioritizeChaCha\fR: prioritizes ChaCha ciphers when the client has a
ChaCha20 cipher at the top of its preference list. This usually indicates
a mobile client is in use. Equivalent to \fB\s-1SSL_OP_PRIORITIZE_CHACHA\s0\fR.
Only used by servers.
.Sp
\&\fBNoResumptionOnRenegotiation\fR: set
\&\fB\s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0\fR flag. Only used by servers.
.Sp
\&\fBNoRenegotiation\fR: disables all attempts at renegotiation in TLSv1.2 and
earlier, same as setting \fB\s-1SSL_OP_NO_RENEGOTIATION\s0\fR.
.Sp
\&\fBUnsafeLegacyRenegotiation\fR: permits the use of unsafe legacy renegotiation.
Equivalent to \fB\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0\fR.
.Sp
\&\fBUnsafeLegacyServerConnect\fR: permits the use of unsafe legacy renegotiation
for OpenSSL clients only. Equivalent to \fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR.
Set by default.
.Sp
\&\fBEncryptThenMac\fR: use encrypt-then-mac extension, enabled by
default. Inverse of \fB\s-1SSL_OP_NO_ENCRYPT_THEN_MAC\s0\fR: that is,
\&\fB\-EncryptThenMac\fR is the same as setting \fB\s-1SSL_OP_NO_ENCRYPT_THEN_MAC\s0\fR.
.Sp
\&\fBAllowNoDHEKEX\fR: In TLSv1.3 allow a non\-(ec)dhe based key exchange mode on
resumption. This means that there will be no forward secrecy for the resumed
session. Equivalent to \fB\s-1SSL_OP_ALLOW_NO_DHE_KEX\s0\fR.
.Sp
\&\fBMiddleboxCompat\fR: If set then dummy Change Cipher Spec (\s-1CCS\s0) messages are sent
in TLSv1.3. This has the effect of making TLSv1.3 look more like TLSv1.2 so that
middleboxes that do not understand TLSv1.3 will not drop the connection. This
option is set by default. A future version of OpenSSL may not set this by
default. Equivalent to \fB\s-1SSL_OP_ENABLE_MIDDLEBOX_COMPAT\s0\fR.
.Sp
\&\fBAntiReplay\fR: If set then OpenSSL will automatically detect if a session ticket
has been used more than once, TLSv1.3 has been negotiated, and early data is
enabled on the server. A full handshake is forced if a session ticket is used a
second or subsequent time. This option is set by default and is only used by
servers. Anti-replay measures are required to comply with the TLSv1.3
specification. Some applications may be able to mitigate the replay risks in
other ways and in such cases the built-in OpenSSL functionality is not required.
Disabling anti-replay is equivalent to setting \fB\s-1SSL_OP_NO_ANTI_REPLAY\s0\fR.
.Sp
\&\fB\s-1KTLS\s0\fR: Enables kernel \s-1TLS\s0 if support has been compiled in, and it is supported
by the negotiated ciphersuites and extensions. Equivalent to
\&\fB\s-1SSL_OP_ENABLE_KTLS\s0\fR.
.IP "\fBVerifyMode\fR" 4
.IX Item "VerifyMode"
The \fBvalue\fR argument is a comma separated list of flags to set.
.Sp
\&\fBPeer\fR enables peer verification: for clients only.
.Sp
\&\fBRequest\fR requests but does not require a certificate from the client.
Servers only.
.Sp
\&\fBRequire\fR requests and requires a certificate from the client: an error
occurs if the client does not present a certificate. Servers only.
.Sp
\&\fBOnce\fR requests a certificate from a client only on the initial connection:
not when renegotiating. Servers only.
.Sp
\&\fBRequestPostHandshake\fR configures the connection to support requests but does
not require a certificate from the client post-handshake. A certificate will
not be requested during the initial handshake. The server application must
provide a mechanism to request a certificate post-handshake. Servers only.
TLSv1.3 only.
.Sp
\&\fBRequiresPostHandshake\fR configures the connection to support requests and
requires a certificate from the client post-handshake: an error occurs if the
client does not present a certificate. A certificate will not be requested
during the initial handshake. The server application must provide a mechanism
to request a certificate post-handshake. Servers only. TLSv1.3 only.
.IP "\fBClientCAFile\fR, \fBClientCAPath\fR" 4
.IX Item "ClientCAFile, ClientCAPath"
A file or directory of certificates in \s-1PEM\s0 format whose names are used as the
set of acceptable names for client CAs. Servers only. This option is only
supported if certificate operations are permitted.
.SH "SUPPORTED COMMAND TYPES"
.IX Header "SUPPORTED COMMAND TYPES"
The function \fBSSL_CONF_cmd_value_type()\fR currently returns one of the following
types:
.IP "\fB\s-1SSL_CONF_TYPE_UNKNOWN\s0\fR" 4
.IX Item "SSL_CONF_TYPE_UNKNOWN"
The \fBcmd\fR string is unrecognised, this return value can be use to flag
syntax errors.
.IP "\fB\s-1SSL_CONF_TYPE_STRING\s0\fR" 4
.IX Item "SSL_CONF_TYPE_STRING"
The value is a string without any specific structure.
.IP "\fB\s-1SSL_CONF_TYPE_FILE\s0\fR" 4
.IX Item "SSL_CONF_TYPE_FILE"
The value is a filename.
.IP "\fB\s-1SSL_CONF_TYPE_DIR\s0\fR" 4
.IX Item "SSL_CONF_TYPE_DIR"
The value is a directory name.
.IP "\fB\s-1SSL_CONF_TYPE_NONE\s0\fR" 4
.IX Item "SSL_CONF_TYPE_NONE"
The value string is not used e.g. a command line option which doesn't take an
argument.
.SH "NOTES"
.IX Header "NOTES"
The order of operations is significant. This can be used to set either defaults
or values which cannot be overridden. For example if an application calls:
.PP
.Vb 2
\& SSL_CONF_cmd(ctx, "Protocol", "\-SSLv3");
\& SSL_CONF_cmd(ctx, userparam, uservalue);
.Ve
.PP
it will disable SSLv3 support by default but the user can override it. If
however the call sequence is:
.PP
.Vb 2
\& SSL_CONF_cmd(ctx, userparam, uservalue);
\& SSL_CONF_cmd(ctx, "Protocol", "\-SSLv3");
.Ve
.PP
SSLv3 is \fBalways\fR disabled and attempt to override this by the user are
ignored.
.PP
By checking the return code of \fBSSL_CONF_cmd()\fR it is possible to query if a
given \fBcmd\fR is recognised, this is useful if \fBSSL_CONF_cmd()\fR values are
mixed with additional application specific operations.
.PP
For example an application might call \fBSSL_CONF_cmd()\fR and if it returns
\&\-2 (unrecognised command) continue with processing of application specific
commands.
.PP
Applications can also use \fBSSL_CONF_cmd()\fR to process command lines though the
utility function \fBSSL_CONF_cmd_argv()\fR is normally used instead. One way
to do this is to set the prefix to an appropriate value using
\&\fBSSL_CONF_CTX_set1_prefix()\fR, pass the current argument to \fBcmd\fR and the
following argument to \fBvalue\fR (which may be \s-1NULL\s0).
.PP
In this case if the return value is positive then it is used to skip that
number of arguments as they have been processed by \fBSSL_CONF_cmd()\fR. If \-2 is
returned then \fBcmd\fR is not recognised and application specific arguments
can be checked instead. If \-3 is returned a required argument is missing
and an error is indicated. If 0 is returned some other error occurred and
this can be reported back to the user.
.PP
The function \fBSSL_CONF_cmd_value_type()\fR can be used by applications to
check for the existence of a command or to perform additional syntax
checking or translation of the command value. For example if the return
value is \fB\s-1SSL_CONF_TYPE_FILE\s0\fR an application could translate a relative
pathname to an absolute pathname.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CONF_cmd()\fR returns 1 if the value of \fBcmd\fR is recognised and \fBvalue\fR is
\&\fB\s-1NOT\s0\fR used and 2 if both \fBcmd\fR and \fBvalue\fR are used. In other words it
returns the number of arguments processed. This is useful when processing
command lines.
.PP
A return value of \-2 means \fBcmd\fR is not recognised.
.PP
A return value of \-3 means \fBcmd\fR is recognised and the command requires a
value but \fBvalue\fR is \s-1NULL.\s0
.PP
A return code of 0 indicates that both \fBcmd\fR and \fBvalue\fR are valid but an
error occurred attempting to perform the operation: for example due to an
error in the syntax of \fBvalue\fR in this case the error queue may provide
additional information.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Set supported signature algorithms:
.PP
.Vb 1
\& SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256");
.Ve
.PP
There are various ways to select the supported protocols.
.PP
This set the minimum protocol version to TLSv1, and so disables SSLv3.
This is the recommended way to disable protocols.
.PP
.Vb 1
\& SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1");
.Ve
.PP
The following also disables SSLv3:
.PP
.Vb 1
\& SSL_CONF_cmd(ctx, "Protocol", "\-SSLv3");
.Ve
.PP
The following will first enable all protocols, and then disable
SSLv3.
If no protocol versions were disabled before this has the same effect as
\&\*(L"\-SSLv3\*(R", but if some versions were disables this will re-enable them before
disabling SSLv3.
.PP
.Vb 1
\& SSL_CONF_cmd(ctx, "Protocol", "ALL,\-SSLv3");
.Ve
.PP
Only enable TLSv1.2:
.PP
.Vb 2
\& SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1.2");
\& SSL_CONF_cmd(ctx, "MaxProtocol", "TLSv1.2");
.Ve
.PP
This also only enables TLSv1.2:
.PP
.Vb 1
\& SSL_CONF_cmd(ctx, "Protocol", "\-ALL,TLSv1.2");
.Ve
.PP
Disable \s-1TLS\s0 session tickets:
.PP
.Vb 1
\& SSL_CONF_cmd(ctx, "Options", "\-SessionTicket");
.Ve
.PP
Enable compression:
.PP
.Vb 1
\& SSL_CONF_cmd(ctx, "Options", "Compression");
.Ve
.PP
Set supported curves to P\-256, P\-384:
.PP
.Vb 1
\& SSL_CONF_cmd(ctx, "Curves", "P\-256:P\-384");
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_CONF_CTX_new\fR\|(3),
\&\fBSSL_CONF_CTX_set_flags\fR\|(3),
\&\fBSSL_CONF_CTX_set1_prefix\fR\|(3),
\&\fBSSL_CONF_CTX_set_ssl_ctx\fR\|(3),
\&\fBSSL_CONF_cmd_argv\fR\|(3),
\&\fBSSL_CTX_set_options\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_CONF_cmd()\fR function was added in OpenSSL 1.0.2.
.PP
The \fB\s-1SSL_OP_NO_SSL2\s0\fR option doesn't have effect since 1.1.0, but the macro
is retained for backwards compatibility.
.PP
The \fB\s-1SSL_CONF_TYPE_NONE\s0\fR was added in OpenSSL 1.1.0. In earlier versions of
OpenSSL passing a command which didn't take an argument would return
\&\fB\s-1SSL_CONF_TYPE_UNKNOWN\s0\fR.
.PP
\&\fBMinProtocol\fR and \fBMaxProtocol\fR where added in OpenSSL 1.1.0.
.PP
\&\fBAllowNoDHEKEX\fR and \fBPrioritizeChaCha\fR were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2012\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2012\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CONF_cmd_argv.3 b/secure/lib/libcrypto/man/man3/SSL_CONF_cmd_argv.3
index 4c662b8e5e35..83a63df999e1 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CONF_cmd_argv.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CONF_cmd_argv.3
@@ -1,182 +1,182 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CONF_CMD_ARGV 3"
-.TH SSL_CONF_CMD_ARGV 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CONF_CMD_ARGV 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CONF_cmd_argv \- SSL configuration command line processing
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The function \fBSSL_CONF_cmd_argv()\fR processes at most two command line
arguments from \fBpargv\fR and \fBpargc\fR. The values of \fBpargv\fR and \fBpargc\fR
are updated to reflect the number of command options processed. The \fBpargc\fR
argument can be set to \fB\s-1NULL\s0\fR if it is not used.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CONF_cmd_argv()\fR returns the number of command arguments processed: 0, 1, 2
or a negative error code.
.PP
If \-2 is returned then an argument for a command is missing.
.PP
If \-1 is returned the command is recognised but couldn't be processed due
to an error: for example a syntax error in the argument.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_CONF_CTX_new\fR\|(3),
\&\fBSSL_CONF_CTX_set_flags\fR\|(3),
\&\fBSSL_CONF_CTX_set1_prefix\fR\|(3),
\&\fBSSL_CONF_CTX_set_ssl_ctx\fR\|(3),
\&\fBSSL_CONF_cmd\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.2.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2012\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_add1_chain_cert.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_add1_chain_cert.3
index d4566636d0a7..db61bfacd96f 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_add1_chain_cert.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_add1_chain_cert.3
@@ -1,282 +1,282 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_ADD1_CHAIN_CERT 3"
-.TH SSL_CTX_ADD1_CHAIN_CERT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_ADD1_CHAIN_CERT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set0_chain, SSL_CTX_set1_chain, SSL_CTX_add0_chain_cert, SSL_CTX_add1_chain_cert, SSL_CTX_get0_chain_certs, SSL_CTX_clear_chain_certs, SSL_set0_chain, SSL_set1_chain, SSL_add0_chain_cert, SSL_add1_chain_cert, SSL_get0_chain_certs, SSL_clear_chain_certs, SSL_CTX_build_cert_chain, SSL_build_cert_chain, SSL_CTX_select_current_cert, SSL_select_current_cert, SSL_CTX_set_current_cert, SSL_set_current_cert \- extra chain certificate processing
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *sk);
\& int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *sk);
\& int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509);
\& int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509);
\& int SSL_CTX_get0_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **sk);
\& int SSL_CTX_clear_chain_certs(SSL_CTX *ctx);
\&
\& int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *sk);
\& int SSL_set1_chain(SSL *ssl, STACK_OF(X509) *sk);
\& int SSL_add0_chain_cert(SSL *ssl, X509 *x509);
\& int SSL_add1_chain_cert(SSL *ssl, X509 *x509);
\& int SSL_get0_chain_certs(SSL *ssl, STACK_OF(X509) **sk);
\& int SSL_clear_chain_certs(SSL *ssl);
\&
\& int SSL_CTX_build_cert_chain(SSL_CTX *ctx, flags);
\& int SSL_build_cert_chain(SSL *ssl, flags);
\&
\& int SSL_CTX_select_current_cert(SSL_CTX *ctx, X509 *x509);
\& int SSL_select_current_cert(SSL *ssl, X509 *x509);
\& int SSL_CTX_set_current_cert(SSL_CTX *ctx, long op);
\& int SSL_set_current_cert(SSL *ssl, long op);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set0_chain()\fR and \fBSSL_CTX_set1_chain()\fR set the certificate chain
associated with the current certificate of \fBctx\fR to \fBsk\fR.
.PP
\&\fBSSL_CTX_add0_chain_cert()\fR and \fBSSL_CTX_add1_chain_cert()\fR append the single
certificate \fBx509\fR to the chain associated with the current certificate of
\&\fBctx\fR.
.PP
\&\fBSSL_CTX_get0_chain_certs()\fR retrieves the chain associated with the current
certificate of \fBctx\fR.
.PP
\&\fBSSL_CTX_clear_chain_certs()\fR clears any existing chain associated with the
current certificate of \fBctx\fR. (This is implemented by calling
\&\fBSSL_CTX_set0_chain()\fR with \fBsk\fR set to \fB\s-1NULL\s0\fR).
.PP
\&\fBSSL_CTX_build_cert_chain()\fR builds the certificate chain for \fBctx\fR normally
this uses the chain store or the verify store if the chain store is not set.
If the function is successful the built chain will replace any existing chain.
The \fBflags\fR parameter can be set to \fB\s-1SSL_BUILD_CHAIN_FLAG_UNTRUSTED\s0\fR to use
existing chain certificates as untrusted CAs, \fB\s-1SSL_BUILD_CHAIN_FLAG_NO_ROOT\s0\fR
to omit the root \s-1CA\s0 from the built chain, \fB\s-1SSL_BUILD_CHAIN_FLAG_CHECK\s0\fR to
use all existing chain certificates only to build the chain (effectively
sanity checking and rearranging them if necessary), the flag
\&\fB\s-1SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR\s0\fR ignores any errors during verification:
if flag \fB\s-1SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR\s0\fR is also set verification errors
are cleared from the error queue.
.PP
Each of these functions operates on the \fIcurrent\fR end entity
(i.e. server or client) certificate. This is the last certificate loaded or
selected on the corresponding \fBctx\fR structure.
.PP
\&\fBSSL_CTX_select_current_cert()\fR selects \fBx509\fR as the current end entity
certificate, but only if \fBx509\fR has already been loaded into \fBctx\fR using a
function such as \fBSSL_CTX_use_certificate()\fR.
.PP
\&\fBSSL_set0_chain()\fR, \fBSSL_set1_chain()\fR, \fBSSL_add0_chain_cert()\fR,
\&\fBSSL_add1_chain_cert()\fR, \fBSSL_get0_chain_certs()\fR, \fBSSL_clear_chain_certs()\fR,
\&\fBSSL_build_cert_chain()\fR, \fBSSL_select_current_cert()\fR and \fBSSL_set_current_cert()\fR
are similar except they apply to \s-1SSL\s0 structure \fBssl\fR.
.PP
\&\fBSSL_CTX_set_current_cert()\fR changes the current certificate to a value based
on the \fBop\fR argument. Currently \fBop\fR can be \fB\s-1SSL_CERT_SET_FIRST\s0\fR to use
the first valid certificate or \fB\s-1SSL_CERT_SET_NEXT\s0\fR to set the next valid
certificate after the current certificate. These two operations can be
used to iterate over all certificates in an \fB\s-1SSL_CTX\s0\fR structure.
.PP
\&\fBSSL_set_current_cert()\fR also supports the option \fB\s-1SSL_CERT_SET_SERVER\s0\fR.
If \fBssl\fR is a server and has sent a certificate to a connected client
this option sets that certificate to the current certificate and returns 1.
If the negotiated cipher suite is anonymous (and thus no certificate will
be sent) 2 is returned and the current certificate is unchanged. If \fBssl\fR
is not a server or a certificate has not been sent 0 is returned and
the current certificate is unchanged.
.PP
All these functions are implemented as macros. Those containing a \fB1\fR
increment the reference count of the supplied certificate or chain so it must
be freed at some point after the operation. Those containing a \fB0\fR do
not increment reference counts and the supplied certificate or chain
\&\fB\s-1MUST NOT\s0\fR be freed after the operation.
.SH "NOTES"
.IX Header "NOTES"
The chains associate with an \s-1SSL_CTX\s0 structure are copied to any \s-1SSL\s0
structures when \fBSSL_new()\fR is called. \s-1SSL\s0 structures will not be affected
by any chains subsequently changed in the parent \s-1SSL_CTX.\s0
.PP
One chain can be set for each key type supported by a server. So, for example,
an \s-1RSA\s0 and a \s-1DSA\s0 certificate can (and often will) have different chains.
.PP
The functions \fBSSL_CTX_build_cert_chain()\fR and \fBSSL_build_cert_chain()\fR can
be used to check application configuration and to ensure any necessary
subordinate CAs are sent in the correct order. Misconfigured applications
sending incorrect certificate chains often cause problems with peers.
.PP
For example an application can add any set of certificates using
\&\fBSSL_CTX_use_certificate_chain_file()\fR then call \fBSSL_CTX_build_cert_chain()\fR
with the option \fB\s-1SSL_BUILD_CHAIN_FLAG_CHECK\s0\fR to check and reorder them.
.PP
Applications can issue non fatal warnings when checking chains by setting
the flag \fB\s-1SSL_BUILD_CHAIN_FLAG_IGNORE_ERRORS\s0\fR and checking the return
value.
.PP
Calling \fBSSL_CTX_build_cert_chain()\fR or \fBSSL_build_cert_chain()\fR is more
efficient than the automatic chain building as it is only performed once.
Automatic chain building is performed on each new session.
.PP
If any certificates are added using these functions no certificates added
using \fBSSL_CTX_add_extra_chain_cert()\fR will be used.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_set_current_cert()\fR with \fB\s-1SSL_CERT_SET_SERVER\s0\fR return 1 for success, 2 if
no server certificate is used because the cipher suites is anonymous and 0
for failure.
.PP
\&\fBSSL_CTX_build_cert_chain()\fR and \fBSSL_build_cert_chain()\fR return 1 for success
and 0 for failure. If the flag \fB\s-1SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR\s0\fR and
a verification error occurs then 2 is returned.
.PP
All other functions return 1 for success and 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_CTX_add_extra_chain_cert\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.2.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2013\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_add_extra_chain_cert.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_add_extra_chain_cert.3
index 075d81d5488d..d1957380dd59 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_add_extra_chain_cert.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_add_extra_chain_cert.3
@@ -1,209 +1,209 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_ADD_EXTRA_CHAIN_CERT 3"
-.TH SSL_CTX_ADD_EXTRA_CHAIN_CERT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_ADD_EXTRA_CHAIN_CERT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_add_extra_chain_cert, SSL_CTX_clear_extra_chain_certs \- add or clear extra chain certificates
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& long SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509);
\& long SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_add_extra_chain_cert()\fR adds the certificate \fBx509\fR to the extra chain
certificates associated with \fBctx\fR. Several certificates can be added one
after another.
.PP
\&\fBSSL_CTX_clear_extra_chain_certs()\fR clears all extra chain certificates
associated with \fBctx\fR.
.PP
These functions are implemented as macros.
.SH "NOTES"
.IX Header "NOTES"
When sending a certificate chain, extra chain certificates are sent in order
following the end entity certificate.
.PP
If no chain is specified, the library will try to complete the chain from the
available \s-1CA\s0 certificates in the trusted \s-1CA\s0 storage, see
\&\fBSSL_CTX_load_verify_locations\fR\|(3).
.PP
The \fBx509\fR certificate provided to \fBSSL_CTX_add_extra_chain_cert()\fR will be
freed by the library when the \fB\s-1SSL_CTX\s0\fR is destroyed. An application
\&\fBshould not\fR free the \fBx509\fR object.
.SH "RESTRICTIONS"
.IX Header "RESTRICTIONS"
Only one set of extra chain certificates can be specified per \s-1SSL_CTX\s0
structure. Different chains for different certificates (for example if both
\&\s-1RSA\s0 and \s-1DSA\s0 certificates are specified by the same server) or different \s-1SSL\s0
structures with the same parent \s-1SSL_CTX\s0 cannot be specified using this
function. For more flexibility functions such as \fBSSL_add1_chain_cert()\fR should
be used instead.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_add_extra_chain_cert()\fR and \fBSSL_CTX_clear_extra_chain_certs()\fR return
1 on success and 0 for failure. Check out the error stack to find out the
reason for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_use_certificate\fR\|(3),
\&\fBSSL_CTX_set_client_cert_cb\fR\|(3),
\&\fBSSL_CTX_load_verify_locations\fR\|(3)
\&\fBSSL_CTX_set0_chain\fR\|(3)
\&\fBSSL_CTX_set1_chain\fR\|(3)
\&\fBSSL_CTX_add0_chain_cert\fR\|(3)
\&\fBSSL_CTX_add1_chain_cert\fR\|(3)
\&\fBSSL_set0_chain\fR\|(3)
\&\fBSSL_set1_chain\fR\|(3)
\&\fBSSL_add0_chain_cert\fR\|(3)
\&\fBSSL_add1_chain_cert\fR\|(3)
\&\fBSSL_CTX_build_cert_chain\fR\|(3)
\&\fBSSL_build_cert_chain\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_add_session.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_add_session.3
index 08359c3b5e6f..7da05836c157 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_add_session.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_add_session.3
@@ -1,200 +1,200 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_ADD_SESSION 3"
-.TH SSL_CTX_ADD_SESSION 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_ADD_SESSION 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_add_session, SSL_CTX_remove_session \- manipulate session cache
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c);
\&
\& int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_add_session()\fR adds the session \fBc\fR to the context \fBctx\fR. The
reference count for session \fBc\fR is incremented by 1. If a session with
the same session id already exists, the old session is removed by calling
\&\fBSSL_SESSION_free\fR\|(3).
.PP
\&\fBSSL_CTX_remove_session()\fR removes the session \fBc\fR from the context \fBctx\fR and
marks it as non-resumable. \fBSSL_SESSION_free\fR\|(3) is called once for \fBc\fR.
.SH "NOTES"
.IX Header "NOTES"
When adding a new session to the internal session cache, it is examined
whether a session with the same session id already exists. In this case
it is assumed that both sessions are identical. If the same session is
stored in a different \s-1SSL_SESSION\s0 object, The old session is
removed and replaced by the new session. If the session is actually
identical (the \s-1SSL_SESSION\s0 object is identical), \fBSSL_CTX_add_session()\fR
is a no-op, and the return value is 0.
.PP
If a server \s-1SSL_CTX\s0 is configured with the \s-1SSL_SESS_CACHE_NO_INTERNAL_STORE\s0
flag then the internal cache will not be populated automatically by new
sessions negotiated by the \s-1SSL/TLS\s0 implementation, even though the internal
cache will be searched automatically for session-resume requests (the
latter can be suppressed by \s-1SSL_SESS_CACHE_NO_INTERNAL_LOOKUP\s0). So the
application can use \fBSSL_CTX_add_session()\fR directly to have full control
over the sessions that can be resumed if desired.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following values are returned by all functions:
.IP "0" 4
The operation failed. In case of the add operation, it was tried to add
the same (identical) session twice. In case of the remove operation, the
session was not found in the cache.
.IP "1" 4
.IX Item "1"
The operation succeeded.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3),
\&\fBSSL_SESSION_free\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_config.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_config.3
index 0dba01b1f27e..9a1d4bd045e0 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_config.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_config.3
@@ -1,224 +1,224 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_CONFIG 3"
-.TH SSL_CTX_CONFIG 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_CONFIG 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_config, SSL_config \- configure SSL_CTX or SSL structure
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_CTX_config(SSL_CTX *ctx, const char *name);
\& int SSL_config(SSL *s, const char *name);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The functions \fBSSL_CTX_config()\fR and \fBSSL_config()\fR configure an \fB\s-1SSL_CTX\s0\fR or
\&\fB\s-1SSL\s0\fR structure using the configuration \fBname\fR.
.SH "NOTES"
.IX Header "NOTES"
By calling \fBSSL_CTX_config()\fR or \fBSSL_config()\fR an application can perform many
complex tasks based on the contents of the configuration file: greatly
simplifying application configuration code. A degree of future proofing
can also be achieved: an application can support configuration features
in newer versions of OpenSSL automatically.
.PP
A configuration file must have been previously loaded, for example using
\&\fBCONF_modules_load_file()\fR. See \fBconfig\fR\|(5) for details of the configuration
file syntax.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_config()\fR and \fBSSL_config()\fR return 1 for success or 0 if an error
occurred.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
If the file \*(L"config.cnf\*(R" contains the following:
.PP
.Vb 1
\& testapp = test_sect
\&
\& [test_sect]
\& # list of configuration modules
\&
\& ssl_conf = ssl_sect
\&
\& [ssl_sect]
\& server = server_section
\&
\& [server_section]
\& RSA.Certificate = server\-rsa.pem
\& ECDSA.Certificate = server\-ecdsa.pem
\& Ciphers = ALL:!RC4
.Ve
.PP
An application could call:
.PP
.Vb 4
\& if (CONF_modules_load_file("config.cnf", "testapp", 0) <= 0) {
\& fprintf(stderr, "Error processing config file\en");
\& goto err;
\& }
\&
\& ctx = SSL_CTX_new(TLS_server_method());
\&
\& if (SSL_CTX_config(ctx, "server") == 0) {
\& fprintf(stderr, "Error configuring server.\en");
\& goto err;
\& }
.Ve
.PP
In this example two certificates and the cipher list are configured without
the need for any additional application code.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBconfig\fR\|(5),
\&\fBSSL_CONF_cmd\fR\|(3),
\&\fBCONF_modules_load_file\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_CTX_config()\fR and \fBSSL_config()\fR functions were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_ctrl.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_ctrl.3
index e9a52d0a15ce..ea5f643461de 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_ctrl.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_ctrl.3
@@ -1,175 +1,175 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_CTRL 3"
-.TH SSL_CTX_CTRL 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_CTRL 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_ctrl, SSL_CTX_callback_ctrl, SSL_ctrl, SSL_callback_ctrl \- internal handling functions for SSL_CTX and SSL objects
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg);
\& long SSL_CTX_callback_ctrl(SSL_CTX *, int cmd, void (*fp)());
\&
\& long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg);
\& long SSL_callback_ctrl(SSL *, int cmd, void (*fp)());
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The SSL_*\fB_ctrl()\fR family of functions is used to manipulate settings of
the \s-1SSL_CTX\s0 and \s-1SSL\s0 objects. Depending on the command \fBcmd\fR the arguments
\&\fBlarg\fR, \fBparg\fR, or \fBfp\fR are evaluated. These functions should never
be called directly. All functionalities needed are made available via
other functions or macros.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The return values of the SSL*\fB_ctrl()\fR functions depend on the command
supplied via the \fBcmd\fR parameter.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_dane_enable.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_dane_enable.3
index 9b0b450f4573..ae8308a75893 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_dane_enable.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_dane_enable.3
@@ -1,508 +1,508 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_DANE_ENABLE 3"
-.TH SSL_CTX_DANE_ENABLE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_DANE_ENABLE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_dane_enable, SSL_CTX_dane_mtype_set, SSL_dane_enable, SSL_dane_tlsa_add, SSL_get0_dane_authority, SSL_get0_dane_tlsa, SSL_CTX_dane_set_flags, SSL_CTX_dane_clear_flags, SSL_dane_set_flags, SSL_dane_clear_flags \&\- enable DANE TLS authentication of the remote TLS server in the local TLS client
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_CTX_dane_enable(SSL_CTX *ctx);
\& int SSL_CTX_dane_mtype_set(SSL_CTX *ctx, const EVP_MD *md,
\& uint8_t mtype, uint8_t ord);
\& int SSL_dane_enable(SSL *s, const char *basedomain);
\& int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector,
\& uint8_t mtype, unsigned const char *data, size_t dlen);
\& int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki);
\& int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector,
\& uint8_t *mtype, unsigned const char **data,
\& size_t *dlen);
\& unsigned long SSL_CTX_dane_set_flags(SSL_CTX *ctx, unsigned long flags);
\& unsigned long SSL_CTX_dane_clear_flags(SSL_CTX *ctx, unsigned long flags);
\& unsigned long SSL_dane_set_flags(SSL *ssl, unsigned long flags);
\& unsigned long SSL_dane_clear_flags(SSL *ssl, unsigned long flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions implement support for \s-1DANE TLSA\s0 (\s-1RFC6698\s0 and \s-1RFC7671\s0)
peer authentication.
.PP
\&\fBSSL_CTX_dane_enable()\fR must be called first to initialize the shared state
required for \s-1DANE\s0 support.
Individual connections associated with the context can then enable
per-connection \s-1DANE\s0 support as appropriate.
\&\s-1DANE\s0 authentication is implemented in the \fBX509_verify_cert\fR\|(3) function, and
applications that override \fBX509_verify_cert\fR\|(3) via
\&\fBSSL_CTX_set_cert_verify_callback\fR\|(3) are responsible to authenticate the peer
chain in whatever manner they see fit.
.PP
\&\fBSSL_CTX_dane_mtype_set()\fR may then be called zero or more times to adjust the
supported digest algorithms.
This must be done before any \s-1SSL\s0 handles are created for the context.
.PP
The \fBmtype\fR argument specifies a \s-1DANE TLSA\s0 matching type and the \fBmd\fR
argument specifies the associated digest algorithm handle.
The \fBord\fR argument specifies a strength ordinal.
Algorithms with a larger strength ordinal are considered more secure.
Strength ordinals are used to implement \s-1RFC7671\s0 digest algorithm agility.
Specifying a \fB\s-1NULL\s0\fR digest algorithm for a matching type disables
support for that matching type.
Matching type \fBFull\fR\|(0) cannot be modified or disabled.
.PP
By default, matching type \f(CW\*(C`SHA2\-256(1)\*(C'\fR (see \s-1RFC7218\s0 for definitions
of the \s-1DANE TLSA\s0 parameter acronyms) is mapped to \f(CW\*(C`EVP_sha256()\*(C'\fR
with a strength ordinal of \f(CW1\fR and matching type \f(CW\*(C`SHA2\-512(2)\*(C'\fR
is mapped to \f(CW\*(C`EVP_sha512()\*(C'\fR with a strength ordinal of \f(CW2\fR.
.PP
\&\fBSSL_dane_enable()\fR must be called before the \s-1SSL\s0 handshake is initiated with
\&\fBSSL_connect\fR\|(3) if (and only if) you want to enable \s-1DANE\s0 for that connection.
(The connection must be associated with a DANE-enabled \s-1SSL\s0 context).
The \fBbasedomain\fR argument specifies the \s-1RFC7671 TLSA\s0 base domain,
which will be the primary peer reference identifier for certificate
name checks.
Additional server names can be specified via \fBSSL_add1_host\fR\|(3).
The \fBbasedomain\fR is used as the default \s-1SNI\s0 hint if none has yet been
specified via \fBSSL_set_tlsext_host_name\fR\|(3).
.PP
\&\fBSSL_dane_tlsa_add()\fR may then be called one or more times, to load each of the
\&\s-1TLSA\s0 records that apply to the remote \s-1TLS\s0 peer.
(This too must be done prior to the beginning of the \s-1SSL\s0 handshake).
The arguments specify the fields of the \s-1TLSA\s0 record.
The \fBdata\fR field is provided in binary (wire \s-1RDATA\s0) form, not the hexadecimal
\&\s-1ASCII\s0 presentation form, with an explicit length passed via \fBdlen\fR.
The library takes a copy of the \fBdata\fR buffer contents and the caller may
free the original \fBdata\fR buffer when convenient.
A return value of 0 indicates that \*(L"unusable\*(R" \s-1TLSA\s0 records (with invalid or
unsupported parameters) were provided.
A negative return value indicates an internal error in processing the record.
.PP
The caller is expected to check the return value of each \fBSSL_dane_tlsa_add()\fR
call and take appropriate action if none are usable or an internal error
is encountered in processing some records.
.PP
If no \s-1TLSA\s0 records are added successfully, \s-1DANE\s0 authentication is not enabled,
and authentication will be based on any configured traditional trust-anchors;
authentication success in this case does not mean that the peer was
DANE-authenticated.
.PP
\&\fBSSL_get0_dane_authority()\fR can be used to get more detailed information about
the matched \s-1DANE\s0 trust-anchor after successful connection completion.
The return value is negative if \s-1DANE\s0 verification failed (or was not enabled),
0 if an \s-1EE TLSA\s0 record directly matched the leaf certificate, or a positive
number indicating the depth at which a \s-1TA\s0 record matched an issuer certificate.
The complete verified chain can be retrieved via \fBSSL_get0_verified_chain\fR\|(3).
The return value is an index into this verified chain, rather than the list of
certificates sent by the peer as returned by \fBSSL_get_peer_cert_chain\fR\|(3).
.PP
If the \fBmcert\fR argument is not \fB\s-1NULL\s0\fR and a \s-1TLSA\s0 record matched a chain
certificate, a pointer to the matching certificate is returned via \fBmcert\fR.
The returned address is a short-term internal reference to the certificate and
must not be freed by the application.
Applications that want to retain access to the certificate can call
\&\fBX509_up_ref\fR\|(3) to obtain a long-term reference which must then be freed via
\&\fBX509_free\fR\|(3) once no longer needed.
.PP
If no \s-1TLSA\s0 records directly matched any elements of the certificate chain, but
a \s-1\fBDANE\-TA\s0\fR\|(2) \s-1\fBSPKI\s0\fR\|(1) \fBFull\fR\|(0) record provided the public key that signed an
element of the chain, then that key is returned via \fBmspki\fR argument (if not
\&\s-1NULL\s0).
In this case the return value is the depth of the top-most element of the
validated certificate chain.
As with \fBmcert\fR this is a short-term internal reference, and
\&\fBEVP_PKEY_up_ref\fR\|(3) and \fBEVP_PKEY_free\fR\|(3) can be used to acquire and
release long-term references respectively.
.PP
\&\fBSSL_get0_dane_tlsa()\fR can be used to retrieve the fields of the \s-1TLSA\s0 record that
matched the peer certificate chain.
The return value indicates the match depth or failure to match just as with
\&\fBSSL_get0_dane_authority()\fR.
When the return value is nonnegative, the storage pointed to by the \fBusage\fR,
\&\fBselector\fR, \fBmtype\fR and \fBdata\fR parameters is updated to the corresponding
\&\s-1TLSA\s0 record fields.
The \fBdata\fR field is in binary wire form, and is therefore not NUL-terminated,
its length is returned via the \fBdlen\fR parameter.
If any of these parameters is \s-1NULL,\s0 the corresponding field is not returned.
The \fBdata\fR parameter is set to a short-term internal-copy of the associated
data field and must not be freed by the application.
Applications that need long-term access to this field need to copy the content.
.PP
\&\fBSSL_CTX_dane_set_flags()\fR and \fBSSL_dane_set_flags()\fR can be used to enable
optional \s-1DANE\s0 verification features.
\&\fBSSL_CTX_dane_clear_flags()\fR and \fBSSL_dane_clear_flags()\fR can be used to disable
the same features.
The \fBflags\fR argument is a bit mask of the features to enable or disable.
The \fBflags\fR set for an \fB\s-1SSL_CTX\s0\fR context are copied to each \fB\s-1SSL\s0\fR handle
associated with that context at the time the handle is created.
Subsequent changes in the context's \fBflags\fR have no effect on the \fBflags\fR set
for the handle.
.PP
At present, the only available option is \fB\s-1DANE_FLAG_NO_DANE_EE_NAMECHECKS\s0\fR
which can be used to disable server name checks when authenticating via
\&\s-1\fBDANE\-EE\s0\fR\|(3) \s-1TLSA\s0 records.
For some applications, primarily web browsers, it is not safe to disable name
checks due to \*(L"unknown key share\*(R" attacks, in which a malicious server can
convince a client that a connection to a victim server is instead a secure
connection to the malicious server.
The malicious server may then be able to violate cross-origin scripting
restrictions.
Thus, despite the text of \s-1RFC7671,\s0 name checks are by default enabled for
\&\s-1\fBDANE\-EE\s0\fR\|(3) \s-1TLSA\s0 records, and can be disabled in applications where it is safe
to do so.
In particular, \s-1SMTP\s0 and \s-1XMPP\s0 clients should set this option as \s-1SRV\s0 and \s-1MX\s0
records already make it possible for a remote domain to redirect client
connections to any server of its choice, and in any case \s-1SMTP\s0 and \s-1XMPP\s0 clients
do not execute scripts downloaded from remote servers.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The functions \fBSSL_CTX_dane_enable()\fR, \fBSSL_CTX_dane_mtype_set()\fR,
\&\fBSSL_dane_enable()\fR and \fBSSL_dane_tlsa_add()\fR return a positive value on success.
Negative return values indicate resource problems (out of memory, etc.) in the
\&\s-1SSL\s0 library, while a return value of \fB0\fR indicates incorrect usage or invalid
input, such as an unsupported \s-1TLSA\s0 record certificate usage, selector or
matching type.
Invalid input also includes malformed data, either a digest length that does
not match the digest algorithm, or a \f(CWFull(0)\fR (binary \s-1ASN.1 DER\s0 form)
certificate or a public key that fails to parse.
.PP
The functions \fBSSL_get0_dane_authority()\fR and \fBSSL_get0_dane_tlsa()\fR return a
negative value when \s-1DANE\s0 authentication failed or was not enabled, a
nonnegative value indicates the chain depth at which the \s-1TLSA\s0 record matched a
chain certificate, or the depth of the top-most certificate, when the \s-1TLSA\s0
record is a full public key that is its signer.
.PP
The functions \fBSSL_CTX_dane_set_flags()\fR, \fBSSL_CTX_dane_clear_flags()\fR,
\&\fBSSL_dane_set_flags()\fR and \fBSSL_dane_clear_flags()\fR return the \fBflags\fR in effect
before they were called.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Suppose \*(L"smtp.example.com\*(R" is the \s-1MX\s0 host of the domain \*(L"example.com\*(R", and has
DNSSEC-validated \s-1TLSA\s0 records.
The calls below will perform \s-1DANE\s0 authentication and arrange to match either
the \s-1MX\s0 hostname or the destination domain name in the \s-1SMTP\s0 server certificate.
Wildcards are supported, but must match the entire label.
The actual name matched in the certificate (which might be a wildcard) is
retrieved, and must be copied by the application if it is to be retained beyond
the lifetime of the \s-1SSL\s0 connection.
.PP
.Vb 7
\& SSL_CTX *ctx;
\& SSL *ssl;
\& int (*verify_cb)(int ok, X509_STORE_CTX *sctx) = NULL;
\& int num_usable = 0;
\& const char *nexthop_domain = "example.com";
\& const char *dane_tlsa_domain = "smtp.example.com";
\& uint8_t usage, selector, mtype;
\&
\& if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL)
\& /* error */
\& if (SSL_CTX_dane_enable(ctx) <= 0)
\& /* error */
\& if ((ssl = SSL_new(ctx)) == NULL)
\& /* error */
\& if (SSL_dane_enable(ssl, dane_tlsa_domain) <= 0)
\& /* error */
\&
\& /*
\& * For many applications it is safe to skip DANE\-EE(3) namechecks. Do not
\& * disable the checks unless "unknown key share" attacks pose no risk for
\& * your application.
\& */
\& SSL_dane_set_flags(ssl, DANE_FLAG_NO_DANE_EE_NAMECHECKS);
\&
\& if (!SSL_add1_host(ssl, nexthop_domain))
\& /* error */
\& SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
\&
\& for (... each TLSA record ...) {
\& unsigned char *data;
\& size_t len;
\& int ret;
\&
\& /* set usage, selector, mtype, data, len */
\&
\& /*
\& * Opportunistic DANE TLS clients support only DANE\-TA(2) or DANE\-EE(3).
\& * They treat all other certificate usages, and in particular PKIX\-TA(0)
\& * and PKIX\-EE(1), as unusable.
\& */
\& switch (usage) {
\& default:
\& case 0: /* PKIX\-TA(0) */
\& case 1: /* PKIX\-EE(1) */
\& continue;
\& case 2: /* DANE\-TA(2) */
\& case 3: /* DANE\-EE(3) */
\& break;
\& }
\&
\& ret = SSL_dane_tlsa_add(ssl, usage, selector, mtype, data, len);
\& /* free data as appropriate */
\&
\& if (ret < 0)
\& /* handle SSL library internal error */
\& else if (ret == 0)
\& /* handle unusable TLSA record */
\& else
\& ++num_usable;
\& }
\&
\& /*
\& * At this point, the verification mode is still the default SSL_VERIFY_NONE.
\& * Opportunistic DANE clients use unauthenticated TLS when all TLSA records
\& * are unusable, so continue the handshake even if authentication fails.
\& */
\& if (num_usable == 0) {
\& /* Log all records unusable? */
\&
\& /* Optionally set verify_cb to a suitable non\-NULL callback. */
\& SSL_set_verify(ssl, SSL_VERIFY_NONE, verify_cb);
\& } else {
\& /* At least one usable record. We expect to verify the peer */
\&
\& /* Optionally set verify_cb to a suitable non\-NULL callback. */
\&
\& /*
\& * Below we elect to fail the handshake when peer verification fails.
\& * Alternatively, use the permissive SSL_VERIFY_NONE verification mode,
\& * complete the handshake, check the verification status, and if not
\& * verified disconnect gracefully at the application layer, especially if
\& * application protocol supports informing the server that authentication
\& * failed.
\& */
\& SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb);
\& }
\&
\& /*
\& * Load any saved session for resumption, making sure that the previous
\& * session applied the same security and authentication requirements that
\& * would be expected of a fresh connection.
\& */
\&
\& /* Perform SSL_connect() handshake and handle errors here */
\&
\& if (SSL_session_reused(ssl)) {
\& if (SSL_get_verify_result(ssl) == X509_V_OK) {
\& /*
\& * Resumed session was originally verified, this connection is
\& * authenticated.
\& */
\& } else {
\& /*
\& * Resumed session was not originally verified, this connection is not
\& * authenticated.
\& */
\& }
\& } else if (SSL_get_verify_result(ssl) == X509_V_OK) {
\& const char *peername = SSL_get0_peername(ssl);
\& EVP_PKEY *mspki = NULL;
\&
\& int depth = SSL_get0_dane_authority(ssl, NULL, &mspki);
\& if (depth >= 0) {
\& (void) SSL_get0_dane_tlsa(ssl, &usage, &selector, &mtype, NULL, NULL);
\& printf("DANE TLSA %d %d %d %s at depth %d\en", usage, selector, mtype,
\& (mspki != NULL) ? "TA public key verified certificate" :
\& depth ? "matched TA certificate" : "matched EE certificate",
\& depth);
\& }
\& if (peername != NULL) {
\& /* Name checks were in scope and matched the peername */
\& printf("Verified peername: %s\en", peername);
\& }
\& } else {
\& /*
\& * Not authenticated, presumably all TLSA rrs unusable, but possibly a
\& * callback suppressed connection termination despite the presence of
\& * usable TLSA RRs none of which matched. Do whatever is appropriate for
\& * fresh unauthenticated connections.
\& */
\& }
.Ve
.SH "NOTES"
.IX Header "NOTES"
It is expected that the majority of clients employing \s-1DANE TLS\s0 will be doing
\&\*(L"opportunistic \s-1DANE TLS\*(R"\s0 in the sense of \s-1RFC7672\s0 and \s-1RFC7435.\s0
That is, they will use \s-1DANE\s0 authentication when DNSSEC-validated \s-1TLSA\s0 records
are published for a given peer, and otherwise will use unauthenticated \s-1TLS\s0 or
even cleartext.
.PP
Such applications should generally treat any \s-1TLSA\s0 records published by the peer
with usages \s-1\fBPKIX\-TA\s0\fR\|(0) and \s-1\fBPKIX\-EE\s0\fR\|(1) as \*(L"unusable\*(R", and should not include
them among the \s-1TLSA\s0 records used to authenticate peer connections.
In addition, some \s-1TLSA\s0 records with supported usages may be \*(L"unusable\*(R" as a
result of invalid or unsupported parameters.
.PP
When a peer has \s-1TLSA\s0 records, but none are \*(L"usable\*(R", an opportunistic
application must avoid cleartext, but cannot authenticate the peer,
and so should generally proceed with an unauthenticated connection.
Opportunistic applications need to note the return value of each
call to \fBSSL_dane_tlsa_add()\fR, and if all return 0 (due to invalid
or unsupported parameters) disable peer authentication by calling
\&\fBSSL_set_verify\fR\|(3) with \fBmode\fR equal to \fB\s-1SSL_VERIFY_NONE\s0\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_new\fR\|(3),
\&\fBSSL_add1_host\fR\|(3),
\&\fBSSL_set_hostflags\fR\|(3),
\&\fBSSL_set_tlsext_host_name\fR\|(3),
\&\fBSSL_set_verify\fR\|(3),
\&\fBSSL_CTX_set_cert_verify_callback\fR\|(3),
\&\fBSSL_get0_verified_chain\fR\|(3),
\&\fBSSL_get_peer_cert_chain\fR\|(3),
\&\fBSSL_get_verify_result\fR\|(3),
\&\fBSSL_connect\fR\|(3),
\&\fBSSL_get0_peername\fR\|(3),
\&\fBX509_verify_cert\fR\|(3),
\&\fBX509_up_ref\fR\|(3),
\&\fBX509_free\fR\|(3),
\&\fBEVP_get_digestbyname\fR\|(3),
\&\fBEVP_PKEY_up_ref\fR\|(3),
\&\fBEVP_PKEY_free\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_flush_sessions.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_flush_sessions.3
index b994164c11c2..faa7c9cbba6b 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_flush_sessions.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_flush_sessions.3
@@ -1,188 +1,188 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_FLUSH_SESSIONS 3"
-.TH SSL_CTX_FLUSH_SESSIONS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_FLUSH_SESSIONS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_flush_sessions \- remove expired sessions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_CTX_flush_sessions(SSL_CTX *ctx, long tm);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_flush_sessions()\fR causes a run through the session cache of
\&\fBctx\fR to remove sessions expired at time \fBtm\fR.
.SH "NOTES"
.IX Header "NOTES"
If enabled, the internal session cache will collect all sessions established
up to the specified maximum number (see \fBSSL_CTX_sess_set_cache_size()\fR).
As sessions will not be reused ones they are expired, they should be
removed from the cache to save resources. This can either be done
automatically whenever 255 new sessions were established (see
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3))
or manually by calling \fBSSL_CTX_flush_sessions()\fR.
.PP
The parameter \fBtm\fR specifies the time which should be used for the
expiration test, in most cases the actual time given by \fBtime\fR\|(0)
will be used.
.PP
\&\fBSSL_CTX_flush_sessions()\fR will only check sessions stored in the internal
cache. When a session is found and removed, the remove_session_cb is however
called to synchronize with the external cache (see
\&\fBSSL_CTX_sess_set_get_cb\fR\|(3)).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_flush_sessions()\fR does not return a value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3),
\&\fBSSL_CTX_set_timeout\fR\|(3),
\&\fBSSL_CTX_sess_set_get_cb\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_free.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_free.3
index e76ad4dd658e..e805bc101b0a 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_free.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_free.3
@@ -1,182 +1,182 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_FREE 3"
-.TH SSL_CTX_FREE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_FREE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_free \- free an allocated SSL_CTX object
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_CTX_free(SSL_CTX *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_free()\fR decrements the reference count of \fBctx\fR, and removes the
\&\s-1SSL_CTX\s0 object pointed to by \fBctx\fR and frees up the allocated memory if the reference count has reached 0.
.PP
It also calls the \fBfree()\fRing procedures for indirectly affected items, if
applicable: the session cache, the list of ciphers, the list of Client CAs,
the certificates and keys.
.PP
If \fBctx\fR is \s-1NULL\s0 nothing is done.
.SH "WARNINGS"
.IX Header "WARNINGS"
If a session-remove callback is set (\fBSSL_CTX_sess_set_remove_cb()\fR), this
callback will be called for each session being freed from \fBctx\fR's
session cache. This implies, that all corresponding sessions from an
external session cache are removed as well. If this is not desired, the user
should explicitly unset the callback by calling
SSL_CTX_sess_set_remove_cb(\fBctx\fR, \s-1NULL\s0) prior to calling \fBSSL_CTX_free()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_free()\fR does not provide diagnostic information.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_CTX_new\fR\|(3), \fBssl\fR\|(7),
\&\fBSSL_CTX_sess_set_get_cb\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_get0_param.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_get0_param.3
index 5d45cb042eeb..60222dd9a71b 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_get0_param.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_get0_param.3
@@ -1,194 +1,194 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_GET0_PARAM 3"
-.TH SSL_CTX_GET0_PARAM 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_GET0_PARAM 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_get0_param, SSL_get0_param, SSL_CTX_set1_param, SSL_set1_param \- get and set verification parameters
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
\& X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl)
\& int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm)
\& int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_get0_param()\fR and \fBSSL_get0_param()\fR retrieve an internal pointer to
the verification parameters for \fBctx\fR or \fBssl\fR respectively. The returned
pointer must not be freed by the calling application.
.PP
\&\fBSSL_CTX_set1_param()\fR and \fBSSL_set1_param()\fR set the verification parameters
to \fBvpm\fR for \fBctx\fR or \fBssl\fR.
.SH "NOTES"
.IX Header "NOTES"
Typically parameters are retrieved from an \fB\s-1SSL_CTX\s0\fR or \fB\s-1SSL\s0\fR structure
using \fBSSL_CTX_get0_param()\fR or \fBSSL_get0_param()\fR and an application modifies
them to suit its needs: for example to add a hostname check.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_get0_param()\fR and \fBSSL_get0_param()\fR return a pointer to an
\&\fBX509_VERIFY_PARAM\fR structure.
.PP
\&\fBSSL_CTX_set1_param()\fR and \fBSSL_set1_param()\fR return 1 for success and 0
for failure.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Check hostname matches \*(L"www.foo.com\*(R" in peer certificate:
.PP
.Vb 2
\& X509_VERIFY_PARAM *vpm = SSL_get0_param(ssl);
\& X509_VERIFY_PARAM_set1_host(vpm, "www.foo.com", 0);
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_VERIFY_PARAM_set_flags\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.2.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_get_verify_mode.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_get_verify_mode.3
index 9c76ff3eaa1f..2579b2698fd8 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_get_verify_mode.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_get_verify_mode.3
@@ -1,191 +1,191 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_GET_VERIFY_MODE 3"
-.TH SSL_CTX_GET_VERIFY_MODE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_GET_VERIFY_MODE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_get_verify_mode, SSL_get_verify_mode, SSL_CTX_get_verify_depth, SSL_get_verify_depth, SSL_get_verify_callback, SSL_CTX_get_verify_callback \- get currently set verification parameters
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
\& int SSL_get_verify_mode(const SSL *ssl);
\& int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
\& int SSL_get_verify_depth(const SSL *ssl);
\& int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *);
\& int (*SSL_get_verify_callback(const SSL *ssl))(int, X509_STORE_CTX *);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_get_verify_mode()\fR returns the verification mode currently set in
\&\fBctx\fR.
.PP
\&\fBSSL_get_verify_mode()\fR returns the verification mode currently set in
\&\fBssl\fR.
.PP
\&\fBSSL_CTX_get_verify_depth()\fR returns the verification depth limit currently set
in \fBctx\fR. If no limit has been explicitly set, \-1 is returned and the
default value will be used.
.PP
\&\fBSSL_get_verify_depth()\fR returns the verification depth limit currently set
in \fBssl\fR. If no limit has been explicitly set, \-1 is returned and the
default value will be used.
.PP
\&\fBSSL_CTX_get_verify_callback()\fR returns a function pointer to the verification
callback currently set in \fBctx\fR. If no callback was explicitly set, the
\&\s-1NULL\s0 pointer is returned and the default callback will be used.
.PP
\&\fBSSL_get_verify_callback()\fR returns a function pointer to the verification
callback currently set in \fBssl\fR. If no callback was explicitly set, the
\&\s-1NULL\s0 pointer is returned and the default callback will be used.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
See \s-1DESCRIPTION\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_CTX_set_verify\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_has_client_custom_ext.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_has_client_custom_ext.3
index f20d1cff6de3..78f63f232bbe 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_has_client_custom_ext.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_has_client_custom_ext.3
@@ -1,168 +1,168 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_HAS_CLIENT_CUSTOM_EXT 3"
-.TH SSL_CTX_HAS_CLIENT_CUSTOM_EXT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_HAS_CLIENT_CUSTOM_EXT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_has_client_custom_ext \- check whether a handler exists for a particular client extension type
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_CTX_has_client_custom_ext(const SSL_CTX *ctx, unsigned int ext_type);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_has_client_custom_ext()\fR checks whether a handler has been set for a
client extension of type \fBext_type\fR using \fBSSL_CTX_add_client_custom_ext()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Returns 1 if a handler has been set, 0 otherwise.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_add_client_custom_ext\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_load_verify_locations.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_load_verify_locations.3
index 0ceff157341c..a1b06d72e292 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_load_verify_locations.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_load_verify_locations.3
@@ -1,287 +1,287 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_LOAD_VERIFY_LOCATIONS 3"
-.TH SSL_CTX_LOAD_VERIFY_LOCATIONS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_LOAD_VERIFY_LOCATIONS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_load_verify_locations, SSL_CTX_set_default_verify_paths, SSL_CTX_set_default_verify_dir, SSL_CTX_set_default_verify_file \- set default locations for trusted CA certificates
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
\& const char *CApath);
\&
\& int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
\&
\& int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx);
\&
\& int SSL_CTX_set_default_verify_file(SSL_CTX *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_load_verify_locations()\fR specifies the locations for \fBctx\fR, at
which \s-1CA\s0 certificates for verification purposes are located. The certificates
available via \fBCAfile\fR and \fBCApath\fR are trusted.
.PP
\&\fBSSL_CTX_set_default_verify_paths()\fR specifies that the default locations from
which \s-1CA\s0 certificates are loaded should be used. There is one default directory
and one default file. The default \s-1CA\s0 certificates directory is called \*(L"certs\*(R" in
the default OpenSSL directory. Alternatively the \s-1SSL_CERT_DIR\s0 environment
variable can be defined to override this location. The default \s-1CA\s0 certificates
file is called \*(L"cert.pem\*(R" in the default OpenSSL directory. Alternatively the
\&\s-1SSL_CERT_FILE\s0 environment variable can be defined to override this location.
.PP
\&\fBSSL_CTX_set_default_verify_dir()\fR is similar to
\&\fBSSL_CTX_set_default_verify_paths()\fR except that just the default directory is
used.
.PP
\&\fBSSL_CTX_set_default_verify_file()\fR is similar to
\&\fBSSL_CTX_set_default_verify_paths()\fR except that just the default file is
used.
.SH "NOTES"
.IX Header "NOTES"
If \fBCAfile\fR is not \s-1NULL,\s0 it points to a file of \s-1CA\s0 certificates in \s-1PEM\s0
format. The file can contain several \s-1CA\s0 certificates identified by
.PP
.Vb 3
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
\& ... (CA certificate in base64 encoding) ...
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
.Ve
.PP
sequences. Before, between, and after the certificates text is allowed
which can be used e.g. for descriptions of the certificates.
.PP
The \fBCAfile\fR is processed on execution of the \fBSSL_CTX_load_verify_locations()\fR
function.
.PP
If \fBCApath\fR is not \s-1NULL,\s0 it points to a directory containing \s-1CA\s0 certificates
in \s-1PEM\s0 format. The files each contain one \s-1CA\s0 certificate. The files are
looked up by the \s-1CA\s0 subject name hash value, which must hence be available.
If more than one \s-1CA\s0 certificate with the same name hash value exist, the
extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search
is performed in the ordering of the extension number, regardless of other
properties of the certificates.
Use the \fBc_rehash\fR utility to create the necessary links.
.PP
The certificates in \fBCApath\fR are only looked up when required, e.g. when
building the certificate chain or when actually performing the verification
of a peer certificate.
.PP
When looking up \s-1CA\s0 certificates, the OpenSSL library will first search the
certificates in \fBCAfile\fR, then those in \fBCApath\fR. Certificate matching
is done based on the subject name, the key identifier (if present), and the
serial number as taken from the certificate to be verified. If these data
do not match, the next certificate will be tried. If a first certificate
matching the parameters is found, the verification process will be performed;
no other certificates for the same parameters will be searched in case of
failure.
.PP
In server mode, when requesting a client certificate, the server must send
the list of CAs of which it will accept client certificates. This list
is not influenced by the contents of \fBCAfile\fR or \fBCApath\fR and must
explicitly be set using the
\&\fBSSL_CTX_set_client_CA_list\fR\|(3)
family of functions.
.PP
When building its own certificate chain, an OpenSSL client/server will
try to fill in missing certificates from \fBCAfile\fR/\fBCApath\fR, if the
certificate chain was not explicitly specified (see
\&\fBSSL_CTX_add_extra_chain_cert\fR\|(3),
\&\fBSSL_CTX_use_certificate\fR\|(3).
.SH "WARNINGS"
.IX Header "WARNINGS"
If several \s-1CA\s0 certificates matching the name, key identifier, and serial
number condition are available, only the first one will be examined. This
may lead to unexpected results if the same \s-1CA\s0 certificate is available
with different expiration dates. If a \*(L"certificate expired\*(R" verification
error occurs, no other certificate will be searched. Make sure to not
have expired certificates mixed with valid ones.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
For SSL_CTX_load_verify_locations the following return values can occur:
.IP "0" 4
The operation failed because \fBCAfile\fR and \fBCApath\fR are \s-1NULL\s0 or the
processing at one of the locations specified failed. Check the error
stack to find out the reason.
.IP "1" 4
.IX Item "1"
The operation succeeded.
.PP
\&\fBSSL_CTX_set_default_verify_paths()\fR, \fBSSL_CTX_set_default_verify_dir()\fR and
\&\fBSSL_CTX_set_default_verify_file()\fR all return 1 on success or 0 on failure. A
missing default location is still treated as a success.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Generate a \s-1CA\s0 certificate file with descriptive text from the \s-1CA\s0 certificates
ca1.pem ca2.pem ca3.pem:
.PP
.Vb 5
\& #!/bin/sh
\& rm CAfile.pem
\& for i in ca1.pem ca2.pem ca3.pem ; do
\& openssl x509 \-in $i \-text >> CAfile.pem
\& done
.Ve
.PP
Prepare the directory /some/where/certs containing several \s-1CA\s0 certificates
for use as \fBCApath\fR:
.PP
.Vb 2
\& cd /some/where/certs
\& c_rehash .
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_set_client_CA_list\fR\|(3),
\&\fBSSL_get_client_CA_list\fR\|(3),
\&\fBSSL_CTX_use_certificate\fR\|(3),
\&\fBSSL_CTX_add_extra_chain_cert\fR\|(3),
\&\fBSSL_CTX_set_cert_store\fR\|(3),
\&\fBSSL_CTX_set_client_CA_list\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_new.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_new.3
index 6306bf1d0855..9ec431d5bcd8 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_new.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_new.3
@@ -1,326 +1,326 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_NEW 3"
-.TH SSL_CTX_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
TLSv1_2_method, TLSv1_2_server_method, TLSv1_2_client_method, SSL_CTX_new, SSL_CTX_up_ref, SSLv3_method, SSLv3_server_method, SSLv3_client_method, TLSv1_method, TLSv1_server_method, TLSv1_client_method, TLSv1_1_method, TLSv1_1_server_method, TLSv1_1_client_method, TLS_method, TLS_server_method, TLS_client_method, SSLv23_method, SSLv23_server_method, SSLv23_client_method, DTLS_method, DTLS_server_method, DTLS_client_method, DTLSv1_method, DTLSv1_server_method, DTLSv1_client_method, DTLSv1_2_method, DTLSv1_2_server_method, DTLSv1_2_client_method \&\- create a new SSL_CTX object as framework for TLS/SSL or DTLS enabled functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& SSL_CTX *SSL_CTX_new(const SSL_METHOD *method);
\& int SSL_CTX_up_ref(SSL_CTX *ctx);
\&
\& const SSL_METHOD *TLS_method(void);
\& const SSL_METHOD *TLS_server_method(void);
\& const SSL_METHOD *TLS_client_method(void);
\&
\& const SSL_METHOD *SSLv23_method(void);
\& const SSL_METHOD *SSLv23_server_method(void);
\& const SSL_METHOD *SSLv23_client_method(void);
\&
\& #ifndef OPENSSL_NO_SSL3_METHOD
\& const SSL_METHOD *SSLv3_method(void);
\& const SSL_METHOD *SSLv3_server_method(void);
\& const SSL_METHOD *SSLv3_client_method(void);
\& #endif
\&
\& #ifndef OPENSSL_NO_TLS1_METHOD
\& const SSL_METHOD *TLSv1_method(void);
\& const SSL_METHOD *TLSv1_server_method(void);
\& const SSL_METHOD *TLSv1_client_method(void);
\& #endif
\&
\& #ifndef OPENSSL_NO_TLS1_1_METHOD
\& const SSL_METHOD *TLSv1_1_method(void);
\& const SSL_METHOD *TLSv1_1_server_method(void);
\& const SSL_METHOD *TLSv1_1_client_method(void);
\& #endif
\&
\& #ifndef OPENSSL_NO_TLS1_2_METHOD
\& const SSL_METHOD *TLSv1_2_method(void);
\& const SSL_METHOD *TLSv1_2_server_method(void);
\& const SSL_METHOD *TLSv1_2_client_method(void);
\& #endif
\&
\& const SSL_METHOD *DTLS_method(void);
\& const SSL_METHOD *DTLS_server_method(void);
\& const SSL_METHOD *DTLS_client_method(void);
\&
\& #ifndef OPENSSL_NO_DTLS1_METHOD
\& const SSL_METHOD *DTLSv1_method(void);
\& const SSL_METHOD *DTLSv1_server_method(void);
\& const SSL_METHOD *DTLSv1_client_method(void);
\& #endif
\&
\& #ifndef OPENSSL_NO_DTLS1_2_METHOD
\& const SSL_METHOD *DTLSv1_2_method(void);
\& const SSL_METHOD *DTLSv1_2_server_method(void);
\& const SSL_METHOD *DTLSv1_2_client_method(void);
\& #endif
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_new()\fR creates a new \fB\s-1SSL_CTX\s0\fR object as framework to
establish \s-1TLS/SSL\s0 or \s-1DTLS\s0 enabled connections. An \fB\s-1SSL_CTX\s0\fR object is
reference counted. Creating an \fB\s-1SSL_CTX\s0\fR object for the first time increments
the reference count. Freeing it (using SSL_CTX_free) decrements it. When the
reference count drops to zero, any memory or resources allocated to the
\&\fB\s-1SSL_CTX\s0\fR object are freed. \fBSSL_CTX_up_ref()\fR increments the reference count for
an existing \fB\s-1SSL_CTX\s0\fR structure.
.SH "NOTES"
.IX Header "NOTES"
The \s-1SSL_CTX\s0 object uses \fBmethod\fR as connection method.
The methods exist in a generic type (for client and server use), a server only
type, and a client only type.
\&\fBmethod\fR can be of the following types:
.IP "\fBTLS_method()\fR, \fBTLS_server_method()\fR, \fBTLS_client_method()\fR" 4
.IX Item "TLS_method(), TLS_server_method(), TLS_client_method()"
These are the general-purpose \fIversion-flexible\fR \s-1SSL/TLS\s0 methods.
The actual protocol version used will be negotiated to the highest version
mutually supported by the client and the server.
The supported protocols are SSLv3, TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3.
Applications should use these methods, and avoid the version-specific
methods described below, which are deprecated.
.IP "\fBSSLv23_method()\fR, \fBSSLv23_server_method()\fR, \fBSSLv23_client_method()\fR" 4
.IX Item "SSLv23_method(), SSLv23_server_method(), SSLv23_client_method()"
These functions do not exist anymore, they have been renamed to
\&\fBTLS_method()\fR, \fBTLS_server_method()\fR and \fBTLS_client_method()\fR respectively.
Currently, the old function calls are renamed to the corresponding new
ones by preprocessor macros, to ensure that existing code which uses the
old function names still compiles. However, using the old function names
is deprecated and new code should call the new functions instead.
.IP "\fBTLSv1_2_method()\fR, \fBTLSv1_2_server_method()\fR, \fBTLSv1_2_client_method()\fR" 4
.IX Item "TLSv1_2_method(), TLSv1_2_server_method(), TLSv1_2_client_method()"
A \s-1TLS/SSL\s0 connection established with these methods will only understand the
TLSv1.2 protocol. These methods are deprecated.
.IP "\fBTLSv1_1_method()\fR, \fBTLSv1_1_server_method()\fR, \fBTLSv1_1_client_method()\fR" 4
.IX Item "TLSv1_1_method(), TLSv1_1_server_method(), TLSv1_1_client_method()"
A \s-1TLS/SSL\s0 connection established with these methods will only understand the
TLSv1.1 protocol. These methods are deprecated.
.IP "\fBTLSv1_method()\fR, \fBTLSv1_server_method()\fR, \fBTLSv1_client_method()\fR" 4
.IX Item "TLSv1_method(), TLSv1_server_method(), TLSv1_client_method()"
A \s-1TLS/SSL\s0 connection established with these methods will only understand the
TLSv1 protocol. These methods are deprecated.
.IP "\fBSSLv3_method()\fR, \fBSSLv3_server_method()\fR, \fBSSLv3_client_method()\fR" 4
.IX Item "SSLv3_method(), SSLv3_server_method(), SSLv3_client_method()"
A \s-1TLS/SSL\s0 connection established with these methods will only understand the
SSLv3 protocol.
The SSLv3 protocol is deprecated and should not be used.
.IP "\fBDTLS_method()\fR, \fBDTLS_server_method()\fR, \fBDTLS_client_method()\fR" 4
.IX Item "DTLS_method(), DTLS_server_method(), DTLS_client_method()"
These are the version-flexible \s-1DTLS\s0 methods.
Currently supported protocols are \s-1DTLS 1.0\s0 and \s-1DTLS 1.2.\s0
.IP "\fBDTLSv1_2_method()\fR, \fBDTLSv1_2_server_method()\fR, \fBDTLSv1_2_client_method()\fR" 4
.IX Item "DTLSv1_2_method(), DTLSv1_2_server_method(), DTLSv1_2_client_method()"
These are the version-specific methods for DTLSv1.2.
These methods are deprecated.
.IP "\fBDTLSv1_method()\fR, \fBDTLSv1_server_method()\fR, \fBDTLSv1_client_method()\fR" 4
.IX Item "DTLSv1_method(), DTLSv1_server_method(), DTLSv1_client_method()"
These are the version-specific methods for DTLSv1.
These methods are deprecated.
.PP
\&\fBSSL_CTX_new()\fR initializes the list of ciphers, the session cache setting, the
callbacks, the keys and certificates and the options to their default values.
.PP
\&\fBTLS_method()\fR, \fBTLS_server_method()\fR, \fBTLS_client_method()\fR, \fBDTLS_method()\fR,
\&\fBDTLS_server_method()\fR and \fBDTLS_client_method()\fR are the \fIversion-flexible\fR
methods.
All other methods only support one specific protocol version.
Use the \fIversion-flexible\fR methods instead of the version specific methods.
.PP
If you want to limit the supported protocols for the version flexible
methods you can use \fBSSL_CTX_set_min_proto_version\fR\|(3),
\&\fBSSL_set_min_proto_version\fR\|(3), \fBSSL_CTX_set_max_proto_version\fR\|(3) and
\&\fBSSL_set_max_proto_version\fR\|(3) functions.
Using these functions it is possible to choose e.g. \fBTLS_server_method()\fR
and be able to negotiate with all possible clients, but to only
allow newer protocols like \s-1TLS 1.0, TLS 1.1, TLS 1.2\s0 or \s-1TLS 1.3.\s0
.PP
The list of protocols available can also be limited using the
\&\fBSSL_OP_NO_SSLv3\fR, \fBSSL_OP_NO_TLSv1\fR, \fBSSL_OP_NO_TLSv1_1\fR,
\&\fBSSL_OP_NO_TLSv1_3\fR, \fBSSL_OP_NO_TLSv1_2\fR and \fBSSL_OP_NO_TLSv1_3\fR
options of the
\&\fBSSL_CTX_set_options\fR\|(3) or \fBSSL_set_options\fR\|(3) functions, but this approach
is not recommended. Clients should avoid creating \*(L"holes\*(R" in the set of
protocols they support. When disabling a protocol, make sure that you also
disable either all previous or all subsequent protocol versions.
In clients, when a protocol version is disabled without disabling \fIall\fR
previous protocol versions, the effect is to also disable all subsequent
protocol versions.
.PP
The SSLv3 protocol is deprecated and should generally not be used.
Applications should typically use \fBSSL_CTX_set_min_proto_version\fR\|(3) to set
the minimum protocol to at least \fB\s-1TLS1_VERSION\s0\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
.IP "\s-1NULL\s0" 4
.IX Item "NULL"
The creation of a new \s-1SSL_CTX\s0 object failed. Check the error stack to find out
the reason.
.IP "Pointer to an \s-1SSL_CTX\s0 object" 4
.IX Item "Pointer to an SSL_CTX object"
The return value points to an allocated \s-1SSL_CTX\s0 object.
.Sp
\&\fBSSL_CTX_up_ref()\fR returns 1 for success and 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_CTX_set_options\fR\|(3), \fBSSL_CTX_free\fR\|(3), \fBSSL_accept\fR\|(3),
\&\fBSSL_CTX_set_min_proto_version\fR\|(3), \fBssl\fR\|(7), \fBSSL_set_connect_state\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
Support for SSLv2 and the corresponding \fBSSLv2_method()\fR,
\&\fBSSLv2_server_method()\fR and \fBSSLv2_client_method()\fR functions where
removed in OpenSSL 1.1.0.
.PP
\&\fBSSLv23_method()\fR, \fBSSLv23_server_method()\fR and \fBSSLv23_client_method()\fR
were deprecated and the preferred \fBTLS_method()\fR, \fBTLS_server_method()\fR
and \fBTLS_client_method()\fR functions were added in OpenSSL 1.1.0.
.PP
All version-specific methods were deprecated in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_sess_number.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_sess_number.3
index bd8453cedb1d..ee65e0b4db9e 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_sess_number.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_sess_number.3
@@ -1,217 +1,217 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SESS_NUMBER 3"
-.TH SSL_CTX_SESS_NUMBER 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SESS_NUMBER 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_sess_number, SSL_CTX_sess_connect, SSL_CTX_sess_connect_good, SSL_CTX_sess_connect_renegotiate, SSL_CTX_sess_accept, SSL_CTX_sess_accept_good, SSL_CTX_sess_accept_renegotiate, SSL_CTX_sess_hits, SSL_CTX_sess_cb_hits, SSL_CTX_sess_misses, SSL_CTX_sess_timeouts, SSL_CTX_sess_cache_full \- obtain session cache statistics
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& long SSL_CTX_sess_number(SSL_CTX *ctx);
\& long SSL_CTX_sess_connect(SSL_CTX *ctx);
\& long SSL_CTX_sess_connect_good(SSL_CTX *ctx);
\& long SSL_CTX_sess_connect_renegotiate(SSL_CTX *ctx);
\& long SSL_CTX_sess_accept(SSL_CTX *ctx);
\& long SSL_CTX_sess_accept_good(SSL_CTX *ctx);
\& long SSL_CTX_sess_accept_renegotiate(SSL_CTX *ctx);
\& long SSL_CTX_sess_hits(SSL_CTX *ctx);
\& long SSL_CTX_sess_cb_hits(SSL_CTX *ctx);
\& long SSL_CTX_sess_misses(SSL_CTX *ctx);
\& long SSL_CTX_sess_timeouts(SSL_CTX *ctx);
\& long SSL_CTX_sess_cache_full(SSL_CTX *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_sess_number()\fR returns the current number of sessions in the internal
session cache.
.PP
\&\fBSSL_CTX_sess_connect()\fR returns the number of started \s-1SSL/TLS\s0 handshakes in
client mode.
.PP
\&\fBSSL_CTX_sess_connect_good()\fR returns the number of successfully established
\&\s-1SSL/TLS\s0 sessions in client mode.
.PP
\&\fBSSL_CTX_sess_connect_renegotiate()\fR returns the number of started renegotiations
in client mode.
.PP
\&\fBSSL_CTX_sess_accept()\fR returns the number of started \s-1SSL/TLS\s0 handshakes in
server mode.
.PP
\&\fBSSL_CTX_sess_accept_good()\fR returns the number of successfully established
\&\s-1SSL/TLS\s0 sessions in server mode.
.PP
\&\fBSSL_CTX_sess_accept_renegotiate()\fR returns the number of started renegotiations
in server mode.
.PP
\&\fBSSL_CTX_sess_hits()\fR returns the number of successfully reused sessions.
In client mode a session set with \fBSSL_set_session\fR\|(3)
successfully reused is counted as a hit. In server mode a session successfully
retrieved from internal or external cache is counted as a hit.
.PP
\&\fBSSL_CTX_sess_cb_hits()\fR returns the number of successfully retrieved sessions
from the external session cache in server mode.
.PP
\&\fBSSL_CTX_sess_misses()\fR returns the number of sessions proposed by clients
that were not found in the internal session cache in server mode.
.PP
\&\fBSSL_CTX_sess_timeouts()\fR returns the number of sessions proposed by clients
and either found in the internal or external session cache in server mode,
but that were invalid due to timeout. These sessions are not included in
the \fBSSL_CTX_sess_hits()\fR count.
.PP
\&\fBSSL_CTX_sess_cache_full()\fR returns the number of sessions that were removed
because the maximum session cache size was exceeded.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The functions return the values indicated in the \s-1DESCRIPTION\s0 section.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_set_session\fR\|(3),
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3)
\&\fBSSL_CTX_sess_set_cache_size\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_cache_size.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_cache_size.3
index adad38cd70fa..9be5cf410929 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_cache_size.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_cache_size.3
@@ -1,193 +1,193 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SESS_SET_CACHE_SIZE 3"
-.TH SSL_CTX_SESS_SET_CACHE_SIZE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SESS_SET_CACHE_SIZE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_sess_set_cache_size, SSL_CTX_sess_get_cache_size \- manipulate session cache size
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& long SSL_CTX_sess_set_cache_size(SSL_CTX *ctx, long t);
\& long SSL_CTX_sess_get_cache_size(SSL_CTX *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_sess_set_cache_size()\fR sets the size of the internal session cache
of context \fBctx\fR to \fBt\fR.
This value is a hint and not an absolute; see the notes below.
.PP
\&\fBSSL_CTX_sess_get_cache_size()\fR returns the currently valid session cache size.
.SH "NOTES"
.IX Header "NOTES"
The internal session cache size is \s-1SSL_SESSION_CACHE_MAX_SIZE_DEFAULT,\s0
currently 1024*20, so that up to 20000 sessions can be held. This size
can be modified using the \fBSSL_CTX_sess_set_cache_size()\fR call. A special
case is the size 0, which is used for unlimited size.
.PP
If adding the session makes the cache exceed its size, then unused
sessions are dropped from the end of the cache.
Cache space may also be reclaimed by calling
\&\fBSSL_CTX_flush_sessions\fR\|(3) to remove
expired sessions.
.PP
If the size of the session cache is reduced and more sessions are already
in the session cache, old session will be removed at the next time a
session shall be added. This removal is not synchronized with the
expiration of sessions.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_sess_set_cache_size()\fR returns the previously valid size.
.PP
\&\fBSSL_CTX_sess_get_cache_size()\fR returns the currently valid size.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3),
\&\fBSSL_CTX_sess_number\fR\|(3),
\&\fBSSL_CTX_flush_sessions\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_get_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_get_cb.3
index b268e4538a48..79afa92623f0 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_get_cb.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_sess_set_get_cb.3
@@ -1,254 +1,254 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SESS_SET_GET_CB 3"
-.TH SSL_CTX_SESS_SET_GET_CB 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SESS_SET_GET_CB 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_sess_set_new_cb, SSL_CTX_sess_set_remove_cb, SSL_CTX_sess_set_get_cb, SSL_CTX_sess_get_new_cb, SSL_CTX_sess_get_remove_cb, SSL_CTX_sess_get_get_cb \- provide callback functions for server side external session caching
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
\& int (*new_session_cb)(SSL *, SSL_SESSION *));
\& void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
\& void (*remove_session_cb)(SSL_CTX *ctx,
\& SSL_SESSION *));
\& void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
\& SSL_SESSION (*get_session_cb)(SSL *,
\& const unsigned char *,
\& int, int *));
\&
\& int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl,
\& SSL_SESSION *sess);
\& void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx,
\& SSL_SESSION *sess);
\& SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(struct ssl_st *ssl,
\& const unsigned char *data,
\& int len, int *copy);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_sess_set_new_cb()\fR sets the callback function that is
called whenever a new session was negotiated.
.PP
\&\fBSSL_CTX_sess_set_remove_cb()\fR sets the callback function that is
called whenever a session is removed by the \s-1SSL\s0 engine. For example,
this can occur because a session is considered faulty or has become obsolete
because of exceeding the timeout value.
.PP
\&\fBSSL_CTX_sess_set_get_cb()\fR sets the callback function that is called
whenever a \s-1TLS\s0 client proposed to resume a session but the session
could not be found in the internal session cache (see
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3)).
(\s-1TLS\s0 server only.)
.PP
\&\fBSSL_CTX_sess_get_new_cb()\fR, \fBSSL_CTX_sess_get_remove_cb()\fR, and
\&\fBSSL_CTX_sess_get_get_cb()\fR retrieve the function pointers set by the
corresponding set callback functions. If a callback function has not been
set, the \s-1NULL\s0 pointer is returned.
.SH "NOTES"
.IX Header "NOTES"
In order to allow external session caching, synchronization with the internal
session cache is realized via callback functions. Inside these callback
functions, session can be saved to disk or put into a database using the
\&\fBd2i_SSL_SESSION\fR\|(3) interface.
.PP
The \fBnew_session_cb()\fR is called whenever a new session has been negotiated and
session caching is enabled (see \fBSSL_CTX_set_session_cache_mode\fR\|(3)). The
\&\fBnew_session_cb()\fR is passed the \fBssl\fR connection and the nascent
ssl session \fBsess\fR.
Since sessions are reference-counted objects, the reference count on the
session is incremented before the callback, on behalf of the application. If
the callback returns \fB0\fR, the session will be immediately removed from the
internal cache and the reference count released. If the callback returns \fB1\fR,
the application retains the reference (for an entry in the
application-maintained \*(L"external session cache\*(R"), and is responsible for
calling \fBSSL_SESSION_free()\fR when the session reference is no longer in use.
.PP
Note that in TLSv1.3, sessions are established after the main
handshake has completed. The server decides when to send the client the session
information and this may occur some time after the end of the handshake (or not
at all). This means that applications should expect the \fBnew_session_cb()\fR
function to be invoked during the handshake (for <= TLSv1.2) or after the
handshake (for TLSv1.3). It is also possible in TLSv1.3 for multiple sessions to
be established with a single connection. In these case the \fBnew_session_cb()\fR
function will be invoked multiple times.
.PP
In TLSv1.3 it is recommended that each \s-1SSL_SESSION\s0 object is only used for
resumption once. One way of enforcing that is for applications to call
\&\fBSSL_CTX_remove_session\fR\|(3) after a session has been used.
.PP
The \fBremove_session_cb()\fR is called whenever the \s-1SSL\s0 engine removes a session
from the internal cache. This can happen when the session is removed because
it is expired or when a connection was not shutdown cleanly. It also happens
for all sessions in the internal session cache when
\&\fBSSL_CTX_free\fR\|(3) is called. The \fBremove_session_cb()\fR is passed
the \fBctx\fR and the ssl session \fBsess\fR. It does not provide any feedback.
.PP
The \fBget_session_cb()\fR is only called on \s-1SSL/TLS\s0 servers, and is given
the session id
proposed by the client. The \fBget_session_cb()\fR is always called, even when
session caching was disabled. The \fBget_session_cb()\fR is passed the
\&\fBssl\fR connection and the session id of length \fBlength\fR at the memory location
\&\fBdata\fR. By setting the parameter \fBcopy\fR to \fB1\fR, the callback can require the
\&\s-1SSL\s0 engine to increment the reference count of the \s-1SSL_SESSION\s0 object;
setting \fBcopy\fR to \fB0\fR causes the reference count to remain unchanged.
If the \fBget_session_cb()\fR does not write to \fBcopy\fR, the reference count
is incremented and the session must be explicitly freed with
\&\fBSSL_SESSION_free\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_sess_get_new_cb()\fR, \fBSSL_CTX_sess_get_remove_cb()\fR and \fBSSL_CTX_sess_get_get_cb()\fR
return different callback function pointers respectively.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBd2i_SSL_SESSION\fR\|(3),
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3),
\&\fBSSL_CTX_flush_sessions\fR\|(3),
\&\fBSSL_SESSION_free\fR\|(3),
\&\fBSSL_CTX_free\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_sessions.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_sessions.3
index 71d69d318675..b8af696df222 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_sessions.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_sessions.3
@@ -1,178 +1,178 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SESSIONS 3"
-.TH SSL_CTX_SESSIONS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SESSIONS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_sessions \- access internal session cache
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_sessions()\fR returns a pointer to the lhash databases containing the
internal session cache for \fBctx\fR.
.SH "NOTES"
.IX Header "NOTES"
The sessions in the internal session cache are kept in an
\&\s-1\fBLHASH\s0\fR\|(3) type database. It is possible to directly
access this database e.g. for searching. In parallel, the sessions
form a linked list which is maintained separately from the
\&\s-1\fBLHASH\s0\fR\|(3) operations, so that the database must not be
modified directly but by using the
\&\fBSSL_CTX_add_session\fR\|(3) family of functions.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_sessions()\fR returns a pointer to the lhash of \fB\s-1SSL_SESSION\s0\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \s-1\fBLHASH\s0\fR\|(3),
\&\fBSSL_CTX_add_session\fR\|(3),
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set0_CA_list.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set0_CA_list.3
index 353d03409669..7d00bb09308a 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set0_CA_list.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set0_CA_list.3
@@ -1,307 +1,307 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET0_CA_LIST 3"
-.TH SSL_CTX_SET0_CA_LIST 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET0_CA_LIST 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_client_CA_list, SSL_set_client_CA_list, SSL_get_client_CA_list, SSL_CTX_get_client_CA_list, SSL_CTX_add_client_CA, SSL_add_client_CA, SSL_set0_CA_list, SSL_CTX_set0_CA_list, SSL_get0_CA_list, SSL_CTX_get0_CA_list, SSL_add1_to_CA_list, SSL_CTX_add1_to_CA_list, SSL_get0_peer_CA_list \&\- get or set CA list
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
\& void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list);
\& STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
\& STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx);
\& int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert);
\& int SSL_add_client_CA(SSL *ssl, X509 *cacert);
\&
\& void SSL_CTX_set0_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
\& void SSL_set0_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
\& const STACK_OF(X509_NAME) *SSL_CTX_get0_CA_list(const SSL_CTX *ctx);
\& const STACK_OF(X509_NAME) *SSL_get0_CA_list(const SSL *s);
\& int SSL_CTX_add1_to_CA_list(SSL_CTX *ctx, const X509 *x);
\& int SSL_add1_to_CA_list(SSL *ssl, const X509 *x);
\&
\& const STACK_OF(X509_NAME) *SSL_get0_peer_CA_list(const SSL *s);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The functions described here set and manage the list of \s-1CA\s0 names that are sent
between two communicating peers.
.PP
For \s-1TLS\s0 versions 1.2 and earlier the list of \s-1CA\s0 names is only sent from the
server to the client when requesting a client certificate. So any list of \s-1CA\s0
names set is never sent from client to server and the list of \s-1CA\s0 names retrieved
by \fBSSL_get0_peer_CA_list()\fR is always \fB\s-1NULL\s0\fR.
.PP
For \s-1TLS 1.3\s0 the list of \s-1CA\s0 names is sent using the \fBcertificate_authorities\fR
extension and may be sent by a client (in the ClientHello message) or by
a server (when requesting a certificate).
.PP
In most cases it is not necessary to set \s-1CA\s0 names on the client side. The list
of \s-1CA\s0 names that are acceptable to the client will be sent in plaintext to the
server. This has privacy implications and may also have performance implications
if the list is large. This optional capability was introduced as part of TLSv1.3
and therefore setting \s-1CA\s0 names on the client side will have no impact if that
protocol version has been disabled. Most servers do not need this and so this
should be avoided unless required.
.PP
The \*(L"client \s-1CA\s0 list\*(R" functions below only have an effect when called on the
server side.
.PP
\&\fBSSL_CTX_set_client_CA_list()\fR sets the \fBlist\fR of CAs sent to the client when
requesting a client certificate for \fBctx\fR. Ownership of \fBlist\fR is transferred
to \fBctx\fR and it should not be freed by the caller.
.PP
\&\fBSSL_set_client_CA_list()\fR sets the \fBlist\fR of CAs sent to the client when
requesting a client certificate for the chosen \fBssl\fR, overriding the
setting valid for \fBssl\fR's \s-1SSL_CTX\s0 object. Ownership of \fBlist\fR is transferred
to \fBs\fR and it should not be freed by the caller.
.PP
\&\fBSSL_CTX_get_client_CA_list()\fR returns the list of client CAs explicitly set for
\&\fBctx\fR using \fBSSL_CTX_set_client_CA_list()\fR. The returned list should not be freed
by the caller.
.PP
\&\fBSSL_get_client_CA_list()\fR returns the list of client CAs explicitly
set for \fBssl\fR using \fBSSL_set_client_CA_list()\fR or \fBssl\fR's \s-1SSL_CTX\s0 object with
\&\fBSSL_CTX_set_client_CA_list()\fR, when in server mode. In client mode,
SSL_get_client_CA_list returns the list of client CAs sent from the server, if
any. The returned list should not be freed by the caller.
.PP
\&\fBSSL_CTX_add_client_CA()\fR adds the \s-1CA\s0 name extracted from \fBcacert\fR to the
list of CAs sent to the client when requesting a client certificate for
\&\fBctx\fR.
.PP
\&\fBSSL_add_client_CA()\fR adds the \s-1CA\s0 name extracted from \fBcacert\fR to the
list of CAs sent to the client when requesting a client certificate for
the chosen \fBssl\fR, overriding the setting valid for \fBssl\fR's \s-1SSL_CTX\s0 object.
.PP
\&\fBSSL_get0_peer_CA_list()\fR retrieves the list of \s-1CA\s0 names (if any) the peer
has sent. This can be called on either the server or the client side. The
returned list should not be freed by the caller.
.PP
The \*(L"generic \s-1CA\s0 list\*(R" functions below are very similar to the \*(L"client \s-1CA\s0
list\*(R" functions except that they have an effect on both the server and client
sides. The lists of \s-1CA\s0 names managed are separate \- so you cannot (for example)
set \s-1CA\s0 names using the \*(L"client \s-1CA\s0 list\*(R" functions and then get them using the
\&\*(L"generic \s-1CA\s0 list\*(R" functions. Where a mix of the two types of functions has been
used on the server side then the \*(L"client \s-1CA\s0 list\*(R" functions take precedence.
Typically, on the server side, the \*(L"client \s-1CA\s0 list \*(R" functions should be used in
preference. As noted above in most cases it is not necessary to set \s-1CA\s0 names on
the client side.
.PP
\&\fBSSL_CTX_set0_CA_list()\fR sets the list of CAs to be sent to the peer to
\&\fBname_list\fR. Ownership of \fBname_list\fR is transferred to \fBctx\fR and
it should not be freed by the caller.
.PP
\&\fBSSL_set0_CA_list()\fR sets the list of CAs to be sent to the peer to \fBname_list\fR
overriding any list set in the parent \fB\s-1SSL_CTX\s0\fR of \fBs\fR. Ownership of
\&\fBname_list\fR is transferred to \fBs\fR and it should not be freed by the caller.
.PP
\&\fBSSL_CTX_get0_CA_list()\fR retrieves any previously set list of CAs set for
\&\fBctx\fR. The returned list should not be freed by the caller.
.PP
\&\fBSSL_get0_CA_list()\fR retrieves any previously set list of CAs set for
\&\fBs\fR or if none are set the list from the parent \fB\s-1SSL_CTX\s0\fR is retrieved. The
returned list should not be freed by the caller.
.PP
\&\fBSSL_CTX_add1_to_CA_list()\fR appends the \s-1CA\s0 subject name extracted from \fBx\fR to the
list of CAs sent to peer for \fBctx\fR.
.PP
\&\fBSSL_add1_to_CA_list()\fR appends the \s-1CA\s0 subject name extracted from \fBx\fR to the
list of CAs sent to the peer for \fBs\fR, overriding the setting in the parent
\&\fB\s-1SSL_CTX\s0\fR.
.SH "NOTES"
.IX Header "NOTES"
When a \s-1TLS/SSL\s0 server requests a client certificate (see
\&\fB\fBSSL_CTX_set_verify\fB\|(3)\fR), it sends a list of CAs, for which it will accept
certificates, to the client.
.PP
This list must explicitly be set using \fBSSL_CTX_set_client_CA_list()\fR or
\&\fBSSL_CTX_set0_CA_list()\fR for \fBctx\fR and \fBSSL_set_client_CA_list()\fR or
\&\fBSSL_set0_CA_list()\fR for the specific \fBssl\fR. The list specified
overrides the previous setting. The CAs listed do not become trusted (\fBlist\fR
only contains the names, not the complete certificates); use
\&\fBSSL_CTX_load_verify_locations\fR\|(3) to additionally load them for verification.
.PP
If the list of acceptable CAs is compiled in a file, the
\&\fBSSL_load_client_CA_file\fR\|(3) function can be used to help to import the
necessary data.
.PP
\&\fBSSL_CTX_add_client_CA()\fR, \fBSSL_CTX_add1_to_CA_list()\fR, \fBSSL_add_client_CA()\fR and
\&\fBSSL_add1_to_CA_list()\fR can be used to add additional items the list of CAs. If no
list was specified before using \fBSSL_CTX_set_client_CA_list()\fR,
\&\fBSSL_CTX_set0_CA_list()\fR, \fBSSL_set_client_CA_list()\fR or \fBSSL_set0_CA_list()\fR, a
new \s-1CA\s0 list for \fBctx\fR or \fBssl\fR (as appropriate) is opened.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_client_CA_list()\fR, \fBSSL_set_client_CA_list()\fR,
\&\fBSSL_CTX_set_client_CA_list()\fR, \fBSSL_set_client_CA_list()\fR, \fBSSL_CTX_set0_CA_list()\fR
and \fBSSL_set0_CA_list()\fR do not return a value.
.PP
\&\fBSSL_CTX_get_client_CA_list()\fR, \fBSSL_get_client_CA_list()\fR, \fBSSL_CTX_get0_CA_list()\fR
and \fBSSL_get0_CA_list()\fR return a stack of \s-1CA\s0 names or \fB\s-1NULL\s0\fR is no \s-1CA\s0 names are
set.
.PP
\&\fBSSL_CTX_add_client_CA()\fR,\fBSSL_add_client_CA()\fR, \fBSSL_CTX_add1_to_CA_list()\fR and
\&\fBSSL_add1_to_CA_list()\fR return 1 for success and 0 for failure.
.PP
\&\fBSSL_get0_peer_CA_list()\fR returns a stack of \s-1CA\s0 names sent by the peer or
\&\fB\s-1NULL\s0\fR or an empty stack if no list was sent.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Scan all certificates in \fBCAfile\fR and list them as acceptable CAs:
.PP
.Vb 1
\& SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_load_client_CA_file\fR\|(3),
\&\fBSSL_CTX_load_verify_locations\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_curves.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_curves.3
index 17fd207917f4..c157b78b5fad 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_curves.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_curves.3
@@ -1,238 +1,238 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET1_CURVES 3"
-.TH SSL_CTX_SET1_CURVES 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET1_CURVES 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set1_groups, SSL_CTX_set1_groups_list, SSL_set1_groups, SSL_set1_groups_list, SSL_get1_groups, SSL_get_shared_group, SSL_CTX_set1_curves, SSL_CTX_set1_curves_list, SSL_set1_curves, SSL_set1_curves_list, SSL_get1_curves, SSL_get_shared_curve \&\- EC supported curve functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_CTX_set1_groups(SSL_CTX *ctx, int *glist, int glistlen);
\& int SSL_CTX_set1_groups_list(SSL_CTX *ctx, char *list);
\&
\& int SSL_set1_groups(SSL *ssl, int *glist, int glistlen);
\& int SSL_set1_groups_list(SSL *ssl, char *list);
\&
\& int SSL_get1_groups(SSL *ssl, int *groups);
\& int SSL_get_shared_group(SSL *s, int n);
\&
\& int SSL_CTX_set1_curves(SSL_CTX *ctx, int *clist, int clistlen);
\& int SSL_CTX_set1_curves_list(SSL_CTX *ctx, char *list);
\&
\& int SSL_set1_curves(SSL *ssl, int *clist, int clistlen);
\& int SSL_set1_curves_list(SSL *ssl, char *list);
\&
\& int SSL_get1_curves(SSL *ssl, int *curves);
\& int SSL_get_shared_curve(SSL *s, int n);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
For all of the functions below that set the supported groups there must be at
least one group in the list.
.PP
\&\fBSSL_CTX_set1_groups()\fR sets the supported groups for \fBctx\fR to \fBglistlen\fR
groups in the array \fBglist\fR. The array consist of all NIDs of groups in
preference order. For a \s-1TLS\s0 client the groups are used directly in the
supported groups extension. For a \s-1TLS\s0 server the groups are used to
determine the set of shared groups.
.PP
\&\fBSSL_CTX_set1_groups_list()\fR sets the supported groups for \fBctx\fR to
string \fBlist\fR. The string is a colon separated list of group NIDs or
names, for example \*(L"P\-521:P\-384:P\-256\*(R".
.PP
\&\fBSSL_set1_groups()\fR and \fBSSL_set1_groups_list()\fR are similar except they set
supported groups for the \s-1SSL\s0 structure \fBssl\fR.
.PP
\&\fBSSL_get1_groups()\fR returns the set of supported groups sent by a client
in the supported groups extension. It returns the total number of
supported groups. The \fBgroups\fR parameter can be \fB\s-1NULL\s0\fR to simply
return the number of groups for memory allocation purposes. The
\&\fBgroups\fR array is in the form of a set of group NIDs in preference
order. It can return zero if the client did not send a supported groups
extension.
.PP
\&\fBSSL_get_shared_group()\fR returns shared group \fBn\fR for a server-side
\&\s-1SSL\s0 \fBssl\fR. If \fBn\fR is \-1 then the total number of shared groups is
returned, which may be zero. Other than for diagnostic purposes,
most applications will only be interested in the first shared group
so \fBn\fR is normally set to zero. If the value \fBn\fR is out of range,
NID_undef is returned.
.PP
All these functions are implemented as macros.
.PP
The curve functions are synonyms for the equivalently named group functions and
are identical in every respect. They exist because, prior to \s-1TLS1.3,\s0 there was
only the concept of supported curves. In \s-1TLS1.3\s0 this was renamed to supported
groups, and extended to include Diffie Hellman groups. The group functions
should be used in preference.
.SH "NOTES"
.IX Header "NOTES"
If an application wishes to make use of several of these functions for
configuration purposes either on a command line or in a file it should
consider using the \s-1SSL_CONF\s0 interface instead of manually parsing options.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set1_groups()\fR, \fBSSL_CTX_set1_groups_list()\fR, \fBSSL_set1_groups()\fR and
\&\fBSSL_set1_groups_list()\fR, return 1 for success and 0 for failure.
.PP
\&\fBSSL_get1_groups()\fR returns the number of groups, which may be zero.
.PP
\&\fBSSL_get_shared_group()\fR returns the \s-1NID\s0 of shared group \fBn\fR or NID_undef if there
is no shared group \fBn\fR; or the total number of shared groups if \fBn\fR
is \-1.
.PP
When called on a client \fBssl\fR, \fBSSL_get_shared_group()\fR has no meaning and
returns \-1.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_CTX_add_extra_chain_cert\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The curve functions were added in OpenSSL 1.0.2. The equivalent group
functions were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2013\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_sigalgs.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_sigalgs.3
index 4f98ead15246..385558e002d5 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_sigalgs.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_sigalgs.3
@@ -1,249 +1,249 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET1_SIGALGS 3"
-.TH SSL_CTX_SET1_SIGALGS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET1_SIGALGS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set1_sigalgs, SSL_set1_sigalgs, SSL_CTX_set1_sigalgs_list, SSL_set1_sigalgs_list, SSL_CTX_set1_client_sigalgs, SSL_set1_client_sigalgs, SSL_CTX_set1_client_sigalgs_list, SSL_set1_client_sigalgs_list \- set supported signature algorithms
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& long SSL_CTX_set1_sigalgs(SSL_CTX *ctx, const int *slist, long slistlen);
\& long SSL_set1_sigalgs(SSL *ssl, const int *slist, long slistlen);
\& long SSL_CTX_set1_sigalgs_list(SSL_CTX *ctx, const char *str);
\& long SSL_set1_sigalgs_list(SSL *ssl, const char *str);
\&
\& long SSL_CTX_set1_client_sigalgs(SSL_CTX *ctx, const int *slist, long slistlen);
\& long SSL_set1_client_sigalgs(SSL *ssl, const int *slist, long slistlen);
\& long SSL_CTX_set1_client_sigalgs_list(SSL_CTX *ctx, const char *str);
\& long SSL_set1_client_sigalgs_list(SSL *ssl, const char *str);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set1_sigalgs()\fR and \fBSSL_set1_sigalgs()\fR set the supported signature
algorithms for \fBctx\fR or \fBssl\fR. The array \fBslist\fR of length \fBslistlen\fR
must consist of pairs of NIDs corresponding to digest and public key
algorithms.
.PP
\&\fBSSL_CTX_set1_sigalgs_list()\fR and \fBSSL_set1_sigalgs_list()\fR set the supported
signature algorithms for \fBctx\fR or \fBssl\fR. The \fBstr\fR parameter
must be a null terminated string consisting of a colon separated list of
elements, where each element is either a combination of a public key
algorithm and a digest separated by \fB+\fR, or a \s-1TLS 1\s0.3\-style named
SignatureScheme such as rsa_pss_pss_sha256.
.PP
\&\fBSSL_CTX_set1_client_sigalgs()\fR, \fBSSL_set1_client_sigalgs()\fR,
\&\fBSSL_CTX_set1_client_sigalgs_list()\fR and \fBSSL_set1_client_sigalgs_list()\fR set
signature algorithms related to client authentication, otherwise they are
identical to \fBSSL_CTX_set1_sigalgs()\fR, \fBSSL_set1_sigalgs()\fR,
\&\fBSSL_CTX_set1_sigalgs_list()\fR and \fBSSL_set1_sigalgs_list()\fR.
.PP
All these functions are implemented as macros. The signature algorithm
parameter (integer array or string) is not freed: the application should
free it, if necessary.
.SH "NOTES"
.IX Header "NOTES"
If an application wishes to allow the setting of signature algorithms
as one of many user configurable options it should consider using the more
flexible \s-1SSL_CONF API\s0 instead.
.PP
The signature algorithms set by a client are used directly in the supported
signature algorithm in the client hello message.
.PP
The supported signature algorithms set by a server are not sent to the
client but are used to determine the set of shared signature algorithms
and (if server preferences are set with \s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0)
their order.
.PP
The client authentication signature algorithms set by a server are sent
in a certificate request message if client authentication is enabled,
otherwise they are unused.
.PP
Similarly client authentication signature algorithms set by a client are
used to determined the set of client authentication shared signature
algorithms.
.PP
Signature algorithms will neither be advertised nor used if the security level
prohibits them (for example \s-1SHA1\s0 if the security level is 4 or more).
.PP
Currently the NID_md5, NID_sha1, NID_sha224, NID_sha256, NID_sha384 and
NID_sha512 digest NIDs are supported and the public key algorithm NIDs
\&\s-1EVP_PKEY_RSA, EVP_PKEY_RSA_PSS, EVP_PKEY_DSA\s0 and \s-1EVP_PKEY_EC.\s0
.PP
The short or long name values for digests can be used in a string (for
example \*(L"\s-1MD5\*(R", \*(L"SHA1\*(R", \*(L"SHA224\*(R", \*(L"SHA256\*(R", \*(L"SHA384\*(R", \*(L"SHA512\*(R"\s0) and
the public key algorithm strings \*(L"\s-1RSA\*(R",\s0 \*(L"RSA-PSS\*(R", \*(L"\s-1DSA\*(R"\s0 or \*(L"\s-1ECDSA\*(R".\s0
.PP
The \s-1TLS 1.3\s0 signature scheme names (such as \*(L"rsa_pss_pss_sha256\*(R") can also
be used with the \fB_list\fR forms of the \s-1API.\s0
.PP
The use of \s-1MD5\s0 as a digest is strongly discouraged due to security weaknesses.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All these functions return 1 for success and 0 for failure.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Set supported signature algorithms to \s-1SHA256\s0 with \s-1ECDSA\s0 and \s-1SHA256\s0 with \s-1RSA\s0
using an array:
.PP
.Vb 1
\& const int slist[] = {NID_sha256, EVP_PKEY_EC, NID_sha256, EVP_PKEY_RSA};
\&
\& SSL_CTX_set1_sigalgs(ctx, slist, 4);
.Ve
.PP
Set supported signature algorithms to \s-1SHA256\s0 with \s-1ECDSA\s0 and \s-1SHA256\s0 with \s-1RSA\s0
using a string:
.PP
.Vb 1
\& SSL_CTX_set1_sigalgs_list(ctx, "ECDSA+SHA256:RSA+SHA256");
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_get_shared_sigalgs\fR\|(3),
\&\fBSSL_CONF_CTX_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_verify_cert_store.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_verify_cert_store.3
index 10d76d218f0f..0f882ad4815b 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set1_verify_cert_store.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set1_verify_cert_store.3
@@ -1,226 +1,226 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET1_VERIFY_CERT_STORE 3"
-.TH SSL_CTX_SET1_VERIFY_CERT_STORE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET1_VERIFY_CERT_STORE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set0_verify_cert_store, SSL_CTX_set1_verify_cert_store, SSL_CTX_set0_chain_cert_store, SSL_CTX_set1_chain_cert_store, SSL_set0_verify_cert_store, SSL_set1_verify_cert_store, SSL_set0_chain_cert_store, SSL_set1_chain_cert_store \- set certificate verification or chain store
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_CTX_set0_verify_cert_store(SSL_CTX *ctx, X509_STORE *st);
\& int SSL_CTX_set1_verify_cert_store(SSL_CTX *ctx, X509_STORE *st);
\& int SSL_CTX_set0_chain_cert_store(SSL_CTX *ctx, X509_STORE *st);
\& int SSL_CTX_set1_chain_cert_store(SSL_CTX *ctx, X509_STORE *st);
\&
\& int SSL_set0_verify_cert_store(SSL *ctx, X509_STORE *st);
\& int SSL_set1_verify_cert_store(SSL *ctx, X509_STORE *st);
\& int SSL_set0_chain_cert_store(SSL *ctx, X509_STORE *st);
\& int SSL_set1_chain_cert_store(SSL *ctx, X509_STORE *st);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set0_verify_cert_store()\fR and \fBSSL_CTX_set1_verify_cert_store()\fR
set the certificate store used for certificate verification to \fBst\fR.
.PP
\&\fBSSL_CTX_set0_chain_cert_store()\fR and \fBSSL_CTX_set1_chain_cert_store()\fR
set the certificate store used for certificate chain building to \fBst\fR.
.PP
\&\fBSSL_set0_verify_cert_store()\fR, \fBSSL_set1_verify_cert_store()\fR,
\&\fBSSL_set0_chain_cert_store()\fR and \fBSSL_set1_chain_cert_store()\fR are similar
except they apply to \s-1SSL\s0 structure \fBssl\fR.
.PP
All these functions are implemented as macros. Those containing a \fB1\fR
increment the reference count of the supplied store so it must
be freed at some point after the operation. Those containing a \fB0\fR do
not increment reference counts and the supplied store \fB\s-1MUST NOT\s0\fR be freed
after the operation.
.SH "NOTES"
.IX Header "NOTES"
The stores pointers associated with an \s-1SSL_CTX\s0 structure are copied to any \s-1SSL\s0
structures when \fBSSL_new()\fR is called. As a result \s-1SSL\s0 structures will not be
affected if the parent \s-1SSL_CTX\s0 store pointer is set to a new value.
.PP
The verification store is used to verify the certificate chain sent by the
peer: that is an \s-1SSL/TLS\s0 client will use the verification store to verify
the server's certificate chain and a \s-1SSL/TLS\s0 server will use it to verify
any client certificate chain.
.PP
The chain store is used to build the certificate chain.
.PP
If the mode \fB\s-1SSL_MODE_NO_AUTO_CHAIN\s0\fR is set or a certificate chain is
configured already (for example using the functions such as
\&\fBSSL_CTX_add1_chain_cert\fR\|(3) or
\&\fBSSL_CTX_add_extra_chain_cert\fR\|(3)) then
automatic chain building is disabled.
.PP
If the mode \fB\s-1SSL_MODE_NO_AUTO_CHAIN\s0\fR is set then automatic chain building
is disabled.
.PP
If the chain or the verification store is not set then the store associated
with the parent \s-1SSL_CTX\s0 is used instead to retain compatibility with previous
versions of OpenSSL.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All these functions return 1 for success and 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_CTX_add_extra_chain_cert\fR\|(3)
\&\fBSSL_CTX_set0_chain\fR\|(3)
\&\fBSSL_CTX_set1_chain\fR\|(3)
\&\fBSSL_CTX_add0_chain_cert\fR\|(3)
\&\fBSSL_CTX_add1_chain_cert\fR\|(3)
\&\fBSSL_set0_chain\fR\|(3)
\&\fBSSL_set1_chain\fR\|(3)
\&\fBSSL_add0_chain_cert\fR\|(3)
\&\fBSSL_add1_chain_cert\fR\|(3)
\&\fBSSL_CTX_build_cert_chain\fR\|(3)
\&\fBSSL_build_cert_chain\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.2.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2013\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_alpn_select_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_alpn_select_cb.3
index ecc4d11d623a..86998ed0a5ab 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_alpn_select_cb.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_alpn_select_cb.3
@@ -1,314 +1,314 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_ALPN_SELECT_CB 3"
-.TH SSL_CTX_SET_ALPN_SELECT_CB 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_ALPN_SELECT_CB 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_alpn_protos, SSL_set_alpn_protos, SSL_CTX_set_alpn_select_cb, SSL_CTX_set_next_proto_select_cb, SSL_CTX_set_next_protos_advertised_cb, SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated \&\- handle application layer protocol negotiation (ALPN)
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
\& unsigned int protos_len);
\& int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
\& unsigned int protos_len);
\& void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
\& int (*cb) (SSL *ssl,
\& const unsigned char **out,
\& unsigned char *outlen,
\& const unsigned char *in,
\& unsigned int inlen,
\& void *arg), void *arg);
\& void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
\& unsigned int *len);
\&
\& void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx,
\& int (*cb)(SSL *ssl,
\& const unsigned char **out,
\& unsigned int *outlen,
\& void *arg),
\& void *arg);
\& void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx,
\& int (*cb)(SSL *s,
\& unsigned char **out,
\& unsigned char *outlen,
\& const unsigned char *in,
\& unsigned int inlen,
\& void *arg),
\& void *arg);
\& int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
\& const unsigned char *server,
\& unsigned int server_len,
\& const unsigned char *client,
\& unsigned int client_len)
\& void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
\& unsigned *len);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_alpn_protos()\fR and \fBSSL_set_alpn_protos()\fR are used by the client to
set the list of protocols available to be negotiated. The \fBprotos\fR must be in
protocol-list format, described below. The length of \fBprotos\fR is specified in
\&\fBprotos_len\fR.
.PP
\&\fBSSL_CTX_set_alpn_select_cb()\fR sets the application callback \fBcb\fR used by a
server to select which protocol to use for the incoming connection. When \fBcb\fR
is \s-1NULL, ALPN\s0 is not used. The \fBarg\fR value is a pointer which is passed to
the application callback.
.PP
\&\fBcb\fR is the application defined callback. The \fBin\fR, \fBinlen\fR parameters are a
vector in protocol-list format. The value of the \fBout\fR, \fBoutlen\fR vector
should be set to the value of a single protocol selected from the \fBin\fR,
\&\fBinlen\fR vector. The \fBout\fR buffer may point directly into \fBin\fR, or to a
buffer that outlives the handshake. The \fBarg\fR parameter is the pointer set via
\&\fBSSL_CTX_set_alpn_select_cb()\fR.
.PP
\&\fBSSL_select_next_proto()\fR is a helper function used to select protocols. It
implements the standard protocol selection. It is expected that this function
is called from the application callback \fBcb\fR. The protocol data in \fBserver\fR,
\&\fBserver_len\fR and \fBclient\fR, \fBclient_len\fR must be in the protocol-list format
described below. The first item in the \fBserver\fR, \fBserver_len\fR list that
matches an item in the \fBclient\fR, \fBclient_len\fR list is selected, and returned
in \fBout\fR, \fBoutlen\fR. The \fBout\fR value will point into either \fBserver\fR or
\&\fBclient\fR, so it should be copied immediately. If no match is found, the first
item in \fBclient\fR, \fBclient_len\fR is returned in \fBout\fR, \fBoutlen\fR. This
function can also be used in the \s-1NPN\s0 callback.
.PP
\&\fBSSL_CTX_set_next_proto_select_cb()\fR sets a callback \fBcb\fR that is called when a
client needs to select a protocol from the server's provided list, and a
user-defined pointer argument \fBarg\fR which will be passed to this callback.
For the callback itself, \fBout\fR
must be set to point to the selected protocol (which may be within \fBin\fR).
The length of the protocol name must be written into \fBoutlen\fR. The
server's advertised protocols are provided in \fBin\fR and \fBinlen\fR. The
callback can assume that \fBin\fR is syntactically valid. The client must
select a protocol. It is fatal to the connection if this callback returns
a value other than \fB\s-1SSL_TLSEXT_ERR_OK\s0\fR. The \fBarg\fR parameter is the pointer
set via \fBSSL_CTX_set_next_proto_select_cb()\fR.
.PP
\&\fBSSL_CTX_set_next_protos_advertised_cb()\fR sets a callback \fBcb\fR that is called
when a \s-1TLS\s0 server needs a list of supported protocols for Next Protocol
Negotiation. The returned list must be in protocol-list format, described
below. The list is
returned by setting \fBout\fR to point to it and \fBoutlen\fR to its length. This
memory will not be modified, but the \fB\s-1SSL\s0\fR does keep a
reference to it. The callback should return \fB\s-1SSL_TLSEXT_ERR_OK\s0\fR if it
wishes to advertise. Otherwise, no such extension will be included in the
ServerHello.
.PP
\&\fBSSL_get0_alpn_selected()\fR returns a pointer to the selected protocol in \fBdata\fR
with length \fBlen\fR. It is not NUL-terminated. \fBdata\fR is set to \s-1NULL\s0 and \fBlen\fR
is set to 0 if no protocol has been selected. \fBdata\fR must not be freed.
.PP
\&\fBSSL_get0_next_proto_negotiated()\fR sets \fBdata\fR and \fBlen\fR to point to the
client's requested protocol for this connection. If the client did not
request any protocol or \s-1NPN\s0 is not enabled, then \fBdata\fR is set to \s-1NULL\s0 and
\&\fBlen\fR to 0. Note that
the client can request any protocol it chooses. The value returned from
this function need not be a member of the list of supported protocols
provided by the callback.
.SH "NOTES"
.IX Header "NOTES"
The protocol-lists must be in wire-format, which is defined as a vector of
nonempty, 8\-bit length-prefixed, byte strings. The length-prefix byte is not
included in the length. Each string is limited to 255 bytes. A byte-string
length of 0 is invalid. A truncated byte-string is invalid. The length of the
vector is not in the vector itself, but in a separate variable.
.PP
Example:
.PP
.Vb 5
\& unsigned char vector[] = {
\& 6, \*(Aqs\*(Aq, \*(Aqp\*(Aq, \*(Aqd\*(Aq, \*(Aqy\*(Aq, \*(Aq/\*(Aq, \*(Aq1\*(Aq,
\& 8, \*(Aqh\*(Aq, \*(Aqt\*(Aq, \*(Aqt\*(Aq, \*(Aqp\*(Aq, \*(Aq/\*(Aq, \*(Aq1\*(Aq, \*(Aq.\*(Aq, \*(Aq1\*(Aq
\& };
\& unsigned int length = sizeof(vector);
.Ve
.PP
The \s-1ALPN\s0 callback is executed after the servername callback; as that servername
callback may update the \s-1SSL_CTX,\s0 and subsequently, the \s-1ALPN\s0 callback.
.PP
If there is no \s-1ALPN\s0 proposed in the ClientHello, the \s-1ALPN\s0 callback is not
invoked.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_alpn_protos()\fR and \fBSSL_set_alpn_protos()\fR return 0 on success, and
non\-0 on failure. \s-1WARNING:\s0 these functions reverse the return value convention.
.PP
\&\fBSSL_select_next_proto()\fR returns one of the following:
.IP "\s-1OPENSSL_NPN_NEGOTIATED\s0" 4
.IX Item "OPENSSL_NPN_NEGOTIATED"
A match was found and is returned in \fBout\fR, \fBoutlen\fR.
.IP "\s-1OPENSSL_NPN_NO_OVERLAP\s0" 4
.IX Item "OPENSSL_NPN_NO_OVERLAP"
No match was found. The first item in \fBclient\fR, \fBclient_len\fR is returned in
\&\fBout\fR, \fBoutlen\fR.
.PP
The \s-1ALPN\s0 select callback \fBcb\fR, must return one of the following:
.IP "\s-1SSL_TLSEXT_ERR_OK\s0" 4
.IX Item "SSL_TLSEXT_ERR_OK"
\&\s-1ALPN\s0 protocol selected.
.IP "\s-1SSL_TLSEXT_ERR_ALERT_FATAL\s0" 4
.IX Item "SSL_TLSEXT_ERR_ALERT_FATAL"
There was no overlap between the client's supplied list and the server
configuration.
.IP "\s-1SSL_TLSEXT_ERR_NOACK\s0" 4
.IX Item "SSL_TLSEXT_ERR_NOACK"
\&\s-1ALPN\s0 protocol not selected, e.g., because no \s-1ALPN\s0 protocols are configured for
this connection.
.PP
The callback set using \fBSSL_CTX_set_next_proto_select_cb()\fR should return
\&\fB\s-1SSL_TLSEXT_ERR_OK\s0\fR if successful. Any other value is fatal to the connection.
.PP
The callback set using \fBSSL_CTX_set_next_protos_advertised_cb()\fR should return
\&\fB\s-1SSL_TLSEXT_ERR_OK\s0\fR if it wishes to advertise. Otherwise, no such extension
will be included in the ServerHello.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_CTX_set_tlsext_servername_callback\fR\|(3),
\&\fBSSL_CTX_set_tlsext_servername_arg\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_cb.3
index 510a70d8010e..4f6f7aa34dbd 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_cb.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_cb.3
@@ -1,213 +1,213 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_CERT_CB 3"
-.TH SSL_CTX_SET_CERT_CB 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_CERT_CB 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_cert_cb, SSL_set_cert_cb \- handle certificate callback function
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cert_cb)(SSL *ssl, void *arg),
\& void *arg);
\& void SSL_set_cert_cb(SSL *s, int (*cert_cb)(SSL *ssl, void *arg), void *arg);
\&
\& int (*cert_cb)(SSL *ssl, void *arg);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_cert_cb()\fR and \fBSSL_set_cert_cb()\fR sets the \fBcert_cb()\fR callback,
\&\fBarg\fR value is pointer which is passed to the application callback.
.PP
When \fBcert_cb()\fR is \s-1NULL,\s0 no callback function is used.
.PP
\&\fBcert_cb()\fR is the application defined callback. It is called before a
certificate will be used by a client or server. The callback can then inspect
the passed \fBssl\fR structure and set or clear any appropriate certificates. If
the callback is successful it \fB\s-1MUST\s0\fR return 1 even if no certificates have
been set. A zero is returned on error which will abort the handshake with a
fatal internal error alert. A negative return value will suspend the handshake
and the handshake function will return immediately.
\&\fBSSL_get_error\fR\|(3) will return \s-1SSL_ERROR_WANT_X509_LOOKUP\s0 to
indicate, that the handshake was suspended. The next call to the handshake
function will again lead to the call of \fBcert_cb()\fR. It is the job of the
\&\fBcert_cb()\fR to store information about the state of the last call,
if required to continue.
.SH "NOTES"
.IX Header "NOTES"
An application will typically call \fBSSL_use_certificate()\fR and
\&\fBSSL_use_PrivateKey()\fR to set the end entity certificate and private key.
It can add intermediate and optionally the root \s-1CA\s0 certificates using
\&\fBSSL_add1_chain_cert()\fR.
.PP
It might also call \fBSSL_certs_clear()\fR to delete any certificates associated
with the \fB\s-1SSL\s0\fR object.
.PP
The certificate callback functionality supersedes the (largely broken)
functionality provided by the old client certificate callback interface.
It is \fBalways\fR called even is a certificate is already set so the callback
can modify or delete the existing certificate.
.PP
A more advanced callback might examine the handshake parameters and set
whatever chain is appropriate. For example a legacy client supporting only
TLSv1.0 might receive a certificate chain signed using \s-1SHA1\s0 whereas a
TLSv1.2 or later client which advertises support for \s-1SHA256\s0 could receive a
chain using \s-1SHA256.\s0
.PP
Normal server sanity checks are performed on any certificates set
by the callback. So if an \s-1EC\s0 chain is set for a curve the client does not
support it will \fBnot\fR be used.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_cert_cb()\fR and \fBSSL_set_cert_cb()\fR do not return values.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_use_certificate\fR\|(3),
\&\fBSSL_add1_chain_cert\fR\|(3),
\&\fBSSL_get_client_CA_list\fR\|(3),
\&\fBSSL_clear\fR\|(3), \fBSSL_free\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2014\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_store.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_store.3
index 748dd7983aff..e3f3c2a3f170 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_store.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_store.3
@@ -1,219 +1,219 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_CERT_STORE 3"
-.TH SSL_CTX_SET_CERT_STORE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_CERT_STORE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_cert_store, SSL_CTX_set1_cert_store, SSL_CTX_get_cert_store \- manipulate X509 certificate verification storage
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store);
\& void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store);
\& X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_cert_store()\fR sets/replaces the certificate verification storage
of \fBctx\fR to/with \fBstore\fR. If another X509_STORE object is currently
set in \fBctx\fR, it will be \fBX509_STORE_free()\fRed.
.PP
\&\fBSSL_CTX_set1_cert_store()\fR sets/replaces the certificate verification storage
of \fBctx\fR to/with \fBstore\fR. The \fBstore\fR's reference count is incremented.
If another X509_STORE object is currently set in \fBctx\fR, it will be \fBX509_STORE_free()\fRed.
.PP
\&\fBSSL_CTX_get_cert_store()\fR returns a pointer to the current certificate
verification storage.
.SH "NOTES"
.IX Header "NOTES"
In order to verify the certificates presented by the peer, trusted \s-1CA\s0
certificates must be accessed. These \s-1CA\s0 certificates are made available
via lookup methods, handled inside the X509_STORE. From the X509_STORE
the X509_STORE_CTX used when verifying certificates is created.
.PP
Typically the trusted certificate store is handled indirectly via using
\&\fBSSL_CTX_load_verify_locations\fR\|(3).
Using the \fBSSL_CTX_set_cert_store()\fR and \fBSSL_CTX_get_cert_store()\fR functions
it is possible to manipulate the X509_STORE object beyond the
\&\fBSSL_CTX_load_verify_locations\fR\|(3)
call.
.PP
Currently no detailed documentation on how to use the X509_STORE
object is available. Not all members of the X509_STORE are used when
the verification takes place. So will e.g. the \fBverify_callback()\fR be
overridden with the \fBverify_callback()\fR set via the
\&\fBSSL_CTX_set_verify\fR\|(3) family of functions.
This document must therefore be updated when documentation about the
X509_STORE object and its handling becomes available.
.PP
\&\fBSSL_CTX_set_cert_store()\fR does not increment the \fBstore\fR's reference
count, so it should not be used to assign an X509_STORE that is owned
by another \s-1SSL_CTX.\s0
.PP
To share X509_STOREs between two SSL_CTXs, use \fBSSL_CTX_get_cert_store()\fR
to get the X509_STORE from the first \s-1SSL_CTX,\s0 and then use
\&\fBSSL_CTX_set1_cert_store()\fR to assign to the second \s-1SSL_CTX\s0 and
increment the reference count of the X509_STORE.
.SH "RESTRICTIONS"
.IX Header "RESTRICTIONS"
The X509_STORE structure used by an \s-1SSL_CTX\s0 is used for verifying peer
certificates and building certificate chains, it is also shared by
every child \s-1SSL\s0 structure. Applications wanting finer control can use
functions such as \fBSSL_CTX_set1_verify_cert_store()\fR instead.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_cert_store()\fR does not return diagnostic output.
.PP
\&\fBSSL_CTX_set1_cert_store()\fR does not return diagnostic output.
.PP
\&\fBSSL_CTX_get_cert_store()\fR returns the current setting.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_load_verify_locations\fR\|(3),
\&\fBSSL_CTX_set_verify\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_verify_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_verify_callback.3
index 1b3f88e7863d..3052850749e9 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_verify_callback.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cert_verify_callback.3
@@ -1,209 +1,209 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_CERT_VERIFY_CALLBACK 3"
-.TH SSL_CTX_SET_CERT_VERIFY_CALLBACK 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_CERT_VERIFY_CALLBACK 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_cert_verify_callback \- set peer certificate verification procedure
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
\& int (*callback)(X509_STORE_CTX *, void *),
\& void *arg);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_cert_verify_callback()\fR sets the verification callback function for
\&\fIctx\fR. \s-1SSL\s0 objects that are created from \fIctx\fR inherit the setting valid at
the time when \fBSSL_new\fR\|(3) is called.
.SH "NOTES"
.IX Header "NOTES"
Whenever a certificate is verified during a \s-1SSL/TLS\s0 handshake, a verification
function is called. If the application does not explicitly specify a
verification callback function, the built-in verification function is used.
If a verification callback \fIcallback\fR is specified via
\&\fBSSL_CTX_set_cert_verify_callback()\fR, the supplied callback function is called
instead. By setting \fIcallback\fR to \s-1NULL,\s0 the default behaviour is restored.
.PP
When the verification must be performed, \fIcallback\fR will be called with
the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The
argument \fIarg\fR is specified by the application when setting \fIcallback\fR.
.PP
\&\fIcallback\fR should return 1 to indicate verification success and 0 to
indicate verification failure. If \s-1SSL_VERIFY_PEER\s0 is set and \fIcallback\fR
returns 0, the handshake will fail. As the verification procedure may
allow the connection to continue in the case of failure (by always
returning 1) the verification result must be set in any case using the
\&\fBerror\fR member of \fIx509_store_ctx\fR so that the calling application
will be informed about the detailed result of the verification procedure!
.PP
Within \fIx509_store_ctx\fR, \fIcallback\fR has access to the \fIverify_callback\fR
function set using \fBSSL_CTX_set_verify\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_cert_verify_callback()\fR does not return a value.
.SH "WARNINGS"
.IX Header "WARNINGS"
Do not mix the verification callback described in this function with the
\&\fBverify_callback\fR function called during the verification process. The
latter is set using the \fBSSL_CTX_set_verify\fR\|(3)
family of functions.
.PP
Providing a complete verification procedure including certificate purpose
settings etc is a complex task. The built-in procedure is quite powerful
and in most cases it should be sufficient to modify its behaviour using
the \fBverify_callback\fR function.
.SH "BUGS"
.IX Header "BUGS"
\&\fBSSL_CTX_set_cert_verify_callback()\fR does not provide diagnostic information.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_CTX_set_verify\fR\|(3),
\&\fBSSL_get_verify_result\fR\|(3),
\&\fBSSL_CTX_load_verify_locations\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cipher_list.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cipher_list.3
index b2395cc89404..62856e2e2a6c 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_cipher_list.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_cipher_list.3
@@ -1,237 +1,237 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_CIPHER_LIST 3"
-.TH SSL_CTX_SET_CIPHER_LIST 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_CIPHER_LIST 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_cipher_list, SSL_set_cipher_list, SSL_CTX_set_ciphersuites, SSL_set_ciphersuites \&\- choose list of available SSL_CIPHERs
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str);
\& int SSL_set_cipher_list(SSL *ssl, const char *str);
\&
\& int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str);
\& int SSL_set_ciphersuites(SSL *s, const char *str);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_cipher_list()\fR sets the list of available ciphers (TLSv1.2 and below)
for \fBctx\fR using the control string \fBstr\fR. The format of the string is described
in \fBciphers\fR\|(1). The list of ciphers is inherited by all
\&\fBssl\fR objects created from \fBctx\fR. This function does not impact TLSv1.3
ciphersuites. Use \fBSSL_CTX_set_ciphersuites()\fR to configure those.
.PP
\&\fBSSL_set_cipher_list()\fR sets the list of ciphers (TLSv1.2 and below) only for
\&\fBssl\fR.
.PP
\&\fBSSL_CTX_set_ciphersuites()\fR is used to configure the available TLSv1.3
ciphersuites for \fBctx\fR. This is a simple colon (\*(L":\*(R") separated list of TLSv1.3
ciphersuite names in order of preference. Valid TLSv1.3 ciphersuite names are:
.IP "\s-1TLS_AES_128_GCM_SHA256\s0" 4
.IX Item "TLS_AES_128_GCM_SHA256"
.PD 0
.IP "\s-1TLS_AES_256_GCM_SHA384\s0" 4
.IX Item "TLS_AES_256_GCM_SHA384"
.IP "\s-1TLS_CHACHA20_POLY1305_SHA256\s0" 4
.IX Item "TLS_CHACHA20_POLY1305_SHA256"
.IP "\s-1TLS_AES_128_CCM_SHA256\s0" 4
.IX Item "TLS_AES_128_CCM_SHA256"
.IP "\s-1TLS_AES_128_CCM_8_SHA256\s0" 4
.IX Item "TLS_AES_128_CCM_8_SHA256"
.PD
.PP
An empty list is permissible. The default value for the this setting is:
.PP
\&\*(L"\s-1TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256\*(R"\s0
.PP
\&\fBSSL_set_ciphersuites()\fR is the same as \fBSSL_CTX_set_ciphersuites()\fR except it
configures the ciphersuites for \fBssl\fR.
.SH "NOTES"
.IX Header "NOTES"
The control string \fBstr\fR for \fBSSL_CTX_set_cipher_list()\fR and
\&\fBSSL_set_cipher_list()\fR should be universally usable and not depend
on details of the library configuration (ciphers compiled in). Thus no
syntax checking takes place. Items that are not recognized, because the
corresponding ciphers are not compiled in or because they are mistyped,
are simply ignored. Failure is only flagged if no ciphers could be collected
at all.
.PP
It should be noted, that inclusion of a cipher to be used into the list is
a necessary condition. On the client side, the inclusion into the list is
also sufficient unless the security level excludes it. On the server side,
additional restrictions apply. All ciphers have additional requirements.
\&\s-1ADH\s0 ciphers don't need a certificate, but DH-parameters must have been set.
All other ciphers need a corresponding certificate and key.
.PP
A \s-1RSA\s0 cipher can only be chosen, when a \s-1RSA\s0 certificate is available.
\&\s-1RSA\s0 ciphers using \s-1DHE\s0 need a certificate and key and additional DH-parameters
(see \fBSSL_CTX_set_tmp_dh_callback\fR\|(3)).
.PP
A \s-1DSA\s0 cipher can only be chosen, when a \s-1DSA\s0 certificate is available.
\&\s-1DSA\s0 ciphers always use \s-1DH\s0 key exchange and therefore need DH-parameters
(see \fBSSL_CTX_set_tmp_dh_callback\fR\|(3)).
.PP
When these conditions are not met for any cipher in the list (e.g. a
client only supports export \s-1RSA\s0 ciphers with an asymmetric key length
of 512 bits and the server is not configured to use temporary \s-1RSA\s0
keys), the \*(L"no shared cipher\*(R" (\s-1SSL_R_NO_SHARED_CIPHER\s0) error is generated
and the handshake will fail.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_cipher_list()\fR and \fBSSL_set_cipher_list()\fR return 1 if any cipher
could be selected and 0 on complete failure.
.PP
\&\fBSSL_CTX_set_ciphersuites()\fR and \fBSSL_set_ciphersuites()\fR return 1 if the requested
ciphersuite list was configured, and 0 otherwise.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_get_ciphers\fR\|(3),
\&\fBSSL_CTX_use_certificate\fR\|(3),
\&\fBSSL_CTX_set_tmp_dh_callback\fR\|(3),
\&\fBciphers\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_cert_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_cert_cb.3
index 754e1900b320..fe03659536af 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_cert_cb.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_cert_cb.3
@@ -1,241 +1,241 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_CLIENT_CERT_CB 3"
-.TH SSL_CTX_SET_CLIENT_CERT_CB 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_CLIENT_CERT_CB 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_client_cert_cb, SSL_CTX_get_client_cert_cb \- handle client certificate callback function
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
\& int (*client_cert_cb)(SSL *ssl, X509 **x509,
\& EVP_PKEY **pkey));
\& int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509,
\& EVP_PKEY **pkey);
\& int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_client_cert_cb()\fR sets the \fBclient_cert_cb()\fR callback, that is
called when a client certificate is requested by a server and no certificate
was yet set for the \s-1SSL\s0 object.
.PP
When \fBclient_cert_cb()\fR is \s-1NULL,\s0 no callback function is used.
.PP
\&\fBSSL_CTX_get_client_cert_cb()\fR returns a pointer to the currently set callback
function.
.PP
\&\fBclient_cert_cb()\fR is the application defined callback. If it wants to
set a certificate, a certificate/private key combination must be set
using the \fBx509\fR and \fBpkey\fR arguments and \*(L"1\*(R" must be returned. The
certificate will be installed into \fBssl\fR, see the \s-1NOTES\s0 and \s-1BUGS\s0 sections.
If no certificate should be set, \*(L"0\*(R" has to be returned and no certificate
will be sent. A negative return value will suspend the handshake and the
handshake function will return immediately. \fBSSL_get_error\fR\|(3)
will return \s-1SSL_ERROR_WANT_X509_LOOKUP\s0 to indicate, that the handshake was
suspended. The next call to the handshake function will again lead to the call
of \fBclient_cert_cb()\fR. It is the job of the \fBclient_cert_cb()\fR to store information
about the state of the last call, if required to continue.
.SH "NOTES"
.IX Header "NOTES"
During a handshake (or renegotiation) a server may request a certificate
from the client. A client certificate must only be sent, when the server
did send the request.
.PP
When a certificate was set using the
\&\fBSSL_CTX_use_certificate\fR\|(3) family of functions,
it will be sent to the server. The \s-1TLS\s0 standard requires that only a
certificate is sent, if it matches the list of acceptable CAs sent by the
server. This constraint is violated by the default behavior of the OpenSSL
library. Using the callback function it is possible to implement a proper
selection routine or to allow a user interaction to choose the certificate to
be sent.
.PP
If a callback function is defined and no certificate was yet defined for the
\&\s-1SSL\s0 object, the callback function will be called.
If the callback function returns a certificate, the OpenSSL library
will try to load the private key and certificate data into the \s-1SSL\s0
object using the \fBSSL_use_certificate()\fR and \fBSSL_use_private_key()\fR functions.
Thus it will permanently install the certificate and key for this \s-1SSL\s0
object. It will not be reset by calling \fBSSL_clear\fR\|(3).
If the callback returns no certificate, the OpenSSL library will not send
a certificate.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_get_client_cert_cb()\fR returns function pointer of \fBclient_cert_cb()\fR or
\&\s-1NULL\s0 if the callback is not set.
.SH "BUGS"
.IX Header "BUGS"
The \fBclient_cert_cb()\fR cannot return a complete certificate chain, it can
only return one client certificate. If the chain only has a length of 2,
the root \s-1CA\s0 certificate may be omitted according to the \s-1TLS\s0 standard and
thus a standard conforming answer can be sent to the server. For a
longer chain, the client must send the complete chain (with the option
to leave out the root \s-1CA\s0 certificate). This can only be accomplished by
either adding the intermediate \s-1CA\s0 certificates into the trusted
certificate store for the \s-1SSL_CTX\s0 object (resulting in having to add
\&\s-1CA\s0 certificates that otherwise maybe would not be trusted), or by adding
the chain certificates using the
\&\fBSSL_CTX_add_extra_chain_cert\fR\|(3)
function, which is only available for the \s-1SSL_CTX\s0 object as a whole and that
therefore probably can only apply for one client certificate, making
the concept of the callback function (to allow the choice from several
certificates) questionable.
.PP
Once the \s-1SSL\s0 object has been used in conjunction with the callback function,
the certificate will be set for the \s-1SSL\s0 object and will not be cleared
even when \fBSSL_clear\fR\|(3) is being called. It is therefore
mandatory to destroy the \s-1SSL\s0 object using \fBSSL_free\fR\|(3)
and create a new one to return to the previous state.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_CTX_use_certificate\fR\|(3),
\&\fBSSL_CTX_add_extra_chain_cert\fR\|(3),
\&\fBSSL_get_client_CA_list\fR\|(3),
\&\fBSSL_clear\fR\|(3), \fBSSL_free\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_hello_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_hello_cb.3
index 76df56c3e43f..c56b6b32541e 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_hello_cb.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_client_hello_cb.3
@@ -1,262 +1,262 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_CLIENT_HELLO_CB 3"
-.TH SSL_CTX_SET_CLIENT_HELLO_CB 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_CLIENT_HELLO_CB 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_client_hello_cb, SSL_client_hello_cb_fn, SSL_client_hello_isv2, SSL_client_hello_get0_legacy_version, SSL_client_hello_get0_random, SSL_client_hello_get0_session_id, SSL_client_hello_get0_ciphers, SSL_client_hello_get0_compression_methods, SSL_client_hello_get1_extensions_present, SSL_client_hello_get0_ext \- callback functions for early server\-side ClientHello processing
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 10
\& typedef int (*SSL_client_hello_cb_fn)(SSL *s, int *al, void *arg);
\& void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn *f,
\& void *arg);
\& int SSL_client_hello_isv2(SSL *s);
\& unsigned int SSL_client_hello_get0_legacy_version(SSL *s);
\& size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out);
\& size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out);
\& size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out);
\& size_t SSL_client_hello_get0_compression_methods(SSL *s,
\& const unsigned char **out);
\& int SSL_client_hello_get1_extensions_present(SSL *s, int **out,
\& size_t *outlen);
\& int SSL_client_hello_get0_ext(SSL *s, int type, const unsigned char **out,
\& size_t *outlen);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_client_hello_cb()\fR sets the callback function, which is automatically
called during the early stages of ClientHello processing on the server.
The argument supplied when setting the callback is passed back to the
callback at runtime. A callback that returns failure (0) will cause the
connection to terminate, and callbacks returning failure should indicate
what alert value is to be sent in the \fBal\fR parameter. A callback may
also return a negative value to suspend the handshake, and the handshake
function will return immediately. \fBSSL_get_error\fR\|(3) will return
\&\s-1SSL_ERROR_WANT_CLIENT_HELLO_CB\s0 to indicate that the handshake was suspended.
It is the job of the ClientHello callback to store information about the state
of the last call if needed to continue. On the next call into the handshake
function, the ClientHello callback will be called again, and, if it returns
success, normal handshake processing will continue from that point.
.PP
\&\fBSSL_client_hello_isv2()\fR indicates whether the ClientHello was carried in a
SSLv2 record and is in the SSLv2 format. The SSLv2 format has substantial
differences from the normal SSLv3 format, including using three bytes per
cipher suite, and not allowing extensions. Additionally, the SSLv2 format
\&'challenge' field is exposed via \fBSSL_client_hello_get0_random()\fR, padded to
\&\s-1SSL3_RANDOM_SIZE\s0 bytes with zeros if needed. For SSLv2 format ClientHellos,
\&\fBSSL_client_hello_get0_compression_methods()\fR returns a dummy list that only includes
the null compression method, since the SSLv2 format does not include a
mechanism by which to negotiate compression.
.PP
\&\fBSSL_client_hello_get0_random()\fR, \fBSSL_client_hello_get0_session_id()\fR,
\&\fBSSL_client_hello_get0_ciphers()\fR, and
\&\fBSSL_client_hello_get0_compression_methods()\fR provide access to the corresponding
ClientHello fields, returning the field length and optionally setting an out
pointer to the octets of that field.
.PP
Similarly, \fBSSL_client_hello_get0_ext()\fR provides access to individual extensions
from the ClientHello on a per-extension basis. For the provided wire
protocol extension type value, the extension value and length are returned
in the output parameters (if present).
.PP
\&\fBSSL_client_hello_get1_extensions_present()\fR can be used prior to
\&\fBSSL_client_hello_get0_ext()\fR, to determine which extensions are present in the
ClientHello before querying for them. The \fBout\fR and \fBoutlen\fR parameters are
both required, and on success the caller must release the storage allocated for
\&\fB*out\fR using \fBOPENSSL_free()\fR. The contents of \fB*out\fR is an array of integers
holding the numerical value of the \s-1TLS\s0 extension types in the order they appear
in the ClientHello. \fB*outlen\fR contains the number of elements in the array.
In situations when the ClientHello has no extensions, the function will return
success with \fB*out\fR set to \s-1NULL\s0 and \fB*outlen\fR set to 0.
.SH "NOTES"
.IX Header "NOTES"
The ClientHello callback provides a vast window of possibilities for application
code to affect the \s-1TLS\s0 handshake. A primary use of the callback is to
allow the server to examine the server name indication extension provided
by the client in order to select an appropriate certificate to present,
and make other configuration adjustments relevant to that server name
and its configuration. Such configuration changes can include swapping out
the associated \s-1SSL_CTX\s0 pointer, modifying the server's list of permitted \s-1TLS\s0
versions, changing the server's cipher list in response to the client's
cipher list, etc.
.PP
It is also recommended that applications utilize a ClientHello callback and
not use a servername callback, in order to avoid unexpected behavior that
occurs due to the relative order of processing between things like session
resumption and the historical servername callback.
.PP
The SSL_client_hello_* family of functions may only be called from code executing
within a ClientHello callback.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The application's supplied ClientHello callback returns
\&\s-1SSL_CLIENT_HELLO_SUCCESS\s0 on success, \s-1SSL_CLIENT_HELLO_ERROR\s0 on failure, and
\&\s-1SSL_CLIENT_HELLO_RETRY\s0 to suspend processing.
.PP
\&\fBSSL_client_hello_isv2()\fR returns 1 for SSLv2\-format ClientHellos and 0 otherwise.
.PP
\&\fBSSL_client_hello_get0_random()\fR, \fBSSL_client_hello_get0_session_id()\fR,
\&\fBSSL_client_hello_get0_ciphers()\fR, and
\&\fBSSL_client_hello_get0_compression_methods()\fR return the length of the
corresponding ClientHello fields. If zero is returned, the output pointer
should not be assumed to be valid.
.PP
\&\fBSSL_client_hello_get0_ext()\fR returns 1 if the extension of type 'type' is present, and
0 otherwise.
.PP
\&\fBSSL_client_hello_get1_extensions_present()\fR returns 1 on success and 0 on failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_CTX_set_tlsext_servername_callback\fR\|(3),
SSL_bytes_to_cipher_list
.SH "HISTORY"
.IX Header "HISTORY"
The \s-1SSL\s0 ClientHello callback, \fBSSL_client_hello_isv2()\fR,
\&\fBSSL_client_hello_get0_random()\fR, \fBSSL_client_hello_get0_session_id()\fR,
\&\fBSSL_client_hello_get0_ciphers()\fR, \fBSSL_client_hello_get0_compression_methods()\fR,
\&\fBSSL_client_hello_get0_ext()\fR, and \fBSSL_client_hello_get1_extensions_present()\fR
were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ct_validation_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ct_validation_callback.3
index 3bf6fdf4ea50..1f1c3391c3dd 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ct_validation_callback.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ct_validation_callback.3
@@ -1,271 +1,271 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_CT_VALIDATION_CALLBACK 3"
-.TH SSL_CTX_SET_CT_VALIDATION_CALLBACK 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_CT_VALIDATION_CALLBACK 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ssl_ct_validation_cb, SSL_enable_ct, SSL_CTX_enable_ct, SSL_disable_ct, SSL_CTX_disable_ct, SSL_set_ct_validation_callback, SSL_CTX_set_ct_validation_callback, SSL_ct_is_enabled, SSL_CTX_ct_is_enabled \- control Certificate Transparency policy
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& typedef int (*ssl_ct_validation_cb)(const CT_POLICY_EVAL_CTX *ctx,
\& const STACK_OF(SCT) *scts, void *arg);
\&
\& int SSL_enable_ct(SSL *s, int validation_mode);
\& int SSL_CTX_enable_ct(SSL_CTX *ctx, int validation_mode);
\& int SSL_set_ct_validation_callback(SSL *s, ssl_ct_validation_cb callback,
\& void *arg);
\& int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx,
\& ssl_ct_validation_cb callback,
\& void *arg);
\& void SSL_disable_ct(SSL *s);
\& void SSL_CTX_disable_ct(SSL_CTX *ctx);
\& int SSL_ct_is_enabled(const SSL *s);
\& int SSL_CTX_ct_is_enabled(const SSL_CTX *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_enable_ct()\fR and \fBSSL_CTX_enable_ct()\fR enable the processing of signed
certificate timestamps (SCTs) either for a given \s-1SSL\s0 connection or for all
connections that share the given \s-1SSL\s0 context, respectively.
This is accomplished by setting a built-in \s-1CT\s0 validation callback.
The behaviour of the callback is determined by the \fBvalidation_mode\fR argument,
which can be either of \fB\s-1SSL_CT_VALIDATION_PERMISSIVE\s0\fR or
\&\fB\s-1SSL_CT_VALIDATION_STRICT\s0\fR as described below.
.PP
If \fBvalidation_mode\fR is equal to \fB\s-1SSL_CT_VALIDATION_STRICT\s0\fR, then in a full
\&\s-1TLS\s0 handshake with the verification mode set to \fB\s-1SSL_VERIFY_PEER\s0\fR, if the peer
presents no valid SCTs the handshake will be aborted.
If the verification mode is \fB\s-1SSL_VERIFY_NONE\s0\fR, the handshake will continue
despite lack of valid SCTs.
However, in that case if the verification status before the built-in callback
was \fBX509_V_OK\fR it will be set to \fBX509_V_ERR_NO_VALID_SCTS\fR after the
callback.
Applications can call \fBSSL_get_verify_result\fR\|(3) to check the status at
handshake completion, even after session resumption since the verification
status is part of the saved session state.
See \fBSSL_set_verify\fR\|(3), <\fBSSL_get_verify_result\fR\|(3)>, \fBSSL_session_reused\fR\|(3).
.PP
If \fBvalidation_mode\fR is equal to \fB\s-1SSL_CT_VALIDATION_PERMISSIVE\s0\fR, then the
handshake continues, and the verification status is not modified, regardless of
the validation status of any SCTs.
The application can still inspect the validation status of the SCTs at
handshake completion.
Note that with session resumption there will not be any SCTs presented during
the handshake.
Therefore, in applications that delay \s-1SCT\s0 policy enforcement until after
handshake completion, such delayed \s-1SCT\s0 checks should only be performed when the
session is not resumed.
.PP
\&\fBSSL_set_ct_validation_callback()\fR and \fBSSL_CTX_set_ct_validation_callback()\fR
register a custom callback that may implement a different policy than either of
the above.
This callback can examine the peer's SCTs and determine whether they are
sufficient to allow the connection to continue.
The \s-1TLS\s0 handshake is aborted if the verification mode is not \fB\s-1SSL_VERIFY_NONE\s0\fR
and the callback returns a non-positive result.
.PP
An arbitrary callback context argument, \fBarg\fR, can be passed in when setting
the callback.
This will be passed to the callback whenever it is invoked.
Ownership of this context remains with the caller.
.PP
If no callback is set, SCTs will not be requested and Certificate Transparency
validation will not occur.
.PP
No callback will be invoked when the peer presents no certificate, e.g. by
employing an anonymous (aNULL) cipher suite.
In that case the handshake continues as it would had no callback been
requested.
Callbacks are also not invoked when the peer certificate chain is invalid or
validated via \s-1\fBDANE\-TA\s0\fR\|(2) or \s-1\fBDANE\-EE\s0\fR\|(3) \s-1TLSA\s0 records which use a private X.509
\&\s-1PKI,\s0 or no X.509 \s-1PKI\s0 at all, respectively.
Clients that require SCTs are expected to not have enabled any aNULL ciphers
nor to have specified server verification via \s-1\fBDANE\-TA\s0\fR\|(2) or \s-1\fBDANE\-EE\s0\fR\|(3) \s-1TLSA\s0
records.
.PP
\&\fBSSL_disable_ct()\fR and \fBSSL_CTX_disable_ct()\fR turn off \s-1CT\s0 processing, whether
enabled via the built-in or the custom callbacks, by setting a \s-1NULL\s0 callback.
These may be implemented as macros.
.PP
\&\fBSSL_ct_is_enabled()\fR and \fBSSL_CTX_ct_is_enabled()\fR return 1 if \s-1CT\s0 processing is
enabled via either \fBSSL_enable_ct()\fR or a non-null custom callback, and 0
otherwise.
.SH "NOTES"
.IX Header "NOTES"
When \s-1SCT\s0 processing is enabled, \s-1OCSP\s0 stapling will be enabled. This is because
one possible source of SCTs is the \s-1OCSP\s0 response from a server.
.PP
The time returned by \fBSSL_SESSION_get_time()\fR will be used to evaluate whether any
presented SCTs have timestamps that are in the future (and therefore invalid).
.SH "RESTRICTIONS"
.IX Header "RESTRICTIONS"
Certificate Transparency validation cannot be enabled and so a callback cannot
be set if a custom client extension handler has been registered to handle \s-1SCT\s0
extensions (\fBTLSEXT_TYPE_signed_certificate_timestamp\fR).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_enable_ct()\fR, \fBSSL_CTX_enable_ct()\fR, \fBSSL_CTX_set_ct_validation_callback()\fR and
\&\fBSSL_set_ct_validation_callback()\fR return 1 if the \fBcallback\fR is successfully
set.
They return 0 if an error occurs, e.g. a custom client extension handler has
been setup to handle SCTs.
.PP
\&\fBSSL_disable_ct()\fR and \fBSSL_CTX_disable_ct()\fR do not return a result.
.PP
\&\fBSSL_CTX_ct_is_enabled()\fR and \fBSSL_ct_is_enabled()\fR return a 1 if a non-null \s-1CT\s0
validation callback is set, or 0 if no callback (or equivalently a \s-1NULL\s0
callback) is set.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
<\fBSSL_get_verify_result\fR\|(3)>,
\&\fBSSL_session_reused\fR\|(3),
\&\fBSSL_set_verify\fR\|(3),
\&\fBSSL_CTX_set_verify\fR\|(3),
\&\fBSSL_SESSION_get_time\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ctlog_list_file.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ctlog_list_file.3
index eecfbb552da1..7013bf188e36 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ctlog_list_file.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ctlog_list_file.3
@@ -1,183 +1,183 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_CTLOG_LIST_FILE 3"
-.TH SSL_CTX_SET_CTLOG_LIST_FILE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_CTLOG_LIST_FILE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_default_ctlog_list_file, SSL_CTX_set_ctlog_list_file \- load a Certificate Transparency log list from a file
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_CTX_set_default_ctlog_list_file(SSL_CTX *ctx);
\& int SSL_CTX_set_ctlog_list_file(SSL_CTX *ctx, const char *path);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_default_ctlog_list_file()\fR loads a list of Certificate Transparency
(\s-1CT\s0) logs from the default file location, \*(L"ct_log_list.cnf\*(R", found in the
directory where OpenSSL is installed.
.PP
\&\fBSSL_CTX_set_ctlog_list_file()\fR loads a list of \s-1CT\s0 logs from a specific path.
See \fBCTLOG_STORE_new\fR\|(3) for the file format.
.SH "NOTES"
.IX Header "NOTES"
These functions will not clear the existing \s-1CT\s0 log list \- it will be appended
to. To replace the existing list, use SSL_CTX_set0_ctlog_store first.
.PP
If an error occurs whilst parsing a particular log entry in the file, that log
entry will be skipped.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_default_ctlog_list_file()\fR and \fBSSL_CTX_set_ctlog_list_file()\fR
return 1 if the log list is successfully loaded, and 0 if an error occurs. In
the case of an error, the log list may have been partially loaded.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_set_ct_validation_callback\fR\|(3),
\&\fBCTLOG_STORE_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_default_passwd_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_default_passwd_cb.3
index 841d5ff2b996..c40f38531a69 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_default_passwd_cb.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_default_passwd_cb.3
@@ -1,240 +1,240 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_DEFAULT_PASSWD_CB 3"
-.TH SSL_CTX_SET_DEFAULT_PASSWD_CB 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_DEFAULT_PASSWD_CB 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_default_passwd_cb, SSL_CTX_set_default_passwd_cb_userdata, SSL_CTX_get_default_passwd_cb, SSL_CTX_get_default_passwd_cb_userdata, SSL_set_default_passwd_cb, SSL_set_default_passwd_cb_userdata, SSL_get_default_passwd_cb, SSL_get_default_passwd_cb_userdata \- set or get passwd callback for encrypted PEM file handling
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
\& void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
\& pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx);
\& void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx);
\&
\& void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb);
\& void SSL_set_default_passwd_cb_userdata(SSL *s, void *u);
\& pem_password_cb *SSL_get_default_passwd_cb(SSL *s);
\& void *SSL_get_default_passwd_cb_userdata(SSL *s);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_default_passwd_cb()\fR sets the default password callback called
when loading/storing a \s-1PEM\s0 certificate with encryption.
.PP
\&\fBSSL_CTX_set_default_passwd_cb_userdata()\fR sets a pointer to userdata, \fBu\fR,
which will be provided to the password callback on invocation.
.PP
\&\fBSSL_CTX_get_default_passwd_cb()\fR returns a function pointer to the password
callback currently set in \fBctx\fR. If no callback was explicitly set, the
\&\s-1NULL\s0 pointer is returned.
.PP
\&\fBSSL_CTX_get_default_passwd_cb_userdata()\fR returns a pointer to the userdata
currently set in \fBctx\fR. If no userdata was explicitly set, the \s-1NULL\s0 pointer
is returned.
.PP
\&\fBSSL_set_default_passwd_cb()\fR, \fBSSL_set_default_passwd_cb_userdata()\fR,
\&\fBSSL_get_default_passwd_cb()\fR and \fBSSL_get_default_passwd_cb_userdata()\fR perform
the same function as their \s-1SSL_CTX\s0 counterparts, but using an \s-1SSL\s0 object.
.PP
The password callback, which must be provided by the application, hands back the
password to be used during decryption.
On invocation a pointer to userdata
is provided. The function must store the password into the provided buffer
\&\fBbuf\fR which is of size \fBsize\fR. The actual length of the password must
be returned to the calling function. \fBrwflag\fR indicates whether the
callback is used for reading/decryption (rwflag=0) or writing/encryption
(rwflag=1).
For more details, see \fBpem_password_cb\fR\|(3).
.SH "NOTES"
.IX Header "NOTES"
When loading or storing private keys, a password might be supplied to
protect the private key. The way this password can be supplied may depend
on the application. If only one private key is handled, it can be practical
to have the callback handle the password dialog interactively. If several
keys have to be handled, it can be practical to ask for the password once,
then keep it in memory and use it several times. In the last case, the
password could be stored into the userdata storage and the
callback only returns the password already stored.
.PP
When asking for the password interactively, the callback can use
\&\fBrwflag\fR to check, whether an item shall be encrypted (rwflag=1).
In this case the password dialog may ask for the same password twice
for comparison in order to catch typos, that would make decryption
impossible.
.PP
Other items in \s-1PEM\s0 formatting (certificates) can also be encrypted, it is
however not usual, as certificate information is considered public.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions do not provide diagnostic information.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
The following example returns the password provided as userdata to the
calling function. The password is considered to be a '\e0' terminated
string. If the password does not fit into the buffer, the password is
truncated.
.PP
.Vb 6
\& int my_cb(char *buf, int size, int rwflag, void *u)
\& {
\& strncpy(buf, (char *)u, size);
\& buf[size \- 1] = \*(Aq\e0\*(Aq;
\& return strlen(buf);
\& }
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_use_certificate\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBSSL_CTX_get_default_passwd_cb()\fR, \fBSSL_CTX_get_default_passwd_cb_userdata()\fR,
\&\fBSSL_set_default_passwd_cb()\fR and \fBSSL_set_default_passwd_cb_userdata()\fR were
added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ex_data.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ex_data.3
index 4f5eb5c984cf..6063c010a528 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ex_data.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ex_data.3
@@ -1,182 +1,182 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_EX_DATA 3"
-.TH SSL_CTX_SET_EX_DATA 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_EX_DATA 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_get_ex_data, SSL_CTX_set_ex_data, SSL_get_ex_data, SSL_set_ex_data \&\- Store and retrieve extra data from the SSL_CTX, SSL or SSL_SESSION
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void *SSL_CTX_get_ex_data(const SSL_CTX *s, int idx);
\&
\& int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg);
\&
\& void *SSL_get_ex_data(const SSL *s, int idx);
\&
\& int SSL_set_ex_data(SSL *s, int idx, void *arg);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
SSL*\fB_set_ex_data()\fR functions can be used to store arbitrary user data into the
\&\fB\s-1SSL_CTX\s0\fR, or \fB\s-1SSL\s0\fR object. The user must supply a unique index
which they can subsequently use to retrieve the data using SSL*\fB_get_ex_data()\fR.
.PP
For more detailed information see \fBCRYPTO_get_ex_data\fR\|(3) and
\&\fBCRYPTO_set_ex_data\fR\|(3) which implement these functions and
\&\fBCRYPTO_get_ex_new_index\fR\|(3) for generating a unique index.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The SSL*\fB_set_ex_data()\fR functions return 1 if the item is successfully stored
and 0 if it is not.
The SSL*\fB_get_ex_data()\fR functions return the ex_data pointer if successful,
otherwise \s-1NULL.\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBCRYPTO_get_ex_data\fR\|(3), \fBCRYPTO_set_ex_data\fR\|(3),
\&\fBCRYPTO_get_ex_new_index\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_generate_session_id.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_generate_session_id.3
index 7edf42900692..ede226466097 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_generate_session_id.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_generate_session_id.3
@@ -1,267 +1,267 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_GENERATE_SESSION_ID 3"
-.TH SSL_CTX_SET_GENERATE_SESSION_ID 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_GENERATE_SESSION_ID 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_generate_session_id, SSL_set_generate_session_id, SSL_has_matching_session_id, GEN_SESSION_CB \&\- manipulate generation of SSL session IDs (server only)
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& typedef int (*GEN_SESSION_CB)(SSL *ssl, unsigned char *id,
\& unsigned int *id_len);
\&
\& int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb);
\& int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB, cb);
\& int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
\& unsigned int id_len);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_generate_session_id()\fR sets the callback function for generating
new session ids for \s-1SSL/TLS\s0 sessions for \fBctx\fR to be \fBcb\fR.
.PP
\&\fBSSL_set_generate_session_id()\fR sets the callback function for generating
new session ids for \s-1SSL/TLS\s0 sessions for \fBssl\fR to be \fBcb\fR.
.PP
\&\fBSSL_has_matching_session_id()\fR checks, whether a session with id \fBid\fR
(of length \fBid_len\fR) is already contained in the internal session cache
of the parent context of \fBssl\fR.
.SH "NOTES"
.IX Header "NOTES"
When a new session is established between client and server, the server
generates a session id. The session id is an arbitrary sequence of bytes.
The length of the session id is between 1 and 32 bytes. The session id is not
security critical but must be unique for the server. Additionally, the session id is
transmitted in the clear when reusing the session so it must not contain
sensitive information.
.PP
Without a callback being set, an OpenSSL server will generate a unique
session id from pseudo random numbers of the maximum possible length.
Using the callback function, the session id can be changed to contain
additional information like e.g. a host id in order to improve load balancing
or external caching techniques.
.PP
The callback function receives a pointer to the memory location to put
\&\fBid\fR into and a pointer to the maximum allowed length \fBid_len\fR. The
buffer at location \fBid\fR is only guaranteed to have the size \fBid_len\fR.
The callback is only allowed to generate a shorter id and reduce \fBid_len\fR;
the callback \fBmust never\fR increase \fBid_len\fR or write to the location
\&\fBid\fR exceeding the given limit.
.PP
The location \fBid\fR is filled with 0x00 before the callback is called, so the
callback may only fill part of the possible length and leave \fBid_len\fR
untouched while maintaining reproducibility.
.PP
Since the sessions must be distinguished, session ids must be unique.
Without the callback a random number is used, so that the probability
of generating the same session id is extremely small (2^256 for SSLv3/TLSv1).
In order to assure the uniqueness of the generated session id, the callback must call
\&\fBSSL_has_matching_session_id()\fR and generate another id if a conflict occurs.
If an id conflict is not resolved, the handshake will fail.
If the application codes e.g. a unique host id, a unique process number, and
a unique sequence number into the session id, uniqueness could easily be
achieved without randomness added (it should however be taken care that
no confidential information is leaked this way). If the application can not
guarantee uniqueness, it is recommended to use the maximum \fBid_len\fR and
fill in the bytes not used to code special information with random data
to avoid collisions.
.PP
\&\fBSSL_has_matching_session_id()\fR will only query the internal session cache,
not the external one. Since the session id is generated before the
handshake is completed, it is not immediately added to the cache. If
another thread is using the same internal session cache, a race condition
can occur in that another thread generates the same session id.
Collisions can also occur when using an external session cache, since
the external cache is not tested with \fBSSL_has_matching_session_id()\fR
and the same race condition applies.
.PP
The callback must return 0 if it cannot generate a session id for whatever
reason and return 1 on success.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_generate_session_id()\fR and \fBSSL_set_generate_session_id()\fR
always return 1.
.PP
\&\fBSSL_has_matching_session_id()\fR returns 1 if another session with the
same id is already in the cache.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
The callback function listed will generate a session id with the
server id given, and will fill the rest with pseudo random bytes:
.PP
.Vb 1
\& const char session_id_prefix = "www\-18";
\&
\& #define MAX_SESSION_ID_ATTEMPTS 10
\& static int generate_session_id(SSL *ssl, unsigned char *id,
\& unsigned int *id_len)
\& {
\& unsigned int count = 0;
\&
\& do {
\& RAND_pseudo_bytes(id, *id_len);
\& /*
\& * Prefix the session_id with the required prefix. NB: If our
\& * prefix is too long, clip it \- but there will be worse effects
\& * anyway, e.g. the server could only possibly create 1 session
\& * ID (i.e. the prefix!) so all future session negotiations will
\& * fail due to conflicts.
\& */
\& memcpy(id, session_id_prefix, strlen(session_id_prefix) < *id_len ?
\& strlen(session_id_prefix) : *id_len);
\& } while (SSL_has_matching_session_id(ssl, id, *id_len)
\& && ++count < MAX_SESSION_ID_ATTEMPTS);
\& if (count >= MAX_SESSION_ID_ATTEMPTS)
\& return 0;
\& return 1;
\& }
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_get_version\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_info_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_info_callback.3
index ce96cdca2240..3a5f58b383eb 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_info_callback.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_info_callback.3
@@ -1,285 +1,285 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_INFO_CALLBACK 3"
-.TH SSL_CTX_SET_INFO_CALLBACK 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_INFO_CALLBACK 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_info_callback, SSL_CTX_get_info_callback, SSL_set_info_callback, SSL_get_info_callback \&\- handle information callback for SSL connections
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*callback)());
\& void (*SSL_CTX_get_info_callback(const SSL_CTX *ctx))();
\&
\& void SSL_set_info_callback(SSL *ssl, void (*callback)());
\& void (*SSL_get_info_callback(const SSL *ssl))();
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_info_callback()\fR sets the \fBcallback\fR function, that can be used to
obtain state information for \s-1SSL\s0 objects created from \fBctx\fR during connection
setup and use. The setting for \fBctx\fR is overridden from the setting for
a specific \s-1SSL\s0 object, if specified.
When \fBcallback\fR is \s-1NULL,\s0 no callback function is used.
.PP
\&\fBSSL_set_info_callback()\fR sets the \fBcallback\fR function, that can be used to
obtain state information for \fBssl\fR during connection setup and use.
When \fBcallback\fR is \s-1NULL,\s0 the callback setting currently valid for
\&\fBctx\fR is used.
.PP
\&\fBSSL_CTX_get_info_callback()\fR returns a pointer to the currently set information
callback function for \fBctx\fR.
.PP
\&\fBSSL_get_info_callback()\fR returns a pointer to the currently set information
callback function for \fBssl\fR.
.SH "NOTES"
.IX Header "NOTES"
When setting up a connection and during use, it is possible to obtain state
information from the \s-1SSL/TLS\s0 engine. When set, an information callback function
is called whenever a significant event occurs such as: the state changes,
an alert appears, or an error occurs.
.PP
The callback function is called as \fBcallback(\s-1SSL\s0 *ssl, int where, int ret)\fR.
The \fBwhere\fR argument specifies information about where (in which context)
the callback function was called. If \fBret\fR is 0, an error condition occurred.
If an alert is handled, \s-1SSL_CB_ALERT\s0 is set and \fBret\fR specifies the alert
information.
.PP
\&\fBwhere\fR is a bit mask made up of the following bits:
.IP "\s-1SSL_CB_LOOP\s0" 4
.IX Item "SSL_CB_LOOP"
Callback has been called to indicate state change or some other significant
state machine event. This may mean that the callback gets invoked more than once
per state in some situations.
.IP "\s-1SSL_CB_EXIT\s0" 4
.IX Item "SSL_CB_EXIT"
Callback has been called to indicate exit of a handshake function. This will
happen after the end of a handshake, but may happen at other times too such as
on error or when \s-1IO\s0 might otherwise block and nonblocking is being used.
.IP "\s-1SSL_CB_READ\s0" 4
.IX Item "SSL_CB_READ"
Callback has been called during read operation.
.IP "\s-1SSL_CB_WRITE\s0" 4
.IX Item "SSL_CB_WRITE"
Callback has been called during write operation.
.IP "\s-1SSL_CB_ALERT\s0" 4
.IX Item "SSL_CB_ALERT"
Callback has been called due to an alert being sent or received.
.IP "\s-1SSL_CB_READ_ALERT\s0 (SSL_CB_ALERT|SSL_CB_READ)" 4
.IX Item "SSL_CB_READ_ALERT (SSL_CB_ALERT|SSL_CB_READ)"
.PD 0
.IP "\s-1SSL_CB_WRITE_ALERT\s0 (SSL_CB_ALERT|SSL_CB_WRITE)" 4
.IX Item "SSL_CB_WRITE_ALERT (SSL_CB_ALERT|SSL_CB_WRITE)"
.IP "\s-1SSL_CB_ACCEPT_LOOP\s0 (SSL_ST_ACCEPT|SSL_CB_LOOP)" 4
.IX Item "SSL_CB_ACCEPT_LOOP (SSL_ST_ACCEPT|SSL_CB_LOOP)"
.IP "\s-1SSL_CB_ACCEPT_EXIT\s0 (SSL_ST_ACCEPT|SSL_CB_EXIT)" 4
.IX Item "SSL_CB_ACCEPT_EXIT (SSL_ST_ACCEPT|SSL_CB_EXIT)"
.IP "\s-1SSL_CB_CONNECT_LOOP\s0 (SSL_ST_CONNECT|SSL_CB_LOOP)" 4
.IX Item "SSL_CB_CONNECT_LOOP (SSL_ST_CONNECT|SSL_CB_LOOP)"
.IP "\s-1SSL_CB_CONNECT_EXIT\s0 (SSL_ST_CONNECT|SSL_CB_EXIT)" 4
.IX Item "SSL_CB_CONNECT_EXIT (SSL_ST_CONNECT|SSL_CB_EXIT)"
.IP "\s-1SSL_CB_HANDSHAKE_START\s0" 4
.IX Item "SSL_CB_HANDSHAKE_START"
.PD
Callback has been called because a new handshake is started. It also occurs when
resuming a handshake following a pause to handle early data.
.IP "\s-1SSL_CB_HANDSHAKE_DONE\s0" 4
.IX Item "SSL_CB_HANDSHAKE_DONE"
Callback has been called because a handshake is finished. It also occurs if the
handshake is paused to allow the exchange of early data.
.PP
The current state information can be obtained using the
\&\fBSSL_state_string\fR\|(3) family of functions.
.PP
The \fBret\fR information can be evaluated using the
\&\fBSSL_alert_type_string\fR\|(3) family of functions.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_set_info_callback()\fR does not provide diagnostic information.
.PP
\&\fBSSL_get_info_callback()\fR returns the current setting.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
The following example callback function prints state strings, information
about alerts being handled and error messages to the \fBbio_err\fR \s-1BIO.\s0
.PP
.Vb 4
\& void apps_ssl_info_callback(SSL *s, int where, int ret)
\& {
\& const char *str;
\& int w = where & ~SSL_ST_MASK;
\&
\& if (w & SSL_ST_CONNECT)
\& str = "SSL_connect";
\& else if (w & SSL_ST_ACCEPT)
\& str = "SSL_accept";
\& else
\& str = "undefined";
\&
\& if (where & SSL_CB_LOOP) {
\& BIO_printf(bio_err, "%s:%s\en", str, SSL_state_string_long(s));
\& } else if (where & SSL_CB_ALERT) {
\& str = (where & SSL_CB_READ) ? "read" : "write";
\& BIO_printf(bio_err, "SSL3 alert %s:%s:%s\en", str,
\& SSL_alert_type_string_long(ret),
\& SSL_alert_desc_string_long(ret));
\& } else if (where & SSL_CB_EXIT) {
\& if (ret == 0) {
\& BIO_printf(bio_err, "%s:failed in %s\en",
\& str, SSL_state_string_long(s));
\& } else if (ret < 0) {
\& BIO_printf(bio_err, "%s:error in %s\en",
\& str, SSL_state_string_long(s));
\& }
\& }
\& }
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_state_string\fR\|(3),
\&\fBSSL_alert_type_string\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_keylog_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_keylog_callback.3
index 0923cfa1a3e6..efddd4c318a8 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_keylog_callback.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_keylog_callback.3
@@ -1,183 +1,183 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_KEYLOG_CALLBACK 3"
-.TH SSL_CTX_SET_KEYLOG_CALLBACK 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_KEYLOG_CALLBACK 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_keylog_callback, SSL_CTX_get_keylog_callback, SSL_CTX_keylog_cb_func \- logging TLS key material
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& typedef void (*SSL_CTX_keylog_cb_func)(const SSL *ssl, const char *line);
\&
\& void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb);
\& SSL_CTX_keylog_cb_func SSL_CTX_get_keylog_callback(const SSL_CTX *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_keylog_callback()\fR sets the \s-1TLS\s0 key logging callback. This callback
is called whenever \s-1TLS\s0 key material is generated or received, in order to allow
applications to store this keying material for debugging purposes.
.PP
\&\fBSSL_CTX_get_keylog_callback()\fR retrieves the previously set \s-1TLS\s0 key logging
callback. If no callback has been set, this will return \s-1NULL.\s0 When there is no
key logging callback, or if SSL_CTX_set_keylog_callback is called with \s-1NULL\s0 as
the value of cb, no logging of key material will be done.
.PP
The key logging callback is called with two items: the \fBssl\fR object associated
with the connection, and \fBline\fR, a string containing the key material in the
format used by \s-1NSS\s0 for its \fB\s-1SSLKEYLOGFILE\s0\fR debugging output. To recreate that
file, the key logging callback should log \fBline\fR, followed by a newline.
\&\fBline\fR will always be a NULL-terminated string.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_get_keylog_callback()\fR returns a pointer to \fBSSL_CTX_keylog_cb_func\fR or
\&\s-1NULL\s0 if the callback is not set.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_max_cert_list.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_max_cert_list.3
index 70300cfb1e1b..a91daeb4b02e 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_max_cert_list.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_max_cert_list.3
@@ -1,213 +1,213 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_MAX_CERT_LIST 3"
-.TH SSL_CTX_SET_MAX_CERT_LIST 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_MAX_CERT_LIST 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_max_cert_list, SSL_CTX_get_max_cert_list, SSL_set_max_cert_list, SSL_get_max_cert_list \- manipulate allowed size for the peer's certificate chain
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& long SSL_CTX_set_max_cert_list(SSL_CTX *ctx, long size);
\& long SSL_CTX_get_max_cert_list(SSL_CTX *ctx);
\&
\& long SSL_set_max_cert_list(SSL *ssl, long size);
\& long SSL_get_max_cert_list(SSL *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_max_cert_list()\fR sets the maximum size allowed for the peer's
certificate chain for all \s-1SSL\s0 objects created from \fBctx\fR to be <size> bytes.
The \s-1SSL\s0 objects inherit the setting valid for \fBctx\fR at the time
\&\fBSSL_new\fR\|(3) is being called.
.PP
\&\fBSSL_CTX_get_max_cert_list()\fR returns the currently set maximum size for \fBctx\fR.
.PP
\&\fBSSL_set_max_cert_list()\fR sets the maximum size allowed for the peer's
certificate chain for \fBssl\fR to be <size> bytes. This setting stays valid
until a new value is set.
.PP
\&\fBSSL_get_max_cert_list()\fR returns the currently set maximum size for \fBssl\fR.
.SH "NOTES"
.IX Header "NOTES"
During the handshake process, the peer may send a certificate chain.
The \s-1TLS/SSL\s0 standard does not give any maximum size of the certificate chain.
The OpenSSL library handles incoming data by a dynamically allocated buffer.
In order to prevent this buffer from growing without bounds due to data
received from a faulty or malicious peer, a maximum size for the certificate
chain is set.
.PP
The default value for the maximum certificate chain size is 100kB (30kB
on the 16\-bit \s-1DOS\s0 platform). This should be sufficient for usual certificate
chains (OpenSSL's default maximum chain length is 10, see
\&\fBSSL_CTX_set_verify\fR\|(3), and certificates
without special extensions have a typical size of 1\-2kB).
.PP
For special applications it can be necessary to extend the maximum certificate
chain size allowed to be sent by the peer, see e.g. the work on
\&\*(L"Internet X.509 Public Key Infrastructure Proxy Certificate Profile\*(R"
and \*(L"\s-1TLS\s0 Delegation Protocol\*(R" at http://www.ietf.org/ and
http://www.globus.org/ .
.PP
Under normal conditions it should never be necessary to set a value smaller
than the default, as the buffer is handled dynamically and only uses the
memory actually required by the data sent by the peer.
.PP
If the maximum certificate chain size allowed is exceeded, the handshake will
fail with a \s-1SSL_R_EXCESSIVE_MESSAGE_SIZE\s0 error.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_max_cert_list()\fR and \fBSSL_set_max_cert_list()\fR return the previously
set value.
.PP
\&\fBSSL_CTX_get_max_cert_list()\fR and \fBSSL_get_max_cert_list()\fR return the currently
set value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_new\fR\|(3),
\&\fBSSL_CTX_set_verify\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_min_proto_version.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_min_proto_version.3
index ba131bfa9824..38bcaf01e334 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_min_proto_version.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_min_proto_version.3
@@ -1,199 +1,199 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_MIN_PROTO_VERSION 3"
-.TH SSL_CTX_SET_MIN_PROTO_VERSION 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_MIN_PROTO_VERSION 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_min_proto_version, SSL_CTX_set_max_proto_version, SSL_CTX_get_min_proto_version, SSL_CTX_get_max_proto_version, SSL_set_min_proto_version, SSL_set_max_proto_version, SSL_get_min_proto_version, SSL_get_max_proto_version \- Get and set minimum and maximum supported protocol version
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version);
\& int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version);
\& int SSL_CTX_get_min_proto_version(SSL_CTX *ctx);
\& int SSL_CTX_get_max_proto_version(SSL_CTX *ctx);
\&
\& int SSL_set_min_proto_version(SSL *ssl, int version);
\& int SSL_set_max_proto_version(SSL *ssl, int version);
\& int SSL_get_min_proto_version(SSL *ssl);
\& int SSL_get_max_proto_version(SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The functions get or set the minimum and maximum supported protocol versions
for the \fBctx\fR or \fBssl\fR.
This works in combination with the options set via
\&\fBSSL_CTX_set_options\fR\|(3) that also make it possible to disable
specific protocol versions.
Use these functions instead of disabling specific protocol versions.
.PP
Setting the minimum or maximum version to 0, will enable protocol
versions down to the lowest version, or up to the highest version
supported by the library, respectively.
.PP
Getters return 0 in case \fBctx\fR or \fBssl\fR have been configured to
automatically use the lowest or highest version supported by the library.
.PP
Currently supported versions are \fB\s-1SSL3_VERSION\s0\fR, \fB\s-1TLS1_VERSION\s0\fR,
\&\fB\s-1TLS1_1_VERSION\s0\fR, \fB\s-1TLS1_2_VERSION\s0\fR, \fB\s-1TLS1_3_VERSION\s0\fR for \s-1TLS\s0 and
\&\fB\s-1DTLS1_VERSION\s0\fR, \fB\s-1DTLS1_2_VERSION\s0\fR for \s-1DTLS.\s0
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These setter functions return 1 on success and 0 on failure. The getter
functions return the configured version or 0 for auto-configuration of
lowest or highest protocol, respectively.
.SH "NOTES"
.IX Header "NOTES"
All these functions are implemented using macros.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_CTX_set_options\fR\|(3), \fBSSL_CONF_cmd\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The setter functions were added in OpenSSL 1.1.0. The getter functions
were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_mode.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_mode.3
index f1ae3a2e49ed..849fc7bc8925 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_mode.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_mode.3
@@ -1,266 +1,266 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_MODE 3"
-.TH SSL_CTX_SET_MODE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_MODE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_mode, SSL_CTX_clear_mode, SSL_set_mode, SSL_clear_mode, SSL_CTX_get_mode, SSL_get_mode \- manipulate SSL engine mode
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& long SSL_CTX_set_mode(SSL_CTX *ctx, long mode);
\& long SSL_CTX_clear_mode(SSL_CTX *ctx, long mode);
\& long SSL_set_mode(SSL *ssl, long mode);
\& long SSL_clear_mode(SSL *ssl, long mode);
\&
\& long SSL_CTX_get_mode(SSL_CTX *ctx);
\& long SSL_get_mode(SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_mode()\fR adds the mode set via bit mask in \fBmode\fR to \fBctx\fR.
Options already set before are not cleared.
\&\fBSSL_CTX_clear_mode()\fR removes the mode set via bit mask in \fBmode\fR from \fBctx\fR.
.PP
\&\fBSSL_set_mode()\fR adds the mode set via bit mask in \fBmode\fR to \fBssl\fR.
Options already set before are not cleared.
\&\fBSSL_clear_mode()\fR removes the mode set via bit mask in \fBmode\fR from \fBssl\fR.
.PP
\&\fBSSL_CTX_get_mode()\fR returns the mode set for \fBctx\fR.
.PP
\&\fBSSL_get_mode()\fR returns the mode set for \fBssl\fR.
.SH "NOTES"
.IX Header "NOTES"
The following mode changes are available:
.IP "\s-1SSL_MODE_ENABLE_PARTIAL_WRITE\s0" 4
.IX Item "SSL_MODE_ENABLE_PARTIAL_WRITE"
Allow SSL_write_ex(..., n, &r) to return with 0 < r < n (i.e. report success
when just a single record has been written). This works in a similar way for
\&\fBSSL_write()\fR. When not set (the default), \fBSSL_write_ex()\fR or \fBSSL_write()\fR will only
report success once the complete chunk was written. Once \fBSSL_write_ex()\fR or
\&\fBSSL_write()\fR returns successful, \fBr\fR bytes have been written and the next call
to \fBSSL_write_ex()\fR or \fBSSL_write()\fR must only send the n\-r bytes left, imitating
the behaviour of \fBwrite()\fR.
.IP "\s-1SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER\s0" 4
.IX Item "SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER"
Make it possible to retry \fBSSL_write_ex()\fR or \fBSSL_write()\fR with changed buffer
location (the buffer contents must stay the same). This is not the default to
avoid the misconception that nonblocking \fBSSL_write()\fR behaves like
nonblocking \fBwrite()\fR.
.IP "\s-1SSL_MODE_AUTO_RETRY\s0" 4
.IX Item "SSL_MODE_AUTO_RETRY"
During normal operations, non-application data records might need to be sent or
received that the application is not aware of.
If a non-application data record was processed,
\&\fBSSL_read_ex\fR\|(3) and \fBSSL_read\fR\|(3) can return with a failure and indicate the
need to retry with \fB\s-1SSL_ERROR_WANT_READ\s0\fR.
If such a non-application data record was processed, the flag
\&\fB\s-1SSL_MODE_AUTO_RETRY\s0\fR causes it to try to process the next record instead of
returning.
.Sp
In a nonblocking environment applications must be prepared to handle
incomplete read/write operations.
Setting \fB\s-1SSL_MODE_AUTO_RETRY\s0\fR for a nonblocking \fB\s-1BIO\s0\fR will process
non-application data records until either no more data is available or
an application data record has been processed.
.Sp
In a blocking environment, applications are not always prepared to
deal with the functions returning intermediate reports such as retry
requests, and setting the \fB\s-1SSL_MODE_AUTO_RETRY\s0\fR flag will cause the functions
to only return after successfully processing an application data record or a
failure.
.Sp
Turning off \fB\s-1SSL_MODE_AUTO_RETRY\s0\fR can be useful with blocking \fB\s-1BIO\s0\fRs in case
they are used in combination with something like \fBselect()\fR or \fBpoll()\fR.
Otherwise the call to \fBSSL_read()\fR or \fBSSL_read_ex()\fR might hang when a
non-application record was sent and no application data was sent.
.IP "\s-1SSL_MODE_RELEASE_BUFFERS\s0" 4
.IX Item "SSL_MODE_RELEASE_BUFFERS"
When we no longer need a read buffer or a write buffer for a given \s-1SSL,\s0
then release the memory we were using to hold it.
Using this flag can
save around 34k per idle \s-1SSL\s0 connection.
This flag has no effect on \s-1SSL\s0 v2 connections, or on \s-1DTLS\s0 connections.
.IP "\s-1SSL_MODE_SEND_FALLBACK_SCSV\s0" 4
.IX Item "SSL_MODE_SEND_FALLBACK_SCSV"
Send \s-1TLS_FALLBACK_SCSV\s0 in the ClientHello.
To be set only by applications that reconnect with a downgraded protocol
version; see draft\-ietf\-tls\-downgrade\-scsv\-00 for details.
.Sp
\&\s-1DO NOT ENABLE THIS\s0 if your application attempts a normal handshake.
Only use this in explicit fallback retries, following the guidance
in draft\-ietf\-tls\-downgrade\-scsv\-00.
.IP "\s-1SSL_MODE_ASYNC\s0" 4
.IX Item "SSL_MODE_ASYNC"
Enable asynchronous processing. \s-1TLS I/O\s0 operations may indicate a retry with
\&\s-1SSL_ERROR_WANT_ASYNC\s0 with this mode set if an asynchronous capable engine is
used to perform cryptographic operations. See \fBSSL_get_error\fR\|(3).
.IP "\s-1SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG\s0" 4
.IX Item "SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG"
Older versions of OpenSSL had a bug in the computation of the label length
used for computing the endpoint-pair shared secret. The bug was that the
terminating zero was included in the length of the label. Setting this option
enables this behaviour to allow interoperability with such broken
implementations. Please note that setting this option breaks interoperability
with correct implementations. This option only applies to \s-1DTLS\s0 over \s-1SCTP.\s0
.PP
All modes are off by default except for \s-1SSL_MODE_AUTO_RETRY\s0 which is on by
default since 1.1.1.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_mode()\fR and \fBSSL_set_mode()\fR return the new mode bit mask
after adding \fBmode\fR.
.PP
\&\fBSSL_CTX_get_mode()\fR and \fBSSL_get_mode()\fR return the current bit mask.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_read_ex\fR\|(3), \fBSSL_read\fR\|(3), \fBSSL_write_ex\fR\|(3) or
\&\fBSSL_write\fR\|(3), \fBSSL_get_error\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\s-1SSL_MODE_ASYNC\s0 was added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_msg_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_msg_callback.3
index 67ba00a6989c..526075f97abb 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_msg_callback.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_msg_callback.3
@@ -1,252 +1,252 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_MSG_CALLBACK 3"
-.TH SSL_CTX_SET_MSG_CALLBACK 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_MSG_CALLBACK 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_msg_callback, SSL_CTX_set_msg_callback_arg, SSL_set_msg_callback, SSL_set_msg_callback_arg \&\- install callback for observing protocol messages
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_CTX_set_msg_callback(SSL_CTX *ctx,
\& void (*cb)(int write_p, int version,
\& int content_type, const void *buf,
\& size_t len, SSL *ssl, void *arg));
\& void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg);
\&
\& void SSL_set_msg_callback(SSL *ssl,
\& void (*cb)(int write_p, int version,
\& int content_type, const void *buf,
\& size_t len, SSL *ssl, void *arg));
\& void SSL_set_msg_callback_arg(SSL *ssl, void *arg);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_msg_callback()\fR or \fBSSL_set_msg_callback()\fR can be used to
define a message callback function \fIcb\fR for observing all \s-1SSL/TLS\s0
protocol messages (such as handshake messages) that are received or
sent, as well as other events that occur during processing.
\&\fBSSL_CTX_set_msg_callback_arg()\fR and \fBSSL_set_msg_callback_arg()\fR
can be used to set argument \fIarg\fR to the callback function, which is
available for arbitrary application use.
.PP
\&\fBSSL_CTX_set_msg_callback()\fR and \fBSSL_CTX_set_msg_callback_arg()\fR specify
default settings that will be copied to new \fB\s-1SSL\s0\fR objects by
\&\fBSSL_new\fR\|(3). \fBSSL_set_msg_callback()\fR and
\&\fBSSL_set_msg_callback_arg()\fR modify the actual settings of an \fB\s-1SSL\s0\fR
object. Using a \fB\s-1NULL\s0\fR pointer for \fIcb\fR disables the message callback.
.PP
When \fIcb\fR is called by the \s-1SSL/TLS\s0 library the function arguments have the
following meaning:
.IP "\fIwrite_p\fR" 4
.IX Item "write_p"
This flag is \fB0\fR when a protocol message has been received and \fB1\fR
when a protocol message has been sent.
.IP "\fIversion\fR" 4
.IX Item "version"
The protocol version according to which the protocol message is
interpreted by the library such as \fB\s-1TLS1_3_VERSION\s0\fR, \fB\s-1TLS1_2_VERSION\s0\fR etc.
This is set to 0 for the \s-1SSL3_RT_HEADER\s0 pseudo content type (see \s-1NOTES\s0 below).
.IP "\fIcontent_type\fR" 4
.IX Item "content_type"
This is one of the content type values defined in the protocol specification
(\fB\s-1SSL3_RT_CHANGE_CIPHER_SPEC\s0\fR, \fB\s-1SSL3_RT_ALERT\s0\fR, \fB\s-1SSL3_RT_HANDSHAKE\s0\fR; but never
\&\fB\s-1SSL3_RT_APPLICATION_DATA\s0\fR because the callback will only be called for protocol
messages). Alternatively it may be a \*(L"pseudo\*(R" content type. These pseudo
content types are used to signal some other event in the processing of data (see
\&\s-1NOTES\s0 below).
.IP "\fIbuf\fR, \fIlen\fR" 4
.IX Item "buf, len"
\&\fIbuf\fR points to a buffer containing the protocol message or other data (in the
case of pseudo content types), which consists of \fIlen\fR bytes. The buffer is no
longer valid after the callback function has returned.
.IP "\fIssl\fR" 4
.IX Item "ssl"
The \fB\s-1SSL\s0\fR object that received or sent the message.
.IP "\fIarg\fR" 4
.IX Item "arg"
The user-defined argument optionally defined by
\&\fBSSL_CTX_set_msg_callback_arg()\fR or \fBSSL_set_msg_callback_arg()\fR.
.SH "NOTES"
.IX Header "NOTES"
Protocol messages are passed to the callback function after decryption
and fragment collection where applicable. (Thus record boundaries are
not visible.)
.PP
If processing a received protocol message results in an error,
the callback function may not be called. For example, the callback
function will never see messages that are considered too large to be
processed.
.PP
Due to automatic protocol version negotiation, \fIversion\fR is not
necessarily the protocol version used by the sender of the message: If
a \s-1TLS 1.0\s0 ClientHello message is received by an \s-1SSL 3\s0.0\-only server,
\&\fIversion\fR will be \fB\s-1SSL3_VERSION\s0\fR.
.PP
Pseudo content type values may be sent at various points during the processing
of data. The following pseudo content types are currently defined:
.IP "\fB\s-1SSL3_RT_HEADER\s0\fR" 4
.IX Item "SSL3_RT_HEADER"
Used when a record is sent or received. The \fBbuf\fR contains the record header
bytes only.
.IP "\fB\s-1SSL3_RT_INNER_CONTENT_TYPE\s0\fR" 4
.IX Item "SSL3_RT_INNER_CONTENT_TYPE"
Used when an encrypted TLSv1.3 record is sent or received. In encrypted TLSv1.3
records the content type in the record header is always
\&\s-1SSL3_RT_APPLICATION_DATA.\s0 The real content type for the record is contained in
an \*(L"inner\*(R" content type. \fBbuf\fR contains the encoded \*(L"inner\*(R" content type byte.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_msg_callback()\fR, \fBSSL_CTX_set_msg_callback_arg()\fR, \fBSSL_set_msg_callback()\fR
and \fBSSL_set_msg_callback_arg()\fR do not return values.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_new\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The pseudo content type \fB\s-1SSL3_RT_INNER_CONTENT_TYPE\s0\fR was added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_num_tickets.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_num_tickets.3
index ef5f9e0ed729..0d6d67f8de57 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_num_tickets.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_num_tickets.3
@@ -1,196 +1,196 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_NUM_TICKETS 3"
-.TH SSL_CTX_SET_NUM_TICKETS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_NUM_TICKETS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_set_num_tickets, SSL_get_num_tickets, SSL_CTX_set_num_tickets, SSL_CTX_get_num_tickets \&\- control the number of TLSv1.3 session tickets that are issued
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_set_num_tickets(SSL *s, size_t num_tickets);
\& size_t SSL_get_num_tickets(SSL *s);
\& int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets);
\& size_t SSL_CTX_get_num_tickets(SSL_CTX *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_num_tickets()\fR and \fBSSL_set_num_tickets()\fR can be called for a server
application and set the number of TLSv1.3 session tickets that will be sent to
the client after a full handshake. Set the desired value (which could be 0) in
the \fBnum_tickets\fR argument. Typically these functions should be called before
the start of the handshake.
.PP
The default number of tickets is 2. Following a resumption the number of tickets
issued will never be more than 1 regardless of the value set via
\&\fBSSL_set_num_tickets()\fR or \fBSSL_CTX_set_num_tickets()\fR. If \fBnum_tickets\fR is set to
0 then no tickets will be issued for either a normal connection or a resumption.
.PP
Tickets are also issued on receipt of a post-handshake certificate from the
client following a request by the server using
\&\fBSSL_verify_client_post_handshake\fR\|(3). These new tickets will be associated
with the updated client identity (i.e. including their certificate and
verification status). The number of tickets issued will normally be the same as
was used for the initial handshake. If the initial handshake was a full
handshake then \fBSSL_set_num_tickets()\fR can be called again prior to calling
\&\fBSSL_verify_client_post_handshake()\fR to update the number of tickets that will be
sent.
.PP
\&\fBSSL_CTX_get_num_tickets()\fR and \fBSSL_get_num_tickets()\fR return the number of
tickets set by a previous call to \fBSSL_CTX_set_num_tickets()\fR or
\&\fBSSL_set_num_tickets()\fR, or 2 if no such call has been made.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_num_tickets()\fR and \fBSSL_set_num_tickets()\fR return 1 on success or 0 on
failure.
.PP
\&\fBSSL_CTX_get_num_tickets()\fR and \fBSSL_get_num_tickets()\fR return the number of tickets
that have been previously set.
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2018\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_options.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_options.3
index 3933701076e8..b771d14b0521 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_options.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_options.3
@@ -1,493 +1,493 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_OPTIONS 3"
-.TH SSL_CTX_SET_OPTIONS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_OPTIONS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_options, SSL_set_options, SSL_CTX_clear_options, SSL_clear_options, SSL_CTX_get_options, SSL_get_options, SSL_get_secure_renegotiation_support \- manipulate SSL options
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& long SSL_CTX_set_options(SSL_CTX *ctx, long options);
\& long SSL_set_options(SSL *ssl, long options);
\&
\& long SSL_CTX_clear_options(SSL_CTX *ctx, long options);
\& long SSL_clear_options(SSL *ssl, long options);
\&
\& long SSL_CTX_get_options(SSL_CTX *ctx);
\& long SSL_get_options(SSL *ssl);
\&
\& long SSL_get_secure_renegotiation_support(SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_options()\fR adds the options set via bit mask in \fBoptions\fR to \fBctx\fR.
Options already set before are not cleared!
.PP
\&\fBSSL_set_options()\fR adds the options set via bit mask in \fBoptions\fR to \fBssl\fR.
Options already set before are not cleared!
.PP
\&\fBSSL_CTX_clear_options()\fR clears the options set via bit mask in \fBoptions\fR
to \fBctx\fR.
.PP
\&\fBSSL_clear_options()\fR clears the options set via bit mask in \fBoptions\fR to \fBssl\fR.
.PP
\&\fBSSL_CTX_get_options()\fR returns the options set for \fBctx\fR.
.PP
\&\fBSSL_get_options()\fR returns the options set for \fBssl\fR.
.PP
\&\fBSSL_get_secure_renegotiation_support()\fR indicates whether the peer supports
secure renegotiation.
Note, this is implemented via a macro.
.SH "NOTES"
.IX Header "NOTES"
The behaviour of the \s-1SSL\s0 library can be changed by setting several options.
The options are coded as bit masks and can be combined by a bitwise \fBor\fR
operation (|).
.PP
\&\fBSSL_CTX_set_options()\fR and \fBSSL_set_options()\fR affect the (external)
protocol behaviour of the \s-1SSL\s0 library. The (internal) behaviour of
the \s-1API\s0 can be changed by using the similar
\&\fBSSL_CTX_set_mode\fR\|(3) and \fBSSL_set_mode()\fR functions.
.PP
During a handshake, the option settings of the \s-1SSL\s0 object are used. When
a new \s-1SSL\s0 object is created from a context using \fBSSL_new()\fR, the current
option setting is copied. Changes to \fBctx\fR do not affect already created
\&\s-1SSL\s0 objects. \fBSSL_clear()\fR does not affect the settings.
.PP
The following \fBbug workaround\fR options are available:
.IP "\s-1SSL_OP_SAFARI_ECDHE_ECDSA_BUG\s0" 4
.IX Item "SSL_OP_SAFARI_ECDHE_ECDSA_BUG"
Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on \s-1OS X.
OS X 10.8..10.8.3\s0 has broken support for ECDHE-ECDSA ciphers.
.IP "\s-1SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS\s0" 4
.IX Item "SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS"
Disables a countermeasure against a \s-1SSL 3.0/TLS 1.0\s0 protocol
vulnerability affecting \s-1CBC\s0 ciphers, which cannot be handled by some
broken \s-1SSL\s0 implementations. This option has no effect for connections
using other ciphers.
.IP "\s-1SSL_OP_TLSEXT_PADDING\s0" 4
.IX Item "SSL_OP_TLSEXT_PADDING"
Adds a padding extension to ensure the ClientHello size is never between
256 and 511 bytes in length. This is needed as a workaround for some
implementations.
.IP "\s-1SSL_OP_ALL\s0" 4
.IX Item "SSL_OP_ALL"
All of the above bug workarounds plus \fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR as
mentioned below.
.PP
It is usually safe to use \fB\s-1SSL_OP_ALL\s0\fR to enable the bug workaround
options if compatibility with somewhat broken implementations is
desired.
.PP
The following \fBmodifying\fR options are available:
.IP "\s-1SSL_OP_TLS_ROLLBACK_BUG\s0" 4
.IX Item "SSL_OP_TLS_ROLLBACK_BUG"
Disable version rollback attack detection.
.Sp
During the client key exchange, the client must send the same information
about acceptable \s-1SSL/TLS\s0 protocol levels as during the first hello. Some
clients violate this rule by adapting to the server's answer. (Example:
the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server
only understands up to SSLv3. In this case the client must still use the
same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect
to the server's answer and violate the version rollback protection.)
.IP "\s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0" 4
.IX Item "SSL_OP_CIPHER_SERVER_PREFERENCE"
When choosing a cipher, use the server's preferences instead of the client
preferences. When not set, the \s-1SSL\s0 server will always follow the clients
preferences. When set, the \s-1SSL/TLS\s0 server will choose following its
own preferences.
.IP "SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_3, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2" 4
.IX Item "SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_3, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2"
These options turn off the SSLv3, TLSv1, TLSv1.1, TLSv1.2 or TLSv1.3 protocol
versions with \s-1TLS\s0 or the DTLSv1, DTLSv1.2 versions with \s-1DTLS,\s0
respectively.
As of OpenSSL 1.1.0, these options are deprecated, use
\&\fBSSL_CTX_set_min_proto_version\fR\|(3) and
\&\fBSSL_CTX_set_max_proto_version\fR\|(3) instead.
.IP "\s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0" 4
.IX Item "SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION"
When performing renegotiation as a server, always start a new session
(i.e., session resumption requests are only accepted in the initial
handshake). This option is not needed for clients.
.IP "\s-1SSL_OP_NO_COMPRESSION\s0" 4
.IX Item "SSL_OP_NO_COMPRESSION"
Do not use compression even if it is supported.
.IP "\s-1SSL_OP_NO_QUERY_MTU\s0" 4
.IX Item "SSL_OP_NO_QUERY_MTU"
Do not query the \s-1MTU.\s0 Only affects \s-1DTLS\s0 connections.
.IP "\s-1SSL_OP_COOKIE_EXCHANGE\s0" 4
.IX Item "SSL_OP_COOKIE_EXCHANGE"
Turn on Cookie Exchange as described in \s-1RFC4347\s0 Section 4.2.1. Only affects
\&\s-1DTLS\s0 connections.
.IP "\s-1SSL_OP_NO_TICKET\s0" 4
.IX Item "SSL_OP_NO_TICKET"
\&\s-1SSL/TLS\s0 supports two mechanisms for resuming sessions: session ids and stateless
session tickets.
.Sp
When using session ids a copy of the session information is
cached on the server and a unique id is sent to the client. When the client
wishes to resume it provides the unique id so that the server can retrieve the
session information from its cache.
.Sp
When using stateless session tickets the server uses a session ticket encryption
key to encrypt the session information. This encrypted data is sent to the
client as a \*(L"ticket\*(R". When the client wishes to resume it sends the encrypted
data back to the server. The server uses its key to decrypt the data and resume
the session. In this way the server can operate statelessly \- no session
information needs to be cached locally.
.Sp
The TLSv1.3 protocol only supports tickets and does not directly support session
ids. However, OpenSSL allows two modes of ticket operation in TLSv1.3: stateful
and stateless. Stateless tickets work the same way as in TLSv1.2 and below.
Stateful tickets mimic the session id behaviour available in TLSv1.2 and below.
The session information is cached on the server and the session id is wrapped up
in a ticket and sent back to the client. When the client wishes to resume, it
presents a ticket in the same way as for stateless tickets. The server can then
extract the session id from the ticket and retrieve the session information from
its cache.
.Sp
By default OpenSSL will use stateless tickets. The \s-1SSL_OP_NO_TICKET\s0 option will
cause stateless tickets to not be issued. In TLSv1.2 and below this means no
ticket gets sent to the client at all. In TLSv1.3 a stateful ticket will be
sent. This is a server-side option only.
.Sp
In TLSv1.3 it is possible to suppress all tickets (stateful and stateless) from
being sent by calling \fBSSL_CTX_set_num_tickets\fR\|(3) or
\&\fBSSL_set_num_tickets\fR\|(3).
.IP "\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0" 4
.IX Item "SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION"
Allow legacy insecure renegotiation between OpenSSL and unpatched clients or
servers. See the \fB\s-1SECURE RENEGOTIATION\s0\fR section for more details.
.IP "\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0" 4
.IX Item "SSL_OP_LEGACY_SERVER_CONNECT"
Allow legacy insecure renegotiation between OpenSSL and unpatched servers
\&\fBonly\fR: this option is currently set by default. See the
\&\fB\s-1SECURE RENEGOTIATION\s0\fR section for more details.
.IP "\s-1SSL_OP_NO_ENCRYPT_THEN_MAC\s0" 4
.IX Item "SSL_OP_NO_ENCRYPT_THEN_MAC"
Normally clients and servers will transparently attempt to negotiate the
\&\s-1RFC7366\s0 Encrypt-then-MAC option on \s-1TLS\s0 and \s-1DTLS\s0 connection.
.Sp
If this option is set, Encrypt-then-MAC is disabled. Clients will not
propose, and servers will not accept the extension.
.IP "\s-1SSL_OP_NO_RENEGOTIATION\s0" 4
.IX Item "SSL_OP_NO_RENEGOTIATION"
Disable all renegotiation in TLSv1.2 and earlier. Do not send HelloRequest
messages, and ignore renegotiation requests via ClientHello.
.IP "\s-1SSL_OP_ALLOW_NO_DHE_KEX\s0" 4
.IX Item "SSL_OP_ALLOW_NO_DHE_KEX"
In TLSv1.3 allow a non\-(ec)dhe based key exchange mode on resumption. This means
that there will be no forward secrecy for the resumed session.
.IP "\s-1SSL_OP_PRIORITIZE_CHACHA\s0" 4
.IX Item "SSL_OP_PRIORITIZE_CHACHA"
When \s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0 is set, temporarily reprioritize
ChaCha20\-Poly1305 ciphers to the top of the server cipher list if a
ChaCha20\-Poly1305 cipher is at the top of the client cipher list. This helps
those clients (e.g. mobile) use ChaCha20\-Poly1305 if that cipher is anywhere
in the server cipher list; but still allows other clients to use \s-1AES\s0 and other
ciphers. Requires \fB\s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0\fR.
.IP "\s-1SSL_OP_ENABLE_MIDDLEBOX_COMPAT\s0" 4
.IX Item "SSL_OP_ENABLE_MIDDLEBOX_COMPAT"
If set then dummy Change Cipher Spec (\s-1CCS\s0) messages are sent in TLSv1.3. This
has the effect of making TLSv1.3 look more like TLSv1.2 so that middleboxes that
do not understand TLSv1.3 will not drop the connection. Regardless of whether
this option is set or not \s-1CCS\s0 messages received from the peer will always be
ignored in TLSv1.3. This option is set by default. To switch it off use
\&\fBSSL_clear_options()\fR. A future version of OpenSSL may not set this by default.
.IP "\s-1SSL_OP_NO_ANTI_REPLAY\s0" 4
.IX Item "SSL_OP_NO_ANTI_REPLAY"
By default, when a server is configured for early data (i.e., max_early_data > 0),
OpenSSL will switch on replay protection. See \fBSSL_read_early_data\fR\|(3) for a
description of the replay protection feature. Anti-replay measures are required
to comply with the TLSv1.3 specification. Some applications may be able to
mitigate the replay risks in other ways and in such cases the built in OpenSSL
functionality is not required. Those applications can turn this feature off by
setting this option. This is a server-side opton only. It is ignored by
clients.
.IP "\s-1SSL_OP_ENABLE_KTLS\s0" 4
.IX Item "SSL_OP_ENABLE_KTLS"
Enable the use of kernel \s-1TLS.\s0 In order to benefit from kernel \s-1TLS\s0 OpenSSL must
have been compiled with support for it, and it must be supported by the
negotiated ciphersuites and extensions. The specific ciphersuites and extensions
that are supported may vary by platform and kernel version.
.Sp
The kernel \s-1TLS\s0 data-path implements the record layer, and the encryption
algorithm. The kernel will utilize the best hardware
available for encryption. Using the kernel data-path should reduce the memory
footprint of OpenSSL because no buffering is required. Also, the throughput
should improve because data copy is avoided when user data is encrypted into
kernel memory instead of the usual encrypt then copy to kernel.
.Sp
Kernel \s-1TLS\s0 might not support all the features of OpenSSL. For instance,
renegotiation, and setting the maximum fragment size is not possible as of
Linux 4.20.
.Sp
Note that with kernel \s-1TLS\s0 enabled some cryptographic operations are performed
by the kernel directly and not via any available OpenSSL Providers. This might
be undesirable if, for example, the application requires all cryptographic
operations to be performed by the \s-1FIPS\s0 provider.
.PP
The following options no longer have any effect but their identifiers are
retained for compatibility purposes:
.IP "\s-1SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG\s0" 4
.IX Item "SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG"
.PD 0
.IP "\s-1SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER\s0" 4
.IX Item "SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER"
.IP "\s-1SSL_OP_SSLEAY_080_CLIENT_DH_BUG\s0" 4
.IX Item "SSL_OP_SSLEAY_080_CLIENT_DH_BUG"
.IP "\s-1SSL_OP_TLS_D5_BUG\s0" 4
.IX Item "SSL_OP_TLS_D5_BUG"
.IP "\s-1SSL_OP_TLS_BLOCK_PADDING_BUG\s0" 4
.IX Item "SSL_OP_TLS_BLOCK_PADDING_BUG"
.IP "\s-1SSL_OP_MSIE_SSLV2_RSA_PADDING\s0" 4
.IX Item "SSL_OP_MSIE_SSLV2_RSA_PADDING"
.IP "\s-1SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG\s0" 4
.IX Item "SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG"
.IP "\s-1SSL_OP_MICROSOFT_SESS_ID_BUG\s0" 4
.IX Item "SSL_OP_MICROSOFT_SESS_ID_BUG"
.IP "\s-1SSL_OP_NETSCAPE_CHALLENGE_BUG\s0" 4
.IX Item "SSL_OP_NETSCAPE_CHALLENGE_BUG"
.IP "\s-1SSL_OP_PKCS1_CHECK_1\s0" 4
.IX Item "SSL_OP_PKCS1_CHECK_1"
.IP "\s-1SSL_OP_PKCS1_CHECK_2\s0" 4
.IX Item "SSL_OP_PKCS1_CHECK_2"
.IP "\s-1SSL_OP_SINGLE_DH_USE\s0" 4
.IX Item "SSL_OP_SINGLE_DH_USE"
.IP "\s-1SSL_OP_SINGLE_ECDH_USE\s0" 4
.IX Item "SSL_OP_SINGLE_ECDH_USE"
.IP "\s-1SSL_OP_EPHEMERAL_RSA\s0" 4
.IX Item "SSL_OP_EPHEMERAL_RSA"
.PD
.SH "SECURE RENEGOTIATION"
.IX Header "SECURE RENEGOTIATION"
OpenSSL always attempts to use secure renegotiation as
described in \s-1RFC5746.\s0 This counters the prefix attack described in
\&\s-1CVE\-2009\-3555\s0 and elsewhere.
.PP
This attack has far reaching consequences which application writers should be
aware of. In the description below an implementation supporting secure
renegotiation is referred to as \fIpatched\fR. A server not supporting secure
renegotiation is referred to as \fIunpatched\fR.
.PP
The following sections describe the operations permitted by OpenSSL's secure
renegotiation implementation.
.SS "Patched client and server"
.IX Subsection "Patched client and server"
Connections and renegotiation are always permitted by OpenSSL implementations.
.SS "Unpatched client and patched OpenSSL server"
.IX Subsection "Unpatched client and patched OpenSSL server"
The initial connection succeeds but client renegotiation is denied by the
server with a \fBno_renegotiation\fR warning alert if \s-1TLS\s0 v1.0 is used or a fatal
\&\fBhandshake_failure\fR alert in \s-1SSL\s0 v3.0.
.PP
If the patched OpenSSL server attempts to renegotiate a fatal
\&\fBhandshake_failure\fR alert is sent. This is because the server code may be
unaware of the unpatched nature of the client.
.PP
If the option \fB\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0\fR is set then
renegotiation \fBalways\fR succeeds.
.SS "Patched OpenSSL client and unpatched server."
.IX Subsection "Patched OpenSSL client and unpatched server."
If the option \fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR or
\&\fB\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0\fR is set then initial connections
and renegotiation between patched OpenSSL clients and unpatched servers
succeeds. If neither option is set then initial connections to unpatched
servers will fail.
.PP
The option \fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR is currently set by default even
though it has security implications: otherwise it would be impossible to
connect to unpatched servers (i.e. all of them initially) and this is clearly
not acceptable. Renegotiation is permitted because this does not add any
additional security issues: during an attack clients do not see any
renegotiations anyway.
.PP
As more servers become patched the option \fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR will
\&\fBnot\fR be set by default in a future version of OpenSSL.
.PP
OpenSSL client applications wishing to ensure they can connect to unpatched
servers should always \fBset\fR \fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR
.PP
OpenSSL client applications that want to ensure they can \fBnot\fR connect to
unpatched servers (and thus avoid any security issues) should always \fBclear\fR
\&\fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR using \fBSSL_CTX_clear_options()\fR or
\&\fBSSL_clear_options()\fR.
.PP
The difference between the \fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR and
\&\fB\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0\fR options is that
\&\fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR enables initial connections and secure
renegotiation between OpenSSL clients and unpatched servers \fBonly\fR, while
\&\fB\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0\fR allows initial connections
and renegotiation between OpenSSL and unpatched clients or servers.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_options()\fR and \fBSSL_set_options()\fR return the new options bit mask
after adding \fBoptions\fR.
.PP
\&\fBSSL_CTX_clear_options()\fR and \fBSSL_clear_options()\fR return the new options bit mask
after clearing \fBoptions\fR.
.PP
\&\fBSSL_CTX_get_options()\fR and \fBSSL_get_options()\fR return the current bit mask.
.PP
\&\fBSSL_get_secure_renegotiation_support()\fR returns 1 is the peer supports
secure renegotiation and 0 if it does not.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_new\fR\|(3), \fBSSL_clear\fR\|(3),
\&\fBSSL_CTX_set_tmp_dh_callback\fR\|(3),
\&\fBSSL_CTX_set_min_proto_version\fR\|(3),
\&\fBdhparam\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
The attempt to always try to use secure renegotiation was added in
OpenSSL 0.9.8m.
.PP
The \fB\s-1SSL_OP_PRIORITIZE_CHACHA\s0\fR and \fB\s-1SSL_OP_NO_RENEGOTIATION\s0\fR options
were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_psk_client_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_psk_client_callback.3
index d8cabc8f346a..5c75e418dc4c 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_psk_client_callback.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_psk_client_callback.3
@@ -1,294 +1,294 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_PSK_CLIENT_CALLBACK 3"
-.TH SSL_CTX_SET_PSK_CLIENT_CALLBACK 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_PSK_CLIENT_CALLBACK 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_psk_client_cb_func, SSL_psk_use_session_cb_func, SSL_CTX_set_psk_client_callback, SSL_set_psk_client_callback, SSL_CTX_set_psk_use_session_callback, SSL_set_psk_use_session_callback \&\- set PSK client callback
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& typedef int (*SSL_psk_use_session_cb_func)(SSL *ssl, const EVP_MD *md,
\& const unsigned char **id,
\& size_t *idlen,
\& SSL_SESSION **sess);
\&
\&
\& void SSL_CTX_set_psk_use_session_callback(SSL_CTX *ctx,
\& SSL_psk_use_session_cb_func cb);
\& void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb);
\&
\&
\& typedef unsigned int (*SSL_psk_client_cb_func)(SSL *ssl,
\& const char *hint,
\& char *identity,
\& unsigned int max_identity_len,
\& unsigned char *psk,
\& unsigned int max_psk_len);
\&
\& void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, SSL_psk_client_cb_func cb);
\& void SSL_set_psk_client_callback(SSL *ssl, SSL_psk_client_cb_func cb);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
A client application wishing to use TLSv1.3 PSKs should use either
\&\fBSSL_CTX_set_psk_use_session_callback()\fR or \fBSSL_set_psk_use_session_callback()\fR as
appropriate. These functions cannot be used for TLSv1.2 and below PSKs.
.PP
The callback function is given a pointer to the \s-1SSL\s0 connection in \fBssl\fR.
.PP
The first time the callback is called for a connection the \fBmd\fR parameter is
\&\s-1NULL.\s0 In some circumstances the callback will be called a second time. In that
case the server will have specified a ciphersuite to use already and the \s-1PSK\s0
must be compatible with the digest for that ciphersuite. The digest will be
given in \fBmd\fR. The \s-1PSK\s0 returned by the callback is allowed to be different
between the first and second time it is called.
.PP
On successful completion the callback must store a pointer to an identifier for
the \s-1PSK\s0 in \fB*id\fR. The identifier length in bytes should be stored in \fB*idlen\fR.
The memory pointed to by \fB*id\fR remains owned by the application and should
be freed by it as required at any point after the handshake is complete.
.PP
Additionally the callback should store a pointer to an \s-1SSL_SESSION\s0 object in
\&\fB*sess\fR. This is used as the basis for the \s-1PSK,\s0 and should, at a minimum, have
the following fields set:
.IP "The master key" 4
.IX Item "The master key"
This can be set via a call to \fBSSL_SESSION_set1_master_key\fR\|(3).
.IP "A ciphersuite" 4
.IX Item "A ciphersuite"
Only the handshake digest associated with the ciphersuite is relevant for the
\&\s-1PSK\s0 (the server may go on to negotiate any ciphersuite which is compatible with
the digest). The application can use any TLSv1.3 ciphersuite. If \fBmd\fR is
not \s-1NULL\s0 the handshake digest for the ciphersuite should be the same.
The ciphersuite can be set via a call to <\fBSSL_SESSION_set_cipher\fR\|(3)>. The
handshake digest of an \s-1SSL_CIPHER\s0 object can be checked using
<\fBSSL_CIPHER_get_handshake_digest\fR\|(3)>.
.IP "The protocol version" 4
.IX Item "The protocol version"
This can be set via a call to \fBSSL_SESSION_set_protocol_version\fR\|(3) and should
be \s-1TLS1_3_VERSION.\s0
.PP
Additionally the maximum early data value should be set via a call to
\&\fBSSL_SESSION_set_max_early_data\fR\|(3) if the \s-1PSK\s0 will be used for sending early
data.
.PP
Alternatively an \s-1SSL_SESSION\s0 created from a previous non-PSK handshake may also
be used as the basis for a \s-1PSK.\s0
.PP
Ownership of the \s-1SSL_SESSION\s0 object is passed to the OpenSSL library and so it
should not be freed by the application.
.PP
It is also possible for the callback to succeed but not supply a \s-1PSK.\s0 In this
case no \s-1PSK\s0 will be sent to the server but the handshake will continue. To do
this the callback should return successfully and ensure that \fB*sess\fR is
\&\s-1NULL.\s0 The contents of \fB*id\fR and \fB*idlen\fR will be ignored.
.PP
A client application wishing to use \s-1PSK\s0 ciphersuites for TLSv1.2 and below must
provide a different callback function. This function will be called when the
client is sending the ClientKeyExchange message to the server.
.PP
The purpose of the callback function is to select the \s-1PSK\s0 identity and
the pre-shared key to use during the connection setup phase.
.PP
The callback is set using functions \fBSSL_CTX_set_psk_client_callback()\fR
or \fBSSL_set_psk_client_callback()\fR. The callback function is given the
connection in parameter \fBssl\fR, a \fB\s-1NULL\s0\fR\-terminated \s-1PSK\s0 identity hint
sent by the server in parameter \fBhint\fR, a buffer \fBidentity\fR of
length \fBmax_identity_len\fR bytes where the resulting
\&\fB\s-1NUL\s0\fR\-terminated identity is to be stored, and a buffer \fBpsk\fR of
length \fBmax_psk_len\fR bytes where the resulting pre-shared key is to
be stored.
.PP
The callback for use in TLSv1.2 will also work in TLSv1.3 although it is
recommended to use \fBSSL_CTX_set_psk_use_session_callback()\fR
or \fBSSL_set_psk_use_session_callback()\fR for this purpose instead. If TLSv1.3 has
been negotiated then OpenSSL will first check to see if a callback has been set
via \fBSSL_CTX_set_psk_use_session_callback()\fR or \fBSSL_set_psk_use_session_callback()\fR
and it will use that in preference. If no such callback is present then it will
check to see if a callback has been set via \fBSSL_CTX_set_psk_client_callback()\fR or
\&\fBSSL_set_psk_client_callback()\fR and use that. In this case the \fBhint\fR value will
always be \s-1NULL\s0 and the handshake digest will default to \s-1SHA\-256\s0 for any returned
\&\s-1PSK.\s0 TLSv1.3 early data exchanges are possible in \s-1PSK\s0 connections only with the
\&\fBSSL_psk_use_session_cb_func\fR callback, and are not possible with the
\&\fBSSL_psk_client_cb_func\fR callback.
.SH "NOTES"
.IX Header "NOTES"
Note that parameter \fBhint\fR given to the callback may be \fB\s-1NULL\s0\fR.
.PP
A connection established via a TLSv1.3 \s-1PSK\s0 will appear as if session resumption
has occurred so that \fBSSL_session_reused\fR\|(3) will return true.
.PP
There are no known security issues with sharing the same \s-1PSK\s0 between TLSv1.2 (or
below) and TLSv1.3. However, the \s-1RFC\s0 has this note of caution:
.PP
\&\*(L"While there is no known way in which the same \s-1PSK\s0 might produce related output
in both versions, only limited analysis has been done. Implementations can
ensure safety from cross-protocol related output by not reusing PSKs between
\&\s-1TLS 1.3\s0 and \s-1TLS 1.2.\*(R"\s0
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Return values from the \fBSSL_psk_client_cb_func\fR callback are interpreted as
follows:
.PP
On success (callback found a \s-1PSK\s0 identity and a pre-shared key to use)
the length (> 0) of \fBpsk\fR in bytes is returned.
.PP
Otherwise or on errors the callback should return 0. In this case
the connection setup fails.
.PP
The SSL_psk_use_session_cb_func callback should return 1 on success or 0 on
failure. In the event of failure the connection setup fails.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_CTX_set_psk_find_session_callback\fR\|(3),
\&\fBSSL_set_psk_find_session_callback\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBSSL_CTX_set_psk_use_session_callback()\fR and \fBSSL_set_psk_use_session_callback()\fR
were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_quiet_shutdown.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_quiet_shutdown.3
index 61833ed41ec9..ad28f0000d59 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_quiet_shutdown.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_quiet_shutdown.3
@@ -1,203 +1,203 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_QUIET_SHUTDOWN 3"
-.TH SSL_CTX_SET_QUIET_SHUTDOWN 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_QUIET_SHUTDOWN 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_quiet_shutdown, SSL_CTX_get_quiet_shutdown, SSL_set_quiet_shutdown, SSL_get_quiet_shutdown \- manipulate shutdown behaviour
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode);
\& int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
\&
\& void SSL_set_quiet_shutdown(SSL *ssl, int mode);
\& int SSL_get_quiet_shutdown(const SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_quiet_shutdown()\fR sets the \*(L"quiet shutdown\*(R" flag for \fBctx\fR to be
\&\fBmode\fR. \s-1SSL\s0 objects created from \fBctx\fR inherit the \fBmode\fR valid at the time
\&\fBSSL_new\fR\|(3) is called. \fBmode\fR may be 0 or 1.
.PP
\&\fBSSL_CTX_get_quiet_shutdown()\fR returns the \*(L"quiet shutdown\*(R" setting of \fBctx\fR.
.PP
\&\fBSSL_set_quiet_shutdown()\fR sets the \*(L"quiet shutdown\*(R" flag for \fBssl\fR to be
\&\fBmode\fR. The setting stays valid until \fBssl\fR is removed with
\&\fBSSL_free\fR\|(3) or \fBSSL_set_quiet_shutdown()\fR is called again.
It is not changed when \fBSSL_clear\fR\|(3) is called.
\&\fBmode\fR may be 0 or 1.
.PP
\&\fBSSL_get_quiet_shutdown()\fR returns the \*(L"quiet shutdown\*(R" setting of \fBssl\fR.
.SH "NOTES"
.IX Header "NOTES"
Normally when a \s-1SSL\s0 connection is finished, the parties must send out
close_notify alert messages using \fBSSL_shutdown\fR\|(3)
for a clean shutdown.
.PP
When setting the \*(L"quiet shutdown\*(R" flag to 1, \fBSSL_shutdown\fR\|(3)
will set the internal flags to SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN.
(\fBSSL_shutdown\fR\|(3) then behaves like
\&\fBSSL_set_shutdown\fR\|(3) called with
SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN.)
The session is thus considered to be shutdown, but no close_notify alert
is sent to the peer. This behaviour violates the \s-1TLS\s0 standard.
.PP
The default is normal shutdown behaviour as described by the \s-1TLS\s0 standard.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_quiet_shutdown()\fR and \fBSSL_set_quiet_shutdown()\fR do not return
diagnostic information.
.PP
\&\fBSSL_CTX_get_quiet_shutdown()\fR and SSL_get_quiet_shutdown return the current
setting.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_shutdown\fR\|(3),
\&\fBSSL_set_shutdown\fR\|(3), \fBSSL_new\fR\|(3),
\&\fBSSL_clear\fR\|(3), \fBSSL_free\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_read_ahead.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_read_ahead.3
index 586036233606..d9c9236a0546 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_read_ahead.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_read_ahead.3
@@ -1,202 +1,202 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_READ_AHEAD 3"
-.TH SSL_CTX_SET_READ_AHEAD 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_READ_AHEAD 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_read_ahead, SSL_CTX_get_read_ahead, SSL_set_read_ahead, SSL_get_read_ahead, SSL_CTX_get_default_read_ahead \&\- manage whether to read as many input bytes as possible
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_set_read_ahead(SSL *s, int yes);
\& int SSL_get_read_ahead(const SSL *s);
\&
\& SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes);
\& long SSL_CTX_get_read_ahead(SSL_CTX *ctx);
\& long SSL_CTX_get_default_read_ahead(SSL_CTX *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_read_ahead()\fR and \fBSSL_set_read_ahead()\fR set whether we should read as
many input bytes as possible (for nonblocking reads) or not. For example if
\&\fBx\fR bytes are currently required by OpenSSL, but \fBy\fR bytes are available from
the underlying \s-1BIO\s0 (where \fBy\fR > \fBx\fR), then OpenSSL will read all \fBy\fR bytes
into its buffer (providing that the buffer is large enough) if reading ahead is
on, or \fBx\fR bytes otherwise.
Setting the parameter \fByes\fR to 0 turns reading ahead is off, other values turn
it on.
\&\fBSSL_CTX_set_default_read_ahead()\fR is identical to \fBSSL_CTX_set_read_ahead()\fR.
.PP
\&\fBSSL_CTX_get_read_ahead()\fR and \fBSSL_get_read_ahead()\fR indicate whether reading
ahead has been set or not.
\&\fBSSL_CTX_get_default_read_ahead()\fR is identical to \fBSSL_CTX_get_read_ahead()\fR.
.SH "NOTES"
.IX Header "NOTES"
These functions have no impact when used with \s-1DTLS.\s0 The return values for
\&\fBSSL_CTX_get_read_head()\fR and \fBSSL_get_read_ahead()\fR are undefined for \s-1DTLS.\s0 Setting
\&\fBread_ahead\fR can impact the behaviour of the \fBSSL_pending()\fR function
(see \fBSSL_pending\fR\|(3)).
.PP
Since \fBSSL_read()\fR can return \fB\s-1SSL_ERROR_WANT_READ\s0\fR for non-application data
records, and \fBSSL_has_pending()\fR can't tell the difference between processed and
unprocessed data, it's recommended that if read ahead is turned on that
\&\fB\s-1SSL_MODE_AUTO_RETRY\s0\fR is not turned off using \fBSSL_CTX_clear_mode()\fR.
That will prevent getting \fB\s-1SSL_ERROR_WANT_READ\s0\fR when there is still a complete
record available that hasn't been processed.
.PP
If the application wants to continue to use the underlying transport (e.g. \s-1TCP\s0
connection) after the \s-1SSL\s0 connection is finished using \fBSSL_shutdown()\fR reading
ahead should be turned off.
Otherwise the \s-1SSL\s0 structure might read data that it shouldn't.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_get_read_ahead()\fR and \fBSSL_CTX_get_read_ahead()\fR return 0 if reading ahead is off,
and non zero otherwise.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_pending\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_record_padding_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_record_padding_callback.3
index c21231ecafa2..ff31fb622d90 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_record_padding_callback.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_record_padding_callback.3
@@ -1,227 +1,227 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_RECORD_PADDING_CALLBACK 3"
-.TH SSL_CTX_SET_RECORD_PADDING_CALLBACK 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_RECORD_PADDING_CALLBACK 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_record_padding_callback, SSL_set_record_padding_callback, SSL_CTX_set_record_padding_callback_arg, SSL_set_record_padding_callback_arg, SSL_CTX_get_record_padding_callback_arg, SSL_get_record_padding_callback_arg, SSL_CTX_set_block_padding, SSL_set_block_padding \- install callback to specify TLS 1.3 record padding
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_CTX_set_record_padding_callback(SSL_CTX *ctx, size_t (*cb)(SSL *s, int type, size_t len, void *arg));
\& int SSL_set_record_padding_callback(SSL *ssl, size_t (*cb)(SSL *s, int type, size_t len, void *arg));
\&
\& void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg);
\& void *SSL_CTX_get_record_padding_callback_arg(const SSL_CTX *ctx);
\&
\& void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg);
\& void *SSL_get_record_padding_callback_arg(const SSL *ssl);
\&
\& int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size);
\& int SSL_set_block_padding(SSL *ssl, size_t block_size);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_record_padding_callback()\fR or \fBSSL_set_record_padding_callback()\fR
can be used to assign a callback function \fIcb\fR to specify the padding
for \s-1TLS 1.3\s0 records. The value set in \fBctx\fR is copied to a new \s-1SSL\s0 by \fBSSL_new()\fR.
Kernel \s-1TLS\s0 is not possible if the record padding callback is set, and the callback
function cannot be set if Kernel \s-1TLS\s0 is already configured for the current \s-1SSL\s0 object.
.PP
\&\fBSSL_CTX_set_record_padding_callback_arg()\fR and \fBSSL_set_record_padding_callback_arg()\fR
assign a value \fBarg\fR that is passed to the callback when it is invoked. The value
set in \fBctx\fR is copied to a new \s-1SSL\s0 by \fBSSL_new()\fR.
.PP
\&\fBSSL_CTX_get_record_padding_callback_arg()\fR and \fBSSL_get_record_padding_callback_arg()\fR
retrieve the \fBarg\fR value that is passed to the callback.
.PP
\&\fBSSL_CTX_set_block_padding()\fR and \fBSSL_set_block_padding()\fR pads the record to a multiple
of the \fBblock_size\fR. A \fBblock_size\fR of 0 or 1 disables block padding. The limit of
\&\fBblock_size\fR is \s-1SSL3_RT_MAX_PLAIN_LENGTH.\s0
.PP
The callback is invoked for every record before encryption.
The \fBtype\fR parameter is the \s-1TLS\s0 record type that is being processed; may be
one of \s-1SSL3_RT_APPLICATION_DATA, SSL3_RT_HANDSHAKE,\s0 or \s-1SSL3_RT_ALERT.\s0
The \fBlen\fR parameter is the current plaintext length of the record before encryption.
The \fBarg\fR parameter is the value set via \fBSSL_CTX_set_record_padding_callback_arg()\fR
or \fBSSL_set_record_padding_callback_arg()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The \fBSSL_CTX_get_record_padding_callback_arg()\fR and \fBSSL_get_record_padding_callback_arg()\fR
functions return the \fBarg\fR value assigned in the corresponding set functions.
.PP
The \fBSSL_CTX_set_block_padding()\fR and \fBSSL_set_block_padding()\fR functions return 1 on success
or 0 if \fBblock_size\fR is too large.
.PP
The \fBcb\fR returns the number of padding bytes to add to the record. A return of 0
indicates no padding will be added. A return value that causes the record to
exceed the maximum record size (\s-1SSL3_RT_MAX_PLAIN_LENGTH\s0) will pad out to the
maximum record size.
.PP
The \fBSSL_CTX_get_record_padding_callback_arg()\fR function returns 1 on success or 0 if
the callback function is not set because Kernel \s-1TLS\s0 is configured for the \s-1SSL\s0 object.
.SH "NOTES"
.IX Header "NOTES"
The default behavior is to add no padding to the record.
.PP
A user-supplied padding callback function will override the behavior set by
\&\fBSSL_set_block_padding()\fR or \fBSSL_CTX_set_block_padding()\fR. Setting the user-supplied
callback to \s-1NULL\s0 will restore the configured block padding behavior.
.PP
These functions only apply to \s-1TLS 1.3\s0 records being written.
.PP
Padding bytes are not added in constant-time.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_new\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The record padding \s-1API\s0 was added for \s-1TLS 1.3\s0 support in OpenSSL 1.1.1.
.PP
The return type of \fBSSL_CTX_set_record_padding_callback()\fR function was
changed to int in OpenSSL 3.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_security_level.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_security_level.3
index 5118bdbb06ed..8d984390bdbf 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_security_level.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_security_level.3
@@ -1,303 +1,303 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_SECURITY_LEVEL 3"
-.TH SSL_CTX_SET_SECURITY_LEVEL 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_SECURITY_LEVEL 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_security_level, SSL_set_security_level, SSL_CTX_get_security_level, SSL_get_security_level, SSL_CTX_set_security_callback, SSL_set_security_callback, SSL_CTX_get_security_callback, SSL_get_security_callback, SSL_CTX_set0_security_ex_data, SSL_set0_security_ex_data, SSL_CTX_get0_security_ex_data, SSL_get0_security_ex_data \- SSL/TLS security framework
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_CTX_set_security_level(SSL_CTX *ctx, int level);
\& void SSL_set_security_level(SSL *s, int level);
\&
\& int SSL_CTX_get_security_level(const SSL_CTX *ctx);
\& int SSL_get_security_level(const SSL *s);
\&
\& void SSL_CTX_set_security_callback(SSL_CTX *ctx,
\& int (*cb)(SSL *s, SSL_CTX *ctx, int op,
\& int bits, int nid,
\& void *other, void *ex));
\&
\& void SSL_set_security_callback(SSL *s, int (*cb)(SSL *s, SSL_CTX *ctx, int op,
\& int bits, int nid,
\& void *other, void *ex));
\&
\& int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx))(SSL *s, SSL_CTX *ctx, int op,
\& int bits, int nid, void *other,
\& void *ex);
\& int (*SSL_get_security_callback(const SSL *s))(SSL *s, SSL_CTX *ctx, int op,
\& int bits, int nid, void *other,
\& void *ex);
\&
\& void SSL_CTX_set0_security_ex_data(SSL_CTX *ctx, void *ex);
\& void SSL_set0_security_ex_data(SSL *s, void *ex);
\&
\& void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx);
\& void *SSL_get0_security_ex_data(const SSL *s);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The functions \fBSSL_CTX_set_security_level()\fR and \fBSSL_set_security_level()\fR set
the security level to \fBlevel\fR. If not set the library default security level
is used.
.PP
The functions \fBSSL_CTX_get_security_level()\fR and \fBSSL_get_security_level()\fR
retrieve the current security level.
.PP
\&\fBSSL_CTX_set_security_callback()\fR, \fBSSL_set_security_callback()\fR,
\&\fBSSL_CTX_get_security_callback()\fR and \fBSSL_get_security_callback()\fR get or set
the security callback associated with \fBctx\fR or \fBs\fR. If not set a default
security callback is used. The meaning of the parameters and the behaviour
of the default callbacks is described below.
.PP
\&\fBSSL_CTX_set0_security_ex_data()\fR, \fBSSL_set0_security_ex_data()\fR,
\&\fBSSL_CTX_get0_security_ex_data()\fR and \fBSSL_get0_security_ex_data()\fR set the
extra data pointer passed to the \fBex\fR parameter of the callback. This
value is passed to the callback verbatim and can be set to any convenient
application specific value.
.SH "DEFAULT CALLBACK BEHAVIOUR"
.IX Header "DEFAULT CALLBACK BEHAVIOUR"
If an application doesn't set its own security callback the default
callback is used. It is intended to provide sane defaults. The meaning
of each level is described below.
.IP "\fBLevel 0\fR" 4
.IX Item "Level 0"
Everything is permitted. This retains compatibility with previous versions of
OpenSSL.
.IP "\fBLevel 1\fR" 4
.IX Item "Level 1"
The security level corresponds to a minimum of 80 bits of security. Any
parameters offering below 80 bits of security are excluded. As a result \s-1RSA,
DSA\s0 and \s-1DH\s0 keys shorter than 1024 bits and \s-1ECC\s0 keys shorter than 160 bits
are prohibited. All export cipher suites are prohibited since they all offer
less than 80 bits of security. \s-1SSL\s0 version 2 is prohibited. Any cipher suite
using \s-1MD5\s0 for the \s-1MAC\s0 is also prohibited.
.IP "\fBLevel 2\fR" 4
.IX Item "Level 2"
Security level set to 112 bits of security. As a result \s-1RSA, DSA\s0 and \s-1DH\s0 keys
shorter than 2048 bits and \s-1ECC\s0 keys shorter than 224 bits are prohibited.
In addition to the level 1 exclusions any cipher suite using \s-1RC4\s0 is also
prohibited. \s-1SSL\s0 version 3 is also not allowed. Compression is disabled.
.IP "\fBLevel 3\fR" 4
.IX Item "Level 3"
Security level set to 128 bits of security. As a result \s-1RSA, DSA\s0 and \s-1DH\s0 keys
shorter than 3072 bits and \s-1ECC\s0 keys shorter than 256 bits are prohibited.
In addition to the level 2 exclusions cipher suites not offering forward
secrecy are prohibited. \s-1TLS\s0 versions below 1.1 are not permitted. Session
tickets are disabled.
.IP "\fBLevel 4\fR" 4
.IX Item "Level 4"
Security level set to 192 bits of security. As a result \s-1RSA, DSA\s0 and
\&\s-1DH\s0 keys shorter than 7680 bits and \s-1ECC\s0 keys shorter than 384 bits are
prohibited. Cipher suites using \s-1SHA1\s0 for the \s-1MAC\s0 are prohibited. \s-1TLS\s0
versions below 1.2 are not permitted.
.IP "\fBLevel 5\fR" 4
.IX Item "Level 5"
Security level set to 256 bits of security. As a result \s-1RSA, DSA\s0 and \s-1DH\s0 keys
shorter than 15360 bits and \s-1ECC\s0 keys shorter than 512 bits are prohibited.
.SH "APPLICATION DEFINED SECURITY CALLBACKS"
.IX Header "APPLICATION DEFINED SECURITY CALLBACKS"
\&\fIDocumentation to be provided.\fR
.SH "NOTES"
.IX Header "NOTES"
The default security level can be configured when OpenSSL is compiled by
setting \fB\-DOPENSSL_TLS_SECURITY_LEVEL=level\fR. If not set then 1 is used.
.PP
The security framework disables or reject parameters inconsistent with the
set security level. In the past this was difficult as applications had to set
a number of distinct parameters (supported ciphers, supported curves supported
signature algorithms) to achieve this end and some cases (\s-1DH\s0 parameter size
for example) could not be checked at all.
.PP
By setting an appropriate security level much of this complexity can be
avoided.
.PP
The bits of security limits affect all relevant parameters including
cipher suite encryption algorithms, supported \s-1ECC\s0 curves, supported
signature algorithms, \s-1DH\s0 parameter sizes, certificate key sizes and
signature algorithms. This limit applies no matter what other custom
settings an application has set: so if the cipher suite is set to \fB\s-1ALL\s0\fR
then only cipher suites consistent with the security level are permissible.
.PP
See \s-1SP800\-57\s0 for how the security limits are related to individual
algorithms.
.PP
Some security levels require large key sizes for non-ECC public key
algorithms which can severely degrade performance. For example 256 bits
of security requires the use of \s-1RSA\s0 keys of at least 15360 bits in size.
.PP
Some restrictions can be gracefully handled: for example cipher suites
offering insufficient security are not sent by the client and will not
be selected by the server. Other restrictions such as the peer certificate
key size or the \s-1DH\s0 parameter size will abort the handshake with a fatal
alert.
.PP
Attempts to set certificates or parameters with insufficient security are
also blocked. For example trying to set a certificate using a 512 bit \s-1RSA\s0
key using \fBSSL_CTX_use_certificate()\fR at level 1. Applications which do not
check the return values for errors will misbehave: for example it might
appear that a certificate is not set at all because it had been rejected.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_security_level()\fR and \fBSSL_set_security_level()\fR do not return values.
.PP
\&\fBSSL_CTX_get_security_level()\fR and \fBSSL_get_security_level()\fR return a integer that
represents the security level with \fB\s-1SSL_CTX\s0\fR or \fB\s-1SSL\s0\fR, respectively.
.PP
\&\fBSSL_CTX_set_security_callback()\fR and \fBSSL_set_security_callback()\fR do not return
values.
.PP
\&\fBSSL_CTX_get_security_callback()\fR and \fBSSL_get_security_callback()\fR return the pointer
to the security callback or \s-1NULL\s0 if the callback is not set.
.PP
\&\fBSSL_CTX_get0_security_ex_data()\fR and \fBSSL_get0_security_ex_data()\fR return the extra
data pointer or \s-1NULL\s0 if the ex data is not set.
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2014\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_cache_mode.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_cache_mode.3
index dec63bd18fe2..51455305ee30 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_cache_mode.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_cache_mode.3
@@ -1,258 +1,258 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_SESSION_CACHE_MODE 3"
-.TH SSL_CTX_SET_SESSION_CACHE_MODE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_SESSION_CACHE_MODE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_session_cache_mode, SSL_CTX_get_session_cache_mode \- enable/disable session caching
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& long SSL_CTX_set_session_cache_mode(SSL_CTX ctx, long mode);
\& long SSL_CTX_get_session_cache_mode(SSL_CTX ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_session_cache_mode()\fR enables/disables session caching
by setting the operational mode for \fBctx\fR to <mode>.
.PP
\&\fBSSL_CTX_get_session_cache_mode()\fR returns the currently used cache mode.
.SH "NOTES"
.IX Header "NOTES"
The OpenSSL library can store/retrieve \s-1SSL/TLS\s0 sessions for later reuse.
The sessions can be held in memory for each \fBctx\fR, if more than one
\&\s-1SSL_CTX\s0 object is being maintained, the sessions are unique for each \s-1SSL_CTX\s0
object.
.PP
In order to reuse a session, a client must send the session's id to the
server. It can only send exactly one id. The server then either
agrees to reuse the session or it starts a full handshake (to create a new
session).
.PP
A server will look up the session in its internal session storage. If the
session is not found in internal storage or lookups for the internal storage
have been deactivated (\s-1SSL_SESS_CACHE_NO_INTERNAL_LOOKUP\s0), the server will try
the external storage if available.
.PP
Since a client may try to reuse a session intended for use in a different
context, the session id context must be set by the server (see
\&\fBSSL_CTX_set_session_id_context\fR\|(3)).
.PP
The following session cache modes and modifiers are available:
.IP "\s-1SSL_SESS_CACHE_OFF\s0" 4
.IX Item "SSL_SESS_CACHE_OFF"
No session caching for client or server takes place.
.IP "\s-1SSL_SESS_CACHE_CLIENT\s0" 4
.IX Item "SSL_SESS_CACHE_CLIENT"
Client sessions are added to the session cache. As there is no reliable way
for the OpenSSL library to know whether a session should be reused or which
session to choose (due to the abstract \s-1BIO\s0 layer the \s-1SSL\s0 engine does not
have details about the connection), the application must select the session
to be reused by using the \fBSSL_set_session\fR\|(3)
function. This option is not activated by default.
.IP "\s-1SSL_SESS_CACHE_SERVER\s0" 4
.IX Item "SSL_SESS_CACHE_SERVER"
Server sessions are added to the session cache. When a client proposes a
session to be reused, the server looks for the corresponding session in (first)
the internal session cache (unless \s-1SSL_SESS_CACHE_NO_INTERNAL_LOOKUP\s0 is set),
then (second) in the external cache if available. If the session is found, the
server will try to reuse the session. This is the default.
.IP "\s-1SSL_SESS_CACHE_BOTH\s0" 4
.IX Item "SSL_SESS_CACHE_BOTH"
Enable both \s-1SSL_SESS_CACHE_CLIENT\s0 and \s-1SSL_SESS_CACHE_SERVER\s0 at the same time.
.IP "\s-1SSL_SESS_CACHE_NO_AUTO_CLEAR\s0" 4
.IX Item "SSL_SESS_CACHE_NO_AUTO_CLEAR"
Normally the session cache is checked for expired sessions every
255 connections using the
\&\fBSSL_CTX_flush_sessions\fR\|(3) function. Since
this may lead to a delay which cannot be controlled, the automatic
flushing may be disabled and
\&\fBSSL_CTX_flush_sessions\fR\|(3) can be called
explicitly by the application.
.IP "\s-1SSL_SESS_CACHE_NO_INTERNAL_LOOKUP\s0" 4
.IX Item "SSL_SESS_CACHE_NO_INTERNAL_LOOKUP"
By setting this flag, session-resume operations in an \s-1SSL/TLS\s0 server will not
automatically look up sessions in the internal cache, even if sessions are
automatically stored there. If external session caching callbacks are in use,
this flag guarantees that all lookups are directed to the external cache.
As automatic lookup only applies for \s-1SSL/TLS\s0 servers, the flag has no effect on
clients.
.IP "\s-1SSL_SESS_CACHE_NO_INTERNAL_STORE\s0" 4
.IX Item "SSL_SESS_CACHE_NO_INTERNAL_STORE"
Depending on the presence of \s-1SSL_SESS_CACHE_CLIENT\s0 and/or \s-1SSL_SESS_CACHE_SERVER,\s0
sessions negotiated in an \s-1SSL/TLS\s0 handshake may be cached for possible reuse.
Normally a new session is added to the internal cache as well as any external
session caching (callback) that is configured for the \s-1SSL_CTX.\s0 This flag will
prevent sessions being stored in the internal cache (though the application can
add them manually using \fBSSL_CTX_add_session\fR\|(3)). Note:
in any \s-1SSL/TLS\s0 servers where external caching is configured, any successful
session lookups in the external cache (i.e. for session-resume requests) would
normally be copied into the local cache before processing continues \- this flag
prevents these additions to the internal cache as well.
.IP "\s-1SSL_SESS_CACHE_NO_INTERNAL\s0" 4
.IX Item "SSL_SESS_CACHE_NO_INTERNAL"
Enable both \s-1SSL_SESS_CACHE_NO_INTERNAL_LOOKUP\s0 and
\&\s-1SSL_SESS_CACHE_NO_INTERNAL_STORE\s0 at the same time.
.PP
The default mode is \s-1SSL_SESS_CACHE_SERVER.\s0
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_session_cache_mode()\fR returns the previously set cache mode.
.PP
\&\fBSSL_CTX_get_session_cache_mode()\fR returns the currently set cache mode.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_set_session\fR\|(3),
\&\fBSSL_session_reused\fR\|(3),
\&\fBSSL_CTX_add_session\fR\|(3),
\&\fBSSL_CTX_sess_number\fR\|(3),
\&\fBSSL_CTX_sess_set_cache_size\fR\|(3),
\&\fBSSL_CTX_sess_set_get_cb\fR\|(3),
\&\fBSSL_CTX_set_session_id_context\fR\|(3),
\&\fBSSL_CTX_set_timeout\fR\|(3),
\&\fBSSL_CTX_flush_sessions\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_id_context.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_id_context.3
index 054048e6c4af..26d3ed00af86 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_id_context.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_id_context.3
@@ -1,215 +1,215 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_SESSION_ID_CONTEXT 3"
-.TH SSL_CTX_SET_SESSION_ID_CONTEXT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_SESSION_ID_CONTEXT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_session_id_context, SSL_set_session_id_context \- set context within which session can be reused (server side only)
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx,
\& unsigned int sid_ctx_len);
\& int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx,
\& unsigned int sid_ctx_len);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_session_id_context()\fR sets the context \fBsid_ctx\fR of length
\&\fBsid_ctx_len\fR within which a session can be reused for the \fBctx\fR object.
.PP
\&\fBSSL_set_session_id_context()\fR sets the context \fBsid_ctx\fR of length
\&\fBsid_ctx_len\fR within which a session can be reused for the \fBssl\fR object.
.SH "NOTES"
.IX Header "NOTES"
Sessions are generated within a certain context. When exporting/importing
sessions with \fBi2d_SSL_SESSION\fR/\fBd2i_SSL_SESSION\fR it would be possible,
to re-import a session generated from another context (e.g. another
application), which might lead to malfunctions. Therefore, each application
must set its own session id context \fBsid_ctx\fR which is used to distinguish
the contexts and is stored in exported sessions. The \fBsid_ctx\fR can be
any kind of binary data with a given length, it is therefore possible
to use e.g. the name of the application and/or the hostname and/or service
name ...
.PP
The session id context becomes part of the session. The session id context
is set by the \s-1SSL/TLS\s0 server. The \fBSSL_CTX_set_session_id_context()\fR and
\&\fBSSL_set_session_id_context()\fR functions are therefore only useful on the
server side.
.PP
OpenSSL clients will check the session id context returned by the server
when reusing a session.
.PP
The maximum length of the \fBsid_ctx\fR is limited to
\&\fB\s-1SSL_MAX_SID_CTX_LENGTH\s0\fR.
.SH "WARNINGS"
.IX Header "WARNINGS"
If the session id context is not set on an \s-1SSL/TLS\s0 server and client
certificates are used, stored sessions
will not be reused but a fatal error will be flagged and the handshake
will fail.
.PP
If a server returns a different session id context to an OpenSSL client
when reusing a session, an error will be flagged and the handshake will
fail. OpenSSL servers will always return the correct session id context,
as an OpenSSL server checks the session id context itself before reusing
a session as described above.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_session_id_context()\fR and \fBSSL_set_session_id_context()\fR
return the following values:
.IP "0" 4
The length \fBsid_ctx_len\fR of the session id context \fBsid_ctx\fR exceeded
the maximum allowed length of \fB\s-1SSL_MAX_SID_CTX_LENGTH\s0\fR. The error
is logged to the error stack.
.IP "1" 4
.IX Item "1"
The operation succeeded.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_ticket_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_ticket_cb.3
index d4f3b113b206..4d9f5fb352d3 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_ticket_cb.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_session_ticket_cb.3
@@ -1,301 +1,301 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_SESSION_TICKET_CB 3"
-.TH SSL_CTX_SET_SESSION_TICKET_CB 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_SESSION_TICKET_CB 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_session_ticket_cb, SSL_SESSION_get0_ticket_appdata, SSL_SESSION_set1_ticket_appdata, SSL_CTX_generate_session_ticket_fn, SSL_CTX_decrypt_session_ticket_fn \- manage session ticket application data
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& typedef int (*SSL_CTX_generate_session_ticket_fn)(SSL *s, void *arg);
\& typedef SSL_TICKET_RETURN (*SSL_CTX_decrypt_session_ticket_fn)(SSL *s, SSL_SESSION *ss,
\& const unsigned char *keyname,
\& size_t keyname_len,
\& SSL_TICKET_STATUS status,
\& void *arg);
\& int SSL_CTX_set_session_ticket_cb(SSL_CTX *ctx,
\& SSL_CTX_generate_session_ticket_fn gen_cb,
\& SSL_CTX_decrypt_session_ticket_fn dec_cb,
\& void *arg);
\& int SSL_SESSION_set1_ticket_appdata(SSL_SESSION *ss, const void *data, size_t len);
\& int SSL_SESSION_get0_ticket_appdata(SSL_SESSION *ss, void **data, size_t *len);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_set_session_ticket_cb()\fR sets the application callbacks \fBgen_cb\fR
and \fBdec_cb\fR that are used by a server to set and get application data stored
with a session, and placed into a session ticket. Either callback function may
be set to \s-1NULL.\s0 The value of \fBarg\fR is passed to the callbacks.
.PP
\&\fBgen_cb\fR is the application defined callback invoked when a session ticket is
about to be created. The application can call \fBSSL_SESSION_set1_ticket_appdata()\fR
at this time to add application data to the session ticket. The value of \fBarg\fR
is the same as that given to \fBSSL_CTX_set_session_ticket_cb()\fR. The \fBgen_cb\fR
callback is defined as type \fBSSL_CTX_generate_session_ticket_fn\fR.
.PP
\&\fBdec_cb\fR is the application defined callback invoked after session ticket
decryption has been attempted and any session ticket application data is
available. If ticket decryption was successful then the \fBss\fR argument contains
the session data. The \fBkeyname\fR and \fBkeyname_len\fR arguments identify the key
used to decrypt the session ticket. The \fBstatus\fR argument is the result of the
ticket decryption. See the \s-1NOTES\s0 section below for further details. The value
of \fBarg\fR is the same as that given to \fBSSL_CTX_set_session_ticket_cb()\fR. The
\&\fBdec_cb\fR callback is defined as type \fBSSL_CTX_decrypt_session_ticket_fn\fR.
.PP
\&\fBSSL_SESSION_set1_ticket_appdata()\fR sets the application data specified by
\&\fBdata\fR and \fBlen\fR into \fBss\fR which is then placed into any generated session
tickets. It can be called at any time before a session ticket is created to
update the data placed into the session ticket. However, given that sessions
and tickets are created by the handshake, the \fBgen_cb\fR is provided to notify
the application that a session ticket is about to be generated.
.PP
\&\fBSSL_SESSION_get0_ticket_appdata()\fR assigns \fBdata\fR to the session ticket
application data and assigns \fBlen\fR to the length of the session ticket
application data from \fBss\fR. The application data can be set via
\&\fBSSL_SESSION_set1_ticket_appdata()\fR or by a session ticket. \s-1NULL\s0 will be assigned
to \fBdata\fR and 0 will be assigned to \fBlen\fR if there is no session ticket
application data. \fBSSL_SESSION_get0_ticket_appdata()\fR can be called any time
after a session has been created. The \fBdec_cb\fR is provided to notify the
application that a session ticket has just been decrypted.
.SH "NOTES"
.IX Header "NOTES"
When the \fBdec_cb\fR callback is invoked, the \s-1SSL_SESSION\s0 \fBss\fR has not yet been
assigned to the \s-1SSL\s0 \fBs\fR. The \fBstatus\fR indicates the result of the ticket
decryption. The callback must check the \fBstatus\fR value before performing any
action, as it is called even if ticket decryption fails.
.PP
The \fBkeyname\fR and \fBkeyname_len\fR arguments to \fBdec_cb\fR may be used to identify
the key that was used to encrypt the session ticket.
.PP
The \fBstatus\fR argument can be any of these values:
.IP "\s-1SSL_TICKET_EMPTY\s0" 4
.IX Item "SSL_TICKET_EMPTY"
Empty ticket present. No ticket data will be used and a new ticket should be
sent to the client. This only occurs in TLSv1.2 or below. In TLSv1.3 it is not
valid for a client to send an empty ticket.
.IP "\s-1SSL_TICKET_NO_DECRYPT\s0" 4
.IX Item "SSL_TICKET_NO_DECRYPT"
The ticket couldn't be decrypted. No ticket data will be used and a new ticket
should be sent to the client.
.IP "\s-1SSL_TICKET_SUCCESS\s0" 4
.IX Item "SSL_TICKET_SUCCESS"
A ticket was successfully decrypted, any session ticket application data should
be available. A new ticket should not be sent to the client.
.IP "\s-1SSL_TICKET_SUCCESS_RENEW\s0" 4
.IX Item "SSL_TICKET_SUCCESS_RENEW"
Same as \fB\s-1SSL_TICKET_SUCCESS\s0\fR, but a new ticket should be sent to the client.
.PP
The return value can be any of these values:
.IP "\s-1SSL_TICKET_RETURN_ABORT\s0" 4
.IX Item "SSL_TICKET_RETURN_ABORT"
The handshake should be aborted, either because of an error or because of some
policy. Note that in TLSv1.3 a client may send more than one ticket in a single
handshake. Therefore, just because one ticket is unacceptable it does not mean
that all of them are. For this reason this option should be used with caution.
.IP "\s-1SSL_TICKET_RETURN_IGNORE\s0" 4
.IX Item "SSL_TICKET_RETURN_IGNORE"
Do not use a ticket (if one was available). Do not send a renewed ticket to the
client.
.IP "\s-1SSL_TICKET_RETURN_IGNORE_RENEW\s0" 4
.IX Item "SSL_TICKET_RETURN_IGNORE_RENEW"
Do not use a ticket (if one was available). Send a renewed ticket to the client.
.Sp
If the callback does not wish to change the default ticket behaviour then it
should return this value if \fBstatus\fR is \fB\s-1SSL_TICKET_EMPTY\s0\fR or
\&\fB\s-1SSL_TICKET_NO_DECRYPT\s0\fR.
.IP "\s-1SSL_TICKET_RETURN_USE\s0" 4
.IX Item "SSL_TICKET_RETURN_USE"
Use the ticket. Do not send a renewed ticket to the client. It is an error for
the callback to return this value if \fBstatus\fR has a value other than
\&\fB\s-1SSL_TICKET_SUCCESS\s0\fR or \fB\s-1SSL_TICKET_SUCCESS_RENEW\s0\fR.
.Sp
If the callback does not wish to change the default ticket behaviour then it
should return this value if \fBstatus\fR is \fB\s-1SSL_TICKET_SUCCESS\s0\fR.
.IP "\s-1SSL_TICKET_RETURN_USE_RENEW\s0" 4
.IX Item "SSL_TICKET_RETURN_USE_RENEW"
Use the ticket. Send a renewed ticket to the client. It is an error for the
callback to return this value if \fBstatus\fR has a value other than
\&\fB\s-1SSL_TICKET_SUCCESS\s0\fR or \fB\s-1SSL_TICKET_SUCCESS_RENEW\s0\fR.
.Sp
If the callback does not wish to change the default ticket behaviour then it
should return this value if \fBstatus\fR is \fB\s-1SSL_TICKET_SUCCESS_RENEW\s0\fR.
.PP
If \fBstatus\fR has the value \fB\s-1SSL_TICKET_EMPTY\s0\fR or \fB\s-1SSL_TICKET_NO_DECRYPT\s0\fR then
no session data will be available and the callback must not use the \fBss\fR
argument. If \fBstatus\fR has the value \fB\s-1SSL_TICKET_SUCCESS\s0\fR or
\&\fB\s-1SSL_TICKET_SUCCESS_RENEW\s0\fR then the application can call
\&\fBSSL_SESSION_get0_ticket_appdata()\fR using the session provided in the \fBss\fR
argument to retrieve the application data.
.PP
When the \fBgen_cb\fR callback is invoked, the \fBSSL_get_session()\fR function can be
used to retrieve the \s-1SSL_SESSION\s0 for \fBSSL_SESSION_set1_ticket_appdata()\fR.
.PP
By default, in TLSv1.2 and below, a new session ticket is not issued on a
successful resumption and therefore \fBgen_cb\fR will not be called. In TLSv1.3 the
default behaviour is to always issue a new ticket on resumption. In both cases
this behaviour can be changed if a ticket key callback is in use (see
\&\fBSSL_CTX_set_tlsext_ticket_key_cb\fR\|(3)).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The \fBSSL_CTX_set_session_ticket_cb()\fR, \fBSSL_SESSION_set1_ticket_appdata()\fR and
\&\fBSSL_SESSION_get0_ticket_appdata()\fR functions return 1 on success and 0 on
failure.
.PP
The \fBgen_cb\fR callback must return 1 to continue the connection. A return of 0
will terminate the connection with an \s-1INTERNAL_ERROR\s0 alert.
.PP
The \fBdec_cb\fR callback must return a value as described in \s-1NOTES\s0 above.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_get_session\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_CTX_set_session_ticket_cb()\fR, \fBSSL_SESSION_set1_ticket_appdata()\fR
and \fBSSL_SESSION_get_ticket_appdata()\fR functions were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_split_send_fragment.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_split_send_fragment.3
index 3c818f296c9d..ca4f02a04777 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_split_send_fragment.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_split_send_fragment.3
@@ -1,303 +1,303 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_SPLIT_SEND_FRAGMENT 3"
-.TH SSL_CTX_SET_SPLIT_SEND_FRAGMENT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_SPLIT_SEND_FRAGMENT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_max_send_fragment, SSL_set_max_send_fragment, SSL_CTX_set_split_send_fragment, SSL_set_split_send_fragment, SSL_CTX_set_max_pipelines, SSL_set_max_pipelines, SSL_CTX_set_default_read_buffer_len, SSL_set_default_read_buffer_len, SSL_CTX_set_tlsext_max_fragment_length, SSL_set_tlsext_max_fragment_length, SSL_SESSION_get_max_fragment_length \- Control fragment size settings and pipelining operations
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& long SSL_CTX_set_max_send_fragment(SSL_CTX *ctx, long);
\& long SSL_set_max_send_fragment(SSL *ssl, long m);
\&
\& long SSL_CTX_set_max_pipelines(SSL_CTX *ctx, long m);
\& long SSL_set_max_pipelines(SSL_CTX *ssl, long m);
\&
\& long SSL_CTX_set_split_send_fragment(SSL_CTX *ctx, long m);
\& long SSL_set_split_send_fragment(SSL *ssl, long m);
\&
\& void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len);
\& void SSL_set_default_read_buffer_len(SSL *s, size_t len);
\&
\& int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode);
\& int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode);
\& uint8_t SSL_SESSION_get_max_fragment_length(SSL_SESSION *session);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Some engines are able to process multiple simultaneous crypto operations. This
capability could be utilised to parallelise the processing of a single
connection. For example a single write can be split into multiple records and
each one encrypted independently and in parallel. Note: this will only work in
\&\s-1TLS1.1+.\s0 There is no support in SSLv3, TLSv1.0 or \s-1DTLS\s0 (any version). This
capability is known as \*(L"pipelining\*(R" within OpenSSL.
.PP
In order to benefit from the pipelining capability. You need to have an engine
that provides ciphers that support this. The OpenSSL \*(L"dasync\*(R" engine provides
\&\s-1AES128\-SHA\s0 based ciphers that have this capability. However, these are for
development and test purposes only.
.PP
\&\fBSSL_CTX_set_max_send_fragment()\fR and \fBSSL_set_max_send_fragment()\fR set the
\&\fBmax_send_fragment\fR parameter for \s-1SSL_CTX\s0 and \s-1SSL\s0 objects respectively. This
value restricts the amount of plaintext bytes that will be sent in any one
\&\s-1SSL/TLS\s0 record. By default its value is \s-1SSL3_RT_MAX_PLAIN_LENGTH\s0 (16384). These
functions will only accept a value in the range 512 \- \s-1SSL3_RT_MAX_PLAIN_LENGTH.\s0
.PP
\&\fBSSL_CTX_set_max_pipelines()\fR and \fBSSL_set_max_pipelines()\fR set the maximum number
of pipelines that will be used at any one time. This value applies to both
\&\*(L"read\*(R" pipelining and \*(L"write\*(R" pipelining. By default only one pipeline will be
used (i.e. normal non-parallel operation). The number of pipelines set must be
in the range 1 \- \s-1SSL_MAX_PIPELINES\s0 (32). Setting this to a value > 1 will also
automatically turn on \*(L"read_ahead\*(R" (see \fBSSL_CTX_set_read_ahead\fR\|(3)). This is
explained further below. OpenSSL will only every use more than one pipeline if
a cipher suite is negotiated that uses a pipeline capable cipher provided by an
engine.
.PP
Pipelining operates slightly differently for reading encrypted data compared to
writing encrypted data. \fBSSL_CTX_set_split_send_fragment()\fR and
\&\fBSSL_set_split_send_fragment()\fR define how data is split up into pipelines when
writing encrypted data. The number of pipelines used will be determined by the
amount of data provided to the \fBSSL_write_ex()\fR or \fBSSL_write()\fR call divided by
\&\fBsplit_send_fragment\fR.
.PP
For example if \fBsplit_send_fragment\fR is set to 2000 and \fBmax_pipelines\fR is 4
then:
.PP
SSL_write/SSL_write_ex called with 0\-2000 bytes == 1 pipeline used
.PP
SSL_write/SSL_write_ex called with 2001\-4000 bytes == 2 pipelines used
.PP
SSL_write/SSL_write_ex called with 4001\-6000 bytes == 3 pipelines used
.PP
SSL_write/SSL_write_ex called with 6001+ bytes == 4 pipelines used
.PP
\&\fBsplit_send_fragment\fR must always be less than or equal to
\&\fBmax_send_fragment\fR. By default it is set to be equal to \fBmax_send_fragment\fR.
This will mean that the same number of records will always be created as would
have been created in the non-parallel case, although the data will be
apportioned differently. In the parallel case data will be spread equally
between the pipelines.
.PP
Read pipelining is controlled in a slightly different way than with write
pipelining. While reading we are constrained by the number of records that the
peer (and the network) can provide to us in one go. The more records we can get
in one go the more opportunity we have to parallelise the processing. As noted
above when setting \fBmax_pipelines\fR to a value greater than one, \fBread_ahead\fR
is automatically set. The \fBread_ahead\fR parameter causes OpenSSL to attempt to
read as much data into the read buffer as the network can provide and will fit
into the buffer. Without this set data is read into the read buffer one record
at a time. The more data that can be read, the more opportunity there is for
parallelising the processing at the cost of increased memory overhead per
connection. Setting \fBread_ahead\fR can impact the behaviour of the \fBSSL_pending()\fR
function (see \fBSSL_pending\fR\|(3)).
.PP
The \fBSSL_CTX_set_default_read_buffer_len()\fR and \fBSSL_set_default_read_buffer_len()\fR
functions control the size of the read buffer that will be used. The \fBlen\fR
parameter sets the size of the buffer. The value will only be used if it is
greater than the default that would have been used anyway. The normal default
value depends on a number of factors but it will be at least
\&\s-1SSL3_RT_MAX_PLAIN_LENGTH + SSL3_RT_MAX_ENCRYPTED_OVERHEAD\s0 (16704) bytes.
.PP
\&\fBSSL_CTX_set_tlsext_max_fragment_length()\fR sets the default maximum fragment
length negotiation mode via value \fBmode\fR to \fBctx\fR.
This setting affects only \s-1SSL\s0 instances created after this function is called.
It affects the client-side as only its side may initiate this extension use.
.PP
\&\fBSSL_set_tlsext_max_fragment_length()\fR sets the maximum fragment length
negotiation mode via value \fBmode\fR to \fBssl\fR.
This setting will be used during a handshake when extensions are exchanged
between client and server.
So it only affects \s-1SSL\s0 sessions created after this function is called.
It affects the client-side as only its side may initiate this extension use.
.PP
\&\fBSSL_SESSION_get_max_fragment_length()\fR gets the maximum fragment length
negotiated in \fBsession\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All non-void functions return 1 on success and 0 on failure.
.SH "NOTES"
.IX Header "NOTES"
The Maximum Fragment Length extension support is optional on the server side.
If the server does not support this extension then
\&\fBSSL_SESSION_get_max_fragment_length()\fR will return:
TLSEXT_max_fragment_length_DISABLED.
.PP
The following modes are available:
.IP "TLSEXT_max_fragment_length_DISABLED" 4
.IX Item "TLSEXT_max_fragment_length_DISABLED"
Disables Maximum Fragment Length Negotiation (default).
.IP "TLSEXT_max_fragment_length_512" 4
.IX Item "TLSEXT_max_fragment_length_512"
Sets Maximum Fragment Length to 512 bytes.
.IP "TLSEXT_max_fragment_length_1024" 4
.IX Item "TLSEXT_max_fragment_length_1024"
Sets Maximum Fragment Length to 1024.
.IP "TLSEXT_max_fragment_length_2048" 4
.IX Item "TLSEXT_max_fragment_length_2048"
Sets Maximum Fragment Length to 2048.
.IP "TLSEXT_max_fragment_length_4096" 4
.IX Item "TLSEXT_max_fragment_length_4096"
Sets Maximum Fragment Length to 4096.
.PP
With the exception of \fBSSL_CTX_set_default_read_buffer_len()\fR
\&\fBSSL_set_default_read_buffer_len()\fR, \fBSSL_CTX_set_tlsext_max_fragment_length()\fR,
\&\fBSSL_set_tlsext_max_fragment_length()\fR and \fBSSL_SESSION_get_max_fragment_length()\fR
all these functions are implemented using macros.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_CTX_set_read_ahead\fR\|(3), \fBSSL_pending\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_CTX_set_max_pipelines()\fR, \fBSSL_set_max_pipelines()\fR,
\&\fBSSL_CTX_set_split_send_fragment()\fR, \fBSSL_set_split_send_fragment()\fR,
\&\fBSSL_CTX_set_default_read_buffer_len()\fR and \fBSSL_set_default_read_buffer_len()\fR
functions were added in OpenSSL 1.1.0.
.PP
The \fBSSL_CTX_set_tlsext_max_fragment_length()\fR, \fBSSL_set_tlsext_max_fragment_length()\fR
and \fBSSL_SESSION_get_max_fragment_length()\fR functions were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ssl_version.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ssl_version.3
index 30e1b85bbcc4..a3ca5ed09581 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_ssl_version.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_ssl_version.3
@@ -1,193 +1,193 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_SSL_VERSION 3"
-.TH SSL_CTX_SET_SSL_VERSION 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_SSL_VERSION 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_ssl_version, SSL_set_ssl_method, SSL_get_ssl_method \&\- choose a new TLS/SSL method
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *method);
\& int SSL_set_ssl_method(SSL *s, const SSL_METHOD *method);
\& const SSL_METHOD *SSL_get_ssl_method(const SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_ssl_version()\fR sets a new default \s-1TLS/SSL\s0 \fBmethod\fR for \s-1SSL\s0 objects
newly created from this \fBctx\fR. \s-1SSL\s0 objects already created with
\&\fBSSL_new\fR\|(3) are not affected, except when
\&\fBSSL_clear\fR\|(3) is being called.
.PP
\&\fBSSL_set_ssl_method()\fR sets a new \s-1TLS/SSL\s0 \fBmethod\fR for a particular \fBssl\fR
object. It may be reset, when \fBSSL_clear()\fR is called.
.PP
\&\fBSSL_get_ssl_method()\fR returns a function pointer to the \s-1TLS/SSL\s0 method
set in \fBssl\fR.
.SH "NOTES"
.IX Header "NOTES"
The available \fBmethod\fR choices are described in
\&\fBSSL_CTX_new\fR\|(3).
.PP
When \fBSSL_clear\fR\|(3) is called and no session is connected to
an \s-1SSL\s0 object, the method of the \s-1SSL\s0 object is reset to the method currently
set in the corresponding \s-1SSL_CTX\s0 object.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur for \fBSSL_CTX_set_ssl_version()\fR
and \fBSSL_set_ssl_method()\fR:
.IP "0" 4
The new choice failed, check the error stack to find out the reason.
.IP "1" 4
.IX Item "1"
The operation succeeded.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_CTX_new\fR\|(3), \fBSSL_new\fR\|(3),
\&\fBSSL_clear\fR\|(3), \fBssl\fR\|(7),
\&\fBSSL_set_connect_state\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_stateless_cookie_generate_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_stateless_cookie_generate_cb.3
index 96d218d326fc..29fc612a5094 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_stateless_cookie_generate_cb.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_stateless_cookie_generate_cb.3
@@ -1,222 +1,222 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_STATELESS_COOKIE_GENERATE_CB 3"
-.TH SSL_CTX_SET_STATELESS_COOKIE_GENERATE_CB 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_STATELESS_COOKIE_GENERATE_CB 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_stateless_cookie_generate_cb, SSL_CTX_set_stateless_cookie_verify_cb, SSL_CTX_set_cookie_generate_cb, SSL_CTX_set_cookie_verify_cb \&\- Callback functions for stateless TLS1.3 cookies
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_CTX_set_stateless_cookie_generate_cb(
\& SSL_CTX *ctx,
\& int (*gen_stateless_cookie_cb) (SSL *ssl,
\& unsigned char *cookie,
\& size_t *cookie_len));
\& void SSL_CTX_set_stateless_cookie_verify_cb(
\& SSL_CTX *ctx,
\& int (*verify_stateless_cookie_cb) (SSL *ssl,
\& const unsigned char *cookie,
\& size_t cookie_len));
\&
\& void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
\& int (*app_gen_cookie_cb) (SSL *ssl,
\& unsigned char
\& *cookie,
\& unsigned int
\& *cookie_len));
\& void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
\& int (*app_verify_cookie_cb) (SSL *ssl,
\& const unsigned
\& char *cookie,
\& unsigned int
\& cookie_len));
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_stateless_cookie_generate_cb()\fR sets the callback used by
\&\fBSSL_stateless\fR\|(3) to generate the application-controlled portion of the cookie
provided to clients in the HelloRetryRequest transmitted as a response to a
ClientHello with a missing or invalid cookie. \fBgen_stateless_cookie_cb()\fR must
write at most \s-1SSL_COOKIE_LENGTH\s0 bytes into \fBcookie\fR, and must write the number
of bytes written to \fBcookie_len\fR. If a cookie cannot be generated, a zero
return value can be used to abort the handshake.
.PP
\&\fBSSL_CTX_set_stateless_cookie_verify_cb()\fR sets the callback used by
\&\fBSSL_stateless\fR\|(3) to determine whether the application-controlled portion of a
ClientHello cookie is valid. The cookie data is pointed to by \fBcookie\fR and is of
length \fBcookie_len\fR. A nonzero return value from \fBverify_stateless_cookie_cb()\fR
communicates that the cookie is valid. The integrity of the entire cookie,
including the application-controlled portion, is automatically verified by \s-1HMAC\s0
before \fBverify_stateless_cookie_cb()\fR is called.
.PP
\&\fBSSL_CTX_set_cookie_generate_cb()\fR sets the callback used by \fBDTLSv1_listen\fR\|(3)
to generate the cookie provided to clients in the HelloVerifyRequest transmitted
as a response to a ClientHello with a missing or invalid cookie.
\&\fBapp_gen_cookie_cb()\fR must write at most \s-1DTLS1_COOKIE_LENGTH\s0 bytes into
\&\fBcookie\fR, and must write the number of bytes written to \fBcookie_len\fR. If a
cookie cannot be generated, a zero return value can be used to abort the
handshake.
.PP
\&\fBSSL_CTX_set_cookie_verify_cb()\fR sets the callback used by \fBDTLSv1_listen\fR\|(3) to
determine whether the cookie in a ClientHello is valid. The cookie data is
pointed to by \fBcookie\fR and is of length \fBcookie_len\fR. A nonzero return value
from \fBapp_verify_cookie_cb()\fR communicates that the cookie is valid. The
integrity of the cookie is not verified by OpenSSL. This is an application
responsibility.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Neither function returns a value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_stateless\fR\|(3),
\&\fBDTLSv1_listen\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBSSL_CTX_set_stateless_cookie_generate_cb()\fR and
\&\fBSSL_CTX_set_stateless_cookie_verify_cb()\fR were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_timeout.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_timeout.3
index adeb73d471a7..4197f8013829 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_timeout.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_timeout.3
@@ -1,199 +1,199 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_TIMEOUT 3"
-.TH SSL_CTX_SET_TIMEOUT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_TIMEOUT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_timeout, SSL_CTX_get_timeout \- manipulate timeout values for session caching
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& long SSL_CTX_set_timeout(SSL_CTX *ctx, long t);
\& long SSL_CTX_get_timeout(SSL_CTX *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_timeout()\fR sets the timeout for newly created sessions for
\&\fBctx\fR to \fBt\fR. The timeout value \fBt\fR must be given in seconds.
.PP
\&\fBSSL_CTX_get_timeout()\fR returns the currently set timeout value for \fBctx\fR.
.SH "NOTES"
.IX Header "NOTES"
Whenever a new session is created, it is assigned a maximum lifetime. This
lifetime is specified by storing the creation time of the session and the
timeout value valid at this time. If the actual time is later than creation
time plus timeout, the session is not reused.
.PP
Due to this realization, all sessions behave according to the timeout value
valid at the time of the session negotiation. Changes of the timeout value
do not affect already established sessions.
.PP
The expiration time of a single session can be modified using the
\&\fBSSL_SESSION_get_time\fR\|(3) family of functions.
.PP
Expired sessions are removed from the internal session cache, whenever
\&\fBSSL_CTX_flush_sessions\fR\|(3) is called, either
directly by the application or automatically (see
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3))
.PP
The default value for session timeout is decided on a per protocol
basis, see \fBSSL_get_default_timeout\fR\|(3).
All currently supported protocols have the same default timeout value
of 300 seconds.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_timeout()\fR returns the previously set timeout value.
.PP
\&\fBSSL_CTX_get_timeout()\fR returns the currently set timeout value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3),
\&\fBSSL_SESSION_get_time\fR\|(3),
\&\fBSSL_CTX_flush_sessions\fR\|(3),
\&\fBSSL_get_default_timeout\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_servername_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_servername_callback.3
index eaaac186830c..f17f58d871f1 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_servername_callback.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_servername_callback.3
@@ -1,285 +1,285 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK 3"
-.TH SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_tlsext_servername_callback, SSL_CTX_set_tlsext_servername_arg, SSL_get_servername_type, SSL_get_servername, SSL_set_tlsext_host_name \- handle server name indication (SNI)
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& long SSL_CTX_set_tlsext_servername_callback(SSL_CTX *ctx,
\& int (*cb)(SSL *s, int *al, void *arg));
\& long SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg);
\&
\& const char *SSL_get_servername(const SSL *s, const int type);
\& int SSL_get_servername_type(const SSL *s);
\&
\& int SSL_set_tlsext_host_name(const SSL *s, const char *name);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The functionality provided by the servername callback is mostly superseded by
the ClientHello callback, which can be set using \fBSSL_CTX_set_client_hello_cb()\fR.
However, even where the ClientHello callback is used, the servername callback is
still necessary in order to acknowledge the servername requested by the client.
.PP
\&\fBSSL_CTX_set_tlsext_servername_callback()\fR sets the application callback \fBcb\fR
used by a server to perform any actions or configuration required based on
the servername extension received in the incoming connection. When \fBcb\fR
is \s-1NULL, SNI\s0 is not used.
.PP
The servername callback should return one of the following values:
.IP "\s-1SSL_TLSEXT_ERR_OK\s0" 4
.IX Item "SSL_TLSEXT_ERR_OK"
This is used to indicate that the servername requested by the client has been
accepted. Typically a server will call \fBSSL_set_SSL_CTX()\fR in the callback to set
up a different configuration for the selected servername in this case.
.IP "\s-1SSL_TLSEXT_ERR_ALERT_FATAL\s0" 4
.IX Item "SSL_TLSEXT_ERR_ALERT_FATAL"
In this case the servername requested by the client is not accepted and the
handshake will be aborted. The value of the alert to be used should be stored in
the location pointed to by the \fBal\fR parameter to the callback. By default this
value is initialised to \s-1SSL_AD_UNRECOGNIZED_NAME.\s0
.IP "\s-1SSL_TLSEXT_ERR_ALERT_WARNING\s0" 4
.IX Item "SSL_TLSEXT_ERR_ALERT_WARNING"
If this value is returned then the servername is not accepted by the server.
However, the handshake will continue and send a warning alert instead. The value
of the alert should be stored in the location pointed to by the \fBal\fR parameter
as for \s-1SSL_TLSEXT_ERR_ALERT_FATAL\s0 above. Note that TLSv1.3 does not support
warning alerts, so if TLSv1.3 has been negotiated then this return value is
treated the same way as \s-1SSL_TLSEXT_ERR_NOACK.\s0
.IP "\s-1SSL_TLSEXT_ERR_NOACK\s0" 4
.IX Item "SSL_TLSEXT_ERR_NOACK"
This return value indicates that the servername is not accepted by the server.
No alerts are sent and the server will not acknowledge the requested servername.
.PP
\&\fBSSL_CTX_set_tlsext_servername_arg()\fR sets a context-specific argument to be
passed into the callback (via the \fBarg\fR parameter) for this \fB\s-1SSL_CTX\s0\fR.
.PP
The behaviour of \fBSSL_get_servername()\fR depends on a number of different factors.
In particular note that in TLSv1.3 the servername is negotiated in every
handshake. In TLSv1.2 the servername is only negotiated on initial handshakes
and not on resumption handshakes.
.IP "On the client, before the handshake" 4
.IX Item "On the client, before the handshake"
If a servername has been set via a call to \fBSSL_set_tlsext_host_name()\fR then it
will return that servername.
.Sp
If one has not been set, but a TLSv1.2 resumption is being attempted and the
session from the original handshake had a servername accepted by the server then
it will return that servername.
.Sp
Otherwise it returns \s-1NULL.\s0
.IP "On the client, during or after the handshake and a TLSv1.2 (or below) resumption occurred" 4
.IX Item "On the client, during or after the handshake and a TLSv1.2 (or below) resumption occurred"
If the session from the original handshake had a servername accepted by the
server then it will return that servername.
.Sp
Otherwise it returns the servername set via \fBSSL_set_tlsext_host_name()\fR or \s-1NULL\s0
if it was not called.
.IP "On the client, during or after the handshake and a TLSv1.2 (or below) resumption did not occur" 4
.IX Item "On the client, during or after the handshake and a TLSv1.2 (or below) resumption did not occur"
It will return the servername set via \fBSSL_set_tlsext_host_name()\fR or \s-1NULL\s0 if it
was not called.
.IP "On the server, before the handshake" 4
.IX Item "On the server, before the handshake"
The function will always return \s-1NULL\s0 before the handshake
.IP "On the server, after the servername extension has been processed and a TLSv1.2 (or below) resumption occurred" 4
.IX Item "On the server, after the servername extension has been processed and a TLSv1.2 (or below) resumption occurred"
If a servername was accepted by the server in the original handshake then it
will return that servername, or \s-1NULL\s0 otherwise.
.IP "On the server, after the servername extension has been processed and a TLSv1.2 (or below) resumption did not occur" 4
.IX Item "On the server, after the servername extension has been processed and a TLSv1.2 (or below) resumption did not occur"
The function will return the servername requested by the client in this
handshake or \s-1NULL\s0 if none was requested.
.PP
Note that the ClientHello callback occurs before a servername extension from the
client is processed. The servername, certificate and \s-1ALPN\s0 callbacks occur after
a servername extension from the client is processed.
.PP
\&\fBSSL_get_servername_type()\fR returns the servername type or \-1 if no servername
is present. Currently the only supported type (defined in \s-1RFC3546\s0) is
\&\fBTLSEXT_NAMETYPE_host_name\fR.
.PP
\&\fBSSL_set_tlsext_host_name()\fR sets the server name indication ClientHello extension
to contain the value \fBname\fR. The type of server name indication extension is set
to \fBTLSEXT_NAMETYPE_host_name\fR (defined in \s-1RFC3546\s0).
.SH "NOTES"
.IX Header "NOTES"
Several callbacks are executed during ClientHello processing, including
the ClientHello, \s-1ALPN,\s0 and servername callbacks. The ClientHello callback is
executed first, then the servername callback, followed by the \s-1ALPN\s0 callback.
.PP
The \fBSSL_set_tlsext_host_name()\fR function should only be called on \s-1SSL\s0 objects
that will act as clients; otherwise the configured \fBname\fR will be ignored.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_tlsext_servername_callback()\fR and
\&\fBSSL_CTX_set_tlsext_servername_arg()\fR both always return 1 indicating success.
\&\fBSSL_set_tlsext_host_name()\fR returns 1 on success, 0 in case of error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_CTX_set_alpn_select_cb\fR\|(3),
\&\fBSSL_get0_alpn_selected\fR\|(3), \fBSSL_CTX_set_client_hello_cb\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBSSL_get_servername()\fR historically provided some unexpected results in certain
corner cases. This has been fixed from OpenSSL 1.1.1e.
.PP
Prior to 1.1.1e, when the client requested a servername in an initial TLSv1.2
handshake, the server accepted it, and then the client successfully resumed but
set a different explicit servername in the second handshake then when called by
the client it returned the servername from the second handshake. This has now
been changed to return the servername requested in the original handshake.
.PP
Also prior to 1.1.1e, if the client sent a servername in the first handshake but
the server did not accept it, and then a second handshake occurred where TLSv1.2
resumption was successful then when called by the server it returned the
servername requested in the original handshake. This has now been changed to
\&\s-1NULL.\s0
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_status_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_status_cb.3
index a4231e0baee6..f46d32944582 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_status_cb.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_status_cb.3
@@ -1,245 +1,245 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_TLSEXT_STATUS_CB 3"
-.TH SSL_CTX_SET_TLSEXT_STATUS_CB 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_TLSEXT_STATUS_CB 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_tlsext_status_cb, SSL_CTX_get_tlsext_status_cb, SSL_CTX_set_tlsext_status_arg, SSL_CTX_get_tlsext_status_arg, SSL_CTX_set_tlsext_status_type, SSL_CTX_get_tlsext_status_type, SSL_set_tlsext_status_type, SSL_get_tlsext_status_type, SSL_get_tlsext_status_ocsp_resp, SSL_set_tlsext_status_ocsp_resp \&\- OCSP Certificate Status Request functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/tls1.h>
\&
\& long SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx, int (*callback)(SSL *, void *));
\& long SSL_CTX_get_tlsext_status_cb(SSL_CTX *ctx, int (**callback)(SSL *, void *));
\&
\& long SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg);
\& long SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg);
\&
\& long SSL_CTX_set_tlsext_status_type(SSL_CTX *ctx, int type);
\& long SSL_CTX_get_tlsext_status_type(SSL_CTX *ctx);
\&
\& long SSL_set_tlsext_status_type(SSL *s, int type);
\& long SSL_get_tlsext_status_type(SSL *s);
\&
\& long SSL_get_tlsext_status_ocsp_resp(ssl, unsigned char **resp);
\& long SSL_set_tlsext_status_ocsp_resp(ssl, unsigned char *resp, int len);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
A client application may request that a server send back an \s-1OCSP\s0 status response
(also known as \s-1OCSP\s0 stapling). To do so the client should call the
\&\fBSSL_CTX_set_tlsext_status_type()\fR function prior to the creation of any \s-1SSL\s0
objects. Alternatively an application can call the \fBSSL_set_tlsext_status_type()\fR
function on an individual \s-1SSL\s0 object prior to the start of the handshake.
Currently the only supported type is \fBTLSEXT_STATUSTYPE_ocsp\fR. This value
should be passed in the \fBtype\fR argument. Calling
\&\fBSSL_CTX_get_tlsext_status_type()\fR will return the type \fBTLSEXT_STATUSTYPE_ocsp\fR
previously set via \fBSSL_CTX_set_tlsext_status_type()\fR or \-1 if not set.
.PP
The client should additionally provide a callback function to decide what to do
with the returned \s-1OCSP\s0 response by calling \fBSSL_CTX_set_tlsext_status_cb()\fR. The
callback function should determine whether the returned \s-1OCSP\s0 response is
acceptable or not. The callback will be passed as an argument the value
previously set via a call to \fBSSL_CTX_set_tlsext_status_arg()\fR. Note that the
callback will not be called in the event of a handshake where session resumption
occurs (because there are no Certificates exchanged in such a handshake).
The callback previously set via \fBSSL_CTX_set_tlsext_status_cb()\fR can be retrieved
by calling \fBSSL_CTX_get_tlsext_status_cb()\fR, and the argument by calling
\&\fBSSL_CTX_get_tlsext_status_arg()\fR.
.PP
On the client side \fBSSL_get_tlsext_status_type()\fR can be used to determine whether
the client has previously called \fBSSL_set_tlsext_status_type()\fR. It will return
\&\fBTLSEXT_STATUSTYPE_ocsp\fR if it has been called or \-1 otherwise. On the server
side \fBSSL_get_tlsext_status_type()\fR can be used to determine whether the client
requested \s-1OCSP\s0 stapling. If the client requested it then this function will
return \fBTLSEXT_STATUSTYPE_ocsp\fR, or \-1 otherwise.
.PP
The response returned by the server can be obtained via a call to
\&\fBSSL_get_tlsext_status_ocsp_resp()\fR. The value \fB*resp\fR will be updated to point
to the \s-1OCSP\s0 response data and the return value will be the length of that data.
Typically a callback would obtain an \s-1OCSP_RESPONSE\s0 object from this data via a
call to the \fBd2i_OCSP_RESPONSE()\fR function. If the server has not provided any
response data then \fB*resp\fR will be \s-1NULL\s0 and the return value from
\&\fBSSL_get_tlsext_status_ocsp_resp()\fR will be \-1.
.PP
A server application must also call the \fBSSL_CTX_set_tlsext_status_cb()\fR function
if it wants to be able to provide clients with \s-1OCSP\s0 Certificate Status
responses. Typically the server callback would obtain the server certificate
that is being sent back to the client via a call to \fBSSL_get_certificate()\fR;
obtain the \s-1OCSP\s0 response to be sent back; and then set that response data by
calling \fBSSL_set_tlsext_status_ocsp_resp()\fR. A pointer to the response data should
be provided in the \fBresp\fR argument, and the length of that data should be in
the \fBlen\fR argument.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The callback when used on the client side should return a negative value on
error; 0 if the response is not acceptable (in which case the handshake will
fail) or a positive value if it is acceptable.
.PP
The callback when used on the server side should return with either
\&\s-1SSL_TLSEXT_ERR_OK\s0 (meaning that the \s-1OCSP\s0 response that has been set should be
returned), \s-1SSL_TLSEXT_ERR_NOACK\s0 (meaning that an \s-1OCSP\s0 response should not be
returned) or \s-1SSL_TLSEXT_ERR_ALERT_FATAL\s0 (meaning that a fatal error has
occurred).
.PP
\&\fBSSL_CTX_set_tlsext_status_cb()\fR, \fBSSL_CTX_set_tlsext_status_arg()\fR,
\&\fBSSL_CTX_set_tlsext_status_type()\fR, \fBSSL_set_tlsext_status_type()\fR and
\&\fBSSL_set_tlsext_status_ocsp_resp()\fR return 0 on error or 1 on success.
.PP
\&\fBSSL_CTX_get_tlsext_status_type()\fR returns the value previously set by
\&\fBSSL_CTX_set_tlsext_status_type()\fR, or \-1 if not set.
.PP
\&\fBSSL_get_tlsext_status_ocsp_resp()\fR returns the length of the \s-1OCSP\s0 response data
or \-1 if there is no \s-1OCSP\s0 response data.
.PP
\&\fBSSL_get_tlsext_status_type()\fR returns \fBTLSEXT_STATUSTYPE_ocsp\fR on the client
side if \fBSSL_set_tlsext_status_type()\fR was previously called, or on the server
side if the client requested \s-1OCSP\s0 stapling. Otherwise \-1 is returned.
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_get_tlsext_status_type()\fR, \fBSSL_CTX_get_tlsext_status_type()\fR
and \fBSSL_CTX_set_tlsext_status_type()\fR functions were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_ticket_key_cb.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_ticket_key_cb.3
index 36fbf7f1b4aa..6e1816830e50 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_ticket_key_cb.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_ticket_key_cb.3
@@ -1,326 +1,326 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_TLSEXT_TICKET_KEY_CB 3"
-.TH SSL_CTX_SET_TLSEXT_TICKET_KEY_CB 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_TLSEXT_TICKET_KEY_CB 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_tlsext_ticket_key_cb \- set a callback for session ticket processing
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/tls1.h>
\&
\& long SSL_CTX_set_tlsext_ticket_key_cb(SSL_CTX sslctx,
\& int (*cb)(SSL *s, unsigned char key_name[16],
\& unsigned char iv[EVP_MAX_IV_LENGTH],
\& EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc));
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_tlsext_ticket_key_cb()\fR sets a callback function \fIcb\fR for handling
session tickets for the ssl context \fIsslctx\fR. Session tickets, defined in
\&\s-1RFC5077\s0 provide an enhanced session resumption capability where the server
implementation is not required to maintain per session state. It only applies
to \s-1TLS\s0 and there is no SSLv3 implementation.
.PP
The callback function \fIcb\fR will be called for every client instigated \s-1TLS\s0
session when session ticket extension is presented in the \s-1TLS\s0 hello
message. It is the responsibility of this function to create or retrieve the
cryptographic parameters and to maintain their state.
.PP
The OpenSSL library uses your callback function to help implement a common \s-1TLS\s0
ticket construction state according to \s-1RFC5077\s0 Section 4 such that per session
state is unnecessary and a small set of cryptographic variables needs to be
maintained by the callback function implementation.
.PP
In order to reuse a session, a \s-1TLS\s0 client must send the a session ticket
extension to the server. The client can only send exactly one session ticket.
The server, through the callback function, either agrees to reuse the session
ticket information or it starts a full \s-1TLS\s0 handshake to create a new session
ticket.
.PP
Before the callback function is started \fIctx\fR and \fIhctx\fR have been
initialised with \fBEVP_CIPHER_CTX_reset\fR\|(3) and \fBHMAC_CTX_reset\fR\|(3) respectively.
.PP
For new sessions tickets, when the client doesn't present a session ticket, or
an attempted retrieval of the ticket failed, or a renew option was indicated,
the callback function will be called with \fIenc\fR equal to 1. The OpenSSL
library expects that the function will set an arbitrary \fIname\fR, initialize
\&\fIiv\fR, and set the cipher context \fIctx\fR and the hash context \fIhctx\fR.
.PP
The \fIname\fR is 16 characters long and is used as a key identifier.
.PP
The \fIiv\fR length is the length of the \s-1IV\s0 of the corresponding cipher. The
maximum \s-1IV\s0 length is \fB\s-1EVP_MAX_IV_LENGTH\s0\fR bytes defined in \fBevp.h\fR.
.PP
The initialization vector \fIiv\fR should be a random value. The cipher context
\&\fIctx\fR should use the initialisation vector \fIiv\fR. The cipher context can be
set using \fBEVP_EncryptInit_ex\fR\|(3). The hmac context can be set using
\&\fBHMAC_Init_ex\fR\|(3).
.PP
When the client presents a session ticket, the callback function with be called
with \fIenc\fR set to 0 indicating that the \fIcb\fR function should retrieve a set
of parameters. In this case \fIname\fR and \fIiv\fR have already been parsed out of
the session ticket. The OpenSSL library expects that the \fIname\fR will be used
to retrieve a cryptographic parameters and that the cryptographic context
\&\fIctx\fR will be set with the retrieved parameters and the initialization vector
\&\fIiv\fR. using a function like \fBEVP_DecryptInit_ex\fR\|(3). The \fIhctx\fR needs to be
set using \fBHMAC_Init_ex\fR\|(3).
.PP
If the \fIname\fR is still valid but a renewal of the ticket is required the
callback function should return 2. The library will call the callback again
with an argument of enc equal to 1 to set the new ticket.
.PP
The return value of the \fIcb\fR function is used by OpenSSL to determine what
further processing will occur. The following return values have meaning:
.IP "2" 4
.IX Item "2"
This indicates that the \fIctx\fR and \fIhctx\fR have been set and the session can
continue on those parameters. Additionally it indicates that the session
ticket is in a renewal period and should be replaced. The OpenSSL library will
call \fIcb\fR again with an enc argument of 1 to set the new ticket (see \s-1RFC5077
3.3\s0 paragraph 2).
.IP "1" 4
.IX Item "1"
This indicates that the \fIctx\fR and \fIhctx\fR have been set and the session can
continue on those parameters.
.IP "0" 4
This indicates that it was not possible to set/retrieve a session ticket and
the \s-1SSL/TLS\s0 session will continue by negotiating a set of cryptographic
parameters or using the alternate \s-1SSL/TLS\s0 resumption mechanism, session ids.
.Sp
If called with enc equal to 0 the library will call the \fIcb\fR again to get
a new set of parameters.
.IP "less than 0" 4
.IX Item "less than 0"
This indicates an error.
.SH "NOTES"
.IX Header "NOTES"
Session resumption shortcuts the \s-1TLS\s0 so that the client certificate
negotiation don't occur. It makes up for this by storing client certificate
an all other negotiated state information encrypted within the ticket. In a
resumed session the applications will have all this state information available
exactly as if a full negotiation had occurred.
.PP
If an attacker can obtain the key used to encrypt a session ticket, they can
obtain the master secret for any ticket using that key and decrypt any traffic
using that session: even if the cipher suite supports forward secrecy. As
a result applications may wish to use multiple keys and avoid using long term
keys stored in files.
.PP
Applications can use longer keys to maintain a consistent level of security.
For example if a cipher suite uses 256 bit ciphers but only a 128 bit ticket key
the overall security is only 128 bits because breaking the ticket key will
enable an attacker to obtain the session keys.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Returns 1 to indicate the callback function was set and 0 otherwise.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Reference Implementation:
.PP
.Vb 2
\& SSL_CTX_set_tlsext_ticket_key_cb(SSL, ssl_tlsext_ticket_key_cb);
\& ...
\&
\& static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16],
\& unsigned char *iv, EVP_CIPHER_CTX *ctx,
\& HMAC_CTX *hctx, int enc)
\& {
\& your_type_t *key; /* something that you need to implement */
\&
\& if (enc) { /* create new session */
\& if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)
\& return \-1; /* insufficient random */
\&
\& key = currentkey(); /* something that you need to implement */
\& if (key == NULL) {
\& /* current key doesn\*(Aqt exist or isn\*(Aqt valid */
\& key = createkey(); /*
\& * Something that you need to implement.
\& * createkey needs to initialise a name,
\& * an aes_key, a hmac_key and optionally
\& * an expire time.
\& */
\& if (key == NULL) /* key couldn\*(Aqt be created */
\& return 0;
\& }
\& memcpy(key_name, key\->name, 16);
\&
\& EVP_EncryptInit_ex(&ctx, EVP_aes_256_cbc(), NULL, key\->aes_key, iv);
\& HMAC_Init_ex(&hctx, key\->hmac_key, 32, EVP_sha256(), NULL);
\&
\& return 1;
\&
\& } else { /* retrieve session */
\& time_t t = time(NULL);
\& key = findkey(key_name); /* something that you need to implement */
\&
\& if (key == NULL || key\->expire < t)
\& return 0;
\&
\& HMAC_Init_ex(&hctx, key\->hmac_key, 32, EVP_sha256(), NULL);
\& EVP_DecryptInit_ex(&ctx, EVP_aes_256_cbc(), NULL, key\->aes_key, iv);
\&
\& if (key\->expire < t \- RENEW_TIME) { /* RENEW_TIME: implement */
\& /*
\& * return 2 \- This session will get a new ticket even though the
\& * current one is still valid.
\& */
\& return 2;
\& }
\& return 1;
\& }
\& }
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_set_session\fR\|(3),
\&\fBSSL_session_reused\fR\|(3),
\&\fBSSL_CTX_add_session\fR\|(3),
\&\fBSSL_CTX_sess_number\fR\|(3),
\&\fBSSL_CTX_sess_set_get_cb\fR\|(3),
\&\fBSSL_CTX_set_session_id_context\fR\|(3),
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2014\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_use_srtp.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_use_srtp.3
index d58d714a8076..2db35351e28f 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_use_srtp.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tlsext_use_srtp.3
@@ -1,231 +1,231 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_TLSEXT_USE_SRTP 3"
-.TH SSL_CTX_SET_TLSEXT_USE_SRTP 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_TLSEXT_USE_SRTP 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_tlsext_use_srtp, SSL_set_tlsext_use_srtp, SSL_get_srtp_profiles, SSL_get_selected_srtp_profile \&\- Configure and query SRTP support
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/srtp.h>
\&
\& int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles);
\& int SSL_set_tlsext_use_srtp(SSL *ssl, const char *profiles);
\&
\& STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(SSL *ssl);
\& SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *s);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\s-1SRTP\s0 is the Secure Real-Time Transport Protocol. OpenSSL implements support for
the \*(L"use_srtp\*(R" \s-1DTLS\s0 extension defined in \s-1RFC5764.\s0 This provides a mechanism for
establishing \s-1SRTP\s0 keying material, algorithms and parameters using \s-1DTLS.\s0 This
capability may be used as part of an implementation that conforms to \s-1RFC5763.\s0
OpenSSL does not implement \s-1SRTP\s0 itself or \s-1RFC5763.\s0 Note that OpenSSL does not
support the use of \s-1SRTP\s0 Master Key Identifiers (MKIs). Also note that this
extension is only supported in \s-1DTLS.\s0 Any \s-1SRTP\s0 configuration will be ignored if a
\&\s-1TLS\s0 connection is attempted.
.PP
An OpenSSL client wishing to send the \*(L"use_srtp\*(R" extension should call
\&\fBSSL_CTX_set_tlsext_use_srtp()\fR to set its use for all \s-1SSL\s0 objects subsequently
created from an \s-1SSL_CTX.\s0 Alternatively a client may call
\&\fBSSL_set_tlsext_use_srtp()\fR to set its use for an individual \s-1SSL\s0 object. The
\&\fBprofiles\fR parameters should point to a NUL-terminated, colon delimited list of
\&\s-1SRTP\s0 protection profile names.
.PP
The currently supported protection profile names are:
.IP "\s-1SRTP_AES128_CM_SHA1_80\s0" 4
.IX Item "SRTP_AES128_CM_SHA1_80"
This corresponds to \s-1SRTP_AES128_CM_HMAC_SHA1_80\s0 defined in \s-1RFC5764.\s0
.IP "\s-1SRTP_AES128_CM_SHA1_32\s0" 4
.IX Item "SRTP_AES128_CM_SHA1_32"
This corresponds to \s-1SRTP_AES128_CM_HMAC_SHA1_32\s0 defined in \s-1RFC5764.\s0
.IP "\s-1SRTP_AEAD_AES_128_GCM\s0" 4
.IX Item "SRTP_AEAD_AES_128_GCM"
This corresponds to the profile of the same name defined in \s-1RFC7714.\s0
.IP "\s-1SRTP_AEAD_AES_256_GCM\s0" 4
.IX Item "SRTP_AEAD_AES_256_GCM"
This corresponds to the profile of the same name defined in \s-1RFC7714.\s0
.PP
Supplying an unrecognised protection profile name will result in an error.
.PP
An OpenSSL server wishing to support the \*(L"use_srtp\*(R" extension should also call
\&\fBSSL_CTX_set_tlsext_use_srtp()\fR or \fBSSL_set_tlsext_use_srtp()\fR to indicate the
protection profiles that it is willing to negotiate.
.PP
The currently configured list of protection profiles for either a client or a
server can be obtained by calling \fBSSL_get_srtp_profiles()\fR. This returns a stack
of \s-1SRTP_PROTECTION_PROFILE\s0 objects. The memory pointed to in the return value of
this function should not be freed by the caller.
.PP
After a handshake has been completed the negotiated \s-1SRTP\s0 protection profile (if
any) can be obtained (on the client or the server) by calling
\&\fBSSL_get_selected_srtp_profile()\fR. This function will return \s-1NULL\s0 if no \s-1SRTP\s0
protection profile was negotiated. The memory returned from this function should
not be freed by the caller.
.PP
If an \s-1SRTP\s0 protection profile has been successfully negotiated then the \s-1SRTP\s0
keying material (on both the client and server) should be obtained via a call to
\&\fBSSL_export_keying_material\fR\|(3). This call should provide a label value of
\&\*(L"EXTRACTOR\-dtls_srtp\*(R" and a \s-1NULL\s0 context value (use_context is 0). The total
length of keying material obtained should be equal to two times the sum of the
master key length and the salt length as defined for the protection profile in
use. This provides the client write master key, the server write master key, the
client write master salt and the server write master salt in that order.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_tlsext_use_srtp()\fR and \fBSSL_set_tlsext_use_srtp()\fR return 0 on success
or 1 on error.
.PP
\&\fBSSL_get_srtp_profiles()\fR returns a stack of \s-1SRTP_PROTECTION_PROFILE\s0 objects on
success or \s-1NULL\s0 on error or if no protection profiles have been configured.
.PP
\&\fBSSL_get_selected_srtp_profile()\fR returns a pointer to an \s-1SRTP_PROTECTION_PROFILE\s0
object if one has been negotiated or \s-1NULL\s0 otherwise.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_export_keying_material\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_dh_callback.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_dh_callback.3
index 79baf3a8e73f..949a09282024 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_dh_callback.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_tmp_dh_callback.3
@@ -1,269 +1,269 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_TMP_DH_CALLBACK 3"
-.TH SSL_CTX_SET_TMP_DH_CALLBACK 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_TMP_DH_CALLBACK 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_set_tmp_dh_callback, SSL_CTX_set_tmp_dh, SSL_set_tmp_dh_callback, SSL_set_tmp_dh \- handle DH keys for ephemeral key exchange
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
\& DH *(*tmp_dh_callback)(SSL *ssl, int is_export,
\& int keylength));
\& long SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh);
\&
\& void SSL_set_tmp_dh_callback(SSL *ctx,
\& DH *(*tmp_dh_callback)(SSL *ssl, int is_export,
\& int keylength));
\& long SSL_set_tmp_dh(SSL *ssl, DH *dh)
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_tmp_dh_callback()\fR sets the callback function for \fBctx\fR to be
used when a \s-1DH\s0 parameters are required to \fBtmp_dh_callback\fR.
The callback is inherited by all \fBssl\fR objects created from \fBctx\fR.
.PP
\&\fBSSL_CTX_set_tmp_dh()\fR sets \s-1DH\s0 parameters to be used to be \fBdh\fR.
The key is inherited by all \fBssl\fR objects created from \fBctx\fR.
.PP
\&\fBSSL_set_tmp_dh_callback()\fR sets the callback only for \fBssl\fR.
.PP
\&\fBSSL_set_tmp_dh()\fR sets the parameters only for \fBssl\fR.
.PP
These functions apply to \s-1SSL/TLS\s0 servers only.
.SH "NOTES"
.IX Header "NOTES"
When using a cipher with \s-1RSA\s0 authentication, an ephemeral \s-1DH\s0 key exchange
can take place. Ciphers with \s-1DSA\s0 keys always use ephemeral \s-1DH\s0 keys as well.
In these cases, the session data are negotiated using the
ephemeral/temporary \s-1DH\s0 key and the key supplied and certified
by the certificate chain is only used for signing.
Anonymous ciphers (without a permanent server key) also use ephemeral \s-1DH\s0 keys.
.PP
Using ephemeral \s-1DH\s0 key exchange yields forward secrecy, as the connection
can only be decrypted, when the \s-1DH\s0 key is known. By generating a temporary
\&\s-1DH\s0 key inside the server application that is lost when the application
is left, it becomes impossible for an attacker to decrypt past sessions,
even if he gets hold of the normal (certified) key, as this key was
only used for signing.
.PP
In order to perform a \s-1DH\s0 key exchange the server must use a \s-1DH\s0 group
(\s-1DH\s0 parameters) and generate a \s-1DH\s0 key. The server will always generate
a new \s-1DH\s0 key during the negotiation.
.PP
As generating \s-1DH\s0 parameters is extremely time consuming, an application
should not generate the parameters on the fly but supply the parameters.
\&\s-1DH\s0 parameters can be reused, as the actual key is newly generated during
the negotiation. The risk in reusing \s-1DH\s0 parameters is that an attacker
may specialize on a very often used \s-1DH\s0 group. Applications should therefore
generate their own \s-1DH\s0 parameters during the installation process using the
openssl \fBdhparam\fR\|(1) application. This application
guarantees that \*(L"strong\*(R" primes are used.
.PP
Files dh2048.pem, and dh4096.pem in the 'apps' directory of the current
version of the OpenSSL distribution contain the '\s-1SKIP\s0' \s-1DH\s0 parameters,
which use safe primes and were generated verifiably pseudo-randomly.
These files can be converted into C code using the \fB\-C\fR option of the
\&\fBdhparam\fR\|(1) application. Generation of custom \s-1DH\s0
parameters during installation should still be preferred to stop an
attacker from specializing on a commonly used group. File dh1024.pem
contains old parameters that must not be used by applications.
.PP
An application may either directly specify the \s-1DH\s0 parameters or
can supply the \s-1DH\s0 parameters via a callback function.
.PP
Previous versions of the callback used \fBis_export\fR and \fBkeylength\fR
parameters to control parameter generation for export and non-export
cipher suites. Modern servers that do not support export cipher suites
are advised to either use \fBSSL_CTX_set_tmp_dh()\fR or alternatively, use
the callback but ignore \fBkeylength\fR and \fBis_export\fR and simply
supply at least 2048\-bit parameters in the callback.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_set_tmp_dh_callback()\fR and \fBSSL_set_tmp_dh_callback()\fR do not return
diagnostic output.
.PP
\&\fBSSL_CTX_set_tmp_dh()\fR and \fBSSL_set_tmp_dh()\fR do return 1 on success and 0
on failure. Check the error queue to find out the reason of failure.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Setup \s-1DH\s0 parameters with a key length of 2048 bits. (Error handling
partly left out.)
.PP
Command-line parameter generation:
.PP
.Vb 1
\& $ openssl dhparam \-out dh_param_2048.pem 2048
.Ve
.PP
Code for setting up parameters during server initialization:
.PP
.Vb 1
\& SSL_CTX ctx = SSL_CTX_new();
\&
\& DH *dh_2048 = NULL;
\& FILE *paramfile = fopen("dh_param_2048.pem", "r");
\&
\& if (paramfile) {
\& dh_2048 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
\& fclose(paramfile);
\& } else {
\& /* Error. */
\& }
\& if (dh_2048 == NULL)
\& /* Error. */
\& if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1)
\& /* Error. */
\& ...
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_CTX_set_cipher_list\fR\|(3),
\&\fBSSL_CTX_set_options\fR\|(3),
\&\fBciphers\fR\|(1), \fBdhparam\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_set_verify.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_set_verify.3
index dc60495e1b49..90d19e4569a7 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_set_verify.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_set_verify.3
@@ -1,472 +1,472 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_SET_VERIFY 3"
-.TH SSL_CTX_SET_VERIFY 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_SET_VERIFY 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_get_ex_data_X509_STORE_CTX_idx, SSL_CTX_set_verify, SSL_set_verify, SSL_CTX_set_verify_depth, SSL_set_verify_depth, SSL_verify_cb, SSL_verify_client_post_handshake, SSL_set_post_handshake_auth, SSL_CTX_set_post_handshake_auth \&\- set peer certificate verification parameters
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
\&
\& void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, SSL_verify_cb verify_callback);
\& void SSL_set_verify(SSL *ssl, int mode, SSL_verify_cb verify_callback);
\& SSL_get_ex_data_X509_STORE_CTX_idx(void);
\&
\& void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth);
\& void SSL_set_verify_depth(SSL *ssl, int depth);
\&
\& int SSL_verify_client_post_handshake(SSL *ssl);
\& void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val);
\& void SSL_set_post_handshake_auth(SSL *ssl, int val);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_set_verify()\fR sets the verification flags for \fBctx\fR to be \fBmode\fR and
specifies the \fBverify_callback\fR function to be used. If no callback function
shall be specified, the \s-1NULL\s0 pointer can be used for \fBverify_callback\fR.
.PP
\&\fBSSL_set_verify()\fR sets the verification flags for \fBssl\fR to be \fBmode\fR and
specifies the \fBverify_callback\fR function to be used. If no callback function
shall be specified, the \s-1NULL\s0 pointer can be used for \fBverify_callback\fR. In
this case last \fBverify_callback\fR set specifically for this \fBssl\fR remains. If
no special \fBcallback\fR was set before, the default callback for the underlying
\&\fBctx\fR is used, that was valid at the time \fBssl\fR was created with
\&\fBSSL_new\fR\|(3). Within the callback function,
\&\fBSSL_get_ex_data_X509_STORE_CTX_idx\fR can be called to get the data index
of the current \s-1SSL\s0 object that is doing the verification.
.PP
\&\fBSSL_CTX_set_verify_depth()\fR sets the maximum \fBdepth\fR for the certificate chain
verification that shall be allowed for \fBctx\fR.
.PP
\&\fBSSL_set_verify_depth()\fR sets the maximum \fBdepth\fR for the certificate chain
verification that shall be allowed for \fBssl\fR.
.PP
\&\fBSSL_CTX_set_post_handshake_auth()\fR and \fBSSL_set_post_handshake_auth()\fR enable the
Post-Handshake Authentication extension to be added to the ClientHello such that
post-handshake authentication can be requested by the server. If \fBval\fR is 0
then the extension is not sent, otherwise it is. By default the extension is not
sent. A certificate callback will need to be set via
\&\fBSSL_CTX_set_client_cert_cb()\fR if no certificate is provided at initialization.
.PP
\&\fBSSL_verify_client_post_handshake()\fR causes a CertificateRequest message to be
sent by a server on the given \fBssl\fR connection. The \s-1SSL_VERIFY_PEER\s0 flag must
be set; the \s-1SSL_VERIFY_POST_HANDSHAKE\s0 flag is optional.
.SH "NOTES"
.IX Header "NOTES"
The verification of certificates can be controlled by a set of logically
or'ed \fBmode\fR flags:
.IP "\s-1SSL_VERIFY_NONE\s0" 4
.IX Item "SSL_VERIFY_NONE"
\&\fBServer mode:\fR the server will not send a client certificate request to the
client, so the client will not send a certificate.
.Sp
\&\fBClient mode:\fR if not using an anonymous cipher (by default disabled), the
server will send a certificate which will be checked. The result of the
certificate verification process can be checked after the \s-1TLS/SSL\s0 handshake
using the \fBSSL_get_verify_result\fR\|(3) function.
The handshake will be continued regardless of the verification result.
.IP "\s-1SSL_VERIFY_PEER\s0" 4
.IX Item "SSL_VERIFY_PEER"
\&\fBServer mode:\fR the server sends a client certificate request to the client.
The certificate returned (if any) is checked. If the verification process
fails, the \s-1TLS/SSL\s0 handshake is
immediately terminated with an alert message containing the reason for
the verification failure.
The behaviour can be controlled by the additional
\&\s-1SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSL_VERIFY_CLIENT_ONCE\s0 and
\&\s-1SSL_VERIFY_POST_HANDSHAKE\s0 flags.
.Sp
\&\fBClient mode:\fR the server certificate is verified. If the verification process
fails, the \s-1TLS/SSL\s0 handshake is
immediately terminated with an alert message containing the reason for
the verification failure. If no server certificate is sent, because an
anonymous cipher is used, \s-1SSL_VERIFY_PEER\s0 is ignored.
.IP "\s-1SSL_VERIFY_FAIL_IF_NO_PEER_CERT\s0" 4
.IX Item "SSL_VERIFY_FAIL_IF_NO_PEER_CERT"
\&\fBServer mode:\fR if the client did not return a certificate, the \s-1TLS/SSL\s0
handshake is immediately terminated with a \*(L"handshake failure\*(R" alert.
This flag must be used together with \s-1SSL_VERIFY_PEER.\s0
.Sp
\&\fBClient mode:\fR ignored (see \s-1BUGS\s0)
.IP "\s-1SSL_VERIFY_CLIENT_ONCE\s0" 4
.IX Item "SSL_VERIFY_CLIENT_ONCE"
\&\fBServer mode:\fR only request a client certificate once during the
connection. Do not ask for a client certificate again during
renegotiation or post-authentication if a certificate was requested
during the initial handshake. This flag must be used together with
\&\s-1SSL_VERIFY_PEER.\s0
.Sp
\&\fBClient mode:\fR ignored (see \s-1BUGS\s0)
.IP "\s-1SSL_VERIFY_POST_HANDSHAKE\s0" 4
.IX Item "SSL_VERIFY_POST_HANDSHAKE"
\&\fBServer mode:\fR the server will not send a client certificate request
during the initial handshake, but will send the request via
\&\fBSSL_verify_client_post_handshake()\fR. This allows the \s-1SSL_CTX\s0 or \s-1SSL\s0
to be configured for post-handshake peer verification before the
handshake occurs. This flag must be used together with
\&\s-1SSL_VERIFY_PEER.\s0 TLSv1.3 only; no effect on pre\-TLSv1.3 connections.
.Sp
\&\fBClient mode:\fR ignored (see \s-1BUGS\s0)
.PP
If the \fBmode\fR is \s-1SSL_VERIFY_NONE\s0 none of the other flags may be set.
.PP
The actual verification procedure is performed either using the built-in
verification procedure or using another application provided verification
function set with
\&\fBSSL_CTX_set_cert_verify_callback\fR\|(3).
The following descriptions apply in the case of the built-in procedure. An
application provided procedure also has access to the verify depth information
and the \fBverify_callback()\fR function, but the way this information is used
may be different.
.PP
\&\fBSSL_CTX_set_verify_depth()\fR and \fBSSL_set_verify_depth()\fR set a limit on the
number of certificates between the end-entity and trust-anchor certificates.
Neither the
end-entity nor the trust-anchor certificates count against \fBdepth\fR. If the
certificate chain needed to reach a trusted issuer is longer than \fBdepth+2\fR,
X509_V_ERR_CERT_CHAIN_TOO_LONG will be issued.
The depth count is \*(L"level 0:peer certificate\*(R", \*(L"level 1: \s-1CA\s0 certificate\*(R",
\&\*(L"level 2: higher level \s-1CA\s0 certificate\*(R", and so on. Setting the maximum
depth to 2 allows the levels 0, 1, 2 and 3 (0 being the end-entity and 3 the
trust-anchor).
The default depth limit is 100,
allowing for the peer certificate, at most 100 intermediate \s-1CA\s0 certificates and
a final trust anchor certificate.
.PP
The \fBverify_callback\fR function is used to control the behaviour when the
\&\s-1SSL_VERIFY_PEER\s0 flag is set. It must be supplied by the application and
receives two arguments: \fBpreverify_ok\fR indicates, whether the verification of
the certificate in question was passed (preverify_ok=1) or not
(preverify_ok=0). \fBx509_ctx\fR is a pointer to the complete context used
for the certificate chain verification.
.PP
The certificate chain is checked starting with the deepest nesting level
(the root \s-1CA\s0 certificate) and worked upward to the peer's certificate.
At each level signatures and issuer attributes are checked. Whenever
a verification error is found, the error number is stored in \fBx509_ctx\fR
and \fBverify_callback\fR is called with \fBpreverify_ok\fR=0. By applying
X509_CTX_store_* functions \fBverify_callback\fR can locate the certificate
in question and perform additional steps (see \s-1EXAMPLES\s0). If no error is
found for a certificate, \fBverify_callback\fR is called with \fBpreverify_ok\fR=1
before advancing to the next level.
.PP
The return value of \fBverify_callback\fR controls the strategy of the further
verification process. If \fBverify_callback\fR returns 0, the verification
process is immediately stopped with \*(L"verification failed\*(R" state. If
\&\s-1SSL_VERIFY_PEER\s0 is set, a verification failure alert is sent to the peer and
the \s-1TLS/SSL\s0 handshake is terminated. If \fBverify_callback\fR returns 1,
the verification process is continued. If \fBverify_callback\fR always returns
1, the \s-1TLS/SSL\s0 handshake will not be terminated with respect to verification
failures and the connection will be established. The calling process can
however retrieve the error code of the last verification error using
\&\fBSSL_get_verify_result\fR\|(3) or by maintaining its
own error storage managed by \fBverify_callback\fR.
.PP
If no \fBverify_callback\fR is specified, the default callback will be used.
Its return value is identical to \fBpreverify_ok\fR, so that any verification
failure will lead to a termination of the \s-1TLS/SSL\s0 handshake with an
alert message, if \s-1SSL_VERIFY_PEER\s0 is set.
.PP
After calling \fBSSL_set_post_handshake_auth()\fR, the client will need to add a
certificate or certificate callback to its configuration before it can
successfully authenticate. This must be called before \fBSSL_connect()\fR.
.PP
\&\fBSSL_verify_client_post_handshake()\fR requires that verify flags have been
previously set, and that a client sent the post-handshake authentication
extension. When the client returns a certificate the verify callback will be
invoked. A write operation must take place for the Certificate Request to be
sent to the client, this can be done with \fBSSL_do_handshake()\fR or \fBSSL_write_ex()\fR.
Only one certificate request may be outstanding at any time.
.PP
When post-handshake authentication occurs, a refreshed NewSessionTicket
message is sent to the client.
.SH "BUGS"
.IX Header "BUGS"
In client mode, it is not checked whether the \s-1SSL_VERIFY_PEER\s0 flag
is set, but whether any flags other than \s-1SSL_VERIFY_NONE\s0 are set. This can
lead to unexpected behaviour if \s-1SSL_VERIFY_PEER\s0 and other flags are not used as
required.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The SSL*_set_verify*() functions do not provide diagnostic information.
.PP
The \fBSSL_verify_client_post_handshake()\fR function returns 1 if the request
succeeded, and 0 if the request failed. The error stack can be examined
to determine the failure reason.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
The following code sequence realizes an example \fBverify_callback\fR function
that will always continue the \s-1TLS/SSL\s0 handshake regardless of verification
failure, if wished. The callback realizes a verification depth limit with
more informational output.
.PP
All verification errors are printed; information about the certificate chain
is printed on request.
The example is realized for a server that does allow but not require client
certificates.
.PP
The example makes use of the ex_data technique to store application data
into/retrieve application data from the \s-1SSL\s0 structure
(see \fBCRYPTO_get_ex_new_index\fR\|(3),
\&\fBSSL_get_ex_data_X509_STORE_CTX_idx\fR\|(3)).
.PP
.Vb 7
\& ...
\& typedef struct {
\& int verbose_mode;
\& int verify_depth;
\& int always_continue;
\& } mydata_t;
\& int mydata_index;
\&
\& ...
\& static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
\& {
\& char buf[256];
\& X509 *err_cert;
\& int err, depth;
\& SSL *ssl;
\& mydata_t *mydata;
\&
\& err_cert = X509_STORE_CTX_get_current_cert(ctx);
\& err = X509_STORE_CTX_get_error(ctx);
\& depth = X509_STORE_CTX_get_error_depth(ctx);
\&
\& /*
\& * Retrieve the pointer to the SSL of the connection currently treated
\& * and the application specific data stored into the SSL object.
\& */
\& ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
\& mydata = SSL_get_ex_data(ssl, mydata_index);
\&
\& X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
\&
\& /*
\& * Catch a too long certificate chain. The depth limit set using
\& * SSL_CTX_set_verify_depth() is by purpose set to "limit+1" so
\& * that whenever the "depth>verify_depth" condition is met, we
\& * have violated the limit and want to log this error condition.
\& * We must do it here, because the CHAIN_TOO_LONG error would not
\& * be found explicitly; only errors introduced by cutting off the
\& * additional certificates would be logged.
\& */
\& if (depth > mydata\->verify_depth) {
\& preverify_ok = 0;
\& err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
\& X509_STORE_CTX_set_error(ctx, err);
\& }
\& if (!preverify_ok) {
\& printf("verify error:num=%d:%s:depth=%d:%s\en", err,
\& X509_verify_cert_error_string(err), depth, buf);
\& } else if (mydata\->verbose_mode) {
\& printf("depth=%d:%s\en", depth, buf);
\& }
\&
\& /*
\& * At this point, err contains the last verification error. We can use
\& * it for something special
\& */
\& if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) {
\& X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, 256);
\& printf("issuer= %s\en", buf);
\& }
\&
\& if (mydata\->always_continue)
\& return 1;
\& else
\& return preverify_ok;
\& }
\& ...
\&
\& mydata_t mydata;
\&
\& ...
\& mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, NULL);
\&
\& ...
\& SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE,
\& verify_callback);
\&
\& /*
\& * Let the verify_callback catch the verify_depth error so that we get
\& * an appropriate error in the logfile.
\& */
\& SSL_CTX_set_verify_depth(verify_depth + 1);
\&
\& /*
\& * Set up the SSL specific data into "mydata" and store it into th SSL
\& * structure.
\& */
\& mydata.verify_depth = verify_depth; ...
\& SSL_set_ex_data(ssl, mydata_index, &mydata);
\&
\& ...
\& SSL_accept(ssl); /* check of success left out for clarity */
\& if (peer = SSL_get_peer_certificate(ssl)) {
\& if (SSL_get_verify_result(ssl) == X509_V_OK) {
\& /* The client sent a certificate which verified OK */
\& }
\& }
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_new\fR\|(3),
\&\fBSSL_CTX_get_verify_mode\fR\|(3),
\&\fBSSL_get_verify_result\fR\|(3),
\&\fBSSL_CTX_load_verify_locations\fR\|(3),
\&\fBSSL_get_peer_certificate\fR\|(3),
\&\fBSSL_CTX_set_cert_verify_callback\fR\|(3),
\&\fBSSL_get_ex_data_X509_STORE_CTX_idx\fR\|(3),
\&\fBSSL_CTX_set_client_cert_cb\fR\|(3),
\&\fBCRYPTO_get_ex_new_index\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \s-1SSL_VERIFY_POST_HANDSHAKE\s0 option, and the \fBSSL_verify_client_post_handshake()\fR
and \fBSSL_set_post_handshake_auth()\fR functions were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_use_certificate.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_use_certificate.3
index e02323f0342c..bd2374b3c94a 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_use_certificate.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_use_certificate.3
@@ -1,324 +1,324 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_USE_CERTIFICATE 3"
-.TH SSL_CTX_USE_CERTIFICATE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_USE_CERTIFICATE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_use_certificate, SSL_CTX_use_certificate_ASN1, SSL_CTX_use_certificate_file, SSL_use_certificate, SSL_use_certificate_ASN1, SSL_use_certificate_file, SSL_CTX_use_certificate_chain_file, SSL_use_certificate_chain_file, SSL_CTX_use_PrivateKey, SSL_CTX_use_PrivateKey_ASN1, SSL_CTX_use_PrivateKey_file, SSL_CTX_use_RSAPrivateKey, SSL_CTX_use_RSAPrivateKey_ASN1, SSL_CTX_use_RSAPrivateKey_file, SSL_use_PrivateKey_file, SSL_use_PrivateKey_ASN1, SSL_use_PrivateKey, SSL_use_RSAPrivateKey, SSL_use_RSAPrivateKey_ASN1, SSL_use_RSAPrivateKey_file, SSL_CTX_check_private_key, SSL_check_private_key, SSL_CTX_use_cert_and_key, SSL_use_cert_and_key \&\- load certificate and key data
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);
\& int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d);
\& int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);
\& int SSL_use_certificate(SSL *ssl, X509 *x);
\& int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len);
\& int SSL_use_certificate_file(SSL *ssl, const char *file, int type);
\&
\& int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file);
\& int SSL_use_certificate_chain_file(SSL *ssl, const char *file);
\&
\& int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
\& int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, unsigned char *d,
\& long len);
\& int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);
\& int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
\& int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len);
\& int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type);
\& int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
\& int SSL_use_PrivateKey_ASN1(int pk, SSL *ssl, unsigned char *d, long len);
\& int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);
\& int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
\& int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
\& int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
\&
\& int SSL_CTX_check_private_key(const SSL_CTX *ctx);
\& int SSL_check_private_key(const SSL *ssl);
\&
\& int SSL_CTX_use_cert_and_key(SSL_CTX *ctx, X509 *x, EVP_PKEY *pkey, STACK_OF(X509) *chain, int override);
\& int SSL_use_cert_and_key(SSL *ssl, X509 *x, EVP_PKEY *pkey, STACK_OF(X509) *chain, int override);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions load the certificates and private keys into the \s-1SSL_CTX\s0
or \s-1SSL\s0 object, respectively.
.PP
The SSL_CTX_* class of functions loads the certificates and keys into the
\&\s-1SSL_CTX\s0 object \fBctx\fR. The information is passed to \s-1SSL\s0 objects \fBssl\fR
created from \fBctx\fR with \fBSSL_new\fR\|(3) by copying, so that
changes applied to \fBctx\fR do not propagate to already existing \s-1SSL\s0 objects.
.PP
The SSL_* class of functions only loads certificates and keys into a
specific \s-1SSL\s0 object. The specific information is kept, when
\&\fBSSL_clear\fR\|(3) is called for this \s-1SSL\s0 object.
.PP
\&\fBSSL_CTX_use_certificate()\fR loads the certificate \fBx\fR into \fBctx\fR,
\&\fBSSL_use_certificate()\fR loads \fBx\fR into \fBssl\fR. The rest of the
certificates needed to form the complete certificate chain can be
specified using the
\&\fBSSL_CTX_add_extra_chain_cert\fR\|(3)
function.
.PP
\&\fBSSL_CTX_use_certificate_ASN1()\fR loads the \s-1ASN1\s0 encoded certificate from
the memory location \fBd\fR (with length \fBlen\fR) into \fBctx\fR,
\&\fBSSL_use_certificate_ASN1()\fR loads the \s-1ASN1\s0 encoded certificate into \fBssl\fR.
.PP
\&\fBSSL_CTX_use_certificate_file()\fR loads the first certificate stored in \fBfile\fR
into \fBctx\fR. The formatting \fBtype\fR of the certificate must be specified
from the known types \s-1SSL_FILETYPE_PEM, SSL_FILETYPE_ASN1.\s0
\&\fBSSL_use_certificate_file()\fR loads the certificate from \fBfile\fR into \fBssl\fR.
See the \s-1NOTES\s0 section on why \fBSSL_CTX_use_certificate_chain_file()\fR
should be preferred.
.PP
\&\fBSSL_CTX_use_certificate_chain_file()\fR loads a certificate chain from
\&\fBfile\fR into \fBctx\fR. The certificates must be in \s-1PEM\s0 format and must
be sorted starting with the subject's certificate (actual client or server
certificate), followed by intermediate \s-1CA\s0 certificates if applicable, and
ending at the highest level (root) \s-1CA.\s0 \fBSSL_use_certificate_chain_file()\fR is
similar except it loads the certificate chain into \fBssl\fR.
.PP
\&\fBSSL_CTX_use_PrivateKey()\fR adds \fBpkey\fR as private key to \fBctx\fR.
\&\fBSSL_CTX_use_RSAPrivateKey()\fR adds the private key \fBrsa\fR of type \s-1RSA\s0
to \fBctx\fR. \fBSSL_use_PrivateKey()\fR adds \fBpkey\fR as private key to \fBssl\fR;
\&\fBSSL_use_RSAPrivateKey()\fR adds \fBrsa\fR as private key of type \s-1RSA\s0 to \fBssl\fR.
If a certificate has already been set and the private does not belong
to the certificate an error is returned. To change a certificate, private
key pair the new certificate needs to be set with \fBSSL_use_certificate()\fR
or \fBSSL_CTX_use_certificate()\fR before setting the private key with
\&\fBSSL_CTX_use_PrivateKey()\fR or \fBSSL_use_PrivateKey()\fR.
.PP
\&\fBSSL_CTX_use_cert_and_key()\fR and \fBSSL_use_cert_and_key()\fR assign the X.509
certificate \fBx\fR, private key \fBkey\fR, and certificate \fBchain\fR onto the
corresponding \fBssl\fR or \fBctx\fR. The \fBpkey\fR argument must be the private
key of the X.509 certificate \fBx\fR. If the \fBoverride\fR argument is 0, then
\&\fBx\fR, \fBpkey\fR and \fBchain\fR are set only if all were not previously set.
If \fBoverride\fR is non\-0, then the certificate, private key and chain certs
are always set. If \fBpkey\fR is \s-1NULL,\s0 then the public key of \fBx\fR is used as
the private key. This is intended to be used with hardware (via the \s-1ENGINE\s0
interface) that stores the private key securely, such that it cannot be
accessed by OpenSSL. The reference count of the public key is incremented
(twice if there is no private key); it is not copied nor duplicated. This
allows all private key validations checks to succeed without an actual
private key being assigned via \fBSSL_CTX_use_PrivateKey()\fR, etc.
.PP
\&\fBSSL_CTX_use_PrivateKey_ASN1()\fR adds the private key of type \fBpk\fR
stored at memory location \fBd\fR (length \fBlen\fR) to \fBctx\fR.
\&\fBSSL_CTX_use_RSAPrivateKey_ASN1()\fR adds the private key of type \s-1RSA\s0
stored at memory location \fBd\fR (length \fBlen\fR) to \fBctx\fR.
\&\fBSSL_use_PrivateKey_ASN1()\fR and \fBSSL_use_RSAPrivateKey_ASN1()\fR add the private
key to \fBssl\fR.
.PP
\&\fBSSL_CTX_use_PrivateKey_file()\fR adds the first private key found in
\&\fBfile\fR to \fBctx\fR. The formatting \fBtype\fR of the private key must be specified
from the known types \s-1SSL_FILETYPE_PEM, SSL_FILETYPE_ASN1.\s0
\&\fBSSL_CTX_use_RSAPrivateKey_file()\fR adds the first private \s-1RSA\s0 key found in
\&\fBfile\fR to \fBctx\fR. \fBSSL_use_PrivateKey_file()\fR adds the first private key found
in \fBfile\fR to \fBssl\fR; \fBSSL_use_RSAPrivateKey_file()\fR adds the first private
\&\s-1RSA\s0 key found to \fBssl\fR.
.PP
\&\fBSSL_CTX_check_private_key()\fR checks the consistency of a private key with
the corresponding certificate loaded into \fBctx\fR. If more than one
key/certificate pair (\s-1RSA/DSA\s0) is installed, the last item installed will
be checked. If e.g. the last item was a \s-1RSA\s0 certificate or key, the \s-1RSA\s0
key/certificate pair will be checked. \fBSSL_check_private_key()\fR performs
the same check for \fBssl\fR. If no key/certificate was explicitly added for
this \fBssl\fR, the last item added into \fBctx\fR will be checked.
.SH "NOTES"
.IX Header "NOTES"
The internal certificate store of OpenSSL can hold several private
key/certificate pairs at a time. The certificate used depends on the
cipher selected, see also \fBSSL_CTX_set_cipher_list\fR\|(3).
.PP
When reading certificates and private keys from file, files of type
\&\s-1SSL_FILETYPE_ASN1\s0 (also known as \fB\s-1DER\s0\fR, binary encoding) can only contain
one certificate or private key, consequently
\&\fBSSL_CTX_use_certificate_chain_file()\fR is only applicable to \s-1PEM\s0 formatting.
Files of type \s-1SSL_FILETYPE_PEM\s0 can contain more than one item.
.PP
\&\fBSSL_CTX_use_certificate_chain_file()\fR adds the first certificate found
in the file to the certificate store. The other certificates are added
to the store of chain certificates using \fBSSL_CTX_add1_chain_cert\fR\|(3). Note: versions of OpenSSL before 1.0.2 only had a single
certificate chain store for all certificate types, OpenSSL 1.0.2 and later
have a separate chain store for each type. \fBSSL_CTX_use_certificate_chain_file()\fR
should be used instead of the \fBSSL_CTX_use_certificate_file()\fR function in order
to allow the use of complete certificate chains even when no trusted \s-1CA\s0
storage is used or when the \s-1CA\s0 issuing the certificate shall not be added to
the trusted \s-1CA\s0 storage.
.PP
If additional certificates are needed to complete the chain during the
\&\s-1TLS\s0 negotiation, \s-1CA\s0 certificates are additionally looked up in the
locations of trusted \s-1CA\s0 certificates, see
\&\fBSSL_CTX_load_verify_locations\fR\|(3).
.PP
The private keys loaded from file can be encrypted. In order to successfully
load encrypted keys, a function returning the passphrase must have been
supplied, see
\&\fBSSL_CTX_set_default_passwd_cb\fR\|(3).
(Certificate files might be encrypted as well from the technical point
of view, it however does not make sense as the data in the certificate
is considered public anyway.)
.PP
All of the functions to set a new certificate will replace any existing
certificate of the same type that has already been set. Similarly all of the
functions to set a new private key will replace any private key that has already
been set. Applications should call \fBSSL_CTX_check_private_key\fR\|(3) or
\&\fBSSL_check_private_key\fR\|(3) as appropriate after loading a new certificate and
private key to confirm that the certificate and key match.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
On success, the functions return 1.
Otherwise check out the error stack to find out the reason.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_new\fR\|(3), \fBSSL_clear\fR\|(3),
\&\fBSSL_CTX_load_verify_locations\fR\|(3),
\&\fBSSL_CTX_set_default_passwd_cb\fR\|(3),
\&\fBSSL_CTX_set_cipher_list\fR\|(3),
\&\fBSSL_CTX_set_client_CA_list\fR\|(3),
\&\fBSSL_CTX_set_client_cert_cb\fR\|(3),
\&\fBSSL_CTX_add_extra_chain_cert\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_use_psk_identity_hint.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_use_psk_identity_hint.3
index 6c2eb24533ad..1f02560b890e 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_use_psk_identity_hint.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_use_psk_identity_hint.3
@@ -1,271 +1,271 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_USE_PSK_IDENTITY_HINT 3"
-.TH SSL_CTX_USE_PSK_IDENTITY_HINT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_USE_PSK_IDENTITY_HINT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_psk_server_cb_func, SSL_psk_find_session_cb_func, SSL_CTX_use_psk_identity_hint, SSL_use_psk_identity_hint, SSL_CTX_set_psk_server_callback, SSL_set_psk_server_callback, SSL_CTX_set_psk_find_session_callback, SSL_set_psk_find_session_callback \&\- set PSK identity hint to use
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& typedef int (*SSL_psk_find_session_cb_func)(SSL *ssl,
\& const unsigned char *identity,
\& size_t identity_len,
\& SSL_SESSION **sess);
\&
\&
\& void SSL_CTX_set_psk_find_session_callback(SSL_CTX *ctx,
\& SSL_psk_find_session_cb_func cb);
\& void SSL_set_psk_find_session_callback(SSL *s, SSL_psk_find_session_cb_func cb);
\&
\& typedef unsigned int (*SSL_psk_server_cb_func)(SSL *ssl,
\& const char *identity,
\& unsigned char *psk,
\& unsigned int max_psk_len);
\&
\& int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *hint);
\& int SSL_use_psk_identity_hint(SSL *ssl, const char *hint);
\&
\& void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, SSL_psk_server_cb_func cb);
\& void SSL_set_psk_server_callback(SSL *ssl, SSL_psk_server_cb_func cb);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
A server application wishing to use TLSv1.3 PSKs should set a callback
using either \fBSSL_CTX_set_psk_find_session_callback()\fR or
\&\fBSSL_set_psk_find_session_callback()\fR as appropriate.
.PP
The callback function is given a pointer to the \s-1SSL\s0 connection in \fBssl\fR and
an identity in \fBidentity\fR of length \fBidentity_len\fR. The callback function
should identify an \s-1SSL_SESSION\s0 object that provides the \s-1PSK\s0 details and store it
in \fB*sess\fR. The \s-1SSL_SESSION\s0 object should, as a minimum, set the master key,
the ciphersuite and the protocol version. See
\&\fBSSL_CTX_set_psk_use_session_callback\fR\|(3) for details.
.PP
It is also possible for the callback to succeed but not supply a \s-1PSK.\s0 In this
case no \s-1PSK\s0 will be used but the handshake will continue. To do this the
callback should return successfully and ensure that \fB*sess\fR is
\&\s-1NULL.\s0
.PP
Identity hints are not relevant for TLSv1.3. A server application wishing to use
\&\s-1PSK\s0 ciphersuites for TLSv1.2 and below may call \fBSSL_CTX_use_psk_identity_hint()\fR
to set the given \fB\s-1NUL\s0\fR\-terminated \s-1PSK\s0 identity hint \fBhint\fR for \s-1SSL\s0 context
object \fBctx\fR. \fBSSL_use_psk_identity_hint()\fR sets the given \fB\s-1NUL\s0\fR\-terminated \s-1PSK\s0
identity hint \fBhint\fR for the \s-1SSL\s0 connection object \fBssl\fR. If \fBhint\fR is
\&\fB\s-1NULL\s0\fR the current hint from \fBctx\fR or \fBssl\fR is deleted.
.PP
In the case where \s-1PSK\s0 identity hint is \fB\s-1NULL\s0\fR, the server does not send the
ServerKeyExchange message to the client.
.PP
A server application wishing to use PSKs for TLSv1.2 and below must provide a
callback function which is called when the server receives the
ClientKeyExchange message from the client. The purpose of the callback function
is to validate the received \s-1PSK\s0 identity and to fetch the pre-shared key used
during the connection setup phase. The callback is set using the functions
\&\fBSSL_CTX_set_psk_server_callback()\fR or \fBSSL_set_psk_server_callback()\fR. The callback
function is given the connection in parameter \fBssl\fR, \fB\s-1NUL\s0\fR\-terminated \s-1PSK\s0
identity sent by the client in parameter \fBidentity\fR, and a buffer \fBpsk\fR of
length \fBmax_psk_len\fR bytes where the pre-shared key is to be stored.
.PP
The callback for use in TLSv1.2 will also work in TLSv1.3 although it is
recommended to use \fBSSL_CTX_set_psk_find_session_callback()\fR
or \fBSSL_set_psk_find_session_callback()\fR for this purpose instead. If TLSv1.3 has
been negotiated then OpenSSL will first check to see if a callback has been set
via \fBSSL_CTX_set_psk_find_session_callback()\fR or \fBSSL_set_psk_find_session_callback()\fR
and it will use that in preference. If no such callback is present then it will
check to see if a callback has been set via \fBSSL_CTX_set_psk_server_callback()\fR or
\&\fBSSL_set_psk_server_callback()\fR and use that. In this case the handshake digest
will default to \s-1SHA\-256\s0 for any returned \s-1PSK.\s0 TLSv1.3 early data exchanges are
possible in \s-1PSK\s0 connections only with the \fBSSL_psk_find_session_cb_func\fR
callback, and are not possible with the \fBSSL_psk_server_cb_func\fR callback.
.SH "NOTES"
.IX Header "NOTES"
A connection established via a TLSv1.3 \s-1PSK\s0 will appear as if session resumption
has occurred so that \fBSSL_session_reused\fR\|(3) will return true.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fB\fBSSL_CTX_use_psk_identity_hint()\fB\fR and \fB\fBSSL_use_psk_identity_hint()\fB\fR return
1 on success, 0 otherwise.
.PP
Return values from the TLSv1.2 and below server callback are interpreted as
follows:
.IP "0" 4
\&\s-1PSK\s0 identity was not found. An \*(L"unknown_psk_identity\*(R" alert message
will be sent and the connection setup fails.
.IP ">0" 4
.IX Item ">0"
\&\s-1PSK\s0 identity was found and the server callback has provided the \s-1PSK\s0
successfully in parameter \fBpsk\fR. Return value is the length of
\&\fBpsk\fR in bytes. It is an error to return a value greater than
\&\fBmax_psk_len\fR.
.Sp
If the \s-1PSK\s0 identity was not found but the callback instructs the
protocol to continue anyway, the callback must provide some random
data to \fBpsk\fR and return the length of the random data, so the
connection will fail with decryption_error before it will be finished
completely.
.PP
The \fBSSL_psk_find_session_cb_func\fR callback should return 1 on success or 0 on
failure. In the event of failure the connection setup fails.
.SH "NOTES"
.IX Header "NOTES"
There are no known security issues with sharing the same \s-1PSK\s0 between TLSv1.2 (or
below) and TLSv1.3. However, the \s-1RFC\s0 has this note of caution:
.PP
\&\*(L"While there is no known way in which the same \s-1PSK\s0 might produce related output
in both versions, only limited analysis has been done. Implementations can
ensure safety from cross-protocol related output by not reusing PSKs between
\&\s-1TLS 1.3\s0 and \s-1TLS 1.2.\*(R"\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_CTX_set_psk_use_session_callback\fR\|(3),
\&\fBSSL_set_psk_use_session_callback\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBSSL_CTX_set_psk_find_session_callback()\fR and \fBSSL_set_psk_find_session_callback()\fR
were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_CTX_use_serverinfo.3 b/secure/lib/libcrypto/man/man3/SSL_CTX_use_serverinfo.3
index 5af1077c974a..8d3900c7a766 100644
--- a/secure/lib/libcrypto/man/man3/SSL_CTX_use_serverinfo.3
+++ b/secure/lib/libcrypto/man/man3/SSL_CTX_use_serverinfo.3
@@ -1,215 +1,215 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CTX_USE_SERVERINFO 3"
-.TH SSL_CTX_USE_SERVERINFO 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CTX_USE_SERVERINFO 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_CTX_use_serverinfo_ex, SSL_CTX_use_serverinfo, SSL_CTX_use_serverinfo_file \&\- use serverinfo extension
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_CTX_use_serverinfo_ex(SSL_CTX *ctx, unsigned int version,
\& const unsigned char *serverinfo,
\& size_t serverinfo_length);
\&
\& int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
\& size_t serverinfo_length);
\&
\& int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions load \*(L"serverinfo\*(R" \s-1TLS\s0 extensions into the \s-1SSL_CTX. A\s0
\&\*(L"serverinfo\*(R" extension is returned in response to an empty ClientHello
Extension.
.PP
\&\fBSSL_CTX_use_serverinfo_ex()\fR loads one or more serverinfo extensions from
a byte array into \fBctx\fR. The \fBversion\fR parameter specifies the format of the
byte array provided in \fB*serverinfo\fR which is of length \fBserverinfo_length\fR.
.PP
If \fBversion\fR is \fB\s-1SSL_SERVERINFOV2\s0\fR then the extensions in the array must
consist of a 4\-byte context, a 2\-byte Extension Type, a 2\-byte length, and then
length bytes of extension_data. The context and type values have the same
meaning as for \fBSSL_CTX_add_custom_ext\fR\|(3). If serverinfo is being loaded for
extensions to be added to a Certificate message, then the extension will only
be added for the first certificate in the message (which is always the
end-entity certificate).
.PP
If \fBversion\fR is \fB\s-1SSL_SERVERINFOV1\s0\fR then the extensions in the array must
consist of a 2\-byte Extension Type, a 2\-byte length, and then length bytes of
extension_data. The type value has the same meaning as for
\&\fBSSL_CTX_add_custom_ext\fR\|(3). The following default context value will be used
in this case:
.PP
.Vb 2
\& SSL_EXT_TLS1_2_AND_BELOW_ONLY | SSL_EXT_CLIENT_HELLO
\& | SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_IGNORE_ON_RESUMPTION
.Ve
.PP
\&\fBSSL_CTX_use_serverinfo()\fR does the same thing as \fBSSL_CTX_use_serverinfo_ex()\fR
except that there is no \fBversion\fR parameter so a default version of
\&\s-1SSL_SERVERINFOV1\s0 is used instead.
.PP
\&\fBSSL_CTX_use_serverinfo_file()\fR loads one or more serverinfo extensions from
\&\fBfile\fR into \fBctx\fR. The extensions must be in \s-1PEM\s0 format. Each extension
must be in a format as described above for \fBSSL_CTX_use_serverinfo_ex()\fR. Each
\&\s-1PEM\s0 extension name must begin with the phrase \*(L"\s-1BEGIN SERVERINFOV2 FOR \*(R"\s0 for
\&\s-1SSL_SERVERINFOV2\s0 data or \*(L"\s-1BEGIN SERVERINFO FOR \*(R"\s0 for \s-1SSL_SERVERINFOV1\s0 data.
.PP
If more than one certificate (\s-1RSA/DSA\s0) is installed using
\&\fBSSL_CTX_use_certificate()\fR, the serverinfo extension will be loaded into the
last certificate installed. If e.g. the last item was a \s-1RSA\s0 certificate, the
loaded serverinfo extension data will be loaded for that certificate. To
use the serverinfo extension for multiple certificates,
\&\fBSSL_CTX_use_serverinfo()\fR needs to be called multiple times, once \fBafter\fR
each time a certificate is loaded via a call to \fBSSL_CTX_use_certificate()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
On success, the functions return 1.
On failure, the functions return 0. Check out the error stack to find out
the reason.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2013\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_free.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_free.3
index cc9d04892f96..53ff652d7261 100644
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_free.3
+++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_free.3
@@ -1,214 +1,214 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_FREE 3"
-.TH SSL_SESSION_FREE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_SESSION_FREE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_SESSION_new, SSL_SESSION_dup, SSL_SESSION_up_ref, SSL_SESSION_free \- create, free and manage SSL_SESSION structures
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& SSL_SESSION *SSL_SESSION_new(void);
\& SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src);
\& int SSL_SESSION_up_ref(SSL_SESSION *ses);
\& void SSL_SESSION_free(SSL_SESSION *session);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_SESSION_new()\fR creates a new \s-1SSL_SESSION\s0 structure and returns a pointer to
it.
.PP
\&\fBSSL_SESSION_dup()\fR copies the contents of the \s-1SSL_SESSION\s0 structure in \fBsrc\fR
and returns a pointer to it.
.PP
\&\fBSSL_SESSION_up_ref()\fR increments the reference count on the given \s-1SSL_SESSION\s0
structure.
.PP
\&\fBSSL_SESSION_free()\fR decrements the reference count of \fBsession\fR and removes
the \fB\s-1SSL_SESSION\s0\fR structure pointed to by \fBsession\fR and frees up the allocated
memory, if the reference count has reached 0.
If \fBsession\fR is \s-1NULL\s0 nothing is done.
.SH "NOTES"
.IX Header "NOTES"
\&\s-1SSL_SESSION\s0 objects are allocated, when a \s-1TLS/SSL\s0 handshake operation
is successfully completed. Depending on the settings, see
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3),
the \s-1SSL_SESSION\s0 objects are internally referenced by the \s-1SSL_CTX\s0 and
linked into its session cache. \s-1SSL\s0 objects may be using the \s-1SSL_SESSION\s0 object;
as a session may be reused, several \s-1SSL\s0 objects may be using one \s-1SSL_SESSION\s0
object at the same time. It is therefore crucial to keep the reference
count (usage information) correct and not delete a \s-1SSL_SESSION\s0 object
that is still used, as this may lead to program failures due to
dangling pointers. These failures may also appear delayed, e.g.
when an \s-1SSL_SESSION\s0 object was completely freed as the reference count
incorrectly became 0, but it is still referenced in the internal
session cache and the cache list is processed during a
\&\fBSSL_CTX_flush_sessions\fR\|(3) operation.
.PP
\&\fBSSL_SESSION_free()\fR must only be called for \s-1SSL_SESSION\s0 objects, for
which the reference count was explicitly incremented (e.g.
by calling \fBSSL_get1_session()\fR, see \fBSSL_get_session\fR\|(3))
or when the \s-1SSL_SESSION\s0 object was generated outside a \s-1TLS\s0 handshake
operation, e.g. by using \fBd2i_SSL_SESSION\fR\|(3).
It must not be called on other \s-1SSL_SESSION\s0 objects, as this would cause
incorrect reference counts and therefore program failures.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
SSL_SESSION_new returns a pointer to the newly allocated \s-1SSL_SESSION\s0 structure
or \s-1NULL\s0 on error.
.PP
SSL_SESSION_up_ref returns 1 on success or 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_get_session\fR\|(3),
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3),
\&\fBSSL_CTX_flush_sessions\fR\|(3),
\&\fBd2i_SSL_SESSION\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_SESSION_dup()\fR function was added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_cipher.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_cipher.3
index 310077118c47..994b75dcdca3 100644
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_cipher.3
+++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_cipher.3
@@ -1,187 +1,187 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_GET0_CIPHER 3"
-.TH SSL_SESSION_GET0_CIPHER 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_SESSION_GET0_CIPHER 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_SESSION_get0_cipher, SSL_SESSION_set_cipher \&\- set and retrieve the SSL cipher associated with a session
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& const SSL_CIPHER *SSL_SESSION_get0_cipher(const SSL_SESSION *s);
\& int SSL_SESSION_set_cipher(SSL_SESSION *s, const SSL_CIPHER *cipher);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_SESSION_get0_cipher()\fR retrieves the cipher that was used by the
connection when the session was created, or \s-1NULL\s0 if it cannot be determined.
.PP
The value returned is a pointer to an object maintained within \fBs\fR and
should not be released.
.PP
\&\fBSSL_SESSION_set_cipher()\fR can be used to set the ciphersuite associated with the
\&\s-1SSL_SESSION\s0 \fBs\fR to \fBcipher\fR. For example, this could be used to set up a
session based \s-1PSK\s0 (see \fBSSL_CTX_set_psk_use_session_callback\fR\|(3)).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_SESSION_get0_cipher()\fR returns the \s-1SSL_CIPHER\s0 associated with the \s-1SSL_SESSION\s0
or \s-1NULL\s0 if it cannot be determined.
.PP
\&\fBSSL_SESSION_set_cipher()\fR returns 1 on success or 0 on failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBd2i_SSL_SESSION\fR\|(3),
\&\fBSSL_SESSION_get_time\fR\|(3),
\&\fBSSL_SESSION_get0_hostname\fR\|(3),
\&\fBSSL_SESSION_free\fR\|(3),
\&\fBSSL_CTX_set_psk_use_session_callback\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_SESSION_get0_cipher()\fR function was added in OpenSSL 1.1.0.
The \fBSSL_SESSION_set_cipher()\fR function was added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_hostname.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_hostname.3
index f421c3188340..74d555c84138 100644
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_hostname.3
+++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_hostname.3
@@ -1,204 +1,204 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_GET0_HOSTNAME 3"
-.TH SSL_SESSION_GET0_HOSTNAME 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_SESSION_GET0_HOSTNAME 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_SESSION_get0_hostname, SSL_SESSION_set1_hostname, SSL_SESSION_get0_alpn_selected, SSL_SESSION_set1_alpn_selected \&\- get and set SNI and ALPN data associated with a session
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& const char *SSL_SESSION_get0_hostname(const SSL_SESSION *s);
\& int SSL_SESSION_set1_hostname(SSL_SESSION *s, const char *hostname);
\&
\& void SSL_SESSION_get0_alpn_selected(const SSL_SESSION *s,
\& const unsigned char **alpn,
\& size_t *len);
\& int SSL_SESSION_set1_alpn_selected(SSL_SESSION *s, const unsigned char *alpn,
\& size_t len);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_SESSION_get0_hostname()\fR retrieves the \s-1SNI\s0 value that was sent by the
client when the session was created if it was accepted by the server and TLSv1.2
or below was negotiated. Otherwise \s-1NULL\s0 is returned. Note that in TLSv1.3 the
\&\s-1SNI\s0 hostname is negotiated with each handshake including resumption handshakes
and is therefore never associated with the session.
.PP
The value returned is a pointer to memory maintained within \fBs\fR and
should not be free'd.
.PP
\&\fBSSL_SESSION_set1_hostname()\fR sets the \s-1SNI\s0 value for the hostname to a copy of
the string provided in hostname.
.PP
\&\fBSSL_SESSION_get0_alpn_selected()\fR retrieves the selected \s-1ALPN\s0 protocol for this
session and its associated length in bytes. The returned value of \fB*alpn\fR is a
pointer to memory maintained within \fBs\fR and should not be free'd.
.PP
\&\fBSSL_SESSION_set1_alpn_selected()\fR sets the \s-1ALPN\s0 protocol for this session to the
value in \fBalpn\fR which should be of length \fBlen\fR bytes. A copy of the input
value is made, and the caller retains ownership of the memory pointed to by
\&\fBalpn\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_SESSION_get0_hostname()\fR returns either a string or \s-1NULL\s0 based on if there
is the \s-1SNI\s0 value sent by client.
.PP
\&\fBSSL_SESSION_set1_hostname()\fR returns 1 on success or 0 on error.
.PP
\&\fBSSL_SESSION_set1_alpn_selected()\fR returns 1 on success or 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBd2i_SSL_SESSION\fR\|(3),
\&\fBSSL_SESSION_get_time\fR\|(3),
\&\fBSSL_SESSION_free\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_SESSION_set1_hostname()\fR, \fBSSL_SESSION_get0_alpn_selected()\fR and
\&\fBSSL_SESSION_set1_alpn_selected()\fR functions were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_id_context.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_id_context.3
index a8ccede07cf0..f9880af77a87 100644
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_id_context.3
+++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_id_context.3
@@ -1,185 +1,185 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_GET0_ID_CONTEXT 3"
-.TH SSL_SESSION_GET0_ID_CONTEXT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_SESSION_GET0_ID_CONTEXT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_SESSION_get0_id_context, SSL_SESSION_set1_id_context \&\- get and set the SSL ID context associated with a session
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *s,
\& unsigned int *len)
\& int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx,
\& unsigned int sid_ctx_len);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
See \fBSSL_CTX_set_session_id_context\fR\|(3) for further details on session \s-1ID\s0
contexts.
.PP
\&\fBSSL_SESSION_get0_id_context()\fR returns the \s-1ID\s0 context associated with
the \s-1SSL/TLS\s0 session \fBs\fR. The length of the \s-1ID\s0 context is written to
\&\fB*len\fR if \fBlen\fR is not \s-1NULL.\s0
.PP
The value returned is a pointer to an object maintained within \fBs\fR and
should not be released.
.PP
\&\fBSSL_SESSION_set1_id_context()\fR takes a copy of the provided \s-1ID\s0 context given in
\&\fBsid_ctx\fR and associates it with the session \fBs\fR. The length of the \s-1ID\s0 context
is given by \fBsid_ctx_len\fR which must not exceed \s-1SSL_MAX_SID_CTX_LENGTH\s0 bytes.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_SESSION_set1_id_context()\fR returns 1 on success or 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_set_session_id_context\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_SESSION_get0_id_context()\fR function was added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_peer.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_peer.3
index a72f84c56e7a..0d2768423a65 100644
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_peer.3
+++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get0_peer.3
@@ -1,169 +1,169 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_GET0_PEER 3"
-.TH SSL_SESSION_GET0_PEER 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_SESSION_GET0_PEER 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_SESSION_get0_peer \&\- get details about peer's certificate for a session
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& X509 *SSL_SESSION_get0_peer(SSL_SESSION *s);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_SESSION_get0_peer()\fR returns the peer certificate associated with the session
\&\fBs\fR or \s-1NULL\s0 if no peer certificate is available. The caller should not free the
returned value (unless \fBX509_up_ref\fR\|(3) has also been called).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_SESSION_get0_peer()\fR returns a pointer to the peer certificate or \s-1NULL\s0 if
no peer certificate is available.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_compress_id.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_compress_id.3
index 411862ded242..d373b4b3962b 100644
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_compress_id.3
+++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_compress_id.3
@@ -1,170 +1,170 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_GET_COMPRESS_ID 3"
-.TH SSL_SESSION_GET_COMPRESS_ID 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_SESSION_GET_COMPRESS_ID 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_SESSION_get_compress_id \&\- get details about the compression associated with a session
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
If compression has been negotiated for an ssl session then
\&\fBSSL_SESSION_get_compress_id()\fR will return the id for the compression method or
0 otherwise. The only built-in supported compression method is zlib which has an
id of 1.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_SESSION_get_compress_id()\fR returns the id of the compression method or 0 if
none.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_ex_data.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_ex_data.3
index 7b6bafa13967..cec6fa36e1b6 100644
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_ex_data.3
+++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_ex_data.3
@@ -1,177 +1,177 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_GET_EX_DATA 3"
-.TH SSL_SESSION_GET_EX_DATA 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_SESSION_GET_EX_DATA 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_SESSION_set_ex_data, SSL_SESSION_get_ex_data \&\- get and set application specific data on a session
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_SESSION_set_ex_data(SSL_SESSION *ss, int idx, void *data);
\& void *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_SESSION_set_ex_data()\fR enables an application to store arbitrary application
specific data \fBdata\fR in an \s-1SSL_SESSION\s0 structure \fBss\fR. The index \fBidx\fR should
be a value previously returned from a call to \fBCRYPTO_get_ex_new_index\fR\|(3).
.PP
\&\fBSSL_SESSION_get_ex_data()\fR retrieves application specific data previously stored
in an \s-1SSL_SESSION\s0 structure \fBs\fR. The \fBidx\fR value should be the same as that
used when originally storing the data.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_SESSION_set_ex_data()\fR returns 1 for success or 0 for failure.
.PP
\&\fBSSL_SESSION_get_ex_data()\fR returns the previously stored value or \s-1NULL\s0 on
failure. \s-1NULL\s0 may also be a valid value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBCRYPTO_get_ex_new_index\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_protocol_version.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_protocol_version.3
index c40cb0e68f27..023af4ae15dd 100644
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_protocol_version.3
+++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_protocol_version.3
@@ -1,185 +1,185 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_GET_PROTOCOL_VERSION 3"
-.TH SSL_SESSION_GET_PROTOCOL_VERSION 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_SESSION_GET_PROTOCOL_VERSION 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_SESSION_get_protocol_version, SSL_SESSION_set_protocol_version \&\- get and set the session protocol version
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_SESSION_get_protocol_version(const SSL_SESSION *s);
\& int SSL_SESSION_set_protocol_version(SSL_SESSION *s, int version);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_SESSION_get_protocol_version()\fR returns the protocol version number used
by session \fBs\fR.
.PP
\&\fBSSL_SESSION_set_protocol_version()\fR sets the protocol version associated with the
\&\s-1SSL_SESSION\s0 object \fBs\fR to the value \fBversion\fR. This value should be a version
constant such as \fB\s-1TLS1_3_VERSION\s0\fR etc. For example, this could be used to set
up a session based \s-1PSK\s0 (see \fBSSL_CTX_set_psk_use_session_callback\fR\|(3)).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_SESSION_get_protocol_version()\fR returns a number indicating the protocol
version used for the session; this number matches the constants \fIe.g.\fR
\&\fB\s-1TLS1_VERSION\s0\fR, \fB\s-1TLS1_2_VERSION\s0\fR or \fB\s-1TLS1_3_VERSION\s0\fR.
.PP
Note that the \fBSSL_SESSION_get_protocol_version()\fR function
does \fBnot\fR perform a null check on the provided session \fBs\fR pointer.
.PP
\&\fBSSL_SESSION_set_protocol_version()\fR returns 1 on success or 0 on failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_set_psk_use_session_callback\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_SESSION_get_protocol_version()\fR function was added in OpenSSL 1.1.0.
The \fBSSL_SESSION_set_protocol_version()\fR function was added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_time.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_time.3
index 38cbf3c5af7f..17d7968ab24e 100644
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_get_time.3
+++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_get_time.3
@@ -1,204 +1,204 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_GET_TIME 3"
-.TH SSL_SESSION_GET_TIME 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_SESSION_GET_TIME 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_SESSION_get_time, SSL_SESSION_set_time, SSL_SESSION_get_timeout, SSL_SESSION_set_timeout, SSL_get_time, SSL_set_time, SSL_get_timeout, SSL_set_timeout \&\- retrieve and manipulate session time and timeout settings
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& long SSL_SESSION_get_time(const SSL_SESSION *s);
\& long SSL_SESSION_set_time(SSL_SESSION *s, long tm);
\& long SSL_SESSION_get_timeout(const SSL_SESSION *s);
\& long SSL_SESSION_set_timeout(SSL_SESSION *s, long tm);
\&
\& long SSL_get_time(const SSL_SESSION *s);
\& long SSL_set_time(SSL_SESSION *s, long tm);
\& long SSL_get_timeout(const SSL_SESSION *s);
\& long SSL_set_timeout(SSL_SESSION *s, long tm);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_SESSION_get_time()\fR returns the time at which the session \fBs\fR was
established. The time is given in seconds since the Epoch and therefore
compatible to the time delivered by the \fBtime()\fR call.
.PP
\&\fBSSL_SESSION_set_time()\fR replaces the creation time of the session \fBs\fR with
the chosen value \fBtm\fR.
.PP
\&\fBSSL_SESSION_get_timeout()\fR returns the timeout value set for session \fBs\fR
in seconds.
.PP
\&\fBSSL_SESSION_set_timeout()\fR sets the timeout value for session \fBs\fR in seconds
to \fBtm\fR.
.PP
The \fBSSL_get_time()\fR, \fBSSL_set_time()\fR, \fBSSL_get_timeout()\fR, and \fBSSL_set_timeout()\fR
functions are synonyms for the SSL_SESSION_*() counterparts.
.SH "NOTES"
.IX Header "NOTES"
Sessions are expired by examining the creation time and the timeout value.
Both are set at creation time of the session to the actual time and the
default timeout value at creation, respectively, as set by
\&\fBSSL_CTX_set_timeout\fR\|(3).
Using these functions it is possible to extend or shorten the lifetime
of the session.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_SESSION_get_time()\fR and \fBSSL_SESSION_get_timeout()\fR return the currently
valid values.
.PP
\&\fBSSL_SESSION_set_time()\fR and \fBSSL_SESSION_set_timeout()\fR return 1 on success.
.PP
If any of the function is passed the \s-1NULL\s0 pointer for the session \fBs\fR,
0 is returned.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_set_timeout\fR\|(3),
\&\fBSSL_get_default_timeout\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_has_ticket.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_has_ticket.3
index 7f25476daa19..cfab7703b428 100644
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_has_ticket.3
+++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_has_ticket.3
@@ -1,188 +1,188 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_HAS_TICKET 3"
-.TH SSL_SESSION_HAS_TICKET 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_SESSION_HAS_TICKET 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_SESSION_get0_ticket, SSL_SESSION_has_ticket, SSL_SESSION_get_ticket_lifetime_hint \&\- get details about the ticket associated with a session
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_SESSION_has_ticket(const SSL_SESSION *s);
\& unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s);
\& void SSL_SESSION_get0_ticket(const SSL_SESSION *s, const unsigned char **tick,
\& size_t *len);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_SESSION_has_ticket()\fR returns 1 if there is a Session Ticket associated with
this session, and 0 otherwise.
.PP
SSL_SESSION_get_ticket_lifetime_hint returns the lifetime hint in seconds
associated with the session ticket.
.PP
SSL_SESSION_get0_ticket obtains a pointer to the ticket associated with a
session. The length of the ticket is written to \fB*len\fR. If \fBtick\fR is non
\&\s-1NULL\s0 then a pointer to the ticket is written to \fB*tick\fR. The pointer is only
valid while the connection is in use. The session (and hence the ticket pointer)
may also become invalid as a result of a call to \fBSSL_CTX_flush_sessions()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_SESSION_has_ticket()\fR returns 1 if session ticket exists or 0 otherwise.
.PP
\&\fBSSL_SESSION_get_ticket_lifetime_hint()\fR returns the number of seconds.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBd2i_SSL_SESSION\fR\|(3),
\&\fBSSL_SESSION_get_time\fR\|(3),
\&\fBSSL_SESSION_free\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_SESSION_has_ticket()\fR, \fBSSL_SESSION_get_ticket_lifetime_hint()\fR
and \fBSSL_SESSION_get0_ticket()\fR functions were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_is_resumable.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_is_resumable.3
index a52076c8b50a..d78c87142327 100644
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_is_resumable.3
+++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_is_resumable.3
@@ -1,174 +1,174 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_IS_RESUMABLE 3"
-.TH SSL_SESSION_IS_RESUMABLE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_SESSION_IS_RESUMABLE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_SESSION_is_resumable \&\- determine whether an SSL_SESSION object can be used for resumption
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_SESSION_is_resumable(const SSL_SESSION *s);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_SESSION_is_resumable()\fR determines whether an \s-1SSL_SESSION\s0 object can be used
to resume a session or not. Returns 1 if it can or 0 if not. Note that
attempting to resume with a non-resumable session will result in a full
handshake.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_SESSION_is_resumable()\fR returns 1 if the session is resumable or 0 otherwise.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_get_session\fR\|(3),
\&\fBSSL_CTX_sess_set_new_cb\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_SESSION_is_resumable()\fR function was added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_print.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_print.3
index 872fa2db952b..6341da6fa720 100644
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_print.3
+++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_print.3
@@ -1,176 +1,176 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_PRINT 3"
-.TH SSL_SESSION_PRINT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_SESSION_PRINT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_SESSION_print, SSL_SESSION_print_fp, SSL_SESSION_print_keylog \&\- printf information about a session
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_SESSION_print(BIO *fp, const SSL_SESSION *ses);
\& int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *ses);
\& int SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_SESSION_print()\fR prints summary information about the session provided in
\&\fBses\fR to the \s-1BIO\s0 \fBfp\fR.
.PP
\&\fBSSL_SESSION_print_fp()\fR does the same as \fBSSL_SESSION_print()\fR except it prints it
to the \s-1FILE\s0 \fBfp\fR.
.PP
\&\fBSSL_SESSION_print_keylog()\fR prints session information to the provided \s-1BIO\s0 <bp>
in \s-1NSS\s0 keylog format.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_SESSION_print()\fR, \fBSSL_SESSION_print_fp()\fR and SSL_SESSION_print_keylog return
1 on success or 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_SESSION_set1_id.3 b/secure/lib/libcrypto/man/man3/SSL_SESSION_set1_id.3
index de4ce71c063e..a0a2d20129f4 100644
--- a/secure/lib/libcrypto/man/man3/SSL_SESSION_set1_id.3
+++ b/secure/lib/libcrypto/man/man3/SSL_SESSION_set1_id.3
@@ -1,179 +1,179 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_SET1_ID 3"
-.TH SSL_SESSION_SET1_ID 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_SESSION_SET1_ID 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_SESSION_get_id, SSL_SESSION_set1_id \&\- get and set the SSL session ID
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s,
\& unsigned int *len)
\& int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid,
\& unsigned int sid_len);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_SESSION_get_id()\fR returns a pointer to the internal session id value for the
session \fBs\fR. The length of the id in bytes is stored in \fB*len\fR. The length may
be 0. The caller should not free the returned pointer directly.
.PP
\&\fBSSL_SESSION_set1_id()\fR sets the session \s-1ID\s0 for the \fBssl\fR \s-1SSL/TLS\s0 session
to \fBsid\fR of length \fBsid_len\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_SESSION_get_id()\fR returns a pointer to the session id value.
\&\fBSSL_SESSION_set1_id()\fR returns 1 for success and 0 for failure, for example
if the supplied session \s-1ID\s0 length exceeds \fB\s-1SSL_MAX_SSL_SESSION_ID_LENGTH\s0\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_SESSION_set1_id()\fR function was added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_accept.3 b/secure/lib/libcrypto/man/man3/SSL_accept.3
index 4ea58c4c2c1d..bd77dbe71000 100644
--- a/secure/lib/libcrypto/man/man3/SSL_accept.3
+++ b/secure/lib/libcrypto/man/man3/SSL_accept.3
@@ -1,205 +1,205 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_ACCEPT 3"
-.TH SSL_ACCEPT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_ACCEPT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_accept \- wait for a TLS/SSL client to initiate a TLS/SSL handshake
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_accept(SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_accept()\fR waits for a \s-1TLS/SSL\s0 client to initiate the \s-1TLS/SSL\s0 handshake.
The communication channel must already have been set and assigned to the
\&\fBssl\fR by setting an underlying \fB\s-1BIO\s0\fR.
.SH "NOTES"
.IX Header "NOTES"
The behaviour of \fBSSL_accept()\fR depends on the underlying \s-1BIO.\s0
.PP
If the underlying \s-1BIO\s0 is \fBblocking\fR, \fBSSL_accept()\fR will only return once the
handshake has been finished or an error occurred.
.PP
If the underlying \s-1BIO\s0 is \fBnonblocking\fR, \fBSSL_accept()\fR will also return
when the underlying \s-1BIO\s0 could not satisfy the needs of \fBSSL_accept()\fR
to continue the handshake, indicating the problem by the return value \-1.
In this case a call to \fBSSL_get_error()\fR with the
return value of \fBSSL_accept()\fR will yield \fB\s-1SSL_ERROR_WANT_READ\s0\fR or
\&\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR. The calling process then must repeat the call after
taking appropriate action to satisfy the needs of \fBSSL_accept()\fR.
The action depends on the underlying \s-1BIO.\s0 When using a nonblocking socket,
nothing is to be done, but \fBselect()\fR can be used to check for the required
condition. When using a buffering \s-1BIO,\s0 like a \s-1BIO\s0 pair, data must be written
into or retrieved out of the \s-1BIO\s0 before being able to continue.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
.IP "0" 4
The \s-1TLS/SSL\s0 handshake was not successful but was shut down controlled and
by the specifications of the \s-1TLS/SSL\s0 protocol. Call \fBSSL_get_error()\fR with the
return value \fBret\fR to find out the reason.
.IP "1" 4
.IX Item "1"
The \s-1TLS/SSL\s0 handshake was successfully completed, a \s-1TLS/SSL\s0 connection has been
established.
.IP "<0" 4
.IX Item "<0"
The \s-1TLS/SSL\s0 handshake was not successful because a fatal error occurred either
at the protocol level or a connection failure occurred. The shutdown was
not clean. It can also occur if action is needed to continue the operation
for nonblocking BIOs. Call \fBSSL_get_error()\fR with the return value \fBret\fR
to find out the reason.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_get_error\fR\|(3), \fBSSL_connect\fR\|(3),
\&\fBSSL_shutdown\fR\|(3), \fBssl\fR\|(7), \fBbio\fR\|(7),
\&\fBSSL_set_connect_state\fR\|(3),
\&\fBSSL_do_handshake\fR\|(3),
\&\fBSSL_CTX_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_alert_type_string.3 b/secure/lib/libcrypto/man/man3/SSL_alert_type_string.3
index 976d40cedc38..887ad4bb4019 100644
--- a/secure/lib/libcrypto/man/man3/SSL_alert_type_string.3
+++ b/secure/lib/libcrypto/man/man3/SSL_alert_type_string.3
@@ -1,369 +1,369 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_ALERT_TYPE_STRING 3"
-.TH SSL_ALERT_TYPE_STRING 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_ALERT_TYPE_STRING 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_alert_type_string, SSL_alert_type_string_long, SSL_alert_desc_string, SSL_alert_desc_string_long \- get textual description of alert information
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& const char *SSL_alert_type_string(int value);
\& const char *SSL_alert_type_string_long(int value);
\&
\& const char *SSL_alert_desc_string(int value);
\& const char *SSL_alert_desc_string_long(int value);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_alert_type_string()\fR returns a one letter string indicating the
type of the alert specified by \fBvalue\fR.
.PP
\&\fBSSL_alert_type_string_long()\fR returns a string indicating the type of the alert
specified by \fBvalue\fR.
.PP
\&\fBSSL_alert_desc_string()\fR returns a two letter string as a short form
describing the reason of the alert specified by \fBvalue\fR.
.PP
\&\fBSSL_alert_desc_string_long()\fR returns a string describing the reason
of the alert specified by \fBvalue\fR.
.SH "NOTES"
.IX Header "NOTES"
When one side of an \s-1SSL/TLS\s0 communication wants to inform the peer about
a special situation, it sends an alert. The alert is sent as a special message
and does not influence the normal data stream (unless its contents results
in the communication being canceled).
.PP
A warning alert is sent, when a non-fatal error condition occurs. The
\&\*(L"close notify\*(R" alert is sent as a warning alert. Other examples for
non-fatal errors are certificate errors (\*(L"certificate expired\*(R",
\&\*(L"unsupported certificate\*(R"), for which a warning alert may be sent.
(The sending party may however decide to send a fatal error.) The
receiving side may cancel the connection on reception of a warning
alert on it discretion.
.PP
Several alert messages must be sent as fatal alert messages as specified
by the \s-1TLS RFC. A\s0 fatal alert always leads to a connection abort.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following strings can occur for \fBSSL_alert_type_string()\fR or
\&\fBSSL_alert_type_string_long()\fR:
.ie n .IP """W""/""warning""" 4
.el .IP "``W''/``warning''" 4
.IX Item "W/warning"
.PD 0
.ie n .IP """F""/""fatal""" 4
.el .IP "``F''/``fatal''" 4
.IX Item "F/fatal"
.ie n .IP """U""/""unknown""" 4
.el .IP "``U''/``unknown''" 4
.IX Item "U/unknown"
.PD
This indicates that no support is available for this alert type.
Probably \fBvalue\fR does not contain a correct alert message.
.PP
The following strings can occur for \fBSSL_alert_desc_string()\fR or
\&\fBSSL_alert_desc_string_long()\fR:
.ie n .IP """\s-1CN""/\s0""close notify""" 4
.el .IP "``\s-1CN''/\s0``close notify''" 4
.IX Item "CN/close notify"
The connection shall be closed. This is a warning alert.
.ie n .IP """\s-1UM""/\s0""unexpected message""" 4
.el .IP "``\s-1UM''/\s0``unexpected message''" 4
.IX Item "UM/unexpected message"
An inappropriate message was received. This alert is always fatal
and should never be observed in communication between proper
implementations.
.ie n .IP """\s-1BM""/\s0""bad record mac""" 4
.el .IP "``\s-1BM''/\s0``bad record mac''" 4
.IX Item "BM/bad record mac"
This alert is returned if a record is received with an incorrect
\&\s-1MAC.\s0 This message is always fatal.
.ie n .IP """\s-1DF""/\s0""decompression failure""" 4
.el .IP "``\s-1DF''/\s0``decompression failure''" 4
.IX Item "DF/decompression failure"
The decompression function received improper input (e.g. data
that would expand to excessive length). This message is always
fatal.
.ie n .IP """\s-1HF""/\s0""handshake failure""" 4
.el .IP "``\s-1HF''/\s0``handshake failure''" 4
.IX Item "HF/handshake failure"
Reception of a handshake_failure alert message indicates that the
sender was unable to negotiate an acceptable set of security
parameters given the options available. This is a fatal error.
.ie n .IP """\s-1NC""/\s0""no certificate""" 4
.el .IP "``\s-1NC''/\s0``no certificate''" 4
.IX Item "NC/no certificate"
A client, that was asked to send a certificate, does not send a certificate
(SSLv3 only).
.ie n .IP """\s-1BC""/\s0""bad certificate""" 4
.el .IP "``\s-1BC''/\s0``bad certificate''" 4
.IX Item "BC/bad certificate"
A certificate was corrupt, contained signatures that did not
verify correctly, etc
.ie n .IP """\s-1UC""/\s0""unsupported certificate""" 4
.el .IP "``\s-1UC''/\s0``unsupported certificate''" 4
.IX Item "UC/unsupported certificate"
A certificate was of an unsupported type.
.ie n .IP """\s-1CR""/\s0""certificate revoked""" 4
.el .IP "``\s-1CR''/\s0``certificate revoked''" 4
.IX Item "CR/certificate revoked"
A certificate was revoked by its signer.
.ie n .IP """\s-1CE""/\s0""certificate expired""" 4
.el .IP "``\s-1CE''/\s0``certificate expired''" 4
.IX Item "CE/certificate expired"
A certificate has expired or is not currently valid.
.ie n .IP """\s-1CU""/\s0""certificate unknown""" 4
.el .IP "``\s-1CU''/\s0``certificate unknown''" 4
.IX Item "CU/certificate unknown"
Some other (unspecified) issue arose in processing the
certificate, rendering it unacceptable.
.ie n .IP """\s-1IP""/\s0""illegal parameter""" 4
.el .IP "``\s-1IP''/\s0``illegal parameter''" 4
.IX Item "IP/illegal parameter"
A field in the handshake was out of range or inconsistent with
other fields. This is always fatal.
.ie n .IP """\s-1DC""/\s0""decryption failed""" 4
.el .IP "``\s-1DC''/\s0``decryption failed''" 4
.IX Item "DC/decryption failed"
A TLSCiphertext decrypted in an invalid way: either it wasn't an
even multiple of the block length or its padding values, when
checked, weren't correct. This message is always fatal.
.ie n .IP """\s-1RO""/\s0""record overflow""" 4
.el .IP "``\s-1RO''/\s0``record overflow''" 4
.IX Item "RO/record overflow"
A TLSCiphertext record was received which had a length more than
2^14+2048 bytes, or a record decrypted to a TLSCompressed record
with more than 2^14+1024 bytes. This message is always fatal.
.ie n .IP """\s-1CA""/\s0""unknown \s-1CA""\s0" 4
.el .IP "``\s-1CA''/\s0``unknown \s-1CA''\s0" 4
.IX Item "CA/unknown CA"
A valid certificate chain or partial chain was received, but the
certificate was not accepted because the \s-1CA\s0 certificate could not
be located or couldn't be matched with a known, trusted \s-1CA.\s0 This
message is always fatal.
.ie n .IP """\s-1AD""/\s0""access denied""" 4
.el .IP "``\s-1AD''/\s0``access denied''" 4
.IX Item "AD/access denied"
A valid certificate was received, but when access control was
applied, the sender decided not to proceed with negotiation.
This message is always fatal.
.ie n .IP """\s-1DE""/\s0""decode error""" 4
.el .IP "``\s-1DE''/\s0``decode error''" 4
.IX Item "DE/decode error"
A message could not be decoded because some field was out of the
specified range or the length of the message was incorrect. This
message is always fatal.
.ie n .IP """\s-1CY""/\s0""decrypt error""" 4
.el .IP "``\s-1CY''/\s0``decrypt error''" 4
.IX Item "CY/decrypt error"
A handshake cryptographic operation failed, including being
unable to correctly verify a signature, decrypt a key exchange,
or validate a finished message.
.ie n .IP """\s-1ER""/\s0""export restriction""" 4
.el .IP "``\s-1ER''/\s0``export restriction''" 4
.IX Item "ER/export restriction"
A negotiation not in compliance with export restrictions was
detected; for example, attempting to transfer a 1024 bit
ephemeral \s-1RSA\s0 key for the \s-1RSA_EXPORT\s0 handshake method. This
message is always fatal.
.ie n .IP """\s-1PV""/\s0""protocol version""" 4
.el .IP "``\s-1PV''/\s0``protocol version''" 4
.IX Item "PV/protocol version"
The protocol version the client has attempted to negotiate is
recognized, but not supported. (For example, old protocol
versions might be avoided for security reasons). This message is
always fatal.
.ie n .IP """\s-1IS""/\s0""insufficient security""" 4
.el .IP "``\s-1IS''/\s0``insufficient security''" 4
.IX Item "IS/insufficient security"
Returned instead of handshake_failure when a negotiation has
failed specifically because the server requires ciphers more
secure than those supported by the client. This message is always
fatal.
.ie n .IP """\s-1IE""/\s0""internal error""" 4
.el .IP "``\s-1IE''/\s0``internal error''" 4
.IX Item "IE/internal error"
An internal error unrelated to the peer or the correctness of the
protocol makes it impossible to continue (such as a memory
allocation failure). This message is always fatal.
.ie n .IP """\s-1US""/\s0""user canceled""" 4
.el .IP "``\s-1US''/\s0``user canceled''" 4
.IX Item "US/user canceled"
This handshake is being canceled for some reason unrelated to a
protocol failure. If the user cancels an operation after the
handshake is complete, just closing the connection by sending a
close_notify is more appropriate. This alert should be followed
by a close_notify. This message is generally a warning.
.ie n .IP """\s-1NR""/\s0""no renegotiation""" 4
.el .IP "``\s-1NR''/\s0``no renegotiation''" 4
.IX Item "NR/no renegotiation"
Sent by the client in response to a hello request or by the
server in response to a client hello after initial handshaking.
Either of these would normally lead to renegotiation; when that
is not appropriate, the recipient should respond with this alert;
at that point, the original requester can decide whether to
proceed with the connection. One case where this would be
appropriate would be where a server has spawned a process to
satisfy a request; the process might receive security parameters
(key length, authentication, etc.) at startup and it might be
difficult to communicate changes to these parameters after that
point. This message is always a warning.
.ie n .IP """\s-1UP""/\s0""unknown \s-1PSK\s0 identity""" 4
.el .IP "``\s-1UP''/\s0``unknown \s-1PSK\s0 identity''" 4
.IX Item "UP/unknown PSK identity"
Sent by the server to indicate that it does not recognize a \s-1PSK\s0
identity or an \s-1SRP\s0 identity.
.ie n .IP """\s-1UK""/\s0""unknown""" 4
.el .IP "``\s-1UK''/\s0``unknown''" 4
.IX Item "UK/unknown"
This indicates that no description is available for this alert type.
Probably \fBvalue\fR does not contain a correct alert message.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_CTX_set_info_callback\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_alloc_buffers.3 b/secure/lib/libcrypto/man/man3/SSL_alloc_buffers.3
index ba412f7cf289..6bcfaf1b956e 100644
--- a/secure/lib/libcrypto/man/man3/SSL_alloc_buffers.3
+++ b/secure/lib/libcrypto/man/man3/SSL_alloc_buffers.3
@@ -1,193 +1,193 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_ALLOC_BUFFERS 3"
-.TH SSL_ALLOC_BUFFERS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_ALLOC_BUFFERS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_free_buffers, SSL_alloc_buffers \- manage SSL structure buffers
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_free_buffers(SSL *ssl);
\& int SSL_alloc_buffers(SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_free_buffers()\fR frees the read and write buffers of the given \fBssl\fR.
\&\fBSSL_alloc_buffers()\fR allocates the read and write buffers of the given \fBssl\fR.
.PP
The \fB\s-1SSL_MODE_RELEASE_BUFFERS\s0\fR mode releases read or write buffers whenever
the buffers have been drained. These functions allow applications to manually
control when buffers are freed and allocated.
.PP
After freeing the buffers, the buffers are automatically reallocated upon a
new read or write. The \fBSSL_alloc_buffers()\fR does not need to be called, but
can be used to make sure the buffers are preallocated. This can be used to
avoid allocation during data processing or with \fBCRYPTO_set_mem_functions()\fR
to control where and how buffers are allocated.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
.IP "0 (Failure)" 4
.IX Item "0 (Failure)"
The \fBSSL_free_buffers()\fR function returns 0 when there is pending data to be
read or written. The \fBSSL_alloc_buffers()\fR function returns 0 when there is
an allocation failure.
.IP "1 (Success)" 4
.IX Item "1 (Success)"
The \fBSSL_free_buffers()\fR function returns 1 if the buffers have been freed. This
value is also returned if the buffers had been freed before calling
\&\fBSSL_free_buffers()\fR.
The \fBSSL_alloc_buffers()\fR function returns 1 if the buffers have been allocated.
This value is also returned if the buffers had been allocated before calling
\&\fBSSL_alloc_buffers()\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_free\fR\|(3), \fBSSL_clear\fR\|(3),
\&\fBSSL_new\fR\|(3), \fBSSL_CTX_set_mode\fR\|(3),
CRYPTO_set_mem_functions
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_check_chain.3 b/secure/lib/libcrypto/man/man3/SSL_check_chain.3
index 9e593c5633f8..996de7a874b4 100644
--- a/secure/lib/libcrypto/man/man3/SSL_check_chain.3
+++ b/secure/lib/libcrypto/man/man3/SSL_check_chain.3
@@ -1,225 +1,225 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CHECK_CHAIN 3"
-.TH SSL_CHECK_CHAIN 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CHECK_CHAIN 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_check_chain \- check certificate chain suitability
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_check_chain()\fR checks whether certificate \fBx\fR, private key \fBpk\fR and
certificate chain \fBchain\fR is suitable for use with the current session
\&\fBs\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_check_chain()\fR returns a bitmap of flags indicating the validity of the
chain.
.PP
\&\fB\s-1CERT_PKEY_VALID\s0\fR: the chain can be used with the current session.
If this flag is \fBnot\fR set then the certificate will never be used even
if the application tries to set it because it is inconsistent with the
peer preferences.
.PP
\&\fB\s-1CERT_PKEY_SIGN\s0\fR: the \s-1EE\s0 key can be used for signing.
.PP
\&\fB\s-1CERT_PKEY_EE_SIGNATURE\s0\fR: the signature algorithm of the \s-1EE\s0 certificate is
acceptable.
.PP
\&\fB\s-1CERT_PKEY_CA_SIGNATURE\s0\fR: the signature algorithms of all \s-1CA\s0 certificates
are acceptable.
.PP
\&\fB\s-1CERT_PKEY_EE_PARAM\s0\fR: the parameters of the end entity certificate are
acceptable (e.g. it is a supported curve).
.PP
\&\fB\s-1CERT_PKEY_CA_PARAM\s0\fR: the parameters of all \s-1CA\s0 certificates are acceptable.
.PP
\&\fB\s-1CERT_PKEY_EXPLICIT_SIGN\s0\fR: the end entity certificate algorithm
can be used explicitly for signing (i.e. it is mentioned in the signature
algorithms extension).
.PP
\&\fB\s-1CERT_PKEY_ISSUER_NAME\s0\fR: the issuer name is acceptable. This is only
meaningful for client authentication.
.PP
\&\fB\s-1CERT_PKEY_CERT_TYPE\s0\fR: the certificate type is acceptable. Only meaningful
for client authentication.
.PP
\&\fB\s-1CERT_PKEY_SUITEB\s0\fR: chain is suitable for Suite B use.
.SH "NOTES"
.IX Header "NOTES"
\&\fBSSL_check_chain()\fR must be called in servers after a client hello message or in
clients after a certificate request message. It will typically be called
in the certificate callback.
.PP
An application wishing to support multiple certificate chains may call this
function on each chain in turn: starting with the one it considers the
most secure. It could then use the chain of the first set which returns
suitable flags.
.PP
As a minimum the flag \fB\s-1CERT_PKEY_VALID\s0\fR must be set for a chain to be
usable. An application supporting multiple chains with different \s-1CA\s0 signature
algorithms may also wish to check \fB\s-1CERT_PKEY_CA_SIGNATURE\s0\fR too. If no
chain is suitable a server should fall back to the most secure chain which
sets \fB\s-1CERT_PKEY_VALID\s0\fR.
.PP
The validity of a chain is determined by checking if it matches a supported
signature algorithm, supported curves and in the case of client authentication
certificate types and issuer names.
.PP
Since the supported signature algorithms extension is only used in \s-1TLS 1.2,
TLS 1.3\s0 and \s-1DTLS 1.2\s0 the results for earlier versions of \s-1TLS\s0 and \s-1DTLS\s0 may not
be very useful. Applications may wish to specify a different \*(L"legacy\*(R" chain
for earlier versions of \s-1TLS\s0 or \s-1DTLS.\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_CTX_set_cert_cb\fR\|(3),
\&\fBssl\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_clear.3 b/secure/lib/libcrypto/man/man3/SSL_clear.3
index 5ab32c67a295..0705cb958d01 100644
--- a/secure/lib/libcrypto/man/man3/SSL_clear.3
+++ b/secure/lib/libcrypto/man/man3/SSL_clear.3
@@ -1,208 +1,208 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CLEAR 3"
-.TH SSL_CLEAR 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CLEAR 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_clear \- reset SSL object to allow another connection
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_clear(SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Reset \fBssl\fR to allow another connection. All settings (method, ciphers,
BIOs) are kept.
.SH "NOTES"
.IX Header "NOTES"
SSL_clear is used to prepare an \s-1SSL\s0 object for a new connection. While all
settings are kept, a side effect is the handling of the current \s-1SSL\s0 session.
If a session is still \fBopen\fR, it is considered bad and will be removed
from the session cache, as required by \s-1RFC2246. A\s0 session is considered open,
if \fBSSL_shutdown\fR\|(3) was not called for the connection
or at least \fBSSL_set_shutdown\fR\|(3) was used to
set the \s-1SSL_SENT_SHUTDOWN\s0 state.
.PP
If a session was closed cleanly, the session object will be kept and all
settings corresponding. This explicitly means, that e.g. the special method
used during the session will be kept for the next handshake. So if the
session was a TLSv1 session, a \s-1SSL\s0 client object will use a TLSv1 client
method for the next handshake and a \s-1SSL\s0 server object will use a TLSv1
server method, even if TLS_*_methods were chosen on startup. This
will might lead to connection failures (see \fBSSL_new\fR\|(3))
for a description of the method's properties.
.SH "WARNINGS"
.IX Header "WARNINGS"
\&\fBSSL_clear()\fR resets the \s-1SSL\s0 object to allow for another connection. The
reset operation however keeps several settings of the last sessions
(some of these settings were made automatically during the last
handshake). It only makes sense for a new connection with the exact
same peer that shares these settings, and may fail if that peer
changes its settings between connections. Use the sequence
\&\fBSSL_get_session\fR\|(3);
\&\fBSSL_new\fR\|(3);
\&\fBSSL_set_session\fR\|(3);
\&\fBSSL_free\fR\|(3)
instead to avoid such failures
(or simply \fBSSL_free\fR\|(3); \fBSSL_new\fR\|(3)
if session reuse is not desired).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
.IP "0" 4
The \fBSSL_clear()\fR operation could not be performed. Check the error stack to
find out the reason.
.IP "1" 4
.IX Item "1"
The \fBSSL_clear()\fR operation was successful.
.PP
\&\fBSSL_new\fR\|(3), \fBSSL_free\fR\|(3),
\&\fBSSL_shutdown\fR\|(3), \fBSSL_set_shutdown\fR\|(3),
\&\fBSSL_CTX_set_options\fR\|(3), \fBssl\fR\|(7),
\&\fBSSL_CTX_set_client_cert_cb\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_connect.3 b/secure/lib/libcrypto/man/man3/SSL_connect.3
index 412d1a139fda..0fec81a870f5 100644
--- a/secure/lib/libcrypto/man/man3/SSL_connect.3
+++ b/secure/lib/libcrypto/man/man3/SSL_connect.3
@@ -1,220 +1,220 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_CONNECT 3"
-.TH SSL_CONNECT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_CONNECT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_connect \- initiate the TLS/SSL handshake with an TLS/SSL server
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_connect(SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_connect()\fR initiates the \s-1TLS/SSL\s0 handshake with a server. The communication
channel must already have been set and assigned to the \fBssl\fR by setting an
underlying \fB\s-1BIO\s0\fR.
.SH "NOTES"
.IX Header "NOTES"
The behaviour of \fBSSL_connect()\fR depends on the underlying \s-1BIO.\s0
.PP
If the underlying \s-1BIO\s0 is \fBblocking\fR, \fBSSL_connect()\fR will only return once the
handshake has been finished or an error occurred.
.PP
If the underlying \s-1BIO\s0 is \fBnonblocking\fR, \fBSSL_connect()\fR will also return
when the underlying \s-1BIO\s0 could not satisfy the needs of \fBSSL_connect()\fR
to continue the handshake, indicating the problem by the return value \-1.
In this case a call to \fBSSL_get_error()\fR with the
return value of \fBSSL_connect()\fR will yield \fB\s-1SSL_ERROR_WANT_READ\s0\fR or
\&\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR. The calling process then must repeat the call after
taking appropriate action to satisfy the needs of \fBSSL_connect()\fR.
The action depends on the underlying \s-1BIO.\s0 When using a nonblocking socket,
nothing is to be done, but \fBselect()\fR can be used to check for the required
condition. When using a buffering \s-1BIO,\s0 like a \s-1BIO\s0 pair, data must be written
into or retrieved out of the \s-1BIO\s0 before being able to continue.
.PP
Many systems implement Nagle's algorithm by default which means that it will
buffer outgoing \s-1TCP\s0 data if a \s-1TCP\s0 packet has already been sent for which no
corresponding \s-1ACK\s0 has been received yet from the peer. This can have performance
impacts after a successful TLSv1.3 handshake or a successful TLSv1.2 (or below)
resumption handshake, because the last peer to communicate in the handshake is
the client. If the client is also the first to send application data (as is
typical for many protocols) then this data could be buffered until an \s-1ACK\s0 has
been received for the final handshake message.
.PP
The \fB\s-1TCP_NODELAY\s0\fR socket option is often available to disable Nagle's
algorithm. If an application opts to disable Nagle's algorithm consideration
should be given to turning it back on again later if appropriate. The helper
function \fBBIO_set_tcp_ndelay()\fR can be used to turn on or off the \fB\s-1TCP_NODELAY\s0\fR
option.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
.IP "0" 4
The \s-1TLS/SSL\s0 handshake was not successful but was shut down controlled and
by the specifications of the \s-1TLS/SSL\s0 protocol. Call \fBSSL_get_error()\fR with the
return value \fBret\fR to find out the reason.
.IP "1" 4
.IX Item "1"
The \s-1TLS/SSL\s0 handshake was successfully completed, a \s-1TLS/SSL\s0 connection has been
established.
.IP "<0" 4
.IX Item "<0"
The \s-1TLS/SSL\s0 handshake was not successful, because a fatal error occurred either
at the protocol level or a connection failure occurred. The shutdown was
not clean. It can also occur if action is needed to continue the operation
for nonblocking BIOs. Call \fBSSL_get_error()\fR with the return value \fBret\fR
to find out the reason.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_get_error\fR\|(3), \fBSSL_accept\fR\|(3),
\&\fBSSL_shutdown\fR\|(3), \fBssl\fR\|(7), \fBbio\fR\|(7),
\&\fBSSL_set_connect_state\fR\|(3),
\&\fBSSL_do_handshake\fR\|(3),
\&\fBSSL_CTX_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_do_handshake.3 b/secure/lib/libcrypto/man/man3/SSL_do_handshake.3
index 7dbe837be921..00b3c64159eb 100644
--- a/secure/lib/libcrypto/man/man3/SSL_do_handshake.3
+++ b/secure/lib/libcrypto/man/man3/SSL_do_handshake.3
@@ -1,204 +1,204 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_DO_HANDSHAKE 3"
-.TH SSL_DO_HANDSHAKE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_DO_HANDSHAKE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_do_handshake \- perform a TLS/SSL handshake
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_do_handshake(SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_do_handshake()\fR will wait for a \s-1SSL/TLS\s0 handshake to take place. If the
connection is in client mode, the handshake will be started. The handshake
routines may have to be explicitly set in advance using either
\&\fBSSL_set_connect_state\fR\|(3) or
\&\fBSSL_set_accept_state\fR\|(3).
.SH "NOTES"
.IX Header "NOTES"
The behaviour of \fBSSL_do_handshake()\fR depends on the underlying \s-1BIO.\s0
.PP
If the underlying \s-1BIO\s0 is \fBblocking\fR, \fBSSL_do_handshake()\fR will only return
once the handshake has been finished or an error occurred.
.PP
If the underlying \s-1BIO\s0 is \fBnonblocking\fR, \fBSSL_do_handshake()\fR will also return
when the underlying \s-1BIO\s0 could not satisfy the needs of \fBSSL_do_handshake()\fR
to continue the handshake. In this case a call to \fBSSL_get_error()\fR with the
return value of \fBSSL_do_handshake()\fR will yield \fB\s-1SSL_ERROR_WANT_READ\s0\fR or
\&\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR. The calling process then must repeat the call after
taking appropriate action to satisfy the needs of \fBSSL_do_handshake()\fR.
The action depends on the underlying \s-1BIO.\s0 When using a nonblocking socket,
nothing is to be done, but \fBselect()\fR can be used to check for the required
condition. When using a buffering \s-1BIO,\s0 like a \s-1BIO\s0 pair, data must be written
into or retrieved out of the \s-1BIO\s0 before being able to continue.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
.IP "0" 4
The \s-1TLS/SSL\s0 handshake was not successful but was shut down controlled and
by the specifications of the \s-1TLS/SSL\s0 protocol. Call \fBSSL_get_error()\fR with the
return value \fBret\fR to find out the reason.
.IP "1" 4
.IX Item "1"
The \s-1TLS/SSL\s0 handshake was successfully completed, a \s-1TLS/SSL\s0 connection has been
established.
.IP "<0" 4
.IX Item "<0"
The \s-1TLS/SSL\s0 handshake was not successful because a fatal error occurred either
at the protocol level or a connection failure occurred. The shutdown was
not clean. It can also occur if action is needed to continue the operation
for nonblocking BIOs. Call \fBSSL_get_error()\fR with the return value \fBret\fR
to find out the reason.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_get_error\fR\|(3), \fBSSL_connect\fR\|(3),
\&\fBSSL_accept\fR\|(3), \fBssl\fR\|(7), \fBbio\fR\|(7),
\&\fBSSL_set_connect_state\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_export_keying_material.3 b/secure/lib/libcrypto/man/man3/SSL_export_keying_material.3
index 6a919a9fbb60..de27baf90a56 100644
--- a/secure/lib/libcrypto/man/man3/SSL_export_keying_material.3
+++ b/secure/lib/libcrypto/man/man3/SSL_export_keying_material.3
@@ -1,217 +1,217 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_EXPORT_KEYING_MATERIAL 3"
-.TH SSL_EXPORT_KEYING_MATERIAL 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_EXPORT_KEYING_MATERIAL 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_export_keying_material, SSL_export_keying_material_early \&\- obtain keying material for application use
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
\& const char *label, size_t llen,
\& const unsigned char *context,
\& size_t contextlen, int use_context);
\&
\& int SSL_export_keying_material_early(SSL *s, unsigned char *out, size_t olen,
\& const char *label, size_t llen,
\& const unsigned char *context,
\& size_t contextlen);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
During the creation of a \s-1TLS\s0 or \s-1DTLS\s0 connection shared keying material is
established between the two endpoints. The functions
\&\fBSSL_export_keying_material()\fR and \fBSSL_export_keying_material_early()\fR enable an
application to use some of this keying material for its own purposes in
accordance with \s-1RFC5705\s0 (for TLSv1.2 and below) or \s-1RFC8446\s0 (for TLSv1.3).
.PP
\&\fBSSL_export_keying_material()\fR derives keying material using
the \fIexporter_master_secret\fR established in the handshake.
.PP
\&\fBSSL_export_keying_material_early()\fR is only usable with TLSv1.3, and derives
keying material using the \fIearly_exporter_master_secret\fR (as defined in the
\&\s-1TLS 1.3 RFC\s0). For the client, the \fIearly_exporter_master_secret\fR is only
available when the client attempts to send 0\-RTT data. For the server, it is
only available when the server accepts 0\-RTT data.
.PP
An application may need to securely establish the context within which this
keying material will be used. For example this may include identifiers for the
application session, application algorithms or parameters, or the lifetime of
the context. The context value is left to the application but must be the same
on both sides of the communication.
.PP
For a given \s-1SSL\s0 connection \fBs\fR, \fBolen\fR bytes of data will be written to
\&\fBout\fR. The application specific context should be supplied in the location
pointed to by \fBcontext\fR and should be \fBcontextlen\fR bytes long. Provision of
a context is optional. If the context should be omitted entirely then
\&\fBuse_context\fR should be set to 0. Otherwise it should be any other value. If
\&\fBuse_context\fR is 0 then the values of \fBcontext\fR and \fBcontextlen\fR are ignored.
Note that in TLSv1.2 and below a zero length context is treated differently from
no context at all, and will result in different keying material being returned.
In TLSv1.3 a zero length context is that same as no context at all and will
result in the same keying material being returned.
.PP
An application specific label should be provided in the location pointed to by
\&\fBlabel\fR and should be \fBllen\fR bytes long. Typically this will be a value from
the \s-1IANA\s0 Exporter Label Registry
(<https://www.iana.org/assignments/tls\-parameters/tls\-parameters.xhtml#exporter\-labels>).
Alternatively labels beginning with \*(L"\s-1EXPERIMENTAL\*(R"\s0 are permitted by the standard
to be used without registration. TLSv1.3 imposes a maximum label length of
249 bytes.
.PP
Note that this function is only defined for TLSv1.0 and above, and DTLSv1.0 and
above. Attempting to use it in SSLv3 will result in an error.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_export_keying_material()\fR returns 0 or \-1 on failure or 1 on success.
.PP
\&\fBSSL_export_keying_material_early()\fR returns 0 on failure or 1 on success.
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_export_keying_material_early()\fR function was added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_extension_supported.3 b/secure/lib/libcrypto/man/man3/SSL_extension_supported.3
index 9b16988d5143..9bee5a13436f 100644
--- a/secure/lib/libcrypto/man/man3/SSL_extension_supported.3
+++ b/secure/lib/libcrypto/man/man3/SSL_extension_supported.3
@@ -1,399 +1,399 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_EXTENSION_SUPPORTED 3"
-.TH SSL_EXTENSION_SUPPORTED 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_EXTENSION_SUPPORTED 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_extension_supported, SSL_CTX_add_custom_ext, SSL_CTX_add_client_custom_ext, SSL_CTX_add_server_custom_ext, custom_ext_add_cb, custom_ext_free_cb, custom_ext_parse_cb \&\- custom TLS extension handling
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& typedef int (*SSL_custom_ext_add_cb_ex) (SSL *s, unsigned int ext_type,
\& unsigned int context,
\& const unsigned char **out,
\& size_t *outlen, X509 *x,
\& size_t chainidx, int *al,
\& void *add_arg);
\&
\& typedef void (*SSL_custom_ext_free_cb_ex) (SSL *s, unsigned int ext_type,
\& unsigned int context,
\& const unsigned char *out,
\& void *add_arg);
\&
\& typedef int (*SSL_custom_ext_parse_cb_ex) (SSL *s, unsigned int ext_type,
\& unsigned int context,
\& const unsigned char *in,
\& size_t inlen, X509 *x,
\& size_t chainidx, int *al,
\& void *parse_arg);
\&
\& int SSL_CTX_add_custom_ext(SSL_CTX *ctx, unsigned int ext_type,
\& unsigned int context,
\& SSL_custom_ext_add_cb_ex add_cb,
\& SSL_custom_ext_free_cb_ex free_cb,
\& void *add_arg,
\& SSL_custom_ext_parse_cb_ex parse_cb,
\& void *parse_arg);
\&
\& typedef int (*custom_ext_add_cb)(SSL *s, unsigned int ext_type,
\& const unsigned char **out,
\& size_t *outlen, int *al,
\& void *add_arg);
\&
\& typedef void (*custom_ext_free_cb)(SSL *s, unsigned int ext_type,
\& const unsigned char *out,
\& void *add_arg);
\&
\& typedef int (*custom_ext_parse_cb)(SSL *s, unsigned int ext_type,
\& const unsigned char *in,
\& size_t inlen, int *al,
\& void *parse_arg);
\&
\& int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned int ext_type,
\& custom_ext_add_cb add_cb,
\& custom_ext_free_cb free_cb, void *add_arg,
\& custom_ext_parse_cb parse_cb,
\& void *parse_arg);
\&
\& int SSL_CTX_add_server_custom_ext(SSL_CTX *ctx, unsigned int ext_type,
\& custom_ext_add_cb add_cb,
\& custom_ext_free_cb free_cb, void *add_arg,
\& custom_ext_parse_cb parse_cb,
\& void *parse_arg);
\&
\& int SSL_extension_supported(unsigned int ext_type);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_CTX_add_custom_ext()\fR adds a custom extension for a \s-1TLS/DTLS\s0 client or server
for all supported protocol versions with extension type \fBext_type\fR and
callbacks \fBadd_cb\fR, \fBfree_cb\fR and \fBparse_cb\fR (see the
\&\*(L"\s-1EXTENSION CALLBACKS\*(R"\s0 section below). The \fBcontext\fR value determines
which messages and under what conditions the extension will be added/parsed (see
the \*(L"\s-1EXTENSION CONTEXTS\*(R"\s0 section below).
.PP
\&\fBSSL_CTX_add_client_custom_ext()\fR adds a custom extension for a \s-1TLS/DTLS\s0 client
with extension type \fBext_type\fR and callbacks \fBadd_cb\fR, \fBfree_cb\fR and
\&\fBparse_cb\fR. This function is similar to \fBSSL_CTX_add_custom_ext()\fR except it only
applies to clients, uses the older style of callbacks, and implicitly sets the
\&\fBcontext\fR value to:
.PP
.Vb 2
\& SSL_EXT_TLS1_2_AND_BELOW_ONLY | SSL_EXT_CLIENT_HELLO
\& | SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_IGNORE_ON_RESUMPTION
.Ve
.PP
\&\fBSSL_CTX_add_server_custom_ext()\fR adds a custom extension for a \s-1TLS/DTLS\s0 server
with extension type \fBext_type\fR and callbacks \fBadd_cb\fR, \fBfree_cb\fR and
\&\fBparse_cb\fR. This function is similar to \fBSSL_CTX_add_custom_ext()\fR except it
only applies to servers, uses the older style of callbacks, and implicitly sets
the \fBcontext\fR value to the same as for \fBSSL_CTX_add_client_custom_ext()\fR above.
.PP
The \fBext_type\fR parameter corresponds to the \fBextension_type\fR field of
\&\s-1RFC5246\s0 et al. It is \fBnot\fR a \s-1NID.\s0 In all cases the extension type must not be
handled by OpenSSL internally or an error occurs.
.PP
\&\fBSSL_extension_supported()\fR returns 1 if the extension \fBext_type\fR is handled
internally by OpenSSL and 0 otherwise.
.SH "EXTENSION CALLBACKS"
.IX Header "EXTENSION CALLBACKS"
The callback \fBadd_cb\fR is called to send custom extension data to be
included in various \s-1TLS\s0 messages. The \fBext_type\fR parameter is set to the
extension type which will be added and \fBadd_arg\fR to the value set when the
extension handler was added. When using the new style callbacks the \fBcontext\fR
parameter will indicate which message is currently being constructed e.g. for
the ClientHello it will be set to \fB\s-1SSL_EXT_CLIENT_HELLO\s0\fR.
.PP
If the application wishes to include the extension \fBext_type\fR it should
set \fB*out\fR to the extension data, set \fB*outlen\fR to the length of the
extension data and return 1.
.PP
If the \fBadd_cb\fR does not wish to include the extension it must return 0.
.PP
If \fBadd_cb\fR returns \-1 a fatal handshake error occurs using the \s-1TLS\s0
alert value specified in \fB*al\fR.
.PP
When constructing the ClientHello, if \fBadd_cb\fR is set to \s-1NULL\s0 a zero length
extension is added for \fBext_type\fR. For all other messages if \fBadd_cb\fR is set
to \s-1NULL\s0 then no extension is added.
.PP
When constructing a Certificate message the callback will be called for each
certificate in the message. The \fBx\fR parameter will indicate the
current certificate and the \fBchainidx\fR parameter will indicate the position
of the certificate in the message. The first certificate is always the end
entity certificate and has a \fBchainidx\fR value of 0. The certificates are in the
order that they were received in the Certificate message.
.PP
For all messages except the ServerHello and EncryptedExtensions every
registered \fBadd_cb\fR is always called to see if the application wishes to add an
extension (as long as all requirements of the specified \fBcontext\fR are met).
.PP
For the ServerHello and EncryptedExtension messages every registered \fBadd_cb\fR
is called once if and only if the requirements of the specified \fBcontext\fR are
met and the corresponding extension was received in the ClientHello. That is, if
no corresponding extension was received in the ClientHello then \fBadd_cb\fR will
not be called.
.PP
If an extension is added (that is \fBadd_cb\fR returns 1) \fBfree_cb\fR is called
(if it is set) with the value of \fBout\fR set by the add callback. It can be
used to free up any dynamic extension data set by \fBadd_cb\fR. Since \fBout\fR is
constant (to permit use of constant data in \fBadd_cb\fR) applications may need to
cast away const to free the data.
.PP
The callback \fBparse_cb\fR receives data for \s-1TLS\s0 extensions. The callback is only
called if the extension is present and relevant for the context (see
\&\*(L"\s-1EXTENSION CONTEXTS\*(R"\s0 below).
.PP
The extension data consists of \fBinlen\fR bytes in the buffer \fBin\fR for the
extension \fBext_type\fR.
.PP
If the message being parsed is a TLSv1.3 compatible Certificate message then
\&\fBparse_cb\fR will be called for each certificate contained within the message.
The \fBx\fR parameter will indicate the current certificate and the \fBchainidx\fR
parameter will indicate the position of the certificate in the message. The
first certificate is always the end entity certificate and has a \fBchainidx\fR
value of 0.
.PP
If the \fBparse_cb\fR considers the extension data acceptable it must return
1. If it returns 0 or a negative value a fatal handshake error occurs
using the \s-1TLS\s0 alert value specified in \fB*al\fR.
.PP
The buffer \fBin\fR is a temporary internal buffer which will not be valid after
the callback returns.
.SH "EXTENSION CONTEXTS"
.IX Header "EXTENSION CONTEXTS"
An extension context defines which messages and under which conditions an
extension should be added or expected. The context is built up by performing
a bitwise \s-1OR\s0 of multiple pre-defined values together. The valid context values
are:
.IP "\s-1SSL_EXT_TLS_ONLY\s0" 4
.IX Item "SSL_EXT_TLS_ONLY"
The extension is only allowed in \s-1TLS\s0
.IP "\s-1SSL_EXT_DTLS_ONLY\s0" 4
.IX Item "SSL_EXT_DTLS_ONLY"
The extension is only allowed in \s-1DTLS\s0
.IP "\s-1SSL_EXT_TLS_IMPLEMENTATION_ONLY\s0" 4
.IX Item "SSL_EXT_TLS_IMPLEMENTATION_ONLY"
The extension is allowed in \s-1DTLS,\s0 but there is only a \s-1TLS\s0 implementation
available (so it is ignored in \s-1DTLS\s0).
.IP "\s-1SSL_EXT_SSL3_ALLOWED\s0" 4
.IX Item "SSL_EXT_SSL3_ALLOWED"
Extensions are not typically defined for SSLv3. Setting this value will allow
the extension in SSLv3. Applications will not typically need to use this.
.IP "\s-1SSL_EXT_TLS1_2_AND_BELOW_ONLY\s0" 4
.IX Item "SSL_EXT_TLS1_2_AND_BELOW_ONLY"
The extension is only defined for TLSv1.2/DTLSv1.2 and below. Servers will
ignore this extension if it is present in the ClientHello and TLSv1.3 is
negotiated.
.IP "\s-1SSL_EXT_TLS1_3_ONLY\s0" 4
.IX Item "SSL_EXT_TLS1_3_ONLY"
The extension is only defined for \s-1TLS1.3\s0 and above. Servers will ignore this
extension if it is present in the ClientHello and TLSv1.2 or below is
negotiated.
.IP "\s-1SSL_EXT_IGNORE_ON_RESUMPTION\s0" 4
.IX Item "SSL_EXT_IGNORE_ON_RESUMPTION"
The extension will be ignored during parsing if a previous session is being
successfully resumed.
.IP "\s-1SSL_EXT_CLIENT_HELLO\s0" 4
.IX Item "SSL_EXT_CLIENT_HELLO"
The extension may be present in the ClientHello message.
.IP "\s-1SSL_EXT_TLS1_2_SERVER_HELLO\s0" 4
.IX Item "SSL_EXT_TLS1_2_SERVER_HELLO"
The extension may be present in a TLSv1.2 or below compatible ServerHello
message.
.IP "\s-1SSL_EXT_TLS1_3_SERVER_HELLO\s0" 4
.IX Item "SSL_EXT_TLS1_3_SERVER_HELLO"
The extension may be present in a TLSv1.3 compatible ServerHello message.
.IP "\s-1SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS\s0" 4
.IX Item "SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS"
The extension may be present in an EncryptedExtensions message.
.IP "\s-1SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST\s0" 4
.IX Item "SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST"
The extension may be present in a HelloRetryRequest message.
.IP "\s-1SSL_EXT_TLS1_3_CERTIFICATE\s0" 4
.IX Item "SSL_EXT_TLS1_3_CERTIFICATE"
The extension may be present in a TLSv1.3 compatible Certificate message.
.IP "\s-1SSL_EXT_TLS1_3_NEW_SESSION_TICKET\s0" 4
.IX Item "SSL_EXT_TLS1_3_NEW_SESSION_TICKET"
The extension may be present in a TLSv1.3 compatible NewSessionTicket message.
.IP "\s-1SSL_EXT_TLS1_3_CERTIFICATE_REQUEST\s0" 4
.IX Item "SSL_EXT_TLS1_3_CERTIFICATE_REQUEST"
The extension may be present in a TLSv1.3 compatible CertificateRequest message.
.PP
The context must include at least one message value (otherwise the extension
will never be used).
.SH "NOTES"
.IX Header "NOTES"
The \fBadd_arg\fR and \fBparse_arg\fR parameters can be set to arbitrary values
which will be passed to the corresponding callbacks. They can, for example,
be used to store the extension data received in a convenient structure or
pass the extension data to be added or freed when adding extensions.
.PP
If the same custom extension type is received multiple times a fatal
\&\fBdecode_error\fR alert is sent and the handshake aborts. If a custom extension
is received in a ServerHello/EncryptedExtensions message which was not sent in
the ClientHello a fatal \fBunsupported_extension\fR alert is sent and the
handshake is aborted. The ServerHello/EncryptedExtensions \fBadd_cb\fR callback is
only called if the corresponding extension was received in the ClientHello. This
is compliant with the \s-1TLS\s0 specifications. This behaviour ensures that each
callback is called at most once and that an application can never send
unsolicited extensions.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_CTX_add_custom_ext()\fR, \fBSSL_CTX_add_client_custom_ext()\fR and
\&\fBSSL_CTX_add_server_custom_ext()\fR return 1 for success and 0 for failure. A
failure can occur if an attempt is made to add the same \fBext_type\fR more than
once, if an attempt is made to use an extension type handled internally by
OpenSSL or if an internal error occurs (for example a memory allocation
failure).
.PP
\&\fBSSL_extension_supported()\fR returns 1 if the extension \fBext_type\fR is handled
internally by OpenSSL and 0 otherwise.
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_CTX_add_custom_ext()\fR function was added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2014\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_free.3 b/secure/lib/libcrypto/man/man3/SSL_free.3
index 8eb5bb67eeaf..b8124e9bbc3b 100644
--- a/secure/lib/libcrypto/man/man3/SSL_free.3
+++ b/secure/lib/libcrypto/man/man3/SSL_free.3
@@ -1,186 +1,186 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_FREE 3"
-.TH SSL_FREE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_FREE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_free \- free an allocated SSL structure
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_free(SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_free()\fR decrements the reference count of \fBssl\fR, and removes the \s-1SSL\s0
structure pointed to by \fBssl\fR and frees up the allocated memory if the
reference count has reached 0.
If \fBssl\fR is \s-1NULL\s0 nothing is done.
.SH "NOTES"
.IX Header "NOTES"
\&\fBSSL_free()\fR also calls the \fBfree()\fRing procedures for indirectly affected items, if
applicable: the buffering \s-1BIO,\s0 the read and write BIOs,
cipher lists specially created for this \fBssl\fR, the \fB\s-1SSL_SESSION\s0\fR.
Do not explicitly free these indirectly freed up items before or after
calling \fBSSL_free()\fR, as trying to free things twice may lead to program
failure.
.PP
The ssl session has reference counts from two users: the \s-1SSL\s0 object, for
which the reference count is removed by \fBSSL_free()\fR and the internal
session cache. If the session is considered bad, because
\&\fBSSL_shutdown\fR\|(3) was not called for the connection
and \fBSSL_set_shutdown\fR\|(3) was not used to set the
\&\s-1SSL_SENT_SHUTDOWN\s0 state, the session will also be removed
from the session cache as required by \s-1RFC2246.\s0
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_free()\fR does not provide diagnostic information.
.PP
\&\fBSSL_new\fR\|(3), \fBSSL_clear\fR\|(3),
\&\fBSSL_shutdown\fR\|(3), \fBSSL_set_shutdown\fR\|(3),
\&\fBssl\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get0_peer_scts.3 b/secure/lib/libcrypto/man/man3/SSL_get0_peer_scts.3
index 4ccb2c341c0a..1b4815e56591 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get0_peer_scts.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get0_peer_scts.3
@@ -1,176 +1,176 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET0_PEER_SCTS 3"
-.TH SSL_GET0_PEER_SCTS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_GET0_PEER_SCTS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_get0_peer_scts \- get SCTs received
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& const STACK_OF(SCT) *SSL_get0_peer_scts(SSL *s);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_get0_peer_scts()\fR returns the signed certificate timestamps (SCTs) that have
been received. If this is the first time that this function has been called for
a given \fB\s-1SSL\s0\fR instance, it will examine the \s-1TLS\s0 extensions, \s-1OCSP\s0 response and
the peer's certificate for SCTs. Future calls will return the same SCTs.
.SH "RESTRICTIONS"
.IX Header "RESTRICTIONS"
If no Certificate Transparency validation callback has been set (using
\&\fBSSL_CTX_set_ct_validation_callback\fR or \fBSSL_set_ct_validation_callback\fR),
this function is not guaranteed to return all of the SCTs that the peer is
capable of sending.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_get0_peer_scts()\fR returns a list of SCTs found, or \s-1NULL\s0 if an error occurs.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_set_ct_validation_callback\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_SSL_CTX.3 b/secure/lib/libcrypto/man/man3/SSL_get_SSL_CTX.3
index 3de987b1bd58..7b75d130e8fb 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_SSL_CTX.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_SSL_CTX.3
@@ -1,167 +1,167 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_SSL_CTX 3"
-.TH SSL_GET_SSL_CTX 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_GET_SSL_CTX 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_get_SSL_CTX \- get the SSL_CTX from which an SSL is created
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_get_SSL_CTX()\fR returns a pointer to the \s-1SSL_CTX\s0 object, from which
\&\fBssl\fR was created with \fBSSL_new\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The pointer to the \s-1SSL_CTX\s0 object is returned.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_new\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_all_async_fds.3 b/secure/lib/libcrypto/man/man3/SSL_get_all_async_fds.3
index 23fc69a263fc..f354a52fcf9a 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_all_async_fds.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_all_async_fds.3
@@ -1,213 +1,213 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_ALL_ASYNC_FDS 3"
-.TH SSL_GET_ALL_ASYNC_FDS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_GET_ALL_ASYNC_FDS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_waiting_for_async, SSL_get_all_async_fds, SSL_get_changed_async_fds \&\- manage asynchronous operations
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 2
\& #include <openssl/async.h>
\& #include <openssl/ssl.h>
\&
\& int SSL_waiting_for_async(SSL *s);
\& int SSL_get_all_async_fds(SSL *s, OSSL_ASYNC_FD *fd, size_t *numfds);
\& int SSL_get_changed_async_fds(SSL *s, OSSL_ASYNC_FD *addfd, size_t *numaddfds,
\& OSSL_ASYNC_FD *delfd, size_t *numdelfds);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_waiting_for_async()\fR determines whether an \s-1SSL\s0 connection is currently
waiting for asynchronous operations to complete (see the \s-1SSL_MODE_ASYNC\s0 mode in
\&\fBSSL_CTX_set_mode\fR\|(3)).
.PP
\&\fBSSL_get_all_async_fds()\fR returns a list of file descriptor which can be used in a
call to \fBselect()\fR or \fBpoll()\fR to determine whether the current asynchronous
operation has completed or not. A completed operation will result in data
appearing as \*(L"read ready\*(R" on the file descriptor (no actual data should be read
from the file descriptor). This function should only be called if the \s-1SSL\s0 object
is currently waiting for asynchronous work to complete (i.e.
\&\s-1SSL_ERROR_WANT_ASYNC\s0 has been received \- see \fBSSL_get_error\fR\|(3)). Typically the
list will only contain one file descriptor. However, if multiple asynchronous
capable engines are in use then more than one is possible. The number of file
descriptors returned is stored in \fB*numfds\fR and the file descriptors themselves
are in \fB*fds\fR. The \fBfds\fR parameter may be \s-1NULL\s0 in which case no file
descriptors are returned but \fB*numfds\fR is still populated. It is the callers
responsibility to ensure sufficient memory is allocated at \fB*fds\fR so typically
this function is called twice (once with a \s-1NULL\s0 \fBfds\fR parameter and once
without).
.PP
\&\fBSSL_get_changed_async_fds()\fR returns a list of the asynchronous file descriptors
that have been added and a list that have been deleted since the last
\&\s-1SSL_ERROR_WANT_ASYNC\s0 was received (or since the \s-1SSL\s0 object was created if no
\&\s-1SSL_ERROR_WANT_ASYNC\s0 has been received). Similar to \fBSSL_get_all_async_fds()\fR it
is the callers responsibility to ensure that \fB*addfd\fR and \fB*delfd\fR have
sufficient memory allocated, although they may be \s-1NULL.\s0 The number of added fds
and the number of deleted fds are stored in \fB*numaddfds\fR and \fB*numdelfds\fR
respectively.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_waiting_for_async()\fR will return 1 if the current \s-1SSL\s0 operation is waiting
for an async operation to complete and 0 otherwise.
.PP
\&\fBSSL_get_all_async_fds()\fR and \fBSSL_get_changed_async_fds()\fR return 1 on success or
0 on error.
.SH "NOTES"
.IX Header "NOTES"
On Windows platforms the openssl/async.h header is dependent on some
of the types customarily made available by including windows.h. The
application developer is likely to require control over when the latter
is included, commonly as one of the first included headers. Therefore,
it is defined as an application developer's responsibility to include
windows.h prior to async.h.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_get_error\fR\|(3), \fBSSL_CTX_set_mode\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_waiting_for_async()\fR, \fBSSL_get_all_async_fds()\fR
and \fBSSL_get_changed_async_fds()\fR functions were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_ciphers.3 b/secure/lib/libcrypto/man/man3/SSL_get_ciphers.3
index 44c89dd3561d..55d3854093d8 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_ciphers.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_ciphers.3
@@ -1,241 +1,241 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_CIPHERS 3"
-.TH SSL_GET_CIPHERS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_GET_CIPHERS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_get1_supported_ciphers, SSL_get_client_ciphers, SSL_get_ciphers, SSL_CTX_get_ciphers, SSL_bytes_to_cipher_list, SSL_get_cipher_list, SSL_get_shared_ciphers \&\- get list of available SSL_CIPHERs
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl);
\& STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx);
\& STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s);
\& STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *ssl);
\& int SSL_bytes_to_cipher_list(SSL *s, const unsigned char *bytes, size_t len,
\& int isv2format, STACK_OF(SSL_CIPHER) **sk,
\& STACK_OF(SSL_CIPHER) **scsvs);
\& const char *SSL_get_cipher_list(const SSL *ssl, int priority);
\& char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_get_ciphers()\fR returns the stack of available SSL_CIPHERs for \fBssl\fR,
sorted by preference. If \fBssl\fR is \s-1NULL\s0 or no ciphers are available, \s-1NULL\s0
is returned.
.PP
\&\fBSSL_CTX_get_ciphers()\fR returns the stack of available SSL_CIPHERs for \fBctx\fR.
.PP
\&\fBSSL_get1_supported_ciphers()\fR returns the stack of enabled SSL_CIPHERs for
\&\fBssl\fR as would be sent in a ClientHello (that is, sorted by preference).
The list depends on settings like the cipher list, the supported protocol
versions, the security level, and the enabled signature algorithms.
\&\s-1SRP\s0 and \s-1PSK\s0 ciphers are only enabled if the appropriate callbacks or settings
have been applied.
The list of ciphers that would be sent in a ClientHello can differ from
the list of ciphers that would be acceptable when acting as a server.
For example, additional ciphers may be usable by a server if there is
a gap in the list of supported protocols, and some ciphers may not be
usable by a server if there is not a suitable certificate configured.
If \fBssl\fR is \s-1NULL\s0 or no ciphers are available, \s-1NULL\s0 is returned.
.PP
\&\fBSSL_get_client_ciphers()\fR returns the stack of available SSL_CIPHERs matching the
list received from the client on \fBssl\fR. If \fBssl\fR is \s-1NULL,\s0 no ciphers are
available, or \fBssl\fR is not operating in server mode, \s-1NULL\s0 is returned.
.PP
\&\fBSSL_bytes_to_cipher_list()\fR treats the supplied \fBlen\fR octets in \fBbytes\fR
as a wire-protocol cipher suite specification (in the three-octet-per-cipher
SSLv2 wire format if \fBisv2format\fR is nonzero; otherwise the two-octet
SSLv3/TLS wire format), and parses the cipher suites supported by the library
into the returned stacks of \s-1SSL_CIPHER\s0 objects sk and Signalling Cipher-Suite
Values scsvs. Unsupported cipher suites are ignored. Returns 1 on success
and 0 on failure.
.PP
\&\fBSSL_get_cipher_list()\fR returns a pointer to the name of the \s-1SSL_CIPHER\s0
listed for \fBssl\fR with \fBpriority\fR. If \fBssl\fR is \s-1NULL,\s0 no ciphers are
available, or there are less ciphers than \fBpriority\fR available, \s-1NULL\s0
is returned.
.PP
\&\fBSSL_get_shared_ciphers()\fR creates a colon separated and \s-1NUL\s0 terminated list of
\&\s-1SSL_CIPHER\s0 names that are available in both the client and the server. \fBbuf\fR is
the buffer that should be populated with the list of names and \fBsize\fR is the
size of that buffer. A pointer to \fBbuf\fR is returned on success or \s-1NULL\s0 on
error. If the supplied buffer is not large enough to contain the complete list
of names then a truncated list of names will be returned. Note that just because
a ciphersuite is available (i.e. it is configured in the cipher list) and shared
by both the client and the server it does not mean that it is enabled (see the
description of \fBSSL_get1_supported_ciphers()\fR above). This function will return
available shared ciphersuites whether or not they are enabled. This is a server
side function only and must only be called after the completion of the initial
handshake.
.SH "NOTES"
.IX Header "NOTES"
The details of the ciphers obtained by \fBSSL_get_ciphers()\fR, \fBSSL_CTX_get_ciphers()\fR
\&\fBSSL_get1_supported_ciphers()\fR and \fBSSL_get_client_ciphers()\fR can be obtained using
the \fBSSL_CIPHER_get_name\fR\|(3) family of functions.
.PP
Call \fBSSL_get_cipher_list()\fR with \fBpriority\fR starting from 0 to obtain the
sorted list of available ciphers, until \s-1NULL\s0 is returned.
.PP
Note: \fBSSL_get_ciphers()\fR, \fBSSL_CTX_get_ciphers()\fR and \fBSSL_get_client_ciphers()\fR
return a pointer to an internal cipher stack, which will be freed later on when
the \s-1SSL\s0 or \s-1SSL_SESSION\s0 object is freed. Therefore, the calling code \fB\s-1MUST NOT\s0\fR
free the return value itself.
.PP
The stack returned by \fBSSL_get1_supported_ciphers()\fR should be freed using
\&\fBsk_SSL_CIPHER_free()\fR.
.PP
The stacks returned by \fBSSL_bytes_to_cipher_list()\fR should be freed using
\&\fBsk_SSL_CIPHER_free()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
See \s-1DESCRIPTION\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_CTX_set_cipher_list\fR\|(3),
\&\fBSSL_CIPHER_get_name\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_client_random.3 b/secure/lib/libcrypto/man/man3/SSL_get_client_random.3
index 0f5c350bd907..dcf4dc282d1b 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_client_random.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_client_random.3
@@ -1,229 +1,229 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_CLIENT_RANDOM 3"
-.TH SSL_GET_CLIENT_RANDOM 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_GET_CLIENT_RANDOM 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_get_client_random, SSL_get_server_random, SSL_SESSION_get_master_key, SSL_SESSION_set1_master_key \&\- get internal TLS/SSL random values and get/set master key
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& size_t SSL_get_client_random(const SSL *ssl, unsigned char *out, size_t outlen);
\& size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, size_t outlen);
\& size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
\& unsigned char *out, size_t outlen);
\& int SSL_SESSION_set1_master_key(SSL_SESSION *sess, const unsigned char *in,
\& size_t len);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_get_client_random()\fR extracts the random value sent from the client
to the server during the initial \s-1SSL/TLS\s0 handshake. It copies as many
bytes as it can of this value into the buffer provided in \fBout\fR,
which must have at least \fBoutlen\fR bytes available. It returns the
total number of bytes that were actually copied. If \fBoutlen\fR is
zero, \fBSSL_get_client_random()\fR copies nothing, and returns the
total size of the client_random value.
.PP
\&\fBSSL_get_server_random()\fR behaves the same, but extracts the random value
sent from the server to the client during the initial \s-1SSL/TLS\s0 handshake.
.PP
\&\fBSSL_SESSION_get_master_key()\fR behaves the same, but extracts the master
secret used to guarantee the security of the \s-1SSL/TLS\s0 session. This one
can be dangerous if misused; see \s-1NOTES\s0 below.
.PP
\&\fBSSL_SESSION_set1_master_key()\fR sets the master key value associated with the
\&\s-1SSL_SESSION\s0 \fBsess\fR. For example, this could be used to set up a session based
\&\s-1PSK\s0 (see \fBSSL_CTX_set_psk_use_session_callback\fR\|(3)). The master key of length
\&\fBlen\fR should be provided at \fBin\fR. The supplied master key is copied by the
function, so the caller is responsible for freeing and cleaning any memory
associated with \fBin\fR. The caller must ensure that the length of the key is
suitable for the ciphersuite associated with the \s-1SSL_SESSION.\s0
.SH "NOTES"
.IX Header "NOTES"
You probably shouldn't use these functions.
.PP
These functions expose internal values from the \s-1TLS\s0 handshake, for
use in low-level protocols. You probably should not use them, unless
you are implementing something that needs access to the internal protocol
details.
.PP
Despite the names of \fBSSL_get_client_random()\fR and \fBSSL_get_server_random()\fR, they
\&\s-1ARE NOT\s0 random number generators. Instead, they return the mostly-random values that
were already generated and used in the \s-1TLS\s0 protocol. Using them
in place of \fBRAND_bytes()\fR would be grossly foolish.
.PP
The security of your \s-1TLS\s0 session depends on keeping the master key secret:
do not expose it, or any information about it, to anybody.
If you need to calculate another secret value that depends on the master
secret, you should probably use \fBSSL_export_keying_material()\fR instead, and
forget that you ever saw these functions.
.PP
In current versions of the \s-1TLS\s0 protocols, the length of client_random
(and also server_random) is always \s-1SSL3_RANDOM_SIZE\s0 bytes. Support for
other outlen arguments to the SSL_get_*\fB_random()\fR functions is provided
in case of the unlikely event that a future version or variant of \s-1TLS\s0
uses some other length there.
.PP
Finally, though the \*(L"client_random\*(R" and \*(L"server_random\*(R" values are called
\&\*(L"random\*(R", many \s-1TLS\s0 implementations will generate four bytes of those
values based on their view of the current time.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_SESSION_set1_master_key()\fR returns 1 on success or 0 on failure.
.PP
For the other functions, if \fBoutlen\fR is greater than 0 then these functions
return the number of bytes actually copied, which will be less than or equal to
\&\fBoutlen\fR. If \fBoutlen\fR is 0 then these functions return the maximum number
of bytes they would copy \*(-- that is, the length of the underlying field.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBRAND_bytes\fR\|(3),
\&\fBSSL_export_keying_material\fR\|(3),
\&\fBSSL_CTX_set_psk_use_session_callback\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_current_cipher.3 b/secure/lib/libcrypto/man/man3/SSL_get_current_cipher.3
index 19cda847c7d3..583175bbe422 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_current_cipher.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_current_cipher.3
@@ -1,200 +1,200 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_CURRENT_CIPHER 3"
-.TH SSL_GET_CURRENT_CIPHER 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_GET_CURRENT_CIPHER 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_get_current_cipher, SSL_get_cipher_name, SSL_get_cipher, SSL_get_cipher_bits, SSL_get_cipher_version, SSL_get_pending_cipher \- get SSL_CIPHER of a connection
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl);
\& SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl);
\&
\& const char *SSL_get_cipher_name(const SSL *s);
\& const char *SSL_get_cipher(const SSL *s);
\& int SSL_get_cipher_bits(const SSL *s, int *np);
\& const char *SSL_get_cipher_version(const SSL *s);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_get_current_cipher()\fR returns a pointer to an \s-1SSL_CIPHER\s0 object containing
the description of the actually used cipher of a connection established with
the \fBssl\fR object.
See \fBSSL_CIPHER_get_name\fR\|(3) for more details.
.PP
\&\fBSSL_get_cipher_name()\fR obtains the
name of the currently used cipher.
\&\fBSSL_get_cipher()\fR is identical to \fBSSL_get_cipher_name()\fR.
\&\fBSSL_get_cipher_bits()\fR is a
macro to obtain the number of secret/algorithm bits used and
\&\fBSSL_get_cipher_version()\fR returns the protocol name.
.PP
\&\fBSSL_get_pending_cipher()\fR returns a pointer to an \s-1SSL_CIPHER\s0 object containing
the description of the cipher (if any) that has been negotiated for future use
on the connection established with the \fBssl\fR object, but is not yet in use.
This may be the case during handshake processing, when control flow can be
returned to the application via any of several callback methods. The internal
sequencing of handshake processing and callback invocation is not guaranteed
to be stable from release to release, and at present only the callback set
by \fBSSL_CTX_set_alpn_select_cb()\fR is guaranteed to have a non-NULL return value.
Other callbacks may be added to this list over time.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_get_current_cipher()\fR returns the cipher actually used, or \s-1NULL\s0 if
no session has been established.
.PP
\&\fBSSL_get_pending_cipher()\fR returns the cipher to be used at the next change
of cipher suite, or \s-1NULL\s0 if no such cipher is known.
.SH "NOTES"
.IX Header "NOTES"
SSL_get_cipher, SSL_get_cipher_bits, SSL_get_cipher_version, and
SSL_get_cipher_name are implemented as macros.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_CIPHER_get_name\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_default_timeout.3 b/secure/lib/libcrypto/man/man3/SSL_get_default_timeout.3
index 00e5e42f115f..b800604f77d0 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_default_timeout.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_default_timeout.3
@@ -1,181 +1,181 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_DEFAULT_TIMEOUT 3"
-.TH SSL_GET_DEFAULT_TIMEOUT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_GET_DEFAULT_TIMEOUT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_get_default_timeout \- get default session timeout value
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& long SSL_get_default_timeout(const SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_get_default_timeout()\fR returns the default timeout value assigned to
\&\s-1SSL_SESSION\s0 objects negotiated for the protocol valid for \fBssl\fR.
.SH "NOTES"
.IX Header "NOTES"
Whenever a new session is negotiated, it is assigned a timeout value,
after which it will not be accepted for session reuse. If the timeout
value was not explicitly set using
\&\fBSSL_CTX_set_timeout\fR\|(3), the hardcoded default
timeout for the protocol will be used.
.PP
\&\fBSSL_get_default_timeout()\fR return this hardcoded value, which is 300 seconds
for all currently supported protocols.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
See description.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3),
\&\fBSSL_SESSION_get_time\fR\|(3),
\&\fBSSL_CTX_flush_sessions\fR\|(3),
\&\fBSSL_get_default_timeout\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_error.3 b/secure/lib/libcrypto/man/man3/SSL_get_error.3
index 574784b21400..b6a9a6607711 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_error.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_error.3
@@ -1,304 +1,304 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_ERROR 3"
-.TH SSL_GET_ERROR 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_GET_ERROR 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_get_error \- obtain result code for TLS/SSL I/O operation
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_get_error(const SSL *ssl, int ret);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_get_error()\fR returns a result code (suitable for the C \*(L"switch\*(R"
statement) for a preceding call to \fBSSL_connect()\fR, \fBSSL_accept()\fR, \fBSSL_do_handshake()\fR,
\&\fBSSL_read_ex()\fR, \fBSSL_read()\fR, \fBSSL_peek_ex()\fR, \fBSSL_peek()\fR, \fBSSL_shutdown()\fR,
\&\fBSSL_write_ex()\fR or \fBSSL_write()\fR on \fBssl\fR. The value returned by that \s-1TLS/SSL I/O\s0
function must be passed to \fBSSL_get_error()\fR in parameter \fBret\fR.
.PP
In addition to \fBssl\fR and \fBret\fR, \fBSSL_get_error()\fR inspects the
current thread's OpenSSL error queue. Thus, \fBSSL_get_error()\fR must be
used in the same thread that performed the \s-1TLS/SSL I/O\s0 operation, and no
other OpenSSL function calls should appear in between. The current
thread's error queue must be empty before the \s-1TLS/SSL I/O\s0 operation is
attempted, or \fBSSL_get_error()\fR will not work reliably.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can currently occur:
.IP "\s-1SSL_ERROR_NONE\s0" 4
.IX Item "SSL_ERROR_NONE"
The \s-1TLS/SSL I/O\s0 operation completed. This result code is returned
if and only if \fBret > 0\fR.
.IP "\s-1SSL_ERROR_ZERO_RETURN\s0" 4
.IX Item "SSL_ERROR_ZERO_RETURN"
The \s-1TLS/SSL\s0 peer has closed the connection for writing by sending the
close_notify alert.
No more data can be read.
Note that \fB\s-1SSL_ERROR_ZERO_RETURN\s0\fR does not necessarily
indicate that the underlying transport has been closed.
.IP "\s-1SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE\s0" 4
.IX Item "SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE"
The operation did not complete and can be retried later.
.Sp
\&\fB\s-1SSL_ERROR_WANT_READ\s0\fR is returned when the last operation was a read
operation from a nonblocking \fB\s-1BIO\s0\fR.
It means that not enough data was available at this time to complete the
operation.
If at a later time the underlying \fB\s-1BIO\s0\fR has data available for reading the same
function can be called again.
.Sp
\&\fBSSL_read()\fR and \fBSSL_read_ex()\fR can also set \fB\s-1SSL_ERROR_WANT_READ\s0\fR when there is
still unprocessed data available at either the \fB\s-1SSL\s0\fR or the \fB\s-1BIO\s0\fR layer, even
for a blocking \fB\s-1BIO\s0\fR.
See \fBSSL_read\fR\|(3) for more information.
.Sp
\&\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR is returned when the last operation was a write
to a nonblocking \fB\s-1BIO\s0\fR and it was unable to sent all data to the \fB\s-1BIO\s0\fR.
When the \fB\s-1BIO\s0\fR is writable again, the same function can be called again.
.Sp
Note that the retry may again lead to an \fB\s-1SSL_ERROR_WANT_READ\s0\fR or
\&\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR condition.
There is no fixed upper limit for the number of iterations that
may be necessary until progress becomes visible at application
protocol level.
.Sp
It is safe to call \fBSSL_read()\fR or \fBSSL_read_ex()\fR when more data is available
even when the call that set this error was an \fBSSL_write()\fR or \fBSSL_write_ex()\fR.
However, if the call was an \fBSSL_write()\fR or \fBSSL_write_ex()\fR, it should be called
again to continue sending the application data.
.Sp
For socket \fB\s-1BIO\s0\fRs (e.g. when \fBSSL_set_fd()\fR was used), \fBselect()\fR or
\&\fBpoll()\fR on the underlying socket can be used to find out when the
\&\s-1TLS/SSL I/O\s0 function should be retried.
.Sp
Caveat: Any \s-1TLS/SSL I/O\s0 function can lead to either of
\&\fB\s-1SSL_ERROR_WANT_READ\s0\fR and \fB\s-1SSL_ERROR_WANT_WRITE\s0\fR.
In particular,
\&\fBSSL_read_ex()\fR, \fBSSL_read()\fR, \fBSSL_peek_ex()\fR, or \fBSSL_peek()\fR may want to write data
and \fBSSL_write()\fR or \fBSSL_write_ex()\fR may want to read data.
This is mainly because
\&\s-1TLS/SSL\s0 handshakes may occur at any time during the protocol (initiated by
either the client or the server); \fBSSL_read_ex()\fR, \fBSSL_read()\fR, \fBSSL_peek_ex()\fR,
\&\fBSSL_peek()\fR, \fBSSL_write_ex()\fR, and \fBSSL_write()\fR will handle any pending handshakes.
.IP "\s-1SSL_ERROR_WANT_CONNECT, SSL_ERROR_WANT_ACCEPT\s0" 4
.IX Item "SSL_ERROR_WANT_CONNECT, SSL_ERROR_WANT_ACCEPT"
The operation did not complete; the same \s-1TLS/SSL I/O\s0 function should be
called again later. The underlying \s-1BIO\s0 was not connected yet to the peer
and the call would block in \fBconnect()\fR/\fBaccept()\fR. The \s-1SSL\s0 function should be
called again when the connection is established. These messages can only
appear with a \fBBIO_s_connect()\fR or \fBBIO_s_accept()\fR \s-1BIO,\s0 respectively.
In order to find out, when the connection has been successfully established,
on many platforms \fBselect()\fR or \fBpoll()\fR for writing on the socket file descriptor
can be used.
.IP "\s-1SSL_ERROR_WANT_X509_LOOKUP\s0" 4
.IX Item "SSL_ERROR_WANT_X509_LOOKUP"
The operation did not complete because an application callback set by
\&\fBSSL_CTX_set_client_cert_cb()\fR has asked to be called again.
The \s-1TLS/SSL I/O\s0 function should be called again later.
Details depend on the application.
.IP "\s-1SSL_ERROR_WANT_ASYNC\s0" 4
.IX Item "SSL_ERROR_WANT_ASYNC"
The operation did not complete because an asynchronous engine is still
processing data. This will only occur if the mode has been set to \s-1SSL_MODE_ASYNC\s0
using \fBSSL_CTX_set_mode\fR\|(3) or \fBSSL_set_mode\fR\|(3) and an asynchronous capable
engine is being used. An application can determine whether the engine has
completed its processing using \fBselect()\fR or \fBpoll()\fR on the asynchronous wait file
descriptor. This file descriptor is available by calling
\&\fBSSL_get_all_async_fds\fR\|(3) or \fBSSL_get_changed_async_fds\fR\|(3). The \s-1TLS/SSL I/O\s0
function should be called again later. The function \fBmust\fR be called from the
same thread that the original call was made from.
.IP "\s-1SSL_ERROR_WANT_ASYNC_JOB\s0" 4
.IX Item "SSL_ERROR_WANT_ASYNC_JOB"
The asynchronous job could not be started because there were no async jobs
available in the pool (see \fBASYNC_init_thread\fR\|(3)). This will only occur if the
mode has been set to \s-1SSL_MODE_ASYNC\s0 using \fBSSL_CTX_set_mode\fR\|(3) or
\&\fBSSL_set_mode\fR\|(3) and a maximum limit has been set on the async job pool
through a call to \fBASYNC_init_thread\fR\|(3). The application should retry the
operation after a currently executing asynchronous operation for the current
thread has completed.
.IP "\s-1SSL_ERROR_WANT_CLIENT_HELLO_CB\s0" 4
.IX Item "SSL_ERROR_WANT_CLIENT_HELLO_CB"
The operation did not complete because an application callback set by
\&\fBSSL_CTX_set_client_hello_cb()\fR has asked to be called again.
The \s-1TLS/SSL I/O\s0 function should be called again later.
Details depend on the application.
.IP "\s-1SSL_ERROR_SYSCALL\s0" 4
.IX Item "SSL_ERROR_SYSCALL"
Some non-recoverable, fatal I/O error occurred. The OpenSSL error queue may
contain more information on the error. For socket I/O on Unix systems, consult
\&\fBerrno\fR for details. If this error occurs then no further I/O operations should
be performed on the connection and \fBSSL_shutdown()\fR must not be called.
.Sp
This value can also be returned for other errors, check the error queue for
details.
.IP "\s-1SSL_ERROR_SSL\s0" 4
.IX Item "SSL_ERROR_SSL"
A non-recoverable, fatal error in the \s-1SSL\s0 library occurred, usually a protocol
error. The OpenSSL error queue contains more information on the error. If this
error occurs then no further I/O operations should be performed on the
connection and \fBSSL_shutdown()\fR must not be called.
.SH "BUGS"
.IX Header "BUGS"
The \fB\s-1SSL_ERROR_SYSCALL\s0\fR with \fBerrno\fR value of 0 indicates unexpected \s-1EOF\s0 from
the peer. This will be properly reported as \fB\s-1SSL_ERROR_SSL\s0\fR with reason
code \fB\s-1SSL_R_UNEXPECTED_EOF_WHILE_READING\s0\fR in the OpenSSL 3.0 release because
it is truly a \s-1TLS\s0 protocol error to terminate the connection without
a \fBSSL_shutdown()\fR.
.PP
The issue is kept unfixed in OpenSSL 1.1.1 releases because many applications
which choose to ignore this protocol error depend on the existing way of
reporting the error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The \s-1SSL_ERROR_WANT_ASYNC\s0 error code was added in OpenSSL 1.1.0.
The \s-1SSL_ERROR_WANT_CLIENT_HELLO_CB\s0 error code was added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_extms_support.3 b/secure/lib/libcrypto/man/man3/SSL_get_extms_support.3
index becef5757900..186bfadca291 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_extms_support.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_extms_support.3
@@ -1,172 +1,172 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_EXTMS_SUPPORT 3"
-.TH SSL_GET_EXTMS_SUPPORT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_GET_EXTMS_SUPPORT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_get_extms_support \- extended master secret support
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_get_extms_support(SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_get_extms_support()\fR indicates whether the current session used extended
master secret.
.PP
This function is implemented as a macro.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_get_extms_support()\fR returns 1 if the current session used extended
master secret, 0 if it did not and \-1 if a handshake is currently in
progress i.e. it is not possible to determine if extended master secret
was used.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_fd.3 b/secure/lib/libcrypto/man/man3/SSL_get_fd.3
index 53e316accd5e..d7bfa8418666 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_fd.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_fd.3
@@ -1,179 +1,179 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_FD 3"
-.TH SSL_GET_FD 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_GET_FD 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_get_fd, SSL_get_rfd, SSL_get_wfd \- get file descriptor linked to an SSL object
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_get_fd(const SSL *ssl);
\& int SSL_get_rfd(const SSL *ssl);
\& int SSL_get_wfd(const SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_get_fd()\fR returns the file descriptor which is linked to \fBssl\fR.
\&\fBSSL_get_rfd()\fR and \fBSSL_get_wfd()\fR return the file descriptors for the
read or the write channel, which can be different. If the read and the
write channel are different, \fBSSL_get_fd()\fR will return the file descriptor
of the read channel.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
.IP "\-1" 4
.IX Item "-1"
The operation failed, because the underlying \s-1BIO\s0 is not of the correct type
(suitable for file descriptors).
.IP ">=0" 4
.IX Item ">=0"
The file descriptor linked to \fBssl\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_set_fd\fR\|(3), \fBssl\fR\|(7) , \fBbio\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_peer_cert_chain.3 b/secure/lib/libcrypto/man/man3/SSL_get_peer_cert_chain.3
index caa0777d297d..ad703463e1b6 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_peer_cert_chain.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_peer_cert_chain.3
@@ -1,201 +1,201 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_PEER_CERT_CHAIN 3"
-.TH SSL_GET_PEER_CERT_CHAIN 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_GET_PEER_CERT_CHAIN 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_get_peer_cert_chain, SSL_get0_verified_chain \- get the X509 certificate chain of the peer
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
\& STACK_OF(X509) *SSL_get0_verified_chain(const SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_get_peer_cert_chain()\fR returns a pointer to \s-1STACK_OF\s0(X509) certificates
forming the certificate chain sent by the peer. If called on the client side,
the stack also contains the peer's certificate; if called on the server
side, the peer's certificate must be obtained separately using
\&\fBSSL_get_peer_certificate\fR\|(3).
If the peer did not present a certificate, \s-1NULL\s0 is returned.
.PP
\&\s-1NB:\s0 \fBSSL_get_peer_cert_chain()\fR returns the peer chain as sent by the peer: it
only consists of certificates the peer has sent (in the order the peer
has sent them) it is \fBnot\fR a verified chain.
.PP
\&\fBSSL_get0_verified_chain()\fR returns the \fBverified\fR certificate chain
of the peer including the peer's end entity certificate. It must be called
after a session has been successfully established. If peer verification was
not successful (as indicated by \fBSSL_get_verify_result()\fR not returning
X509_V_OK) the chain may be incomplete or invalid.
.SH "NOTES"
.IX Header "NOTES"
If the session is resumed peers do not send certificates so a \s-1NULL\s0 pointer
is returned by these functions. Applications can call \fBSSL_session_reused()\fR
to determine whether a session is resumed.
.PP
The reference count of each certificate in the returned \s-1STACK_OF\s0(X509) object
is not incremented and the returned stack may be invalidated by renegotiation.
If applications wish to use any certificates in the returned chain
indefinitely they must increase the reference counts using \fBX509_up_ref()\fR or
obtain a copy of the whole chain with \fBX509_chain_up_ref()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
.IP "\s-1NULL\s0" 4
.IX Item "NULL"
No certificate was presented by the peer or no connection was established
or the certificate chain is no longer available when a session is reused.
.IP "Pointer to a \s-1STACK_OF\s0(X509)" 4
.IX Item "Pointer to a STACK_OF(X509)"
The return value points to the certificate chain presented by the peer.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_get_peer_certificate\fR\|(3), \fBX509_up_ref\fR\|(3),
\&\fBX509_chain_up_ref\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_peer_certificate.3 b/secure/lib/libcrypto/man/man3/SSL_get_peer_certificate.3
index 5ecffe564fe0..68c673995a3f 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_peer_certificate.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_peer_certificate.3
@@ -1,189 +1,189 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_PEER_CERTIFICATE 3"
-.TH SSL_GET_PEER_CERTIFICATE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_GET_PEER_CERTIFICATE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_get_peer_certificate \- get the X509 certificate of the peer
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& X509 *SSL_get_peer_certificate(const SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_get_peer_certificate()\fR returns a pointer to the X509 certificate the
peer presented. If the peer did not present a certificate, \s-1NULL\s0 is returned.
.SH "NOTES"
.IX Header "NOTES"
Due to the protocol definition, a \s-1TLS/SSL\s0 server will always send a
certificate, if present. A client will only send a certificate when
explicitly requested to do so by the server (see
\&\fBSSL_CTX_set_verify\fR\|(3)). If an anonymous cipher
is used, no certificates are sent.
.PP
That a certificate is returned does not indicate information about the
verification state, use \fBSSL_get_verify_result\fR\|(3)
to check the verification state.
.PP
The reference count of the X509 object is incremented by one, so that it
will not be destroyed when the session containing the peer certificate is
freed. The X509 object must be explicitly freed using \fBX509_free()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
.IP "\s-1NULL\s0" 4
.IX Item "NULL"
No certificate was presented by the peer or no connection was established.
.IP "Pointer to an X509 certificate" 4
.IX Item "Pointer to an X509 certificate"
The return value points to the certificate presented by the peer.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_get_verify_result\fR\|(3),
\&\fBSSL_CTX_set_verify\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_peer_signature_nid.3 b/secure/lib/libcrypto/man/man3/SSL_get_peer_signature_nid.3
index 3a15aa00cd8b..4eccb0142fcc 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_peer_signature_nid.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_peer_signature_nid.3
@@ -1,183 +1,183 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_PEER_SIGNATURE_NID 3"
-.TH SSL_GET_PEER_SIGNATURE_NID 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_GET_PEER_SIGNATURE_NID 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_get_peer_signature_nid, SSL_get_peer_signature_type_nid, SSL_get_signature_nid, SSL_get_signature_type_nid \- get TLS message signing types
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_get_peer_signature_nid(SSL *ssl, int *psig_nid);
\& int SSL_get_peer_signature_type_nid(const SSL *ssl, int *psigtype_nid);
\& int SSL_get_signature_nid(SSL *ssl, int *psig_nid);
\& int SSL_get_signature_type_nid(const SSL *ssl, int *psigtype_nid);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_get_peer_signature_nid()\fR sets \fB*psig_nid\fR to the \s-1NID\s0 of the digest used
by the peer to sign \s-1TLS\s0 messages. It is implemented as a macro.
.PP
\&\fBSSL_get_peer_signature_type_nid()\fR sets \fB*psigtype_nid\fR to the signature
type used by the peer to sign \s-1TLS\s0 messages. Currently the signature type
is the \s-1NID\s0 of the public key type used for signing except for \s-1PSS\s0 signing
where it is \fB\s-1EVP_PKEY_RSA_PSS\s0\fR. To differentiate between
\&\fBrsa_pss_rsae_*\fR and \fBrsa_pss_pss_*\fR signatures, it's necessary to check
the type of public key in the peer's certificate.
.PP
\&\fBSSL_get_signature_nid()\fR and \fBSSL_get_signature_type_nid()\fR return the equivalent
information for the local end of the connection.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
These functions return 1 for success and 0 for failure. There are several
possible reasons for failure: the cipher suite has no signature (e.g. it
uses \s-1RSA\s0 key exchange or is anonymous), the \s-1TLS\s0 version is below 1.2 or
the functions were called too early, e.g. before the peer signed a message.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_get_peer_certificate\fR\|(3),
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_peer_tmp_key.3 b/secure/lib/libcrypto/man/man3/SSL_get_peer_tmp_key.3
index efb91c4293a0..d22f9c154c89 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_peer_tmp_key.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_peer_tmp_key.3
@@ -1,183 +1,183 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_PEER_TMP_KEY 3"
-.TH SSL_GET_PEER_TMP_KEY 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_GET_PEER_TMP_KEY 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_get_peer_tmp_key, SSL_get_server_tmp_key, SSL_get_tmp_key \- get information about temporary keys used during a handshake
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& long SSL_get_peer_tmp_key(SSL *ssl, EVP_PKEY **key);
\& long SSL_get_server_tmp_key(SSL *ssl, EVP_PKEY **key);
\& long SSL_get_tmp_key(SSL *ssl, EVP_PKEY **key);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_get_peer_tmp_key()\fR returns the temporary key provided by the peer and
used during key exchange. For example, if \s-1ECDHE\s0 is in use, then this represents
the peer's public \s-1ECDHE\s0 key. On success a pointer to the key is stored in
\&\fB*key\fR. It is the caller's responsibility to free this key after use using
\&\fBEVP_PKEY_free\fR\|(3).
.PP
\&\fBSSL_get_server_tmp_key()\fR is a backwards compatibility alias for
\&\fBSSL_get_peer_tmp_key()\fR.
Under that name it worked just on the client side of the connection, its
behaviour on the server end is release-dependent.
.PP
\&\fBSSL_get_tmp_key()\fR returns the equivalent information for the local
end of the connection.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All these functions return 1 on success and 0 otherwise.
.SH "NOTES"
.IX Header "NOTES"
This function is implemented as a macro.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBEVP_PKEY_free\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_psk_identity.3 b/secure/lib/libcrypto/man/man3/SSL_get_psk_identity.3
index bb72fd9a3565..667418be50ba 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_psk_identity.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_psk_identity.3
@@ -1,173 +1,173 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_PSK_IDENTITY 3"
-.TH SSL_GET_PSK_IDENTITY 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_GET_PSK_IDENTITY 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_get_psk_identity, SSL_get_psk_identity_hint \- get PSK client identity and hint
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& const char *SSL_get_psk_identity_hint(const SSL *ssl);
\& const char *SSL_get_psk_identity(const SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_get_psk_identity_hint()\fR is used to retrieve the \s-1PSK\s0 identity hint
used during the connection setup related to \s-1SSL\s0 object
\&\fBssl\fR. Similarly, \fBSSL_get_psk_identity()\fR is used to retrieve the \s-1PSK\s0
identity used during the connection setup.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
If non\-\fB\s-1NULL\s0\fR, \fBSSL_get_psk_identity_hint()\fR returns the \s-1PSK\s0 identity
hint and \fBSSL_get_psk_identity()\fR returns the \s-1PSK\s0 identity. Both are
\&\fB\s-1NULL\s0\fR\-terminated. \fBSSL_get_psk_identity_hint()\fR may return \fB\s-1NULL\s0\fR if
no \s-1PSK\s0 identity hint was used during the connection setup.
.PP
Note that the return value is valid only during the lifetime of the
\&\s-1SSL\s0 object \fBssl\fR.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_rbio.3 b/secure/lib/libcrypto/man/man3/SSL_get_rbio.3
index cc1868c88f97..e5f34346d014 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_rbio.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_rbio.3
@@ -1,175 +1,175 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_RBIO 3"
-.TH SSL_GET_RBIO 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_GET_RBIO 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_get_rbio, SSL_get_wbio \- get BIO linked to an SSL object
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& BIO *SSL_get_rbio(SSL *ssl);
\& BIO *SSL_get_wbio(SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_get_rbio()\fR and \fBSSL_get_wbio()\fR return pointers to the BIOs for the
read or the write channel, which can be different. The reference count
of the \s-1BIO\s0 is not incremented.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
.IP "\s-1NULL\s0" 4
.IX Item "NULL"
No \s-1BIO\s0 was connected to the \s-1SSL\s0 object
.IP "Any other pointer" 4
.IX Item "Any other pointer"
The \s-1BIO\s0 linked to \fBssl\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_set_bio\fR\|(3), \fBssl\fR\|(7) , \fBbio\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_session.3 b/secure/lib/libcrypto/man/man3/SSL_get_session.3
index 907e4982d337..fe2355d68f7c 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_session.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_session.3
@@ -1,238 +1,238 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_SESSION 3"
-.TH SSL_GET_SESSION 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_GET_SESSION 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_get_session, SSL_get0_session, SSL_get1_session \- retrieve TLS/SSL session data
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& SSL_SESSION *SSL_get_session(const SSL *ssl);
\& SSL_SESSION *SSL_get0_session(const SSL *ssl);
\& SSL_SESSION *SSL_get1_session(SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_get_session()\fR returns a pointer to the \fB\s-1SSL_SESSION\s0\fR actually used in
\&\fBssl\fR. The reference count of the \fB\s-1SSL_SESSION\s0\fR is not incremented, so
that the pointer can become invalid by other operations.
.PP
\&\fBSSL_get0_session()\fR is the same as \fBSSL_get_session()\fR.
.PP
\&\fBSSL_get1_session()\fR is the same as \fBSSL_get_session()\fR, but the reference
count of the \fB\s-1SSL_SESSION\s0\fR is incremented by one.
.SH "NOTES"
.IX Header "NOTES"
The ssl session contains all information required to re-establish the
connection without a full handshake for \s-1SSL\s0 versions up to and including
TLSv1.2. In TLSv1.3 the same is true, but sessions are established after the
main handshake has occurred. The server will send the session information to the
client at a time of its choosing, which may be some while after the initial
connection is established (or never). Calling these functions on the client side
in TLSv1.3 before the session has been established will still return an
\&\s-1SSL_SESSION\s0 object but that object cannot be used for resuming the session. See
\&\fBSSL_SESSION_is_resumable\fR\|(3) for information on how to determine whether an
\&\s-1SSL_SESSION\s0 object can be used for resumption or not.
.PP
Additionally, in TLSv1.3, a server can send multiple messages that establish a
session for a single connection. In that case, on the client side, the above
functions will only return information on the last session that was received. On
the server side they will only return information on the last session that was
sent, or if no session tickets were sent then the session for the current
connection.
.PP
The preferred way for applications to obtain a resumable \s-1SSL_SESSION\s0 object is
to use a new session callback as described in \fBSSL_CTX_sess_set_new_cb\fR\|(3).
The new session callback is only invoked when a session is actually established,
so this avoids the problem described above where an application obtains an
\&\s-1SSL_SESSION\s0 object that cannot be used for resumption in TLSv1.3. It also
enables applications to obtain information about all sessions sent by the
server.
.PP
A session will be automatically removed from the session cache and marked as
non-resumable if the connection is not closed down cleanly, e.g. if a fatal
error occurs on the connection or \fBSSL_shutdown\fR\|(3) is not called prior to
\&\fBSSL_free\fR\|(3).
.PP
In TLSv1.3 it is recommended that each \s-1SSL_SESSION\s0 object is only used for
resumption once.
.PP
\&\fBSSL_get0_session()\fR returns a pointer to the actual session. As the
reference counter is not incremented, the pointer is only valid while
the connection is in use. If \fBSSL_clear\fR\|(3) or
\&\fBSSL_free\fR\|(3) is called, the session may be removed completely
(if considered bad), and the pointer obtained will become invalid. Even
if the session is valid, it can be removed at any time due to timeout
during \fBSSL_CTX_flush_sessions\fR\|(3).
.PP
If the data is to be kept, \fBSSL_get1_session()\fR will increment the reference
count, so that the session will not be implicitly removed by other operations
but stays in memory. In order to remove the session
\&\fBSSL_SESSION_free\fR\|(3) must be explicitly called once
to decrement the reference count again.
.PP
\&\s-1SSL_SESSION\s0 objects keep internal link information about the session cache
list, when being inserted into one \s-1SSL_CTX\s0 object's session cache.
One \s-1SSL_SESSION\s0 object, regardless of its reference count, must therefore
only be used with one \s-1SSL_CTX\s0 object (and the \s-1SSL\s0 objects created
from this \s-1SSL_CTX\s0 object).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
.IP "\s-1NULL\s0" 4
.IX Item "NULL"
There is no session available in \fBssl\fR.
.IP "Pointer to an \s-1SSL_SESSION\s0" 4
.IX Item "Pointer to an SSL_SESSION"
The return value points to the data of an \s-1SSL\s0 session.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_free\fR\|(3),
\&\fBSSL_clear\fR\|(3),
\&\fBSSL_SESSION_free\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_shared_sigalgs.3 b/secure/lib/libcrypto/man/man3/SSL_get_shared_sigalgs.3
index 1b89385b79e0..d01f1c174d9b 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_shared_sigalgs.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_shared_sigalgs.3
@@ -1,219 +1,219 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_SHARED_SIGALGS 3"
-.TH SSL_GET_SHARED_SIGALGS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_GET_SHARED_SIGALGS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_get_shared_sigalgs, SSL_get_sigalgs \- get supported signature algorithms
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_get_shared_sigalgs(SSL *s, int idx,
\& int *psign, int *phash, int *psignhash,
\& unsigned char *rsig, unsigned char *rhash);
\&
\& int SSL_get_sigalgs(SSL *s, int idx,
\& int *psign, int *phash, int *psignhash,
\& unsigned char *rsig, unsigned char *rhash);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_get_shared_sigalgs()\fR returns information about the shared signature
algorithms supported by peer \fBs\fR. The parameter \fBidx\fR indicates the index
of the shared signature algorithm to return starting from zero. The signature
algorithm \s-1NID\s0 is written to \fB*psign\fR, the hash \s-1NID\s0 to \fB*phash\fR and the
sign and hash \s-1NID\s0 to \fB*psignhash\fR. The raw signature and hash values
are written to \fB*rsig\fR and \fB*rhash\fR.
.PP
\&\fBSSL_get_sigalgs()\fR is similar to \fBSSL_get_shared_sigalgs()\fR except it returns
information about all signature algorithms supported by \fBs\fR in the order
they were sent by the peer.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_get_shared_sigalgs()\fR and \fBSSL_get_sigalgs()\fR return the number of
signature algorithms or \fB0\fR if the \fBidx\fR parameter is out of range.
.SH "NOTES"
.IX Header "NOTES"
These functions are typically called for debugging purposes (to report
the peer's preferences) or where an application wants finer control over
certificate selection. Most applications will rely on internal handling
and will not need to call them.
.PP
If an application is only interested in the highest preference shared
signature algorithm it can just set \fBidx\fR to zero.
.PP
Any or all of the parameters \fBpsign\fR, \fBphash\fR, \fBpsignhash\fR, \fBrsig\fR or
\&\fBrhash\fR can be set to \fB\s-1NULL\s0\fR if the value is not required. By setting
them all to \fB\s-1NULL\s0\fR and setting \fBidx\fR to zero the total number of
signature algorithms can be determined: which can be zero.
.PP
These functions must be called after the peer has sent a list of supported
signature algorithms: after a client hello (for servers) or a certificate
request (for clients). They can (for example) be called in the certificate
callback.
.PP
Only \s-1TLS 1.2, TLS 1.3\s0 and \s-1DTLS 1.2\s0 currently support signature algorithms.
If these
functions are called on an earlier version of \s-1TLS\s0 or \s-1DTLS\s0 zero is returned.
.PP
The shared signature algorithms returned by \fBSSL_get_shared_sigalgs()\fR are
ordered according to configuration and peer preferences.
.PP
The raw values correspond to the on the wire form as defined by \s-1RFC5246\s0 et al.
The NIDs are OpenSSL equivalents. For example if the peer sent \fBsha256\fR\|(4) and
\&\fBrsa\fR\|(1) then \fB*rhash\fR would be 4, \fB*rsign\fR 1, \fB*phash\fR NID_sha256, \fB*psig\fR
NID_rsaEncryption and \fB*psighash\fR NID_sha256WithRSAEncryption.
.PP
If a signature algorithm is not recognised the corresponding NIDs
will be set to \fBNID_undef\fR. This may be because the value is not supported,
is not an appropriate combination (for example \s-1MD5\s0 and \s-1DSA\s0) or the
signature algorithm does not use a hash (for example Ed25519).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_CTX_set_cert_cb\fR\|(3),
\&\fBssl\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_verify_result.3 b/secure/lib/libcrypto/man/man3/SSL_get_verify_result.3
index 7d41069ae8cc..d66648ce1f75 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_verify_result.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_verify_result.3
@@ -1,190 +1,190 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_VERIFY_RESULT 3"
-.TH SSL_GET_VERIFY_RESULT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_GET_VERIFY_RESULT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_get_verify_result \- get result of peer certificate verification
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& long SSL_get_verify_result(const SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_get_verify_result()\fR returns the result of the verification of the
X509 certificate presented by the peer, if any.
.SH "NOTES"
.IX Header "NOTES"
\&\fBSSL_get_verify_result()\fR can only return one error code while the verification
of a certificate can fail because of many reasons at the same time. Only
the last verification error that occurred during the processing is available
from \fBSSL_get_verify_result()\fR.
.PP
The verification result is part of the established session and is restored
when a session is reused.
.SH "BUGS"
.IX Header "BUGS"
If no peer certificate was presented, the returned result code is
X509_V_OK. This is because no verification error occurred, it does however
not indicate success. \fBSSL_get_verify_result()\fR is only useful in connection
with \fBSSL_get_peer_certificate\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can currently occur:
.IP "X509_V_OK" 4
.IX Item "X509_V_OK"
The verification succeeded or no peer certificate was presented.
.IP "Any other value" 4
.IX Item "Any other value"
Documented in \fBverify\fR\|(1).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_set_verify_result\fR\|(3),
\&\fBSSL_get_peer_certificate\fR\|(3),
\&\fBverify\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_get_version.3 b/secure/lib/libcrypto/man/man3/SSL_get_version.3
index aece55105e37..4f306478c36f 100644
--- a/secure/lib/libcrypto/man/man3/SSL_get_version.3
+++ b/secure/lib/libcrypto/man/man3/SSL_get_version.3
@@ -1,221 +1,221 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_GET_VERSION 3"
-.TH SSL_GET_VERSION 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_GET_VERSION 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_client_version, SSL_get_version, SSL_is_dtls, SSL_version \- get the protocol information of a connection
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_client_version(const SSL *s);
\&
\& const char *SSL_get_version(const SSL *ssl);
\&
\& int SSL_is_dtls(const SSL *ssl);
\&
\& int SSL_version(const SSL *s);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_client_version()\fR returns the numeric protocol version advertised by the
client in the legacy_version field of the ClientHello when initiating the
connection. Note that, for \s-1TLS,\s0 this value will never indicate a version greater
than TLSv1.2 even if TLSv1.3 is subsequently negotiated. \fBSSL_get_version()\fR
returns the name of the protocol used for the connection. \fBSSL_version()\fR returns
the numeric protocol version used for the connection. They should only be called
after the initial handshake has been completed. Prior to that the results
returned from these functions may be unreliable.
.PP
\&\fBSSL_is_dtls()\fR returns one if the connection is using \s-1DTLS,\s0 zero if not.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_get_version()\fR returns one of the following strings:
.IP "SSLv3" 4
.IX Item "SSLv3"
The connection uses the SSLv3 protocol.
.IP "TLSv1" 4
.IX Item "TLSv1"
The connection uses the TLSv1.0 protocol.
.IP "TLSv1.1" 4
.IX Item "TLSv1.1"
The connection uses the TLSv1.1 protocol.
.IP "TLSv1.2" 4
.IX Item "TLSv1.2"
The connection uses the TLSv1.2 protocol.
.IP "TLSv1.3" 4
.IX Item "TLSv1.3"
The connection uses the TLSv1.3 protocol.
.IP "unknown" 4
.IX Item "unknown"
This indicates an unknown protocol version.
.PP
\&\fBSSL_version()\fR and \fBSSL_client_version()\fR return an integer which could include any
of the following:
.IP "\s-1SSL3_VERSION\s0" 4
.IX Item "SSL3_VERSION"
The connection uses the SSLv3 protocol.
.IP "\s-1TLS1_VERSION\s0" 4
.IX Item "TLS1_VERSION"
The connection uses the TLSv1.0 protocol.
.IP "\s-1TLS1_1_VERSION\s0" 4
.IX Item "TLS1_1_VERSION"
The connection uses the TLSv1.1 protocol.
.IP "\s-1TLS1_2_VERSION\s0" 4
.IX Item "TLS1_2_VERSION"
The connection uses the TLSv1.2 protocol.
.IP "\s-1TLS1_3_VERSION\s0" 4
.IX Item "TLS1_3_VERSION"
The connection uses the TLSv1.3 protocol (never returned for
\&\fBSSL_client_version()\fR).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_is_dtls()\fR function was added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_in_init.3 b/secure/lib/libcrypto/man/man3/SSL_in_init.3
index 08d0dbc80455..c40760f5509f 100644
--- a/secure/lib/libcrypto/man/man3/SSL_in_init.3
+++ b/secure/lib/libcrypto/man/man3/SSL_in_init.3
@@ -1,227 +1,227 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_IN_INIT 3"
-.TH SSL_IN_INIT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_IN_INIT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_in_before, SSL_in_init, SSL_is_init_finished, SSL_in_connect_init, SSL_in_accept_init, SSL_get_state \&\- retrieve information about the handshake state machine
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_in_init(const SSL *s);
\& int SSL_in_before(const SSL *s);
\& int SSL_is_init_finished(const SSL *s);
\&
\& int SSL_in_connect_init(SSL *s);
\& int SSL_in_accept_init(SSL *s);
\&
\& OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_in_init()\fR returns 1 if the \s-1SSL/TLS\s0 state machine is currently processing or
awaiting handshake messages, or 0 otherwise.
.PP
\&\fBSSL_in_before()\fR returns 1 if no \s-1SSL/TLS\s0 handshake has yet been initiated, or 0
otherwise.
.PP
\&\fBSSL_is_init_finished()\fR returns 1 if the \s-1SSL/TLS\s0 connection is in a state where
fully protected application data can be transferred or 0 otherwise.
.PP
Note that in some circumstances (such as when early data is being transferred)
\&\fBSSL_in_init()\fR, \fBSSL_in_before()\fR and \fBSSL_is_init_finished()\fR can all return 0.
.PP
\&\fBSSL_in_connect_init()\fR returns 1 if \fBs\fR is acting as a client and \fBSSL_in_init()\fR
would return 1, or 0 otherwise.
.PP
\&\fBSSL_in_accept_init()\fR returns 1 if \fBs\fR is acting as a server and \fBSSL_in_init()\fR
would return 1, or 0 otherwise.
.PP
\&\fBSSL_in_connect_init()\fR and \fBSSL_in_accept_init()\fR are implemented as macros.
.PP
\&\fBSSL_get_state()\fR returns a value indicating the current state of the handshake
state machine. \s-1OSSL_HANDSHAKE_STATE\s0 is an enumerated type where each value
indicates a discrete state machine state. Note that future versions of OpenSSL
may define more states so applications should expect to receive unrecognised
state values. The naming format is made up of a number of elements as follows:
.PP
\&\fBprotocol\fR_ST_\fBrole\fR_\fBmessage\fR
.PP
\&\fBprotocol\fR is one of \s-1TLS\s0 or \s-1DTLS. DTLS\s0 is used where a state is specific to the
\&\s-1DTLS\s0 protocol. Otherwise \s-1TLS\s0 is used.
.PP
\&\fBrole\fR is one of \s-1CR, CW, SR\s0 or \s-1SW\s0 to indicate \*(L"client reading\*(R",
\&\*(L"client writing\*(R", \*(L"server reading\*(R" or \*(L"server writing\*(R" respectively.
.PP
\&\fBmessage\fR is the name of a handshake message that is being or has been sent, or
is being or has been processed.
.PP
Additionally there are some special states that do not conform to the above
format. These are:
.IP "\s-1TLS_ST_BEFORE\s0" 4
.IX Item "TLS_ST_BEFORE"
No handshake messages have yet been been sent or received.
.IP "\s-1TLS_ST_OK\s0" 4
.IX Item "TLS_ST_OK"
Handshake message sending/processing has completed.
.IP "\s-1TLS_ST_EARLY_DATA\s0" 4
.IX Item "TLS_ST_EARLY_DATA"
Early data is being processed
.IP "\s-1TLS_ST_PENDING_EARLY_DATA_END\s0" 4
.IX Item "TLS_ST_PENDING_EARLY_DATA_END"
Awaiting the end of early data processing
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_in_init()\fR, \fBSSL_in_before()\fR, \fBSSL_is_init_finished()\fR, \fBSSL_in_connect_init()\fR
and \fBSSL_in_accept_init()\fR return values as indicated above.
.PP
\&\fBSSL_get_state()\fR returns the current handshake state.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_read_early_data\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_key_update.3 b/secure/lib/libcrypto/man/man3/SSL_key_update.3
index 87115f3f9f58..500b1ea11a21 100644
--- a/secure/lib/libcrypto/man/man3/SSL_key_update.3
+++ b/secure/lib/libcrypto/man/man3/SSL_key_update.3
@@ -1,236 +1,236 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_KEY_UPDATE 3"
-.TH SSL_KEY_UPDATE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_KEY_UPDATE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_key_update, SSL_get_key_update_type, SSL_renegotiate, SSL_renegotiate_abbreviated, SSL_renegotiate_pending \&\- initiate and obtain information about updating connection keys
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_key_update(SSL *s, int updatetype);
\& int SSL_get_key_update_type(const SSL *s);
\&
\& int SSL_renegotiate(SSL *s);
\& int SSL_renegotiate_abbreviated(SSL *s);
\& int SSL_renegotiate_pending(const SSL *s);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_key_update()\fR schedules an update of the keys for the current \s-1TLS\s0 connection.
If the \fBupdatetype\fR parameter is set to \fB\s-1SSL_KEY_UPDATE_NOT_REQUESTED\s0\fR then
the sending keys for this connection will be updated and the peer will be
informed of the change. If the \fBupdatetype\fR parameter is set to
\&\fB\s-1SSL_KEY_UPDATE_REQUESTED\s0\fR then the sending keys for this connection will be
updated and the peer will be informed of the change along with a request for the
peer to additionally update its sending keys. It is an error if \fBupdatetype\fR is
set to \fB\s-1SSL_KEY_UPDATE_NONE\s0\fR.
.PP
\&\fBSSL_key_update()\fR must only be called after the initial handshake has been
completed and TLSv1.3 has been negotiated. The key update will not take place
until the next time an \s-1IO\s0 operation such as \fBSSL_read_ex()\fR or \fBSSL_write_ex()\fR
takes place on the connection. Alternatively \fBSSL_do_handshake()\fR can be called to
force the update to take place immediately.
.PP
\&\fBSSL_get_key_update_type()\fR can be used to determine whether a key update
operation has been scheduled but not yet performed. The type of the pending key
update operation will be returned if there is one, or \s-1SSL_KEY_UPDATE_NONE\s0
otherwise.
.PP
\&\fBSSL_renegotiate()\fR and \fBSSL_renegotiate_abbreviated()\fR should only be called for
connections that have negotiated TLSv1.2 or less. Calling them on any other
connection will result in an error.
.PP
When called from the client side, \fBSSL_renegotiate()\fR schedules a completely new
handshake over an existing \s-1SSL/TLS\s0 connection. The next time an \s-1IO\s0 operation
such as \fBSSL_read_ex()\fR or \fBSSL_write_ex()\fR takes place on the connection a check
will be performed to confirm that it is a suitable time to start a
renegotiation. If so, then it will be initiated immediately. OpenSSL will not
attempt to resume any session associated with the connection in the new
handshake.
.PP
When called from the client side, \fBSSL_renegotiate_abbreviated()\fR works in the
same was as \fBSSL_renegotiate()\fR except that OpenSSL will attempt to resume the
session associated with the current connection in the new handshake.
.PP
When called from the server side, \fBSSL_renegotiate()\fR and
\&\fBSSL_renegotiate_abbreviated()\fR behave identically. They both schedule a request
for a new handshake to be sent to the client. The next time an \s-1IO\s0 operation is
performed then the same checks as on the client side are performed and then, if
appropriate, the request is sent. The client may or may not respond with a new
handshake and it may or may not attempt to resume an existing session. If
a new handshake is started then this will be handled transparently by calling
any OpenSSL \s-1IO\s0 function.
.PP
If an OpenSSL client receives a renegotiation request from a server then again
this will be handled transparently through calling any OpenSSL \s-1IO\s0 function. For
a \s-1TLS\s0 connection the client will attempt to resume the current session in the
new handshake. For historical reasons, \s-1DTLS\s0 clients will not attempt to resume
the session in the new handshake.
.PP
The \fBSSL_renegotiate_pending()\fR function returns 1 if a renegotiation or
renegotiation request has been scheduled but not yet acted on, or 0 otherwise.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_key_update()\fR, \fBSSL_renegotiate()\fR and \fBSSL_renegotiate_abbreviated()\fR return 1
on success or 0 on error.
.PP
\&\fBSSL_get_key_update_type()\fR returns the update type of the pending key update
operation or \s-1SSL_KEY_UPDATE_NONE\s0 if there is none.
.PP
\&\fBSSL_renegotiate_pending()\fR returns 1 if a renegotiation or renegotiation request
has been scheduled but not yet acted on, or 0 otherwise.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_read_ex\fR\|(3),
\&\fBSSL_write_ex\fR\|(3),
\&\fBSSL_do_handshake\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_key_update()\fR and \fBSSL_get_key_update_type()\fR functions were added in
OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_library_init.3 b/secure/lib/libcrypto/man/man3/SSL_library_init.3
index 804c914b1042..5cd5abebbd02 100644
--- a/secure/lib/libcrypto/man/man3/SSL_library_init.3
+++ b/secure/lib/libcrypto/man/man3/SSL_library_init.3
@@ -1,185 +1,185 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_LIBRARY_INIT 3"
-.TH SSL_LIBRARY_INIT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_LIBRARY_INIT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_library_init, OpenSSL_add_ssl_algorithms \&\- initialize SSL library by registering algorithms
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_library_init(void);
\&
\& int OpenSSL_add_ssl_algorithms(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_library_init()\fR registers the available \s-1SSL/TLS\s0 ciphers and digests.
.PP
\&\fBOpenSSL_add_ssl_algorithms()\fR is a synonym for \fBSSL_library_init()\fR and is
implemented as a macro.
.SH "NOTES"
.IX Header "NOTES"
\&\fBSSL_library_init()\fR must be called before any other action takes place.
\&\fBSSL_library_init()\fR is not reentrant.
.SH "WARNINGS"
.IX Header "WARNINGS"
\&\fBSSL_library_init()\fR adds ciphers and digests used directly and indirectly by
\&\s-1SSL/TLS.\s0
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_library_init()\fR always returns \*(L"1\*(R", so it is safe to discard the return
value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBRAND_add\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_library_init()\fR and \fBOpenSSL_add_ssl_algorithms()\fR functions were
deprecated in OpenSSL 1.1.0 by \fBOPENSSL_init_ssl()\fR.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_load_client_CA_file.3 b/secure/lib/libcrypto/man/man3/SSL_load_client_CA_file.3
index 2726e73c7cf9..2e4cec34e823 100644
--- a/secure/lib/libcrypto/man/man3/SSL_load_client_CA_file.3
+++ b/secure/lib/libcrypto/man/man3/SSL_load_client_CA_file.3
@@ -1,209 +1,209 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_LOAD_CLIENT_CA_FILE 3"
-.TH SSL_LOAD_CLIENT_CA_FILE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_LOAD_CLIENT_CA_FILE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_load_client_CA_file, SSL_add_file_cert_subjects_to_stack, SSL_add_dir_cert_subjects_to_stack \&\- load certificate names
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);
\&
\& int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
\& const char *file)
\& int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
\& const char *dir)
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_load_client_CA_file()\fR reads certificates from \fIfile\fR and returns
a \s-1STACK_OF\s0(X509_NAME) with the subject names found.
.PP
\&\fBSSL_add_file_cert_subjects_to_stack()\fR reads certificates from \fIfile\fR,
and adds their subject name to the already existing \fIstack\fR.
.PP
\&\fBSSL_add_dir_cert_subjects_to_stack()\fR reads certificates from every
file in the directory \fIdir\fR, and adds their subject name to the
already existing \fIstack\fR.
.SH "NOTES"
.IX Header "NOTES"
\&\fBSSL_load_client_CA_file()\fR reads a file of \s-1PEM\s0 formatted certificates and
extracts the X509_NAMES of the certificates found. While the name suggests
the specific usage as support function for
\&\fBSSL_CTX_set_client_CA_list\fR\|(3),
it is not limited to \s-1CA\s0 certificates.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
.IP "\s-1NULL\s0" 4
.IX Item "NULL"
The operation failed, check out the error stack for the reason.
.IP "Pointer to \s-1STACK_OF\s0(X509_NAME)" 4
.IX Item "Pointer to STACK_OF(X509_NAME)"
Pointer to the subject names of the successfully read certificates.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Load names of CAs from file and use it as a client \s-1CA\s0 list:
.PP
.Vb 2
\& SSL_CTX *ctx;
\& STACK_OF(X509_NAME) *cert_names;
\&
\& ...
\& cert_names = SSL_load_client_CA_file("/path/to/CAfile.pem");
\& if (cert_names != NULL)
\& SSL_CTX_set_client_CA_list(ctx, cert_names);
\& else
\& /* error */
\& ...
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7),
\&\fBSSL_CTX_set_client_CA_list\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_new.3 b/secure/lib/libcrypto/man/man3/SSL_new.3
index d1546eefd94b..bb97375c407d 100644
--- a/secure/lib/libcrypto/man/man3/SSL_new.3
+++ b/secure/lib/libcrypto/man/man3/SSL_new.3
@@ -1,252 +1,252 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_NEW 3"
-.TH SSL_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_dup, SSL_new, SSL_up_ref \- create an SSL structure for a connection
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& SSL *SSL_dup(SSL *s);
\& SSL *SSL_new(SSL_CTX *ctx);
\& int SSL_up_ref(SSL *s);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_new()\fR creates a new \fB\s-1SSL\s0\fR structure which is needed to hold the
data for a \s-1TLS/SSL\s0 connection. The new structure inherits the settings
of the underlying context \fBctx\fR: connection method,
options, verification settings, timeout settings. An \fB\s-1SSL\s0\fR structure is
reference counted. Creating an \fB\s-1SSL\s0\fR structure for the first time increments
the reference count. Freeing it (using SSL_free) decrements it. When the
reference count drops to zero, any memory or resources allocated to the \fB\s-1SSL\s0\fR
structure are freed.
.PP
\&\fBSSL_up_ref()\fR increments the reference count for an
existing \fB\s-1SSL\s0\fR structure.
.PP
The function \fBSSL_dup()\fR creates and returns a new \fB\s-1SSL\s0\fR structure from the same
\&\fB\s-1SSL_CTX\s0\fR that was used to create \fIs\fR. It additionally duplicates a subset of
the settings in \fIs\fR into the new \fB\s-1SSL\s0\fR object.
.PP
For \fBSSL_dup()\fR to work, the connection \s-1MUST\s0 be in its initial state and
\&\s-1MUST NOT\s0 have yet started the \s-1SSL\s0 handshake. For connections that are not in
their initial state \fBSSL_dup()\fR just increments an internal
reference count and returns the \fIsame\fR handle. It may be possible to
use \fBSSL_clear\fR\|(3) to recycle an \s-1SSL\s0 handle that is not in its initial
state for re-use, but this is best avoided. Instead, save and restore
the session, if desired, and construct a fresh handle for each connection.
.PP
The subset of settings in \fIs\fR that are duplicated are:
.IP "any session data if configured (including the session_id_context)" 4
.IX Item "any session data if configured (including the session_id_context)"
.PD 0
.IP "any tmp_dh settings set via \fBSSL_set_tmp_dh\fR\|(3), \fBSSL_set_tmp_dh_callback\fR\|(3), or \fBSSL_set_dh_auto\fR\|(3)" 4
.IX Item "any tmp_dh settings set via SSL_set_tmp_dh, SSL_set_tmp_dh_callback, or SSL_set_dh_auto"
.IP "any configured certificates, private keys or certificate chains" 4
.IX Item "any configured certificates, private keys or certificate chains"
.IP "any configured signature algorithms, or client signature algorithms" 4
.IX Item "any configured signature algorithms, or client signature algorithms"
.IP "any \s-1DANE\s0 settings" 4
.IX Item "any DANE settings"
.IP "any Options set via \fBSSL_set_options\fR\|(3)" 4
.IX Item "any Options set via SSL_set_options"
.IP "any Mode set via \fBSSL_set_mode\fR\|(3)" 4
.IX Item "any Mode set via SSL_set_mode"
.IP "any minimum or maximum protocol settings set via \fBSSL_set_min_proto_version\fR\|(3) or \fBSSL_set_max_proto_version\fR\|(3) (Note: Only from OpenSSL 1.1.1h and above)" 4
.IX Item "any minimum or maximum protocol settings set via SSL_set_min_proto_version or SSL_set_max_proto_version (Note: Only from OpenSSL 1.1.1h and above)"
.IP "any Verify mode, callback or depth set via \fBSSL_set_verify\fR\|(3) or \fBSSL_set_verify_depth\fR\|(3) or any configured X509 verification parameters" 4
.IX Item "any Verify mode, callback or depth set via SSL_set_verify or SSL_set_verify_depth or any configured X509 verification parameters"
.IP "any msg callback or info callback set via \fBSSL_set_msg_callback\fR\|(3) or \fBSSL_set_info_callback\fR\|(3)" 4
.IX Item "any msg callback or info callback set via SSL_set_msg_callback or SSL_set_info_callback"
.IP "any default password callback set via \fBSSL_set_default_passwd_cb\fR\|(3)" 4
.IX Item "any default password callback set via SSL_set_default_passwd_cb"
.IP "any session id generation callback set via \fBSSL_set_generate_session_id\fR\|(3)" 4
.IX Item "any session id generation callback set via SSL_set_generate_session_id"
.IP "any configured Cipher List" 4
.IX Item "any configured Cipher List"
.IP "initial accept (server) or connect (client) state" 4
.IX Item "initial accept (server) or connect (client) state"
.IP "the max cert list value set via \fBSSL_set_max_cert_list\fR\|(3)" 4
.IX Item "the max cert list value set via SSL_set_max_cert_list"
.IP "the read_ahead value set via \fBSSL_set_read_ahead\fR\|(3)" 4
.IX Item "the read_ahead value set via SSL_set_read_ahead"
.IP "application specific data set via \fBSSL_set_ex_data\fR\|(3)" 4
.IX Item "application specific data set via SSL_set_ex_data"
.IP "any \s-1CA\s0 list or client \s-1CA\s0 list set via \fBSSL_set0_CA_list\fR\|(3), \fBSSL_set0_client_CA_list()\fR or similar functions" 4
.IX Item "any CA list or client CA list set via SSL_set0_CA_list, SSL_set0_client_CA_list() or similar functions"
.IP "any security level settings or callbacks" 4
.IX Item "any security level settings or callbacks"
.IP "any configured serverinfo data" 4
.IX Item "any configured serverinfo data"
.IP "any configured \s-1PSK\s0 identity hint" 4
.IX Item "any configured PSK identity hint"
.IP "any configured custom extensions" 4
.IX Item "any configured custom extensions"
.IP "any client certificate types configured via SSL_set1_client_certificate_types" 4
.IX Item "any client certificate types configured via SSL_set1_client_certificate_types"
.PD
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
.IP "\s-1NULL\s0" 4
.IX Item "NULL"
The creation of a new \s-1SSL\s0 structure failed. Check the error stack to
find out the reason.
.IP "Pointer to an \s-1SSL\s0 structure" 4
.IX Item "Pointer to an SSL structure"
The return value points to an allocated \s-1SSL\s0 structure.
.Sp
\&\fBSSL_up_ref()\fR returns 1 for success and 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_free\fR\|(3), \fBSSL_clear\fR\|(3),
\&\fBSSL_CTX_set_options\fR\|(3),
\&\fBSSL_get_SSL_CTX\fR\|(3),
\&\fBssl\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_pending.3 b/secure/lib/libcrypto/man/man3/SSL_pending.3
index 6d16437de0d1..8a82593fc11e 100644
--- a/secure/lib/libcrypto/man/man3/SSL_pending.3
+++ b/secure/lib/libcrypto/man/man3/SSL_pending.3
@@ -1,199 +1,199 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_PENDING 3"
-.TH SSL_PENDING 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_PENDING 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_pending, SSL_has_pending \- check for readable bytes buffered in an SSL object
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_pending(const SSL *ssl);
\& int SSL_has_pending(const SSL *s);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Data is received in whole blocks known as records from the peer. A whole record
is processed (e.g. decrypted) in one go and is buffered by OpenSSL until it is
read by the application via a call to \fBSSL_read_ex\fR\|(3) or \fBSSL_read\fR\|(3).
.PP
\&\fBSSL_pending()\fR returns the number of bytes which have been processed, buffered
and are available inside \fBssl\fR for immediate read.
.PP
If the \fB\s-1SSL\s0\fR object's \fIread_ahead\fR flag is set (see
\&\fBSSL_CTX_set_read_ahead\fR\|(3)), additional protocol bytes (beyond the current
record) may have been read containing more \s-1TLS/SSL\s0 records. This also applies to
\&\s-1DTLS\s0 and pipelining (see \fBSSL_CTX_set_split_send_fragment\fR\|(3)). These
additional bytes will be buffered by OpenSSL but will remain unprocessed until
they are needed. As these bytes are still in an unprocessed state \fBSSL_pending()\fR
will ignore them. Therefore, it is possible for no more bytes to be readable from
the underlying \s-1BIO\s0 (because OpenSSL has already read them) and for \fBSSL_pending()\fR
to return 0, even though readable application data bytes are available (because
the data is in unprocessed buffered records).
.PP
\&\fBSSL_has_pending()\fR returns 1 if \fBs\fR has buffered data (whether processed or
unprocessed) and 0 otherwise. Note that it is possible for \fBSSL_has_pending()\fR to
return 1, and then a subsequent call to \fBSSL_read_ex()\fR or \fBSSL_read()\fR to return no
data because the unprocessed buffered data when processed yielded no application
data (for example this can happen during renegotiation). It is also possible in
this scenario for \fBSSL_has_pending()\fR to continue to return 1 even after an
\&\fBSSL_read_ex()\fR or \fBSSL_read()\fR call because the buffered and unprocessed data is
not yet processable (e.g. because OpenSSL has only received a partial record so
far).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_pending()\fR returns the number of buffered and processed application data
bytes that are pending and are available for immediate read. \fBSSL_has_pending()\fR
returns 1 if there is buffered record data in the \s-1SSL\s0 object and 0 otherwise.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_read_ex\fR\|(3), \fBSSL_read\fR\|(3), \fBSSL_CTX_set_read_ahead\fR\|(3),
\&\fBSSL_CTX_set_split_send_fragment\fR\|(3), \fBssl\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_has_pending()\fR function was added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_read.3 b/secure/lib/libcrypto/man/man3/SSL_read.3
index d975ab6485bf..a0b19713f074 100644
--- a/secure/lib/libcrypto/man/man3/SSL_read.3
+++ b/secure/lib/libcrypto/man/man3/SSL_read.3
@@ -1,275 +1,275 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_READ 3"
-.TH SSL_READ 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_READ 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_read_ex, SSL_read, SSL_peek_ex, SSL_peek \&\- read bytes from a TLS/SSL connection
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_read_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes);
\& int SSL_read(SSL *ssl, void *buf, int num);
\&
\& int SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes);
\& int SSL_peek(SSL *ssl, void *buf, int num);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_read_ex()\fR and \fBSSL_read()\fR try to read \fBnum\fR bytes from the specified \fBssl\fR
into the buffer \fBbuf\fR. On success \fBSSL_read_ex()\fR will store the number of bytes
actually read in \fB*readbytes\fR.
.PP
\&\fBSSL_peek_ex()\fR and \fBSSL_peek()\fR are identical to \fBSSL_read_ex()\fR and \fBSSL_read()\fR
respectively except no bytes are actually removed from the underlying \s-1BIO\s0 during
the read, so that a subsequent call to \fBSSL_read_ex()\fR or \fBSSL_read()\fR will yield
at least the same bytes.
.SH "NOTES"
.IX Header "NOTES"
In the paragraphs below a \*(L"read function\*(R" is defined as one of \fBSSL_read_ex()\fR,
\&\fBSSL_read()\fR, \fBSSL_peek_ex()\fR or \fBSSL_peek()\fR.
.PP
If necessary, a read function will negotiate a \s-1TLS/SSL\s0 session, if not already
explicitly performed by \fBSSL_connect\fR\|(3) or \fBSSL_accept\fR\|(3). If the
peer requests a re-negotiation, it will be performed transparently during
the read function operation. The behaviour of the read functions depends on the
underlying \s-1BIO.\s0
.PP
For the transparent negotiation to succeed, the \fBssl\fR must have been
initialized to client or server mode. This is being done by calling
\&\fBSSL_set_connect_state\fR\|(3) or \fBSSL_set_accept_state()\fR before the first
invocation of a read function.
.PP
The read functions work based on the \s-1SSL/TLS\s0 records. The data are received in
records (with a maximum record size of 16kB). Only when a record has been
completely received, can it be processed (decryption and check of integrity).
Therefore, data that was not retrieved at the last read call can still be
buffered inside the \s-1SSL\s0 layer and will be retrieved on the next read
call. If \fBnum\fR is higher than the number of bytes buffered then the read
functions will return with the bytes buffered. If no more bytes are in the
buffer, the read functions will trigger the processing of the next record.
Only when the record has been received and processed completely will the read
functions return reporting success. At most the contents of one record will
be returned. As the size of an \s-1SSL/TLS\s0 record may exceed the maximum packet size
of the underlying transport (e.g. \s-1TCP\s0), it may be necessary to read several
packets from the transport layer before the record is complete and the read call
can succeed.
.PP
If \fB\s-1SSL_MODE_AUTO_RETRY\s0\fR has been switched off and a non-application data
record has been processed, the read function can return and set the error to
\&\fB\s-1SSL_ERROR_WANT_READ\s0\fR.
In this case there might still be unprocessed data available in the \fB\s-1BIO\s0\fR.
If read ahead was set using \fBSSL_CTX_set_read_ahead\fR\|(3), there might also still
be unprocessed data available in the \fB\s-1SSL\s0\fR.
This behaviour can be controlled using the \fBSSL_CTX_set_mode\fR\|(3) call.
.PP
If the underlying \s-1BIO\s0 is \fBblocking\fR, a read function will only return once the
read operation has been finished or an error occurred, except when a
non-application data record has been processed and \fB\s-1SSL_MODE_AUTO_RETRY\s0\fR is
not set.
Note that if \fB\s-1SSL_MODE_AUTO_RETRY\s0\fR is set and only non-application data is
available the call will hang.
.PP
If the underlying \s-1BIO\s0 is \fBnonblocking\fR, a read function will also return when
the underlying \s-1BIO\s0 could not satisfy the needs of the function to continue the
operation.
In this case a call to \fBSSL_get_error\fR\|(3) with the
return value of the read function will yield \fB\s-1SSL_ERROR_WANT_READ\s0\fR or
\&\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR.
As at any time it's possible that non-application data needs to be sent,
a read function can also cause write operations.
The calling process then must repeat the call after taking appropriate action
to satisfy the needs of the read function.
The action depends on the underlying \s-1BIO.\s0
When using a nonblocking socket, nothing is to be done, but \fBselect()\fR can be
used to check for the required condition.
When using a buffering \s-1BIO,\s0 like a \s-1BIO\s0 pair, data must be written into or
retrieved out of the \s-1BIO\s0 before being able to continue.
.PP
\&\fBSSL_pending\fR\|(3) can be used to find out whether there
are buffered bytes available for immediate retrieval.
In this case the read function can be called without blocking or actually
receiving new data from the underlying socket.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_read_ex()\fR and \fBSSL_peek_ex()\fR will return 1 for success or 0 for failure.
Success means that 1 or more application data bytes have been read from the \s-1SSL\s0
connection.
Failure means that no bytes could be read from the \s-1SSL\s0 connection.
Failures can be retryable (e.g. we are waiting for more bytes to
be delivered by the network) or non-retryable (e.g. a fatal network error).
In the event of a failure call \fBSSL_get_error\fR\|(3) to find out the reason which
indicates whether the call is retryable or not.
.PP
For \fBSSL_read()\fR and \fBSSL_peek()\fR the following return values can occur:
.IP "> 0" 4
.IX Item "> 0"
The read operation was successful.
The return value is the number of bytes actually read from the \s-1TLS/SSL\s0
connection.
.IP "<= 0" 4
.IX Item "<= 0"
The read operation was not successful, because either the connection was closed,
an error occurred or action must be taken by the calling process.
Call \fBSSL_get_error\fR\|(3) with the return value \fBret\fR to find out the reason.
.Sp
Old documentation indicated a difference between 0 and \-1, and that \-1 was
retryable.
You should instead call \fBSSL_get_error()\fR to find out if it's retryable.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_get_error\fR\|(3), \fBSSL_write_ex\fR\|(3),
\&\fBSSL_CTX_set_mode\fR\|(3), \fBSSL_CTX_new\fR\|(3),
\&\fBSSL_connect\fR\|(3), \fBSSL_accept\fR\|(3)
\&\fBSSL_set_connect_state\fR\|(3),
\&\fBSSL_pending\fR\|(3),
\&\fBSSL_shutdown\fR\|(3), \fBSSL_set_shutdown\fR\|(3),
\&\fBssl\fR\|(7), \fBbio\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_read_ex()\fR and \fBSSL_peek_ex()\fR functions were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_read_early_data.3 b/secure/lib/libcrypto/man/man3/SSL_read_early_data.3
index fe0de2f82f7d..5016759f7b0f 100644
--- a/secure/lib/libcrypto/man/man3/SSL_read_early_data.3
+++ b/secure/lib/libcrypto/man/man3/SSL_read_early_data.3
@@ -1,481 +1,481 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_READ_EARLY_DATA 3"
-.TH SSL_READ_EARLY_DATA 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_READ_EARLY_DATA 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_set_max_early_data, SSL_CTX_set_max_early_data, SSL_get_max_early_data, SSL_CTX_get_max_early_data, SSL_set_recv_max_early_data, SSL_CTX_set_recv_max_early_data, SSL_get_recv_max_early_data, SSL_CTX_get_recv_max_early_data, SSL_SESSION_get_max_early_data, SSL_SESSION_set_max_early_data, SSL_write_early_data, SSL_read_early_data, SSL_get_early_data_status, SSL_allow_early_data_cb_fn, SSL_CTX_set_allow_early_data_cb, SSL_set_allow_early_data_cb \&\- functions for sending and receiving early data
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data);
\& uint32_t SSL_CTX_get_max_early_data(const SSL_CTX *ctx);
\& int SSL_set_max_early_data(SSL *s, uint32_t max_early_data);
\& uint32_t SSL_get_max_early_data(const SSL *s);
\&
\& int SSL_CTX_set_recv_max_early_data(SSL_CTX *ctx, uint32_t recv_max_early_data);
\& uint32_t SSL_CTX_get_recv_max_early_data(const SSL_CTX *ctx);
\& int SSL_set_recv_max_early_data(SSL *s, uint32_t recv_max_early_data);
\& uint32_t SSL_get_recv_max_early_data(const SSL *s);
\&
\& uint32_t SSL_SESSION_get_max_early_data(const SSL_SESSION *s);
\& int SSL_SESSION_set_max_early_data(SSL_SESSION *s, uint32_t max_early_data);
\&
\& int SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written);
\&
\& int SSL_read_early_data(SSL *s, void *buf, size_t num, size_t *readbytes);
\&
\& int SSL_get_early_data_status(const SSL *s);
\&
\&
\& typedef int (*SSL_allow_early_data_cb_fn)(SSL *s, void *arg);
\&
\& void SSL_CTX_set_allow_early_data_cb(SSL_CTX *ctx,
\& SSL_allow_early_data_cb_fn cb,
\& void *arg);
\& void SSL_set_allow_early_data_cb(SSL *s,
\& SSL_allow_early_data_cb_fn cb,
\& void *arg);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions are used to send and receive early data where TLSv1.3 has been
negotiated. Early data can be sent by the client immediately after its initial
ClientHello without having to wait for the server to complete the handshake.
Early data can be sent if a session has previously been established with the
server or when establishing a new session using an out-of-band \s-1PSK,\s0 and only
when the server is known to support it. Additionally these functions can be used
to send data from the server to the client when the client has not yet completed
the authentication stage of the handshake.
.PP
Early data has weaker security properties than other data sent over an \s-1SSL/TLS\s0
connection. In particular the data does not have forward secrecy. There are also
additional considerations around replay attacks (see \*(L"\s-1REPLAY PROTECTION\*(R"\s0
below). For these reasons extreme care should be exercised when using early
data. For specific details, consult the \s-1TLS 1.3\s0 specification.
.PP
When a server receives early data it may opt to immediately respond by sending
application data back to the client. Data sent by the server at this stage is
done before the full handshake has been completed. Specifically the client's
authentication messages have not yet been received, i.e. the client is
unauthenticated at this point and care should be taken when using this
capability.
.PP
A server or client can determine whether the full handshake has been completed
or not by calling \fBSSL_is_init_finished\fR\|(3).
.PP
On the client side, the function \fBSSL_SESSION_get_max_early_data()\fR can be used to
determine if a session established with a server can be used to send early data.
If the session cannot be used then this function will return 0. Otherwise it
will return the maximum number of early data bytes that can be sent.
.PP
The function \fBSSL_SESSION_set_max_early_data()\fR sets the maximum number of early
data bytes that can be sent for a session. This would typically be used when
creating a \s-1PSK\s0 session file (see \fBSSL_CTX_set_psk_use_session_callback\fR\|(3)). If
using a ticket based \s-1PSK\s0 then this is set automatically to the value provided by
the server.
.PP
A client uses the function \fBSSL_write_early_data()\fR to send early data. This
function is similar to the \fBSSL_write_ex\fR\|(3) function, but with the following
differences. See \fBSSL_write_ex\fR\|(3) for information on how to write bytes to
the underlying connection, and how to handle any errors that may arise. This
page describes the differences between \fBSSL_write_early_data()\fR and
\&\fBSSL_write_ex\fR\|(3).
.PP
When called by a client, \fBSSL_write_early_data()\fR must be the first \s-1IO\s0 function
called on a new connection, i.e. it must occur before any calls to
\&\fBSSL_write_ex\fR\|(3), \fBSSL_read_ex\fR\|(3), \fBSSL_connect\fR\|(3), \fBSSL_do_handshake\fR\|(3)
or other similar functions. It may be called multiple times to stream data to
the server, but the total number of bytes written must not exceed the value
returned from \fBSSL_SESSION_get_max_early_data()\fR. Once the initial
\&\fBSSL_write_early_data()\fR call has completed successfully the client may interleave
calls to \fBSSL_read_ex\fR\|(3) and \fBSSL_read\fR\|(3) with calls to
\&\fBSSL_write_early_data()\fR as required.
.PP
If \fBSSL_write_early_data()\fR fails you should call \fBSSL_get_error\fR\|(3) to determine
the correct course of action, as for \fBSSL_write_ex\fR\|(3).
.PP
When the client no longer wishes to send any more early data then it should
complete the handshake by calling a function such as \fBSSL_connect\fR\|(3) or
\&\fBSSL_do_handshake\fR\|(3). Alternatively you can call a standard write function
such as \fBSSL_write_ex\fR\|(3), which will transparently complete the connection and
write the requested data.
.PP
A server may choose to ignore early data that has been sent to it. Once the
connection has been completed you can determine whether the server accepted or
rejected the early data by calling \fBSSL_get_early_data_status()\fR. This will return
\&\s-1SSL_EARLY_DATA_ACCEPTED\s0 if the data was accepted, \s-1SSL_EARLY_DATA_REJECTED\s0 if it
was rejected or \s-1SSL_EARLY_DATA_NOT_SENT\s0 if no early data was sent. This function
may be called by either the client or the server.
.PP
A server uses the \fBSSL_read_early_data()\fR function to receive early data on a
connection for which early data has been enabled using
\&\fBSSL_CTX_set_max_early_data()\fR or \fBSSL_set_max_early_data()\fR. As for
\&\fBSSL_write_early_data()\fR, this must be the first \s-1IO\s0 function
called on a connection, i.e. it must occur before any calls to
\&\fBSSL_write_ex\fR\|(3), \fBSSL_read_ex\fR\|(3), \fBSSL_accept\fR\|(3), \fBSSL_do_handshake\fR\|(3),
or other similar functions.
.PP
\&\fBSSL_read_early_data()\fR is similar to \fBSSL_read_ex\fR\|(3) with the following
differences. Refer to \fBSSL_read_ex\fR\|(3) for full details.
.PP
\&\fBSSL_read_early_data()\fR may return 3 possible values:
.IP "\s-1SSL_READ_EARLY_DATA_ERROR\s0" 4
.IX Item "SSL_READ_EARLY_DATA_ERROR"
This indicates an \s-1IO\s0 or some other error occurred. This should be treated in the
same way as a 0 return value from \fBSSL_read_ex\fR\|(3).
.IP "\s-1SSL_READ_EARLY_DATA_SUCCESS\s0" 4
.IX Item "SSL_READ_EARLY_DATA_SUCCESS"
This indicates that early data was successfully read. This should be treated in
the same way as a 1 return value from \fBSSL_read_ex\fR\|(3). You should continue to
call \fBSSL_read_early_data()\fR to read more data.
.IP "\s-1SSL_READ_EARLY_DATA_FINISH\s0" 4
.IX Item "SSL_READ_EARLY_DATA_FINISH"
This indicates that no more early data can be read. It may be returned on the
first call to \fBSSL_read_early_data()\fR if the client has not sent any early data,
or if the early data was rejected.
.PP
Once the initial \fBSSL_read_early_data()\fR call has completed successfully (i.e. it
has returned \s-1SSL_READ_EARLY_DATA_SUCCESS\s0 or \s-1SSL_READ_EARLY_DATA_FINISH\s0) then the
server may choose to write data immediately to the unauthenticated client using
\&\fBSSL_write_early_data()\fR. If \fBSSL_read_early_data()\fR returned
\&\s-1SSL_READ_EARLY_DATA_FINISH\s0 then in some situations (e.g. if the client only
supports TLSv1.2) the handshake may have already been completed and calls
to \fBSSL_write_early_data()\fR are not allowed. Call \fBSSL_is_init_finished\fR\|(3) to
determine whether the handshake has completed or not. If the handshake is still
in progress then the server may interleave calls to \fBSSL_write_early_data()\fR with
calls to \fBSSL_read_early_data()\fR as required.
.PP
Servers must not call \fBSSL_read_ex\fR\|(3), \fBSSL_read\fR\|(3), \fBSSL_write_ex\fR\|(3) or
\&\fBSSL_write\fR\|(3) until \fBSSL_read_early_data()\fR has returned with
\&\s-1SSL_READ_EARLY_DATA_FINISH.\s0 Once it has done so the connection to the client
still needs to be completed. Complete the connection by calling a function such
as \fBSSL_accept\fR\|(3) or \fBSSL_do_handshake\fR\|(3). Alternatively you can call a
standard read function such as \fBSSL_read_ex\fR\|(3), which will transparently
complete the connection and read the requested data. Note that it is an error to
attempt to complete the connection before \fBSSL_read_early_data()\fR has returned
\&\s-1SSL_READ_EARLY_DATA_FINISH.\s0
.PP
Only servers may call \fBSSL_read_early_data()\fR.
.PP
Calls to \fBSSL_read_early_data()\fR may, in certain circumstances, complete the
connection immediately without further need to call a function such as
\&\fBSSL_accept\fR\|(3). This can happen if the client is using a protocol version less
than TLSv1.3. Applications can test for this by calling
\&\fBSSL_is_init_finished\fR\|(3). Alternatively, applications may choose to call
\&\fBSSL_accept\fR\|(3) anyway. Such a call will successfully return immediately with no
further action taken.
.PP
When a session is created between a server and a client the server will specify
the maximum amount of any early data that it will accept on any future
connection attempt. By default the server does not accept early data; a
server may indicate support for early data by calling
\&\fBSSL_CTX_set_max_early_data()\fR or
\&\fBSSL_set_max_early_data()\fR to set it for the whole \s-1SSL_CTX\s0 or an individual \s-1SSL\s0
object respectively. The \fBmax_early_data\fR parameter specifies the maximum
amount of early data in bytes that is permitted to be sent on a single
connection. Similarly the \fBSSL_CTX_get_max_early_data()\fR and
\&\fBSSL_get_max_early_data()\fR functions can be used to obtain the current maximum
early data settings for the \s-1SSL_CTX\s0 and \s-1SSL\s0 objects respectively. Generally a
server application will either use both of \fBSSL_read_early_data()\fR and
\&\fBSSL_CTX_set_max_early_data()\fR (or \fBSSL_set_max_early_data()\fR), or neither of them,
since there is no practical benefit from using only one of them. If the maximum
early data setting for a server is nonzero then replay protection is
automatically enabled (see \*(L"\s-1REPLAY PROTECTION\*(R"\s0 below).
.PP
If the server rejects the early data sent by a client then it will skip over
the data that is sent. The maximum amount of received early data that is skipped
is controlled by the recv_max_early_data setting. If a client sends more than
this then the connection will abort. This value can be set by calling
\&\fBSSL_CTX_set_recv_max_early_data()\fR or \fBSSL_set_recv_max_early_data()\fR. The current
value for this setting can be obtained by calling
\&\fBSSL_CTX_get_recv_max_early_data()\fR or \fBSSL_get_recv_max_early_data()\fR. The default
value for this setting is 16,384 bytes.
.PP
The recv_max_early_data value also has an impact on early data that is accepted.
The amount of data that is accepted will always be the lower of the
max_early_data for the session and the recv_max_early_data setting for the
server. If a client sends more data than this then the connection will abort.
.PP
The configured value for max_early_data on a server may change over time as
required. However, clients may have tickets containing the previously configured
max_early_data value. The recv_max_early_data should always be equal to or
higher than any recently configured max_early_data value in order to avoid
aborted connections. The recv_max_early_data should never be set to less than
the current configured max_early_data value.
.PP
Some server applications may wish to have more control over whether early data
is accepted or not, for example to mitigate replay risks (see \*(L"\s-1REPLAY PROTECTION\*(R"\s0
below) or to decline early_data when the server is heavily loaded. The functions
\&\fBSSL_CTX_set_allow_early_data_cb()\fR and \fBSSL_set_allow_early_data_cb()\fR set a
callback which is called at a point in the handshake immediately before a
decision is made to accept or reject early data. The callback is provided with a
pointer to the user data argument that was provided when the callback was first
set. Returning 1 from the callback will allow early data and returning 0 will
reject it. Note that the OpenSSL library may reject early data for other reasons
in which case this callback will not get called. Notably, the built-in replay
protection feature will still be used even if a callback is present unless it
has been explicitly disabled using the \s-1SSL_OP_NO_ANTI_REPLAY\s0 option. See
\&\*(L"\s-1REPLAY PROTECTION\*(R"\s0 below.
.SH "NOTES"
.IX Header "NOTES"
The whole purpose of early data is to enable a client to start sending data to
the server before a full round trip of network traffic has occurred. Application
developers should ensure they consider optimisation of the underlying \s-1TCP\s0 socket
to obtain a performant solution. For example Nagle's algorithm is commonly used
by operating systems in an attempt to avoid lots of small \s-1TCP\s0 packets. In many
scenarios this is beneficial for performance, but it does not work well with the
early data solution as implemented in OpenSSL. In Nagle's algorithm the \s-1OS\s0 will
buffer outgoing \s-1TCP\s0 data if a \s-1TCP\s0 packet has already been sent which we have not
yet received an \s-1ACK\s0 for from the peer. The buffered data will only be
transmitted if enough data to fill an entire \s-1TCP\s0 packet is accumulated, or if
the \s-1ACK\s0 is received from the peer. The initial ClientHello will be sent in the
first \s-1TCP\s0 packet along with any data from the first call to
\&\fBSSL_write_early_data()\fR. If the amount of data written will exceed the size of a
single \s-1TCP\s0 packet, or if there are more calls to \fBSSL_write_early_data()\fR then
that additional data will be sent in subsequent \s-1TCP\s0 packets which will be
buffered by the \s-1OS\s0 and not sent until an \s-1ACK\s0 is received for the first packet
containing the ClientHello. This means the early data is not actually
sent until a complete round trip with the server has occurred which defeats the
objective of early data.
.PP
In many operating systems the \s-1TCP_NODELAY\s0 socket option is available to disable
Nagle's algorithm. If an application opts to disable Nagle's algorithm
consideration should be given to turning it back on again after the handshake is
complete if appropriate.
.PP
In rare circumstances, it may be possible for a client to have a session that
reports a max early data value greater than 0, but where the server does not
support this. For example, this can occur if a server has had its configuration
changed to accept a lower max early data value such as by calling
\&\fBSSL_CTX_set_recv_max_early_data()\fR. Another example is if a server used to
support TLSv1.3 but was later downgraded to TLSv1.2. Sending early data to such
a server will cause the connection to abort. Clients that encounter an aborted
connection while sending early data may want to retry the connection without
sending early data as this does not happen automatically. A client will have to
establish a new transport layer connection to the server and attempt the \s-1SSL/TLS\s0
connection again but without sending early data. Note that it is inadvisable to
retry with a lower maximum protocol version.
.SH "REPLAY PROTECTION"
.IX Header "REPLAY PROTECTION"
When early data is in use the \s-1TLS\s0 protocol provides no security guarantees that
the same early data was not replayed across multiple connections. As a
mitigation for this issue OpenSSL automatically enables replay protection if the
server is configured with a nonzero max early data value. With replay
protection enabled sessions are forced to be single use only. If a client
attempts to reuse a session ticket more than once, then the second and
subsequent attempts will fall back to a full handshake (and any early data that
was submitted will be ignored). Note that single use tickets are enforced even
if a client does not send any early data.
.PP
The replay protection mechanism relies on the internal OpenSSL server session
cache (see \fBSSL_CTX_set_session_cache_mode\fR\|(3)). When replay protection is
being used the server will operate as if the \s-1SSL_OP_NO_TICKET\s0 option had been
selected (see \fBSSL_CTX_set_options\fR\|(3)). Sessions will be added to the cache
whenever a session ticket is issued. When a client attempts to resume the
session, OpenSSL will check for its presence in the internal cache. If it exists
then the resumption is allowed and the session is removed from the cache. If it
does not exist then the resumption is not allowed and a full handshake will
occur.
.PP
Note that some applications may maintain an external cache of sessions (see
\&\fBSSL_CTX_sess_set_new_cb\fR\|(3) and similar functions). It is the application's
responsibility to ensure that any sessions in the external cache are also
populated in the internal cache and that once removed from the internal cache
they are similarly removed from the external cache. Failing to do this could
result in an application becoming vulnerable to replay attacks. Note that
OpenSSL will lock the internal cache while a session is removed but that lock is
not held when the remove session callback (see \fBSSL_CTX_sess_set_remove_cb\fR\|(3))
is called. This could result in a small amount of time where the session has
been removed from the internal cache but is still available in the external
cache. Applications should be designed with this in mind in order to minimise
the possibility of replay attacks.
.PP
The OpenSSL replay protection does not apply to external Pre Shared Keys (PSKs)
(e.g. see \fBSSL_CTX_set_psk_find_session_callback\fR\|(3)). Therefore, extreme caution
should be applied when combining external PSKs with early data.
.PP
Some applications may mitigate the replay risks in other ways. For those
applications it is possible to turn off the built-in replay protection feature
using the \fB\s-1SSL_OP_NO_ANTI_REPLAY\s0\fR option. See \fBSSL_CTX_set_options\fR\|(3) for
details. Applications can also set a callback to make decisions about accepting
early data or not. See \fBSSL_CTX_set_allow_early_data_cb()\fR above for details.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_write_early_data()\fR returns 1 for success or 0 for failure. In the event of a
failure call \fBSSL_get_error\fR\|(3) to determine the correct course of action.
.PP
\&\fBSSL_read_early_data()\fR returns \s-1SSL_READ_EARLY_DATA_ERROR\s0 for failure,
\&\s-1SSL_READ_EARLY_DATA_SUCCESS\s0 for success with more data to read and
\&\s-1SSL_READ_EARLY_DATA_FINISH\s0 for success with no more to data be read. In the
event of a failure call \fBSSL_get_error\fR\|(3) to determine the correct course of
action.
.PP
\&\fBSSL_get_max_early_data()\fR, \fBSSL_CTX_get_max_early_data()\fR and
\&\fBSSL_SESSION_get_max_early_data()\fR return the maximum number of early data bytes
that may be sent.
.PP
\&\fBSSL_set_max_early_data()\fR, \fBSSL_CTX_set_max_early_data()\fR and
\&\fBSSL_SESSION_set_max_early_data()\fR return 1 for success or 0 for failure.
.PP
\&\fBSSL_get_early_data_status()\fR returns \s-1SSL_EARLY_DATA_ACCEPTED\s0 if early data was
accepted by the server, \s-1SSL_EARLY_DATA_REJECTED\s0 if early data was rejected by
the server, or \s-1SSL_EARLY_DATA_NOT_SENT\s0 if no early data was sent.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_get_error\fR\|(3),
\&\fBSSL_write_ex\fR\|(3),
\&\fBSSL_read_ex\fR\|(3),
\&\fBSSL_connect\fR\|(3),
\&\fBSSL_accept\fR\|(3),
\&\fBSSL_do_handshake\fR\|(3),
\&\fBSSL_CTX_set_psk_use_session_callback\fR\|(3),
\&\fBssl\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
All of the functions described above were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_rstate_string.3 b/secure/lib/libcrypto/man/man3/SSL_rstate_string.3
index 39ecf21d4e9c..392c8256aa15 100644
--- a/secure/lib/libcrypto/man/man3/SSL_rstate_string.3
+++ b/secure/lib/libcrypto/man/man3/SSL_rstate_string.3
@@ -1,195 +1,195 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_RSTATE_STRING 3"
-.TH SSL_RSTATE_STRING 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_RSTATE_STRING 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_rstate_string, SSL_rstate_string_long \- get textual description of state of an SSL object during read operation
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& const char *SSL_rstate_string(SSL *ssl);
\& const char *SSL_rstate_string_long(SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_rstate_string()\fR returns a 2 letter string indicating the current read state
of the \s-1SSL\s0 object \fBssl\fR.
.PP
\&\fBSSL_rstate_string_long()\fR returns a string indicating the current read state of
the \s-1SSL\s0 object \fBssl\fR.
.SH "NOTES"
.IX Header "NOTES"
When performing a read operation, the \s-1SSL/TLS\s0 engine must parse the record,
consisting of header and body. When working in a blocking environment,
SSL_rstate_string[_long]() should always return \*(L"\s-1RD\*(R"/\s0\*(L"read done\*(R".
.PP
This function should only seldom be needed in applications.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_rstate_string()\fR and \fBSSL_rstate_string_long()\fR can return the following
values:
.ie n .IP """\s-1RH""/\s0""read header""" 4
.el .IP "``\s-1RH''/\s0``read header''" 4
.IX Item "RH/read header"
The header of the record is being evaluated.
.ie n .IP """\s-1RB""/\s0""read body""" 4
.el .IP "``\s-1RB''/\s0``read body''" 4
.IX Item "RB/read body"
The body of the record is being evaluated.
.ie n .IP """\s-1RD""/\s0""read done""" 4
.el .IP "``\s-1RD''/\s0``read done''" 4
.IX Item "RD/read done"
The record has been completely processed.
.ie n .IP """unknown""/""unknown""" 4
.el .IP "``unknown''/``unknown''" 4
.IX Item "unknown/unknown"
The read state is unknown. This should never happen.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_session_reused.3 b/secure/lib/libcrypto/man/man3/SSL_session_reused.3
index 37374bcfecdb..622902978b10 100644
--- a/secure/lib/libcrypto/man/man3/SSL_session_reused.3
+++ b/secure/lib/libcrypto/man/man3/SSL_session_reused.3
@@ -1,178 +1,178 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SESSION_REUSED 3"
-.TH SSL_SESSION_REUSED 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_SESSION_REUSED 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_session_reused \- query whether a reused session was negotiated during handshake
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_session_reused(const SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Query, whether a reused session was negotiated during the handshake.
.SH "NOTES"
.IX Header "NOTES"
During the negotiation, a client can propose to reuse a session. The server
then looks up the session in its cache. If both client and server agree
on the session, it will be reused and a flag is being set that can be
queried by the application.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
.IP "0" 4
A new session was negotiated.
.IP "1" 4
.IX Item "1"
A session was reused.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_set_session\fR\|(3),
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_set1_host.3 b/secure/lib/libcrypto/man/man3/SSL_set1_host.3
index 7224f837b5ed..b16c0e65372a 100644
--- a/secure/lib/libcrypto/man/man3/SSL_set1_host.3
+++ b/secure/lib/libcrypto/man/man3/SSL_set1_host.3
@@ -1,249 +1,249 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SET1_HOST 3"
-.TH SSL_SET1_HOST 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_SET1_HOST 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_set1_host, SSL_add1_host, SSL_set_hostflags, SSL_get0_peername \- SSL server verification parameters
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_set1_host(SSL *s, const char *hostname);
\& int SSL_add1_host(SSL *s, const char *hostname);
\& void SSL_set_hostflags(SSL *s, unsigned int flags);
\& const char *SSL_get0_peername(SSL *s);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions configure server hostname checks in the \s-1SSL\s0 client.
.PP
\&\fBSSL_set1_host()\fR sets the expected \s-1DNS\s0 hostname to \fBname\fR clearing
any previously specified hostname or names. If \fBname\fR is \s-1NULL,\s0
or the empty string the list of hostnames is cleared, and name
checks are not performed on the peer certificate. When a nonempty
\&\fBname\fR is specified, certificate verification automatically checks
the peer hostname via \fBX509_check_host\fR\|(3) with \fBflags\fR as specified
via \fBSSL_set_hostflags()\fR. Clients that enable \s-1DANE TLSA\s0 authentication
via \fBSSL_dane_enable\fR\|(3) should leave it to that function to set
the primary reference identifier of the peer, and should not call
\&\fBSSL_set1_host()\fR.
.PP
\&\fBSSL_add1_host()\fR adds \fBname\fR as an additional reference identifier
that can match the peer's certificate. Any previous names set via
\&\fBSSL_set1_host()\fR or \fBSSL_add1_host()\fR are retained, no change is made
if \fBname\fR is \s-1NULL\s0 or empty. When multiple names are configured,
the peer is considered verified when any name matches. This function
is required for \s-1DANE TLSA\s0 in the presence of service name indirection
via \s-1CNAME, MX\s0 or \s-1SRV\s0 records as specified in \s-1RFC7671, RFC7672\s0 or
\&\s-1RFC7673.\s0
.PP
\&\fBSSL_set_hostflags()\fR sets the \fBflags\fR that will be passed to
\&\fBX509_check_host\fR\|(3) when name checks are applicable, by default
the \fBflags\fR value is 0. See \fBX509_check_host\fR\|(3) for the list
of available flags and their meaning.
.PP
\&\fBSSL_get0_peername()\fR returns the \s-1DNS\s0 hostname or subject CommonName
from the peer certificate that matched one of the reference
identifiers. When wildcard matching is not disabled, the name
matched in the peer certificate may be a wildcard name. When one
of the reference identifiers configured via \fBSSL_set1_host()\fR or
\&\fBSSL_add1_host()\fR starts with \*(L".\*(R", which indicates a parent domain prefix
rather than a fixed name, the matched peer name may be a sub-domain
of the reference identifier. The returned string is allocated by
the library and is no longer valid once the associated \fBssl\fR handle
is cleared or freed, or a renegotiation takes place. Applications
must not free the return value.
.PP
\&\s-1SSL\s0 clients are advised to use these functions in preference to
explicitly calling \fBX509_check_host\fR\|(3). Hostname checks may be out
of scope with the \s-1RFC7671 \fBDANE\-EE\s0\fR\|(3) certificate usage, and the
internal check will be suppressed as appropriate when \s-1DANE\s0 is
enabled.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_set1_host()\fR and \fBSSL_add1_host()\fR return 1 for success and 0 for
failure.
.PP
\&\fBSSL_get0_peername()\fR returns \s-1NULL\s0 if peername verification is not
applicable (as with \s-1RFC7671 \fBDANE\-EE\s0\fR\|(3)), or no trusted peername was
matched. Otherwise, it returns the matched peername. To determine
whether verification succeeded call \fBSSL_get_verify_result\fR\|(3).
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Suppose \*(L"smtp.example.com\*(R" is the \s-1MX\s0 host of the domain \*(L"example.com\*(R".
The calls below will arrange to match either the \s-1MX\s0 hostname or the
destination domain name in the \s-1SMTP\s0 server certificate. Wildcards
are supported, but must match the entire label. The actual name
matched in the certificate (which might be a wildcard) is retrieved,
and must be copied by the application if it is to be retained beyond
the lifetime of the \s-1SSL\s0 connection.
.PP
.Vb 5
\& SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
\& if (!SSL_set1_host(ssl, "smtp.example.com"))
\& /* error */
\& if (!SSL_add1_host(ssl, "example.com"))
\& /* error */
\&
\& /* XXX: Perform SSL_connect() handshake and handle errors here */
\&
\& if (SSL_get_verify_result(ssl) == X509_V_OK) {
\& const char *peername = SSL_get0_peername(ssl);
\&
\& if (peername != NULL)
\& /* Name checks were in scope and matched the peername */
\& }
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_check_host\fR\|(3),
\&\fBSSL_get_verify_result\fR\|(3).
\&\fBSSL_dane_enable\fR\|(3).
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_set_bio.3 b/secure/lib/libcrypto/man/man3/SSL_set_bio.3
index 338250c89604..6f30f36bb992 100644
--- a/secure/lib/libcrypto/man/man3/SSL_set_bio.3
+++ b/secure/lib/libcrypto/man/man3/SSL_set_bio.3
@@ -1,227 +1,227 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SET_BIO 3"
-.TH SSL_SET_BIO 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_SET_BIO 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_set_bio, SSL_set0_rbio, SSL_set0_wbio \- connect the SSL object with a BIO
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio);
\& void SSL_set0_rbio(SSL *s, BIO *rbio);
\& void SSL_set0_wbio(SSL *s, BIO *wbio);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_set0_rbio()\fR connects the \s-1BIO\s0 \fBrbio\fR for the read operations of the \fBssl\fR
object. The \s-1SSL\s0 engine inherits the behaviour of \fBrbio\fR. If the \s-1BIO\s0 is
nonblocking then the \fBssl\fR object will also have nonblocking behaviour. This
function transfers ownership of \fBrbio\fR to \fBssl\fR. It will be automatically
freed using \fBBIO_free_all\fR\|(3) when the \fBssl\fR is freed. On calling this
function, any existing \fBrbio\fR that was previously set will also be freed via a
call to \fBBIO_free_all\fR\|(3) (this includes the case where the \fBrbio\fR is set to
the same value as previously).
.PP
\&\fBSSL_set0_wbio()\fR works in the same as \fBSSL_set0_rbio()\fR except that it connects
the \s-1BIO\s0 \fBwbio\fR for the write operations of the \fBssl\fR object. Note that if the
rbio and wbio are the same then \fBSSL_set0_rbio()\fR and \fBSSL_set0_wbio()\fR each take
ownership of one reference. Therefore, it may be necessary to increment the
number of references available using \fBBIO_up_ref\fR\|(3) before calling the set0
functions.
.PP
\&\fBSSL_set_bio()\fR is similar to \fBSSL_set0_rbio()\fR and \fBSSL_set0_wbio()\fR except
that it connects both the \fBrbio\fR and the \fBwbio\fR at the same time, and
transfers the ownership of \fBrbio\fR and \fBwbio\fR to \fBssl\fR according to
the following set of rules:
.IP "\(bu" 2
If neither the \fBrbio\fR or \fBwbio\fR have changed from their previous values
then nothing is done.
.IP "\(bu" 2
If the \fBrbio\fR and \fBwbio\fR parameters are different and both are different
to their
previously set values then one reference is consumed for the rbio and one
reference is consumed for the wbio.
.IP "\(bu" 2
If the \fBrbio\fR and \fBwbio\fR parameters are the same and the \fBrbio\fR is not
the same as the previously set value then one reference is consumed.
.IP "\(bu" 2
If the \fBrbio\fR and \fBwbio\fR parameters are the same and the \fBrbio\fR is the
same as the previously set value, then no additional references are consumed.
.IP "\(bu" 2
If the \fBrbio\fR and \fBwbio\fR parameters are different and the \fBrbio\fR is the
same as the
previously set value then one reference is consumed for the \fBwbio\fR and no
references are consumed for the \fBrbio\fR.
.IP "\(bu" 2
If the \fBrbio\fR and \fBwbio\fR parameters are different and the \fBwbio\fR is the
same as the previously set value and the old \fBrbio\fR and \fBwbio\fR values
were the same as each other then one reference is consumed for the \fBrbio\fR
and no references are consumed for the \fBwbio\fR.
.IP "\(bu" 2
If the \fBrbio\fR and \fBwbio\fR parameters are different and the \fBwbio\fR
is the same as the
previously set value and the old \fBrbio\fR and \fBwbio\fR values were different
to each
other then one reference is consumed for the \fBrbio\fR and one reference
is consumed
for the \fBwbio\fR.
.PP
Because of this complexity, this function should be avoided;
use \fBSSL_set0_rbio()\fR and \fBSSL_set0_wbio()\fR instead.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_set_bio()\fR, \fBSSL_set0_rbio()\fR and \fBSSL_set0_wbio()\fR cannot fail.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_get_rbio\fR\|(3),
\&\fBSSL_connect\fR\|(3), \fBSSL_accept\fR\|(3),
\&\fBSSL_shutdown\fR\|(3), \fBssl\fR\|(7), \fBbio\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBSSL_set0_rbio()\fR and \fBSSL_set0_wbio()\fR were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_set_connect_state.3 b/secure/lib/libcrypto/man/man3/SSL_set_connect_state.3
index 60a54db4a7c9..f2f9f9aab03f 100644
--- a/secure/lib/libcrypto/man/man3/SSL_set_connect_state.3
+++ b/secure/lib/libcrypto/man/man3/SSL_set_connect_state.3
@@ -1,207 +1,207 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SET_CONNECT_STATE 3"
-.TH SSL_SET_CONNECT_STATE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_SET_CONNECT_STATE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_set_connect_state, SSL_set_accept_state, SSL_is_server \&\- functions for manipulating and examining the client or server mode of an SSL object
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_set_connect_state(SSL *ssl);
\&
\& void SSL_set_accept_state(SSL *ssl);
\&
\& int SSL_is_server(const SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_set_connect_state()\fR sets \fBssl\fR to work in client mode.
.PP
\&\fBSSL_set_accept_state()\fR sets \fBssl\fR to work in server mode.
.PP
\&\fBSSL_is_server()\fR checks if \fBssl\fR is working in server mode.
.SH "NOTES"
.IX Header "NOTES"
When the \s-1SSL_CTX\s0 object was created with \fBSSL_CTX_new\fR\|(3),
it was either assigned a dedicated client method, a dedicated server
method, or a generic method, that can be used for both client and
server connections. (The method might have been changed with
\&\fBSSL_CTX_set_ssl_version\fR\|(3) or
\&\fBSSL_set_ssl_method\fR\|(3).)
.PP
When beginning a new handshake, the \s-1SSL\s0 engine must know whether it must
call the connect (client) or accept (server) routines. Even though it may
be clear from the method chosen, whether client or server mode was
requested, the handshake routines must be explicitly set.
.PP
When using the \fBSSL_connect\fR\|(3) or
\&\fBSSL_accept\fR\|(3) routines, the correct handshake
routines are automatically set. When performing a transparent negotiation
using \fBSSL_write_ex\fR\|(3), \fBSSL_write\fR\|(3), \fBSSL_read_ex\fR\|(3), or \fBSSL_read\fR\|(3),
the handshake routines must be explicitly set in advance using either
\&\fBSSL_set_connect_state()\fR or \fBSSL_set_accept_state()\fR.
.PP
If \fBSSL_is_server()\fR is called before \fBSSL_set_connect_state()\fR or
\&\fBSSL_set_accept_state()\fR is called (either automatically or explicitly),
the result depends on what method was used when \s-1SSL_CTX\s0 was created with
\&\fBSSL_CTX_new\fR\|(3). If a generic method or a dedicated server method was
passed to \fBSSL_CTX_new\fR\|(3), \fBSSL_is_server()\fR returns 1; otherwise, it returns 0.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_set_connect_state()\fR and \fBSSL_set_accept_state()\fR do not return diagnostic
information.
.PP
\&\fBSSL_is_server()\fR returns 1 if \fBssl\fR is working in server mode or 0 for client mode.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_new\fR\|(3), \fBSSL_CTX_new\fR\|(3),
\&\fBSSL_connect\fR\|(3), \fBSSL_accept\fR\|(3),
\&\fBSSL_write_ex\fR\|(3), \fBSSL_write\fR\|(3), \fBSSL_read_ex\fR\|(3), \fBSSL_read\fR\|(3),
\&\fBSSL_do_handshake\fR\|(3),
\&\fBSSL_CTX_set_ssl_version\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_set_fd.3 b/secure/lib/libcrypto/man/man3/SSL_set_fd.3
index 7d980ad09c75..02ab8e388e65 100644
--- a/secure/lib/libcrypto/man/man3/SSL_set_fd.3
+++ b/secure/lib/libcrypto/man/man3/SSL_set_fd.3
@@ -1,197 +1,197 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SET_FD 3"
-.TH SSL_SET_FD 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_SET_FD 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_set_fd, SSL_set_rfd, SSL_set_wfd \- connect the SSL object with a file descriptor
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_set_fd(SSL *ssl, int fd);
\& int SSL_set_rfd(SSL *ssl, int fd);
\& int SSL_set_wfd(SSL *ssl, int fd);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_set_fd()\fR sets the file descriptor \fBfd\fR as the input/output facility
for the \s-1TLS/SSL\s0 (encrypted) side of \fBssl\fR. \fBfd\fR will typically be the
socket file descriptor of a network connection.
.PP
When performing the operation, a \fBsocket \s-1BIO\s0\fR is automatically created to
interface between the \fBssl\fR and \fBfd\fR. The \s-1BIO\s0 and hence the \s-1SSL\s0 engine
inherit the behaviour of \fBfd\fR. If \fBfd\fR is nonblocking, the \fBssl\fR will
also have nonblocking behaviour.
.PP
If there was already a \s-1BIO\s0 connected to \fBssl\fR, \fBBIO_free()\fR will be called
(for both the reading and writing side, if different).
.PP
\&\fBSSL_set_rfd()\fR and \fBSSL_set_wfd()\fR perform the respective action, but only
for the read channel or the write channel, which can be set independently.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
.IP "0" 4
The operation failed. Check the error stack to find out why.
.IP "1" 4
.IX Item "1"
The operation succeeded.
.SH "NOTES"
.IX Header "NOTES"
On Windows, a socket handle is a 64\-bit data type (\s-1UINT_PTR\s0), which leads to a
compiler warning (conversion from '\s-1SOCKET\s0' to 'int', possible loss of data) when
passing the socket handle to SSL_set_*\fBfd()\fR. For the time being, this warning can
safely be ignored, because although the Microsoft documentation claims that the
upper limit is \s-1INVALID_SOCKET\-1\s0 (2^64 \- 2), in practice the current \fBsocket()\fR
implementation returns an index into the kernel handle table, the size of which
is limited to 2^24.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_get_fd\fR\|(3), \fBSSL_set_bio\fR\|(3),
\&\fBSSL_connect\fR\|(3), \fBSSL_accept\fR\|(3),
\&\fBSSL_shutdown\fR\|(3), \fBssl\fR\|(7) , \fBbio\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_set_session.3 b/secure/lib/libcrypto/man/man3/SSL_set_session.3
index bc535eadd25e..f3de8cc06041 100644
--- a/secure/lib/libcrypto/man/man3/SSL_set_session.3
+++ b/secure/lib/libcrypto/man/man3/SSL_set_session.3
@@ -1,194 +1,194 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SET_SESSION 3"
-.TH SSL_SET_SESSION 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_SET_SESSION 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_set_session \- set a TLS/SSL session to be used during TLS/SSL connect
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_set_session(SSL *ssl, SSL_SESSION *session);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_set_session()\fR sets \fBsession\fR to be used when the \s-1TLS/SSL\s0 connection
is to be established. \fBSSL_set_session()\fR is only useful for \s-1TLS/SSL\s0 clients.
When the session is set, the reference count of \fBsession\fR is incremented
by 1. If the session is not reused, the reference count is decremented
again during \fBSSL_connect()\fR. Whether the session was reused can be queried
with the \fBSSL_session_reused\fR\|(3) call.
.PP
If there is already a session set inside \fBssl\fR (because it was set with
\&\fBSSL_set_session()\fR before or because the same \fBssl\fR was already used for
a connection), \fBSSL_SESSION_free()\fR will be called for that session. If that old
session is still \fBopen\fR, it is considered bad and will be removed from the
session cache (if used). A session is considered open, if \fBSSL_shutdown\fR\|(3) was
not called for the connection (or at least \fBSSL_set_shutdown\fR\|(3) was used to
set the \s-1SSL_SENT_SHUTDOWN\s0 state).
.SH "NOTES"
.IX Header "NOTES"
\&\s-1SSL_SESSION\s0 objects keep internal link information about the session cache
list, when being inserted into one \s-1SSL_CTX\s0 object's session cache.
One \s-1SSL_SESSION\s0 object, regardless of its reference count, must therefore
only be used with one \s-1SSL_CTX\s0 object (and the \s-1SSL\s0 objects created
from this \s-1SSL_CTX\s0 object).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
.IP "0" 4
The operation failed; check the error stack to find out the reason.
.IP "1" 4
.IX Item "1"
The operation succeeded.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_SESSION_free\fR\|(3),
\&\fBSSL_get_session\fR\|(3),
\&\fBSSL_session_reused\fR\|(3),
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_set_shutdown.3 b/secure/lib/libcrypto/man/man3/SSL_set_shutdown.3
index f3e762f4d1e4..eefafcada09f 100644
--- a/secure/lib/libcrypto/man/man3/SSL_set_shutdown.3
+++ b/secure/lib/libcrypto/man/man3/SSL_set_shutdown.3
@@ -1,204 +1,204 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SET_SHUTDOWN 3"
-.TH SSL_SET_SHUTDOWN 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_SET_SHUTDOWN 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_set_shutdown, SSL_get_shutdown \- manipulate shutdown state of an SSL connection
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_set_shutdown(SSL *ssl, int mode);
\&
\& int SSL_get_shutdown(const SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_set_shutdown()\fR sets the shutdown state of \fBssl\fR to \fBmode\fR.
.PP
\&\fBSSL_get_shutdown()\fR returns the shutdown mode of \fBssl\fR.
.SH "NOTES"
.IX Header "NOTES"
The shutdown state of an ssl connection is a bit mask of:
.IP "0" 4
No shutdown setting, yet.
.IP "\s-1SSL_SENT_SHUTDOWN\s0" 4
.IX Item "SSL_SENT_SHUTDOWN"
A close_notify shutdown alert was sent to the peer, the connection is being
considered closed and the session is closed and correct.
.IP "\s-1SSL_RECEIVED_SHUTDOWN\s0" 4
.IX Item "SSL_RECEIVED_SHUTDOWN"
A shutdown alert was received form the peer, either a normal close_notify
or a fatal error.
.PP
\&\s-1SSL_SENT_SHUTDOWN\s0 and \s-1SSL_RECEIVED_SHUTDOWN\s0 can be set at the same time.
.PP
The shutdown state of the connection is used to determine the state of
the ssl session. If the session is still open, when
\&\fBSSL_clear\fR\|(3) or \fBSSL_free\fR\|(3) is called,
it is considered bad and removed according to \s-1RFC2246.\s0
The actual condition for a correctly closed session is \s-1SSL_SENT_SHUTDOWN\s0
(according to the \s-1TLS RFC,\s0 it is acceptable to only send the close_notify
alert but to not wait for the peer's answer, when the underlying connection
is closed).
\&\fBSSL_set_shutdown()\fR can be used to set this state without sending a
close alert to the peer (see \fBSSL_shutdown\fR\|(3)).
.PP
If a close_notify was received, \s-1SSL_RECEIVED_SHUTDOWN\s0 will be set,
for setting \s-1SSL_SENT_SHUTDOWN\s0 the application must however still call
\&\fBSSL_shutdown\fR\|(3) or \fBSSL_set_shutdown()\fR itself.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_set_shutdown()\fR does not return diagnostic information.
.PP
\&\fBSSL_get_shutdown()\fR returns the current setting.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_shutdown\fR\|(3),
\&\fBSSL_CTX_set_quiet_shutdown\fR\|(3),
\&\fBSSL_clear\fR\|(3), \fBSSL_free\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_set_verify_result.3 b/secure/lib/libcrypto/man/man3/SSL_set_verify_result.3
index 624155c0b0b2..3abdfa7311a9 100644
--- a/secure/lib/libcrypto/man/man3/SSL_set_verify_result.3
+++ b/secure/lib/libcrypto/man/man3/SSL_set_verify_result.3
@@ -1,178 +1,178 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SET_VERIFY_RESULT 3"
-.TH SSL_SET_VERIFY_RESULT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_SET_VERIFY_RESULT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_set_verify_result \- override result of peer certificate verification
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& void SSL_set_verify_result(SSL *ssl, long verify_result);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_set_verify_result()\fR sets \fBverify_result\fR of the object \fBssl\fR to be the
result of the verification of the X509 certificate presented by the peer,
if any.
.SH "NOTES"
.IX Header "NOTES"
\&\fBSSL_set_verify_result()\fR overrides the verification result. It only changes
the verification result of the \fBssl\fR object. It does not become part of the
established session, so if the session is to be reused later, the original
value will reappear.
.PP
The valid codes for \fBverify_result\fR are documented in \fBverify\fR\|(1).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_set_verify_result()\fR does not provide a return value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_get_verify_result\fR\|(3),
\&\fBSSL_get_peer_certificate\fR\|(3),
\&\fBverify\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_shutdown.3 b/secure/lib/libcrypto/man/man3/SSL_shutdown.3
index 9205677f0ba9..fd7d12706b54 100644
--- a/secure/lib/libcrypto/man/man3/SSL_shutdown.3
+++ b/secure/lib/libcrypto/man/man3/SSL_shutdown.3
@@ -1,299 +1,299 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_SHUTDOWN 3"
-.TH SSL_SHUTDOWN 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_SHUTDOWN 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_shutdown \- shut down a TLS/SSL connection
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_shutdown(SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_shutdown()\fR shuts down an active \s-1TLS/SSL\s0 connection. It sends the
close_notify shutdown alert to the peer.
.SH "NOTES"
.IX Header "NOTES"
\&\fBSSL_shutdown()\fR tries to send the close_notify shutdown alert to the peer.
Whether the operation succeeds or not, the \s-1SSL_SENT_SHUTDOWN\s0 flag is set and
a currently open session is considered closed and good and will be kept in the
session cache for further reuse.
.PP
Note that \fBSSL_shutdown()\fR must not be called if a previous fatal error has
occurred on a connection i.e. if \fBSSL_get_error()\fR has returned \s-1SSL_ERROR_SYSCALL\s0
or \s-1SSL_ERROR_SSL.\s0
.PP
The shutdown procedure consists of two steps: sending of the close_notify
shutdown alert, and reception of the peer's close_notify shutdown alert.
The order of those two steps depends on the application.
.PP
It is acceptable for an application to only send its shutdown alert and
then close the underlying connection without waiting for the peer's response.
This way resources can be saved, as the process can already terminate or
serve another connection.
This should only be done when it is known that the other side will not send more
data, otherwise there is a risk of a truncation attack.
.PP
When a client only writes and never reads from the connection, and the server
has sent a session ticket to establish a session, the client might not be able
to resume the session because it did not received and process the session ticket
from the server.
In case the application wants to be able to resume the session, it is recommended to
do a complete shutdown procedure (bidirectional close_notify alerts).
.PP
When the underlying connection shall be used for more communications, the
complete shutdown procedure must be performed, so that the peers stay
synchronized.
.PP
\&\fBSSL_shutdown()\fR only closes the write direction.
It is not possible to call \fBSSL_write()\fR after calling \fBSSL_shutdown()\fR.
The read direction is closed by the peer.
.SS "First to close the connection"
.IX Subsection "First to close the connection"
When the application is the first party to send the close_notify
alert, \fBSSL_shutdown()\fR will only send the alert and then set the
\&\s-1SSL_SENT_SHUTDOWN\s0 flag (so that the session is considered good and will
be kept in the cache).
If successful, \fBSSL_shutdown()\fR will return 0.
.PP
If a unidirectional shutdown is enough (the underlying connection shall be
closed anyway), this first successful call to \fBSSL_shutdown()\fR is sufficient.
.PP
In order to complete the bidirectional shutdown handshake, the peer needs
to send back a close_notify alert.
The \s-1SSL_RECEIVED_SHUTDOWN\s0 flag will be set after receiving and processing
it.
.PP
The peer is still allowed to send data after receiving the close_notify
event.
When it is done sending data, it will send the close_notify alert.
\&\fBSSL_read()\fR should be called until all data is received.
\&\fBSSL_read()\fR will indicate the end of the peer data by returning <= 0
and \fBSSL_get_error()\fR returning \s-1SSL_ERROR_ZERO_RETURN.\s0
.SS "Peer closes the connection"
.IX Subsection "Peer closes the connection"
If the peer already sent the close_notify alert \fBand\fR it was
already processed implicitly inside another function
(\fBSSL_read\fR\|(3)), the \s-1SSL_RECEIVED_SHUTDOWN\s0 flag is set.
\&\fBSSL_read()\fR will return <= 0 in that case, and \fBSSL_get_error()\fR will return
\&\s-1SSL_ERROR_ZERO_RETURN.\s0
\&\fBSSL_shutdown()\fR will send the close_notify alert, set the \s-1SSL_SENT_SHUTDOWN\s0
flag.
If successful, \fBSSL_shutdown()\fR will return 1.
.PP
Whether \s-1SSL_RECEIVED_SHUTDOWN\s0 is already set can be checked using the
\&\fBSSL_get_shutdown()\fR (see also \fBSSL_set_shutdown\fR\|(3) call.
.SH "NOTES"
.IX Header "NOTES"
The behaviour of \fBSSL_shutdown()\fR additionally depends on the underlying \s-1BIO.\s0
If the underlying \s-1BIO\s0 is \fBblocking\fR, \fBSSL_shutdown()\fR will only return once the
handshake step has been finished or an error occurred.
.PP
If the underlying \s-1BIO\s0 is \fBnonblocking\fR, \fBSSL_shutdown()\fR will also return
when the underlying \s-1BIO\s0 could not satisfy the needs of \fBSSL_shutdown()\fR
to continue the handshake. In this case a call to \fBSSL_get_error()\fR with the
return value of \fBSSL_shutdown()\fR will yield \fB\s-1SSL_ERROR_WANT_READ\s0\fR or
\&\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR. The calling process then must repeat the call after
taking appropriate action to satisfy the needs of \fBSSL_shutdown()\fR.
The action depends on the underlying \s-1BIO.\s0 When using a nonblocking socket,
nothing is to be done, but \fBselect()\fR can be used to check for the required
condition. When using a buffering \s-1BIO,\s0 like a \s-1BIO\s0 pair, data must be written
into or retrieved out of the \s-1BIO\s0 before being able to continue.
.PP
After \fBSSL_shutdown()\fR returned 0, it is possible to call \fBSSL_shutdown()\fR again
to wait for the peer's close_notify alert.
\&\fBSSL_shutdown()\fR will return 1 in that case.
However, it is recommended to wait for it using \fBSSL_read()\fR instead.
.PP
\&\fBSSL_shutdown()\fR can be modified to only set the connection to \*(L"shutdown\*(R"
state but not actually send the close_notify alert messages,
see \fBSSL_CTX_set_quiet_shutdown\fR\|(3).
When \*(L"quiet shutdown\*(R" is enabled, \fBSSL_shutdown()\fR will always succeed
and return 1.
Note that this is not standard compliant behaviour.
It should only be done when the peer has a way to make sure all
data has been received and doesn't wait for the close_notify alert
message, otherwise an unexpected \s-1EOF\s0 will be reported.
.PP
There are implementations that do not send the required close_notify alert.
If there is a need to communicate with such an implementation, and it's clear
that all data has been received, do not wait for the peer's close_notify alert.
Waiting for the close_notify alert when the peer just closes the connection will
result in an error being generated.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can occur:
.IP "0" 4
The shutdown is not yet finished: the close_notify was sent but the peer
did not send it back yet.
Call \fBSSL_read()\fR to do a bidirectional shutdown.
.Sp
Unlike most other function, returning 0 does not indicate an error.
\&\fBSSL_get_error\fR\|(3) should not get called, it may misleadingly
indicate an error even though no error occurred.
.IP "1" 4
.IX Item "1"
The shutdown was successfully completed. The close_notify alert was sent
and the peer's close_notify alert was received.
.IP "<0" 4
.IX Item "<0"
The shutdown was not successful.
Call \fBSSL_get_error\fR\|(3) with the return value \fBret\fR to find out the reason.
It can occur if an action is needed to continue the operation for nonblocking
BIOs.
.Sp
It can also occur when not all data was read using \fBSSL_read()\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_get_error\fR\|(3), \fBSSL_connect\fR\|(3),
\&\fBSSL_accept\fR\|(3), \fBSSL_set_shutdown\fR\|(3),
\&\fBSSL_CTX_set_quiet_shutdown\fR\|(3),
\&\fBSSL_clear\fR\|(3), \fBSSL_free\fR\|(3),
\&\fBssl\fR\|(7), \fBbio\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_state_string.3 b/secure/lib/libcrypto/man/man3/SSL_state_string.3
index cb268733635e..e7cace8e5a78 100644
--- a/secure/lib/libcrypto/man/man3/SSL_state_string.3
+++ b/secure/lib/libcrypto/man/man3/SSL_state_string.3
@@ -1,185 +1,185 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_STATE_STRING 3"
-.TH SSL_STATE_STRING 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_STATE_STRING 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_state_string, SSL_state_string_long \- get textual description of state of an SSL object
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& const char *SSL_state_string(const SSL *ssl);
\& const char *SSL_state_string_long(const SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_state_string()\fR returns a 6 letter string indicating the current state
of the \s-1SSL\s0 object \fBssl\fR.
.PP
\&\fBSSL_state_string_long()\fR returns a string indicating the current state of
the \s-1SSL\s0 object \fBssl\fR.
.SH "NOTES"
.IX Header "NOTES"
During its use, an \s-1SSL\s0 objects passes several states. The state is internally
maintained. Querying the state information is not very informative before
or when a connection has been established. It however can be of significant
interest during the handshake.
.PP
When using nonblocking sockets, the function call performing the handshake
may return with \s-1SSL_ERROR_WANT_READ\s0 or \s-1SSL_ERROR_WANT_WRITE\s0 condition,
so that SSL_state_string[_long]() may be called.
.PP
For both blocking or nonblocking sockets, the details state information
can be used within the info_callback function set with the
\&\fBSSL_set_info_callback()\fR call.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Detailed description of possible states to be included later.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_CTX_set_info_callback\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_want.3 b/secure/lib/libcrypto/man/man3/SSL_want.3
index 98c9f62646a9..3b4185e1bbef 100644
--- a/secure/lib/libcrypto/man/man3/SSL_want.3
+++ b/secure/lib/libcrypto/man/man3/SSL_want.3
@@ -1,233 +1,233 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_WANT 3"
-.TH SSL_WANT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_WANT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_want, SSL_want_nothing, SSL_want_read, SSL_want_write, SSL_want_x509_lookup, SSL_want_async, SSL_want_async_job, SSL_want_client_hello_cb \- obtain state information TLS/SSL I/O operation
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& int SSL_want(const SSL *ssl);
\& int SSL_want_nothing(const SSL *ssl);
\& int SSL_want_read(const SSL *ssl);
\& int SSL_want_write(const SSL *ssl);
\& int SSL_want_x509_lookup(const SSL *ssl);
\& int SSL_want_async(const SSL *ssl);
\& int SSL_want_async_job(const SSL *ssl);
\& int SSL_want_client_hello_cb(const SSL *ssl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_want()\fR returns state information for the \s-1SSL\s0 object \fBssl\fR.
.PP
The other SSL_want_*() calls are shortcuts for the possible states returned
by \fBSSL_want()\fR.
.SH "NOTES"
.IX Header "NOTES"
\&\fBSSL_want()\fR examines the internal state information of the \s-1SSL\s0 object. Its
return values are similar to that of \fBSSL_get_error\fR\|(3).
Unlike \fBSSL_get_error\fR\|(3), which also evaluates the
error queue, the results are obtained by examining an internal state flag
only. The information must therefore only be used for normal operation under
nonblocking I/O. Error conditions are not handled and must be treated
using \fBSSL_get_error\fR\|(3).
.PP
The result returned by \fBSSL_want()\fR should always be consistent with
the result of \fBSSL_get_error\fR\|(3).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The following return values can currently occur for \fBSSL_want()\fR:
.IP "\s-1SSL_NOTHING\s0" 4
.IX Item "SSL_NOTHING"
There is no data to be written or to be read.
.IP "\s-1SSL_WRITING\s0" 4
.IX Item "SSL_WRITING"
There are data in the \s-1SSL\s0 buffer that must be written to the underlying
\&\fB\s-1BIO\s0\fR layer in order to complete the actual SSL_*() operation.
A call to \fBSSL_get_error\fR\|(3) should return
\&\s-1SSL_ERROR_WANT_WRITE.\s0
.IP "\s-1SSL_READING\s0" 4
.IX Item "SSL_READING"
More data must be read from the underlying \fB\s-1BIO\s0\fR layer in order to
complete the actual SSL_*() operation.
A call to \fBSSL_get_error\fR\|(3) should return
\&\s-1SSL_ERROR_WANT_READ.\s0
.IP "\s-1SSL_X509_LOOKUP\s0" 4
.IX Item "SSL_X509_LOOKUP"
The operation did not complete because an application callback set by
\&\fBSSL_CTX_set_client_cert_cb()\fR has asked to be called again.
A call to \fBSSL_get_error\fR\|(3) should return
\&\s-1SSL_ERROR_WANT_X509_LOOKUP.\s0
.IP "\s-1SSL_ASYNC_PAUSED\s0" 4
.IX Item "SSL_ASYNC_PAUSED"
An asynchronous operation partially completed and was then paused. See
\&\fBSSL_get_all_async_fds\fR\|(3). A call to \fBSSL_get_error\fR\|(3) should return
\&\s-1SSL_ERROR_WANT_ASYNC.\s0
.IP "\s-1SSL_ASYNC_NO_JOBS\s0" 4
.IX Item "SSL_ASYNC_NO_JOBS"
The asynchronous job could not be started because there were no async jobs
available in the pool (see \fBASYNC_init_thread\fR\|(3)). A call to \fBSSL_get_error\fR\|(3)
should return \s-1SSL_ERROR_WANT_ASYNC_JOB.\s0
.IP "\s-1SSL_CLIENT_HELLO_CB\s0" 4
.IX Item "SSL_CLIENT_HELLO_CB"
The operation did not complete because an application callback set by
\&\fBSSL_CTX_set_client_hello_cb()\fR has asked to be called again.
A call to \fBSSL_get_error\fR\|(3) should return
\&\s-1SSL_ERROR_WANT_CLIENT_HELLO_CB.\s0
.PP
\&\fBSSL_want_nothing()\fR, \fBSSL_want_read()\fR, \fBSSL_want_write()\fR, \fBSSL_want_x509_lookup()\fR,
\&\fBSSL_want_async()\fR, \fBSSL_want_async_job()\fR, and \fBSSL_want_client_hello_cb()\fR return
1, when the corresponding condition is true or 0 otherwise.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_get_error\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_want_client_hello_cb()\fR function and the \s-1SSL_CLIENT_HELLO_CB\s0 return value
were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/SSL_write.3 b/secure/lib/libcrypto/man/man3/SSL_write.3
index 9b7c0bf9e571..0e6777816d17 100644
--- a/secure/lib/libcrypto/man/man3/SSL_write.3
+++ b/secure/lib/libcrypto/man/man3/SSL_write.3
@@ -1,273 +1,273 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL_WRITE 3"
-.TH SSL_WRITE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL_WRITE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SSL_write_ex, SSL_write, SSL_sendfile \- write bytes to a TLS/SSL connection
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& ossl_ssize_t SSL_sendfile(SSL *s, int fd, off_t offset, size_t size, int flags);
\& int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written);
\& int SSL_write(SSL *ssl, const void *buf, int num);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBSSL_write_ex()\fR and \fBSSL_write()\fR write \fBnum\fR bytes from the buffer \fBbuf\fR into
the specified \fBssl\fR connection. On success \fBSSL_write_ex()\fR will store the number
of bytes written in \fB*written\fR.
.PP
\&\fBSSL_sendfile()\fR writes \fBsize\fR bytes from offset \fBoffset\fR in the file
descriptor \fBfd\fR to the specified \s-1SSL\s0 connection \fBs\fR. This function provides
efficient zero-copy semantics. \fBSSL_sendfile()\fR is available only when
Kernel \s-1TLS\s0 is enabled, which can be checked by calling \fBBIO_get_ktls_send()\fR.
It is provided here to allow users to maintain the same interface.
The meaning of \fBflags\fR is platform dependent.
Currently, under Linux it is ignored.
.SH "NOTES"
.IX Header "NOTES"
In the paragraphs below a \*(L"write function\*(R" is defined as one of either
\&\fBSSL_write_ex()\fR, or \fBSSL_write()\fR.
.PP
If necessary, a write function will negotiate a \s-1TLS/SSL\s0 session, if not already
explicitly performed by \fBSSL_connect\fR\|(3) or \fBSSL_accept\fR\|(3). If the peer
requests a re-negotiation, it will be performed transparently during
the write function operation. The behaviour of the write functions depends on the
underlying \s-1BIO.\s0
.PP
For the transparent negotiation to succeed, the \fBssl\fR must have been
initialized to client or server mode. This is being done by calling
\&\fBSSL_set_connect_state\fR\|(3) or \fBSSL_set_accept_state()\fR
before the first call to a write function.
.PP
If the underlying \s-1BIO\s0 is \fBblocking\fR, the write functions will only return, once
the write operation has been finished or an error occurred.
.PP
If the underlying \s-1BIO\s0 is \fBnonblocking\fR the write functions will also return
when the underlying \s-1BIO\s0 could not satisfy the needs of the function to continue
the operation. In this case a call to \fBSSL_get_error\fR\|(3) with the
return value of the write function will yield \fB\s-1SSL_ERROR_WANT_READ\s0\fR
or \fB\s-1SSL_ERROR_WANT_WRITE\s0\fR. As at any time a re-negotiation is possible, a
call to a write function can also cause read operations! The calling process
then must repeat the call after taking appropriate action to satisfy the needs
of the write function. The action depends on the underlying \s-1BIO.\s0 When using a
nonblocking socket, nothing is to be done, but \fBselect()\fR can be used to check
for the required condition. When using a buffering \s-1BIO,\s0 like a \s-1BIO\s0 pair, data
must be written into or retrieved out of the \s-1BIO\s0 before being able to continue.
.PP
The write functions will only return with success when the complete contents of
\&\fBbuf\fR of length \fBnum\fR has been written. This default behaviour can be changed
with the \s-1SSL_MODE_ENABLE_PARTIAL_WRITE\s0 option of \fBSSL_CTX_set_mode\fR\|(3). When
this flag is set the write functions will also return with success when a
partial write has been successfully completed. In this case the write function
operation is considered completed. The bytes are sent and a new write call with
a new buffer (with the already sent bytes removed) must be started. A partial
write is performed with the size of a message block, which is 16kB.
.SH "WARNINGS"
.IX Header "WARNINGS"
When a write function call has to be repeated because \fBSSL_get_error\fR\|(3)
returned \fB\s-1SSL_ERROR_WANT_READ\s0\fR or \fB\s-1SSL_ERROR_WANT_WRITE\s0\fR, it must be repeated
with the same arguments.
The data that was passed might have been partially processed.
When \fB\s-1SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER\s0\fR was set using \fBSSL_CTX_set_mode\fR\|(3)
the pointer can be different, but the data and length should still be the same.
.PP
You should not call \fBSSL_write()\fR with num=0, it will return an error.
\&\fBSSL_write_ex()\fR can be called with num=0, but will not send application data to
the peer.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBSSL_write_ex()\fR will return 1 for success or 0 for failure. Success means that
all requested application data bytes have been written to the \s-1SSL\s0 connection or,
if \s-1SSL_MODE_ENABLE_PARTIAL_WRITE\s0 is in use, at least 1 application data byte has
been written to the \s-1SSL\s0 connection. Failure means that not all the requested
bytes have been written yet (if \s-1SSL_MODE_ENABLE_PARTIAL_WRITE\s0 is not in use) or
no bytes could be written to the \s-1SSL\s0 connection (if
\&\s-1SSL_MODE_ENABLE_PARTIAL_WRITE\s0 is in use). Failures can be retryable (e.g. the
network write buffer has temporarily filled up) or non-retryable (e.g. a fatal
network error). In the event of a failure call \fBSSL_get_error\fR\|(3) to find out
the reason which indicates whether the call is retryable or not.
.PP
For \fBSSL_write()\fR the following return values can occur:
.IP "> 0" 4
.IX Item "> 0"
The write operation was successful, the return value is the number of
bytes actually written to the \s-1TLS/SSL\s0 connection.
.IP "<= 0" 4
.IX Item "<= 0"
The write operation was not successful, because either the connection was
closed, an error occurred or action must be taken by the calling process.
Call \fBSSL_get_error()\fR with the return value \fBret\fR to find out the reason.
.Sp
Old documentation indicated a difference between 0 and \-1, and that \-1 was
retryable.
You should instead call \fBSSL_get_error()\fR to find out if it's retryable.
.PP
For \fBSSL_sendfile()\fR, the following return values can occur:
.IP ">= 0" 4
.IX Item ">= 0"
The write operation was successful, the return value is the number
of bytes of the file written to the \s-1TLS/SSL\s0 connection. The return
value can be less than \fBsize\fR for a partial write.
.IP "< 0" 4
.IX Item "< 0"
The write operation was not successful, because either the connection was
closed, an error occured or action must be taken by the calling process.
Call \fBSSL_get_error()\fR with the return value to find out the reason.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_get_error\fR\|(3), \fBSSL_read_ex\fR\|(3), \fBSSL_read\fR\|(3)
\&\fBSSL_CTX_set_mode\fR\|(3), \fBSSL_CTX_new\fR\|(3),
\&\fBSSL_connect\fR\|(3), \fBSSL_accept\fR\|(3)
\&\fBSSL_set_connect_state\fR\|(3), \fBBIO_ctrl\fR\|(3),
\&\fBssl\fR\|(7), \fBbio\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBSSL_write_ex()\fR function was added in OpenSSL 1.1.1.
The \fBSSL_sendfile()\fR function was added in OpenSSL 3.0.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/UI_STRING.3 b/secure/lib/libcrypto/man/man3/UI_STRING.3
index 5f03205bd7ec..8b832cda1463 100644
--- a/secure/lib/libcrypto/man/man3/UI_STRING.3
+++ b/secure/lib/libcrypto/man/man3/UI_STRING.3
@@ -1,274 +1,274 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "UI_STRING 3"
-.TH UI_STRING 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH UI_STRING 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
UI_STRING, UI_string_types, UI_get_string_type, UI_get_input_flags, UI_get0_output_string, UI_get0_action_string, UI_get0_result_string, UI_get_result_string_length, UI_get0_test_string, UI_get_result_minsize, UI_get_result_maxsize, UI_set_result, UI_set_result_ex \&\- User interface string parsing
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ui.h>
\&
\& typedef struct ui_string_st UI_STRING;
\&
\& enum UI_string_types {
\& UIT_NONE = 0,
\& UIT_PROMPT, /* Prompt for a string */
\& UIT_VERIFY, /* Prompt for a string and verify */
\& UIT_BOOLEAN, /* Prompt for a yes/no response */
\& UIT_INFO, /* Send info to the user */
\& UIT_ERROR /* Send an error message to the user */
\& };
\&
\& enum UI_string_types UI_get_string_type(UI_STRING *uis);
\& int UI_get_input_flags(UI_STRING *uis);
\& const char *UI_get0_output_string(UI_STRING *uis);
\& const char *UI_get0_action_string(UI_STRING *uis);
\& const char *UI_get0_result_string(UI_STRING *uis);
\& int UI_get_result_string_length(UI_STRING *uis);
\& const char *UI_get0_test_string(UI_STRING *uis);
\& int UI_get_result_minsize(UI_STRING *uis);
\& int UI_get_result_maxsize(UI_STRING *uis);
\& int UI_set_result(UI *ui, UI_STRING *uis, const char *result);
\& int UI_set_result_ex(UI *ui, UI_STRING *uis, const char *result, int len);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fB\s-1UI_STRING\s0\fR gets created internally and added to a \fB\s-1UI\s0\fR whenever
one of the functions \fBUI_add_input_string()\fR, \fBUI_dup_input_string()\fR,
\&\fBUI_add_verify_string()\fR, \fBUI_dup_verify_string()\fR,
\&\fBUI_add_input_boolean()\fR, \fBUI_dup_input_boolean()\fR, \fBUI_add_info_string()\fR,
\&\fBUI_dup_info_string()\fR, \fBUI_add_error_string()\fR or \fBUI_dup_error_string()\fR
is called.
For a \fB\s-1UI_METHOD\s0\fR user, there's no need to know more.
For a \fB\s-1UI_METHOD\s0\fR creator, it is of interest to fetch text from these
\&\fB\s-1UI_STRING\s0\fR objects as well as adding results to some of them.
.PP
\&\fBUI_get_string_type()\fR is used to retrieve the type of the given
\&\fB\s-1UI_STRING\s0\fR.
.PP
\&\fBUI_get_input_flags()\fR is used to retrieve the flags associated with the
given \fB\s-1UI_STRING\s0\fR.
.PP
\&\fBUI_get0_output_string()\fR is used to retrieve the actual string to
output (prompt, info, error, ...).
.PP
\&\fBUI_get0_action_string()\fR is used to retrieve the action description
associated with a \fB\s-1UIT_BOOLEAN\s0\fR type \fB\s-1UI_STRING\s0\fR.
For all other \fB\s-1UI_STRING\s0\fR types, \s-1NULL\s0 is returned.
See \fBUI_add_input_boolean\fR\|(3).
.PP
\&\fBUI_get0_result_string()\fR and \fBUI_get_result_string_length()\fR are used to
retrieve the result of a prompt and its length.
This is only useful for \fB\s-1UIT_PROMPT\s0\fR and \fB\s-1UIT_VERIFY\s0\fR type strings.
For all other \fB\s-1UI_STRING\s0\fR types, \fBUI_get0_result_string()\fR returns \s-1NULL\s0
and \fBUI_get_result_string_length()\fR returns \-1.
.PP
\&\fBUI_get0_test_string()\fR is used to retrieve the string to compare the
prompt result with.
This is only useful for \fB\s-1UIT_VERIFY\s0\fR type strings.
For all other \fB\s-1UI_STRING\s0\fR types, \s-1NULL\s0 is returned.
.PP
\&\fBUI_get_result_minsize()\fR and \fBUI_get_result_maxsize()\fR are used to
retrieve the minimum and maximum required size of the result.
This is only useful for \fB\s-1UIT_PROMPT\s0\fR and \fB\s-1UIT_VERIFY\s0\fR type strings.
For all other \fB\s-1UI_STRING\s0\fR types, \-1 is returned.
.PP
\&\fBUI_set_result_ex()\fR is used to set the result value of a prompt and its length.
For \fB\s-1UIT_PROMPT\s0\fR and \fB\s-1UIT_VERIFY\s0\fR type \s-1UI\s0 strings, this sets the
result retrievable with \fBUI_get0_result_string()\fR by copying the
contents of \fBresult\fR if its length fits the minimum and maximum size
requirements.
For \fB\s-1UIT_BOOLEAN\s0\fR type \s-1UI\s0 strings, this sets the first character of
the result retrievable with \fBUI_get0_result_string()\fR to the first
\&\fBok_char\fR given with \fBUI_add_input_boolean()\fR or \fBUI_dup_input_boolean()\fR
if the \fBresult\fR matched any of them, or the first of the
\&\fBcancel_chars\fR if the \fBresult\fR matched any of them, otherwise it's
set to the \s-1NUL\s0 char \f(CW\*(C`\e0\*(C'\fR.
See \fBUI_add_input_boolean\fR\|(3) for more information on \fBok_chars\fR and
\&\fBcancel_chars\fR.
.PP
\&\fBUI_set_result()\fR does the same thing as \fBUI_set_result_ex()\fR, but calculates
its length internally.
It expects the string to be terminated with a \s-1NUL\s0 byte, and is therefore
only useful with normal C strings.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBUI_get_string_type()\fR returns the \s-1UI\s0 string type.
.PP
\&\fBUI_get_input_flags()\fR returns the \s-1UI\s0 string flags.
.PP
\&\fBUI_get0_output_string()\fR returns the \s-1UI\s0 string output string.
.PP
\&\fBUI_get0_action_string()\fR returns the \s-1UI\s0 string action description
string for \fB\s-1UIT_BOOLEAN\s0\fR type \s-1UI\s0 strings, \s-1NULL\s0 for any other type.
.PP
\&\fBUI_get0_result_string()\fR returns the \s-1UI\s0 string result buffer for
\&\fB\s-1UIT_PROMPT\s0\fR and \fB\s-1UIT_VERIFY\s0\fR type \s-1UI\s0 strings, \s-1NULL\s0 for any other
type.
.PP
\&\fBUI_get_result_string_length()\fR returns the \s-1UI\s0 string result buffer's
content length for \fB\s-1UIT_PROMPT\s0\fR and \fB\s-1UIT_VERIFY\s0\fR type \s-1UI\s0 strings,
\&\-1 for any other type.
.PP
\&\fBUI_get0_test_string()\fR returns the \s-1UI\s0 string action description
string for \fB\s-1UIT_VERIFY\s0\fR type \s-1UI\s0 strings, \s-1NULL\s0 for any other type.
.PP
\&\fBUI_get_result_minsize()\fR returns the minimum allowed result size for
the \s-1UI\s0 string for \fB\s-1UIT_PROMPT\s0\fR and \fB\s-1UIT_VERIFY\s0\fR type strings,
\&\-1 for any other type.
.PP
\&\fBUI_get_result_maxsize()\fR returns the minimum allowed result size for
the \s-1UI\s0 string for \fB\s-1UIT_PROMPT\s0\fR and \fB\s-1UIT_VERIFY\s0\fR type strings,
\&\-1 for any other type.
.PP
\&\fBUI_set_result()\fR returns 0 on success or when the \s-1UI\s0 string is of any
type other than \fB\s-1UIT_PROMPT\s0\fR, \fB\s-1UIT_VERIFY\s0\fR or \fB\s-1UIT_BOOLEAN\s0\fR, \-1 on
error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\s-1\fBUI\s0\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/UI_UTIL_read_pw.3 b/secure/lib/libcrypto/man/man3/UI_UTIL_read_pw.3
index 69405381a2aa..bef4206c522a 100644
--- a/secure/lib/libcrypto/man/man3/UI_UTIL_read_pw.3
+++ b/secure/lib/libcrypto/man/man3/UI_UTIL_read_pw.3
@@ -1,202 +1,202 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "UI_UTIL_READ_PW 3"
-.TH UI_UTIL_READ_PW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH UI_UTIL_READ_PW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
UI_UTIL_read_pw_string, UI_UTIL_read_pw, UI_UTIL_wrap_read_pem_callback \- user interface utilities
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ui.h>
\&
\& int UI_UTIL_read_pw_string(char *buf, int length, const char *prompt,
\& int verify);
\& int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt,
\& int verify);
\& UI_METHOD *UI_UTIL_wrap_read_pem_callback(pem_password_cb *cb, int rwflag);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBUI_UTIL_read_pw_string()\fR asks for a passphrase, using \fBprompt\fR as a
prompt, and stores it in \fBbuf\fR.
The maximum allowed size is given with \fBlength\fR, including the
terminating \s-1NUL\s0 byte.
If \fBverify\fR is nonzero, the password will be verified as well.
.PP
\&\fBUI_UTIL_read_pw()\fR does the same as \fBUI_UTIL_read_pw_string()\fR, the
difference is that you can give it an external buffer \fBbuff\fR for the
verification passphrase.
.PP
\&\fBUI_UTIL_wrap_read_pem_callback()\fR can be used to create a temporary
\&\fB\s-1UI_METHOD\s0\fR that wraps a given \s-1PEM\s0 password callback \fBcb\fR.
\&\fBrwflag\fR is used to specify if this method will be used for
passphrase entry without (0) or with (1) verification.
When not used any more, the returned method should be freed with
\&\fBUI_destroy_method()\fR.
.SH "NOTES"
.IX Header "NOTES"
\&\fBUI_UTIL_read_pw_string()\fR and \fBUI_UTIL_read_pw()\fR use default
\&\fB\s-1UI_METHOD\s0\fR.
See \fBUI_get_default_method\fR\|(3) and friends for more information.
.PP
The result from the \fB\s-1UI_METHOD\s0\fR created by
\&\fBUI_UTIL_wrap_read_pem_callback()\fR will generate password strings in the
encoding that the given password callback generates.
The default password prompting functions (apart from
\&\fBUI_UTIL_read_pw_string()\fR and \fBUI_UTIL_read_pw()\fR, there is
\&\fBPEM_def_callback()\fR, \fBEVP_read_pw_string()\fR and \fBEVP_read_pw_string_min()\fR)
all use the default \fB\s-1UI_METHOD\s0\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBUI_UTIL_read_pw_string()\fR and \fBUI_UTIL_read_pw()\fR return 0 on success or a negative
value on error.
.PP
\&\fBUI_UTIL_wrap_read_pem_callback()\fR returns a valid \fB\s-1UI_METHOD\s0\fR structure or \s-1NULL\s0
if an error occurred.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBUI_get_default_method\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/UI_create_method.3 b/secure/lib/libcrypto/man/man3/UI_create_method.3
index 9c752b816de2..ed0f25e5564f 100644
--- a/secure/lib/libcrypto/man/man3/UI_create_method.3
+++ b/secure/lib/libcrypto/man/man3/UI_create_method.3
@@ -1,319 +1,319 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "UI_CREATE_METHOD 3"
-.TH UI_CREATE_METHOD 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH UI_CREATE_METHOD 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
UI_METHOD, UI_create_method, UI_destroy_method, UI_method_set_opener, UI_method_set_writer, UI_method_set_flusher, UI_method_set_reader, UI_method_set_closer, UI_method_set_data_duplicator, UI_method_set_prompt_constructor, UI_method_set_ex_data, UI_method_get_opener, UI_method_get_writer, UI_method_get_flusher, UI_method_get_reader, UI_method_get_closer, UI_method_get_data_duplicator, UI_method_get_data_destructor, UI_method_get_prompt_constructor, UI_method_get_ex_data \- user interface method creation and destruction
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ui.h>
\&
\& typedef struct ui_method_st UI_METHOD;
\&
\& UI_METHOD *UI_create_method(const char *name);
\& void UI_destroy_method(UI_METHOD *ui_method);
\& int UI_method_set_opener(UI_METHOD *method, int (*opener) (UI *ui));
\& int UI_method_set_writer(UI_METHOD *method,
\& int (*writer) (UI *ui, UI_STRING *uis));
\& int UI_method_set_flusher(UI_METHOD *method, int (*flusher) (UI *ui));
\& int UI_method_set_reader(UI_METHOD *method,
\& int (*reader) (UI *ui, UI_STRING *uis));
\& int UI_method_set_closer(UI_METHOD *method, int (*closer) (UI *ui));
\& int UI_method_set_data_duplicator(UI_METHOD *method,
\& void *(*duplicator) (UI *ui, void *ui_data),
\& void (*destructor)(UI *ui, void *ui_data));
\& int UI_method_set_prompt_constructor(UI_METHOD *method,
\& char *(*prompt_constructor) (UI *ui,
\& const char
\& *object_desc,
\& const char
\& *object_name));
\& int UI_method_set_ex_data(UI_METHOD *method, int idx, void *data);
\& int (*UI_method_get_opener(const UI_METHOD *method)) (UI *);
\& int (*UI_method_get_writer(const UI_METHOD *method)) (UI *, UI_STRING *);
\& int (*UI_method_get_flusher(const UI_METHOD *method)) (UI *);
\& int (*UI_method_get_reader(const UI_METHOD *method)) (UI *, UI_STRING *);
\& int (*UI_method_get_closer(const UI_METHOD *method)) (UI *);
\& char *(*UI_method_get_prompt_constructor(const UI_METHOD *method))
\& (UI *, const char *, const char *);
\& void *(*UI_method_get_data_duplicator(const UI_METHOD *method)) (UI *, void *);
\& void (*UI_method_get_data_destructor(const UI_METHOD *method)) (UI *, void *);
\& const void *UI_method_get_ex_data(const UI_METHOD *method, int idx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
A method contains a few functions that implement the low-level of the
User Interface.
These functions are:
.IP "an opener" 4
.IX Item "an opener"
This function takes a reference to a \s-1UI\s0 and starts a session, for
example by opening a channel to a tty, or by creating a dialog box.
.IP "a writer" 4
.IX Item "a writer"
This function takes a reference to a \s-1UI\s0 and a \s-1UI\s0 String, and writes
the string where appropriate, maybe to the tty, maybe added as a field
label in a dialog box.
Note that this gets fed all strings associated with a \s-1UI,\s0 one after
the other, so care must be taken which ones it actually uses.
.IP "a flusher" 4
.IX Item "a flusher"
This function takes a reference to a \s-1UI,\s0 and flushes everything that
has been output so far.
For example, if the method builds up a dialog box, this can be used to
actually display it and accepting input ended with a pressed button.
.IP "a reader" 4
.IX Item "a reader"
This function takes a reference to a \s-1UI\s0 and a \s-1UI\s0 string and reads off
the given prompt, maybe from the tty, maybe from a field in a dialog
box.
Note that this gets fed all strings associated with a \s-1UI,\s0 one after
the other, so care must be taken which ones it actually uses.
.IP "a closer" 4
.IX Item "a closer"
This function takes a reference to a \s-1UI,\s0 and closes the session, maybe
by closing the channel to the tty, maybe by destroying a dialog box.
.PP
All of these functions are expected to return 0 on error, 1 on
success, or \-1 on out-off-band events, for example if some prompting
has been cancelled (by pressing Ctrl-C, for example).
Only the flusher or the reader are expected to return \-1.
If returned by another of the functions, it's treated as if 0 was
returned.
.PP
Regarding the writer and the reader, don't assume the former should
only write and don't assume the latter should only read.
This depends on the needs of the method.
.PP
For example, a typical tty reader wouldn't write the prompts in the
write, but would rather do so in the reader, because of the sequential
nature of prompting on a tty.
This is how the \fBUI_OpenSSL()\fR method does it.
.PP
In contrast, a method that builds up a dialog box would add all prompt
text in the writer, have all input read in the flusher and store the
results in some temporary buffer, and finally have the reader just
fetch those results.
.PP
The central function that uses these method functions is \fBUI_process()\fR,
and it does it in five steps:
.IP "1." 4
Open the session using the opener function if that one's defined.
If an error occurs, jump to 5.
.IP "2." 4
For every \s-1UI\s0 String associated with the \s-1UI,\s0 call the writer function
if that one's defined.
If an error occurs, jump to 5.
.IP "3." 4
Flush everything using the flusher function if that one's defined.
If an error occurs, jump to 5.
.IP "4." 4
For every \s-1UI\s0 String associated with the \s-1UI,\s0 call the reader function
if that one's defined.
If an error occurs, jump to 5.
.IP "5." 4
Close the session using the closer function if that one's defined.
.PP
\&\fBUI_create_method()\fR creates a new \s-1UI\s0 method with a given \fBname\fR.
.PP
\&\fBUI_destroy_method()\fR destroys the given \s-1UI\s0 method \fBui_method\fR.
.PP
\&\fBUI_method_set_opener()\fR, \fBUI_method_set_writer()\fR,
\&\fBUI_method_set_flusher()\fR, \fBUI_method_set_reader()\fR and
\&\fBUI_method_set_closer()\fR set the five main method function to the given
function pointer.
.PP
\&\fBUI_method_set_data_duplicator()\fR sets the user data duplicator and destructor.
See \fBUI_dup_user_data\fR\|(3).
.PP
\&\fBUI_method_set_prompt_constructor()\fR sets the prompt constructor.
See \fBUI_construct_prompt\fR\|(3).
.PP
\&\fBUI_method_set_ex_data()\fR sets application specific data with a given
\&\s-1EX_DATA\s0 index.
See \fBCRYPTO_get_ex_new_index\fR\|(3) for general information on how to
get that index.
.PP
\&\fBUI_method_get_opener()\fR, \fBUI_method_get_writer()\fR,
\&\fBUI_method_get_flusher()\fR, \fBUI_method_get_reader()\fR,
\&\fBUI_method_get_closer()\fR, \fBUI_method_get_data_duplicator()\fR,
\&\fBUI_method_get_data_destructor()\fR and \fBUI_method_get_prompt_constructor()\fR
return the different method functions.
.PP
\&\fBUI_method_get_ex_data()\fR returns the application data previously stored
with \fBUI_method_set_ex_data()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBUI_create_method()\fR returns a \s-1UI_METHOD\s0 pointer on success, \s-1NULL\s0 on
error.
.PP
\&\fBUI_method_set_opener()\fR, \fBUI_method_set_writer()\fR,
\&\fBUI_method_set_flusher()\fR, \fBUI_method_set_reader()\fR,
\&\fBUI_method_set_closer()\fR, \fBUI_method_set_data_duplicator()\fR and
\&\fBUI_method_set_prompt_constructor()\fR
return 0 on success, \-1 if the given \fBmethod\fR is \s-1NULL.\s0
.PP
\&\fBUI_method_set_ex_data()\fR returns 1 on success and 0 on error (because
\&\fBCRYPTO_set_ex_data()\fR does so).
.PP
\&\fBUI_method_get_opener()\fR, \fBUI_method_get_writer()\fR,
\&\fBUI_method_get_flusher()\fR, \fBUI_method_get_reader()\fR,
\&\fBUI_method_get_closer()\fR, \fBUI_method_get_data_duplicator()\fR,
\&\fBUI_method_get_data_destructor()\fR and \fBUI_method_get_prompt_constructor()\fR
return the requested function pointer if it's set in the method,
otherwise \s-1NULL.\s0
.PP
\&\fBUI_method_get_ex_data()\fR returns a pointer to the application specific
data associated with the method.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\s-1\fBUI\s0\fR\|(3), \fBCRYPTO_get_ex_data\fR\|(3), \s-1\fBUI_STRING\s0\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBUI_method_set_data_duplicator()\fR, \fBUI_method_get_data_duplicator()\fR
and \fBUI_method_get_data_destructor()\fR functions were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/UI_new.3 b/secure/lib/libcrypto/man/man3/UI_new.3
index 77b56a279cff..3a6715b61b88 100644
--- a/secure/lib/libcrypto/man/man3/UI_new.3
+++ b/secure/lib/libcrypto/man/man3/UI_new.3
@@ -1,376 +1,376 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "UI_NEW 3"
-.TH UI_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH UI_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
UI, UI_new, UI_new_method, UI_free, UI_add_input_string, UI_dup_input_string, UI_add_verify_string, UI_dup_verify_string, UI_add_input_boolean, UI_dup_input_boolean, UI_add_info_string, UI_dup_info_string, UI_add_error_string, UI_dup_error_string, UI_construct_prompt, UI_add_user_data, UI_dup_user_data, UI_get0_user_data, UI_get0_result, UI_get_result_length, UI_process, UI_ctrl, UI_set_default_method, UI_get_default_method, UI_get_method, UI_set_method, UI_OpenSSL, UI_null \- user interface
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ui.h>
\&
\& typedef struct ui_st UI;
\&
\& UI *UI_new(void);
\& UI *UI_new_method(const UI_METHOD *method);
\& void UI_free(UI *ui);
\&
\& int UI_add_input_string(UI *ui, const char *prompt, int flags,
\& char *result_buf, int minsize, int maxsize);
\& int UI_dup_input_string(UI *ui, const char *prompt, int flags,
\& char *result_buf, int minsize, int maxsize);
\& int UI_add_verify_string(UI *ui, const char *prompt, int flags,
\& char *result_buf, int minsize, int maxsize,
\& const char *test_buf);
\& int UI_dup_verify_string(UI *ui, const char *prompt, int flags,
\& char *result_buf, int minsize, int maxsize,
\& const char *test_buf);
\& int UI_add_input_boolean(UI *ui, const char *prompt, const char *action_desc,
\& const char *ok_chars, const char *cancel_chars,
\& int flags, char *result_buf);
\& int UI_dup_input_boolean(UI *ui, const char *prompt, const char *action_desc,
\& const char *ok_chars, const char *cancel_chars,
\& int flags, char *result_buf);
\& int UI_add_info_string(UI *ui, const char *text);
\& int UI_dup_info_string(UI *ui, const char *text);
\& int UI_add_error_string(UI *ui, const char *text);
\& int UI_dup_error_string(UI *ui, const char *text);
\&
\& char *UI_construct_prompt(UI *ui_method,
\& const char *object_desc, const char *object_name);
\&
\& void *UI_add_user_data(UI *ui, void *user_data);
\& int UI_dup_user_data(UI *ui, void *user_data);
\& void *UI_get0_user_data(UI *ui);
\&
\& const char *UI_get0_result(UI *ui, int i);
\& int UI_get_result_length(UI *ui, int i);
\&
\& int UI_process(UI *ui);
\&
\& int UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f)());
\&
\& void UI_set_default_method(const UI_METHOD *meth);
\& const UI_METHOD *UI_get_default_method(void);
\& const UI_METHOD *UI_get_method(UI *ui);
\& const UI_METHOD *UI_set_method(UI *ui, const UI_METHOD *meth);
\&
\& UI_METHOD *UI_OpenSSL(void);
\& const UI_METHOD *UI_null(void);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\s-1UI\s0 stands for User Interface, and is general purpose set of routines to
prompt the user for text-based information. Through user-written methods
(see \fBUI_create_method\fR\|(3)), prompting can be done in any way
imaginable, be it plain text prompting, through dialog boxes or from a
cell phone.
.PP
All the functions work through a context of the type \s-1UI.\s0 This context
contains all the information needed to prompt correctly as well as a
reference to a \s-1UI_METHOD,\s0 which is an ordered vector of functions that
carry out the actual prompting.
.PP
The first thing to do is to create a \s-1UI\s0 with \fBUI_new()\fR or \fBUI_new_method()\fR,
then add information to it with the UI_add or UI_dup functions. Also,
user-defined random data can be passed down to the underlying method
through calls to \fBUI_add_user_data()\fR or \fBUI_dup_user_data()\fR. The default
\&\s-1UI\s0 method doesn't care about these data, but other methods might. Finally,
use \fBUI_process()\fR to actually perform the prompting and \fBUI_get0_result()\fR
and \fBUI_get_result_length()\fR to find the result to the prompt and its length.
.PP
A \s-1UI\s0 can contain more than one prompt, which are performed in the given
sequence. Each prompt gets an index number which is returned by the
UI_add and UI_dup functions, and has to be used to get the corresponding
result with \fBUI_get0_result()\fR and \fBUI_get_result_length()\fR.
.PP
\&\fBUI_process()\fR can be called more than once on the same \s-1UI,\s0 thereby allowing
a \s-1UI\s0 to have a long lifetime, but can just as well have a short lifetime.
.PP
The functions are as follows:
.PP
\&\fBUI_new()\fR creates a new \s-1UI\s0 using the default \s-1UI\s0 method. When done with
this \s-1UI,\s0 it should be freed using \fBUI_free()\fR.
.PP
\&\fBUI_new_method()\fR creates a new \s-1UI\s0 using the given \s-1UI\s0 method. When done with
this \s-1UI,\s0 it should be freed using \fBUI_free()\fR.
.PP
\&\fBUI_OpenSSL()\fR returns the built-in \s-1UI\s0 method (note: not necessarily the
default one, since the default can be changed. See further on). This
method is the most machine/OS dependent part of OpenSSL and normally
generates the most problems when porting.
.PP
\&\fBUI_null()\fR returns a \s-1UI\s0 method that does nothing. Its use is to avoid
getting internal defaults for passed \s-1UI_METHOD\s0 pointers.
.PP
\&\fBUI_free()\fR removes a \s-1UI\s0 from memory, along with all other pieces of memory
that's connected to it, like duplicated input strings, results and others.
If \fBui\fR is \s-1NULL\s0 nothing is done.
.PP
\&\fBUI_add_input_string()\fR and \fBUI_add_verify_string()\fR add a prompt to the \s-1UI,\s0
as well as flags and a result buffer and the desired minimum and maximum
sizes of the result, not counting the final \s-1NUL\s0 character. The given
information is used to prompt for information, for example a password,
and to verify a password (i.e. having the user enter it twice and check
that the same string was entered twice). \fBUI_add_verify_string()\fR takes
and extra argument that should be a pointer to the result buffer of the
input string that it's supposed to verify, or verification will fail.
.PP
\&\fBUI_add_input_boolean()\fR adds a prompt to the \s-1UI\s0 that's supposed to be answered
in a boolean way, with a single character for yes and a different character
for no. A set of characters that can be used to cancel the prompt is given
as well. The prompt itself is divided in two, one part being the
descriptive text (given through the \fIprompt\fR argument) and one describing
the possible answers (given through the \fIaction_desc\fR argument).
.PP
\&\fBUI_add_info_string()\fR and \fBUI_add_error_string()\fR add strings that are shown at
the same time as the prompt for extra information or to show an error string.
The difference between the two is only conceptual. With the builtin method,
there's no technical difference between them. Other methods may make a
difference between them, however.
.PP
The flags currently supported are \fB\s-1UI_INPUT_FLAG_ECHO\s0\fR, which is relevant for
\&\fBUI_add_input_string()\fR and will have the users response be echoed (when
prompting for a password, this flag should obviously not be used, and
\&\fB\s-1UI_INPUT_FLAG_DEFAULT_PWD\s0\fR, which means that a default password of some
sort will be used (completely depending on the application and the \s-1UI\s0
method).
.PP
\&\fBUI_dup_input_string()\fR, \fBUI_dup_verify_string()\fR, \fBUI_dup_input_boolean()\fR,
\&\fBUI_dup_info_string()\fR and \fBUI_dup_error_string()\fR are basically the same
as their UI_add counterparts, except that they make their own copies
of all strings.
.PP
\&\fBUI_construct_prompt()\fR is a helper function that can be used to create
a prompt from two pieces of information: an description and a name.
The default constructor (if there is none provided by the method used)
creates a string "Enter \fIdescription\fR for \fIname\fR:\*(L". With the
description \*(R"pass phrase\*(L" and the filename \*(R"foo.key\*(L", that becomes
\&\*(R"Enter pass phrase for foo.key:". Other methods may create whatever
string and may include encodings that will be processed by the other
method functions.
.PP
\&\fBUI_add_user_data()\fR adds a user data pointer for the method to use at any
time. The builtin \s-1UI\s0 method doesn't care about this info. Note that several
calls to this function doesn't add data, it replaces the previous blob
with the one given as argument.
.PP
\&\fBUI_dup_user_data()\fR duplicates the user data and works as an alternative
to \fBUI_add_user_data()\fR when the user data needs to be preserved for a longer
duration, perhaps even the lifetime of the application. The \s-1UI\s0 object takes
ownership of this duplicate and will free it whenever it gets replaced or
the \s-1UI\s0 is destroyed. \fBUI_dup_user_data()\fR returns 0 on success, or \-1 on memory
allocation failure or if the method doesn't have a duplicator function.
.PP
\&\fBUI_get0_user_data()\fR retrieves the data that has last been given to the
\&\s-1UI\s0 with \fBUI_add_user_data()\fR or UI_dup_user_data.
.PP
\&\fBUI_get0_result()\fR returns a pointer to the result buffer associated with
the information indexed by \fIi\fR.
.PP
\&\fBUI_get_result_length()\fR returns the length of the result buffer associated with
the information indexed by \fIi\fR.
.PP
\&\fBUI_process()\fR goes through the information given so far, does all the printing
and prompting and returns the final status, which is \-2 on out-of-band events
(Interrupt, Cancel, ...), \-1 on error and 0 on success.
.PP
\&\fBUI_ctrl()\fR adds extra control for the application author. For now, it
understands two commands: \fB\s-1UI_CTRL_PRINT_ERRORS\s0\fR, which makes \fBUI_process()\fR
print the OpenSSL error stack as part of processing the \s-1UI,\s0 and
\&\fB\s-1UI_CTRL_IS_REDOABLE\s0\fR, which returns a flag saying if the used \s-1UI\s0 can
be used again or not.
.PP
\&\fBUI_set_default_method()\fR changes the default \s-1UI\s0 method to the one given.
This function is not thread-safe and should not be called at the same time
as other OpenSSL functions.
.PP
\&\fBUI_get_default_method()\fR returns a pointer to the current default \s-1UI\s0 method.
.PP
\&\fBUI_get_method()\fR returns the \s-1UI\s0 method associated with a given \s-1UI.\s0
.PP
\&\fBUI_set_method()\fR changes the \s-1UI\s0 method associated with a given \s-1UI.\s0
.SH "NOTES"
.IX Header "NOTES"
The resulting strings that the built in method \fBUI_OpenSSL()\fR generate
are assumed to be encoded according to the current locale or (for
Windows) code page.
For applications having different demands, these strings need to be
converted appropriately by the caller.
For Windows, if the \s-1OPENSSL_WIN32_UTF8\s0 environment variable is set,
the built-in method \fBUI_OpenSSL()\fR will produce \s-1UTF\-8\s0 encoded strings
instead.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBUI_new()\fR and \fBUI_new_method()\fR return a valid \fB\s-1UI\s0\fR structure or \s-1NULL\s0 if an error
occurred.
.PP
\&\fBUI_add_input_string()\fR, \fBUI_dup_input_string()\fR, \fBUI_add_verify_string()\fR,
\&\fBUI_dup_verify_string()\fR, \fBUI_add_input_boolean()\fR, \fBUI_dup_input_boolean()\fR,
\&\fBUI_add_info_string()\fR, \fBUI_dup_info_string()\fR, \fBUI_add_error_string()\fR
and \fBUI_dup_error_string()\fR return a positive number on success or a value which
is less than or equal to 0 otherwise.
.PP
\&\fBUI_construct_prompt()\fR returns a string or \s-1NULL\s0 if an error occurred.
.PP
\&\fBUI_dup_user_data()\fR returns 0 on success or \-1 on error.
.PP
\&\fBUI_get0_result()\fR returns a string or \s-1NULL\s0 on error.
.PP
\&\fBUI_get_result_length()\fR returns a positive integer or 0 on success; otherwise it
returns \-1 on error.
.PP
\&\fBUI_process()\fR returns 0 on success or a negative value on error.
.PP
\&\fBUI_ctrl()\fR returns a mask on success or \-1 on error.
.PP
\&\fBUI_get_default_method()\fR, \fBUI_get_method()\fR, \fBUI_OpenSSL()\fR, \fBUI_null()\fR and
\&\fBUI_set_method()\fR return either a valid \fB\s-1UI_METHOD\s0\fR structure or \s-1NULL\s0
respectively.
.SH "HISTORY"
.IX Header "HISTORY"
The \fBUI_dup_user_data()\fR function was added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509V3_get_d2i.3 b/secure/lib/libcrypto/man/man3/X509V3_get_d2i.3
index 0aaf8076e1d3..cf13454800db 100644
--- a/secure/lib/libcrypto/man/man3/X509V3_get_d2i.3
+++ b/secure/lib/libcrypto/man/man3/X509V3_get_d2i.3
@@ -1,375 +1,375 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509V3_GET_D2I 3"
-.TH X509V3_GET_D2I 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509V3_GET_D2I 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_get0_extensions, X509_CRL_get0_extensions, X509_REVOKED_get0_extensions, X509V3_get_d2i, X509V3_add1_i2d, X509V3_EXT_d2i, X509V3_EXT_i2d, X509_get_ext_d2i, X509_add1_ext_i2d, X509_CRL_get_ext_d2i, X509_CRL_add1_ext_i2d, X509_REVOKED_get_ext_d2i, X509_REVOKED_add1_ext_i2d \- X509 extension decode and encode functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509v3.h>
\&
\& void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
\& int *idx);
\& int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
\& int crit, unsigned long flags);
\&
\& void *X509V3_EXT_d2i(X509_EXTENSION *ext);
\& X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext);
\&
\& void *X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx);
\& int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
\& unsigned long flags);
\&
\& void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, int *crit, int *idx);
\& int X509_CRL_add1_ext_i2d(X509_CRL *crl, int nid, void *value, int crit,
\& unsigned long flags);
\&
\& void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *r, int nid, int *crit, int *idx);
\& int X509_REVOKED_add1_ext_i2d(X509_REVOKED *r, int nid, void *value, int crit,
\& unsigned long flags);
\&
\& const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
\& const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl);
\& const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(const X509_REVOKED *r);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBX509V3_get_ext_d2i()\fR looks for an extension with \s-1OID\s0 \fBnid\fR in the extensions
\&\fBx\fR and, if found, decodes it. If \fBidx\fR is \fB\s-1NULL\s0\fR then only one
occurrence of an extension is permissible otherwise the first extension after
index \fB*idx\fR is returned and \fB*idx\fR updated to the location of the extension.
If \fBcrit\fR is not \fB\s-1NULL\s0\fR then \fB*crit\fR is set to a status value: \-2 if the
extension occurs multiple times (this is only returned if \fBidx\fR is \fB\s-1NULL\s0\fR),
\&\-1 if the extension could not be found, 0 if the extension is found and is
not critical and 1 if critical. A pointer to an extension specific structure
or \fB\s-1NULL\s0\fR is returned.
.PP
\&\fBX509V3_add1_i2d()\fR adds extension \fBvalue\fR to \s-1STACK\s0 \fB*x\fR (allocating a new
\&\s-1STACK\s0 if necessary) using \s-1OID\s0 \fBnid\fR and criticality \fBcrit\fR according
to \fBflags\fR.
.PP
\&\fBX509V3_EXT_d2i()\fR attempts to decode the \s-1ASN.1\s0 data contained in extension
\&\fBext\fR and returns a pointer to an extension specific structure or \fB\s-1NULL\s0\fR
if the extension could not be decoded (invalid syntax or not supported).
.PP
\&\fBX509V3_EXT_i2d()\fR encodes the extension specific structure \fBext\fR
with \s-1OID\s0 \fBext_nid\fR and criticality \fBcrit\fR.
.PP
\&\fBX509_get_ext_d2i()\fR and \fBX509_add1_ext_i2d()\fR operate on the extensions of
certificate \fBx\fR, they are otherwise identical to \fBX509V3_get_d2i()\fR and
\&\fBX509V3_add_i2d()\fR.
.PP
\&\fBX509_CRL_get_ext_d2i()\fR and \fBX509_CRL_add1_ext_i2d()\fR operate on the extensions
of \s-1CRL\s0 \fBcrl\fR, they are otherwise identical to \fBX509V3_get_d2i()\fR and
\&\fBX509V3_add_i2d()\fR.
.PP
\&\fBX509_REVOKED_get_ext_d2i()\fR and \fBX509_REVOKED_add1_ext_i2d()\fR operate on the
extensions of \fBX509_REVOKED\fR structure \fBr\fR (i.e for \s-1CRL\s0 entry extensions),
they are otherwise identical to \fBX509V3_get_d2i()\fR and \fBX509V3_add_i2d()\fR.
.PP
\&\fBX509_get0_extensions()\fR, \fBX509_CRL_get0_extensions()\fR and
\&\fBX509_REVOKED_get0_extensions()\fR return a stack of all the extensions
of a certificate a \s-1CRL\s0 or a \s-1CRL\s0 entry respectively.
.SH "NOTES"
.IX Header "NOTES"
In almost all cases an extension can occur at most once and multiple
occurrences is an error. Therefore, the \fBidx\fR parameter is usually \fB\s-1NULL\s0\fR.
.PP
The \fBflags\fR parameter may be one of the following values.
.PP
\&\fBX509V3_ADD_DEFAULT\fR appends a new extension only if the extension does
not already exist. An error is returned if the extension does already
exist.
.PP
\&\fBX509V3_ADD_APPEND\fR appends a new extension, ignoring whether the extension
already exists.
.PP
\&\fBX509V3_ADD_REPLACE\fR replaces an extension if it exists otherwise appends
a new extension.
.PP
\&\fBX509V3_ADD_REPLACE_EXISTING\fR replaces an existing extension if it exists
otherwise returns an error.
.PP
\&\fBX509V3_ADD_KEEP_EXISTING\fR appends a new extension only if the extension does
not already exist. An error \fBis not\fR returned if the extension does already
exist.
.PP
\&\fBX509V3_ADD_DELETE\fR extension \fBnid\fR is deleted: no new extension is added.
.PP
If \fBX509V3_ADD_SILENT\fR is ored with \fBflags\fR: any error returned will not
be added to the error queue.
.PP
The function \fBX509V3_get_d2i()\fR will return \fB\s-1NULL\s0\fR if the extension is not
found, occurs multiple times or cannot be decoded. It is possible to
determine the precise reason by checking the value of \fB*crit\fR.
.SH "SUPPORTED EXTENSIONS"
.IX Header "SUPPORTED EXTENSIONS"
The following sections contain a list of all supported extensions
including their name and \s-1NID.\s0
.SS "\s-1PKIX\s0 Certificate Extensions"
.IX Subsection "PKIX Certificate Extensions"
The following certificate extensions are defined in \s-1PKIX\s0 standards such as
\&\s-1RFC5280.\s0
.PP
.Vb 3
\& Basic Constraints NID_basic_constraints
\& Key Usage NID_key_usage
\& Extended Key Usage NID_ext_key_usage
\&
\& Subject Key Identifier NID_subject_key_identifier
\& Authority Key Identifier NID_authority_key_identifier
\&
\& Private Key Usage Period NID_private_key_usage_period
\&
\& Subject Alternative Name NID_subject_alt_name
\& Issuer Alternative Name NID_issuer_alt_name
\&
\& Authority Information Access NID_info_access
\& Subject Information Access NID_sinfo_access
\&
\& Name Constraints NID_name_constraints
\&
\& Certificate Policies NID_certificate_policies
\& Policy Mappings NID_policy_mappings
\& Policy Constraints NID_policy_constraints
\& Inhibit Any Policy NID_inhibit_any_policy
\&
\& TLS Feature NID_tlsfeature
.Ve
.SS "Netscape Certificate Extensions"
.IX Subsection "Netscape Certificate Extensions"
The following are (largely obsolete) Netscape certificate extensions.
.PP
.Vb 8
\& Netscape Cert Type NID_netscape_cert_type
\& Netscape Base Url NID_netscape_base_url
\& Netscape Revocation Url NID_netscape_revocation_url
\& Netscape CA Revocation Url NID_netscape_ca_revocation_url
\& Netscape Renewal Url NID_netscape_renewal_url
\& Netscape CA Policy Url NID_netscape_ca_policy_url
\& Netscape SSL Server Name NID_netscape_ssl_server_name
\& Netscape Comment NID_netscape_comment
.Ve
.SS "Miscellaneous Certificate Extensions"
.IX Subsection "Miscellaneous Certificate Extensions"
.Vb 2
\& Strong Extranet ID NID_sxnet
\& Proxy Certificate Information NID_proxyCertInfo
.Ve
.SS "\s-1PKIX CRL\s0 Extensions"
.IX Subsection "PKIX CRL Extensions"
The following are \s-1CRL\s0 extensions from \s-1PKIX\s0 standards such as \s-1RFC5280.\s0
.PP
.Vb 6
\& CRL Number NID_crl_number
\& CRL Distribution Points NID_crl_distribution_points
\& Delta CRL Indicator NID_delta_crl
\& Freshest CRL NID_freshest_crl
\& Invalidity Date NID_invalidity_date
\& Issuing Distribution Point NID_issuing_distribution_point
.Ve
.PP
The following are \s-1CRL\s0 entry extensions from \s-1PKIX\s0 standards such as \s-1RFC5280.\s0
.PP
.Vb 2
\& CRL Reason Code NID_crl_reason
\& Certificate Issuer NID_certificate_issuer
.Ve
.SS "\s-1OCSP\s0 Extensions"
.IX Subsection "OCSP Extensions"
.Vb 7
\& OCSP Nonce NID_id_pkix_OCSP_Nonce
\& OCSP CRL ID NID_id_pkix_OCSP_CrlID
\& Acceptable OCSP Responses NID_id_pkix_OCSP_acceptableResponses
\& OCSP No Check NID_id_pkix_OCSP_noCheck
\& OCSP Archive Cutoff NID_id_pkix_OCSP_archiveCutoff
\& OCSP Service Locator NID_id_pkix_OCSP_serviceLocator
\& Hold Instruction Code NID_hold_instruction_code
.Ve
.SS "Certificate Transparency Extensions"
.IX Subsection "Certificate Transparency Extensions"
The following extensions are used by certificate transparency, \s-1RFC6962\s0
.PP
.Vb 2
\& CT Precertificate SCTs NID_ct_precert_scts
\& CT Certificate SCTs NID_ct_cert_scts
.Ve
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509V3_EXT_d2i()\fR and *\fBX509V3_get_d2i()\fR return a pointer to an extension
specific structure of \fB\s-1NULL\s0\fR if an error occurs.
.PP
\&\fBX509V3_EXT_i2d()\fR returns a pointer to an \fBX509_EXTENSION\fR structure
or \fB\s-1NULL\s0\fR if an error occurs.
.PP
\&\fBX509V3_add1_i2d()\fR returns 1 if the operation is successful and 0 if it
fails due to a non-fatal error (extension not found, already exists,
cannot be encoded) or \-1 due to a fatal error such as a memory allocation
failure.
.PP
\&\fBX509_get0_extensions()\fR, \fBX509_CRL_get0_extensions()\fR and
\&\fBX509_REVOKED_get0_extensions()\fR return a stack of extensions. They return
\&\s-1NULL\s0 if no extensions are present.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_X509\fR\|(3),
\&\fBERR_get_error\fR\|(3),
\&\fBX509_CRL_get0_by_serial\fR\|(3),
\&\fBX509_get0_signature\fR\|(3),
\&\fBX509_get_ext_d2i\fR\|(3),
\&\fBX509_get_extension_flags\fR\|(3),
\&\fBX509_get_pubkey\fR\|(3),
\&\fBX509_get_subject_name\fR\|(3),
\&\fBX509_get_version\fR\|(3),
\&\fBX509_NAME_add_entry_by_txt\fR\|(3),
\&\fBX509_NAME_ENTRY_get_object\fR\|(3),
\&\fBX509_NAME_get_index_by_NID\fR\|(3),
\&\fBX509_NAME_print_ex\fR\|(3),
\&\fBX509_new\fR\|(3),
\&\fBX509_sign\fR\|(3),
\&\fBX509_verify_cert\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_ALGOR_dup.3 b/secure/lib/libcrypto/man/man3/X509_ALGOR_dup.3
index fe181e5cfb7d..e5ffd4d4ea96 100644
--- a/secure/lib/libcrypto/man/man3/X509_ALGOR_dup.3
+++ b/secure/lib/libcrypto/man/man3/X509_ALGOR_dup.3
@@ -1,200 +1,200 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_ALGOR_DUP 3"
-.TH X509_ALGOR_DUP 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_ALGOR_DUP 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_ALGOR_dup, X509_ALGOR_set0, X509_ALGOR_get0, X509_ALGOR_set_md, X509_ALGOR_cmp, X509_ALGOR_copy \- AlgorithmIdentifier functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *alg);
\& int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype, void *pval);
\& void X509_ALGOR_get0(const ASN1_OBJECT **paobj, int *pptype,
\& const void **ppval, const X509_ALGOR *alg);
\& void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md);
\& int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b);
\& int X509_ALGOR_copy(X509_ALGOR *dest, const X509_ALGOR *src);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBX509_ALGOR_dup()\fR returns a copy of \fBalg\fR.
.PP
\&\fBX509_ALGOR_set0()\fR sets the algorithm \s-1OID\s0 of \fBalg\fR to \fBaobj\fR and the
associated parameter type to \fBptype\fR with value \fBpval\fR. If \fBptype\fR is
\&\fBV_ASN1_UNDEF\fR the parameter is omitted, otherwise \fBptype\fR and \fBpval\fR have
the same meaning as the \fBtype\fR and \fBvalue\fR parameters to \fBASN1_TYPE_set()\fR.
All the supplied parameters are used internally so must \fB\s-1NOT\s0\fR be freed after
this call.
.PP
\&\fBX509_ALGOR_get0()\fR is the inverse of \fBX509_ALGOR_set0()\fR: it returns the
algorithm \s-1OID\s0 in \fB*paobj\fR and the associated parameter in \fB*pptype\fR
and \fB*ppval\fR from the \fBAlgorithmIdentifier\fR \fBalg\fR.
.PP
\&\fBX509_ALGOR_set_md()\fR sets the \fBAlgorithmIdentifier\fR \fBalg\fR to appropriate
values for the message digest \fBmd\fR.
.PP
\&\fBX509_ALGOR_cmp()\fR compares \fBa\fR and \fBb\fR and returns 0 if they have identical
encodings and nonzero otherwise.
.PP
\&\fBX509_ALGOR_copy()\fR copies the source values into the dest structs; making
a duplicate of each (and free any thing pointed to from within *dest).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_ALGOR_dup()\fR returns a valid \fBX509_ALGOR\fR structure or \s-1NULL\s0 if an error
occurred.
.PP
\&\fBX509_ALGOR_set0()\fR and \fBX509_ALGOR_copy()\fR return 1 on success or 0 on error.
.PP
\&\fBX509_ALGOR_get0()\fR and \fBX509_ALGOR_set_md()\fR return no values.
.PP
\&\fBX509_ALGOR_cmp()\fR returns 0 if the two parameters have identical encodings and
nonzero otherwise.
.SH "HISTORY"
.IX Header "HISTORY"
The \fBX509_ALGOR_copy()\fR was added in 1.1.1e.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_CRL_get0_by_serial.3 b/secure/lib/libcrypto/man/man3/X509_CRL_get0_by_serial.3
index abf970def111..bf067702e92f 100644
--- a/secure/lib/libcrypto/man/man3/X509_CRL_get0_by_serial.3
+++ b/secure/lib/libcrypto/man/man3/X509_CRL_get0_by_serial.3
@@ -1,242 +1,242 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_CRL_GET0_BY_SERIAL 3"
-.TH X509_CRL_GET0_BY_SERIAL 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_CRL_GET0_BY_SERIAL 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_CRL_get0_by_serial, X509_CRL_get0_by_cert, X509_CRL_get_REVOKED, X509_REVOKED_get0_serialNumber, X509_REVOKED_get0_revocationDate, X509_REVOKED_set_serialNumber, X509_REVOKED_set_revocationDate, X509_CRL_add0_revoked, X509_CRL_sort \- CRL revoked entry utility functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& int X509_CRL_get0_by_serial(X509_CRL *crl,
\& X509_REVOKED **ret, ASN1_INTEGER *serial);
\& int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x);
\&
\& STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl);
\&
\& const ASN1_INTEGER *X509_REVOKED_get0_serialNumber(const X509_REVOKED *r);
\& const ASN1_TIME *X509_REVOKED_get0_revocationDate(const X509_REVOKED *r);
\&
\& int X509_REVOKED_set_serialNumber(X509_REVOKED *r, ASN1_INTEGER *serial);
\& int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm);
\&
\& int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
\&
\& int X509_CRL_sort(X509_CRL *crl);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBX509_CRL_get0_by_serial()\fR attempts to find a revoked entry in \fBcrl\fR for
serial number \fBserial\fR. If it is successful it sets \fB*ret\fR to the internal
pointer of the matching entry, as a result \fB*ret\fR must not be freed up
after the call.
.PP
\&\fBX509_CRL_get0_by_cert()\fR is similar to \fBX509_get0_by_serial()\fR except it
looks for a revoked entry using the serial number of certificate \fBx\fR.
.PP
\&\fBX509_CRL_get_REVOKED()\fR returns an internal pointer to a stack of all
revoked entries for \fBcrl\fR.
.PP
\&\fBX509_REVOKED_get0_serialNumber()\fR returns an internal pointer to the
serial number of \fBr\fR.
.PP
\&\fBX509_REVOKED_get0_revocationDate()\fR returns an internal pointer to the
revocation date of \fBr\fR.
.PP
\&\fBX509_REVOKED_set_serialNumber()\fR sets the serial number of \fBr\fR to \fBserial\fR.
The supplied \fBserial\fR pointer is not used internally so it should be
freed up after use.
.PP
\&\fBX509_REVOKED_set_revocationDate()\fR sets the revocation date of \fBr\fR to
\&\fBtm\fR. The supplied \fBtm\fR pointer is not used internally so it should be
freed up after use.
.PP
\&\fBX509_CRL_add0_revoked()\fR appends revoked entry \fBrev\fR to \s-1CRL\s0 \fBcrl\fR. The
pointer \fBrev\fR is used internally so it must not be freed up after the call:
it is freed when the parent \s-1CRL\s0 is freed.
.PP
\&\fBX509_CRL_sort()\fR sorts the revoked entries of \fBcrl\fR into ascending serial
number order.
.SH "NOTES"
.IX Header "NOTES"
Applications can determine the number of revoked entries returned by
\&\fBX509_CRL_get_revoked()\fR using \fBsk_X509_REVOKED_num()\fR and examine each one
in turn using \fBsk_X509_REVOKED_value()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_CRL_get0_by_serial()\fR and \fBX509_CRL_get0_by_cert()\fR return 0 for failure,
1 on success except if the revoked entry has the reason \f(CW\*(C`removeFromCRL\*(C'\fR (8),
in which case 2 is returned.
.PP
\&\fBX509_REVOKED_set_serialNumber()\fR, \fBX509_REVOKED_set_revocationDate()\fR,
\&\fBX509_CRL_add0_revoked()\fR and \fBX509_CRL_sort()\fR return 1 for success and 0 for
failure.
.PP
\&\fBX509_REVOKED_get0_serialNumber()\fR returns an \fB\s-1ASN1_INTEGER\s0\fR pointer.
.PP
\&\fBX509_REVOKED_get0_revocationDate()\fR returns an \fB\s-1ASN1_TIME\s0\fR value.
.PP
\&\fBX509_CRL_get_REVOKED()\fR returns a \s-1STACK\s0 of revoked entries.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_X509\fR\|(3),
\&\fBERR_get_error\fR\|(3),
\&\fBX509_get0_signature\fR\|(3),
\&\fBX509_get_ext_d2i\fR\|(3),
\&\fBX509_get_extension_flags\fR\|(3),
\&\fBX509_get_pubkey\fR\|(3),
\&\fBX509_get_subject_name\fR\|(3),
\&\fBX509_get_version\fR\|(3),
\&\fBX509_NAME_add_entry_by_txt\fR\|(3),
\&\fBX509_NAME_ENTRY_get_object\fR\|(3),
\&\fBX509_NAME_get_index_by_NID\fR\|(3),
\&\fBX509_NAME_print_ex\fR\|(3),
\&\fBX509_new\fR\|(3),
\&\fBX509_sign\fR\|(3),
\&\fBX509V3_get_d2i\fR\|(3),
\&\fBX509_verify_cert\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_EXTENSION_set_object.3 b/secure/lib/libcrypto/man/man3/X509_EXTENSION_set_object.3
index 528cb749bab1..b6a2608c5e5e 100644
--- a/secure/lib/libcrypto/man/man3/X509_EXTENSION_set_object.3
+++ b/secure/lib/libcrypto/man/man3/X509_EXTENSION_set_object.3
@@ -1,223 +1,223 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_EXTENSION_SET_OBJECT 3"
-.TH X509_EXTENSION_SET_OBJECT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_EXTENSION_SET_OBJECT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_EXTENSION_set_object, X509_EXTENSION_set_critical, X509_EXTENSION_set_data, X509_EXTENSION_create_by_NID, X509_EXTENSION_create_by_OBJ, X509_EXTENSION_get_object, X509_EXTENSION_get_critical, X509_EXTENSION_get_data \- extension utility functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 3
\& int X509_EXTENSION_set_object(X509_EXTENSION *ex, const ASN1_OBJECT *obj);
\& int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit);
\& int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data);
\&
\& X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex,
\& int nid, int crit,
\& ASN1_OCTET_STRING *data);
\& X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex,
\& const ASN1_OBJECT *obj, int crit,
\& ASN1_OCTET_STRING *data);
\&
\& ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex);
\& int X509_EXTENSION_get_critical(const X509_EXTENSION *ex);
\& ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ne);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBX509_EXTENSION_set_object()\fR sets the extension type of \fBex\fR to \fBobj\fR. The
\&\fBobj\fR pointer is duplicated internally so \fBobj\fR should be freed up after use.
.PP
\&\fBX509_EXTENSION_set_critical()\fR sets the criticality of \fBex\fR to \fBcrit\fR. If
\&\fBcrit\fR is zero the extension in non-critical otherwise it is critical.
.PP
\&\fBX509_EXTENSION_set_data()\fR sets the data in extension \fBex\fR to \fBdata\fR. The
\&\fBdata\fR pointer is duplicated internally.
.PP
\&\fBX509_EXTENSION_create_by_NID()\fR creates an extension of type \fBnid\fR,
criticality \fBcrit\fR using data \fBdata\fR. The created extension is returned and
written to \fB*ex\fR reusing or allocating a new extension if necessary so \fB*ex\fR
should either be \fB\s-1NULL\s0\fR or a valid \fBX509_EXTENSION\fR structure it must
\&\fBnot\fR be an uninitialised pointer.
.PP
\&\fBX509_EXTENSION_create_by_OBJ()\fR is identical to \fBX509_EXTENSION_create_by_NID()\fR
except it creates and extension using \fBobj\fR instead of a \s-1NID.\s0
.PP
\&\fBX509_EXTENSION_get_object()\fR returns the extension type of \fBex\fR as an
\&\fB\s-1ASN1_OBJECT\s0\fR pointer. The returned pointer is an internal value which must
not be freed up.
.PP
\&\fBX509_EXTENSION_get_critical()\fR returns the criticality of extension \fBex\fR it
returns \fB1\fR for critical and \fB0\fR for non-critical.
.PP
\&\fBX509_EXTENSION_get_data()\fR returns the data of extension \fBex\fR. The returned
pointer is an internal value which must not be freed up.
.SH "NOTES"
.IX Header "NOTES"
These functions manipulate the contents of an extension directly. Most
applications will want to parse or encode and add an extension: they should
use the extension encode and decode functions instead such as
\&\fBX509_add1_ext_i2d()\fR and \fBX509_get_ext_d2i()\fR.
.PP
The \fBdata\fR associated with an extension is the extension encoding in an
\&\fB\s-1ASN1_OCTET_STRING\s0\fR structure.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_EXTENSION_set_object()\fR \fBX509_EXTENSION_set_critical()\fR and
\&\fBX509_EXTENSION_set_data()\fR return \fB1\fR for success and \fB0\fR for failure.
.PP
\&\fBX509_EXTENSION_create_by_NID()\fR and \fBX509_EXTENSION_create_by_OBJ()\fR return
an \fBX509_EXTENSION\fR pointer or \fB\s-1NULL\s0\fR if an error occurs.
.PP
\&\fBX509_EXTENSION_get_object()\fR returns an \fB\s-1ASN1_OBJECT\s0\fR pointer.
.PP
\&\fBX509_EXTENSION_get_critical()\fR returns \fB0\fR for non-critical and \fB1\fR for
critical.
.PP
\&\fBX509_EXTENSION_get_data()\fR returns an \fB\s-1ASN1_OCTET_STRING\s0\fR pointer.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509V3_get_d2i\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_LOOKUP.3 b/secure/lib/libcrypto/man/man3/X509_LOOKUP.3
index b88074b809d8..7e1de4ea7d31 100644
--- a/secure/lib/libcrypto/man/man3/X509_LOOKUP.3
+++ b/secure/lib/libcrypto/man/man3/X509_LOOKUP.3
@@ -1,310 +1,310 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_LOOKUP 3"
-.TH X509_LOOKUP 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_LOOKUP 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_LOOKUP, X509_LOOKUP_TYPE, X509_LOOKUP_new, X509_LOOKUP_free, X509_LOOKUP_init, X509_LOOKUP_shutdown, X509_LOOKUP_set_method_data, X509_LOOKUP_get_method_data, X509_LOOKUP_ctrl, X509_LOOKUP_load_file, X509_LOOKUP_add_dir, X509_LOOKUP_get_store, X509_LOOKUP_by_subject, X509_LOOKUP_by_issuer_serial, X509_LOOKUP_by_fingerprint, X509_LOOKUP_by_alias \&\- OpenSSL certificate lookup mechanisms
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509_vfy.h>
\&
\& typedef x509_lookup_st X509_LOOKUP;
\&
\& typedef enum X509_LOOKUP_TYPE;
\&
\& X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method);
\& int X509_LOOKUP_init(X509_LOOKUP *ctx);
\& int X509_LOOKUP_shutdown(X509_LOOKUP *ctx);
\& void X509_LOOKUP_free(X509_LOOKUP *ctx);
\&
\& int X509_LOOKUP_set_method_data(X509_LOOKUP *ctx, void *data);
\& void *X509_LOOKUP_get_method_data(const X509_LOOKUP *ctx);
\&
\& int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
\& long argl, char **ret);
\& int X509_LOOKUP_load_file(X509_LOOKUP *ctx, char *name, long type);
\& int X509_LOOKUP_add_dir(X509_LOOKUP *ctx, char *name, long type);
\&
\& X509_STORE *X509_LOOKUP_get_store(const X509_LOOKUP *ctx);
\&
\& int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
\& X509_NAME *name, X509_OBJECT *ret);
\& int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
\& X509_NAME *name, ASN1_INTEGER *serial,
\& X509_OBJECT *ret);
\& int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
\& const unsigned char *bytes, int len,
\& X509_OBJECT *ret);
\& int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
\& const char *str, int len, X509_OBJECT *ret);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBX509_LOOKUP\fR structure holds the information needed to look up
certificates and CRLs according to an associated \fBX509_LOOKUP_METHOD\fR\|(3).
Multiple \fBX509_LOOKUP\fR instances can be added to an \fBX509_STORE\fR\|(3)
to enable lookup in that store.
.PP
\&\fBX509_LOOKUP_new()\fR creates a new \fBX509_LOOKUP\fR using the given lookup
\&\fImethod\fR.
It can also be created by calling \fBX509_STORE_add_lookup\fR\|(3), which
will associate an \fBX509_STORE\fR with the lookup mechanism.
.PP
\&\fBX509_LOOKUP_init()\fR initializes the internal state and resources as
needed by the given \fBX509_LOOKUP\fR to do its work.
.PP
\&\fBX509_LOOKUP_shutdown()\fR tears down the internal state and resources of
the given \fBX509_LOOKUP\fR.
.PP
\&\fBX509_LOOKUP_free()\fR destructs the given \fBX509_LOOKUP\fR.
.PP
\&\fBX509_LOOKUP_set_method_data()\fR associates a pointer to application data
to the given \fBX509_LOOKUP\fR.
.PP
\&\fBX509_LOOKUP_get_method_data()\fR retrieves a pointer to application data
from the given \fBX509_LOOKUP\fR.
.PP
\&\fBX509_LOOKUP_ctrl()\fR is used to set or get additional data to or from an
\&\fBX509_LOOKUP\fR structure or its associated \fBX509_LOOKUP_METHOD\fR\|(3).
The arguments of the control command are passed via \fIargc\fR and \fIargl\fR,
its return value via \fI*ret\fR.
The meaning of the arguments depends on the \fIcmd\fR number of the
control command. In general, this function is not called directly, but
wrapped by a macro call, see below.
The control \fIcmd\fRs known to OpenSSL are discussed in more depth
in \*(L"Control Commands\*(R".
.PP
\&\fBX509_LOOKUP_load_file()\fR passes a filename to be loaded immediately
into the associated \fBX509_STORE\fR.
\&\fItype\fR indicates what type of object is expected.
This can only be used with a lookup using the implementation
\&\fBX509_LOOKUP_file\fR\|(3).
.PP
\&\fBX509_LOOKUP_add_dir()\fR passes a directory specification from which
certificates and CRLs are loaded on demand into the associated
\&\fBX509_STORE\fR.
\&\fItype\fR indicates what type of object is expected.
This can only be used with a lookup using the implementation
\&\fBX509_LOOKUP_hash_dir\fR\|(3).
.PP
\&\fBX509_LOOKUP_load_file()\fR, \fBX509_LOOKUP_add_dir()\fR,
\&\fBX509_LOOKUP_add_store()\fR, and \fBX509_LOOKUP_load_store()\fR are implemented
as macros that use \fBX509_LOOKUP_ctrl()\fR.
.PP
\&\fBX509_LOOKUP_by_subject()\fR, \fBX509_LOOKUP_by_issuer_serial()\fR,
\&\fBX509_LOOKUP_by_fingerprint()\fR, and \fBX509_LOOKUP_by_alias()\fR look up
certificates and CRLs in the \fBX509_STORE\fR\|(3) associated with the
\&\fBX509_LOOKUP\fR using different criteria, where the looked up object is
stored in \fIret\fR.
Some of the underlying \fBX509_LOOKUP_METHOD\fRs will also cache objects
matching the criteria in the associated \fBX509_STORE\fR, which makes it
possible to handle cases where the criteria have more than one hit.
.SS "File Types"
.IX Subsection "File Types"
\&\fBX509_LOOKUP_load_file()\fR and \fBX509_LOOKUP_add_dir()\fR take a \fItype\fR,
which can be one of the following:
.IP "\fBX509_FILETYPE_PEM\fR" 4
.IX Item "X509_FILETYPE_PEM"
The file or files that are loaded are expected to be in \s-1PEM\s0 format.
.IP "\fBX509_FILETYPE_ASN1\fR" 4
.IX Item "X509_FILETYPE_ASN1"
The file or files that are loaded are expected to be in raw \s-1DER\s0 format.
.IP "\fBX509_FILETYPE_DEFAULT\fR" 4
.IX Item "X509_FILETYPE_DEFAULT"
The default certificate file or directory is used. In this case,
\&\fIname\fR is ignored.
.SS "Control Commands"
.IX Subsection "Control Commands"
The \fBX509_LOOKUP_METHOD\fRs built into OpenSSL recognise the following
\&\fBX509_LOOKUP_ctrl()\fR \fIcmd\fRs:
.IP "\fBX509_L_FILE_LOAD\fR" 4
.IX Item "X509_L_FILE_LOAD"
This is the command that \fBX509_LOOKUP_load_file()\fR uses.
The filename is passed in \fIargc\fR, and the type in \fIargl\fR.
.IP "\fBX509_L_ADD_DIR\fR" 4
.IX Item "X509_L_ADD_DIR"
This is the command that \fBX509_LOOKUP_add_dir()\fR uses.
The directory specification is passed in \fIargc\fR, and the type in
\&\fIargl\fR.
.IP "\fBX509_L_ADD_STORE\fR" 4
.IX Item "X509_L_ADD_STORE"
This is the command that \fBX509_LOOKUP_add_store()\fR uses.
The \s-1URI\s0 is passed in \fIargc\fR.
.IP "\fBX509_L_LOAD_STORE\fR" 4
.IX Item "X509_L_LOAD_STORE"
This is the command that \fBX509_LOOKUP_load_store()\fR uses.
The \s-1URI\s0 is passed in \fIargc\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_LOOKUP_new()\fR returns an \fBX509_LOOKUP\fR pointer when successful,
or \s-1NULL\s0 on error.
.PP
\&\fBX509_LOOKUP_init()\fR and \fBX509_LOOKUP_shutdown()\fR return 1 on success, or
0 on error.
.PP
\&\fBX509_LOOKUP_ctrl()\fR returns \-1 if the \fBX509_LOOKUP\fR doesn't have an
associated \fBX509_LOOKUP_METHOD\fR, or 1 if the
doesn't have a control function.
Otherwise, it returns what the control function in the
\&\fBX509_LOOKUP_METHOD\fR returns, which is usually 1 on success and 0 in
error.
.IX Xref "509_LOOKUP_METHOD"
.PP
\&\fBX509_LOOKUP_get_store()\fR returns an \fBX509_STORE\fR pointer if there is
one, otherwise \s-1NULL.\s0
.PP
\&\fBX509_LOOKUP_by_subject()\fR, \fBX509_LOOKUP_by_issuer_serial()\fR,
\&\fBX509_LOOKUP_by_fingerprint()\fR, and \fBX509_LOOKUP_by_alias()\fR all return 0
if there is no \fBX509_LOOKUP_METHOD\fR or that method doesn't implement
the corresponding function.
Otherwise, it returns what the corresponding function in the
\&\fBX509_LOOKUP_METHOD\fR returns, which is usually 1 on success and 0 in
error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_LOOKUP_METHOD\fR\|(3), \fBX509_STORE\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_LOOKUP_hash_dir.3 b/secure/lib/libcrypto/man/man3/X509_LOOKUP_hash_dir.3
index caea0d28f92f..376d9aa1de47 100644
--- a/secure/lib/libcrypto/man/man3/X509_LOOKUP_hash_dir.3
+++ b/secure/lib/libcrypto/man/man3/X509_LOOKUP_hash_dir.3
@@ -1,264 +1,264 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_LOOKUP_HASH_DIR 3"
-.TH X509_LOOKUP_HASH_DIR 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_LOOKUP_HASH_DIR 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_LOOKUP_hash_dir, X509_LOOKUP_file, X509_load_cert_file, X509_load_crl_file, X509_load_cert_crl_file \- Default OpenSSL certificate lookup methods
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509_vfy.h>
\&
\& X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void);
\& X509_LOOKUP_METHOD *X509_LOOKUP_file(void);
\&
\& int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type);
\& int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type);
\& int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBX509_LOOKUP_hash_dir\fR and \fBX509_LOOKUP_file\fR are two certificate
lookup methods to use with \fBX509_STORE\fR, provided by OpenSSL library.
.PP
Users of the library typically do not need to create instances of these
methods manually, they would be created automatically by
\&\fBX509_STORE_load_locations\fR\|(3) or
\&\fBSSL_CTX_load_verify_locations\fR\|(3)
functions.
.PP
Internally loading of certificates and CRLs is implemented via functions
\&\fBX509_load_cert_crl_file\fR, \fBX509_load_cert_file\fR and
\&\fBX509_load_crl_file\fR. These functions support parameter \fItype\fR, which
can be one of constants \fB\s-1FILETYPE_PEM\s0\fR, \fB\s-1FILETYPE_ASN1\s0\fR and
\&\fB\s-1FILETYPE_DEFAULT\s0\fR. They load certificates and/or CRLs from specified
file into memory cache of \fBX509_STORE\fR objects which given \fBctx\fR
parameter is associated with.
.PP
Functions \fBX509_load_cert_file\fR and
\&\fBX509_load_crl_file\fR can load both \s-1PEM\s0 and \s-1DER\s0 formats depending of
type value. Because \s-1DER\s0 format cannot contain more than one certificate
or \s-1CRL\s0 object (while \s-1PEM\s0 can contain several concatenated \s-1PEM\s0 objects)
\&\fBX509_load_cert_crl_file\fR with \fB\s-1FILETYPE_ASN1\s0\fR is equivalent to
\&\fBX509_load_cert_file\fR.
.PP
Constant \fB\s-1FILETYPE_DEFAULT\s0\fR with \s-1NULL\s0 filename causes these functions
to load default certificate store file (see
\&\fBX509_STORE_set_default_paths\fR\|(3).
.PP
Functions return number of objects loaded from file or 0 in case of
error.
.PP
Both methods support adding several certificate locations into one
\&\fBX509_STORE\fR.
.PP
This page documents certificate store formats used by these methods and
caching policy.
.SS "File Method"
.IX Subsection "File Method"
The \fBX509_LOOKUP_file\fR method loads all the certificates or CRLs
present in a file into memory at the time the file is added as a
lookup source.
.PP
File format is \s-1ASCII\s0 text which contains concatenated \s-1PEM\s0 certificates
and CRLs.
.PP
This method should be used by applications which work with a small
set of CAs.
.SS "Hashed Directory Method"
.IX Subsection "Hashed Directory Method"
\&\fBX509_LOOKUP_hash_dir\fR is a more advanced method, which loads
certificates and CRLs on demand, and caches them in memory once
they are loaded. As of OpenSSL 1.0.0, it also checks for newer CRLs
upon each lookup, so that newer CRLs are as soon as they appear in
the directory.
.PP
The directory should contain one certificate or \s-1CRL\s0 per file in \s-1PEM\s0 format,
with a filename of the form \fIhash\fR.\fIN\fR for a certificate, or
\&\fIhash\fR.\fBr\fR\fIN\fR for a \s-1CRL.\s0
The \fIhash\fR is the value returned by the \fBX509_NAME_hash\fR\|(3) function applied
to the subject name for certificates or issuer name for CRLs.
The hash can also be obtained via the \fB\-hash\fR option of the \fBx509\fR\|(1) or
\&\fBcrl\fR\|(1) commands.
.PP
The .\fIN\fR or .\fBr\fR\fIN\fR suffix is a sequence number that starts at zero, and is
incremented consecutively for each certificate or \s-1CRL\s0 with the same \fIhash\fR
value.
Gaps in the sequence numbers are not supported, it is assumed that there are no
more objects with the same hash beyond the first missing number in the
sequence.
.PP
Sequence numbers make it possible for the directory to contain multiple
certificates with same subject name hash value.
For example, it is possible to have in the store several certificates with same
subject or several CRLs with same issuer (and, for example, different validity
period).
.PP
When checking for new CRLs once one \s-1CRL\s0 for given hash value is
loaded, hash_dir lookup method checks only for certificates with
sequence number greater than that of the already cached \s-1CRL.\s0
.PP
Note that the hash algorithm used for subject name hashing changed in OpenSSL
1.0.0, and all certificate stores have to be rehashed when moving from OpenSSL
0.9.8 to 1.0.0.
.PP
OpenSSL includes a \fBrehash\fR\|(1) utility which creates symlinks with correct
hashed names for all files with .pem suffix in a given directory.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_LOOKUP_hash_dir()\fR and \fBX509_LOOKUP_file()\fR always return a valid
\&\fBX509_LOOKUP_METHOD\fR structure.
.PP
\&\fBX509_load_cert_file()\fR, \fBX509_load_crl_file()\fR and \fBX509_load_cert_crl_file()\fR return
the number of loaded objects or 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPEM_read_PrivateKey\fR\|(3),
\&\fBX509_STORE_load_locations\fR\|(3),
\&\fBX509_store_add_lookup\fR\|(3),
\&\fBSSL_CTX_load_verify_locations\fR\|(3),
\&\fBX509_LOOKUP_meth_new\fR\|(3),
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_LOOKUP_meth_new.3 b/secure/lib/libcrypto/man/man3/X509_LOOKUP_meth_new.3
index 2058f679fae9..49cba5a8f96e 100644
--- a/secure/lib/libcrypto/man/man3/X509_LOOKUP_meth_new.3
+++ b/secure/lib/libcrypto/man/man3/X509_LOOKUP_meth_new.3
@@ -1,310 +1,310 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_LOOKUP_METH_NEW 3"
-.TH X509_LOOKUP_METH_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_LOOKUP_METH_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_LOOKUP_METHOD, X509_LOOKUP_meth_new, X509_LOOKUP_meth_free, X509_LOOKUP_meth_set_new_item, X509_LOOKUP_meth_get_new_item, X509_LOOKUP_meth_set_free, X509_LOOKUP_meth_get_free, X509_LOOKUP_meth_set_init, X509_LOOKUP_meth_get_init, X509_LOOKUP_meth_set_shutdown, X509_LOOKUP_meth_get_shutdown, X509_LOOKUP_ctrl_fn, X509_LOOKUP_meth_set_ctrl, X509_LOOKUP_meth_get_ctrl, X509_LOOKUP_get_by_subject_fn, X509_LOOKUP_meth_set_get_by_subject, X509_LOOKUP_meth_get_get_by_subject, X509_LOOKUP_get_by_issuer_serial_fn, X509_LOOKUP_meth_set_get_by_issuer_serial, X509_LOOKUP_meth_get_get_by_issuer_serial, X509_LOOKUP_get_by_fingerprint_fn, X509_LOOKUP_meth_set_get_by_fingerprint, X509_LOOKUP_meth_get_get_by_fingerprint, X509_LOOKUP_get_by_alias_fn, X509_LOOKUP_meth_set_get_by_alias, X509_LOOKUP_meth_get_get_by_alias, X509_OBJECT_set1_X509, X509_OBJECT_set1_X509_CRL \&\- Routines to build up X509_LOOKUP methods
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509_vfy.h>
\&
\& typedef x509_lookup_method_st X509_LOOKUP_METHOD;
\&
\& X509_LOOKUP_METHOD *X509_LOOKUP_meth_new(const char *name);
\& void X509_LOOKUP_meth_free(X509_LOOKUP_METHOD *method);
\&
\& int X509_LOOKUP_meth_set_new_item(X509_LOOKUP_METHOD *method,
\& int (*new_item) (X509_LOOKUP *ctx));
\& int (*X509_LOOKUP_meth_get_new_item(const X509_LOOKUP_METHOD* method))
\& (X509_LOOKUP *ctx);
\&
\& int X509_LOOKUP_meth_set_free(X509_LOOKUP_METHOD *method,
\& void (*free) (X509_LOOKUP *ctx));
\& void (*X509_LOOKUP_meth_get_free(const X509_LOOKUP_METHOD* method))
\& (X509_LOOKUP *ctx);
\&
\& int X509_LOOKUP_meth_set_init(X509_LOOKUP_METHOD *method,
\& int (*init) (X509_LOOKUP *ctx));
\& int (*X509_LOOKUP_meth_get_init(const X509_LOOKUP_METHOD* method))
\& (X509_LOOKUP *ctx);
\&
\& int X509_LOOKUP_meth_set_shutdown(X509_LOOKUP_METHOD *method,
\& int (*shutdown) (X509_LOOKUP *ctx));
\& int (*X509_LOOKUP_meth_get_shutdown(const X509_LOOKUP_METHOD* method))
\& (X509_LOOKUP *ctx);
\&
\& typedef int (*X509_LOOKUP_ctrl_fn)(X509_LOOKUP *ctx, int cmd, const char *argc,
\& long argl, char **ret);
\& int X509_LOOKUP_meth_set_ctrl(X509_LOOKUP_METHOD *method,
\& X509_LOOKUP_ctrl_fn ctrl_fn);
\& X509_LOOKUP_ctrl_fn X509_LOOKUP_meth_get_ctrl(const X509_LOOKUP_METHOD *method);
\&
\& typedef int (*X509_LOOKUP_get_by_subject_fn)(X509_LOOKUP *ctx,
\& X509_LOOKUP_TYPE type,
\& X509_NAME *name,
\& X509_OBJECT *ret);
\& int X509_LOOKUP_meth_set_get_by_subject(X509_LOOKUP_METHOD *method,
\& X509_LOOKUP_get_by_subject_fn fn);
\& X509_LOOKUP_get_by_subject_fn X509_LOOKUP_meth_get_get_by_subject(
\& const X509_LOOKUP_METHOD *method);
\&
\& typedef int (*X509_LOOKUP_get_by_issuer_serial_fn)(X509_LOOKUP *ctx,
\& X509_LOOKUP_TYPE type,
\& X509_NAME *name,
\& ASN1_INTEGER *serial,
\& X509_OBJECT *ret);
\& int X509_LOOKUP_meth_set_get_by_issuer_serial(
\& X509_LOOKUP_METHOD *method, X509_LOOKUP_get_by_issuer_serial_fn fn);
\& X509_LOOKUP_get_by_issuer_serial_fn X509_LOOKUP_meth_get_get_by_issuer_serial(
\& const X509_LOOKUP_METHOD *method);
\&
\& typedef int (*X509_LOOKUP_get_by_fingerprint_fn)(X509_LOOKUP *ctx,
\& X509_LOOKUP_TYPE type,
\& const unsigned char* bytes,
\& int len,
\& X509_OBJECT *ret);
\& int X509_LOOKUP_meth_set_get_by_fingerprint(X509_LOOKUP_METHOD *method,
\& X509_LOOKUP_get_by_fingerprint_fn fn);
\& X509_LOOKUP_get_by_fingerprint_fn X509_LOOKUP_meth_get_get_by_fingerprint(
\& const X509_LOOKUP_METHOD *method);
\&
\& typedef int (*X509_LOOKUP_get_by_alias_fn)(X509_LOOKUP *ctx,
\& X509_LOOKUP_TYPE type,
\& const char *str,
\& int len,
\& X509_OBJECT *ret);
\& int X509_LOOKUP_meth_set_get_by_alias(X509_LOOKUP_METHOD *method,
\& X509_LOOKUP_get_by_alias_fn fn);
\& X509_LOOKUP_get_by_alias_fn X509_LOOKUP_meth_get_get_by_alias(
\& const X509_LOOKUP_METHOD *method);
\&
\& int X509_OBJECT_set1_X509(X509_OBJECT *a, X509 *obj);
\& int X509_OBJECT_set1_X509_CRL(X509_OBJECT *a, X509_CRL *obj);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBX509_LOOKUP_METHOD\fR type is a structure used for the implementation of new
X509_LOOKUP types. It provides a set of functions used by OpenSSL for the
implementation of various X509 and X509_CRL lookup capabilities. One instance
of an X509_LOOKUP_METHOD can be associated to many instantiations of an
\&\fBX509_LOOKUP\fR structure.
.PP
\&\fBX509_LOOKUP_meth_new()\fR creates a new \fBX509_LOOKUP_METHOD\fR structure. It should
be given a human-readable string containing a brief description of the lookup
method.
.PP
\&\fBX509_LOOKUP_meth_free()\fR destroys a \fBX509_LOOKUP_METHOD\fR structure.
.PP
\&\fBX509_LOOKUP_get_new_item()\fR and \fBX509_LOOKUP_set_new_item()\fR get and set the
function that is called when an \fBX509_LOOKUP\fR object is created with
\&\fBX509_LOOKUP_new()\fR. If an X509_LOOKUP_METHOD requires any per\-X509_LOOKUP
specific data, the supplied new_item function should allocate this data and
invoke \fBX509_LOOKUP_set_method_data\fR\|(3).
.PP
\&\fBX509_LOOKUP_get_free()\fR and \fBX509_LOOKUP_set_free()\fR get and set the function
that is used to free any method data that was allocated and set from within
new_item function.
.PP
\&\fBX509_LOOKUP_meth_get_init()\fR and \fBX509_LOOKUP_meth_set_init()\fR get and set the
function that is used to initialize the method data that was set with
\&\fBX509_LOOKUP_set_method_data\fR\|(3) as part of the new_item routine.
.PP
\&\fBX509_LOOKUP_meth_get_shutdown()\fR and \fBX509_LOOKUP_meth_set_shutdown()\fR get and set
the function that is used to shut down the method data whose state was
previously initialized in the init function.
.PP
\&\fBX509_LOOKUP_meth_get_ctrl()\fR and \fBX509_LOOKUP_meth_set_ctrl()\fR get and set a
function to be used to handle arbitrary control commands issued by
\&\fBX509_LOOKUP_ctrl()\fR. The control function is given the X509_LOOKUP
\&\fBctx\fR, along with the arguments passed by X509_LOOKUP_ctrl. \fBcmd\fR is
an arbitrary integer that defines some operation. \fBargc\fR is a pointer
to an array of characters. \fBargl\fR is an integer. \fBret\fR, if set,
points to a location where any return data should be written to. How
\&\fBargc\fR and \fBargl\fR are used depends entirely on the control function.
.PP
\&\fBX509_LOOKUP_set_get_by_subject()\fR, \fBX509_LOOKUP_set_get_by_issuer_serial()\fR,
\&\fBX509_LOOKUP_set_get_by_fingerprint()\fR, \fBX509_LOOKUP_set_get_by_alias()\fR set
the functions used to retrieve an X509 or X509_CRL object by the object's
subject, issuer, fingerprint, and alias respectively. These functions are given
the X509_LOOKUP context, the type of the X509_OBJECT being requested, parameters
related to the lookup, and an X509_OBJECT that will receive the requested
object.
.PP
Implementations must add objects they find to the \fBX509_STORE\fR object
using \fBX509_STORE_add_cert()\fR or \fBX509_STORE_add_crl()\fR. This increments
its reference count. However, the \fBX509_STORE_CTX_get_by_subject()\fR
function also increases the reference count which leads to one too
many references being held. Therefore, applications should
additionally call \fBX509_free()\fR or \fBX509_CRL_free()\fR to decrement the
reference count again.
.PP
Implementations should also use either \fBX509_OBJECT_set1_X509()\fR or
\&\fBX509_OBJECT_set1_X509_CRL()\fR to set the result. Note that this also
increments the result's reference count.
.PP
Any method data that was created as a result of the new_item function
set by \fBX509_LOOKUP_meth_set_new_item()\fR can be accessed with
\&\fBX509_LOOKUP_get_method_data\fR\|(3). The \fBX509_STORE\fR object that owns the
X509_LOOKUP may be accessed with \fBX509_LOOKUP_get_store\fR\|(3). Successful
lookups should return 1, and unsuccessful lookups should return 0.
.PP
\&\fBX509_LOOKUP_get_get_by_subject()\fR, \fBX509_LOOKUP_get_get_by_issuer_serial()\fR,
\&\fBX509_LOOKUP_get_get_by_fingerprint()\fR, \fBX509_LOOKUP_get_get_by_alias()\fR retrieve
the function set by the corresponding setter.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The \fBX509_LOOKUP_meth_set\fR functions return 1 on success or 0 on error.
.PP
The \fBX509_LOOKUP_meth_get\fR functions return the corresponding function
pointers.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_STORE_new\fR\|(3), \fBSSL_CTX_set_cert_store\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The functions described here were added in OpenSSL 1.1.0i.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2018\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_NAME_ENTRY_get_object.3 b/secure/lib/libcrypto/man/man3/X509_NAME_ENTRY_get_object.3
index 2c9a3f9218a3..1aa777b6260f 100644
--- a/secure/lib/libcrypto/man/man3/X509_NAME_ENTRY_get_object.3
+++ b/secure/lib/libcrypto/man/man3/X509_NAME_ENTRY_get_object.3
@@ -1,224 +1,224 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_NAME_ENTRY_GET_OBJECT 3"
-.TH X509_NAME_ENTRY_GET_OBJECT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_NAME_ENTRY_GET_OBJECT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_NAME_ENTRY_get_object, X509_NAME_ENTRY_get_data, X509_NAME_ENTRY_set_object, X509_NAME_ENTRY_set_data, X509_NAME_ENTRY_create_by_txt, X509_NAME_ENTRY_create_by_NID, X509_NAME_ENTRY_create_by_OBJ \- X509_NAME_ENTRY utility functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& ASN1_OBJECT *X509_NAME_ENTRY_get_object(const X509_NAME_ENTRY *ne);
\& ASN1_STRING *X509_NAME_ENTRY_get_data(const X509_NAME_ENTRY *ne);
\&
\& int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, const ASN1_OBJECT *obj);
\& int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
\& const unsigned char *bytes, int len);
\&
\& X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, const char *field,
\& int type, const unsigned char *bytes,
\& int len);
\& X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
\& int type, const unsigned char *bytes,
\& int len);
\& X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
\& const ASN1_OBJECT *obj, int type,
\& const unsigned char *bytes, int len);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBX509_NAME_ENTRY_get_object()\fR retrieves the field name of \fBne\fR in
and \fB\s-1ASN1_OBJECT\s0\fR structure.
.PP
\&\fBX509_NAME_ENTRY_get_data()\fR retrieves the field value of \fBne\fR in
and \fB\s-1ASN1_STRING\s0\fR structure.
.PP
\&\fBX509_NAME_ENTRY_set_object()\fR sets the field name of \fBne\fR to \fBobj\fR.
.PP
\&\fBX509_NAME_ENTRY_set_data()\fR sets the field value of \fBne\fR to string type
\&\fBtype\fR and value determined by \fBbytes\fR and \fBlen\fR.
.PP
\&\fBX509_NAME_ENTRY_create_by_txt()\fR, \fBX509_NAME_ENTRY_create_by_NID()\fR
and \fBX509_NAME_ENTRY_create_by_OBJ()\fR create and return an
\&\fBX509_NAME_ENTRY\fR structure.
.SH "NOTES"
.IX Header "NOTES"
\&\fBX509_NAME_ENTRY_get_object()\fR and \fBX509_NAME_ENTRY_get_data()\fR can be
used to examine an \fBX509_NAME_ENTRY\fR function as returned by
\&\fBX509_NAME_get_entry()\fR for example.
.PP
\&\fBX509_NAME_ENTRY_create_by_txt()\fR, \fBX509_NAME_ENTRY_create_by_OBJ()\fR,
\&\fBX509_NAME_ENTRY_create_by_NID()\fR and \fBX509_NAME_ENTRY_set_data()\fR
are seldom used in practice because \fBX509_NAME_ENTRY\fR structures
are almost always part of \fBX509_NAME\fR structures and the
corresponding \fBX509_NAME\fR functions are typically used to
create and add new entries in a single operation.
.PP
The arguments of these functions support similar options to the similarly
named ones of the corresponding \fBX509_NAME\fR functions such as
\&\fBX509_NAME_add_entry_by_txt()\fR. So for example \fBtype\fR can be set to
\&\fB\s-1MBSTRING_ASC\s0\fR but in the case of \fBX509_set_data()\fR the field name must be
set first so the relevant field information can be looked up internally.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_NAME_ENTRY_get_object()\fR returns a valid \fB\s-1ASN1_OBJECT\s0\fR structure if it is
set or \s-1NULL\s0 if an error occurred.
.PP
\&\fBX509_NAME_ENTRY_get_data()\fR returns a valid \fB\s-1ASN1_STRING\s0\fR structure if it is set
or \s-1NULL\s0 if an error occurred.
.PP
\&\fBX509_NAME_ENTRY_set_object()\fR and \fBX509_NAME_ENTRY_set_data()\fR return 1 on success
or 0 on error.
.PP
\&\fBX509_NAME_ENTRY_create_by_txt()\fR, \fBX509_NAME_ENTRY_create_by_NID()\fR and
\&\fBX509_NAME_ENTRY_create_by_OBJ()\fR return a valid \fBX509_NAME_ENTRY\fR on success or
\&\s-1NULL\s0 if an error occurred.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBd2i_X509_NAME\fR\|(3),
\&\fBOBJ_nid2obj\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_NAME_add_entry_by_txt.3 b/secure/lib/libcrypto/man/man3/X509_NAME_add_entry_by_txt.3
index 1d759ac271dd..cd3105a1589d 100644
--- a/secure/lib/libcrypto/man/man3/X509_NAME_add_entry_by_txt.3
+++ b/secure/lib/libcrypto/man/man3/X509_NAME_add_entry_by_txt.3
@@ -1,257 +1,257 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_NAME_ADD_ENTRY_BY_TXT 3"
-.TH X509_NAME_ADD_ENTRY_BY_TXT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_NAME_ADD_ENTRY_BY_TXT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_NAME_add_entry_by_txt, X509_NAME_add_entry_by_OBJ, X509_NAME_add_entry_by_NID, X509_NAME_add_entry, X509_NAME_delete_entry \- X509_NAME modification functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
\& const unsigned char *bytes, int len, int loc, int set);
\&
\& int X509_NAME_add_entry_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, int type,
\& const unsigned char *bytes, int len, int loc, int set);
\&
\& int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
\& const unsigned char *bytes, int len, int loc, int set);
\&
\& int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *ne, int loc, int set);
\&
\& X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBX509_NAME_add_entry_by_txt()\fR, \fBX509_NAME_add_entry_by_OBJ()\fR and
\&\fBX509_NAME_add_entry_by_NID()\fR add a field whose name is defined
by a string \fBfield\fR, an object \fBobj\fR or a \s-1NID\s0 \fBnid\fR respectively.
The field value to be added is in \fBbytes\fR of length \fBlen\fR. If
\&\fBlen\fR is \-1 then the field length is calculated internally using
strlen(bytes).
.PP
The type of field is determined by \fBtype\fR which can either be a
definition of the type of \fBbytes\fR (such as \fB\s-1MBSTRING_ASC\s0\fR) or a
standard \s-1ASN1\s0 type (such as \fBV_ASN1_IA5STRING\fR). The new entry is
added to a position determined by \fBloc\fR and \fBset\fR.
.PP
\&\fBX509_NAME_add_entry()\fR adds a copy of \fBX509_NAME_ENTRY\fR structure \fBne\fR
to \fBname\fR. The new entry is added to a position determined by \fBloc\fR
and \fBset\fR. Since a copy of \fBne\fR is added \fBne\fR must be freed up after
the call.
.PP
\&\fBX509_NAME_delete_entry()\fR deletes an entry from \fBname\fR at position
\&\fBloc\fR. The deleted entry is returned and must be freed up.
.SH "NOTES"
.IX Header "NOTES"
The use of string types such as \fB\s-1MBSTRING_ASC\s0\fR or \fB\s-1MBSTRING_UTF8\s0\fR
is strongly recommended for the \fBtype\fR parameter. This allows the
internal code to correctly determine the type of the field and to
apply length checks according to the relevant standards. This is
done using \fBASN1_STRING_set_by_NID()\fR.
.PP
If instead an \s-1ASN1\s0 type is used no checks are performed and the
supplied data in \fBbytes\fR is used directly.
.PP
In \fBX509_NAME_add_entry_by_txt()\fR the \fBfield\fR string represents
the field name using OBJ_txt2obj(field, 0).
.PP
The \fBloc\fR and \fBset\fR parameters determine where a new entry should
be added. For almost all applications \fBloc\fR can be set to \-1 and \fBset\fR
to 0. This adds a new entry to the end of \fBname\fR as a single valued
RelativeDistinguishedName (\s-1RDN\s0).
.PP
\&\fBloc\fR actually determines the index where the new entry is inserted:
if it is \-1 it is appended.
.PP
\&\fBset\fR determines how the new type is added. If it is zero a
new \s-1RDN\s0 is created.
.PP
If \fBset\fR is \-1 or 1 it is added to the previous or next \s-1RDN\s0
structure respectively. This will then be a multivalued \s-1RDN:\s0
since multivalues RDNs are very seldom used \fBset\fR is almost
always set to zero.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_NAME_add_entry_by_txt()\fR, \fBX509_NAME_add_entry_by_OBJ()\fR,
\&\fBX509_NAME_add_entry_by_NID()\fR and \fBX509_NAME_add_entry()\fR return 1 for
success of 0 if an error occurred.
.PP
\&\fBX509_NAME_delete_entry()\fR returns either the deleted \fBX509_NAME_ENTRY\fR
structure of \fB\s-1NULL\s0\fR if an error occurred.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Create an \fBX509_NAME\fR structure:
.PP
\&\*(L"C=UK, O=Disorganized Organization, CN=Joe Bloggs\*(R"
.PP
.Vb 1
\& X509_NAME *nm;
\&
\& nm = X509_NAME_new();
\& if (nm == NULL)
\& /* Some error */
\& if (!X509_NAME_add_entry_by_txt(nm, "C", MBSTRING_ASC,
\& "UK", \-1, \-1, 0))
\& /* Error */
\& if (!X509_NAME_add_entry_by_txt(nm, "O", MBSTRING_ASC,
\& "Disorganized Organization", \-1, \-1, 0))
\& /* Error */
\& if (!X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC,
\& "Joe Bloggs", \-1, \-1, 0))
\& /* Error */
.Ve
.SH "BUGS"
.IX Header "BUGS"
\&\fBtype\fR can still be set to \fBV_ASN1_APP_CHOOSE\fR to use a
different algorithm to determine field types. Since this form does
not understand multicharacter types, performs no length checks and
can result in invalid field types its use is strongly discouraged.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBd2i_X509_NAME\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_NAME_get0_der.3 b/secure/lib/libcrypto/man/man3/X509_NAME_get0_der.3
index b1bc1428a910..cdc34cc4a1d3 100644
--- a/secure/lib/libcrypto/man/man3/X509_NAME_get0_der.3
+++ b/secure/lib/libcrypto/man/man3/X509_NAME_get0_der.3
@@ -1,171 +1,171 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_NAME_GET0_DER 3"
-.TH X509_NAME_GET0_DER 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_NAME_GET0_DER 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_NAME_get0_der \- get X509_NAME DER encoding
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder,
\& size_t *pderlen)
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The function \fBX509_NAME_get0_der()\fR returns an internal pointer to the
encoding of an \fBX509_NAME\fR structure in \fB*pder\fR and consisting of
\&\fB*pderlen\fR bytes. It is useful for applications that wish to examine
the encoding of an \fBX509_NAME\fR structure without copying it.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The function \fBX509_NAME_get0_der()\fR returns 1 for success and 0 if an error
occurred.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_X509\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_NAME_get_index_by_NID.3 b/secure/lib/libcrypto/man/man3/X509_NAME_get_index_by_NID.3
index de3662886b67..2089f9bbd8aa 100644
--- a/secure/lib/libcrypto/man/man3/X509_NAME_get_index_by_NID.3
+++ b/secure/lib/libcrypto/man/man3/X509_NAME_get_index_by_NID.3
@@ -1,254 +1,254 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_NAME_GET_INDEX_BY_NID 3"
-.TH X509_NAME_GET_INDEX_BY_NID 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_NAME_GET_INDEX_BY_NID 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_NAME_get_index_by_NID, X509_NAME_get_index_by_OBJ, X509_NAME_get_entry, X509_NAME_entry_count, X509_NAME_get_text_by_NID, X509_NAME_get_text_by_OBJ \- X509_NAME lookup and enumeration functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& int X509_NAME_get_index_by_NID(X509_NAME *name, int nid, int lastpos);
\& int X509_NAME_get_index_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, int lastpos);
\&
\& int X509_NAME_entry_count(const X509_NAME *name);
\& X509_NAME_ENTRY *X509_NAME_get_entry(const X509_NAME *name, int loc);
\&
\& int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len);
\& int X509_NAME_get_text_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, char *buf, int len);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions allow an \fBX509_NAME\fR structure to be examined. The
\&\fBX509_NAME\fR structure is the same as the \fBName\fR type defined in
\&\s-1RFC2459\s0 (and elsewhere) and used for example in certificate subject
and issuer names.
.PP
\&\fBX509_NAME_get_index_by_NID()\fR and \fBX509_NAME_get_index_by_OBJ()\fR retrieve
the next index matching \fBnid\fR or \fBobj\fR after \fBlastpos\fR. \fBlastpos\fR
should initially be set to \-1. If there are no more entries \-1 is returned.
If \fBnid\fR is invalid (doesn't correspond to a valid \s-1OID\s0) then \-2 is returned.
.PP
\&\fBX509_NAME_entry_count()\fR returns the total number of entries in \fBname\fR.
.PP
\&\fBX509_NAME_get_entry()\fR retrieves the \fBX509_NAME_ENTRY\fR from \fBname\fR
corresponding to index \fBloc\fR. Acceptable values for \fBloc\fR run from
0 to (X509_NAME_entry_count(name) \- 1). The value returned is an
internal pointer which must not be freed.
.PP
\&\fBX509_NAME_get_text_by_NID()\fR, \fBX509_NAME_get_text_by_OBJ()\fR retrieve
the \*(L"text\*(R" from the first entry in \fBname\fR which matches \fBnid\fR or
\&\fBobj\fR, if no such entry exists \-1 is returned. At most \fBlen\fR bytes
will be written and the text written to \fBbuf\fR will be null
terminated. The length of the output string written is returned
excluding the terminating null. If \fBbuf\fR is <\s-1NULL\s0> then the amount
of space needed in \fBbuf\fR (excluding the final null) is returned.
.SH "NOTES"
.IX Header "NOTES"
\&\fBX509_NAME_get_text_by_NID()\fR and \fBX509_NAME_get_text_by_OBJ()\fR should be
considered deprecated because they
have various limitations which make them
of minimal use in practice. They can only find the first matching
entry and will copy the contents of the field verbatim: this can
be highly confusing if the target is a multicharacter string type
like a BMPString or a UTF8String.
.PP
For a more general solution \fBX509_NAME_get_index_by_NID()\fR or
\&\fBX509_NAME_get_index_by_OBJ()\fR should be used followed by
\&\fBX509_NAME_get_entry()\fR on any matching indices and then the
various \fBX509_NAME_ENTRY\fR utility functions on the result.
.PP
The list of all relevant \fBNID_*\fR and \fBOBJ_* codes\fR can be found in
the source code header files <openssl/obj_mac.h> and/or
<openssl/objects.h>.
.PP
Applications which could pass invalid NIDs to \fBX509_NAME_get_index_by_NID()\fR
should check for the return value of \-2. Alternatively the \s-1NID\s0 validity
can be determined first by checking OBJ_nid2obj(nid) is not \s-1NULL.\s0
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_NAME_get_index_by_NID()\fR and \fBX509_NAME_get_index_by_OBJ()\fR
return the index of the next matching entry or \-1 if not found.
\&\fBX509_NAME_get_index_by_NID()\fR can also return \-2 if the supplied
\&\s-1NID\s0 is invalid.
.PP
\&\fBX509_NAME_entry_count()\fR returns the total number of entries.
.PP
\&\fBX509_NAME_get_entry()\fR returns an \fBX509_NAME\fR pointer to the
requested entry or \fB\s-1NULL\s0\fR if the index is invalid.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Process all entries:
.PP
.Vb 2
\& int i;
\& X509_NAME_ENTRY *e;
\&
\& for (i = 0; i < X509_NAME_entry_count(nm); i++) {
\& e = X509_NAME_get_entry(nm, i);
\& /* Do something with e */
\& }
.Ve
.PP
Process all commonName entries:
.PP
.Vb 2
\& int lastpos = \-1;
\& X509_NAME_ENTRY *e;
\&
\& for (;;) {
\& lastpos = X509_NAME_get_index_by_NID(nm, NID_commonName, lastpos);
\& if (lastpos == \-1)
\& break;
\& e = X509_NAME_get_entry(nm, lastpos);
\& /* Do something with e */
\& }
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBd2i_X509_NAME\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_NAME_print_ex.3 b/secure/lib/libcrypto/man/man3/X509_NAME_print_ex.3
index 8e23b07c3ffd..fd8bb918265d 100644
--- a/secure/lib/libcrypto/man/man3/X509_NAME_print_ex.3
+++ b/secure/lib/libcrypto/man/man3/X509_NAME_print_ex.3
@@ -1,252 +1,252 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_NAME_PRINT_EX 3"
-.TH X509_NAME_PRINT_EX 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_NAME_PRINT_EX 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_NAME_print_ex, X509_NAME_print_ex_fp, X509_NAME_print, X509_NAME_oneline \- X509_NAME printing routines
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& int X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent, unsigned long flags);
\& int X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm, int indent, unsigned long flags);
\& char *X509_NAME_oneline(const X509_NAME *a, char *buf, int size);
\& int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBX509_NAME_print_ex()\fR prints a human readable version of \fBnm\fR to \s-1BIO\s0 \fBout\fR. Each
line (for multiline formats) is indented by \fBindent\fR spaces. The output format
can be extensively customised by use of the \fBflags\fR parameter.
.PP
\&\fBX509_NAME_print_ex_fp()\fR is identical to \fBX509_NAME_print_ex()\fR except the output is
written to \s-1FILE\s0 pointer \fBfp\fR.
.PP
\&\fBX509_NAME_oneline()\fR prints an \s-1ASCII\s0 version of \fBa\fR to \fBbuf\fR.
If \fBbuf\fR is \fB\s-1NULL\s0\fR then a buffer is dynamically allocated and returned, and
\&\fBsize\fR is ignored.
Otherwise, at most \fBsize\fR bytes will be written, including the ending '\e0',
and \fBbuf\fR is returned.
.PP
\&\fBX509_NAME_print()\fR prints out \fBname\fR to \fBbp\fR indenting each line by \fBobase\fR
characters. Multiple lines are used if the output (including indent) exceeds
80 characters.
.SH "NOTES"
.IX Header "NOTES"
The functions \fBX509_NAME_oneline()\fR and \fBX509_NAME_print()\fR
produce a non standard output form, they don't handle multi character fields and
have various quirks and inconsistencies.
Their use is strongly discouraged in new applications and they could
be deprecated in a future release.
.PP
Although there are a large number of possible flags for most purposes
\&\fB\s-1XN_FLAG_ONELINE\s0\fR, \fB\s-1XN_FLAG_MULTILINE\s0\fR or \fB\s-1XN_FLAG_RFC2253\s0\fR will suffice.
As noted on the \fBASN1_STRING_print_ex\fR\|(3) manual page
for \s-1UTF8\s0 terminals the \fB\s-1ASN1_STRFLGS_ESC_MSB\s0\fR should be unset: so for example
\&\fB\s-1XN_FLAG_ONELINE &\s0 ~ASN1_STRFLGS_ESC_MSB\fR would be used.
.PP
The complete set of the flags supported by \fBX509_NAME_print_ex()\fR is listed below.
.PP
Several options can be ored together.
.PP
The options \fB\s-1XN_FLAG_SEP_COMMA_PLUS\s0\fR, \fB\s-1XN_FLAG_SEP_CPLUS_SPC\s0\fR,
\&\fB\s-1XN_FLAG_SEP_SPLUS_SPC\s0\fR and \fB\s-1XN_FLAG_SEP_MULTILINE\s0\fR determine the field separators
to use. Two distinct separators are used between distinct RelativeDistinguishedName
components and separate values in the same \s-1RDN\s0 for a multi-valued \s-1RDN.\s0 Multi-valued
RDNs are currently very rare so the second separator will hardly ever be used.
.PP
\&\fB\s-1XN_FLAG_SEP_COMMA_PLUS\s0\fR uses comma and plus as separators. \fB\s-1XN_FLAG_SEP_CPLUS_SPC\s0\fR
uses comma and plus with spaces: this is more readable that plain comma and plus.
\&\fB\s-1XN_FLAG_SEP_SPLUS_SPC\s0\fR uses spaced semicolon and plus. \fB\s-1XN_FLAG_SEP_MULTILINE\s0\fR uses
spaced newline and plus respectively.
.PP
If \fB\s-1XN_FLAG_DN_REV\s0\fR is set the whole \s-1DN\s0 is printed in reversed order.
.PP
The fields \fB\s-1XN_FLAG_FN_SN\s0\fR, \fB\s-1XN_FLAG_FN_LN\s0\fR, \fB\s-1XN_FLAG_FN_OID\s0\fR,
\&\fB\s-1XN_FLAG_FN_NONE\s0\fR determine how a field name is displayed. It will
use the short name (e.g. \s-1CN\s0) the long name (e.g. commonName) always
use \s-1OID\s0 numerical form (normally OIDs are only used if the field name is not
recognised) and no field name respectively.
.PP
If \fB\s-1XN_FLAG_SPC_EQ\s0\fR is set then spaces will be placed around the '=' character
separating field names and values.
.PP
If \fB\s-1XN_FLAG_DUMP_UNKNOWN_FIELDS\s0\fR is set then the encoding of unknown fields is
printed instead of the values.
.PP
If \fB\s-1XN_FLAG_FN_ALIGN\s0\fR is set then field names are padded to 20 characters: this
is only of use for multiline format.
.PP
Additionally all the options supported by \fBASN1_STRING_print_ex()\fR can be used to
control how each field value is displayed.
.PP
In addition a number options can be set for commonly used formats.
.PP
\&\fB\s-1XN_FLAG_RFC2253\s0\fR sets options which produce an output compatible with \s-1RFC2253\s0 it
is equivalent to:
\fB\s-1ASN1_STRFLGS_RFC2253\s0 | \s-1XN_FLAG_SEP_COMMA_PLUS\s0 | \s-1XN_FLAG_DN_REV\s0 | \s-1XN_FLAG_FN_SN\s0 | \s-1XN_FLAG_DUMP_UNKNOWN_FIELDS\s0\fR
.PP
\&\fB\s-1XN_FLAG_ONELINE\s0\fR is a more readable one line format which is the same as:
\fB\s-1ASN1_STRFLGS_RFC2253\s0 | \s-1ASN1_STRFLGS_ESC_QUOTE\s0 | \s-1XN_FLAG_SEP_CPLUS_SPC\s0 | \s-1XN_FLAG_SPC_EQ\s0 | \s-1XN_FLAG_FN_SN\s0\fR
.PP
\&\fB\s-1XN_FLAG_MULTILINE\s0\fR is a multiline format which is the same as:
\fB\s-1ASN1_STRFLGS_ESC_CTRL\s0 | \s-1ASN1_STRFLGS_ESC_MSB\s0 | \s-1XN_FLAG_SEP_MULTILINE\s0 | \s-1XN_FLAG_SPC_EQ\s0 | \s-1XN_FLAG_FN_LN\s0 | \s-1XN_FLAG_FN_ALIGN\s0\fR
.PP
\&\fB\s-1XN_FLAG_COMPAT\s0\fR uses a format identical to \fBX509_NAME_print()\fR: in fact it calls \fBX509_NAME_print()\fR internally.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_NAME_oneline()\fR returns a valid string on success or \s-1NULL\s0 on error.
.PP
\&\fBX509_NAME_print()\fR returns 1 on success or 0 on error.
.PP
\&\fBX509_NAME_print_ex()\fR and \fBX509_NAME_print_ex_fp()\fR return 1 on success or 0 on error
if the \fB\s-1XN_FLAG_COMPAT\s0\fR is set, which is the same as \fBX509_NAME_print()\fR. Otherwise,
it returns \-1 on error or other values on success.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBASN1_STRING_print_ex\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_PUBKEY_new.3 b/secure/lib/libcrypto/man/man3/X509_PUBKEY_new.3
index 4231fa682886..f41bf16287e7 100644
--- a/secure/lib/libcrypto/man/man3/X509_PUBKEY_new.3
+++ b/secure/lib/libcrypto/man/man3/X509_PUBKEY_new.3
@@ -1,248 +1,248 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_PUBKEY_NEW 3"
-.TH X509_PUBKEY_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_PUBKEY_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_PUBKEY_new, X509_PUBKEY_free, X509_PUBKEY_set, X509_PUBKEY_get0, X509_PUBKEY_get, d2i_PUBKEY, i2d_PUBKEY, d2i_PUBKEY_bio, d2i_PUBKEY_fp, i2d_PUBKEY_fp, i2d_PUBKEY_bio, X509_PUBKEY_set0_param, X509_PUBKEY_get0_param \- SubjectPublicKeyInfo public key functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& X509_PUBKEY *X509_PUBKEY_new(void);
\& void X509_PUBKEY_free(X509_PUBKEY *a);
\&
\& int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey);
\& EVP_PKEY *X509_PUBKEY_get0(X509_PUBKEY *key);
\& EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key);
\&
\& EVP_PKEY *d2i_PUBKEY(EVP_PKEY **a, const unsigned char **pp, long length);
\& int i2d_PUBKEY(EVP_PKEY *a, unsigned char **pp);
\&
\& EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a);
\& EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a);
\&
\& int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey);
\& int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey);
\&
\& int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *aobj,
\& int ptype, void *pval,
\& unsigned char *penc, int penclen);
\& int X509_PUBKEY_get0_param(ASN1_OBJECT **ppkalg,
\& const unsigned char **pk, int *ppklen,
\& X509_ALGOR **pa, X509_PUBKEY *pub);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBX509_PUBKEY\fR structure represents the \s-1ASN.1\s0 \fBSubjectPublicKeyInfo\fR
structure defined in \s-1RFC5280\s0 and used in certificates and certificate requests.
.PP
\&\fBX509_PUBKEY_new()\fR allocates and initializes an \fBX509_PUBKEY\fR structure.
.PP
\&\fBX509_PUBKEY_free()\fR frees up \fBX509_PUBKEY\fR structure \fBa\fR. If \fBa\fR is \s-1NULL\s0
nothing is done.
.PP
\&\fBX509_PUBKEY_set()\fR sets the public key in \fB*x\fR to the public key contained
in the \fB\s-1EVP_PKEY\s0\fR structure \fBpkey\fR. If \fB*x\fR is not \s-1NULL\s0 any existing
public key structure will be freed.
.PP
\&\fBX509_PUBKEY_get0()\fR returns the public key contained in \fBkey\fR. The returned
value is an internal pointer which \fB\s-1MUST NOT\s0\fR be freed after use.
.PP
\&\fBX509_PUBKEY_get()\fR is similar to \fBX509_PUBKEY_get0()\fR except the reference
count on the returned key is incremented so it \fB\s-1MUST\s0\fR be freed using
\&\fBEVP_PKEY_free()\fR after use.
.PP
\&\fBd2i_PUBKEY()\fR and \fBi2d_PUBKEY()\fR decode and encode an \fB\s-1EVP_PKEY\s0\fR structure
using \fBSubjectPublicKeyInfo\fR format. They otherwise follow the conventions of
other \s-1ASN.1\s0 functions such as \fBd2i_X509()\fR.
.PP
\&\fBd2i_PUBKEY_bio()\fR, \fBd2i_PUBKEY_fp()\fR, \fBi2d_PUBKEY_bio()\fR and \fBi2d_PUBKEY_fp()\fR are
similar to \fBd2i_PUBKEY()\fR and \fBi2d_PUBKEY()\fR except they decode or encode using a
\&\fB\s-1BIO\s0\fR or \fB\s-1FILE\s0\fR pointer.
.PP
\&\fBX509_PUBKEY_set0_param()\fR sets the public key parameters of \fBpub\fR. The
\&\s-1OID\s0 associated with the algorithm is set to \fBaobj\fR. The type of the
algorithm parameters is set to \fBtype\fR using the structure \fBpval\fR.
The encoding of the public key itself is set to the \fBpenclen\fR
bytes contained in buffer \fBpenc\fR. On success ownership of all the supplied
parameters is passed to \fBpub\fR so they must not be freed after the
call.
.PP
\&\fBX509_PUBKEY_get0_param()\fR retrieves the public key parameters from \fBpub\fR,
\&\fB*ppkalg\fR is set to the associated \s-1OID\s0 and the encoding consists of
\&\fB*ppklen\fR bytes at \fB*pk\fR, \fB*pa\fR is set to the associated
AlgorithmIdentifier for the public key. If the value of any of these
parameters is not required it can be set to \fB\s-1NULL\s0\fR. All of the
retrieved pointers are internal and must not be freed after the
call.
.SH "NOTES"
.IX Header "NOTES"
The \fBX509_PUBKEY\fR functions can be used to encode and decode public keys
in a standard format.
.PP
In many cases applications will not call the \fBX509_PUBKEY\fR functions
directly: they will instead call wrapper functions such as \fBX509_get0_pubkey()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
If the allocation fails, \fBX509_PUBKEY_new()\fR returns \fB\s-1NULL\s0\fR and sets an error
code that can be obtained by \fBERR_get_error\fR\|(3).
.PP
Otherwise it returns a pointer to the newly allocated structure.
.PP
\&\fBX509_PUBKEY_free()\fR does not return a value.
.PP
\&\fBX509_PUBKEY_get0()\fR and \fBX509_PUBKEY_get()\fR return a pointer to an \fB\s-1EVP_PKEY\s0\fR
structure or \fB\s-1NULL\s0\fR if an error occurs.
.PP
\&\fBX509_PUBKEY_set()\fR, \fBX509_PUBKEY_set0_param()\fR and \fBX509_PUBKEY_get0_param()\fR
return 1 for success and 0 if an error occurred.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_X509\fR\|(3),
\&\fBERR_get_error\fR\|(3),
\&\fBX509_get_pubkey\fR\|(3),
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_SIG_get0.3 b/secure/lib/libcrypto/man/man3/X509_SIG_get0.3
index 373f63b7dec2..90f507b21058 100644
--- a/secure/lib/libcrypto/man/man3/X509_SIG_get0.3
+++ b/secure/lib/libcrypto/man/man3/X509_SIG_get0.3
@@ -1,172 +1,172 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_SIG_GET0 3"
-.TH X509_SIG_GET0 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_SIG_GET0 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_SIG_get0, X509_SIG_getm \- DigestInfo functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& void X509_SIG_get0(const X509_SIG *sig, const X509_ALGOR **palg,
\& const ASN1_OCTET_STRING **pdigest);
\& void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **palg,
\& ASN1_OCTET_STRING **pdigest,
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBX509_SIG_get0()\fR returns pointers to the algorithm identifier and digest
value in \fBsig\fR. \fBX509_SIG_getm()\fR is identical to \fBX509_SIG_get0()\fR
except the pointers returned are not constant and can be modified:
for example to initialise them.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_SIG_get0()\fR and \fBX509_SIG_getm()\fR return no values.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_X509\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_error.3 b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_error.3
index 2902632583b2..988002bca345 100644
--- a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_error.3
+++ b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_get_error.3
@@ -1,416 +1,416 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_STORE_CTX_GET_ERROR 3"
-.TH X509_STORE_CTX_GET_ERROR 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_STORE_CTX_GET_ERROR 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_STORE_CTX_get_error, X509_STORE_CTX_set_error, X509_STORE_CTX_get_error_depth, X509_STORE_CTX_set_error_depth, X509_STORE_CTX_get_current_cert, X509_STORE_CTX_set_current_cert, X509_STORE_CTX_get0_cert, X509_STORE_CTX_get1_chain, X509_verify_cert_error_string \- get or set certificate verification status information
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
\& void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s);
\& int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
\& void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth);
\& X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
\& void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x);
\& X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx);
\&
\& STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);
\&
\& const char *X509_verify_cert_error_string(long n);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions are typically called after \fBX509_verify_cert()\fR has indicated
an error or in a verification callback to determine the nature of an error.
.PP
\&\fBX509_STORE_CTX_get_error()\fR returns the error code of \fBctx\fR, see
the \fB\s-1ERROR CODES\s0\fR section for a full description of all error codes.
.PP
\&\fBX509_STORE_CTX_set_error()\fR sets the error code of \fBctx\fR to \fBs\fR. For example
it might be used in a verification callback to set an error based on additional
checks.
.PP
\&\fBX509_STORE_CTX_get_error_depth()\fR returns the \fBdepth\fR of the error. This is a
nonnegative integer representing where in the certificate chain the error
occurred. If it is zero it occurred in the end entity certificate, one if
it is the certificate which signed the end entity certificate and so on.
.PP
\&\fBX509_STORE_CTX_set_error_depth()\fR sets the error \fBdepth\fR.
This can be used in combination with \fBX509_STORE_CTX_set_error()\fR to set the
depth at which an error condition was detected.
.PP
\&\fBX509_STORE_CTX_get_current_cert()\fR returns the certificate in \fBctx\fR which
caused the error or \fB\s-1NULL\s0\fR if no certificate is relevant.
.PP
\&\fBX509_STORE_CTX_set_current_cert()\fR sets the certificate \fBx\fR in \fBctx\fR which
caused the error.
This value is not intended to remain valid for very long, and remains owned by
the caller.
It may be examined by a verification callback invoked to handle each error
encountered during chain verification and is no longer required after such a
callback.
If a callback wishes the save the certificate for use after it returns, it
needs to increment its reference count via \fBX509_up_ref\fR\|(3).
Once such a \fIsaved\fR certificate is no longer needed it can be freed with
\&\fBX509_free\fR\|(3).
.PP
\&\fBX509_STORE_CTX_get0_cert()\fR retrieves an internal pointer to the
certificate being verified by the \fBctx\fR.
.PP
\&\fBX509_STORE_CTX_get1_chain()\fR returns a complete validate chain if a previous
call to \fBX509_verify_cert()\fR is successful. If the call to \fBX509_verify_cert()\fR
is \fBnot\fR successful the returned chain may be incomplete or invalid. The
returned chain persists after the \fBctx\fR structure is freed, when it is
no longer needed it should be free up using:
.PP
.Vb 1
\& sk_X509_pop_free(chain, X509_free);
.Ve
.PP
\&\fBX509_verify_cert_error_string()\fR returns a human readable error string for
verification error \fBn\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_STORE_CTX_get_error()\fR returns \fBX509_V_OK\fR or an error code.
.PP
\&\fBX509_STORE_CTX_get_error_depth()\fR returns a nonnegative error depth.
.PP
\&\fBX509_STORE_CTX_get_current_cert()\fR returns the certificate which caused the
error or \fB\s-1NULL\s0\fR if no certificate is relevant to the error.
.PP
\&\fBX509_verify_cert_error_string()\fR returns a human readable error string for
verification error \fBn\fR.
.SH "ERROR CODES"
.IX Header "ERROR CODES"
A list of error codes and messages is shown below. Some of the
error codes are defined but currently never returned: these are described as
\&\*(L"unused\*(R".
.IP "\fBX509_V_OK: ok\fR" 4
.IX Item "X509_V_OK: ok"
the operation was successful.
.IP "\fBX509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate\fR" 4
.IX Item "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate"
the issuer certificate of a locally looked up certificate could not be found.
This normally means the list of trusted certificates is not complete.
.IP "\fBX509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate \s-1CRL\s0\fR" 4
.IX Item "X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL"
the \s-1CRL\s0 of a certificate could not be found.
.IP "\fBX509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature\fR" 4
.IX Item "X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature"
the certificate signature could not be decrypted. This means that the actual
signature value could not be determined rather than it not matching the
expected value, this is only meaningful for \s-1RSA\s0 keys.
.IP "\fBX509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt \s-1CRL\s0's signature\fR" 4
.IX Item "X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature"
the \s-1CRL\s0 signature could not be decrypted: this means that the actual signature
value could not be determined rather than it not matching the expected value.
Unused.
.IP "\fBX509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key\fR" 4
.IX Item "X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key"
the public key in the certificate SubjectPublicKeyInfo could not be read.
.IP "\fBX509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure\fR" 4
.IX Item "X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure"
the signature of the certificate is invalid.
.IP "\fBX509_V_ERR_CRL_SIGNATURE_FAILURE: \s-1CRL\s0 signature failure\fR" 4
.IX Item "X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure"
the signature of the certificate is invalid.
.IP "\fBX509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid\fR" 4
.IX Item "X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid"
the certificate is not yet valid: the notBefore date is after the current time.
.IP "\fBX509_V_ERR_CERT_HAS_EXPIRED: certificate has expired\fR" 4
.IX Item "X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired"
the certificate has expired: that is the notAfter date is before the current time.
.IP "\fBX509_V_ERR_CRL_NOT_YET_VALID: \s-1CRL\s0 is not yet valid\fR" 4
.IX Item "X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid"
the \s-1CRL\s0 is not yet valid.
.IP "\fBX509_V_ERR_CRL_HAS_EXPIRED: \s-1CRL\s0 has expired\fR" 4
.IX Item "X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired"
the \s-1CRL\s0 has expired.
.IP "\fBX509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field\fR" 4
.IX Item "X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field"
the certificate notBefore field contains an invalid time.
.IP "\fBX509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field\fR" 4
.IX Item "X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field"
the certificate notAfter field contains an invalid time.
.IP "\fBX509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in \s-1CRL\s0's lastUpdate field\fR" 4
.IX Item "X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field"
the \s-1CRL\s0 lastUpdate field contains an invalid time.
.IP "\fBX509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in \s-1CRL\s0's nextUpdate field\fR" 4
.IX Item "X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field"
the \s-1CRL\s0 nextUpdate field contains an invalid time.
.IP "\fBX509_V_ERR_OUT_OF_MEM: out of memory\fR" 4
.IX Item "X509_V_ERR_OUT_OF_MEM: out of memory"
an error occurred trying to allocate memory. This should never happen.
.IP "\fBX509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate\fR" 4
.IX Item "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate"
the passed certificate is self signed and the same certificate cannot be found
in the list of trusted certificates.
.IP "\fBX509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain\fR" 4
.IX Item "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain"
the certificate chain could be built up using the untrusted certificates but
the root could not be found locally.
.IP "\fBX509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate\fR" 4
.IX Item "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate"
the issuer certificate could not be found: this occurs if the issuer certificate
of an untrusted certificate cannot be found.
.IP "\fBX509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate\fR" 4
.IX Item "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate"
no signatures could be verified because the chain contains only one certificate
and it is not self signed.
.IP "\fBX509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long\fR" 4
.IX Item "X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long"
the certificate chain length is greater than the supplied maximum depth. Unused.
.IP "\fBX509_V_ERR_CERT_REVOKED: certificate revoked\fR" 4
.IX Item "X509_V_ERR_CERT_REVOKED: certificate revoked"
the certificate has been revoked.
.IP "\fBX509_V_ERR_INVALID_CA: invalid \s-1CA\s0 certificate\fR" 4
.IX Item "X509_V_ERR_INVALID_CA: invalid CA certificate"
a \s-1CA\s0 certificate is invalid. Either it is not a \s-1CA\s0 or its extensions are not
consistent with the supplied purpose.
.IP "\fBX509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded\fR" 4
.IX Item "X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded"
the basicConstraints path-length parameter has been exceeded.
.IP "\fBX509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose\fR" 4
.IX Item "X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose"
the supplied certificate cannot be used for the specified purpose.
.IP "\fBX509_V_ERR_CERT_UNTRUSTED: certificate not trusted\fR" 4
.IX Item "X509_V_ERR_CERT_UNTRUSTED: certificate not trusted"
the root \s-1CA\s0 is not marked as trusted for the specified purpose.
.IP "\fBX509_V_ERR_CERT_REJECTED: certificate rejected\fR" 4
.IX Item "X509_V_ERR_CERT_REJECTED: certificate rejected"
the root \s-1CA\s0 is marked to reject the specified purpose.
.IP "\fBX509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch\fR" 4
.IX Item "X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch"
the current candidate issuer certificate was rejected because its subject name
did not match the issuer name of the current certificate. This is only set
if issuer check debugging is enabled it is used for status notification and
is \fBnot\fR in itself an error.
.IP "\fBX509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch\fR" 4
.IX Item "X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch"
the current candidate issuer certificate was rejected because its subject key
identifier was present and did not match the authority key identifier current
certificate. This is only set if issuer check debugging is enabled it is used
for status notification and is \fBnot\fR in itself an error.
.IP "\fBX509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch\fR" 4
.IX Item "X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch"
the current candidate issuer certificate was rejected because its issuer name
and serial number was present and did not match the authority key identifier of
the current certificate. This is only set if issuer check debugging is enabled
it is used for status notification and is \fBnot\fR in itself an error.
.IP "\fBX509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing\fR" 4
.IX Item "X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing"
the current candidate issuer certificate was rejected because its keyUsage
extension does not permit certificate signing. This is only set if issuer check
debugging is enabled it is used for status notification and is \fBnot\fR in itself
an error.
.IP "\fBX509_V_ERR_INVALID_EXTENSION: invalid or inconsistent certificate extension\fR" 4
.IX Item "X509_V_ERR_INVALID_EXTENSION: invalid or inconsistent certificate extension"
A certificate extension had an invalid value (for example an incorrect
encoding) or some value inconsistent with other extensions.
.IP "\fBX509_V_ERR_INVALID_POLICY_EXTENSION: invalid or inconsistent certificate policy extension\fR" 4
.IX Item "X509_V_ERR_INVALID_POLICY_EXTENSION: invalid or inconsistent certificate policy extension"
A certificate policies extension had an invalid value (for example an incorrect
encoding) or some value inconsistent with other extensions. This error only
occurs if policy processing is enabled.
.IP "\fBX509_V_ERR_NO_EXPLICIT_POLICY: no explicit policy\fR" 4
.IX Item "X509_V_ERR_NO_EXPLICIT_POLICY: no explicit policy"
The verification flags were set to require and explicit policy but none was
present.
.IP "\fBX509_V_ERR_DIFFERENT_CRL_SCOPE: Different \s-1CRL\s0 scope\fR" 4
.IX Item "X509_V_ERR_DIFFERENT_CRL_SCOPE: Different CRL scope"
The only CRLs that could be found did not match the scope of the certificate.
.IP "\fBX509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: Unsupported extension feature\fR" 4
.IX Item "X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: Unsupported extension feature"
Some feature of a certificate extension is not supported. Unused.
.IP "\fBX509_V_ERR_PERMITTED_VIOLATION: permitted subtree violation\fR" 4
.IX Item "X509_V_ERR_PERMITTED_VIOLATION: permitted subtree violation"
A name constraint violation occurred in the permitted subtrees.
.IP "\fBX509_V_ERR_EXCLUDED_VIOLATION: excluded subtree violation\fR" 4
.IX Item "X509_V_ERR_EXCLUDED_VIOLATION: excluded subtree violation"
A name constraint violation occurred in the excluded subtrees.
.IP "\fBX509_V_ERR_SUBTREE_MINMAX: name constraints minimum and maximum not supported\fR" 4
.IX Item "X509_V_ERR_SUBTREE_MINMAX: name constraints minimum and maximum not supported"
A certificate name constraints extension included a minimum or maximum field:
this is not supported.
.IP "\fBX509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: unsupported name constraint type\fR" 4
.IX Item "X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: unsupported name constraint type"
An unsupported name constraint type was encountered. OpenSSL currently only
supports directory name, \s-1DNS\s0 name, email and \s-1URI\s0 types.
.IP "\fBX509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: unsupported or invalid name constraint syntax\fR" 4
.IX Item "X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: unsupported or invalid name constraint syntax"
The format of the name constraint is not recognised: for example an email
address format of a form not mentioned in \s-1RFC3280.\s0 This could be caused by
a garbage extension or some new feature not currently supported.
.IP "\fBX509_V_ERR_CRL_PATH_VALIDATION_ERROR: \s-1CRL\s0 path validation error\fR" 4
.IX Item "X509_V_ERR_CRL_PATH_VALIDATION_ERROR: CRL path validation error"
An error occurred when attempting to verify the \s-1CRL\s0 path. This error can only
happen if extended \s-1CRL\s0 checking is enabled.
.IP "\fBX509_V_ERR_APPLICATION_VERIFICATION: application verification failure\fR" 4
.IX Item "X509_V_ERR_APPLICATION_VERIFICATION: application verification failure"
an application specific error. This will never be returned unless explicitly
set by an application.
.SH "NOTES"
.IX Header "NOTES"
The above functions should be used instead of directly referencing the fields
in the \fBX509_VERIFY_CTX\fR structure.
.PP
In versions of OpenSSL before 1.0 the current certificate returned by
\&\fBX509_STORE_CTX_get_current_cert()\fR was never \fB\s-1NULL\s0\fR. Applications should
check the return value before printing out any debugging information relating
to the current certificate.
.PP
If an unrecognised error code is passed to \fBX509_verify_cert_error_string()\fR the
numerical value of the unknown code is returned in a static buffer. This is not
thread safe but will never happen unless an invalid code is passed.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_verify_cert\fR\|(3),
\&\fBX509_up_ref\fR\|(3),
\&\fBX509_free\fR\|(3).
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2009\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_new.3 b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_new.3
index d1b116b83d0f..fb7ee48d1c14 100644
--- a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_new.3
+++ b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_new.3
@@ -1,295 +1,359 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_STORE_CTX_NEW 3"
-.TH X509_STORE_CTX_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_STORE_CTX_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
-X509_STORE_CTX_new, X509_STORE_CTX_cleanup, X509_STORE_CTX_free, X509_STORE_CTX_init, X509_STORE_CTX_set0_trusted_stack, X509_STORE_CTX_set_cert, X509_STORE_CTX_set0_crls, X509_STORE_CTX_get0_chain, X509_STORE_CTX_set0_verified_chain, X509_STORE_CTX_get0_param, X509_STORE_CTX_set0_param, X509_STORE_CTX_get0_untrusted, X509_STORE_CTX_set0_untrusted, X509_STORE_CTX_get_num_untrusted, X509_STORE_CTX_set_default, X509_STORE_CTX_set_verify, X509_STORE_CTX_verify_fn \&\- X509_STORE_CTX initialisation
+X509_STORE_CTX_new, X509_STORE_CTX_cleanup, X509_STORE_CTX_free, X509_STORE_CTX_init, X509_STORE_CTX_set0_trusted_stack, X509_STORE_CTX_set_cert, X509_STORE_CTX_set0_crls, X509_STORE_CTX_get0_chain, X509_STORE_CTX_set0_verified_chain, X509_STORE_CTX_get0_param, X509_STORE_CTX_set0_param, X509_STORE_CTX_get0_untrusted, X509_STORE_CTX_set0_untrusted, X509_STORE_CTX_get_num_untrusted, X509_STORE_CTX_set_default, X509_STORE_CTX_set_verify, X509_STORE_CTX_verify_fn, X509_STORE_CTX_set_purpose, X509_STORE_CTX_set_trust, X509_STORE_CTX_purpose_inherit \&\- X509_STORE_CTX initialisation
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509_vfy.h>
\&
\& X509_STORE_CTX *X509_STORE_CTX_new(void);
\& void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
\& void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
\&
\& int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
\& X509 *x509, STACK_OF(X509) *chain);
\&
\& void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
\&
\& void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x);
\& STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx);
\& void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *chain);
\& void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk);
\&
\& X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx);
\& void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param);
\& int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);
\&
\& STACK_OF(X509)* X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx);
\& void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
\&
\& int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx);
\&
\& typedef int (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *);
\& void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, X509_STORE_CTX_verify_fn verify);
+\&
+\& int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
+\& int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust);
+\& int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
+\& int purpose, int trust);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions initialise an \fBX509_STORE_CTX\fR structure for subsequent use
by \fBX509_verify_cert()\fR.
.PP
\&\fBX509_STORE_CTX_new()\fR returns a newly initialised \fBX509_STORE_CTX\fR structure.
.PP
\&\fBX509_STORE_CTX_cleanup()\fR internally cleans up an \fBX509_STORE_CTX\fR structure.
The context can then be reused with a new call to \fBX509_STORE_CTX_init()\fR.
.PP
\&\fBX509_STORE_CTX_free()\fR completely frees up \fBctx\fR. After this call \fBctx\fR
is no longer valid.
If \fBctx\fR is \s-1NULL\s0 nothing is done.
.PP
\&\fBX509_STORE_CTX_init()\fR sets up \fBctx\fR for a subsequent verification operation.
It must be called before each call to \fBX509_verify_cert()\fR, i.e. a \fBctx\fR is only
good for one call to \fBX509_verify_cert()\fR; if you want to verify a second
certificate with the same \fBctx\fR then you must call \fBX509_STORE_CTX_cleanup()\fR
and then \fBX509_STORE_CTX_init()\fR again before the second call to
\&\fBX509_verify_cert()\fR. The trusted certificate store is set to \fBstore\fR, the end
entity certificate to be verified is set to \fBx509\fR and a set of additional
certificates (which will be untrusted but may be used to build the chain) in
\&\fBchain\fR. Any or all of the \fBstore\fR, \fBx509\fR and \fBchain\fR parameters can be
\&\fB\s-1NULL\s0\fR.
.PP
\&\fBX509_STORE_CTX_set0_trusted_stack()\fR sets the set of trusted certificates of
\&\fBctx\fR to \fBsk\fR. This is an alternative way of specifying trusted certificates
instead of using an \fBX509_STORE\fR.
.PP
\&\fBX509_STORE_CTX_set_cert()\fR sets the certificate to be verified in \fBctx\fR to
\&\fBx\fR.
.PP
\&\fBX509_STORE_CTX_set0_verified_chain()\fR sets the validated chain used
by \fBctx\fR to be \fBchain\fR.
Ownership of the chain is transferred to \fBctx\fR and should not be
free'd by the caller.
\&\fBX509_STORE_CTX_get0_chain()\fR returns the internal pointer used by the
\&\fBctx\fR that contains the validated chain.
.PP
\&\fBX509_STORE_CTX_set0_crls()\fR sets a set of CRLs to use to aid certificate
verification to \fBsk\fR. These CRLs will only be used if \s-1CRL\s0 verification is
enabled in the associated \fBX509_VERIFY_PARAM\fR structure. This might be
used where additional \*(L"useful\*(R" CRLs are supplied as part of a protocol,
for example in a PKCS#7 structure.
.PP
\&\fBX509_STORE_CTX_get0_param()\fR retrieves an internal pointer
to the verification parameters associated with \fBctx\fR.
.PP
\&\fBX509_STORE_CTX_get0_untrusted()\fR retrieves an internal pointer to the
stack of untrusted certificates associated with \fBctx\fR.
.PP
\&\fBX509_STORE_CTX_set0_untrusted()\fR sets the internal point to the stack
of untrusted certificates associated with \fBctx\fR to \fBsk\fR.
.PP
\&\fBX509_STORE_CTX_set0_param()\fR sets the internal verification parameter pointer
to \fBparam\fR. After this call \fBparam\fR should not be used.
.PP
\&\fBX509_STORE_CTX_set_default()\fR looks up and sets the default verification
method to \fBname\fR. This uses the function \fBX509_VERIFY_PARAM_lookup()\fR to
find an appropriate set of parameters from \fBname\fR.
.PP
\&\fBX509_STORE_CTX_get_num_untrusted()\fR returns the number of untrusted certificates
that were used in building the chain following a call to \fBX509_verify_cert()\fR.
.PP
\&\fBX509_STORE_CTX_set_verify()\fR provides the capability for overriding the default
verify function. This function is responsible for verifying chain signatures and
expiration times.
.PP
A verify function is defined as an X509_STORE_CTX_verify type which has the
following signature:
.PP
.Vb 1
\& int (*verify)(X509_STORE_CTX *);
.Ve
.PP
This function should receive the current X509_STORE_CTX as a parameter and
return 1 on success or 0 on failure.
+.PP
+X509 certificates may contain information about what purposes keys contained
+within them can be used for. For example \*(L"\s-1TLS WWW\s0 Server Authentication\*(R" or
+\&\*(L"Email Protection\*(R". This \*(L"key usage\*(R" information is held internally to the
+certificate itself. In addition the trust store containing trusted certificates
+can declare what purposes we trust different certificates for. This \*(L"trust\*(R"
+information is not held within the certificate itself but is \*(L"meta\*(R" information
+held alongside it. This \*(L"meta\*(R" information is associated with the certificate
+after it is issued and could be determined by a system administrator. For
+example a certificate might declare that it is suitable for use for both
+\&\*(L"\s-1TLS WWW\s0 Server Authentication\*(R" and \*(L"\s-1TLS\s0 Client Authentication\*(R", but a system
+administrator might only trust it for the former. An X.509 certificate extension
+exists that can record extended key usage information to supplement the purpose
+information described above. This extended mechanism is arbitrarily extensible
+and not well suited for a generic library \s-1API\s0; applications that need to
+validate extended key usage information in certifiates will need to define a
+custom \*(L"purpose\*(R" (see below) or supply a nondefault verification callback
+(\fBX509_STORE_set_verify_cb_func\fR\|(3)).
+.PP
+\&\fBX509_STORE_CTX_set_purpose()\fR sets the purpose for the target certificate being
+verified in the \fIctx\fR. Built-in available values for the \fIpurpose\fR argument
+are \fBX509_PURPOSE_SSL_CLIENT\fR, \fBX509_PURPOSE_SSL_SERVER\fR,
+\&\fBX509_PURPOSE_NS_SSL_SERVER\fR, \fBX509_PURPOSE_SMIME_SIGN\fR,
+\&\fBX509_PURPOSE_SMIME_ENCRYPT\fR, \fBX509_PURPOSE_CRL_SIGN\fR, \fBX509_PURPOSE_ANY\fR,
+\&\fBX509_PURPOSE_OCSP_HELPER\fR and \fBX509_PURPOSE_TIMESTAMP_SIGN\fR. It is also
+possible to create a custom purpose value. Setting a purpose will ensure that
+the key usage declared within certificates in the chain being verified is
+consistent with that purpose as well as, potentially, other checks. Every
+purpose also has an associated default trust value which will also be set at the
+same time. During verification this trust setting will be verified to check it
+is consistent with the trust set by the system administrator for certificates in
+the chain.
+.PP
+\&\fBX509_STORE_CTX_set_trust()\fR sets the trust value for the target certificate
+being verified in the \fIctx\fR. Built-in available values for the \fItrust\fR
+argument are \fBX509_TRUST_COMPAT\fR, \fBX509_TRUST_SSL_CLIENT\fR,
+\&\fBX509_TRUST_SSL_SERVER\fR, \fBX509_TRUST_EMAIL\fR, \fBX509_TRUST_OBJECT_SIGN\fR,
+\&\fBX509_TRUST_OCSP_SIGN\fR, \fBX509_TRUST_OCSP_REQUEST\fR and \fBX509_TRUST_TSA\fR. It is
+also possible to create a custom trust value. Since \fBX509_STORE_CTX_set_purpose()\fR
+also sets the trust value it is normally sufficient to only call that function.
+If both are called then \fBX509_STORE_CTX_set_trust()\fR should be called after
+\&\fBX509_STORE_CTX_set_purpose()\fR since the trust setting of the last call will be
+used.
+.PP
+It should not normally be necessary for end user applications to call
+\&\fBX509_STORE_CTX_purpose_inherit()\fR directly. Typically applications should call
+\&\fBX509_STORE_CTX_set_purpose()\fR or \fBX509_STORE_CTX_set_trust()\fR instead. Using this
+function it is possible to set the purpose and trust values for the \fIctx\fR at
+the same time. The \fIdef_purpose\fR and \fIpurpose\fR arguments can have the same
+purpose values as described for \fBX509_STORE_CTX_set_purpose()\fR above. The \fItrust\fR
+argument can have the same trust values as described in
+\&\fBX509_STORE_CTX_set_trust()\fR above. Any of the \fIdef_purpose\fR, \fIpurpose\fR or
+\&\fItrust\fR values may also have the value 0 to indicate that the supplied
+parameter should be ignored. After calling this function the purpose to be used
+for verification is set from the \fIpurpose\fR argument, and the trust is set from
+the \fItrust\fR argument. If \fItrust\fR is 0 then the trust value will be set from
+the default trust value for \fIpurpose\fR. If the default trust value for the
+purpose is \fIX509_TRUST_DEFAULT\fR and \fItrust\fR is 0 then the default trust value
+associated with the \fIdef_purpose\fR value is used for the trust setting instead.
.SH "NOTES"
.IX Header "NOTES"
The certificates and CRLs in a store are used internally and should \fBnot\fR
be freed up until after the associated \fBX509_STORE_CTX\fR is freed.
.SH "BUGS"
.IX Header "BUGS"
The certificates and CRLs in a context are used internally and should \fBnot\fR
be freed up until after the associated \fBX509_STORE_CTX\fR is freed. Copies
should be made or reference counts increased instead.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_STORE_CTX_new()\fR returns a newly allocated context or \fB\s-1NULL\s0\fR if an
error occurred.
.PP
\&\fBX509_STORE_CTX_init()\fR returns 1 for success or 0 if an error occurred.
.PP
\&\fBX509_STORE_CTX_get0_param()\fR returns a pointer to an \fBX509_VERIFY_PARAM\fR
structure or \fB\s-1NULL\s0\fR if an error occurred.
.PP
\&\fBX509_STORE_CTX_cleanup()\fR, \fBX509_STORE_CTX_free()\fR,
\&\fBX509_STORE_CTX_set0_trusted_stack()\fR,
\&\fBX509_STORE_CTX_set_cert()\fR,
\&\fBX509_STORE_CTX_set0_crls()\fR and \fBX509_STORE_CTX_set0_param()\fR do not return
values.
.PP
\&\fBX509_STORE_CTX_set_default()\fR returns 1 for success or 0 if an error occurred.
.PP
\&\fBX509_STORE_CTX_get_num_untrusted()\fR returns the number of untrusted certificates
used.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_verify_cert\fR\|(3)
\&\fBX509_VERIFY_PARAM_set_flags\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBX509_STORE_CTX_set0_crls()\fR function was added in OpenSSL 1.0.0.
The \fBX509_STORE_CTX_get_num_untrusted()\fR function was added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2009\-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2009\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_set_verify_cb.3 b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_set_verify_cb.3
index 8179b608678f..9db32a66cd08 100644
--- a/secure/lib/libcrypto/man/man3/X509_STORE_CTX_set_verify_cb.3
+++ b/secure/lib/libcrypto/man/man3/X509_STORE_CTX_set_verify_cb.3
@@ -1,334 +1,334 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_STORE_CTX_SET_VERIFY_CB 3"
-.TH X509_STORE_CTX_SET_VERIFY_CB 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_STORE_CTX_SET_VERIFY_CB 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_STORE_CTX_get_cleanup, X509_STORE_CTX_get_lookup_crls, X509_STORE_CTX_get_lookup_certs, X509_STORE_CTX_get_check_policy, X509_STORE_CTX_get_cert_crl, X509_STORE_CTX_get_check_crl, X509_STORE_CTX_get_get_crl, X509_STORE_CTX_get_check_revocation, X509_STORE_CTX_get_check_issued, X509_STORE_CTX_get_get_issuer, X509_STORE_CTX_get_verify_cb, X509_STORE_CTX_set_verify_cb, X509_STORE_CTX_verify_cb \&\- get and set verification callback
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509_vfy.h>
\&
\& typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *);
\&
\& X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx);
\&
\& void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
\& X509_STORE_CTX_verify_cb verify_cb);
\&
\& X509_STORE_CTX_get_issuer_fn X509_STORE_CTX_get_get_issuer(X509_STORE_CTX *ctx);
\& X509_STORE_CTX_check_issued_fn X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx);
\& X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(X509_STORE_CTX *ctx);
\& X509_STORE_CTX_get_crl_fn X509_STORE_CTX_get_get_crl(X509_STORE_CTX *ctx);
\& X509_STORE_CTX_check_crl_fn X509_STORE_CTX_get_check_crl(X509_STORE_CTX *ctx);
\& X509_STORE_CTX_cert_crl_fn X509_STORE_CTX_get_cert_crl(X509_STORE_CTX *ctx);
\& X509_STORE_CTX_check_policy_fn X509_STORE_CTX_get_check_policy(X509_STORE_CTX *ctx);
\& X509_STORE_CTX_lookup_certs_fn X509_STORE_CTX_get_lookup_certs(X509_STORE_CTX *ctx);
\& X509_STORE_CTX_lookup_crls_fn X509_STORE_CTX_get_lookup_crls(X509_STORE_CTX *ctx);
\& X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(X509_STORE_CTX *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBX509_STORE_CTX_set_verify_cb()\fR sets the verification callback of \fBctx\fR to
\&\fBverify_cb\fR overwriting any existing callback.
.PP
The verification callback can be used to customise the operation of certificate
verification, either by overriding error conditions or logging errors for
debugging purposes.
.PP
However, a verification callback is \fBnot\fR essential and the default operation
is often sufficient.
.PP
The \fBok\fR parameter to the callback indicates the value the callback should
return to retain the default behaviour. If it is zero then an error condition
is indicated. If it is 1 then no error occurred. If the flag
\&\fBX509_V_FLAG_NOTIFY_POLICY\fR is set then \fBok\fR is set to 2 to indicate the
policy checking is complete.
.PP
The \fBctx\fR parameter to the callback is the \fBX509_STORE_CTX\fR structure that
is performing the verification operation. A callback can examine this
structure and receive additional information about the error, for example
by calling \fBX509_STORE_CTX_get_current_cert()\fR. Additional application data can
be passed to the callback via the \fBex_data\fR mechanism.
.PP
\&\fBX509_STORE_CTX_get_verify_cb()\fR returns the value of the current callback
for the specific \fBctx\fR.
.PP
\&\fBX509_STORE_CTX_get_get_issuer()\fR,
\&\fBX509_STORE_CTX_get_check_issued()\fR, \fBX509_STORE_CTX_get_check_revocation()\fR,
\&\fBX509_STORE_CTX_get_get_crl()\fR, \fBX509_STORE_CTX_get_check_crl()\fR,
\&\fBX509_STORE_CTX_get_cert_crl()\fR, \fBX509_STORE_CTX_get_check_policy()\fR,
\&\fBX509_STORE_CTX_get_lookup_certs()\fR, \fBX509_STORE_CTX_get_lookup_crls()\fR
and \fBX509_STORE_CTX_get_cleanup()\fR return the function pointers cached
from the corresponding \fBX509_STORE\fR, please see
\&\fBX509_STORE_set_verify\fR\|(3) for more information.
.SH "WARNINGS"
.IX Header "WARNINGS"
In general a verification callback should \fB\s-1NOT\s0\fR unconditionally return 1 in
all circumstances because this will allow verification to succeed no matter
what the error. This effectively removes all security from the application
because \fBany\fR certificate (including untrusted generated ones) will be
accepted.
.SH "NOTES"
.IX Header "NOTES"
The verification callback can be set and inherited from the parent structure
performing the operation. In some cases (such as S/MIME verification) the
\&\fBX509_STORE_CTX\fR structure is created and destroyed internally and the
only way to set a custom verification callback is by inheriting it from the
associated \fBX509_STORE\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_STORE_CTX_set_verify_cb()\fR does not return a value.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Default callback operation:
.PP
.Vb 3
\& int verify_callback(int ok, X509_STORE_CTX *ctx) {
\& return ok;
\& }
.Ve
.PP
Simple example, suppose a certificate in the chain is expired and we wish
to continue after this error:
.PP
.Vb 7
\& int verify_callback(int ok, X509_STORE_CTX *ctx) {
\& /* Tolerate certificate expiration */
\& if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED)
\& return 1;
\& /* Otherwise don\*(Aqt override */
\& return ok;
\& }
.Ve
.PP
More complex example, we don't wish to continue after \fBany\fR certificate has
expired just one specific case:
.PP
.Vb 4
\& int verify_callback(int ok, X509_STORE_CTX *ctx)
\& {
\& int err = X509_STORE_CTX_get_error(ctx);
\& X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx);
\&
\& if (err == X509_V_ERR_CERT_HAS_EXPIRED) {
\& if (check_is_acceptable_expired_cert(err_cert)
\& return 1;
\& }
\& return ok;
\& }
.Ve
.PP
Full featured logging callback. In this case the \fBbio_err\fR is assumed to be
a global logging \fB\s-1BIO\s0\fR, an alternative would to store a \s-1BIO\s0 in \fBctx\fR using
\&\fBex_data\fR.
.PP
.Vb 4
\& int verify_callback(int ok, X509_STORE_CTX *ctx)
\& {
\& X509 *err_cert;
\& int err, depth;
\&
\& err_cert = X509_STORE_CTX_get_current_cert(ctx);
\& err = X509_STORE_CTX_get_error(ctx);
\& depth = X509_STORE_CTX_get_error_depth(ctx);
\&
\& BIO_printf(bio_err, "depth=%d ", depth);
\& if (err_cert) {
\& X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert),
\& 0, XN_FLAG_ONELINE);
\& BIO_puts(bio_err, "\en");
\& }
\& else
\& BIO_puts(bio_err, "<no cert>\en");
\& if (!ok)
\& BIO_printf(bio_err, "verify error:num=%d:%s\en", err,
\& X509_verify_cert_error_string(err));
\& switch (err) {
\& case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
\& BIO_puts(bio_err, "issuer= ");
\& X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert),
\& 0, XN_FLAG_ONELINE);
\& BIO_puts(bio_err, "\en");
\& break;
\& case X509_V_ERR_CERT_NOT_YET_VALID:
\& case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
\& BIO_printf(bio_err, "notBefore=");
\& ASN1_TIME_print(bio_err, X509_get_notBefore(err_cert));
\& BIO_printf(bio_err, "\en");
\& break;
\& case X509_V_ERR_CERT_HAS_EXPIRED:
\& case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
\& BIO_printf(bio_err, "notAfter=");
\& ASN1_TIME_print(bio_err, X509_get_notAfter(err_cert));
\& BIO_printf(bio_err, "\en");
\& break;
\& case X509_V_ERR_NO_EXPLICIT_POLICY:
\& policies_print(bio_err, ctx);
\& break;
\& }
\& if (err == X509_V_OK && ok == 2)
\& /* print out policies */
\&
\& BIO_printf(bio_err, "verify return:%d\en", ok);
\& return(ok);
\& }
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_STORE_CTX_get_error\fR\|(3)
\&\fBX509_STORE_set_verify_cb_func\fR\|(3)
\&\fBX509_STORE_CTX_get_ex_new_index\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The
\&\fBX509_STORE_CTX_get_get_issuer()\fR,
\&\fBX509_STORE_CTX_get_check_issued()\fR, \fBX509_STORE_CTX_get_check_revocation()\fR,
\&\fBX509_STORE_CTX_get_get_crl()\fR, \fBX509_STORE_CTX_get_check_crl()\fR,
\&\fBX509_STORE_CTX_get_cert_crl()\fR, \fBX509_STORE_CTX_get_check_policy()\fR,
\&\fBX509_STORE_CTX_get_lookup_certs()\fR, \fBX509_STORE_CTX_get_lookup_crls()\fR
and \fBX509_STORE_CTX_get_cleanup()\fR functions were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2009\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_add_cert.3 b/secure/lib/libcrypto/man/man3/X509_STORE_add_cert.3
index f8301719ad0c..0b6c11f12b34 100644
--- a/secure/lib/libcrypto/man/man3/X509_STORE_add_cert.3
+++ b/secure/lib/libcrypto/man/man3/X509_STORE_add_cert.3
@@ -1,243 +1,243 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_STORE_ADD_CERT 3"
-.TH X509_STORE_ADD_CERT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_STORE_ADD_CERT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_STORE, X509_STORE_add_cert, X509_STORE_add_crl, X509_STORE_set_depth, X509_STORE_set_flags, X509_STORE_set_purpose, X509_STORE_set_trust, X509_STORE_add_lookup, X509_STORE_load_locations, X509_STORE_set_default_paths \&\- X509_STORE manipulation
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509_vfy.h>
\&
\& typedef x509_store_st X509_STORE;
\&
\& int X509_STORE_add_cert(X509_STORE *ctx, X509 *x);
\& int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x);
\& int X509_STORE_set_depth(X509_STORE *store, int depth);
\& int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags);
\& int X509_STORE_set_purpose(X509_STORE *ctx, int purpose);
\& int X509_STORE_set_trust(X509_STORE *ctx, int trust);
\&
\& X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *store,
\& X509_LOOKUP_METHOD *meth);
\&
\& int X509_STORE_load_locations(X509_STORE *ctx,
\& const char *file, const char *dir);
\& int X509_STORE_set_default_paths(X509_STORE *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBX509_STORE\fR structure is intended to be a consolidated mechanism for
holding information about X.509 certificates and CRLs, and constructing
and validating chains of certificates terminating in trusted roots.
It admits multiple lookup mechanisms and efficient scaling performance
with large numbers of certificates, and a great deal of flexibility in
how validation and policy checks are performed.
.PP
\&\fBX509_STORE_new\fR\|(3) creates an empty \fBX509_STORE\fR structure, which contains
no information about trusted certificates or where such certificates
are located on disk, and is generally not usable. Normally, trusted
certificates will be added to the \fBX509_STORE\fR to prepare it for use,
via mechanisms such as \fBX509_STORE_add_lookup()\fR and \fBX509_LOOKUP_file()\fR, or
\&\fBPEM_read_bio_X509_AUX()\fR and \fBX509_STORE_add_cert()\fR. CRLs can also be added,
and many behaviors configured as desired.
.PP
Once the \fBX509_STORE\fR is suitably configured, \fBX509_STORE_CTX_new()\fR is
used to instantiate a single-use \fBX509_STORE_CTX\fR for each chain-building
and verification operation. That process includes providing the end-entity
certificate to be verified and an additional set of untrusted certificates
that may be used in chain-building. As such, it is expected that the
certificates included in the \fBX509_STORE\fR are certificates that represent
trusted entities such as root certificate authorities (CAs).
OpenSSL represents these trusted certificates internally as \fBX509\fR objects
with an associated \fBX509_CERT_AUX\fR, as are produced by
\&\fBPEM_read_bio_X509_AUX()\fR and similar routines that refer to X509_AUX.
The public interfaces that operate on such trusted certificates still
operate on pointers to \fBX509\fR objects, though.
.PP
\&\fBX509_STORE_add_cert()\fR and \fBX509_STORE_add_crl()\fR add the respective object
to the \fBX509_STORE\fR's local storage. Untrusted objects should not be
added in this way. The added object's reference count is incremented by one,
hence the caller retains ownership of the object and needs to free it when it
is no longer needed.
.PP
\&\fBX509_STORE_set_depth()\fR, \fBX509_STORE_set_flags()\fR, \fBX509_STORE_set_purpose()\fR,
\&\fBX509_STORE_set_trust()\fR, and \fBX509_STORE_set1_param()\fR set the default values
for the corresponding values used in certificate chain validation. Their
behavior is documented in the corresponding \fBX509_VERIFY_PARAM\fR manual
pages, e.g., \fBX509_VERIFY_PARAM_set_depth\fR\|(3).
.PP
\&\fBX509_STORE_add_lookup()\fR finds or creates a \fBX509_LOOKUP\fR\|(3) with the
\&\fBX509_LOOKUP_METHOD\fR\|(3) \fImeth\fR and adds it to the \fBX509_STORE\fR
\&\fIstore\fR. This also associates the \fBX509_STORE\fR with the lookup, so
\&\fBX509_LOOKUP\fR functions can look up objects in that store.
.PP
\&\fBX509_STORE_load_locations()\fR loads trusted certificate(s) into an
\&\fBX509_STORE\fR from a given file and/or directory path. It is permitted
to specify just a file, just a directory, or both paths. The certificates
in the directory must be in hashed form, as documented in
\&\fBX509_LOOKUP_hash_dir\fR\|(3).
.PP
\&\fBX509_STORE_set_default_paths()\fR is somewhat misnamed, in that it does not
set what default paths should be used for loading certificates. Instead,
it loads certificates into the \fBX509_STORE\fR from the hardcoded default
paths.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_STORE_add_cert()\fR, \fBX509_STORE_add_crl()\fR, \fBX509_STORE_set_depth()\fR,
\&\fBX509_STORE_set_flags()\fR, \fBX509_STORE_set_purpose()\fR,
\&\fBX509_STORE_set_trust()\fR, \fBX509_STORE_load_locations()\fR, and
\&\fBX509_STORE_set_default_paths()\fR return 1 on success or 0 on failure.
.PP
\&\fBX509_STORE_add_lookup()\fR returns the found or created
\&\fBX509_LOOKUP\fR\|(3), or \s-1NULL\s0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_LOOKUP_hash_dir\fR\|(3).
\&\fBX509_VERIFY_PARAM_set_depth\fR\|(3).
\&\fBX509_STORE_new\fR\|(3),
\&\fBX509_STORE_get0_param\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_get0_param.3 b/secure/lib/libcrypto/man/man3/X509_STORE_get0_param.3
index 6c0db908941c..aae9c1bd6ea7 100644
--- a/secure/lib/libcrypto/man/man3/X509_STORE_get0_param.3
+++ b/secure/lib/libcrypto/man/man3/X509_STORE_get0_param.3
@@ -1,186 +1,186 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_STORE_GET0_PARAM 3"
-.TH X509_STORE_GET0_PARAM 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_STORE_GET0_PARAM 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_STORE_get0_param, X509_STORE_set1_param, X509_STORE_get0_objects \- X509_STORE setter and getter functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509_vfy.h>
\&
\& X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *ctx);
\& int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *pm);
\& STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBX509_STORE_set1_param()\fR sets the verification parameters
to \fBpm\fR for \fBctx\fR.
.PP
\&\fBX509_STORE_get0_param()\fR retrieves an internal pointer to the verification
parameters for \fBctx\fR. The returned pointer must not be freed by the
calling application
.PP
\&\fBX509_STORE_get0_objects()\fR retrieve an internal pointer to the store's
X509 object cache. The cache contains \fBX509\fR and \fBX509_CRL\fR objects. The
returned pointer must not be freed by the calling application.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_STORE_get0_param()\fR returns a pointer to an
\&\fBX509_VERIFY_PARAM\fR structure.
.PP
\&\fBX509_STORE_set1_param()\fR returns 1 for success and 0 for failure.
.PP
\&\fBX509_STORE_get0_objects()\fR returns a pointer to a stack of \fBX509_OBJECT\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_STORE_new\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBX509_STORE_get0_param\fR and \fBX509_STORE_get0_objects\fR were added in
OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_new.3 b/secure/lib/libcrypto/man/man3/X509_STORE_new.3
index 17eb95537328..a61844003a74 100644
--- a/secure/lib/libcrypto/man/man3/X509_STORE_new.3
+++ b/secure/lib/libcrypto/man/man3/X509_STORE_new.3
@@ -1,188 +1,188 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_STORE_NEW 3"
-.TH X509_STORE_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_STORE_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_STORE_new, X509_STORE_up_ref, X509_STORE_free, X509_STORE_lock, X509_STORE_unlock \- X509_STORE allocation, freeing and locking functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509_vfy.h>
\&
\& X509_STORE *X509_STORE_new(void);
\& void X509_STORE_free(X509_STORE *v);
\& int X509_STORE_lock(X509_STORE *v);
\& int X509_STORE_unlock(X509_STORE *v);
\& int X509_STORE_up_ref(X509_STORE *v);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBX509_STORE_new()\fR function returns a new X509_STORE.
.PP
\&\fBX509_STORE_up_ref()\fR increments the reference count associated with the
X509_STORE object.
.PP
\&\fBX509_STORE_lock()\fR locks the store from modification by other threads,
\&\fBX509_STORE_unlock()\fR unlocks it.
.PP
\&\fBX509_STORE_free()\fR frees up a single X509_STORE object.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_STORE_new()\fR returns a newly created X509_STORE or \s-1NULL\s0 if the call fails.
.PP
\&\fBX509_STORE_up_ref()\fR, \fBX509_STORE_lock()\fR and \fBX509_STORE_unlock()\fR return
1 for success and 0 for failure.
.PP
\&\fBX509_STORE_free()\fR does not return values.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_STORE_set_verify_cb_func\fR\|(3)
\&\fBX509_STORE_get0_param\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBX509_STORE_up_ref()\fR, \fBX509_STORE_lock()\fR and \fBX509_STORE_unlock()\fR
functions were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_STORE_set_verify_cb_func.3 b/secure/lib/libcrypto/man/man3/X509_STORE_set_verify_cb_func.3
index 817a1132c914..9dbc4ef04e80 100644
--- a/secure/lib/libcrypto/man/man3/X509_STORE_set_verify_cb_func.3
+++ b/secure/lib/libcrypto/man/man3/X509_STORE_set_verify_cb_func.3
@@ -1,364 +1,364 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_STORE_SET_VERIFY_CB_FUNC 3"
-.TH X509_STORE_SET_VERIFY_CB_FUNC 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_STORE_SET_VERIFY_CB_FUNC 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_STORE_set_lookup_crls_cb, X509_STORE_set_verify_func, X509_STORE_get_cleanup, X509_STORE_set_cleanup, X509_STORE_get_lookup_crls, X509_STORE_set_lookup_crls, X509_STORE_get_lookup_certs, X509_STORE_set_lookup_certs, X509_STORE_get_check_policy, X509_STORE_set_check_policy, X509_STORE_get_cert_crl, X509_STORE_set_cert_crl, X509_STORE_get_check_crl, X509_STORE_set_check_crl, X509_STORE_get_get_crl, X509_STORE_set_get_crl, X509_STORE_get_check_revocation, X509_STORE_set_check_revocation, X509_STORE_get_check_issued, X509_STORE_set_check_issued, X509_STORE_get_get_issuer, X509_STORE_set_get_issuer, X509_STORE_CTX_get_verify, X509_STORE_set_verify, X509_STORE_get_verify_cb, X509_STORE_set_verify_cb_func, X509_STORE_set_verify_cb, X509_STORE_CTX_cert_crl_fn, X509_STORE_CTX_check_crl_fn, X509_STORE_CTX_check_issued_fn, X509_STORE_CTX_check_policy_fn, X509_STORE_CTX_check_revocation_fn, X509_STORE_CTX_cleanup_fn, X509_STORE_CTX_get_crl_fn, X509_STORE_CTX_get_issuer_fn, X509_STORE_CTX_lookup_certs_fn, X509_STORE_CTX_lookup_crls_fn \&\- set verification callback
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509_vfy.h>
\&
\& typedef int (*X509_STORE_CTX_get_issuer_fn)(X509 **issuer,
\& X509_STORE_CTX *ctx, X509 *x);
\& typedef int (*X509_STORE_CTX_check_issued_fn)(X509_STORE_CTX *ctx,
\& X509 *x, X509 *issuer);
\& typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx);
\& typedef int (*X509_STORE_CTX_get_crl_fn)(X509_STORE_CTX *ctx,
\& X509_CRL **crl, X509 *x);
\& typedef int (*X509_STORE_CTX_check_crl_fn)(X509_STORE_CTX *ctx, X509_CRL *crl);
\& typedef int (*X509_STORE_CTX_cert_crl_fn)(X509_STORE_CTX *ctx,
\& X509_CRL *crl, X509 *x);
\& typedef int (*X509_STORE_CTX_check_policy_fn)(X509_STORE_CTX *ctx);
\& typedef STACK_OF(X509) *(*X509_STORE_CTX_lookup_certs_fn)(X509_STORE_CTX *ctx,
\& X509_NAME *nm);
\& typedef STACK_OF(X509_CRL) *(*X509_STORE_CTX_lookup_crls_fn)(X509_STORE_CTX *ctx,
\& X509_NAME *nm);
\& typedef int (*X509_STORE_CTX_cleanup_fn)(X509_STORE_CTX *ctx);
\&
\& void X509_STORE_set_verify_cb(X509_STORE *ctx,
\& X509_STORE_CTX_verify_cb verify_cb);
\& X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(X509_STORE_CTX *ctx);
\&
\& void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify_fn verify);
\& X509_STORE_CTX_verify_fn X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx);
\&
\& void X509_STORE_set_get_issuer(X509_STORE *ctx,
\& X509_STORE_CTX_get_issuer_fn get_issuer);
\& X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(X509_STORE_CTX *ctx);
\&
\& void X509_STORE_set_check_issued(X509_STORE *ctx,
\& X509_STORE_CTX_check_issued_fn check_issued);
\& X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(X509_STORE_CTX *ctx);
\&
\& void X509_STORE_set_check_revocation(X509_STORE *ctx,
\& X509_STORE_CTX_check_revocation_fn check_revocation);
\& X509_STORE_CTX_check_revocation_fn X509_STORE_get_check_revocation(X509_STORE_CTX *ctx);
\&
\& void X509_STORE_set_get_crl(X509_STORE *ctx,
\& X509_STORE_CTX_get_crl_fn get_crl);
\& X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(X509_STORE_CTX *ctx);
\&
\& void X509_STORE_set_check_crl(X509_STORE *ctx,
\& X509_STORE_CTX_check_crl_fn check_crl);
\& X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(X509_STORE_CTX *ctx);
\&
\& void X509_STORE_set_cert_crl(X509_STORE *ctx,
\& X509_STORE_CTX_cert_crl_fn cert_crl);
\& X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(X509_STORE_CTX *ctx);
\&
\& void X509_STORE_set_check_policy(X509_STORE *ctx,
\& X509_STORE_CTX_check_policy_fn check_policy);
\& X509_STORE_CTX_check_policy_fn X509_STORE_get_check_policy(X509_STORE_CTX *ctx);
\&
\& void X509_STORE_set_lookup_certs(X509_STORE *ctx,
\& X509_STORE_CTX_lookup_certs_fn lookup_certs);
\& X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(X509_STORE_CTX *ctx);
\&
\& void X509_STORE_set_lookup_crls(X509_STORE *ctx,
\& X509_STORE_CTX_lookup_crls_fn lookup_crls);
\& X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(X509_STORE_CTX *ctx);
\&
\& void X509_STORE_set_cleanup(X509_STORE *ctx,
\& X509_STORE_CTX_cleanup_fn cleanup);
\& X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(X509_STORE_CTX *ctx);
\&
\& /* Aliases */
\& void X509_STORE_set_verify_cb_func(X509_STORE *st,
\& X509_STORE_CTX_verify_cb verify_cb);
\& void X509_STORE_set_verify_func(X509_STORE *ctx,
\& X509_STORE_CTX_verify_fn verify);
\& void X509_STORE_set_lookup_crls_cb(X509_STORE *ctx,
\& X509_STORE_CTX_lookup_crls_fn lookup_crls);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBX509_STORE_set_verify_cb()\fR sets the verification callback of \fBctx\fR to
\&\fBverify_cb\fR overwriting the previous callback.
The callback assigned with this function becomes a default for the one
that can be assigned directly to the corresponding \fBX509_STORE_CTX\fR,
please see \fBX509_STORE_CTX_set_verify_cb\fR\|(3) for further information.
.PP
\&\fBX509_STORE_set_verify()\fR sets the final chain verification function for
\&\fBctx\fR to \fBverify\fR.
Its purpose is to go through the chain of certificates and check that
all signatures are valid and that the current time is within the
limits of each certificate's first and last validity time.
The final chain verification functions must return 0 on failure and 1
on success.
\&\fIIf no chain verification function is provided, the internal default
function will be used instead.\fR
.PP
\&\fBX509_STORE_set_get_issuer()\fR sets the function to get the issuer
certificate that verifies the given certificate \fBx\fR.
When found, the issuer certificate must be assigned to \fB*issuer\fR.
This function must return 0 on failure and 1 on success.
\&\fIIf no function to get the issuer is provided, the internal default
function will be used instead.\fR
.PP
\&\fBX509_STORE_set_check_issued()\fR sets the function to check that a given
certificate \fBx\fR is issued by the issuer certificate \fBissuer\fR.
This function must return 0 on failure (among others if \fBx\fR hasn't
been issued with \fBissuer\fR) and 1 on success.
\&\fIIf no function to get the issuer is provided, the internal default
function will be used instead.\fR
.PP
\&\fBX509_STORE_set_check_revocation()\fR sets the revocation checking
function.
Its purpose is to look through the final chain and check the
revocation status for each certificate.
It must return 0 on failure and 1 on success.
\&\fIIf no function to get the issuer is provided, the internal default
function will be used instead.\fR
.PP
\&\fBX509_STORE_set_get_crl()\fR sets the function to get the crl for a given
certificate \fBx\fR.
When found, the crl must be assigned to \fB*crl\fR.
This function must return 0 on failure and 1 on success.
\&\fIIf no function to get the issuer is provided, the internal default
function will be used instead.\fR
.PP
\&\fBX509_STORE_set_check_crl()\fR sets the function to check the validity of
the given \fBcrl\fR.
This function must return 0 on failure and 1 on success.
\&\fIIf no function to get the issuer is provided, the internal default
function will be used instead.\fR
.PP
\&\fBX509_STORE_set_cert_crl()\fR sets the function to check the revocation
status of the given certificate \fBx\fR against the given \fBcrl\fR.
This function must return 0 on failure and 1 on success.
\&\fIIf no function to get the issuer is provided, the internal default
function will be used instead.\fR
.PP
\&\fBX509_STORE_set_check_policy()\fR sets the function to check the policies
of all the certificates in the final chain..
This function must return 0 on failure and 1 on success.
\&\fIIf no function to get the issuer is provided, the internal default
function will be used instead.\fR
.PP
\&\fBX509_STORE_set_lookup_certs()\fR and \fBX509_STORE_set_lookup_crls()\fR set the
functions to look up all the certs or all the CRLs that match the
given name \fBnm\fR.
These functions return \s-1NULL\s0 on failure and a pointer to a stack of
certificates (\fBX509\fR) or to a stack of CRLs (\fBX509_CRL\fR) on
success.
\&\fIIf no function to get the issuer is provided, the internal default
function will be used instead.\fR
.PP
\&\fBX509_STORE_set_cleanup()\fR sets the final cleanup function, which is
called when the context (\fBX509_STORE_CTX\fR) is being torn down.
This function doesn't return any value.
\&\fIIf no function to get the issuer is provided, the internal default
function will be used instead.\fR
.PP
\&\fBX509_STORE_get_verify_cb()\fR, \fBX509_STORE_CTX_get_verify()\fR,
\&\fBX509_STORE_get_get_issuer()\fR, \fBX509_STORE_get_check_issued()\fR,
\&\fBX509_STORE_get_check_revocation()\fR, \fBX509_STORE_get_get_crl()\fR,
\&\fBX509_STORE_get_check_crl()\fR, \fBX509_STORE_set_verify()\fR,
\&\fBX509_STORE_set_get_issuer()\fR, \fBX509_STORE_get_cert_crl()\fR,
\&\fBX509_STORE_get_check_policy()\fR, \fBX509_STORE_get_lookup_certs()\fR,
\&\fBX509_STORE_get_lookup_crls()\fR and \fBX509_STORE_get_cleanup()\fR all return
the function pointer assigned with \fBX509_STORE_set_check_issued()\fR,
\&\fBX509_STORE_set_check_revocation()\fR, \fBX509_STORE_set_get_crl()\fR,
\&\fBX509_STORE_set_check_crl()\fR, \fBX509_STORE_set_cert_crl()\fR,
\&\fBX509_STORE_set_check_policy()\fR, \fBX509_STORE_set_lookup_certs()\fR,
\&\fBX509_STORE_set_lookup_crls()\fR and \fBX509_STORE_set_cleanup()\fR, or \s-1NULL\s0 if
no assignment has been made.
.PP
\&\fBX509_STORE_set_verify_cb_func()\fR, \fBX509_STORE_set_verify_func()\fR and
\&\fBX509_STORE_set_lookup_crls_cb()\fR are aliases for
\&\fBX509_STORE_set_verify_cb()\fR, \fBX509_STORE_set_verify()\fR and
X509_STORE_set_lookup_crls, available as macros for backward
compatibility.
.SH "NOTES"
.IX Header "NOTES"
All the callbacks from a \fBX509_STORE\fR are inherited by the
corresponding \fBX509_STORE_CTX\fR structure when it is initialized.
See \fBX509_STORE_CTX_set_verify_cb\fR\|(3) for further details.
.SH "BUGS"
.IX Header "BUGS"
The macro version of this function was the only one available before
OpenSSL 1.0.0.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The X509_STORE_set_*() functions do not return a value.
.PP
The X509_STORE_get_*() functions return a pointer of the appropriate
function type.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_STORE_CTX_set_verify_cb\fR\|(3), \fBX509_STORE_CTX_get0_chain\fR\|(3),
\&\fBX509_STORE_CTX_verify_cb\fR\|(3), \fBX509_STORE_CTX_verify_fn\fR\|(3),
\&\fBCMS_verify\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBX509_STORE_set_verify_cb()\fR function was added in OpenSSL 1.0.0.
.PP
The functions
\&\fBX509_STORE_set_verify_cb()\fR, \fBX509_STORE_get_verify_cb()\fR,
\&\fBX509_STORE_set_verify()\fR, \fBX509_STORE_CTX_get_verify()\fR,
\&\fBX509_STORE_set_get_issuer()\fR, \fBX509_STORE_get_get_issuer()\fR,
\&\fBX509_STORE_set_check_issued()\fR, \fBX509_STORE_get_check_issued()\fR,
\&\fBX509_STORE_set_check_revocation()\fR, \fBX509_STORE_get_check_revocation()\fR,
\&\fBX509_STORE_set_get_crl()\fR, \fBX509_STORE_get_get_crl()\fR,
\&\fBX509_STORE_set_check_crl()\fR, \fBX509_STORE_get_check_crl()\fR,
\&\fBX509_STORE_set_cert_crl()\fR, \fBX509_STORE_get_cert_crl()\fR,
\&\fBX509_STORE_set_check_policy()\fR, \fBX509_STORE_get_check_policy()\fR,
\&\fBX509_STORE_set_lookup_certs()\fR, \fBX509_STORE_get_lookup_certs()\fR,
\&\fBX509_STORE_set_lookup_crls()\fR, \fBX509_STORE_get_lookup_crls()\fR,
\&\fBX509_STORE_set_cleanup()\fR and \fBX509_STORE_get_cleanup()\fR
were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2009\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3 b/secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3
index faaaca95210d..64fd6a594828 100644
--- a/secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3
+++ b/secure/lib/libcrypto/man/man3/X509_VERIFY_PARAM_set_flags.3
@@ -1,503 +1,503 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_VERIFY_PARAM_SET_FLAGS 3"
-.TH X509_VERIFY_PARAM_SET_FLAGS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_VERIFY_PARAM_SET_FLAGS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose, X509_VERIFY_PARAM_get_inh_flags, X509_VERIFY_PARAM_set_inh_flags, X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth, X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_auth_level, X509_VERIFY_PARAM_get_auth_level, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_get_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies, X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host, X509_VERIFY_PARAM_set_hostflags, X509_VERIFY_PARAM_get_hostflags, X509_VERIFY_PARAM_get0_peername, X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip, X509_VERIFY_PARAM_set1_ip_asc \&\- X509 verification parameters
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509_vfy.h>
\&
\& int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param,
\& unsigned long flags);
\& int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
\& unsigned long flags);
\& unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param);
\&
\& int X509_VERIFY_PARAM_set_inh_flags(X509_VERIFY_PARAM *param,
\& uint32_t flags);
\& uint32_t X509_VERIFY_PARAM_get_inh_flags(const X509_VERIFY_PARAM *param);
\&
\& int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose);
\& int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust);
\&
\& void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t);
\& time_t X509_VERIFY_PARAM_get_time(const X509_VERIFY_PARAM *param);
\&
\& int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
\& ASN1_OBJECT *policy);
\& int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
\& STACK_OF(ASN1_OBJECT) *policies);
\&
\& void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth);
\& int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param);
\&
\& void X509_VERIFY_PARAM_set_auth_level(X509_VERIFY_PARAM *param,
\& int auth_level);
\& int X509_VERIFY_PARAM_get_auth_level(const X509_VERIFY_PARAM *param);
\&
\& int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
\& const char *name, size_t namelen);
\& int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
\& const char *name, size_t namelen);
\& void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
\& unsigned int flags);
\& unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param);
\& char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param);
\& int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
\& const char *email, size_t emaillen);
\& int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
\& const unsigned char *ip, size_t iplen);
\& int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions manipulate the \fBX509_VERIFY_PARAM\fR structure associated with
a certificate verification operation.
.PP
The \fBX509_VERIFY_PARAM_set_flags()\fR function sets the flags in \fBparam\fR by oring
it with \fBflags\fR. See the \fB\s-1VERIFICATION FLAGS\s0\fR section for a complete
description of values the \fBflags\fR parameter can take.
.PP
\&\fBX509_VERIFY_PARAM_get_flags()\fR returns the flags in \fBparam\fR.
.PP
\&\fBX509_VERIFY_PARAM_get_inh_flags()\fR returns the inheritance flags in \fBparam\fR
which specifies how verification flags are copied from one structure to
another. \fBX509_VERIFY_PARAM_set_inh_flags()\fR sets the inheritance flags.
See the \fB\s-1INHERITANCE FLAGS\s0\fR section for a description of these bits.
.PP
\&\fBX509_VERIFY_PARAM_clear_flags()\fR clears the flags \fBflags\fR in \fBparam\fR.
.PP
\&\fBX509_VERIFY_PARAM_set_purpose()\fR sets the verification purpose in \fBparam\fR
to \fBpurpose\fR. This determines the acceptable purpose of the certificate
chain, for example \s-1SSL\s0 client or \s-1SSL\s0 server.
.PP
\&\fBX509_VERIFY_PARAM_set_trust()\fR sets the trust setting in \fBparam\fR to
\&\fBtrust\fR.
.PP
\&\fBX509_VERIFY_PARAM_set_time()\fR sets the verification time in \fBparam\fR to
\&\fBt\fR. Normally the current time is used.
.PP
\&\fBX509_VERIFY_PARAM_add0_policy()\fR enables policy checking (it is disabled
by default) and adds \fBpolicy\fR to the acceptable policy set.
.PP
\&\fBX509_VERIFY_PARAM_set1_policies()\fR enables policy checking (it is disabled
by default) and sets the acceptable policy set to \fBpolicies\fR. Any existing
policy set is cleared. The \fBpolicies\fR parameter can be \fB\s-1NULL\s0\fR to clear
an existing policy set.
.PP
\&\fBX509_VERIFY_PARAM_set_depth()\fR sets the maximum verification depth to \fBdepth\fR.
That is the maximum number of intermediate \s-1CA\s0 certificates that can appear in a
chain.
A maximal depth chain contains 2 more certificates than the limit, since
neither the end-entity certificate nor the trust-anchor count against this
limit.
Thus a \fBdepth\fR limit of 0 only allows the end-entity certificate to be signed
directly by the trust-anchor, while with a \fBdepth\fR limit of 1 there can be one
intermediate \s-1CA\s0 certificate between the trust-anchor and the end-entity
certificate.
.PP
\&\fBX509_VERIFY_PARAM_set_auth_level()\fR sets the authentication security level to
\&\fBauth_level\fR.
The authentication security level determines the acceptable signature and public
key strength when verifying certificate chains.
For a certificate chain to validate, the public keys of all the certificates
must meet the specified security level.
The signature algorithm security level is not enforced for the chain's \fItrust
anchor\fR certificate, which is either directly trusted or validated by means other
than its signature.
See \fBSSL_CTX_set_security_level\fR\|(3) for the definitions of the available
levels.
The default security level is \-1, or \*(L"not set\*(R".
At security level 0 or lower all algorithms are acceptable.
Security level 1 requires at least 80\-bit\-equivalent security and is broadly
interoperable, though it will, for example, reject \s-1MD5\s0 signatures or \s-1RSA\s0 keys
shorter than 1024 bits.
.PP
\&\fBX509_VERIFY_PARAM_set1_host()\fR sets the expected \s-1DNS\s0 hostname to
\&\fBname\fR clearing any previously specified hostname or names. If
\&\fBname\fR is \s-1NULL,\s0 or empty the list of hostnames is cleared, and
name checks are not performed on the peer certificate. If \fBname\fR
is NUL-terminated, \fBnamelen\fR may be zero, otherwise \fBnamelen\fR
must be set to the length of \fBname\fR.
.PP
When a hostname is specified,
certificate verification automatically invokes \fBX509_check_host\fR\|(3)
with flags equal to the \fBflags\fR argument given to
\&\fBX509_VERIFY_PARAM_set_hostflags()\fR (default zero). Applications
are strongly advised to use this interface in preference to explicitly
calling \fBX509_check_host\fR\|(3), hostname checks may be out of scope
with the \s-1\fBDANE\-EE\s0\fR\|(3) certificate usage, and the internal check will
be suppressed as appropriate when \s-1DANE\s0 verification is enabled.
.PP
When the subject CommonName will not be ignored, whether as a result of the
\&\fBX509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT\fR host flag, or because no \s-1DNS\s0 subject
alternative names are present in the certificate, any \s-1DNS\s0 name constraints in
issuer certificates apply to the subject CommonName as well as the subject
alternative name extension.
.PP
When the subject CommonName will be ignored, whether as a result of the
\&\fBX509_CHECK_FLAG_NEVER_CHECK_SUBJECT\fR host flag, or because some \s-1DNS\s0 subject
alternative names are present in the certificate, \s-1DNS\s0 name constraints in
issuer certificates will not be applied to the subject \s-1DN.\s0
As described in \fBX509_check_host\fR\|(3) the \fBX509_CHECK_FLAG_NEVER_CHECK_SUBJECT\fR
flag takes precedence over the \fBX509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT\fR flag.
.PP
\&\fBX509_VERIFY_PARAM_get_hostflags()\fR returns any host flags previously set via a
call to \fBX509_VERIFY_PARAM_set_hostflags()\fR.
.PP
\&\fBX509_VERIFY_PARAM_add1_host()\fR adds \fBname\fR as an additional reference
identifier that can match the peer's certificate. Any previous names
set via \fBX509_VERIFY_PARAM_set1_host()\fR or \fBX509_VERIFY_PARAM_add1_host()\fR
are retained, no change is made if \fBname\fR is \s-1NULL\s0 or empty. When
multiple names are configured, the peer is considered verified when
any name matches.
.PP
\&\fBX509_VERIFY_PARAM_get0_peername()\fR returns the \s-1DNS\s0 hostname or subject
CommonName from the peer certificate that matched one of the reference
identifiers. When wildcard matching is not disabled, or when a
reference identifier specifies a parent domain (starts with \*(L".\*(R")
rather than a hostname, the peer name may be a wildcard name or a
sub-domain of the reference identifier respectively. The return
string is allocated by the library and is no longer valid once the
associated \fBparam\fR argument is freed. Applications must not free
the return value.
.PP
\&\fBX509_VERIFY_PARAM_set1_email()\fR sets the expected \s-1RFC822\s0 email address to
\&\fBemail\fR. If \fBemail\fR is NUL-terminated, \fBemaillen\fR may be zero, otherwise
\&\fBemaillen\fR must be set to the length of \fBemail\fR. When an email address
is specified, certificate verification automatically invokes
\&\fBX509_check_email\fR\|(3).
.PP
\&\fBX509_VERIFY_PARAM_set1_ip()\fR sets the expected \s-1IP\s0 address to \fBip\fR.
The \fBip\fR argument is in binary format, in network byte-order and
\&\fBiplen\fR must be set to 4 for IPv4 and 16 for IPv6. When an \s-1IP\s0
address is specified, certificate verification automatically invokes
\&\fBX509_check_ip\fR\|(3).
.PP
\&\fBX509_VERIFY_PARAM_set1_ip_asc()\fR sets the expected \s-1IP\s0 address to
\&\fBipasc\fR. The \fBipasc\fR argument is a NUL-terminal \s-1ASCII\s0 string:
dotted decimal quad for IPv4 and colon-separated hexadecimal for
IPv6. The condensed \*(L"::\*(R" notation is supported for IPv6 addresses.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_VERIFY_PARAM_set_flags()\fR, \fBX509_VERIFY_PARAM_clear_flags()\fR,
\&\fBX509_VERIFY_PARAM_set_inh_flags()\fR,
\&\fBX509_VERIFY_PARAM_set_purpose()\fR, \fBX509_VERIFY_PARAM_set_trust()\fR,
\&\fBX509_VERIFY_PARAM_add0_policy()\fR \fBX509_VERIFY_PARAM_set1_policies()\fR,
\&\fBX509_VERIFY_PARAM_set1_host()\fR, \fBX509_VERIFY_PARAM_add1_host()\fR,
\&\fBX509_VERIFY_PARAM_set1_email()\fR, \fBX509_VERIFY_PARAM_set1_ip()\fR and
\&\fBX509_VERIFY_PARAM_set1_ip_asc()\fR return 1 for success and 0 for
failure.
.PP
\&\fBX509_VERIFY_PARAM_get_flags()\fR returns the current verification flags.
.PP
\&\fBX509_VERIFY_PARAM_get_hostflags()\fR returns any current host flags.
.PP
\&\fBX509_VERIFY_PARAM_get_inh_flags()\fR returns the current inheritance flags.
.PP
\&\fBX509_VERIFY_PARAM_set_time()\fR and \fBX509_VERIFY_PARAM_set_depth()\fR do not return
values.
.PP
\&\fBX509_VERIFY_PARAM_get_depth()\fR returns the current verification depth.
.PP
\&\fBX509_VERIFY_PARAM_get_auth_level()\fR returns the current authentication security
level.
.SH "VERIFICATION FLAGS"
.IX Header "VERIFICATION FLAGS"
The verification flags consists of zero or more of the following flags
ored together.
.PP
\&\fBX509_V_FLAG_CRL_CHECK\fR enables \s-1CRL\s0 checking for the certificate chain leaf
certificate. An error occurs if a suitable \s-1CRL\s0 cannot be found.
.PP
\&\fBX509_V_FLAG_CRL_CHECK_ALL\fR enables \s-1CRL\s0 checking for the entire certificate
chain.
.PP
\&\fBX509_V_FLAG_IGNORE_CRITICAL\fR disabled critical extension checking. By default
any unhandled critical extensions in certificates or (if checked) CRLs results
in a fatal error. If this flag is set unhandled critical extensions are
ignored. \fB\s-1WARNING\s0\fR setting this option for anything other than debugging
purposes can be a security risk. Finer control over which extensions are
supported can be performed in the verification callback.
.PP
The \fBX509_V_FLAG_X509_STRICT\fR flag disables workarounds for some broken
certificates and makes the verification strictly apply \fBX509\fR rules.
.PP
\&\fBX509_V_FLAG_ALLOW_PROXY_CERTS\fR enables proxy certificate verification.
.PP
\&\fBX509_V_FLAG_POLICY_CHECK\fR enables certificate policy checking, by default
no policy checking is performed. Additional information is sent to the
verification callback relating to policy checking.
.PP
\&\fBX509_V_FLAG_EXPLICIT_POLICY\fR, \fBX509_V_FLAG_INHIBIT_ANY\fR and
\&\fBX509_V_FLAG_INHIBIT_MAP\fR set the \fBrequire explicit policy\fR, \fBinhibit any
policy\fR and \fBinhibit policy mapping\fR flags respectively as defined in
\&\fB\s-1RFC3280\s0\fR. Policy checking is automatically enabled if any of these flags
are set.
.PP
If \fBX509_V_FLAG_NOTIFY_POLICY\fR is set and the policy checking is successful
a special status code is set to the verification callback. This permits it
to examine the valid policy tree and perform additional checks or simply
log it for debugging purposes.
.PP
By default some additional features such as indirect CRLs and CRLs signed by
different keys are disabled. If \fBX509_V_FLAG_EXTENDED_CRL_SUPPORT\fR is set
they are enabled.
.PP
If \fBX509_V_FLAG_USE_DELTAS\fR is set delta CRLs (if present) are used to
determine certificate status. If not set deltas are ignored.
.PP
\&\fBX509_V_FLAG_CHECK_SS_SIGNATURE\fR requests checking the signature of
the last certificate in a chain if the certificate is supposedly self-signed.
This is prohibited and will result in an error if it is a non-conforming \s-1CA\s0
certificate with key usage restrictions not including the keyCertSign bit.
By default this check is disabled because it doesn't
add any additional security but in some cases applications might want to
check the signature anyway. A side effect of not checking the self-signature
of such a certificate is that disabled or unsupported message digests used for
the signature are not treated as fatal errors.
.PP
When \fBX509_V_FLAG_TRUSTED_FIRST\fR is set, construction of the certificate chain
in \fBX509_verify_cert\fR\|(3) will search the trust store for issuer certificates
before searching the provided untrusted certificates.
Local issuer certificates are often more likely to satisfy local security
requirements and lead to a locally trusted root.
This is especially important when some certificates in the trust store have
explicit trust settings (see \*(L"\s-1TRUST SETTINGS\*(R"\s0 in \fBx509\fR\|(1)).
As of OpenSSL 1.1.0 this option is on by default.
.PP
The \fBX509_V_FLAG_NO_ALT_CHAINS\fR flag suppresses checking for alternative
chains.
By default, unless \fBX509_V_FLAG_TRUSTED_FIRST\fR is set, when building a
certificate chain, if the first certificate chain found is not trusted, then
OpenSSL will attempt to replace untrusted certificates supplied by the peer
with certificates from the trust store to see if an alternative chain can be
found that is trusted.
As of OpenSSL 1.1.0, with \fBX509_V_FLAG_TRUSTED_FIRST\fR always set, this option
has no effect.
.PP
The \fBX509_V_FLAG_PARTIAL_CHAIN\fR flag causes intermediate certificates in the
trust store to be treated as trust-anchors, in the same way as the self-signed
root \s-1CA\s0 certificates.
This makes it possible to trust certificates issued by an intermediate \s-1CA\s0
without having to trust its ancestor root \s-1CA.\s0
With OpenSSL 1.1.0 and later and <X509_V_FLAG_PARTIAL_CHAIN> set, chain
construction stops as soon as the first certificate from the trust store is
added to the chain, whether that certificate is a self-signed \*(L"root\*(R"
certificate or a not self-signed intermediate certificate.
Thus, when an intermediate certificate is found in the trust store, the
verified chain passed to callbacks may be shorter than it otherwise would
be without the \fBX509_V_FLAG_PARTIAL_CHAIN\fR flag.
.PP
The \fBX509_V_FLAG_NO_CHECK_TIME\fR flag suppresses checking the validity period
of certificates and CRLs against the current time. If \fBX509_VERIFY_PARAM_set_time()\fR
is used to specify a verification time, the check is not suppressed.
.SH "INHERITANCE FLAGS"
.IX Header "INHERITANCE FLAGS"
These flags specify how parameters are \*(L"inherited\*(R" from one structure to
another.
.PP
If \fBX509_VP_FLAG_ONCE\fR is set then the current setting is zeroed
after the next call.
.PP
If \fBX509_VP_FLAG_LOCKED\fR is set then no values are copied. This overrides
all of the following flags.
.PP
If \fBX509_VP_FLAG_DEFAULT\fR is set then anything set in the source is copied
to the destination. Effectively the values in \*(L"to\*(R" become default values
which will be used only if nothing new is set in \*(L"from\*(R". This is the
default.
.PP
If \fBX509_VP_FLAG_OVERWRITE\fR is set then all value are copied across whether
they are set or not. Flags is still Ored though.
.PP
If \fBX509_VP_FLAG_RESET_FLAGS\fR is set then the flags value is copied instead
of ORed.
.SH "NOTES"
.IX Header "NOTES"
The above functions should be used to manipulate verification parameters
instead of functions which work in specific structures such as
\&\fBX509_STORE_CTX_set_flags()\fR which are likely to be deprecated in a future
release.
.SH "BUGS"
.IX Header "BUGS"
Delta \s-1CRL\s0 checking is currently primitive. Only a single delta can be used and
(partly due to limitations of \fBX509_STORE\fR) constructed CRLs are not
maintained.
.PP
If CRLs checking is enable CRLs are expected to be available in the
corresponding \fBX509_STORE\fR structure. No attempt is made to download
CRLs from the \s-1CRL\s0 distribution points extension.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Enable \s-1CRL\s0 checking when performing certificate verification during \s-1SSL\s0
connections associated with an \fB\s-1SSL_CTX\s0\fR structure \fBctx\fR:
.PP
.Vb 1
\& X509_VERIFY_PARAM *param;
\&
\& param = X509_VERIFY_PARAM_new();
\& X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
\& SSL_CTX_set1_param(ctx, param);
\& X509_VERIFY_PARAM_free(param);
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_verify_cert\fR\|(3),
\&\fBX509_check_host\fR\|(3),
\&\fBX509_check_email\fR\|(3),
\&\fBX509_check_ip\fR\|(3),
\&\fBx509\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBX509_V_FLAG_NO_ALT_CHAINS\fR flag was added in OpenSSL 1.1.0.
The flag \fBX509_V_FLAG_CB_ISSUER_CHECK\fR was deprecated in OpenSSL 1.1.0
and has no effect.
.PP
The \fBX509_VERIFY_PARAM_get_hostflags()\fR function was added in OpenSSL 1.1.0i.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2009\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_check_ca.3 b/secure/lib/libcrypto/man/man3/X509_check_ca.3
index 4141bbc7ce7d..e163a29356cb 100644
--- a/secure/lib/libcrypto/man/man3/X509_check_ca.3
+++ b/secure/lib/libcrypto/man/man3/X509_check_ca.3
@@ -1,177 +1,177 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_CHECK_CA 3"
-.TH X509_CHECK_CA 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_CHECK_CA 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_check_ca \- check if given certificate is CA certificate
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509v3.h>
\&
\& int X509_check_ca(X509 *cert);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This function checks if given certificate is \s-1CA\s0 certificate (can be used
to sign other certificates).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Function return 0, if it is not \s-1CA\s0 certificate, 1 if it is proper X509v3
\&\s-1CA\s0 certificate with \fBbasicConstraints\fR extension \s-1CA:TRUE,
3,\s0 if it is self-signed X509 v1 certificate, 4, if it is certificate with
\&\fBkeyUsage\fR extension with bit \fBkeyCertSign\fR set, but without
\&\fBbasicConstraints\fR, and 5 if it has outdated Netscape Certificate Type
extension telling that it is \s-1CA\s0 certificate.
.PP
Actually, any nonzero value means that this certificate could have been
used to sign other certificates.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_verify_cert\fR\|(3),
\&\fBX509_check_issued\fR\|(3),
\&\fBX509_check_purpose\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_check_host.3 b/secure/lib/libcrypto/man/man3/X509_check_host.3
index 49fa000bebc0..8b1339409af5 100644
--- a/secure/lib/libcrypto/man/man3/X509_check_host.3
+++ b/secure/lib/libcrypto/man/man3/X509_check_host.3
@@ -1,288 +1,288 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_CHECK_HOST 3"
-.TH X509_CHECK_HOST 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_CHECK_HOST 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_check_host, X509_check_email, X509_check_ip, X509_check_ip_asc \- X.509 certificate matching
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509v3.h>
\&
\& int X509_check_host(X509 *, const char *name, size_t namelen,
\& unsigned int flags, char **peername);
\& int X509_check_email(X509 *, const char *address, size_t addresslen,
\& unsigned int flags);
\& int X509_check_ip(X509 *, const unsigned char *address, size_t addresslen,
\& unsigned int flags);
\& int X509_check_ip_asc(X509 *, const char *address, unsigned int flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The certificate matching functions are used to check whether a
certificate matches a given hostname, email address, or \s-1IP\s0 address.
The validity of the certificate and its trust level has to be checked by
other means.
.PP
\&\fBX509_check_host()\fR checks if the certificate Subject Alternative
Name (\s-1SAN\s0) or Subject CommonName (\s-1CN\s0) matches the specified hostname,
which must be encoded in the preferred name syntax described
in section 3.5 of \s-1RFC 1034.\s0 By default, wildcards are supported
and they match only in the left-most label; but they may match
part of that label with an explicit prefix or suffix. For example,
by default, the host \fBname\fR \*(L"www.example.com\*(R" would match a
certificate with a \s-1SAN\s0 or \s-1CN\s0 value of \*(L"*.example.com\*(R", \*(L"w*.example.com\*(R"
or \*(L"*w.example.com\*(R".
.PP
Per section 6.4.2 of \s-1RFC 6125,\s0 \fBname\fR values representing international
domain names must be given in A\-label form. The \fBnamelen\fR argument
must be the number of characters in the name string or zero in which
case the length is calculated with strlen(\fBname\fR). When \fBname\fR starts
with a dot (e.g. \*(L".example.com\*(R"), it will be matched by a certificate
valid for any sub-domain of \fBname\fR, (see also
\&\fBX509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS\fR below).
.PP
When the certificate is matched, and \fBpeername\fR is not \s-1NULL,\s0 a
pointer to a copy of the matching \s-1SAN\s0 or \s-1CN\s0 from the peer certificate
is stored at the address passed in \fBpeername\fR. The application
is responsible for freeing the peername via \fBOPENSSL_free()\fR when it
is no longer needed.
.PP
\&\fBX509_check_email()\fR checks if the certificate matches the specified
email \fBaddress\fR. Only the mailbox syntax of \s-1RFC 822\s0 is supported,
comments are not allowed, and no attempt is made to normalize quoted
characters. The \fBaddresslen\fR argument must be the number of
characters in the address string or zero in which case the length
is calculated with strlen(\fBaddress\fR).
.PP
\&\fBX509_check_ip()\fR checks if the certificate matches a specified IPv4 or
IPv6 address. The \fBaddress\fR array is in binary format, in network
byte order. The length is either 4 (IPv4) or 16 (IPv6). Only
explicitly marked addresses in the certificates are considered; \s-1IP\s0
addresses stored in \s-1DNS\s0 names and Common Names are ignored.
.PP
\&\fBX509_check_ip_asc()\fR is similar, except that the NUL-terminated
string \fBaddress\fR is first converted to the internal representation.
.PP
The \fBflags\fR argument is usually 0. It can be the bitwise \s-1OR\s0 of the
flags:
.IP "\fBX509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT\fR," 4
.IX Item "X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT,"
.PD 0
.IP "\fBX509_CHECK_FLAG_NEVER_CHECK_SUBJECT\fR," 4
.IX Item "X509_CHECK_FLAG_NEVER_CHECK_SUBJECT,"
.IP "\fBX509_CHECK_FLAG_NO_WILDCARDS\fR," 4
.IX Item "X509_CHECK_FLAG_NO_WILDCARDS,"
.IP "\fBX509_CHECK_FLAG_NO_PARTIAL_WILDCARDS\fR," 4
.IX Item "X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS,"
.IP "\fBX509_CHECK_FLAG_MULTI_LABEL_WILDCARDS\fR." 4
.IX Item "X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS."
.IP "\fBX509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS\fR." 4
.IX Item "X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS."
.PD
.PP
The \fBX509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT\fR flag causes the function
to consider the subject \s-1DN\s0 even if the certificate contains at least
one subject alternative name of the right type (\s-1DNS\s0 name or email
address as appropriate); the default is to ignore the subject \s-1DN\s0
when at least one corresponding subject alternative names is present.
.PP
The \fBX509_CHECK_FLAG_NEVER_CHECK_SUBJECT\fR flag causes the function to never
consider the subject \s-1DN\s0 even if the certificate contains no subject alternative
names of the right type (\s-1DNS\s0 name or email address as appropriate); the default
is to use the subject \s-1DN\s0 when no corresponding subject alternative names are
present.
If both \fBX509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT\fR and
\&\fBX509_CHECK_FLAG_NEVER_CHECK_SUBJECT\fR are specified, the latter takes
precedence and the subject \s-1DN\s0 is not checked for matching names.
.PP
If set, \fBX509_CHECK_FLAG_NO_WILDCARDS\fR disables wildcard
expansion; this only applies to \fBX509_check_host\fR.
.PP
If set, \fBX509_CHECK_FLAG_NO_PARTIAL_WILDCARDS\fR suppresses support
for \*(L"*\*(R" as wildcard pattern in labels that have a prefix or suffix,
such as: \*(L"www*\*(R" or \*(L"*www\*(R"; this only applies to \fBX509_check_host\fR.
.PP
If set, \fBX509_CHECK_FLAG_MULTI_LABEL_WILDCARDS\fR allows a \*(L"*\*(R" that
constitutes the complete label of a \s-1DNS\s0 name (e.g. \*(L"*.example.com\*(R")
to match more than one label in \fBname\fR; this flag only applies
to \fBX509_check_host\fR.
.PP
If set, \fBX509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS\fR restricts \fBname\fR
values which start with \*(L".\*(R", that would otherwise match any sub-domain
in the peer certificate, to only match direct child sub-domains.
Thus, for instance, with this flag set a \fBname\fR of \*(L".example.com\*(R"
would match a peer certificate with a \s-1DNS\s0 name of \*(L"www.example.com\*(R",
but would not match a peer certificate with a \s-1DNS\s0 name of
\&\*(L"www.sub.example.com\*(R"; this flag only applies to \fBX509_check_host\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The functions return 1 for a successful match, 0 for a failed match
and \-1 for an internal error: typically a memory allocation failure
or an \s-1ASN.1\s0 decoding error.
.PP
All functions can also return \-2 if the input is malformed. For example,
\&\fBX509_check_host()\fR returns \-2 if the provided \fBname\fR contains embedded
NULs.
.SH "NOTES"
.IX Header "NOTES"
Applications are encouraged to use \fBX509_VERIFY_PARAM_set1_host()\fR
rather than explicitly calling \fBX509_check_host\fR\|(3). Host name
checks may be out of scope with the \s-1\fBDANE\-EE\s0\fR\|(3) certificate usage,
and the internal checks will be suppressed as appropriate when
\&\s-1DANE\s0 support is enabled.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_get_verify_result\fR\|(3),
\&\fBX509_VERIFY_PARAM_set1_host\fR\|(3),
\&\fBX509_VERIFY_PARAM_add1_host\fR\|(3),
\&\fBX509_VERIFY_PARAM_set1_email\fR\|(3),
\&\fBX509_VERIFY_PARAM_set1_ip\fR\|(3),
\&\fBX509_VERIFY_PARAM_set1_ipasc\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.0.2.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2012\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_check_issued.3 b/secure/lib/libcrypto/man/man3/X509_check_issued.3
index d3e3f6151c0a..99867f687215 100644
--- a/secure/lib/libcrypto/man/man3/X509_check_issued.3
+++ b/secure/lib/libcrypto/man/man3/X509_check_issued.3
@@ -1,176 +1,176 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_CHECK_ISSUED 3"
-.TH X509_CHECK_ISSUED 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_CHECK_ISSUED 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_check_issued \- checks if certificate is apparently issued by another certificate
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509v3.h>
\&
\& int X509_check_issued(X509 *issuer, X509 *subject);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBX509_check_issued()\fR checks if certificate \fIsubject\fR was apparently issued
using (\s-1CA\s0) certificate \fIissuer\fR. This function takes into account not only
matching of the issuer field of \fIsubject\fR with the subject field of \fIissuer\fR,
but also compares all sub-fields of the \fBauthorityKeyIdentifier\fR extension of
\&\fIsubject\fR, as far as present, with the respective \fBsubjectKeyIdentifier\fR,
serial number, and issuer fields of \fIissuer\fR, as far as present. It also checks
if the \fBkeyUsage\fR field (if present) of \fIissuer\fR allows certificate signing.
It does not check the certificate signature.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Function return \fBX509_V_OK\fR if certificate \fIsubject\fR is issued by
\&\fIissuer\fR or some \fBX509_V_ERR*\fR constant to indicate an error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_verify_cert\fR\|(3),
\&\fBX509_check_ca\fR\|(3),
\&\fBverify\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_check_private_key.3 b/secure/lib/libcrypto/man/man3/X509_check_private_key.3
index ec81466b61b5..1b97e2a3fdca 100644
--- a/secure/lib/libcrypto/man/man3/X509_check_private_key.3
+++ b/secure/lib/libcrypto/man/man3/X509_check_private_key.3
@@ -1,183 +1,183 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_CHECK_PRIVATE_KEY 3"
-.TH X509_CHECK_PRIVATE_KEY 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_CHECK_PRIVATE_KEY 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_check_private_key, X509_REQ_check_private_key \- check the consistency of a private key with the public key in an X509 certificate or certificate request
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& int X509_check_private_key(X509 *x, EVP_PKEY *k);
\&
\& int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBX509_check_private_key()\fR function checks the consistency of private
key \fBk\fR with the public key in \fBx\fR.
.PP
\&\fBX509_REQ_check_private_key()\fR is equivalent to \fBX509_check_private_key()\fR
except that \fBx\fR represents a certificate request of structure \fBX509_REQ\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_check_private_key()\fR and \fBX509_REQ_check_private_key()\fR return 1 if
the keys match each other, and 0 if not.
.PP
If the key is invalid or an error occurred, the reason code can be
obtained using \fBERR_get_error\fR\|(3).
.SH "BUGS"
.IX Header "BUGS"
The \fBcheck_private_key\fR functions don't check if \fBk\fR itself is indeed
a private key or not. It merely compares the public materials (e.g. exponent
and modulus of an \s-1RSA\s0 key) and/or key parameters (e.g. \s-1EC\s0 params of an \s-1EC\s0 key)
of a key pair. So if you pass a public key to these functions in \fBk\fR, it will
return success.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_check_purpose.3 b/secure/lib/libcrypto/man/man3/X509_check_purpose.3
index b5d3298177da..661f50d5751b 100644
--- a/secure/lib/libcrypto/man/man3/X509_check_purpose.3
+++ b/secure/lib/libcrypto/man/man3/X509_check_purpose.3
@@ -1,204 +1,204 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_CHECK_PURPOSE 3"
-.TH X509_CHECK_PURPOSE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_CHECK_PURPOSE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_check_purpose \- Check the purpose of a certificate
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509v3.h>
\&
\& int X509_check_purpose(X509 *x, int id, int ca)
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This function checks if certificate \fIx\fR was created with the purpose
represented by \fIid\fR. If \fIca\fR is nonzero, then certificate \fIx\fR is
checked to determine if it's a possible \s-1CA\s0 with various levels of certainty
possibly returned.
.PP
Below are the potential \s-1ID\s0's that can be checked:
.PP
.Vb 9
\& # define X509_PURPOSE_SSL_CLIENT 1
\& # define X509_PURPOSE_SSL_SERVER 2
\& # define X509_PURPOSE_NS_SSL_SERVER 3
\& # define X509_PURPOSE_SMIME_SIGN 4
\& # define X509_PURPOSE_SMIME_ENCRYPT 5
\& # define X509_PURPOSE_CRL_SIGN 6
\& # define X509_PURPOSE_ANY 7
\& # define X509_PURPOSE_OCSP_HELPER 8
\& # define X509_PURPOSE_TIMESTAMP_SIGN 9
.Ve
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
For non-CA checks
.IP "\-1 an error condition has occurred" 4
.IX Item "-1 an error condition has occurred"
.PD 0
.IP " 1 if the certificate was created to perform the purpose represented by \fIid\fR" 4
.IX Item " 1 if the certificate was created to perform the purpose represented by id"
.IP " 0 if the certificate was not created to perform the purpose represented by \fIid\fR" 4
.IX Item " 0 if the certificate was not created to perform the purpose represented by id"
.PD
.PP
For \s-1CA\s0 checks the below integers could be returned with the following meanings:
.IP "\-1 an error condition has occurred" 4
.IX Item "-1 an error condition has occurred"
.PD 0
.IP " 0 not a \s-1CA\s0 or does not have the purpose represented by \fIid\fR" 4
.IX Item " 0 not a CA or does not have the purpose represented by id"
.IP " 1 is a \s-1CA.\s0" 4
.IX Item " 1 is a CA."
.IP " 2 Only possible in old versions of openSSL when basicConstraints are absent. New versions will not return this value. May be a \s-1CA\s0" 4
.IX Item " 2 Only possible in old versions of openSSL when basicConstraints are absent. New versions will not return this value. May be a CA"
.IP " 3 basicConstraints absent but self signed V1." 4
.IX Item " 3 basicConstraints absent but self signed V1."
.IP " 4 basicConstraints absent but keyUsage present and keyCertSign asserted." 4
.IX Item " 4 basicConstraints absent but keyUsage present and keyCertSign asserted."
.IP " 5 legacy Netscape specific \s-1CA\s0 Flags present" 4
.IX Item " 5 legacy Netscape specific CA Flags present"
.PD
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2019\-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use this
file except in compliance with the License. You can obtain a copy in the file
\&\s-1LICENSE\s0 in the source distribution or at <https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_cmp.3 b/secure/lib/libcrypto/man/man3/X509_cmp.3
index 17c3051b2a54..01e04865856c 100644
--- a/secure/lib/libcrypto/man/man3/X509_cmp.3
+++ b/secure/lib/libcrypto/man/man3/X509_cmp.3
@@ -1,209 +1,209 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_CMP 3"
-.TH X509_CMP 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_CMP 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_cmp, X509_NAME_cmp, X509_issuer_and_serial_cmp, X509_issuer_name_cmp, X509_subject_name_cmp, X509_CRL_cmp, X509_CRL_match \&\- compare X509 certificates and related values
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& int X509_cmp(const X509 *a, const X509 *b);
\& int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);
\& int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b);
\& int X509_issuer_name_cmp(const X509 *a, const X509 *b);
\& int X509_subject_name_cmp(const X509 *a, const X509 *b);
\& int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);
\& int X509_CRL_match(const X509_CRL *a, const X509_CRL *b);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This set of functions are used to compare X509 objects, including X509
certificates, X509 \s-1CRL\s0 objects and various values in an X509 certificate.
.PP
The \fBX509_cmp()\fR function compares two \fBX509\fR objects indicated by parameters
\&\fBa\fR and \fBb\fR. The comparison is based on the \fBmemcmp\fR result of the hash
values of two \fBX509\fR objects and the canonical (\s-1DER\s0) encoding values.
.PP
The \fBX509_NAME_cmp()\fR function compares two \fBX509_NAME\fR objects indicated by
parameters \fBa\fR and \fBb\fR. The comparison is based on the \fBmemcmp\fR result of
the canonical (\s-1DER\s0) encoding values of the two objects. \fBi2d_X509_NAME\fR\|(3)
has a more detailed description of the \s-1DER\s0 encoding of the \fBX509_NAME\fR structure.
.PP
The \fBX509_issuer_and_serial_cmp()\fR function compares the serial number and issuer
values in the given \fBX509\fR objects \fBa\fR and \fBb\fR.
.PP
The \fBX509_issuer_name_cmp()\fR, \fBX509_subject_name_cmp()\fR and \fBX509_CRL_cmp()\fR functions
are effectively wrappers of the \fBX509_NAME_cmp()\fR function. These functions compare
issuer names and subject names of the objects, or issuers of \fBX509_CRL\fR
objects, respectively.
.IX Xref "509"
.PP
The \fBX509_CRL_match()\fR function compares two \fBX509_CRL\fR objects. Unlike the
\&\fBX509_CRL_cmp()\fR function, this function compares the whole \s-1CRL\s0 content instead
of just the issuer name.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Like common memory comparison functions, the \fBX509\fR comparison functions return
an integer less than, equal to, or greater than zero if object \fBa\fR is found to
be less than, to match, or be greater than object \fBb\fR, respectively.
.PP
\&\fBX509_NAME_cmp()\fR, \fBX509_issuer_and_serial_cmp()\fR, \fBX509_issuer_name_cmp()\fR,
\&\fBX509_subject_name_cmp()\fR and \fBX509_CRL_cmp()\fR may return \fB\-2\fR to indicate an error.
.SH "NOTES"
.IX Header "NOTES"
These functions in fact utilize the underlying \fBmemcmp\fR of the C library to do
the comparison job. Data to be compared varies from \s-1DER\s0 encoding data, hash
value or \fB\s-1ASN1_STRING\s0\fR. The sign of the comparison can be used to order the
objects but it does not have a special meaning in some cases.
.PP
\&\fBX509_NAME_cmp()\fR and wrappers utilize the value \fB\-2\fR to indicate errors in some
circumstances, which could cause confusion for the applications.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBi2d_X509_NAME\fR\|(3), \fBi2d_X509\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_cmp_time.3 b/secure/lib/libcrypto/man/man3/X509_cmp_time.3
index 95a24df20eee..fac8374aa326 100644
--- a/secure/lib/libcrypto/man/man3/X509_cmp_time.3
+++ b/secure/lib/libcrypto/man/man3/X509_cmp_time.3
@@ -1,192 +1,192 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_CMP_TIME 3"
-.TH X509_CMP_TIME 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_CMP_TIME 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_cmp_time, X509_cmp_current_time, X509_time_adj, X509_time_adj_ex \&\- X509 time functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 5
\& int X509_cmp_time(const ASN1_TIME *asn1_time, time_t *in_tm);
\& int X509_cmp_current_time(const ASN1_TIME *asn1_time);
\& ASN1_TIME *X509_time_adj(ASN1_TIME *asn1_time, long offset_sec, time_t *in_tm);
\& ASN1_TIME *X509_time_adj_ex(ASN1_TIME *asn1_time, int offset_day, long
\& offset_sec, time_t *in_tm);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBX509_cmp_time()\fR compares the \s-1ASN1_TIME\s0 in \fBasn1_time\fR with the time
in <cmp_time>. \fBX509_cmp_current_time()\fR compares the \s-1ASN1_TIME\s0 in
\&\fBasn1_time\fR with the current time, expressed as time_t. \fBasn1_time\fR
must satisfy the \s-1ASN1_TIME\s0 format mandated by \s-1RFC 5280,\s0 i.e., its
format must be either \s-1YYMMDDHHMMSSZ\s0 or \s-1YYYYMMDDHHMMSSZ.\s0
.PP
\&\fBX509_time_adj_ex()\fR sets the \s-1ASN1_TIME\s0 structure \fBasn1_time\fR to the time
\&\fBoffset_day\fR and \fBoffset_sec\fR after \fBin_tm\fR.
.PP
\&\fBX509_time_adj()\fR sets the \s-1ASN1_TIME\s0 structure \fBasn1_time\fR to the time
\&\fBoffset_sec\fR after \fBin_tm\fR. This method can only handle second
offsets up to the capacity of long, so the newer \fBX509_time_adj_ex()\fR
\&\s-1API\s0 should be preferred.
.PP
In both methods, if \fBasn1_time\fR is \s-1NULL,\s0 a new \s-1ASN1_TIME\s0 structure
is allocated and returned.
.PP
In all methods, if \fBin_tm\fR is \s-1NULL,\s0 the current time, expressed as
time_t, is used.
.SH "BUGS"
.IX Header "BUGS"
Unlike many standard comparison functions, \fBX509_cmp_time()\fR and
\&\fBX509_cmp_current_time()\fR return 0 on error.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_cmp_time()\fR and \fBX509_cmp_current_time()\fR return \-1 if \fBasn1_time\fR
is earlier than, or equal to, \fBcmp_time\fR (resp. current time), and 1
otherwise. These methods return 0 on error.
.PP
\&\fBX509_time_adj()\fR and \fBX509_time_adj_ex()\fR return a pointer to the updated
\&\s-1ASN1_TIME\s0 structure, and \s-1NULL\s0 on error.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_digest.3 b/secure/lib/libcrypto/man/man3/X509_digest.3
index b516ad3b6db3..1009aa655414 100644
--- a/secure/lib/libcrypto/man/man3/X509_digest.3
+++ b/secure/lib/libcrypto/man/man3/X509_digest.3
@@ -1,194 +1,194 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_DIGEST 3"
-.TH X509_DIGEST 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_DIGEST 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_digest, X509_CRL_digest, X509_pubkey_digest, X509_NAME_digest, X509_REQ_digest, PKCS7_ISSUER_AND_SERIAL_digest \&\- get digest of various objects
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
\& unsigned int *len);
\&
\& int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type, unsigned char *md,
\& unsigned int *len);
\&
\& int X509_pubkey_digest(const X509 *data, const EVP_MD *type,
\& unsigned char *md, unsigned int *len);
\&
\& int X509_REQ_digest(const X509_REQ *data, const EVP_MD *type,
\& unsigned char *md, unsigned int *len);
\&
\& int X509_NAME_digest(const X509_NAME *data, const EVP_MD *type,
\& unsigned char *md, unsigned int *len);
\&
\& #include <openssl/pkcs7.h>
\&
\& int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data,
\& const EVP_MD *type, unsigned char *md,
\& unsigned int *len);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBX509_pubkey_digest()\fR returns a digest of the \s-1DER\s0 representation of the public
key in the specified X509 \fBdata\fR object.
All other functions described here return a digest of the \s-1DER\s0 representation
of their entire \fBdata\fR objects.
.PP
The \fBtype\fR parameter specifies the digest to
be used, such as \fBEVP_sha1()\fR. The \fBmd\fR is a pointer to the buffer where the
digest will be copied and is assumed to be large enough; the constant
\&\fB\s-1EVP_MAX_MD_SIZE\s0\fR is suggested. The \fBlen\fR parameter, if not \s-1NULL,\s0 points
to a place where the digest size will be stored.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All functions described here return 1 for success and 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_sha1\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_dup.3 b/secure/lib/libcrypto/man/man3/X509_dup.3
index ad092537db25..e9c15aad4e09 100644
--- a/secure/lib/libcrypto/man/man3/X509_dup.3
+++ b/secure/lib/libcrypto/man/man3/X509_dup.3
@@ -1,202 +1,202 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_DUP 3"
-.TH X509_DUP 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_DUP 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
DECLARE_ASN1_FUNCTIONS, IMPLEMENT_ASN1_FUNCTIONS, ASN1_ITEM, ACCESS_DESCRIPTION_free, ACCESS_DESCRIPTION_new, ADMISSIONS_free, ADMISSIONS_new, ADMISSION_SYNTAX_free, ADMISSION_SYNTAX_new, ASIdOrRange_free, ASIdOrRange_new, ASIdentifierChoice_free, ASIdentifierChoice_new, ASIdentifiers_free, ASIdentifiers_new, ASRange_free, ASRange_new, AUTHORITY_INFO_ACCESS_free, AUTHORITY_INFO_ACCESS_new, AUTHORITY_KEYID_free, AUTHORITY_KEYID_new, BASIC_CONSTRAINTS_free, BASIC_CONSTRAINTS_new, CERTIFICATEPOLICIES_free, CERTIFICATEPOLICIES_new, CMS_ContentInfo_free, CMS_ContentInfo_new, CMS_ContentInfo_print_ctx, CMS_ReceiptRequest_free, CMS_ReceiptRequest_new, CRL_DIST_POINTS_free, CRL_DIST_POINTS_new, DIRECTORYSTRING_free, DIRECTORYSTRING_new, DISPLAYTEXT_free, DISPLAYTEXT_new, DIST_POINT_NAME_free, DIST_POINT_NAME_new, DIST_POINT_free, DIST_POINT_new, DSAparams_dup, ECPARAMETERS_free, ECPARAMETERS_new, ECPKPARAMETERS_free, ECPKPARAMETERS_new, EDIPARTYNAME_free, EDIPARTYNAME_new, ESS_CERT_ID_dup, ESS_CERT_ID_free, ESS_CERT_ID_new, ESS_ISSUER_SERIAL_dup, ESS_ISSUER_SERIAL_free, ESS_ISSUER_SERIAL_new, ESS_SIGNING_CERT_dup, ESS_SIGNING_CERT_free, ESS_SIGNING_CERT_new, EXTENDED_KEY_USAGE_free, EXTENDED_KEY_USAGE_new, GENERAL_NAMES_free, GENERAL_NAMES_new, GENERAL_NAME_dup, GENERAL_NAME_free, GENERAL_NAME_new, GENERAL_SUBTREE_free, GENERAL_SUBTREE_new, IPAddressChoice_free, IPAddressChoice_new, IPAddressFamily_free, IPAddressFamily_new, IPAddressOrRange_free, IPAddressOrRange_new, IPAddressRange_free, IPAddressRange_new, ISSUING_DIST_POINT_free, ISSUING_DIST_POINT_new, NAME_CONSTRAINTS_free, NAME_CONSTRAINTS_new, NAMING_AUTHORITY_free, NAMING_AUTHORITY_new, NETSCAPE_CERT_SEQUENCE_free, NETSCAPE_CERT_SEQUENCE_new, NETSCAPE_SPKAC_free, NETSCAPE_SPKAC_new, NETSCAPE_SPKI_free, NETSCAPE_SPKI_new, NOTICEREF_free, NOTICEREF_new, OCSP_BASICRESP_free, OCSP_BASICRESP_new, OCSP_CERTID_dup, OCSP_CERTID_new, OCSP_CERTSTATUS_free, OCSP_CERTSTATUS_new, OCSP_CRLID_free, OCSP_CRLID_new, OCSP_ONEREQ_free, OCSP_ONEREQ_new, OCSP_REQINFO_free, OCSP_REQINFO_new, OCSP_RESPBYTES_free, OCSP_RESPBYTES_new, OCSP_RESPDATA_free, OCSP_RESPDATA_new, OCSP_RESPID_free, OCSP_RESPID_new, OCSP_RESPONSE_new, OCSP_REVOKEDINFO_free, OCSP_REVOKEDINFO_new, OCSP_SERVICELOC_free, OCSP_SERVICELOC_new, OCSP_SIGNATURE_free, OCSP_SIGNATURE_new, OCSP_SINGLERESP_free, OCSP_SINGLERESP_new, OTHERNAME_free, OTHERNAME_new, PBE2PARAM_free, PBE2PARAM_new, PBEPARAM_free, PBEPARAM_new, PBKDF2PARAM_free, PBKDF2PARAM_new, PKCS12_BAGS_free, PKCS12_BAGS_new, PKCS12_MAC_DATA_free, PKCS12_MAC_DATA_new, PKCS12_SAFEBAG_free, PKCS12_SAFEBAG_new, PKCS12_free, PKCS12_new, PKCS7_DIGEST_free, PKCS7_DIGEST_new, PKCS7_ENCRYPT_free, PKCS7_ENCRYPT_new, PKCS7_ENC_CONTENT_free, PKCS7_ENC_CONTENT_new, PKCS7_ENVELOPE_free, PKCS7_ENVELOPE_new, PKCS7_ISSUER_AND_SERIAL_free, PKCS7_ISSUER_AND_SERIAL_new, PKCS7_RECIP_INFO_free, PKCS7_RECIP_INFO_new, PKCS7_SIGNED_free, PKCS7_SIGNED_new, PKCS7_SIGNER_INFO_free, PKCS7_SIGNER_INFO_new, PKCS7_SIGN_ENVELOPE_free, PKCS7_SIGN_ENVELOPE_new, PKCS7_dup, PKCS7_free, PKCS7_new, PKCS7_print_ctx, PKCS8_PRIV_KEY_INFO_free, PKCS8_PRIV_KEY_INFO_new, PKEY_USAGE_PERIOD_free, PKEY_USAGE_PERIOD_new, POLICYINFO_free, POLICYINFO_new, POLICYQUALINFO_free, POLICYQUALINFO_new, POLICY_CONSTRAINTS_free, POLICY_CONSTRAINTS_new, POLICY_MAPPING_free, POLICY_MAPPING_new, PROFESSION_INFO_free, PROFESSION_INFO_new, PROFESSION_INFOS_free, PROFESSION_INFOS_new, PROXY_CERT_INFO_EXTENSION_free, PROXY_CERT_INFO_EXTENSION_new, PROXY_POLICY_free, PROXY_POLICY_new, RSAPrivateKey_dup, RSAPublicKey_dup, RSA_OAEP_PARAMS_free, RSA_OAEP_PARAMS_new, RSA_PSS_PARAMS_free, RSA_PSS_PARAMS_new, SCRYPT_PARAMS_free, SCRYPT_PARAMS_new, SXNETID_free, SXNETID_new, SXNET_free, SXNET_new, TLS_FEATURE_free, TLS_FEATURE_new, TS_ACCURACY_dup, TS_ACCURACY_free, TS_ACCURACY_new, TS_MSG_IMPRINT_dup, TS_MSG_IMPRINT_free, TS_MSG_IMPRINT_new, TS_REQ_dup, TS_REQ_free, TS_REQ_new, TS_RESP_dup, TS_RESP_free, TS_RESP_new, TS_STATUS_INFO_dup, TS_STATUS_INFO_free, TS_STATUS_INFO_new, TS_TST_INFO_dup, TS_TST_INFO_free, TS_TST_INFO_new, USERNOTICE_free, USERNOTICE_new, X509_ALGOR_free, X509_ALGOR_new, X509_ATTRIBUTE_dup, X509_ATTRIBUTE_free, X509_ATTRIBUTE_new, X509_CERT_AUX_free, X509_CERT_AUX_new, X509_CINF_free, X509_CINF_new, X509_CRL_INFO_free, X509_CRL_INFO_new, X509_CRL_dup, X509_CRL_free, X509_CRL_new, X509_EXTENSION_dup, X509_EXTENSION_free, X509_EXTENSION_new, X509_NAME_ENTRY_dup, X509_NAME_ENTRY_free, X509_NAME_ENTRY_new, X509_NAME_dup, X509_NAME_free, X509_NAME_new, X509_REQ_INFO_free, X509_REQ_INFO_new, X509_REQ_dup, X509_REQ_free, X509_REQ_new, X509_REVOKED_dup, X509_REVOKED_free, X509_REVOKED_new, X509_SIG_free, X509_SIG_new, X509_VAL_free, X509_VAL_new, X509_dup, \&\- ASN1 object utilities
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/asn1t.h>
\&
\& DECLARE_ASN1_FUNCTIONS(type)
\& IMPLEMENT_ASN1_FUNCTIONS(stname)
\&
\& typedef struct ASN1_ITEM_st ASN1_ITEM;
\&
\& extern const ASN1_ITEM TYPE_it;
\& TYPE *TYPE_new(void);
\& TYPE *TYPE_dup(TYPE *a);
\& void TYPE_free(TYPE *a);
\& int TYPE_print_ctx(BIO *out, TYPE *a, int indent, const ASN1_PCTX *pctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
In the description below, \fI\s-1TYPE\s0\fR is used
as a placeholder for any of the OpenSSL datatypes, such as \fIX509\fR.
.PP
The OpenSSL \s-1ASN1\s0 parsing library templates are like a data-driven bytecode
interpreter.
Every \s-1ASN1\s0 object as a global variable, TYPE_it, that describes the item
such as its fields. (On systems which cannot export variables from shared
libraries, the global is instead a function which returns a pointer to a
static variable.
.PP
The macro \s-1\fBDECLARE_ASN1_FUNCTIONS\s0()\fR is typically used in header files
to generate the function declarations.
.PP
The macro \s-1\fBIMPLEMENT_ASN1_FUNCTIONS\s0()\fR is used once in a source file
to generate the function bodies.
.PP
\&\fBTYPE_new()\fR allocates an empty object of the indicated type.
The object returned must be released by calling \fBTYPE_free()\fR.
.PP
\&\fBTYPE_dup()\fR copies an existing object.
.PP
\&\fBTYPE_free()\fR releases the object and all pointers and sub-objects
within it.
.PP
\&\fBTYPE_print_ctx()\fR prints the object \fBa\fR on the specified \s-1BIO\s0 \fBout\fR.
Each line will be prefixed with \fBindent\fR spaces.
The \fBpctx\fR specifies the printing context and is for internal
use; use \s-1NULL\s0 to get the default behavior. If a print function is
user-defined, then pass in any \fBpctx\fR down to any nested calls.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBTYPE_new()\fR and \fBTYPE_dup()\fR return a pointer to the object or \s-1NULL\s0 on failure.
.PP
\&\fBTYPE_print_ctx()\fR returns 1 on success or zero on failure.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_get0_notBefore.3 b/secure/lib/libcrypto/man/man3/X509_get0_notBefore.3
index 58bdac5ee3db..801f8fce35c6 100644
--- a/secure/lib/libcrypto/man/man3/X509_get0_notBefore.3
+++ b/secure/lib/libcrypto/man/man3/X509_get0_notBefore.3
@@ -1,231 +1,231 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_GET0_NOTBEFORE 3"
-.TH X509_GET0_NOTBEFORE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_GET0_NOTBEFORE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_get0_notBefore, X509_getm_notBefore, X509_get0_notAfter, X509_getm_notAfter, X509_set1_notBefore, X509_set1_notAfter, X509_CRL_get0_lastUpdate, X509_CRL_get0_nextUpdate, X509_CRL_set1_lastUpdate, X509_CRL_set1_nextUpdate \- get or set certificate or CRL dates
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& const ASN1_TIME *X509_get0_notBefore(const X509 *x);
\& const ASN1_TIME *X509_get0_notAfter(const X509 *x);
\&
\& ASN1_TIME *X509_getm_notBefore(const X509 *x);
\& ASN1_TIME *X509_getm_notAfter(const X509 *x);
\&
\& int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm);
\& int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm);
\&
\& const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl);
\& const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl);
\&
\& int X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
\& int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBX509_get0_notBefore()\fR and \fBX509_get0_notAfter()\fR return the \fBnotBefore\fR
and \fBnotAfter\fR fields of certificate \fBx\fR respectively. The value
returned is an internal pointer which must not be freed up after
the call.
.PP
\&\fBX509_getm_notBefore()\fR and \fBX509_getm_notAfter()\fR are similar to
\&\fBX509_get0_notBefore()\fR and \fBX509_get0_notAfter()\fR except they return
non-constant mutable references to the associated date field of
the certificate.
.PP
\&\fBX509_set1_notBefore()\fR and \fBX509_set1_notAfter()\fR set the \fBnotBefore\fR
and \fBnotAfter\fR fields of \fBx\fR to \fBtm\fR. Ownership of the passed
parameter \fBtm\fR is not transferred by these functions so it must
be freed up after the call.
.PP
\&\fBX509_CRL_get0_lastUpdate()\fR and \fBX509_CRL_get0_nextUpdate()\fR return the
\&\fBlastUpdate\fR and \fBnextUpdate\fR fields of \fBcrl\fR. The value
returned is an internal pointer which must not be freed up after
the call. If the \fBnextUpdate\fR field is absent from \fBcrl\fR then
\&\fB\s-1NULL\s0\fR is returned.
.PP
\&\fBX509_CRL_set1_lastUpdate()\fR and \fBX509_CRL_set1_nextUpdate()\fR set the \fBlastUpdate\fR
and \fBnextUpdate\fR fields of \fBcrl\fR to \fBtm\fR. Ownership of the passed parameter
\&\fBtm\fR is not transferred by these functions so it must be freed up after the
call.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_get0_notBefore()\fR, \fBX509_get0_notAfter()\fR and \fBX509_CRL_get0_lastUpdate()\fR
return a pointer to an \fB\s-1ASN1_TIME\s0\fR structure.
.PP
\&\fBX509_CRL_get0_lastUpdate()\fR return a pointer to an \fB\s-1ASN1_TIME\s0\fR structure
or \s-1NULL\s0 if the \fBlastUpdate\fR field is absent.
.PP
\&\fBX509_set1_notBefore()\fR, \fBX509_set1_notAfter()\fR, \fBX509_CRL_set1_lastUpdate()\fR and
\&\fBX509_CRL_set1_nextUpdate()\fR return 1 for success or 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_X509\fR\|(3),
\&\fBERR_get_error\fR\|(3),
\&\fBX509_CRL_get0_by_serial\fR\|(3),
\&\fBX509_get0_signature\fR\|(3),
\&\fBX509_get_ext_d2i\fR\|(3),
\&\fBX509_get_extension_flags\fR\|(3),
\&\fBX509_get_pubkey\fR\|(3),
\&\fBX509_get_subject_name\fR\|(3),
\&\fBX509_NAME_add_entry_by_txt\fR\|(3),
\&\fBX509_NAME_ENTRY_get_object\fR\|(3),
\&\fBX509_NAME_get_index_by_NID\fR\|(3),
\&\fBX509_NAME_print_ex\fR\|(3),
\&\fBX509_new\fR\|(3),
\&\fBX509_sign\fR\|(3),
\&\fBX509V3_get_d2i\fR\|(3),
\&\fBX509_verify_cert\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
These functions are available in all versions of OpenSSL.
.PP
\&\fBX509_get_notBefore()\fR and \fBX509_get_notAfter()\fR were deprecated in OpenSSL
1.1.0
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_get0_signature.3 b/secure/lib/libcrypto/man/man3/X509_get0_signature.3
index 75377159428b..7434c76a79f4 100644
--- a/secure/lib/libcrypto/man/man3/X509_get0_signature.3
+++ b/secure/lib/libcrypto/man/man3/X509_get0_signature.3
@@ -1,269 +1,269 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_GET0_SIGNATURE 3"
-.TH X509_GET0_SIGNATURE 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_GET0_SIGNATURE 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_get0_signature, X509_REQ_set0_signature, X509_REQ_set1_signature_algo, X509_get_signature_nid, X509_get0_tbs_sigalg, X509_REQ_get0_signature, X509_REQ_get_signature_nid, X509_CRL_get0_signature, X509_CRL_get_signature_nid, X509_get_signature_info, X509_SIG_INFO_get, X509_SIG_INFO_set \- signature information
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& void X509_get0_signature(const ASN1_BIT_STRING **psig,
\& const X509_ALGOR **palg,
\& const X509 *x);
\& void X509_REQ_set0_signature(X509_REQ *req, ASN1_BIT_STRING *psig);
\& int X509_REQ_set1_signature_algo(X509_REQ *req, X509_ALGOR *palg);
\& int X509_get_signature_nid(const X509 *x);
\& const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x);
\&
\& void X509_REQ_get0_signature(const X509_REQ *crl,
\& const ASN1_BIT_STRING **psig,
\& const X509_ALGOR **palg);
\& int X509_REQ_get_signature_nid(const X509_REQ *crl);
\&
\& void X509_CRL_get0_signature(const X509_CRL *crl,
\& const ASN1_BIT_STRING **psig,
\& const X509_ALGOR **palg);
\& int X509_CRL_get_signature_nid(const X509_CRL *crl);
\&
\& int X509_get_signature_info(X509 *x, int *mdnid, int *pknid, int *secbits,
\& uint32_t *flags);
\&
\& int X509_SIG_INFO_get(const X509_SIG_INFO *siginf, int *mdnid, int *pknid,
\& int *secbits, uint32_t *flags);
\& void X509_SIG_INFO_set(X509_SIG_INFO *siginf, int mdnid, int pknid,
\& int secbits, uint32_t flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBX509_get0_signature()\fR sets \fB*psig\fR to the signature of \fBx\fR and \fB*palg\fR
to the signature algorithm of \fBx\fR. The values returned are internal
pointers which \fB\s-1MUST NOT\s0\fR be freed up after the call.
.PP
\&\fBX509_set0_signature()\fR and \fBX509_REQ_set1_signature_algo()\fR are the
equivalent setters for the two values of \fBX509_get0_signature()\fR.
.PP
\&\fBX509_get0_tbs_sigalg()\fR returns the signature algorithm in the signed
portion of \fBx\fR.
.PP
\&\fBX509_get_signature_nid()\fR returns the \s-1NID\s0 corresponding to the signature
algorithm of \fBx\fR.
.PP
\&\fBX509_REQ_get0_signature()\fR, \fBX509_REQ_get_signature_nid()\fR
\&\fBX509_CRL_get0_signature()\fR and \fBX509_CRL_get_signature_nid()\fR perform the
same function for certificate requests and CRLs.
.PP
\&\fBX509_get_signature_info()\fR retrieves information about the signature of
certificate \fBx\fR. The \s-1NID\s0 of the signing digest is written to \fB*mdnid\fR,
the public key algorithm to \fB*pknid\fR, the effective security bits to
\&\fB*secbits\fR and flag details to \fB*flags\fR. Any of the parameters can
be set to \fB\s-1NULL\s0\fR if the information is not required.
.PP
\&\fBX509_SIG_INFO_get()\fR and \fBX509_SIG_INFO_set()\fR get and set information
about a signature in an \fBX509_SIG_INFO\fR structure. They are only
used by implementations of algorithms which need to set custom
signature information: most applications will never need to call
them.
.SH "NOTES"
.IX Header "NOTES"
These functions provide lower level access to signatures in certificates
where an application wishes to analyse or generate a signature in a form
where \fBX509_sign()\fR et al is not appropriate (for example a non standard
or unsupported format).
.PP
The security bits returned by \fBX509_get_signature_info()\fR refers to information
available from the certificate signature (such as the signing digest). In some
cases the actual security of the signature is less because the signing
key is less secure: for example a certificate signed using \s-1SHA\-512\s0 and a
1024 bit \s-1RSA\s0 key.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_get_signature_nid()\fR, \fBX509_REQ_get_signature_nid()\fR and
\&\fBX509_CRL_get_signature_nid()\fR return a \s-1NID.\s0
.PP
\&\fBX509_get0_signature()\fR, \fBX509_REQ_get0_signature()\fR and
\&\fBX509_CRL_get0_signature()\fR do not return values.
.PP
\&\fBX509_get_signature_info()\fR returns 1 if the signature information
returned is valid or 0 if the information is not available (e.g.
unknown algorithms or malformed parameters).
.PP
\&\fBX509_REQ_set1_signature_algo()\fR returns 0 on success; or 1 on an
error (e.g. null \s-1ALGO\s0 pointer). X509_REQ_set0_signature does
not return an error value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_X509\fR\|(3),
\&\fBERR_get_error\fR\|(3),
\&\fBX509_CRL_get0_by_serial\fR\|(3),
\&\fBX509_get_ext_d2i\fR\|(3),
\&\fBX509_get_extension_flags\fR\|(3),
\&\fBX509_get_pubkey\fR\|(3),
\&\fBX509_get_subject_name\fR\|(3),
\&\fBX509_get_version\fR\|(3),
\&\fBX509_NAME_add_entry_by_txt\fR\|(3),
\&\fBX509_NAME_ENTRY_get_object\fR\|(3),
\&\fBX509_NAME_get_index_by_NID\fR\|(3),
\&\fBX509_NAME_print_ex\fR\|(3),
\&\fBX509_new\fR\|(3),
\&\fBX509_sign\fR\|(3),
\&\fBX509V3_get_d2i\fR\|(3),
\&\fBX509_verify_cert\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The
\&\fBX509_get0_signature()\fR and \fBX509_get_signature_nid()\fR functions were
added in OpenSSL 1.0.2.
.PP
The
\&\fBX509_REQ_get0_signature()\fR, \fBX509_REQ_get_signature_nid()\fR,
\&\fBX509_CRL_get0_signature()\fR and \fBX509_CRL_get_signature_nid()\fR were
added in OpenSSL 1.1.0.
.PP
The \fBX509_REQ_set0_signature()\fR and \fBX509_REQ_set1_signature_algo()\fR
were added in OpenSSL 1.1.1e.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_get0_uids.3 b/secure/lib/libcrypto/man/man3/X509_get0_uids.3
index 470185c4cd6f..7425ea1f5b78 100644
--- a/secure/lib/libcrypto/man/man3/X509_get0_uids.3
+++ b/secure/lib/libcrypto/man/man3/X509_get0_uids.3
@@ -1,188 +1,188 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_GET0_UIDS 3"
-.TH X509_GET0_UIDS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_GET0_UIDS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_get0_uids \- get certificate unique identifiers
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& void X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid,
\& const ASN1_BIT_STRING **psuid);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBX509_get0_uids()\fR sets \fB*piuid\fR and \fB*psuid\fR to the issuer and subject unique
identifiers of certificate \fBx\fR or \s-1NULL\s0 if the fields are not present.
.SH "NOTES"
.IX Header "NOTES"
The issuer and subject unique identifier fields are very rarely encountered in
practice outside test cases.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_get0_uids()\fR does not return a value.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_X509\fR\|(3),
\&\fBERR_get_error\fR\|(3),
\&\fBX509_CRL_get0_by_serial\fR\|(3),
\&\fBX509_get0_signature\fR\|(3),
\&\fBX509_get_ext_d2i\fR\|(3),
\&\fBX509_get_extension_flags\fR\|(3),
\&\fBX509_get_pubkey\fR\|(3),
\&\fBX509_get_subject_name\fR\|(3),
\&\fBX509_get_version\fR\|(3),
\&\fBX509_NAME_add_entry_by_txt\fR\|(3),
\&\fBX509_NAME_ENTRY_get_object\fR\|(3),
\&\fBX509_NAME_get_index_by_NID\fR\|(3),
\&\fBX509_NAME_print_ex\fR\|(3),
\&\fBX509_new\fR\|(3),
\&\fBX509_sign\fR\|(3),
\&\fBX509V3_get_d2i\fR\|(3),
\&\fBX509_verify_cert\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_get_extension_flags.3 b/secure/lib/libcrypto/man/man3/X509_get_extension_flags.3
index 04851f0ab01d..46e0e54d8969 100644
--- a/secure/lib/libcrypto/man/man3/X509_get_extension_flags.3
+++ b/secure/lib/libcrypto/man/man3/X509_get_extension_flags.3
@@ -1,312 +1,312 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_GET_EXTENSION_FLAGS 3"
-.TH X509_GET_EXTENSION_FLAGS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_GET_EXTENSION_FLAGS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_get0_subject_key_id, X509_get0_authority_key_id, X509_get0_authority_issuer, X509_get0_authority_serial, X509_get_pathlen, X509_get_extension_flags, X509_get_key_usage, X509_get_extended_key_usage, X509_set_proxy_flag, X509_set_proxy_pathlen, X509_get_proxy_pathlen \- retrieve certificate extension data
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509v3.h>
\&
\& long X509_get_pathlen(X509 *x);
\& uint32_t X509_get_extension_flags(X509 *x);
\& uint32_t X509_get_key_usage(X509 *x);
\& uint32_t X509_get_extended_key_usage(X509 *x);
\& const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x);
\& const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x);
\& const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x);
\& const ASN1_INTEGER *X509_get0_authority_serial(X509 *x);
\& void X509_set_proxy_flag(X509 *x);
\& void X509_set_proxy_pathlen(int l);
\& long X509_get_proxy_pathlen(X509 *x);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions retrieve information related to commonly used certificate extensions.
.PP
\&\fBX509_get_pathlen()\fR retrieves the path length extension from a certificate.
This extension is used to limit the length of a cert chain that may be
issued from that \s-1CA.\s0
.PP
\&\fBX509_get_extension_flags()\fR retrieves general information about a certificate,
it will return one or more of the following flags ored together.
.IP "\fB\s-1EXFLAG_V1\s0\fR" 4
.IX Item "EXFLAG_V1"
The certificate is an obsolete version 1 certificate.
.IP "\fB\s-1EXFLAG_BCONS\s0\fR" 4
.IX Item "EXFLAG_BCONS"
The certificate contains a basic constraints extension.
.IP "\fB\s-1EXFLAG_CA\s0\fR" 4
.IX Item "EXFLAG_CA"
The certificate contains basic constraints and asserts the \s-1CA\s0 flag.
.IP "\fB\s-1EXFLAG_PROXY\s0\fR" 4
.IX Item "EXFLAG_PROXY"
The certificate is a valid proxy certificate.
.IP "\fB\s-1EXFLAG_SI\s0\fR" 4
.IX Item "EXFLAG_SI"
The certificate is self issued (that is subject and issuer names match).
.IP "\fB\s-1EXFLAG_SS\s0\fR" 4
.IX Item "EXFLAG_SS"
The subject and issuer names match and extension values imply it is self
signed.
.IP "\fB\s-1EXFLAG_FRESHEST\s0\fR" 4
.IX Item "EXFLAG_FRESHEST"
The freshest \s-1CRL\s0 extension is present in the certificate.
.IP "\fB\s-1EXFLAG_CRITICAL\s0\fR" 4
.IX Item "EXFLAG_CRITICAL"
The certificate contains an unhandled critical extension.
.IP "\fB\s-1EXFLAG_INVALID\s0\fR" 4
.IX Item "EXFLAG_INVALID"
Some certificate extension values are invalid or inconsistent.
The certificate should be rejected.
This bit may also be raised after an out-of-memory error while
processing the X509 object, so it may not be related to the processed
\&\s-1ASN1\s0 object itself.
.IP "\fB\s-1EXFLAG_NO_FINGERPRINT\s0\fR" 4
.IX Item "EXFLAG_NO_FINGERPRINT"
Failed to compute the internal \s-1SHA1\s0 hash value of the certificate.
This may be due to malloc failure or because no \s-1SHA1\s0 implementation was found.
.IP "\fB\s-1EXFLAG_INVALID_POLICY\s0\fR" 4
.IX Item "EXFLAG_INVALID_POLICY"
The NID_certificate_policies certificate extension is invalid or
inconsistent. The certificate should be rejected.
This bit may also be raised after an out-of-memory error while
processing the X509 object, so it may not be related to the processed
\&\s-1ASN1\s0 object itself.
.IP "\fB\s-1EXFLAG_KUSAGE\s0\fR" 4
.IX Item "EXFLAG_KUSAGE"
The certificate contains a key usage extension. The value can be retrieved
using \fBX509_get_key_usage()\fR.
.IP "\fB\s-1EXFLAG_XKUSAGE\s0\fR" 4
.IX Item "EXFLAG_XKUSAGE"
The certificate contains an extended key usage extension. The value can be
retrieved using \fBX509_get_extended_key_usage()\fR.
.PP
\&\fBX509_get_key_usage()\fR returns the value of the key usage extension. If key
usage is present will return zero or more of the flags:
\&\fB\s-1KU_DIGITAL_SIGNATURE\s0\fR, \fB\s-1KU_NON_REPUDIATION\s0\fR, \fB\s-1KU_KEY_ENCIPHERMENT\s0\fR,
\&\fB\s-1KU_DATA_ENCIPHERMENT\s0\fR, \fB\s-1KU_KEY_AGREEMENT\s0\fR, \fB\s-1KU_KEY_CERT_SIGN\s0\fR,
\&\fB\s-1KU_CRL_SIGN\s0\fR, \fB\s-1KU_ENCIPHER_ONLY\s0\fR or \fB\s-1KU_DECIPHER_ONLY\s0\fR corresponding to
individual key usage bits. If key usage is absent then \fB\s-1UINT32_MAX\s0\fR is
returned.
.PP
\&\fBX509_get_extended_key_usage()\fR returns the value of the extended key usage
extension. If extended key usage is present it will return zero or more of the
flags: \fB\s-1XKU_SSL_SERVER\s0\fR, \fB\s-1XKU_SSL_CLIENT\s0\fR, \fB\s-1XKU_SMIME\s0\fR, \fB\s-1XKU_CODE_SIGN\s0\fR
\&\fB\s-1XKU_OCSP_SIGN\s0\fR, \fB\s-1XKU_TIMESTAMP\s0\fR, \fB\s-1XKU_DVCS\s0\fR or \fB\s-1XKU_ANYEKU\s0\fR. These
correspond to the OIDs \fBid-kp-serverAuth\fR, \fBid-kp-clientAuth\fR,
\&\fBid-kp-emailProtection\fR, \fBid-kp-codeSigning\fR, \fBid-kp-OCSPSigning\fR,
\&\fBid-kp-timeStamping\fR, \fBid-kp-dvcs\fR and \fBanyExtendedKeyUsage\fR respectively.
Additionally \fB\s-1XKU_SGC\s0\fR is set if either Netscape or Microsoft \s-1SGC\s0 OIDs are
present.
.PP
\&\fBX509_get0_subject_key_id()\fR returns an internal pointer to the subject key
identifier of \fBx\fR as an \fB\s-1ASN1_OCTET_STRING\s0\fR or \fB\s-1NULL\s0\fR if the extension
is not present or cannot be parsed.
.PP
\&\fBX509_get0_authority_key_id()\fR returns an internal pointer to the authority key
identifier of \fBx\fR as an \fB\s-1ASN1_OCTET_STRING\s0\fR or \fB\s-1NULL\s0\fR if the extension
is not present or cannot be parsed.
.PP
\&\fBX509_get0_authority_issuer()\fR returns an internal pointer to the authority
certificate issuer of \fBx\fR as a stack of \fB\s-1GENERAL_NAME\s0\fR structures or
\&\fB\s-1NULL\s0\fR if the extension is not present or cannot be parsed.
.PP
\&\fBX509_get0_authority_serial()\fR returns an internal pointer to the authority
certificate serial number of \fBx\fR as an \fB\s-1ASN1_INTEGER\s0\fR or \fB\s-1NULL\s0\fR if the
extension is not present or cannot be parsed.
.PP
\&\fBX509_set_proxy_flag()\fR marks the certificate with the \fB\s-1EXFLAG_PROXY\s0\fR flag.
This is for the users who need to mark non\-RFC3820 proxy certificates as
such, as OpenSSL only detects \s-1RFC3820\s0 compliant ones.
.PP
\&\fBX509_set_proxy_pathlen()\fR sets the proxy certificate path length for the given
certificate \fBx\fR. This is for the users who need to mark non\-RFC3820 proxy
certificates as such, as OpenSSL only detects \s-1RFC3820\s0 compliant ones.
.PP
\&\fBX509_get_proxy_pathlen()\fR returns the proxy certificate path length for the
given certificate \fBx\fR if it is a proxy certificate.
.SH "NOTES"
.IX Header "NOTES"
The value of the flags correspond to extension values which are cached
in the \fBX509\fR structure. If the flags returned do not provide sufficient
information an application should examine extension values directly
for example using \fBX509_get_ext_d2i()\fR.
.PP
If the key usage or extended key usage extension is absent then typically usage
is unrestricted. For this reason \fBX509_get_key_usage()\fR and
\&\fBX509_get_extended_key_usage()\fR return \fB\s-1UINT32_MAX\s0\fR when the corresponding
extension is absent. Applications can additionally check the return value of
\&\fBX509_get_extension_flags()\fR and take appropriate action is an extension is
absent.
.PP
If \fBX509_get0_subject_key_id()\fR returns \fB\s-1NULL\s0\fR then the extension may be
absent or malformed. Applications can determine the precise reason using
\&\fBX509_get_ext_d2i()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_get_pathlen()\fR returns the path length value, or \-1 if the extension
is not present.
.PP
\&\fBX509_get_extension_flags()\fR, \fBX509_get_key_usage()\fR and
\&\fBX509_get_extended_key_usage()\fR return sets of flags corresponding to the
certificate extension values.
.PP
\&\fBX509_get0_subject_key_id()\fR returns the subject key identifier as a
pointer to an \fB\s-1ASN1_OCTET_STRING\s0\fR structure or \fB\s-1NULL\s0\fR if the extension
is absent or an error occurred during parsing.
.PP
\&\fBX509_get_proxy_pathlen()\fR returns the path length value if the given
certificate is a proxy one and has a path length set, and \-1 otherwise.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_check_purpose\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBX509_get_pathlen()\fR, \fBX509_set_proxy_flag()\fR, \fBX509_set_proxy_pathlen()\fR and
\&\fBX509_get_proxy_pathlen()\fR were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_get_pubkey.3 b/secure/lib/libcrypto/man/man3/X509_get_pubkey.3
index 2187fc96bce5..56fbae908458 100644
--- a/secure/lib/libcrypto/man/man3/X509_get_pubkey.3
+++ b/secure/lib/libcrypto/man/man3/X509_get_pubkey.3
@@ -1,215 +1,215 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_GET_PUBKEY 3"
-.TH X509_GET_PUBKEY 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_GET_PUBKEY 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_get_pubkey, X509_get0_pubkey, X509_set_pubkey, X509_get_X509_PUBKEY, X509_REQ_get_pubkey, X509_REQ_get0_pubkey, X509_REQ_set_pubkey, X509_REQ_get_X509_PUBKEY \- get or set certificate or certificate request public key
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& EVP_PKEY *X509_get_pubkey(X509 *x);
\& EVP_PKEY *X509_get0_pubkey(const X509 *x);
\& int X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
\& X509_PUBKEY *X509_get_X509_PUBKEY(X509 *x);
\&
\& EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req);
\& EVP_PKEY *X509_REQ_get0_pubkey(X509_REQ *req);
\& int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey);
\& X509_PUBKEY *X509_REQ_get_X509_PUBKEY(X509_REQ *x);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBX509_get_pubkey()\fR attempts to decode the public key for certificate \fBx\fR. If
successful it returns the public key as an \fB\s-1EVP_PKEY\s0\fR pointer with its
reference count incremented: this means the returned key must be freed up
after use. \fBX509_get0_pubkey()\fR is similar except it does \fBnot\fR increment
the reference count of the returned \fB\s-1EVP_PKEY\s0\fR so it must not be freed up
after use.
.PP
\&\fBX509_get_X509_PUBKEY()\fR returns an internal pointer to the \fBX509_PUBKEY\fR
structure which encodes the certificate of \fBx\fR. The returned value
must not be freed up after use.
.PP
\&\fBX509_set_pubkey()\fR attempts to set the public key for certificate \fBx\fR to
\&\fBpkey\fR. The key \fBpkey\fR should be freed up after use.
.PP
\&\fBX509_REQ_get_pubkey()\fR, \fBX509_REQ_get0_pubkey()\fR, \fBX509_REQ_set_pubkey()\fR and
\&\fBX509_REQ_get_X509_PUBKEY()\fR are similar but operate on certificate request \fBreq\fR.
.SH "NOTES"
.IX Header "NOTES"
The first time a public key is decoded the \fB\s-1EVP_PKEY\s0\fR structure is
cached in the certificate or certificate request itself. Subsequent calls
return the cached structure with its reference count incremented to
improve performance.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_get_pubkey()\fR, \fBX509_get0_pubkey()\fR, \fBX509_get_X509_PUBKEY()\fR,
\&\fBX509_REQ_get_pubkey()\fR and \fBX509_REQ_get_X509_PUBKEY()\fR return a public key or
\&\fB\s-1NULL\s0\fR if an error occurred.
.PP
\&\fBX509_set_pubkey()\fR and \fBX509_REQ_set_pubkey()\fR return 1 for success and 0
for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_X509\fR\|(3),
\&\fBERR_get_error\fR\|(3),
\&\fBX509_CRL_get0_by_serial\fR\|(3),
\&\fBX509_get0_signature\fR\|(3),
\&\fBX509_get_ext_d2i\fR\|(3),
\&\fBX509_get_extension_flags\fR\|(3),
\&\fBX509_get_subject_name\fR\|(3),
\&\fBX509_get_version\fR\|(3),
\&\fBX509_NAME_add_entry_by_txt\fR\|(3),
\&\fBX509_NAME_ENTRY_get_object\fR\|(3),
\&\fBX509_NAME_get_index_by_NID\fR\|(3),
\&\fBX509_NAME_print_ex\fR\|(3),
\&\fBX509_new\fR\|(3),
\&\fBX509_sign\fR\|(3),
\&\fBX509V3_get_d2i\fR\|(3),
\&\fBX509_verify_cert\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_get_serialNumber.3 b/secure/lib/libcrypto/man/man3/X509_get_serialNumber.3
index 77de5cfaf0d8..7a500918701f 100644
--- a/secure/lib/libcrypto/man/man3/X509_get_serialNumber.3
+++ b/secure/lib/libcrypto/man/man3/X509_get_serialNumber.3
@@ -1,200 +1,200 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_GET_SERIALNUMBER 3"
-.TH X509_GET_SERIALNUMBER 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_GET_SERIALNUMBER 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_get_serialNumber, X509_get0_serialNumber, X509_set_serialNumber \&\- get or set certificate serial number
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& ASN1_INTEGER *X509_get_serialNumber(X509 *x);
\& const ASN1_INTEGER *X509_get0_serialNumber(const X509 *x);
\& int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBX509_get_serialNumber()\fR returns the serial number of certificate \fBx\fR as an
\&\fB\s-1ASN1_INTEGER\s0\fR structure which can be examined or initialised. The value
returned is an internal pointer which \fB\s-1MUST NOT\s0\fR be freed up after the call.
.PP
\&\fBX509_get0_serialNumber()\fR is the same as \fBX509_get_serialNumber()\fR except it
accepts a const parameter and returns a const result.
.PP
\&\fBX509_set_serialNumber()\fR sets the serial number of certificate \fBx\fR to
\&\fBserial\fR. A copy of the serial number is used internally so \fBserial\fR should
be freed up after use.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_get_serialNumber()\fR and \fBX509_get0_serialNumber()\fR return an \fB\s-1ASN1_INTEGER\s0\fR
structure.
.PP
\&\fBX509_set_serialNumber()\fR returns 1 for success and 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_X509\fR\|(3),
\&\fBERR_get_error\fR\|(3),
\&\fBX509_CRL_get0_by_serial\fR\|(3),
\&\fBX509_get0_signature\fR\|(3),
\&\fBX509_get_ext_d2i\fR\|(3),
\&\fBX509_get_extension_flags\fR\|(3),
\&\fBX509_get_pubkey\fR\|(3),
\&\fBX509_get_subject_name\fR\|(3),
\&\fBX509_NAME_add_entry_by_txt\fR\|(3),
\&\fBX509_NAME_ENTRY_get_object\fR\|(3),
\&\fBX509_NAME_get_index_by_NID\fR\|(3),
\&\fBX509_NAME_print_ex\fR\|(3),
\&\fBX509_new\fR\|(3),
\&\fBX509_sign\fR\|(3),
\&\fBX509V3_get_d2i\fR\|(3),
\&\fBX509_verify_cert\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBX509_get_serialNumber()\fR and \fBX509_set_serialNumber()\fR functions are
available in all versions of OpenSSL.
The \fBX509_get0_serialNumber()\fR function was added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_get_subject_name.3 b/secure/lib/libcrypto/man/man3/X509_get_subject_name.3
index a07667186161..3a8b37224c29 100644
--- a/secure/lib/libcrypto/man/man3/X509_get_subject_name.3
+++ b/secure/lib/libcrypto/man/man3/X509_get_subject_name.3
@@ -1,214 +1,214 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_GET_SUBJECT_NAME 3"
-.TH X509_GET_SUBJECT_NAME 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_GET_SUBJECT_NAME 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_get_subject_name, X509_set_subject_name, X509_get_issuer_name, X509_set_issuer_name, X509_REQ_get_subject_name, X509_REQ_set_subject_name, X509_CRL_get_issuer, X509_CRL_set_issuer_name \- get and set issuer or subject names
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& X509_NAME *X509_get_subject_name(const X509 *x);
\& int X509_set_subject_name(X509 *x, X509_NAME *name);
\&
\& X509_NAME *X509_get_issuer_name(const X509 *x);
\& int X509_set_issuer_name(X509 *x, X509_NAME *name);
\&
\& X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req);
\& int X509_REQ_set_subject_name(X509_REQ *req, X509_NAME *name);
\&
\& X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl);
\& int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBX509_get_subject_name()\fR returns the subject name of certificate \fBx\fR. The
returned value is an internal pointer which \fB\s-1MUST NOT\s0\fR be freed.
.PP
\&\fBX509_set_subject_name()\fR sets the issuer name of certificate \fBx\fR to
\&\fBname\fR. The \fBname\fR parameter is copied internally and should be freed
up when it is no longer needed.
.PP
\&\fBX509_get_issuer_name()\fR and \fBX509_set_issuer_name()\fR are identical to
\&\fBX509_get_subject_name()\fR and \fBX509_set_subject_name()\fR except the get and
set the issuer name of \fBx\fR.
.PP
Similarly \fBX509_REQ_get_subject_name()\fR, \fBX509_REQ_set_subject_name()\fR,
\&\fBX509_CRL_get_issuer()\fR and \fBX509_CRL_set_issuer_name()\fR get or set the subject
or issuer names of certificate requests of CRLs respectively.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_get_subject_name()\fR, \fBX509_get_issuer_name()\fR, \fBX509_REQ_get_subject_name()\fR
and \fBX509_CRL_get_issuer()\fR return an \fBX509_NAME\fR pointer.
.PP
\&\fBX509_set_subject_name()\fR, \fBX509_set_issuer_name()\fR, \fBX509_REQ_set_subject_name()\fR
and \fBX509_CRL_set_issuer_name()\fR return 1 for success and 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_X509\fR\|(3),
\&\fBERR_get_error\fR\|(3), \fBd2i_X509\fR\|(3)
\&\fBX509_CRL_get0_by_serial\fR\|(3),
\&\fBX509_get0_signature\fR\|(3),
\&\fBX509_get_ext_d2i\fR\|(3),
\&\fBX509_get_extension_flags\fR\|(3),
\&\fBX509_get_pubkey\fR\|(3),
\&\fBX509_NAME_add_entry_by_txt\fR\|(3),
\&\fBX509_NAME_ENTRY_get_object\fR\|(3),
\&\fBX509_NAME_get_index_by_NID\fR\|(3),
\&\fBX509_NAME_print_ex\fR\|(3),
\&\fBX509_new\fR\|(3),
\&\fBX509_sign\fR\|(3),
\&\fBX509V3_get_d2i\fR\|(3),
\&\fBX509_verify_cert\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBX509_REQ_get_subject_name()\fR is a function in OpenSSL 1.1.0 and a macro in
earlier versions.
.PP
\&\fBX509_CRL_get_issuer()\fR is a function in OpenSSL 1.1.0. It was previously
added in OpenSSL 1.0.0 as a macro.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_get_version.3 b/secure/lib/libcrypto/man/man3/X509_get_version.3
index f424890a4b93..1dcc06f8ddf5 100644
--- a/secure/lib/libcrypto/man/man3/X509_get_version.3
+++ b/secure/lib/libcrypto/man/man3/X509_get_version.3
@@ -1,211 +1,211 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_GET_VERSION 3"
-.TH X509_GET_VERSION 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_GET_VERSION 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_get_version, X509_set_version, X509_REQ_get_version, X509_REQ_set_version, X509_CRL_get_version, X509_CRL_set_version \- get or set certificate, certificate request or CRL version
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& long X509_get_version(const X509 *x);
\& int X509_set_version(X509 *x, long version);
\&
\& long X509_REQ_get_version(const X509_REQ *req);
\& int X509_REQ_set_version(X509_REQ *x, long version);
\&
\& long X509_CRL_get_version(const X509_CRL *crl);
\& int X509_CRL_set_version(X509_CRL *x, long version);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBX509_get_version()\fR returns the numerical value of the version field of
certificate \fBx\fR. Note: this is defined by standards (X.509 et al) to be one
less than the certificate version. So a version 3 certificate will return 2 and
a version 1 certificate will return 0.
.PP
\&\fBX509_set_version()\fR sets the numerical value of the version field of certificate
\&\fBx\fR to \fBversion\fR.
.PP
Similarly \fBX509_REQ_get_version()\fR, \fBX509_REQ_set_version()\fR,
\&\fBX509_CRL_get_version()\fR and \fBX509_CRL_set_version()\fR get and set the version
number of certificate requests and CRLs.
.SH "NOTES"
.IX Header "NOTES"
The version field of certificates, certificate requests and CRLs has a
\&\s-1DEFAULT\s0 value of \fB\fBv1\fB\|(0)\fR meaning the field should be omitted for version
1. This is handled transparently by these functions.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_get_version()\fR, \fBX509_REQ_get_version()\fR and \fBX509_CRL_get_version()\fR
return the numerical value of the version field.
.PP
\&\fBX509_set_version()\fR, \fBX509_REQ_set_version()\fR and \fBX509_CRL_set_version()\fR
return 1 for success and 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_X509\fR\|(3),
\&\fBERR_get_error\fR\|(3),
\&\fBX509_CRL_get0_by_serial\fR\|(3),
\&\fBX509_get0_signature\fR\|(3),
\&\fBX509_get_ext_d2i\fR\|(3),
\&\fBX509_get_extension_flags\fR\|(3),
\&\fBX509_get_pubkey\fR\|(3),
\&\fBX509_get_subject_name\fR\|(3),
\&\fBX509_NAME_add_entry_by_txt\fR\|(3),
\&\fBX509_NAME_ENTRY_get_object\fR\|(3),
\&\fBX509_NAME_get_index_by_NID\fR\|(3),
\&\fBX509_NAME_print_ex\fR\|(3),
\&\fBX509_new\fR\|(3),
\&\fBX509_sign\fR\|(3),
\&\fBX509V3_get_d2i\fR\|(3),
\&\fBX509_verify_cert\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBX509_get_version()\fR, \fBX509_REQ_get_version()\fR and \fBX509_CRL_get_version()\fR are
functions in OpenSSL 1.1.0, in previous versions they were macros.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_new.3 b/secure/lib/libcrypto/man/man3/X509_new.3
index 5a1f63dace63..eeab5b08713e 100644
--- a/secure/lib/libcrypto/man/man3/X509_new.3
+++ b/secure/lib/libcrypto/man/man3/X509_new.3
@@ -1,213 +1,213 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_NEW 3"
-.TH X509_NEW 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_NEW 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_chain_up_ref, X509_new, X509_free, X509_up_ref \- X509 certificate ASN1 allocation functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& X509 *X509_new(void);
\& void X509_free(X509 *a);
\& int X509_up_ref(X509 *a);
\& STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *x);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The X509 \s-1ASN1\s0 allocation routines, allocate and free an
X509 structure, which represents an X509 certificate.
.PP
\&\fBX509_new()\fR allocates and initializes a X509 structure with reference count
\&\fB1\fR.
.PP
\&\fBX509_free()\fR decrements the reference count of \fBX509\fR structure \fBa\fR and
frees it up if the reference count is zero. If \fBa\fR is \s-1NULL\s0 nothing is done.
.PP
\&\fBX509_up_ref()\fR increments the reference count of \fBa\fR.
.PP
\&\fBX509_chain_up_ref()\fR increases the reference count of all certificates in
chain \fBx\fR and returns a copy of the stack.
.SH "NOTES"
.IX Header "NOTES"
The function \fBX509_up_ref()\fR if useful if a certificate structure is being
used by several different operations each of which will free it up after
use: this avoids the need to duplicate the entire certificate structure.
.PP
The function \fBX509_chain_up_ref()\fR doesn't just up the reference count of
each certificate it also returns a copy of the stack, using \fBsk_X509_dup()\fR,
but it serves a similar purpose: the returned chain persists after the
original has been freed.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
If the allocation fails, \fBX509_new()\fR returns \fB\s-1NULL\s0\fR and sets an error
code that can be obtained by \fBERR_get_error\fR\|(3).
Otherwise it returns a pointer to the newly allocated structure.
.PP
\&\fBX509_up_ref()\fR returns 1 for success and 0 for failure.
.PP
\&\fBX509_chain_up_ref()\fR returns a copy of the stack or \fB\s-1NULL\s0\fR if an error
occurred.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_X509\fR\|(3),
\&\fBERR_get_error\fR\|(3),
\&\fBX509_CRL_get0_by_serial\fR\|(3),
\&\fBX509_get0_signature\fR\|(3),
\&\fBX509_get_ext_d2i\fR\|(3),
\&\fBX509_get_extension_flags\fR\|(3),
\&\fBX509_get_pubkey\fR\|(3),
\&\fBX509_get_subject_name\fR\|(3),
\&\fBX509_get_version\fR\|(3),
\&\fBX509_NAME_add_entry_by_txt\fR\|(3),
\&\fBX509_NAME_ENTRY_get_object\fR\|(3),
\&\fBX509_NAME_get_index_by_NID\fR\|(3),
\&\fBX509_NAME_print_ex\fR\|(3),
\&\fBX509_sign\fR\|(3),
\&\fBX509V3_get_d2i\fR\|(3),
\&\fBX509_verify_cert\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_sign.3 b/secure/lib/libcrypto/man/man3/X509_sign.3
index b1a227cf7732..1cd6e95b249e 100644
--- a/secure/lib/libcrypto/man/man3/X509_sign.3
+++ b/secure/lib/libcrypto/man/man3/X509_sign.3
@@ -1,227 +1,227 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_SIGN 3"
-.TH X509_SIGN 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_SIGN 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_sign, X509_sign_ctx, X509_verify, X509_REQ_sign, X509_REQ_sign_ctx, X509_REQ_verify, X509_CRL_sign, X509_CRL_sign_ctx, X509_CRL_verify \- sign or verify certificate, certificate request or CRL signature
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
\& int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx);
\& int X509_verify(X509 *a, EVP_PKEY *r);
\&
\& int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
\& int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx);
\& int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
\&
\& int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
\& int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx);
\& int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBX509_sign()\fR signs certificate \fBx\fR using private key \fBpkey\fR and message
digest \fBmd\fR and sets the signature in \fBx\fR. \fBX509_sign_ctx()\fR also signs
certificate \fBx\fR but uses the parameters contained in digest context \fBctx\fR.
.PP
\&\fBX509_verify()\fR verifies the signature of certificate \fBx\fR using public key
\&\fBpkey\fR. Only the signature is checked: no other checks (such as certificate
chain validity) are performed.
.PP
\&\fBX509_REQ_sign()\fR, \fBX509_REQ_sign_ctx()\fR, \fBX509_REQ_verify()\fR,
\&\fBX509_CRL_sign()\fR, \fBX509_CRL_sign_ctx()\fR and \fBX509_CRL_verify()\fR sign and verify
certificate requests and CRLs respectively.
.SH "NOTES"
.IX Header "NOTES"
\&\fBX509_sign_ctx()\fR is used where the default parameters for the corresponding
public key and digest are not suitable. It can be used to sign keys using
RSA-PSS for example.
.PP
For efficiency reasons and to work around \s-1ASN.1\s0 encoding issues the encoding
of the signed portion of a certificate, certificate request and \s-1CRL\s0 is cached
internally. If the signed portion of the structure is modified the encoding
is not always updated meaning a stale version is sometimes used. This is not
normally a problem because modifying the signed portion will invalidate the
signature and signing will always update the encoding.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_sign()\fR, \fBX509_sign_ctx()\fR, \fBX509_REQ_sign()\fR, \fBX509_REQ_sign_ctx()\fR,
\&\fBX509_CRL_sign()\fR and \fBX509_CRL_sign_ctx()\fR return the size of the signature
in bytes for success and zero for failure.
.PP
\&\fBX509_verify()\fR, \fBX509_REQ_verify()\fR and \fBX509_CRL_verify()\fR return 1 if the
signature is valid and 0 if the signature check fails. If the signature
could not be checked at all because it was invalid or some other error
occurred then \-1 is returned.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_X509\fR\|(3),
\&\fBERR_get_error\fR\|(3),
\&\fBX509_CRL_get0_by_serial\fR\|(3),
\&\fBX509_get0_signature\fR\|(3),
\&\fBX509_get_ext_d2i\fR\|(3),
\&\fBX509_get_extension_flags\fR\|(3),
\&\fBX509_get_pubkey\fR\|(3),
\&\fBX509_get_subject_name\fR\|(3),
\&\fBX509_get_version\fR\|(3),
\&\fBX509_NAME_add_entry_by_txt\fR\|(3),
\&\fBX509_NAME_ENTRY_get_object\fR\|(3),
\&\fBX509_NAME_get_index_by_NID\fR\|(3),
\&\fBX509_NAME_print_ex\fR\|(3),
\&\fBX509_new\fR\|(3),
\&\fBX509V3_get_d2i\fR\|(3),
\&\fBX509_verify_cert\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBX509_sign()\fR, \fBX509_REQ_sign()\fR and \fBX509_CRL_sign()\fR functions are
available in all versions of OpenSSL.
.PP
The \fBX509_sign_ctx()\fR, \fBX509_REQ_sign_ctx()\fR
and \fBX509_CRL_sign_ctx()\fR functions were added OpenSSL 1.0.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509_verify_cert.3 b/secure/lib/libcrypto/man/man3/X509_verify_cert.3
index 030c9c26edfd..5355b651ef6a 100644
--- a/secure/lib/libcrypto/man/man3/X509_verify_cert.3
+++ b/secure/lib/libcrypto/man/man3/X509_verify_cert.3
@@ -1,190 +1,190 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509_VERIFY_CERT 3"
-.TH X509_VERIFY_CERT 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509_VERIFY_CERT 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509_verify_cert \- discover and verify X509 certificate chain
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& int X509_verify_cert(X509_STORE_CTX *ctx);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBX509_verify_cert()\fR function attempts to discover and validate a
certificate chain based on parameters in \fBctx\fR. A complete description of
the process is contained in the \fBverify\fR\|(1) manual page.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
If a complete chain can be built and validated this function returns 1,
otherwise it return zero, in exceptional circumstances it can also
return a negative code.
.PP
If the function fails additional error information can be obtained by
examining \fBctx\fR using, for example \fBX509_STORE_CTX_get_error()\fR.
.SH "NOTES"
.IX Header "NOTES"
Applications rarely call this function directly but it is used by
OpenSSL internally for certificate validation, in both the S/MIME and
\&\s-1SSL/TLS\s0 code.
.PP
A negative return value from \fBX509_verify_cert()\fR can occur if it is invoked
incorrectly, such as with no certificate set in \fBctx\fR, or when it is called
twice in succession without reinitialising \fBctx\fR for the second call.
A negative return value can also happen due to internal resource problems or if
a retry operation is requested during internal lookups (which never happens
with standard lookup methods).
Applications must check for <= 0 return value on error.
.SH "BUGS"
.IX Header "BUGS"
This function uses the header \fBx509.h\fR as opposed to most chain verification
functions which use \fBx509_vfy.h\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_STORE_CTX_get_error\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2009\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/X509v3_get_ext_by_NID.3 b/secure/lib/libcrypto/man/man3/X509v3_get_ext_by_NID.3
index 2b14b0580a8e..9a3550b7c1b1 100644
--- a/secure/lib/libcrypto/man/man3/X509v3_get_ext_by_NID.3
+++ b/secure/lib/libcrypto/man/man3/X509v3_get_ext_by_NID.3
@@ -1,264 +1,264 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509V3_GET_EXT_BY_NID 3"
-.TH X509V3_GET_EXT_BY_NID 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509V3_GET_EXT_BY_NID 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X509v3_get_ext_count, X509v3_get_ext, X509v3_get_ext_by_NID, X509v3_get_ext_by_OBJ, X509v3_get_ext_by_critical, X509v3_delete_ext, X509v3_add_ext, X509_get_ext_count, X509_get_ext, X509_get_ext_by_NID, X509_get_ext_by_OBJ, X509_get_ext_by_critical, X509_delete_ext, X509_add_ext, X509_CRL_get_ext_count, X509_CRL_get_ext, X509_CRL_get_ext_by_NID, X509_CRL_get_ext_by_OBJ, X509_CRL_get_ext_by_critical, X509_CRL_delete_ext, X509_CRL_add_ext, X509_REVOKED_get_ext_count, X509_REVOKED_get_ext, X509_REVOKED_get_ext_by_NID, X509_REVOKED_get_ext_by_OBJ, X509_REVOKED_get_ext_by_critical, X509_REVOKED_delete_ext, X509_REVOKED_add_ext \- extension stack utility functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x);
\& X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc);
\&
\& int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x,
\& int nid, int lastpos);
\& int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *x,
\& const ASN1_OBJECT *obj, int lastpos);
\& int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *x,
\& int crit, int lastpos);
\& X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc);
\& STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
\& X509_EXTENSION *ex, int loc);
\&
\& int X509_get_ext_count(const X509 *x);
\& X509_EXTENSION *X509_get_ext(const X509 *x, int loc);
\& int X509_get_ext_by_NID(const X509 *x, int nid, int lastpos);
\& int X509_get_ext_by_OBJ(const X509 *x, const ASN1_OBJECT *obj, int lastpos);
\& int X509_get_ext_by_critical(const X509 *x, int crit, int lastpos);
\& X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
\& int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
\&
\& int X509_CRL_get_ext_count(const X509_CRL *x);
\& X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc);
\& int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, int lastpos);
\& int X509_CRL_get_ext_by_OBJ(const X509_CRL *x, const ASN1_OBJECT *obj, int lastpos);
\& int X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit, int lastpos);
\& X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc);
\& int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc);
\&
\& int X509_REVOKED_get_ext_count(const X509_REVOKED *x);
\& X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x, int loc);
\& int X509_REVOKED_get_ext_by_NID(const X509_REVOKED *x, int nid, int lastpos);
\& int X509_REVOKED_get_ext_by_OBJ(const X509_REVOKED *x, const ASN1_OBJECT *obj,
\& int lastpos);
\& int X509_REVOKED_get_ext_by_critical(const X509_REVOKED *x, int crit, int lastpos);
\& X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc);
\& int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBX509v3_get_ext_count()\fR retrieves the number of extensions in \fBx\fR.
.PP
\&\fBX509v3_get_ext()\fR retrieves extension \fBloc\fR from \fBx\fR. The index \fBloc\fR
can take any value from \fB0\fR to X509_get_ext_count(x) \- 1. The returned
extension is an internal pointer which \fBmust not\fR be freed up by the
application.
.PP
\&\fBX509v3_get_ext_by_NID()\fR and \fBX509v3_get_ext_by_OBJ()\fR look for an extension
with \fBnid\fR or \fBobj\fR from extension stack \fBx\fR. The search starts from the
extension after \fBlastpos\fR or from the beginning if <lastpos> is \fB\-1\fR. If
the extension is found its index is returned otherwise \fB\-1\fR is returned.
.PP
\&\fBX509v3_get_ext_by_critical()\fR is similar to \fBX509v3_get_ext_by_NID()\fR except it
looks for an extension of criticality \fBcrit\fR. A zero value for \fBcrit\fR
looks for a non-critical extension a nonzero value looks for a critical
extension.
.PP
\&\fBX509v3_delete_ext()\fR deletes the extension with index \fBloc\fR from \fBx\fR. The
deleted extension is returned and must be freed by the caller. If \fBloc\fR
is in invalid index value \fB\s-1NULL\s0\fR is returned.
.PP
\&\fBX509v3_add_ext()\fR adds extension \fBex\fR to stack \fB*x\fR at position \fBloc\fR. If
\&\fBloc\fR is \fB\-1\fR the new extension is added to the end. If \fB*x\fR is \fB\s-1NULL\s0\fR
a new stack will be allocated. The passed extension \fBex\fR is duplicated
internally so it must be freed after use.
.PP
\&\fBX509_get_ext_count()\fR, \fBX509_get_ext()\fR, \fBX509_get_ext_by_NID()\fR,
\&\fBX509_get_ext_by_OBJ()\fR, \fBX509_get_ext_by_critical()\fR, \fBX509_delete_ext()\fR
and \fBX509_add_ext()\fR operate on the extensions of certificate \fBx\fR they are
otherwise identical to the X509v3 functions.
.PP
\&\fBX509_CRL_get_ext_count()\fR, \fBX509_CRL_get_ext()\fR, \fBX509_CRL_get_ext_by_NID()\fR,
\&\fBX509_CRL_get_ext_by_OBJ()\fR, \fBX509_CRL_get_ext_by_critical()\fR,
\&\fBX509_CRL_delete_ext()\fR and \fBX509_CRL_add_ext()\fR operate on the extensions of
\&\s-1CRL\s0 \fBx\fR they are otherwise identical to the X509v3 functions.
.PP
\&\fBX509_REVOKED_get_ext_count()\fR, \fBX509_REVOKED_get_ext()\fR,
\&\fBX509_REVOKED_get_ext_by_NID()\fR, \fBX509_REVOKED_get_ext_by_OBJ()\fR,
\&\fBX509_REVOKED_get_ext_by_critical()\fR, \fBX509_REVOKED_delete_ext()\fR and
\&\fBX509_REVOKED_add_ext()\fR operate on the extensions of \s-1CRL\s0 entry \fBx\fR
they are otherwise identical to the X509v3 functions.
.SH "NOTES"
.IX Header "NOTES"
These functions are used to examine stacks of extensions directly. Many
applications will want to parse or encode and add an extension: they should
use the extension encode and decode functions instead such as
\&\fBX509_add1_ext_i2d()\fR and \fBX509_get_ext_d2i()\fR.
.PP
Extension indices start from zero, so a zero index return value is \fBnot\fR an
error. These search functions start from the extension \fBafter\fR the \fBlastpos\fR
parameter so it should initially be set to \fB\-1\fR, if it is set to zero the
initial extension will not be checked.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509v3_get_ext_count()\fR returns the extension count.
.PP
\&\fBX509v3_get_ext()\fR, \fBX509v3_delete_ext()\fR and \fBX509_delete_ext()\fR return an
\&\fBX509_EXTENSION\fR pointer or \fB\s-1NULL\s0\fR if an error occurs.
.PP
\&\fBX509v3_get_ext_by_NID()\fR \fBX509v3_get_ext_by_OBJ()\fR and
\&\fBX509v3_get_ext_by_critical()\fR return the an extension index or \fB\-1\fR if an
error occurs.
.PP
\&\fBX509v3_add_ext()\fR returns a stack of extensions or \fB\s-1NULL\s0\fR on error.
.PP
\&\fBX509_add_ext()\fR returns 1 on success and 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509V3_get_d2i\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2015\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/d2i_DHparams.3 b/secure/lib/libcrypto/man/man3/d2i_DHparams.3
index 19f70956918e..85f31f2fe63c 100644
--- a/secure/lib/libcrypto/man/man3/d2i_DHparams.3
+++ b/secure/lib/libcrypto/man/man3/d2i_DHparams.3
@@ -1,174 +1,174 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "D2I_DHPARAMS 3"
-.TH D2I_DHPARAMS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH D2I_DHPARAMS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
d2i_DHparams, i2d_DHparams \- PKCS#3 DH parameter functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/dh.h>
\&
\& DH *d2i_DHparams(DH **a, const unsigned char **pp, long length);
\& int i2d_DHparams(DH *a, unsigned char **pp);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions decode and encode PKCS#3 \s-1DH\s0 parameters using the
DHparameter structure described in PKCS#3.
.PP
Otherwise these behave in a similar way to \fBd2i_X509()\fR and \fBi2d_X509()\fR
described in the \fBd2i_X509\fR\|(3) manual page.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBd2i_DHparams()\fR returns a valid \fB\s-1DH\s0\fR structure or \s-1NULL\s0 if an error occurred.
.PP
\&\fBi2d_DHparams()\fR returns the length of encoded data on success or a value which
is less than or equal to 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_X509\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/d2i_PKCS8PrivateKey_bio.3 b/secure/lib/libcrypto/man/man3/d2i_PKCS8PrivateKey_bio.3
index 3e9a835b31b4..2c5a508773c9 100644
--- a/secure/lib/libcrypto/man/man3/d2i_PKCS8PrivateKey_bio.3
+++ b/secure/lib/libcrypto/man/man3/d2i_PKCS8PrivateKey_bio.3
@@ -1,203 +1,203 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "D2I_PKCS8PRIVATEKEY_BIO 3"
-.TH D2I_PKCS8PRIVATEKEY_BIO 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH D2I_PKCS8PRIVATEKEY_BIO 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
d2i_PKCS8PrivateKey_bio, d2i_PKCS8PrivateKey_fp, i2d_PKCS8PrivateKey_bio, i2d_PKCS8PrivateKey_fp, i2d_PKCS8PrivateKey_nid_bio, i2d_PKCS8PrivateKey_nid_fp \- PKCS#8 format private key functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u);
\& EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u);
\&
\& int i2d_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
\& char *kstr, int klen,
\& pem_password_cb *cb, void *u);
\&
\& int i2d_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
\& char *kstr, int klen,
\& pem_password_cb *cb, void *u);
\&
\& int i2d_PKCS8PrivateKey_nid_bio(BIO *bp, EVP_PKEY *x, int nid,
\& char *kstr, int klen,
\& pem_password_cb *cb, void *u);
\&
\& int i2d_PKCS8PrivateKey_nid_fp(FILE *fp, EVP_PKEY *x, int nid,
\& char *kstr, int klen,
\& pem_password_cb *cb, void *u);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The PKCS#8 functions encode and decode private keys in PKCS#8 format using both
PKCS#5 v1.5 and PKCS#5 v2.0 password based encryption algorithms.
.PP
Other than the use of \s-1DER\s0 as opposed to \s-1PEM\s0 these functions are identical to the
corresponding \fB\s-1PEM\s0\fR function as described in \fBPEM_read_PrivateKey\fR\|(3).
.SH "NOTES"
.IX Header "NOTES"
These functions are currently the only way to store encrypted private keys using \s-1DER\s0 format.
.PP
Currently all the functions use BIOs or \s-1FILE\s0 pointers, there are no functions which
work directly on memory: this can be readily worked around by converting the buffers
to memory BIOs, see \fBBIO_s_mem\fR\|(3) for details.
.PP
These functions make no assumption regarding the pass phrase received from the
password callback.
It will simply be treated as a byte sequence.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBd2i_PKCS8PrivateKey_bio()\fR and \fBd2i_PKCS8PrivateKey_fp()\fR return a valid \fB\s-1EVP_PKEY\s0\fR
structure or \s-1NULL\s0 if an error occurred.
.PP
\&\fBi2d_PKCS8PrivateKey_bio()\fR, \fBi2d_PKCS8PrivateKey_fp()\fR, \fBi2d_PKCS8PrivateKey_nid_bio()\fR
and \fBi2d_PKCS8PrivateKey_nid_fp()\fR return 1 on success or 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBPEM_read_PrivateKey\fR\|(3),
\&\fBpassphrase\-encoding\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/d2i_PrivateKey.3 b/secure/lib/libcrypto/man/man3/d2i_PrivateKey.3
index 88799f9e2691..09d71e11c3b5 100644
--- a/secure/lib/libcrypto/man/man3/d2i_PrivateKey.3
+++ b/secure/lib/libcrypto/man/man3/d2i_PrivateKey.3
@@ -1,213 +1,213 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "D2I_PRIVATEKEY 3"
-.TH D2I_PRIVATEKEY 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH D2I_PRIVATEKEY 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
d2i_PrivateKey, d2i_PublicKey, d2i_AutoPrivateKey, i2d_PrivateKey, i2d_PublicKey, d2i_PrivateKey_bio, d2i_PrivateKey_fp \&\- decode and encode functions for reading and saving EVP_PKEY structures
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
\&
\& EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp,
\& long length);
\& EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp,
\& long length);
\& EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp,
\& long length);
\& int i2d_PrivateKey(EVP_PKEY *a, unsigned char **pp);
\& int i2d_PublicKey(EVP_PKEY *a, unsigned char **pp);
\&
\& EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a);
\& EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a)
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBd2i_PrivateKey()\fR decodes a private key using algorithm \fBtype\fR. It attempts to
use any key specific format or PKCS#8 unencrypted PrivateKeyInfo format. The
\&\fBtype\fR parameter should be a public key algorithm constant such as
\&\fB\s-1EVP_PKEY_RSA\s0\fR. An error occurs if the decoded key does not match \fBtype\fR.
\&\fBd2i_PublicKey()\fR does the same for public keys.
.PP
\&\fBd2i_AutoPrivateKey()\fR is similar to \fBd2i_PrivateKey()\fR except it attempts to
automatically detect the private key format.
.PP
\&\fBi2d_PrivateKey()\fR encodes \fBkey\fR. It uses a key specific format or, if none is
defined for that key type, PKCS#8 unencrypted PrivateKeyInfo format.
\&\fBi2d_PublicKey()\fR does the same for public keys.
.PP
These functions are similar to the \fBd2i_X509()\fR functions; see \fBd2i_X509\fR\|(3).
.SH "NOTES"
.IX Header "NOTES"
All the functions that operate on data in memory update the data pointer \fI*pp\fR
after a successful operation, just like the other d2i and i2d functions;
see \fBd2i_X509\fR\|(3).
.PP
All these functions use \s-1DER\s0 format and unencrypted keys. Applications wishing
to encrypt or decrypt private keys should use other functions such as
\&\fBd2i_PKCS8PrivateKey()\fR instead.
.PP
If the \fB*a\fR is not \s-1NULL\s0 when calling \fBd2i_PrivateKey()\fR or \fBd2i_AutoPrivateKey()\fR
(i.e. an existing structure is being reused) and the key format is PKCS#8
then \fB*a\fR will be freed and replaced on a successful call.
.PP
To decode a key with type \fB\s-1EVP_PKEY_EC\s0\fR, \fBd2i_PublicKey()\fR requires \fB*a\fR to be
a non-NULL \s-1EVP_PKEY\s0 structure assigned an \s-1EC_KEY\s0 structure referencing the proper
\&\s-1EC_GROUP.\s0
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
The \fBd2i_PrivateKey()\fR, \fBd2i_AutoPrivateKey()\fR, \fBd2i_PrivateKey_bio()\fR, \fBd2i_PrivateKey_fp()\fR,
and \fBd2i_PublicKey()\fR functions return a valid \fB\s-1EVP_KEY\s0\fR structure or \fB\s-1NULL\s0\fR if an
error occurs. The error code can be obtained by calling \fBERR_get_error\fR\|(3).
.PP
\&\fBi2d_PrivateKey()\fR and \fBi2d_PublicKey()\fR return the number of bytes successfully
encoded or a negative value if an error occurs. The error code can be obtained
by calling \fBERR_get_error\fR\|(3).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrypto\fR\|(7),
\&\fBd2i_PKCS8PrivateKey_bio\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/d2i_SSL_SESSION.3 b/secure/lib/libcrypto/man/man3/d2i_SSL_SESSION.3
index decaffc59b48..b1f6079e2fa7 100644
--- a/secure/lib/libcrypto/man/man3/d2i_SSL_SESSION.3
+++ b/secure/lib/libcrypto/man/man3/d2i_SSL_SESSION.3
@@ -1,182 +1,182 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "D2I_SSL_SESSION 3"
-.TH D2I_SSL_SESSION 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH D2I_SSL_SESSION 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
d2i_SSL_SESSION, i2d_SSL_SESSION \- convert SSL_SESSION object from/to ASN1 representation
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ssl.h>
\&
\& SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
\& long length);
\& int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
These functions decode and encode an \s-1SSL_SESSION\s0 object.
For encoding details see \fBd2i_X509\fR\|(3).
.PP
\&\s-1SSL_SESSION\s0 objects keep internal link information about the session cache
list, when being inserted into one \s-1SSL_CTX\s0 object's session cache.
One \s-1SSL_SESSION\s0 object, regardless of its reference count, must therefore
only be used with one \s-1SSL_CTX\s0 object (and the \s-1SSL\s0 objects created
from this \s-1SSL_CTX\s0 object).
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBd2i_SSL_SESSION()\fR returns a pointer to the newly allocated \s-1SSL_SESSION\s0
object. In case of failure the NULL-pointer is returned and the error message
can be retrieved from the error stack.
.PP
\&\fBi2d_SSL_SESSION()\fR returns the size of the \s-1ASN1\s0 representation in bytes.
When the session is not valid, \fB0\fR is returned and no operation is performed.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBssl\fR\|(7), \fBSSL_SESSION_free\fR\|(3),
\&\fBSSL_CTX_sess_set_get_cb\fR\|(3),
\&\fBd2i_X509\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/d2i_X509.3 b/secure/lib/libcrypto/man/man3/d2i_X509.3
index 3ec48c146781..a9b751876de6 100644
--- a/secure/lib/libcrypto/man/man3/d2i_X509.3
+++ b/secure/lib/libcrypto/man/man3/d2i_X509.3
@@ -1,387 +1,387 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "D2I_X509 3"
-.TH D2I_X509 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH D2I_X509 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
d2i_ACCESS_DESCRIPTION, d2i_ADMISSIONS, d2i_ADMISSION_SYNTAX, d2i_ASIdOrRange, d2i_ASIdentifierChoice, d2i_ASIdentifiers, d2i_ASN1_BIT_STRING, d2i_ASN1_BMPSTRING, d2i_ASN1_ENUMERATED, d2i_ASN1_GENERALIZEDTIME, d2i_ASN1_GENERALSTRING, d2i_ASN1_IA5STRING, d2i_ASN1_INTEGER, d2i_ASN1_NULL, d2i_ASN1_OBJECT, d2i_ASN1_OCTET_STRING, d2i_ASN1_PRINTABLE, d2i_ASN1_PRINTABLESTRING, d2i_ASN1_SEQUENCE_ANY, d2i_ASN1_SET_ANY, d2i_ASN1_T61STRING, d2i_ASN1_TIME, d2i_ASN1_TYPE, d2i_ASN1_UINTEGER, d2i_ASN1_UNIVERSALSTRING, d2i_ASN1_UTCTIME, d2i_ASN1_UTF8STRING, d2i_ASN1_VISIBLESTRING, d2i_ASRange, d2i_AUTHORITY_INFO_ACCESS, d2i_AUTHORITY_KEYID, d2i_BASIC_CONSTRAINTS, d2i_CERTIFICATEPOLICIES, d2i_CMS_ContentInfo, d2i_CMS_ReceiptRequest, d2i_CMS_bio, d2i_CRL_DIST_POINTS, d2i_DHxparams, d2i_DIRECTORYSTRING, d2i_DISPLAYTEXT, d2i_DIST_POINT, d2i_DIST_POINT_NAME, d2i_DSAPrivateKey, d2i_DSAPrivateKey_bio, d2i_DSAPrivateKey_fp, d2i_DSAPublicKey, d2i_DSA_PUBKEY, d2i_DSA_PUBKEY_bio, d2i_DSA_PUBKEY_fp, d2i_DSA_SIG, d2i_DSAparams, d2i_ECDSA_SIG, d2i_ECPKParameters, d2i_ECParameters, d2i_ECPrivateKey, d2i_ECPrivateKey_bio, d2i_ECPrivateKey_fp, d2i_EC_PUBKEY, d2i_EC_PUBKEY_bio, d2i_EC_PUBKEY_fp, d2i_EDIPARTYNAME, d2i_ESS_CERT_ID, d2i_ESS_ISSUER_SERIAL, d2i_ESS_SIGNING_CERT, d2i_EXTENDED_KEY_USAGE, d2i_GENERAL_NAME, d2i_GENERAL_NAMES, d2i_IPAddressChoice, d2i_IPAddressFamily, d2i_IPAddressOrRange, d2i_IPAddressRange, d2i_ISSUING_DIST_POINT, d2i_NAMING_AUTHORITY, d2i_NETSCAPE_CERT_SEQUENCE, d2i_NETSCAPE_SPKAC, d2i_NETSCAPE_SPKI, d2i_NOTICEREF, d2i_OCSP_BASICRESP, d2i_OCSP_CERTID, d2i_OCSP_CERTSTATUS, d2i_OCSP_CRLID, d2i_OCSP_ONEREQ, d2i_OCSP_REQINFO, d2i_OCSP_REQUEST, d2i_OCSP_RESPBYTES, d2i_OCSP_RESPDATA, d2i_OCSP_RESPID, d2i_OCSP_RESPONSE, d2i_OCSP_REVOKEDINFO, d2i_OCSP_SERVICELOC, d2i_OCSP_SIGNATURE, d2i_OCSP_SINGLERESP, d2i_OTHERNAME, d2i_PBE2PARAM, d2i_PBEPARAM, d2i_PBKDF2PARAM, d2i_PKCS12, d2i_PKCS12_BAGS, d2i_PKCS12_MAC_DATA, d2i_PKCS12_SAFEBAG, d2i_PKCS12_bio, d2i_PKCS12_fp, d2i_PKCS7, d2i_PKCS7_DIGEST, d2i_PKCS7_ENCRYPT, d2i_PKCS7_ENC_CONTENT, d2i_PKCS7_ENVELOPE, d2i_PKCS7_ISSUER_AND_SERIAL, d2i_PKCS7_RECIP_INFO, d2i_PKCS7_SIGNED, d2i_PKCS7_SIGNER_INFO, d2i_PKCS7_SIGN_ENVELOPE, d2i_PKCS7_bio, d2i_PKCS7_fp, d2i_PKCS8_PRIV_KEY_INFO, d2i_PKCS8_PRIV_KEY_INFO_bio, d2i_PKCS8_PRIV_KEY_INFO_fp, d2i_PKCS8_bio, d2i_PKCS8_fp, d2i_PKEY_USAGE_PERIOD, d2i_POLICYINFO, d2i_POLICYQUALINFO, d2i_PROFESSION_INFO, d2i_PROXY_CERT_INFO_EXTENSION, d2i_PROXY_POLICY, d2i_RSAPrivateKey, d2i_RSAPrivateKey_bio, d2i_RSAPrivateKey_fp, d2i_RSAPublicKey, d2i_RSAPublicKey_bio, d2i_RSAPublicKey_fp, d2i_RSA_OAEP_PARAMS, d2i_RSA_PSS_PARAMS, d2i_RSA_PUBKEY, d2i_RSA_PUBKEY_bio, d2i_RSA_PUBKEY_fp, d2i_SCRYPT_PARAMS, d2i_SCT_LIST, d2i_SXNET, d2i_SXNETID, d2i_TS_ACCURACY, d2i_TS_MSG_IMPRINT, d2i_TS_MSG_IMPRINT_bio, d2i_TS_MSG_IMPRINT_fp, d2i_TS_REQ, d2i_TS_REQ_bio, d2i_TS_REQ_fp, d2i_TS_RESP, d2i_TS_RESP_bio, d2i_TS_RESP_fp, d2i_TS_STATUS_INFO, d2i_TS_TST_INFO, d2i_TS_TST_INFO_bio, d2i_TS_TST_INFO_fp, d2i_USERNOTICE, d2i_X509, d2i_X509_bio, d2i_X509_fp, d2i_X509_ALGOR, d2i_X509_ALGORS, d2i_X509_ATTRIBUTE, d2i_X509_CERT_AUX, d2i_X509_CINF, d2i_X509_CRL, d2i_X509_CRL_INFO, d2i_X509_CRL_bio, d2i_X509_CRL_fp, d2i_X509_EXTENSION, d2i_X509_EXTENSIONS, d2i_X509_NAME, d2i_X509_NAME_ENTRY, d2i_X509_PUBKEY, d2i_X509_REQ, d2i_X509_REQ_INFO, d2i_X509_REQ_bio, d2i_X509_REQ_fp, d2i_X509_REVOKED, d2i_X509_SIG, d2i_X509_VAL, i2d_ACCESS_DESCRIPTION, i2d_ADMISSIONS, i2d_ADMISSION_SYNTAX, i2d_ASIdOrRange, i2d_ASIdentifierChoice, i2d_ASIdentifiers, i2d_ASN1_BIT_STRING, i2d_ASN1_BMPSTRING, i2d_ASN1_ENUMERATED, i2d_ASN1_GENERALIZEDTIME, i2d_ASN1_GENERALSTRING, i2d_ASN1_IA5STRING, i2d_ASN1_INTEGER, i2d_ASN1_NULL, i2d_ASN1_OBJECT, i2d_ASN1_OCTET_STRING, i2d_ASN1_PRINTABLE, i2d_ASN1_PRINTABLESTRING, i2d_ASN1_SEQUENCE_ANY, i2d_ASN1_SET_ANY, i2d_ASN1_T61STRING, i2d_ASN1_TIME, i2d_ASN1_TYPE, i2d_ASN1_UNIVERSALSTRING, i2d_ASN1_UTCTIME, i2d_ASN1_UTF8STRING, i2d_ASN1_VISIBLESTRING, i2d_ASN1_bio_stream, i2d_ASRange, i2d_AUTHORITY_INFO_ACCESS, i2d_AUTHORITY_KEYID, i2d_BASIC_CONSTRAINTS, i2d_CERTIFICATEPOLICIES, i2d_CMS_ContentInfo, i2d_CMS_ReceiptRequest, i2d_CMS_bio, i2d_CRL_DIST_POINTS, i2d_DHxparams, i2d_DIRECTORYSTRING, i2d_DISPLAYTEXT, i2d_DIST_POINT, i2d_DIST_POINT_NAME, i2d_DSAPrivateKey, i2d_DSAPrivateKey_bio, i2d_DSAPrivateKey_fp, i2d_DSAPublicKey, i2d_DSA_PUBKEY, i2d_DSA_PUBKEY_bio, i2d_DSA_PUBKEY_fp, i2d_DSA_SIG, i2d_DSAparams, i2d_ECDSA_SIG, i2d_ECPKParameters, i2d_ECParameters, i2d_ECPrivateKey, i2d_ECPrivateKey_bio, i2d_ECPrivateKey_fp, i2d_EC_PUBKEY, i2d_EC_PUBKEY_bio, i2d_EC_PUBKEY_fp, i2d_EDIPARTYNAME, i2d_ESS_CERT_ID, i2d_ESS_ISSUER_SERIAL, i2d_ESS_SIGNING_CERT, i2d_EXTENDED_KEY_USAGE, i2d_GENERAL_NAME, i2d_GENERAL_NAMES, i2d_IPAddressChoice, i2d_IPAddressFamily, i2d_IPAddressOrRange, i2d_IPAddressRange, i2d_ISSUING_DIST_POINT, i2d_NAMING_AUTHORITY, i2d_NETSCAPE_CERT_SEQUENCE, i2d_NETSCAPE_SPKAC, i2d_NETSCAPE_SPKI, i2d_NOTICEREF, i2d_OCSP_BASICRESP, i2d_OCSP_CERTID, i2d_OCSP_CERTSTATUS, i2d_OCSP_CRLID, i2d_OCSP_ONEREQ, i2d_OCSP_REQINFO, i2d_OCSP_REQUEST, i2d_OCSP_RESPBYTES, i2d_OCSP_RESPDATA, i2d_OCSP_RESPID, i2d_OCSP_RESPONSE, i2d_OCSP_REVOKEDINFO, i2d_OCSP_SERVICELOC, i2d_OCSP_SIGNATURE, i2d_OCSP_SINGLERESP, i2d_OTHERNAME, i2d_PBE2PARAM, i2d_PBEPARAM, i2d_PBKDF2PARAM, i2d_PKCS12, i2d_PKCS12_BAGS, i2d_PKCS12_MAC_DATA, i2d_PKCS12_SAFEBAG, i2d_PKCS12_bio, i2d_PKCS12_fp, i2d_PKCS7, i2d_PKCS7_DIGEST, i2d_PKCS7_ENCRYPT, i2d_PKCS7_ENC_CONTENT, i2d_PKCS7_ENVELOPE, i2d_PKCS7_ISSUER_AND_SERIAL, i2d_PKCS7_NDEF, i2d_PKCS7_RECIP_INFO, i2d_PKCS7_SIGNED, i2d_PKCS7_SIGNER_INFO, i2d_PKCS7_SIGN_ENVELOPE, i2d_PKCS7_bio, i2d_PKCS7_fp, i2d_PKCS8PrivateKeyInfo_bio, i2d_PKCS8PrivateKeyInfo_fp, i2d_PKCS8_PRIV_KEY_INFO, i2d_PKCS8_PRIV_KEY_INFO_bio, i2d_PKCS8_PRIV_KEY_INFO_fp, i2d_PKCS8_bio, i2d_PKCS8_fp, i2d_PKEY_USAGE_PERIOD, i2d_POLICYINFO, i2d_POLICYQUALINFO, i2d_PROFESSION_INFO, i2d_PROXY_CERT_INFO_EXTENSION, i2d_PROXY_POLICY, i2d_RSAPrivateKey, i2d_RSAPrivateKey_bio, i2d_RSAPrivateKey_fp, i2d_RSAPublicKey, i2d_RSAPublicKey_bio, i2d_RSAPublicKey_fp, i2d_RSA_OAEP_PARAMS, i2d_RSA_PSS_PARAMS, i2d_RSA_PUBKEY, i2d_RSA_PUBKEY_bio, i2d_RSA_PUBKEY_fp, i2d_SCRYPT_PARAMS, i2d_SCT_LIST, i2d_SXNET, i2d_SXNETID, i2d_TS_ACCURACY, i2d_TS_MSG_IMPRINT, i2d_TS_MSG_IMPRINT_bio, i2d_TS_MSG_IMPRINT_fp, i2d_TS_REQ, i2d_TS_REQ_bio, i2d_TS_REQ_fp, i2d_TS_RESP, i2d_TS_RESP_bio, i2d_TS_RESP_fp, i2d_TS_STATUS_INFO, i2d_TS_TST_INFO, i2d_TS_TST_INFO_bio, i2d_TS_TST_INFO_fp, i2d_USERNOTICE, i2d_X509, i2d_X509_bio, i2d_X509_fp, i2d_X509_ALGOR, i2d_X509_ALGORS, i2d_X509_ATTRIBUTE, i2d_X509_CERT_AUX, i2d_X509_CINF, i2d_X509_CRL, i2d_X509_CRL_INFO, i2d_X509_CRL_bio, i2d_X509_CRL_fp, i2d_X509_EXTENSION, i2d_X509_EXTENSIONS, i2d_X509_NAME, i2d_X509_NAME_ENTRY, i2d_X509_PUBKEY, i2d_X509_REQ, i2d_X509_REQ_INFO, i2d_X509_REQ_bio, i2d_X509_REQ_fp, i2d_X509_REVOKED, i2d_X509_SIG, i2d_X509_VAL, \&\- convert objects from/to ASN.1/DER representation
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 3
\& TYPE *d2i_TYPE(TYPE **a, const unsigned char **ppin, long length);
\& TYPE *d2i_TYPE_bio(BIO *bp, TYPE **a);
\& TYPE *d2i_TYPE_fp(FILE *fp, TYPE **a);
\&
\& int i2d_TYPE(TYPE *a, unsigned char **ppout);
\& int i2d_TYPE_fp(FILE *fp, TYPE *a);
\& int i2d_TYPE_bio(BIO *bp, TYPE *a);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
In the description here, \fI\s-1TYPE\s0\fR is used a placeholder
for any of the OpenSSL datatypes, such as \fIX509_CRL\fR.
The function parameters \fIppin\fR and \fIppout\fR are generally
either both named \fIpp\fR in the headers, or \fIin\fR and \fIout\fR.
.PP
These functions convert OpenSSL objects to and from their \s-1ASN.1/DER\s0
encoding. Unlike the C structures which can have pointers to sub-objects
within, the \s-1DER\s0 is a serialized encoding, suitable for sending over the
network, writing to a file, and so on.
.PP
\&\fBd2i_TYPE()\fR attempts to decode \fBlen\fR bytes at \fB*ppin\fR. If successful a
pointer to the \fB\s-1TYPE\s0\fR structure is returned and \fB*ppin\fR is incremented to
the byte following the parsed data. If \fBa\fR is not \fB\s-1NULL\s0\fR then a pointer
to the returned structure is also written to \fB*a\fR. If an error occurred
then \fB\s-1NULL\s0\fR is returned.
.PP
On a successful return, if \fB*a\fR is not \fB\s-1NULL\s0\fR then it is assumed that \fB*a\fR
contains a valid \fB\s-1TYPE\s0\fR structure and an attempt is made to reuse it. This
\&\*(L"reuse\*(R" capability is present for historical compatibility but its use is
\&\fBstrongly discouraged\fR (see \s-1BUGS\s0 below, and the discussion in the \s-1RETURN
VALUES\s0 section).
.PP
\&\fBd2i_TYPE_bio()\fR is similar to \fBd2i_TYPE()\fR except it attempts
to parse data from \s-1BIO\s0 \fBbp\fR.
.PP
\&\fBd2i_TYPE_fp()\fR is similar to \fBd2i_TYPE()\fR except it attempts
to parse data from \s-1FILE\s0 pointer \fBfp\fR.
.PP
\&\fBi2d_TYPE()\fR encodes the structure pointed to by \fBa\fR into \s-1DER\s0 format.
If \fBppout\fR is not \fB\s-1NULL\s0\fR, it writes the \s-1DER\s0 encoded data to the buffer
at \fB*ppout\fR, and increments it to point after the data just written.
If the return value is negative an error occurred, otherwise it
returns the length of the encoded data.
.PP
If \fB*ppout\fR is \fB\s-1NULL\s0\fR memory will be allocated for a buffer and the encoded
data written to it. In this case \fB*ppout\fR is not incremented and it points
to the start of the data just written.
.PP
\&\fBi2d_TYPE_bio()\fR is similar to \fBi2d_TYPE()\fR except it writes
the encoding of the structure \fBa\fR to \s-1BIO\s0 \fBbp\fR and it
returns 1 for success and 0 for failure.
.PP
\&\fBi2d_TYPE_fp()\fR is similar to \fBi2d_TYPE()\fR except it writes
the encoding of the structure \fBa\fR to \s-1BIO\s0 \fBbp\fR and it
returns 1 for success and 0 for failure.
.PP
These routines do not encrypt private keys and therefore offer no
security; use \fBPEM_write_PrivateKey\fR\|(3) or similar for writing to files.
.SH "NOTES"
.IX Header "NOTES"
The letters \fBi\fR and \fBd\fR in \fBi2d_TYPE\fR stand for
\&\*(L"internal\*(R" (that is, an internal C structure) and \*(L"\s-1DER\*(R"\s0 respectively.
So \fBi2d_TYPE\fR converts from internal to \s-1DER.\s0
.PP
The functions can also understand \fB\s-1BER\s0\fR forms.
.PP
The actual \s-1TYPE\s0 structure passed to \fBi2d_TYPE()\fR must be a valid
populated \fB\s-1TYPE\s0\fR structure \*(-- it \fBcannot\fR simply be fed with an
empty structure such as that returned by \fBTYPE_new()\fR.
.PP
The encoded data is in binary form and may contain embedded zeros.
Therefore, any \s-1FILE\s0 pointers or BIOs should be opened in binary mode.
Functions such as \fBstrlen()\fR will \fBnot\fR return the correct length
of the encoded structure.
.PP
The ways that \fB*ppin\fR and \fB*ppout\fR are incremented after the operation
can trap the unwary. See the \fB\s-1WARNINGS\s0\fR section for some common
errors.
The reason for this-auto increment behaviour is to reflect a typical
usage of \s-1ASN1\s0 functions: after one structure is encoded or decoded
another will be processed after it.
.PP
The following points about the data types might be useful:
.IP "\fB\s-1ASN1_OBJECT\s0\fR" 4
.IX Item "ASN1_OBJECT"
Represents an \s-1ASN1 OBJECT IDENTIFIER.\s0
.IP "\fBDHparams\fR" 4
.IX Item "DHparams"
Represents a PKCS#3 \s-1DH\s0 parameters structure.
.IP "\fBDHxparams\fR" 4
.IX Item "DHxparams"
Represents an \s-1ANSI X9.42 DH\s0 parameters structure.
.IP "\fB\s-1DSA_PUBKEY\s0\fR" 4
.IX Item "DSA_PUBKEY"
Represents a \s-1DSA\s0 public key using a \fBSubjectPublicKeyInfo\fR structure.
.IP "\fBDSAPublicKey, DSAPrivateKey\fR" 4
.IX Item "DSAPublicKey, DSAPrivateKey"
Use a non-standard OpenSSL format and should be avoided; use \fB\s-1DSA_PUBKEY\s0\fR,
\&\fB\fBPEM_write_PrivateKey\fB\|(3)\fR, or similar instead.
.IP "\fB\s-1ECDSA_SIG\s0\fR" 4
.IX Item "ECDSA_SIG"
Represents an \s-1ECDSA\s0 signature.
.IP "\fBRSAPublicKey\fR" 4
.IX Item "RSAPublicKey"
Represents a PKCS#1 \s-1RSA\s0 public key structure.
.IP "\fBX509_ALGOR\fR" 4
.IX Item "X509_ALGOR"
Represents an \fBAlgorithmIdentifier\fR structure as used in \s-1IETF RFC 6960\s0 and
elsewhere.
.IP "\fBX509_Name\fR" 4
.IX Item "X509_Name"
Represents a \fBName\fR type as used for subject and issuer names in
\&\s-1IETF RFC 6960\s0 and elsewhere.
.IP "\fBX509_REQ\fR" 4
.IX Item "X509_REQ"
Represents a PKCS#10 certificate request.
.IP "\fBX509_SIG\fR" 4
.IX Item "X509_SIG"
Represents the \fBDigestInfo\fR structure defined in PKCS#1 and PKCS#7.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBd2i_TYPE()\fR, \fBd2i_TYPE_bio()\fR and \fBd2i_TYPE_fp()\fR return a valid \fB\s-1TYPE\s0\fR structure
or \fB\s-1NULL\s0\fR if an error occurs. If the \*(L"reuse\*(R" capability has been used with
a valid structure being passed in via \fBa\fR, then the object is freed in
the event of error and \fB*a\fR is set to \s-1NULL.\s0
.PP
\&\fBi2d_TYPE()\fR returns the number of bytes successfully encoded or a negative
value if an error occurs.
.PP
\&\fBi2d_TYPE_bio()\fR and \fBi2d_TYPE_fp()\fR return 1 for success and 0 if an error
occurs.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Allocate and encode the \s-1DER\s0 encoding of an X509 structure:
.PP
.Vb 2
\& int len;
\& unsigned char *buf;
\&
\& buf = NULL;
\& len = i2d_X509(x, &buf);
\& if (len < 0)
\& /* error */
.Ve
.PP
Attempt to decode a buffer:
.PP
.Vb 4
\& X509 *x;
\& unsigned char *buf;
\& const unsigned char *p;
\& int len;
\&
\& /* Set up buf and len to point to the input buffer. */
\& p = buf;
\& x = d2i_X509(NULL, &p, len);
\& if (x == NULL)
\& /* error */
.Ve
.PP
Alternative technique:
.PP
.Vb 4
\& X509 *x;
\& unsigned char *buf;
\& const unsigned char *p;
\& int len;
\&
\& /* Set up buf and len to point to the input buffer. */
\& p = buf;
\& x = NULL;
\&
\& if (d2i_X509(&x, &p, len) == NULL)
\& /* error */
.Ve
.SH "WARNINGS"
.IX Header "WARNINGS"
Using a temporary variable is mandatory. A common
mistake is to attempt to use a buffer directly as follows:
.PP
.Vb 2
\& int len;
\& unsigned char *buf;
\&
\& len = i2d_X509(x, NULL);
\& buf = OPENSSL_malloc(len);
\& ...
\& i2d_X509(x, &buf);
\& ...
\& OPENSSL_free(buf);
.Ve
.PP
This code will result in \fBbuf\fR apparently containing garbage because
it was incremented after the call to point after the data just written.
Also \fBbuf\fR will no longer contain the pointer allocated by \fBOPENSSL_malloc()\fR
and the subsequent call to \fBOPENSSL_free()\fR is likely to crash.
.PP
Another trap to avoid is misuse of the \fBa\fR argument to \fBd2i_TYPE()\fR:
.PP
.Vb 1
\& X509 *x;
\&
\& if (d2i_X509(&x, &p, len) == NULL)
\& /* error */
.Ve
.PP
This will probably crash somewhere in \fBd2i_X509()\fR. The reason for this
is that the variable \fBx\fR is uninitialized and an attempt will be made to
interpret its (invalid) value as an \fBX509\fR structure, typically causing
a segmentation violation. If \fBx\fR is set to \s-1NULL\s0 first then this will not
happen.
.SH "BUGS"
.IX Header "BUGS"
In some versions of OpenSSL the \*(L"reuse\*(R" behaviour of \fBd2i_TYPE()\fR when
\&\fB*a\fR is valid is broken and some parts of the reused structure may
persist if they are not present in the new one. Additionally, in versions of
OpenSSL prior to 1.1.0, when the \*(L"reuse\*(R" behaviour is used and an error occurs
the behaviour is inconsistent. Some functions behaved as described here, while
some did not free \fB*a\fR on error and did not set \fB*a\fR to \s-1NULL.\s0
.PP
As a result of the above issues the \*(L"reuse\*(R" behaviour is strongly discouraged.
.PP
\&\fBi2d_TYPE()\fR will not return an error in many versions of OpenSSL,
if mandatory fields are not initialized due to a programming error
then the encoded structure may contain invalid data or omit the
fields entirely and will not be parsed by \fBd2i_TYPE()\fR. This may be
fixed in future so code should not assume that \fBi2d_TYPE()\fR will
always succeed.
.PP
Any function which encodes a structure (\fBi2d_TYPE()\fR,
\&\fBi2d_TYPE()\fR or \fBi2d_TYPE()\fR) may return a stale encoding if the
structure has been modified after deserialization or previous
serialization. This is because some objects cache the encoding for
efficiency reasons.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 1998\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/i2d_CMS_bio_stream.3 b/secure/lib/libcrypto/man/man3/i2d_CMS_bio_stream.3
index 054843c2349b..7e76897995c9 100644
--- a/secure/lib/libcrypto/man/man3/i2d_CMS_bio_stream.3
+++ b/secure/lib/libcrypto/man/man3/i2d_CMS_bio_stream.3
@@ -1,182 +1,182 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "I2D_CMS_BIO_STREAM 3"
-.TH I2D_CMS_BIO_STREAM 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH I2D_CMS_BIO_STREAM 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
i2d_CMS_bio_stream \- output CMS_ContentInfo structure in BER format
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/cms.h>
\&
\& int i2d_CMS_bio_stream(BIO *out, CMS_ContentInfo *cms, BIO *data, int flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBi2d_CMS_bio_stream()\fR outputs a CMS_ContentInfo structure in \s-1BER\s0 format.
.PP
It is otherwise identical to the function \fBSMIME_write_CMS()\fR.
.SH "NOTES"
.IX Header "NOTES"
This function is effectively a version of the \fBi2d_CMS_bio()\fR supporting
streaming.
.SH "BUGS"
.IX Header "BUGS"
The prefix \*(L"i2d\*(R" is arguably wrong because the function outputs \s-1BER\s0 format.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBi2d_CMS_bio_stream()\fR returns 1 for success or 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBCMS_sign\fR\|(3),
\&\fBCMS_verify\fR\|(3), \fBCMS_encrypt\fR\|(3)
\&\fBCMS_decrypt\fR\|(3),
\&\fBSMIME_write_CMS\fR\|(3),
\&\fBPEM_write_bio_CMS_stream\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBi2d_CMS_bio_stream()\fR function was added in OpenSSL 1.0.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/i2d_PKCS7_bio_stream.3 b/secure/lib/libcrypto/man/man3/i2d_PKCS7_bio_stream.3
index 585ca293e917..8609a5eb2f47 100644
--- a/secure/lib/libcrypto/man/man3/i2d_PKCS7_bio_stream.3
+++ b/secure/lib/libcrypto/man/man3/i2d_PKCS7_bio_stream.3
@@ -1,182 +1,182 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "I2D_PKCS7_BIO_STREAM 3"
-.TH I2D_PKCS7_BIO_STREAM 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH I2D_PKCS7_BIO_STREAM 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
i2d_PKCS7_bio_stream \- output PKCS7 structure in BER format
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/pkcs7.h>
\&
\& int i2d_PKCS7_bio_stream(BIO *out, PKCS7 *p7, BIO *data, int flags);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBi2d_PKCS7_bio_stream()\fR outputs a \s-1PKCS7\s0 structure in \s-1BER\s0 format.
.PP
It is otherwise identical to the function \fBSMIME_write_PKCS7()\fR.
.SH "NOTES"
.IX Header "NOTES"
This function is effectively a version of the \fBd2i_PKCS7_bio()\fR supporting
streaming.
.SH "BUGS"
.IX Header "BUGS"
The prefix \*(L"i2d\*(R" is arguably wrong because the function outputs \s-1BER\s0 format.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBi2d_PKCS7_bio_stream()\fR returns 1 for success or 0 for failure.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3), \fBPKCS7_sign\fR\|(3),
\&\fBPKCS7_verify\fR\|(3), \fBPKCS7_encrypt\fR\|(3)
\&\fBPKCS7_decrypt\fR\|(3),
\&\fBSMIME_write_PKCS7\fR\|(3),
\&\fBPEM_write_bio_PKCS7_stream\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBi2d_PKCS7_bio_stream()\fR function was added in OpenSSL 1.0.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/i2d_re_X509_tbs.3 b/secure/lib/libcrypto/man/man3/i2d_re_X509_tbs.3
index 406293b8d5aa..383df8853fc2 100644
--- a/secure/lib/libcrypto/man/man3/i2d_re_X509_tbs.3
+++ b/secure/lib/libcrypto/man/man3/i2d_re_X509_tbs.3
@@ -1,218 +1,218 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "I2D_RE_X509_TBS 3"
-.TH I2D_RE_X509_TBS 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH I2D_RE_X509_TBS 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
d2i_X509_AUX, i2d_X509_AUX, i2d_re_X509_tbs, i2d_re_X509_CRL_tbs, i2d_re_X509_REQ_tbs \&\- X509 encode and decode functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
\&
\& X509 *d2i_X509_AUX(X509 **px, const unsigned char **in, long len);
\& int i2d_X509_AUX(X509 *x, unsigned char **out);
\& int i2d_re_X509_tbs(X509 *x, unsigned char **out);
\& int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp);
\& int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The X509 encode and decode routines encode and parse an
\&\fBX509\fR structure, which represents an X509 certificate.
.PP
\&\fBd2i_X509_AUX()\fR is similar to \fBd2i_X509\fR\|(3) but the input is expected to
consist of an X509 certificate followed by auxiliary trust information.
This is used by the \s-1PEM\s0 routines to read \*(L"\s-1TRUSTED CERTIFICATE\*(R"\s0 objects.
This function should not be called on untrusted input.
.PP
\&\fBi2d_X509_AUX()\fR is similar to \fBi2d_X509\fR\|(3), but the encoded output
contains both the certificate and any auxiliary trust information.
This is used by the \s-1PEM\s0 routines to write \*(L"\s-1TRUSTED CERTIFICATE\*(R"\s0 objects.
Note that this is a non-standard OpenSSL-specific data format.
.PP
\&\fBi2d_re_X509_tbs()\fR is similar to \fBi2d_X509\fR\|(3) except it encodes only
the TBSCertificate portion of the certificate. \fBi2d_re_X509_CRL_tbs()\fR
and \fBi2d_re_X509_REQ_tbs()\fR are analogous for \s-1CRL\s0 and certificate request,
respectively. The \*(L"re\*(R" in \fBi2d_re_X509_tbs\fR stands for \*(L"re-encode\*(R",
and ensures that a fresh encoding is generated in case the object has been
modified after creation (see the \s-1BUGS\s0 section).
.PP
The encoding of the TBSCertificate portion of a certificate is cached
in the \fBX509\fR structure internally to improve encoding performance
and to ensure certificate signatures are verified correctly in some
certificates with broken (non-DER) encodings.
.PP
If, after modification, the \fBX509\fR object is re-signed with \fBX509_sign()\fR,
the encoding is automatically renewed. Otherwise, the encoding of the
TBSCertificate portion of the \fBX509\fR can be manually renewed by calling
\&\fBi2d_re_X509_tbs()\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBd2i_X509_AUX()\fR returns a valid \fBX509\fR structure or \s-1NULL\s0 if an error occurred.
.PP
\&\fBi2d_X509_AUX()\fR returns the length of encoded data or \-1 on error.
.PP
\&\fBi2d_re_X509_tbs()\fR, \fBi2d_re_X509_CRL_tbs()\fR and \fBi2d_re_X509_REQ_tbs()\fR return the
length of encoded data or 0 on error.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBERR_get_error\fR\|(3)
\&\fBX509_CRL_get0_by_serial\fR\|(3),
\&\fBX509_get0_signature\fR\|(3),
\&\fBX509_get_ext_d2i\fR\|(3),
\&\fBX509_get_extension_flags\fR\|(3),
\&\fBX509_get_pubkey\fR\|(3),
\&\fBX509_get_subject_name\fR\|(3),
\&\fBX509_get_version\fR\|(3),
\&\fBX509_NAME_add_entry_by_txt\fR\|(3),
\&\fBX509_NAME_ENTRY_get_object\fR\|(3),
\&\fBX509_NAME_get_index_by_NID\fR\|(3),
\&\fBX509_NAME_print_ex\fR\|(3),
\&\fBX509_new\fR\|(3),
\&\fBX509_sign\fR\|(3),
\&\fBX509V3_get_d2i\fR\|(3),
\&\fBX509_verify_cert\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man3/o2i_SCT_LIST.3 b/secure/lib/libcrypto/man/man3/o2i_SCT_LIST.3
index ed12aa7f8c99..98440a6eba6f 100644
--- a/secure/lib/libcrypto/man/man3/o2i_SCT_LIST.3
+++ b/secure/lib/libcrypto/man/man3/o2i_SCT_LIST.3
@@ -1,179 +1,179 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "O2I_SCT_LIST 3"
-.TH O2I_SCT_LIST 3 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH O2I_SCT_LIST 3 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
o2i_SCT_LIST, i2o_SCT_LIST, o2i_SCT, i2o_SCT \- decode and encode Signed Certificate Timestamp lists in TLS wire format
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ct.h>
\&
\& STACK_OF(SCT) *o2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp,
\& size_t len);
\& int i2o_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **pp);
\& SCT *o2i_SCT(SCT **psct, const unsigned char **in, size_t len);
\& int i2o_SCT(const SCT *sct, unsigned char **out);
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1SCT_LIST\s0 and \s-1SCT\s0 functions are very similar to the i2d and d2i family of
functions, except that they convert to and from \s-1TLS\s0 wire format, as described in
\&\s-1RFC 6962.\s0 See d2i_SCT_LIST for more information about how the parameters are
treated and the return values.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
All of the functions have return values consistent with those stated for
d2i_SCT_LIST and i2d_SCT_LIST.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBct\fR\|(7),
\&\fBd2i_SCT_LIST\fR\|(3),
\&\fBi2d_SCT_LIST\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
These functions were added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man5/x509v3_config.5 b/secure/lib/libcrypto/man/man5/x509v3_config.5
index dd1adf9a7358..df962c200354 100644
--- a/secure/lib/libcrypto/man/man5/x509v3_config.5
+++ b/secure/lib/libcrypto/man/man5/x509v3_config.5
@@ -1,704 +1,704 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509V3_CONFIG 5"
-.TH X509V3_CONFIG 5 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509V3_CONFIG 5 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
x509v3_config \- X509 V3 certificate extension configuration format
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Several of the OpenSSL utilities can add extensions to a certificate or
certificate request based on the contents of a configuration file.
.PP
Typically the application will contain an option to point to an extension
section. Each line of the extension section takes the form:
.PP
.Vb 1
\& extension_name=[critical,] extension_options
.Ve
.PP
If \fBcritical\fR is present then the extension will be critical.
.PP
The format of \fBextension_options\fR depends on the value of \fBextension_name\fR.
.PP
There are four main types of extension: \fIstring\fR extensions, \fImulti-valued\fR
extensions, \fIraw\fR and \fIarbitrary\fR extensions.
.PP
String extensions simply have a string which contains either the value itself
or how it is obtained.
.PP
For example:
.PP
.Vb 1
\& nsComment="This is a Comment"
.Ve
.PP
Multi-valued extensions have a short form and a long form. The short form
is a list of names and values:
.PP
.Vb 1
\& basicConstraints=critical,CA:true,pathlen:1
.Ve
.PP
The long form allows the values to be placed in a separate section:
.PP
.Vb 1
\& basicConstraints=critical,@bs_section
\&
\& [bs_section]
\&
\& CA=true
\& pathlen=1
.Ve
.PP
Both forms are equivalent.
.PP
The syntax of raw extensions is governed by the extension code: it can
for example contain data in multiple sections. The correct syntax to
use is defined by the extension code itself: check out the certificate
policies extension for an example.
.PP
If an extension type is unsupported then the \fIarbitrary\fR extension syntax
must be used, see the \s-1ARBITRARY EXTENSIONS\s0 section for more details.
.SH "STANDARD EXTENSIONS"
.IX Header "STANDARD EXTENSIONS"
The following sections describe each supported extension in detail.
.SS "Basic Constraints."
.IX Subsection "Basic Constraints."
This is a multi valued extension which indicates whether a certificate is
a \s-1CA\s0 certificate. The first (mandatory) name is \fB\s-1CA\s0\fR followed by \fB\s-1TRUE\s0\fR or
\&\fB\s-1FALSE\s0\fR. If \fB\s-1CA\s0\fR is \fB\s-1TRUE\s0\fR then an optional \fBpathlen\fR name followed by a
nonnegative value can be included.
.PP
For example:
.PP
.Vb 1
\& basicConstraints=CA:TRUE
\&
\& basicConstraints=CA:FALSE
\&
\& basicConstraints=critical,CA:TRUE, pathlen:0
.Ve
.PP
A \s-1CA\s0 certificate \fBmust\fR include the basicConstraints value with the \s-1CA\s0 field
set to \s-1TRUE.\s0 An end user certificate must either set \s-1CA\s0 to \s-1FALSE\s0 or exclude the
extension entirely. Some software may require the inclusion of basicConstraints
with \s-1CA\s0 set to \s-1FALSE\s0 for end entity certificates.
.PP
The pathlen parameter indicates the maximum number of CAs that can appear
below this one in a chain. So if you have a \s-1CA\s0 with a pathlen of zero it can
only be used to sign end user certificates and not further CAs.
.SS "Key Usage."
.IX Subsection "Key Usage."
Key usage is a multi valued extension consisting of a list of names of the
permitted key usages.
.PP
The supported names are: digitalSignature, nonRepudiation, keyEncipherment,
dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly
and decipherOnly.
.PP
Examples:
.PP
.Vb 1
\& keyUsage=digitalSignature, nonRepudiation
\&
\& keyUsage=critical, keyCertSign
.Ve
.SS "Extended Key Usage."
.IX Subsection "Extended Key Usage."
This extensions consists of a list of usages indicating purposes for which
the certificate public key can be used for,
.PP
These can either be object short names or the dotted numerical form of OIDs.
While any \s-1OID\s0 can be used only certain values make sense. In particular the
following \s-1PKIX, NS\s0 and \s-1MS\s0 values are meaningful:
.PP
.Vb 10
\& Value Meaning
\& \-\-\-\-\- \-\-\-\-\-\-\-
\& serverAuth SSL/TLS Web Server Authentication.
\& clientAuth SSL/TLS Web Client Authentication.
\& codeSigning Code signing.
\& emailProtection E\-mail Protection (S/MIME).
\& timeStamping Trusted Timestamping
\& OCSPSigning OCSP Signing
\& ipsecIKE ipsec Internet Key Exchange
\& msCodeInd Microsoft Individual Code Signing (authenticode)
\& msCodeCom Microsoft Commercial Code Signing (authenticode)
\& msCTLSign Microsoft Trust List Signing
\& msEFS Microsoft Encrypted File System
.Ve
.PP
Examples:
.PP
.Vb 2
\& extendedKeyUsage=critical,codeSigning,1.2.3.4
\& extendedKeyUsage=serverAuth,clientAuth
.Ve
.SS "Subject Key Identifier."
.IX Subsection "Subject Key Identifier."
This is really a string extension and can take two possible values. Either
the word \fBhash\fR which will automatically follow the guidelines in \s-1RFC3280\s0
or a hex string giving the extension value to include. The use of the hex
string is strongly discouraged.
.PP
Example:
.PP
.Vb 1
\& subjectKeyIdentifier=hash
.Ve
.SS "Authority Key Identifier."
.IX Subsection "Authority Key Identifier."
The authority key identifier extension permits two options. keyid and issuer:
both can take the optional value \*(L"always\*(R".
.PP
If the keyid option is present an attempt is made to copy the subject key
identifier from the parent certificate. If the value \*(L"always\*(R" is present
then an error is returned if the option fails.
.PP
The issuer option copies the issuer and serial number from the issuer
certificate. This will only be done if the keyid option fails or
is not included unless the \*(L"always\*(R" flag will always include the value.
.PP
Example:
.PP
.Vb 1
\& authorityKeyIdentifier=keyid,issuer
.Ve
.SS "Subject Alternative Name."
.IX Subsection "Subject Alternative Name."
The subject alternative name extension allows various literal values to be
included in the configuration file. These include \fBemail\fR (an email address)
\&\fB\s-1URI\s0\fR a uniform resource indicator, \fB\s-1DNS\s0\fR (a \s-1DNS\s0 domain name), \fB\s-1RID\s0\fR (a
registered \s-1ID: OBJECT IDENTIFIER\s0), \fB\s-1IP\s0\fR (an \s-1IP\s0 address), \fBdirName\fR
(a distinguished name) and otherName.
.PP
The email option include a special 'copy' value. This will automatically
include any email addresses contained in the certificate subject name in
the extension.
.PP
The \s-1IP\s0 address used in the \fB\s-1IP\s0\fR options can be in either IPv4 or IPv6 format.
.PP
The value of \fBdirName\fR should point to a section containing the distinguished
name to use as a set of name value pairs. Multi values AVAs can be formed by
prefacing the name with a \fB+\fR character.
.PP
otherName can include arbitrary data associated with an \s-1OID:\s0 the value
should be the \s-1OID\s0 followed by a semicolon and the content in standard
\&\fBASN1_generate_nconf\fR\|(3) format.
.PP
Examples:
.PP
.Vb 5
\& subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/
\& subjectAltName=IP:192.168.7.1
\& subjectAltName=IP:13::17
\& subjectAltName=email:my@other.address,RID:1.2.3.4
\& subjectAltName=otherName:1.2.3.4;UTF8:some other identifier
\&
\& subjectAltName=dirName:dir_sect
\&
\& [dir_sect]
\& C=UK
\& O=My Organization
\& OU=My Unit
\& CN=My Name
.Ve
.SS "Issuer Alternative Name."
.IX Subsection "Issuer Alternative Name."
The issuer alternative name option supports all the literal options of
subject alternative name. It does \fBnot\fR support the email:copy option because
that would not make sense. It does support an additional issuer:copy option
that will copy all the subject alternative name values from the issuer
certificate (if possible).
.PP
Example:
.PP
.Vb 1
\& issuerAltName = issuer:copy
.Ve
.SS "Authority Info Access."
.IX Subsection "Authority Info Access."
The authority information access extension gives details about how to access
certain information relating to the \s-1CA.\s0 Its syntax is accessOID;location
where \fIlocation\fR has the same syntax as subject alternative name (except
that email:copy is not supported). accessOID can be any valid \s-1OID\s0 but only
certain values are meaningful, for example \s-1OCSP\s0 and caIssuers.
.PP
Example:
.PP
.Vb 2
\& authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
\& authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html
.Ve
.SS "\s-1CRL\s0 distribution points"
.IX Subsection "CRL distribution points"
This is a multi-valued extension whose options can be either in name:value pair
using the same form as subject alternative name or a single value representing
a section name containing all the distribution point fields.
.PP
For a name:value pair a new DistributionPoint with the fullName field set to
the given value both the cRLissuer and reasons fields are omitted in this case.
.PP
In the single option case the section indicated contains values for each
field. In this section:
.PP
If the name is \*(L"fullname\*(R" the value field should contain the full name
of the distribution point in the same format as subject alternative name.
.PP
If the name is \*(L"relativename\*(R" then the value field should contain a section
name whose contents represent a \s-1DN\s0 fragment to be placed in this field.
.PP
The name \*(L"CRLIssuer\*(R" if present should contain a value for this field in
subject alternative name format.
.PP
If the name is \*(L"reasons\*(R" the value field should consist of a comma
separated field containing the reasons. Valid reasons are: \*(L"keyCompromise\*(R",
\&\*(L"CACompromise\*(R", \*(L"affiliationChanged\*(R", \*(L"superseded\*(R", \*(L"cessationOfOperation\*(R",
\&\*(L"certificateHold\*(R", \*(L"privilegeWithdrawn\*(R" and \*(L"AACompromise\*(R".
.PP
Simple examples:
.PP
.Vb 2
\& crlDistributionPoints=URI:http://myhost.com/myca.crl
\& crlDistributionPoints=URI:http://my.com/my.crl,URI:http://oth.com/my.crl
.Ve
.PP
Full distribution point example:
.PP
.Vb 1
\& crlDistributionPoints=crldp1_section
\&
\& [crldp1_section]
\&
\& fullname=URI:http://myhost.com/myca.crl
\& CRLissuer=dirName:issuer_sect
\& reasons=keyCompromise, CACompromise
\&
\& [issuer_sect]
\& C=UK
\& O=Organisation
\& CN=Some Name
.Ve
.SS "Issuing Distribution Point"
.IX Subsection "Issuing Distribution Point"
This extension should only appear in CRLs. It is a multi valued extension
whose syntax is similar to the \*(L"section\*(R" pointed to by the \s-1CRL\s0 distribution
points extension with a few differences.
.PP
The names \*(L"reasons\*(R" and \*(L"CRLissuer\*(R" are not recognized.
.PP
The name \*(L"onlysomereasons\*(R" is accepted which sets this field. The value is
in the same format as the \s-1CRL\s0 distribution point \*(L"reasons\*(R" field.
.PP
The names \*(L"onlyuser\*(R", \*(L"onlyCA\*(R", \*(L"onlyAA\*(R" and \*(L"indirectCRL\*(R" are also accepted
the values should be a boolean value (\s-1TRUE\s0 or \s-1FALSE\s0) to indicate the value of
the corresponding field.
.PP
Example:
.PP
.Vb 1
\& issuingDistributionPoint=critical, @idp_section
\&
\& [idp_section]
\&
\& fullname=URI:http://myhost.com/myca.crl
\& indirectCRL=TRUE
\& onlysomereasons=keyCompromise, CACompromise
\&
\& [issuer_sect]
\& C=UK
\& O=Organisation
\& CN=Some Name
.Ve
.SS "Certificate Policies."
.IX Subsection "Certificate Policies."
This is a \fIraw\fR extension. All the fields of this extension can be set by
using the appropriate syntax.
.PP
If you follow the \s-1PKIX\s0 recommendations and just using one \s-1OID\s0 then you just
include the value of that \s-1OID.\s0 Multiple OIDs can be set separated by commas,
for example:
.PP
.Vb 1
\& certificatePolicies= 1.2.4.5, 1.1.3.4
.Ve
.PP
If you wish to include qualifiers then the policy \s-1OID\s0 and qualifiers need to
be specified in a separate section: this is done by using the \f(CW@section\fR syntax
instead of a literal \s-1OID\s0 value.
.PP
The section referred to must include the policy \s-1OID\s0 using the name
policyIdentifier, cPSuri qualifiers can be included using the syntax:
.PP
.Vb 1
\& CPS.nnn=value
.Ve
.PP
userNotice qualifiers can be set using the syntax:
.PP
.Vb 1
\& userNotice.nnn=@notice
.Ve
.PP
The value of the userNotice qualifier is specified in the relevant section.
This section can include explicitText, organization and noticeNumbers
options. explicitText and organization are text strings, noticeNumbers is a
comma separated list of numbers. The organization and noticeNumbers options
(if included) must \s-1BOTH\s0 be present. If you use the userNotice option with \s-1IE5\s0
then you need the 'ia5org' option at the top level to modify the encoding:
otherwise it will not be interpreted properly.
.PP
Example:
.PP
.Vb 1
\& certificatePolicies=ia5org,1.2.3.4,1.5.6.7.8,@polsect
\&
\& [polsect]
\&
\& policyIdentifier = 1.3.5.8
\& CPS.1="http://my.host.name/"
\& CPS.2="http://my.your.name/"
\& userNotice.1=@notice
\&
\& [notice]
\&
\& explicitText="Explicit Text Here"
\& organization="Organisation Name"
\& noticeNumbers=1,2,3,4
.Ve
.PP
The \fBia5org\fR option changes the type of the \fIorganization\fR field. In \s-1RFC2459\s0
it can only be of type DisplayText. In \s-1RFC3280\s0 IA5String is also permissible.
Some software (for example some versions of \s-1MSIE\s0) may require ia5org.
.PP
\&\s-1ASN1\s0 type of explicitText can be specified by prepending \fB\s-1UTF8\s0\fR,
\&\fB\s-1BMP\s0\fR or \fB\s-1VISIBLE\s0\fR prefix followed by colon. For example:
.PP
.Vb 2
\& [notice]
\& explicitText="UTF8:Explicit Text Here"
.Ve
.SS "Policy Constraints"
.IX Subsection "Policy Constraints"
This is a multi-valued extension which consisting of the names
\&\fBrequireExplicitPolicy\fR or \fBinhibitPolicyMapping\fR and a non negative integer
value. At least one component must be present.
.PP
Example:
.PP
.Vb 1
\& policyConstraints = requireExplicitPolicy:3
.Ve
.SS "Inhibit Any Policy"
.IX Subsection "Inhibit Any Policy"
This is a string extension whose value must be a non negative integer.
.PP
Example:
.PP
.Vb 1
\& inhibitAnyPolicy = 2
.Ve
.SS "Name Constraints"
.IX Subsection "Name Constraints"
The name constraints extension is a multi-valued extension. The name should
begin with the word \fBpermitted\fR or \fBexcluded\fR followed by a \fB;\fR. The rest of
the name and the value follows the syntax of subjectAltName except email:copy
is not supported and the \fB\s-1IP\s0\fR form should consist of an \s-1IP\s0 addresses and
subnet mask separated by a \fB/\fR.
.PP
Examples:
.PP
.Vb 1
\& nameConstraints=permitted;IP:192.168.0.0/255.255.0.0
\&
\& nameConstraints=permitted;email:.somedomain.com
\&
\& nameConstraints=excluded;email:.com
.Ve
.SS "\s-1OCSP\s0 No Check"
.IX Subsection "OCSP No Check"
The \s-1OCSP\s0 No Check extension is a string extension but its value is ignored.
.PP
Example:
.PP
.Vb 1
\& noCheck = ignored
.Ve
.SS "\s-1TLS\s0 Feature (aka Must Staple)"
.IX Subsection "TLS Feature (aka Must Staple)"
This is a multi-valued extension consisting of a list of \s-1TLS\s0 extension
identifiers. Each identifier may be a number (0..65535) or a supported name.
When a \s-1TLS\s0 client sends a listed extension, the \s-1TLS\s0 server is expected to
include that extension in its reply.
.PP
The supported names are: \fBstatus_request\fR and \fBstatus_request_v2\fR.
.PP
Example:
.PP
.Vb 1
\& tlsfeature = status_request
.Ve
.SH "DEPRECATED EXTENSIONS"
.IX Header "DEPRECATED EXTENSIONS"
The following extensions are non standard, Netscape specific and largely
obsolete. Their use in new applications is discouraged.
.SS "Netscape String extensions."
.IX Subsection "Netscape String extensions."
Netscape Comment (\fBnsComment\fR) is a string extension containing a comment
which will be displayed when the certificate is viewed in some browsers.
.PP
Example:
.PP
.Vb 1
\& nsComment = "Some Random Comment"
.Ve
.PP
Other supported extensions in this category are: \fBnsBaseUrl\fR,
\&\fBnsRevocationUrl\fR, \fBnsCaRevocationUrl\fR, \fBnsRenewalUrl\fR, \fBnsCaPolicyUrl\fR
and \fBnsSslServerName\fR.
.SS "Netscape Certificate Type"
.IX Subsection "Netscape Certificate Type"
This is a multi-valued extensions which consists of a list of flags to be
included. It was used to indicate the purposes for which a certificate could
be used. The basicConstraints, keyUsage and extended key usage extensions are
now used instead.
.PP
Acceptable values for nsCertType are: \fBclient\fR, \fBserver\fR, \fBemail\fR,
\&\fBobjsign\fR, \fBreserved\fR, \fBsslCA\fR, \fBemailCA\fR, \fBobjCA\fR.
.SH "ARBITRARY EXTENSIONS"
.IX Header "ARBITRARY EXTENSIONS"
If an extension is not supported by the OpenSSL code then it must be encoded
using the arbitrary extension format. It is also possible to use the arbitrary
format for supported extensions. Extreme care should be taken to ensure that
the data is formatted correctly for the given extension type.
.PP
There are two ways to encode arbitrary extensions.
.PP
The first way is to use the word \s-1ASN1\s0 followed by the extension content
using the same syntax as \fBASN1_generate_nconf\fR\|(3).
For example:
.PP
.Vb 1
\& 1.2.3.4=critical,ASN1:UTF8String:Some random data
\&
\& 1.2.3.4=ASN1:SEQUENCE:seq_sect
\&
\& [seq_sect]
\&
\& field1 = UTF8:field1
\& field2 = UTF8:field2
.Ve
.PP
It is also possible to use the word \s-1DER\s0 to include the raw encoded data in any
extension.
.PP
.Vb 2
\& 1.2.3.4=critical,DER:01:02:03:04
\& 1.2.3.4=DER:01020304
.Ve
.PP
The value following \s-1DER\s0 is a hex dump of the \s-1DER\s0 encoding of the extension
Any extension can be placed in this form to override the default behaviour.
For example:
.PP
.Vb 1
\& basicConstraints=critical,DER:00:01:02:03
.Ve
.SH "WARNINGS"
.IX Header "WARNINGS"
There is no guarantee that a specific implementation will process a given
extension. It may therefore be sometimes possible to use certificates for
purposes prohibited by their extensions because a specific application does
not recognize or honour the values of the relevant extensions.
.PP
The \s-1DER\s0 and \s-1ASN1\s0 options should be used with caution. It is possible to create
totally invalid extensions if they are not used carefully.
.SH "NOTES"
.IX Header "NOTES"
If an extension is multi-value and a field value must contain a comma the long
form must be used otherwise the comma would be misinterpreted as a field
separator. For example:
.PP
.Vb 1
\& subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
.Ve
.PP
will produce an error but the equivalent form:
.PP
.Vb 1
\& subjectAltName=@subject_alt_section
\&
\& [subject_alt_section]
\& subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
.Ve
.PP
is valid.
.PP
Due to the behaviour of the OpenSSL \fBconf\fR library the same field name
can only occur once in a section. This means that:
.PP
.Vb 1
\& subjectAltName=@alt_section
\&
\& [alt_section]
\&
\& email=steve@here
\& email=steve@there
.Ve
.PP
will only recognize the last value. This can be worked around by using the form:
.PP
.Vb 1
\& [alt_section]
\&
\& email.1=steve@here
\& email.2=steve@there
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBreq\fR\|(1), \fBca\fR\|(1), \fBx509\fR\|(1),
\&\fBASN1_generate_nconf\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2004\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/Ed25519.7 b/secure/lib/libcrypto/man/man7/Ed25519.7
index e5c4caf7583b..18a975bb4aab 100644
--- a/secure/lib/libcrypto/man/man7/Ed25519.7
+++ b/secure/lib/libcrypto/man/man7/Ed25519.7
@@ -1,221 +1,221 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ED25519 7"
-.TH ED25519 7 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ED25519 7 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
Ed25519, Ed448 \&\- EVP_PKEY Ed25519 and Ed448 support
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBEd25519\fR and \fBEd448\fR \s-1EVP_PKEY\s0 implementation supports key generation,
one-shot digest sign and digest verify using PureEdDSA and \fBEd25519\fR or \fBEd448\fR
(see \s-1RFC8032\s0). It has associated private and public key formats compatible with
\&\s-1RFC 8410.\s0
.PP
No additional parameters can be set during key generation, one-shot signing or
verification. In particular, because PureEdDSA is used, a digest must \fB\s-1NOT\s0\fR be
specified when signing or verifying.
.SH "NOTES"
.IX Header "NOTES"
The PureEdDSA algorithm does not support the streaming mechanism
of other signature algorithms using, for example, \fBEVP_DigestUpdate()\fR.
The message to sign or verify must be passed using the one-shot
\&\fBEVP_DigestSign()\fR and \fBEVP_DigestVerify()\fR functions.
.PP
When calling \fBEVP_DigestSignInit()\fR or \fBEVP_DigestVerifyInit()\fR, the
digest \fBtype\fR parameter \fB\s-1MUST\s0\fR be set to \fB\s-1NULL\s0\fR.
.PP
Applications wishing to sign certificates (or other structures such as
CRLs or certificate requests) using Ed25519 or Ed448 can either use \fBX509_sign()\fR
or \fBX509_sign_ctx()\fR in the usual way.
.PP
A context for the \fBEd25519\fR algorithm can be obtained by calling:
.PP
.Vb 1
\& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED25519, NULL);
.Ve
.PP
For the \fBEd448\fR algorithm a context can be obtained by calling:
.PP
.Vb 1
\& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED448, NULL);
.Ve
.PP
Ed25519 or Ed448 private keys can be set directly using
\&\fBEVP_PKEY_new_raw_private_key\fR\|(3) or loaded from a PKCS#8 private key file
using \fBPEM_read_bio_PrivateKey\fR\|(3) (or similar function). Completely new keys
can also be generated (see the example below). Setting a private key also sets
the associated public key.
.PP
Ed25519 or Ed448 public keys can be set directly using
\&\fBEVP_PKEY_new_raw_public_key\fR\|(3) or loaded from a SubjectPublicKeyInfo
structure in a \s-1PEM\s0 file using \fBPEM_read_bio_PUBKEY\fR\|(3) (or similar function).
.PP
Ed25519 and Ed448 can be tested within \fBspeed\fR\|(1) application since version 1.1.1.
Valid algorithm names are \fBed25519\fR, \fBed448\fR and \fBeddsa\fR. If \fBeddsa\fR is
specified, then both Ed25519 and Ed448 are benchmarked.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
This example generates an \fB\s-1ED25519\s0\fR private key and writes it to standard
output in \s-1PEM\s0 format:
.PP
.Vb 9
\& #include <openssl/evp.h>
\& #include <openssl/pem.h>
\& ...
\& EVP_PKEY *pkey = NULL;
\& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED25519, NULL);
\& EVP_PKEY_keygen_init(pctx);
\& EVP_PKEY_keygen(pctx, &pkey);
\& EVP_PKEY_CTX_free(pctx);
\& PEM_write_PrivateKey(stdout, pkey, NULL, NULL, 0, NULL, NULL);
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_keygen\fR\|(3),
\&\fBEVP_DigestSignInit\fR\|(3),
\&\fBEVP_DigestVerifyInit\fR\|(3),
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/RAND.7 b/secure/lib/libcrypto/man/man7/RAND.7
index f038f4a95bcc..aaf0b7788ac6 100644
--- a/secure/lib/libcrypto/man/man7/RAND.7
+++ b/secure/lib/libcrypto/man/man7/RAND.7
@@ -1,210 +1,210 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RAND 7"
-.TH RAND 7 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RAND 7 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RAND \&\- the OpenSSL random generator
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Random numbers are a vital part of cryptography, they are needed to provide
unpredictability for tasks like key generation, creating salts, and many more.
Software-based generators must be seeded with external randomness before they
can be used as a cryptographically-secure pseudo-random number generator
(\s-1CSPRNG\s0).
The availability of common hardware with special instructions and
modern operating systems, which may use items such as interrupt jitter
and network packet timings, can be reasonable sources of seeding material.
.PP
OpenSSL comes with a default implementation of the \s-1RAND API\s0 which is based on
the deterministic random bit generator (\s-1DRBG\s0) model as described in
[\s-1NIST SP 800\-90A\s0 Rev. 1]. The default random generator will initialize
automatically on first use and will be fully functional without having
to be initialized ('seeded') explicitly.
It seeds and reseeds itself automatically using trusted random sources
provided by the operating system.
.PP
As a normal application developer, you do not have to worry about any details,
just use \fBRAND_bytes\fR\|(3) to obtain random data.
Having said that, there is one important rule to obey: Always check the error
return value of \fBRAND_bytes\fR\|(3) and do not take randomness for granted.
Although (re\-)seeding is automatic, it can fail because no trusted random source
is available or the trusted source(s) temporarily fail to provide sufficient
random seed material.
In this case the \s-1CSPRNG\s0 enters an error state and ceases to provide output,
until it is able to recover from the error by reseeding itself.
For more details on reseeding and error recovery, see \s-1\fBRAND_DRBG\s0\fR\|(7).
.PP
For values that should remain secret, you can use \fBRAND_priv_bytes\fR\|(3)
instead.
This method does not provide 'better' randomness, it uses the same type of \s-1CSPRNG.\s0
The intention behind using a dedicated \s-1CSPRNG\s0 exclusively for private
values is that none of its output should be visible to an attacker (e.g.,
used as salt value), in order to reveal as little information as
possible about its internal state, and that a compromise of the \*(L"public\*(R"
\&\s-1CSPRNG\s0 instance will not affect the secrecy of these private values.
.PP
In the rare case where the default implementation does not satisfy your special
requirements, there are two options:
.IP "\(bu" 2
Replace the default \s-1RAND\s0 method by your own \s-1RAND\s0 method using
\&\fBRAND_set_rand_method\fR\|(3).
.IP "\(bu" 2
Modify the default settings of the OpenSSL \s-1RAND\s0 method by modifying the security
parameters of the underlying \s-1DRBG,\s0 which is described in detail in \s-1\fBRAND_DRBG\s0\fR\|(7).
.PP
Changing the default random generator or its default parameters should be necessary
only in exceptional cases and is not recommended, unless you have a profound knowledge
of cryptographic principles and understand the implications of your changes.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBRAND_add\fR\|(3),
\&\fBRAND_bytes\fR\|(3),
\&\fBRAND_priv_bytes\fR\|(3),
\&\fBRAND_get_rand_method\fR\|(3),
\&\fBRAND_set_rand_method\fR\|(3),
\&\fBRAND_OpenSSL\fR\|(3),
\&\s-1\fBRAND_DRBG\s0\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2018\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/RAND_DRBG.7 b/secure/lib/libcrypto/man/man7/RAND_DRBG.7
index fec3aa00a551..ba63cee941fe 100644
--- a/secure/lib/libcrypto/man/man7/RAND_DRBG.7
+++ b/secure/lib/libcrypto/man/man7/RAND_DRBG.7
@@ -1,396 +1,396 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RAND_DRBG 7"
-.TH RAND_DRBG 7 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RAND_DRBG 7 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RAND_DRBG \- the deterministic random bit generator
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/rand_drbg.h>
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The default OpenSSL \s-1RAND\s0 method is based on the \s-1RAND_DRBG\s0 class,
which implements a deterministic random bit generator (\s-1DRBG\s0).
A \s-1DRBG\s0 is a certain type of cryptographically-secure pseudo-random
number generator (\s-1CSPRNG\s0), which is described in
[\s-1NIST SP 800\-90A\s0 Rev. 1].
.PP
While the \s-1RAND API\s0 is the 'frontend' which is intended to be used by
application developers for obtaining random bytes, the \s-1RAND_DRBG API\s0
serves as the 'backend', connecting the former with the operating
systems's entropy sources and providing access to the \s-1DRBG\s0's
configuration parameters.
.SS "Disclaimer"
.IX Subsection "Disclaimer"
Unless you have very specific requirements for your random generator,
it is in general not necessary to utilize the \s-1RAND_DRBG API\s0 directly.
The usual way to obtain random bytes is to use \fBRAND_bytes\fR\|(3) or
\&\fBRAND_priv_bytes\fR\|(3), see also \s-1\fBRAND\s0\fR\|(7).
.SS "Typical Use Cases"
.IX Subsection "Typical Use Cases"
Typical examples for such special use cases are the following:
.IP "\(bu" 2
You want to use your own private \s-1DRBG\s0 instances.
Multiple \s-1DRBG\s0 instances which are accessed only by a single thread provide
additional security (because their internal states are independent) and
better scalability in multithreaded applications (because they don't need
to be locked).
.IP "\(bu" 2
You need to integrate a previously unsupported entropy source.
.IP "\(bu" 2
You need to change the default settings of the standard OpenSSL \s-1RAND\s0
implementation to meet specific requirements.
.SH "CHAINING"
.IX Header "CHAINING"
A \s-1DRBG\s0 instance can be used as the entropy source of another \s-1DRBG\s0 instance,
provided it has itself access to a valid entropy source.
The \s-1DRBG\s0 instance which acts as entropy source is called the \fIparent\fR \s-1DRBG,\s0
the other instance the \fIchild\fR \s-1DRBG.\s0
.PP
This is called chaining. A chained \s-1DRBG\s0 instance is created by passing
a pointer to the parent \s-1DRBG\s0 as argument to the \fBRAND_DRBG_new()\fR call.
It is possible to create chains of more than two \s-1DRBG\s0 in a row.
.SH "THE THREE SHARED DRBG INSTANCES"
.IX Header "THE THREE SHARED DRBG INSTANCES"
Currently, there are three shared \s-1DRBG\s0 instances,
the <master>, <public>, and <private> \s-1DRBG.\s0
While the <master> \s-1DRBG\s0 is a single global instance, the <public> and <private>
\&\s-1DRBG\s0 are created per thread and accessed through thread-local storage.
.PP
By default, the functions \fBRAND_bytes\fR\|(3) and \fBRAND_priv_bytes\fR\|(3) use
the thread-local <public> and <private> \s-1DRBG\s0 instance, respectively.
.SS "The <master> \s-1DRBG\s0 instance"
.IX Subsection "The <master> DRBG instance"
The <master> \s-1DRBG\s0 is not used directly by the application, only for reseeding
the two other two \s-1DRBG\s0 instances. It reseeds itself by obtaining randomness
either from os entropy sources or by consuming randomness which was added
previously by \fBRAND_add\fR\|(3).
.SS "The <public> \s-1DRBG\s0 instance"
.IX Subsection "The <public> DRBG instance"
This instance is used per default by \fBRAND_bytes\fR\|(3).
.SS "The <private> \s-1DRBG\s0 instance"
.IX Subsection "The <private> DRBG instance"
This instance is used per default by \fBRAND_priv_bytes\fR\|(3)
.SH "LOCKING"
.IX Header "LOCKING"
The <master> \s-1DRBG\s0 is intended to be accessed concurrently for reseeding
by its child \s-1DRBG\s0 instances. The necessary locking is done internally.
It is \fInot\fR thread-safe to access the <master> \s-1DRBG\s0 directly via the
\&\s-1RAND_DRBG\s0 interface.
The <public> and <private> \s-1DRBG\s0 are thread-local, i.e. there is an
instance of each per thread. So they can safely be accessed without
locking via the \s-1RAND_DRBG\s0 interface.
.PP
Pointers to these \s-1DRBG\s0 instances can be obtained using
\&\fBRAND_DRBG_get0_master()\fR,
\&\fBRAND_DRBG_get0_public()\fR, and
\&\fBRAND_DRBG_get0_private()\fR, respectively.
Note that it is not allowed to store a pointer to one of the thread-local
\&\s-1DRBG\s0 instances in a variable or other memory location where it will be
accessed and used by multiple threads.
.PP
All other \s-1DRBG\s0 instances created by an application don't support locking,
because they are intended to be used by a single thread.
Instead of accessing a single \s-1DRBG\s0 instance concurrently from different
threads, it is recommended to instantiate a separate \s-1DRBG\s0 instance per
thread. Using the <master> \s-1DRBG\s0 as entropy source for multiple \s-1DRBG\s0
instances on different threads is thread-safe, because the \s-1DRBG\s0 instance
will lock the <master> \s-1DRBG\s0 automatically for obtaining random input.
.SH "THE OVERALL PICTURE"
.IX Header "THE OVERALL PICTURE"
The following picture gives an overview over how the \s-1DRBG\s0 instances work
together and are being used.
.PP
.Vb 10
\& +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
\& | os entropy sources |
\& +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
\& |
\& v +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
\& RAND_add() ==> <master> <\-| shared DRBG (with locking) |
\& / \e +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
\& / \e +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
\& <public> <private> <\- | per\-thread DRBG instances |
\& | | +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
\& v v
\& RAND_bytes() RAND_priv_bytes()
\& | ^
\& | |
\& +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+ +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
\& | general purpose | | used for secrets like session keys |
\& | random generator | | and private keys for certificates |
\& +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+ +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
.Ve
.PP
The usual way to obtain random bytes is to call RAND_bytes(...) or
RAND_priv_bytes(...). These calls are roughly equivalent to calling
RAND_DRBG_bytes(<public>, ...) and RAND_DRBG_bytes(<private>, ...),
respectively. The method \fBRAND_DRBG_bytes\fR\|(3) is a convenience method
wrapping the \fBRAND_DRBG_generate\fR\|(3) function, which serves the actual
request for random data.
.SH "RESEEDING"
.IX Header "RESEEDING"
A \s-1DRBG\s0 instance seeds itself automatically, pulling random input from
its entropy source. The entropy source can be either a trusted operating
system entropy source, or another \s-1DRBG\s0 with access to such a source.
.PP
Automatic reseeding occurs after a predefined number of generate requests.
The selection of the trusted entropy sources is configured at build
time using the \-\-with\-rand\-seed option. The following sections explain
the reseeding process in more detail.
.SS "Automatic Reseeding"
.IX Subsection "Automatic Reseeding"
Before satisfying a generate request (\fBRAND_DRBG_generate\fR\|(3)), the \s-1DRBG\s0
reseeds itself automatically, if one of the following conditions holds:
.PP
\&\- the \s-1DRBG\s0 was not instantiated (=seeded) yet or has been uninstantiated.
.PP
\&\- the number of generate requests since the last reseeding exceeds a
certain threshold, the so called \fIreseed_interval\fR.
This behaviour can be disabled by setting the \fIreseed_interval\fR to 0.
.PP
\&\- the time elapsed since the last reseeding exceeds a certain time
interval, the so called \fIreseed_time_interval\fR.
This can be disabled by setting the \fIreseed_time_interval\fR to 0.
.PP
\&\- the \s-1DRBG\s0 is in an error state.
.PP
\&\fBNote\fR: An error state is entered if the entropy source fails while
the \s-1DRBG\s0 is seeding or reseeding.
The last case ensures that the \s-1DRBG\s0 automatically recovers
from the error as soon as the entropy source is available again.
.SS "Manual Reseeding"
.IX Subsection "Manual Reseeding"
In addition to automatic reseeding, the caller can request an immediate
reseeding of the \s-1DRBG\s0 with fresh entropy by setting the
\&\fIprediction resistance\fR parameter to 1 when calling \fBRAND_DRBG_generate\fR\|(3).
.PP
The document [\s-1NIST SP 800\-90C\s0] describes prediction resistance requests
in detail and imposes strict conditions on the entropy sources that are
approved for providing prediction resistance.
Since the default \s-1DRBG\s0 implementation does not have access to such an approved
entropy source, a request for prediction resistance will currently always fail.
In other words, prediction resistance is currently not supported yet by the \s-1DRBG.\s0
.PP
For the three shared DRBGs (and only for these) there is another way to
reseed them manually:
If \fBRAND_add\fR\|(3) is called with a positive \fIrandomness\fR argument
(or \fBRAND_seed\fR\|(3)), then this will immediately reseed the <master> \s-1DRBG.\s0
The <public> and <private> \s-1DRBG\s0 will detect this on their next generate
call and reseed, pulling randomness from <master>.
.PP
The last feature has been added to support the common practice used with
previous OpenSSL versions to call \fBRAND_add()\fR before calling \fBRAND_bytes()\fR.
.SS "Entropy Input vs. Additional Data"
.IX Subsection "Entropy Input vs. Additional Data"
The \s-1DRBG\s0 distinguishes two different types of random input: \fIentropy\fR,
which comes from a trusted source, and \fIadditional input\fR',
which can optionally be added by the user and is considered untrusted.
It is possible to add \fIadditional input\fR not only during reseeding,
but also for every generate request.
This is in fact done automatically by \fBRAND_DRBG_bytes\fR\|(3).
.SS "Configuring the Random Seed Source"
.IX Subsection "Configuring the Random Seed Source"
In most cases OpenSSL will automatically choose a suitable seed source
for automatically seeding and reseeding its <master> \s-1DRBG.\s0 In some cases
however, it will be necessary to explicitly specify a seed source during
configuration, using the \-\-with\-rand\-seed option. For more information,
see the \s-1INSTALL\s0 instructions. There are also operating systems where no
seed source is available and automatic reseeding is disabled by default.
.PP
The following two sections describe the reseeding process of the master
\&\s-1DRBG,\s0 depending on whether automatic reseeding is available or not.
.SS "Reseeding the master \s-1DRBG\s0 with automatic seeding enabled"
.IX Subsection "Reseeding the master DRBG with automatic seeding enabled"
Calling \fBRAND_poll()\fR or \fBRAND_add()\fR is not necessary, because the \s-1DRBG\s0
pulls the necessary entropy from its source automatically.
However, both calls are permitted, and do reseed the \s-1RNG.\s0
.PP
\&\fBRAND_add()\fR can be used to add both kinds of random input, depending on the
value of the \fBrandomness\fR argument:
.IP "randomness == 0:" 4
.IX Item "randomness == 0:"
The random bytes are mixed as additional input into the current state of
the \s-1DRBG.\s0
Mixing in additional input is not considered a full reseeding, hence the
reseed counter is not reset.
.IP "randomness > 0:" 4
.IX Item "randomness > 0:"
The random bytes are used as entropy input for a full reseeding
(resp. reinstantiation) if the \s-1DRBG\s0 is instantiated
(resp. uninstantiated or in an error state).
The number of random bits required for reseeding is determined by the
security strength of the \s-1DRBG.\s0 Currently it defaults to 256 bits (32 bytes).
It is possible to provide less randomness than required.
In this case the missing randomness will be obtained by pulling random input
from the trusted entropy sources.
.SS "Reseeding the master \s-1DRBG\s0 with automatic seeding disabled"
.IX Subsection "Reseeding the master DRBG with automatic seeding disabled"
Calling \fBRAND_poll()\fR will always fail.
.PP
\&\fBRAND_add()\fR needs to be called for initial seeding and periodic reseeding.
At least 48 bytes (384 bits) of randomness have to be provided, otherwise
the (re\-)seeding of the \s-1DRBG\s0 will fail. This corresponds to one and a half
times the security strength of the \s-1DRBG.\s0 The extra half is used for the
nonce during instantiation.
.PP
More precisely, the number of bytes needed for seeding depend on the
\&\fIsecurity strength\fR of the \s-1DRBG,\s0 which is set to 256 by default.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBRAND_DRBG_bytes\fR\|(3),
\&\fBRAND_DRBG_generate\fR\|(3),
\&\fBRAND_DRBG_reseed\fR\|(3),
\&\fBRAND_DRBG_get0_master\fR\|(3),
\&\fBRAND_DRBG_get0_public\fR\|(3),
\&\fBRAND_DRBG_get0_private\fR\|(3),
\&\fBRAND_DRBG_set_reseed_interval\fR\|(3),
\&\fBRAND_DRBG_set_reseed_time_interval\fR\|(3),
\&\fBRAND_DRBG_set_reseed_defaults\fR\|(3),
\&\s-1\fBRAND\s0\fR\|(7),
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/RSA-PSS.7 b/secure/lib/libcrypto/man/man7/RSA-PSS.7
index 61cfde4af24c..3caa556da04b 100644
--- a/secure/lib/libcrypto/man/man7/RSA-PSS.7
+++ b/secure/lib/libcrypto/man/man7/RSA-PSS.7
@@ -1,189 +1,189 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA-PSS 7"
-.TH RSA-PSS 7 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RSA-PSS 7 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
RSA\-PSS \- EVP_PKEY RSA\-PSS algorithm support
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBRSA-PSS\fR \s-1EVP_PKEY\s0 implementation is a restricted version of the \s-1RSA\s0
algorithm which only supports signing, verification and key generation
using \s-1PSS\s0 padding modes with optional parameter restrictions.
.PP
It has associated private key and public key formats.
.PP
This algorithm shares several control operations with the \fB\s-1RSA\s0\fR algorithm
but with some restrictions described below.
.SS "Signing and Verification"
.IX Subsection "Signing and Verification"
Signing and verification is similar to the \fB\s-1RSA\s0\fR algorithm except the
padding mode is always \s-1PSS.\s0 If the key in use has parameter restrictions then
the corresponding signature parameters are set to the restrictions:
for example, if the key can only be used with digest \s-1SHA256, MGF1 SHA256\s0
and minimum salt length 32 then the digest, \s-1MGF1\s0 digest and salt length
will be set to \s-1SHA256, SHA256\s0 and 32 respectively.
.SS "Key Generation"
.IX Subsection "Key Generation"
By default no parameter restrictions are placed on the generated key.
.SH "NOTES"
.IX Header "NOTES"
The public key format is documented in \s-1RFC4055.\s0
.PP
The PKCS#8 private key format used for RSA-PSS keys is similar to the \s-1RSA\s0
format except it uses the \fBid-RSASSA-PSS\fR \s-1OID\s0 and the parameters field, if
present, restricts the key parameters in the same way as the public key.
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
\&\s-1RFC 4055\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_set_rsa_pss_keygen_md\fR\|(3),
\&\fBEVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md\fR\|(3),
\&\fBEVP_PKEY_CTX_set_rsa_pss_keygen_saltlen\fR\|(3),
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_CTX_ctrl_str\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/SM2.7 b/secure/lib/libcrypto/man/man7/SM2.7
index 6695fe3b11a0..b8b057f8e22a 100644
--- a/secure/lib/libcrypto/man/man7/SM2.7
+++ b/secure/lib/libcrypto/man/man7/SM2.7
@@ -1,217 +1,217 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SM2 7"
-.TH SM2 7 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SM2 7 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
SM2 \- Chinese SM2 signature and encryption algorithm support
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fB\s-1SM2\s0\fR algorithm was first defined by the Chinese national standard \s-1GM/T
0003\-2012\s0 and was later standardized by \s-1ISO\s0 as \s-1ISO/IEC 14888.\s0 \fB\s-1SM2\s0\fR is actually
an elliptic curve based algorithm. The current implementation in OpenSSL supports
both signature and encryption schemes via the \s-1EVP\s0 interface.
.PP
When doing the \fB\s-1SM2\s0\fR signature algorithm, it requires a distinguishing identifier
to form the message prefix which is hashed before the real message is hashed.
.SH "NOTES"
.IX Header "NOTES"
\&\fB\s-1SM2\s0\fR signatures can be generated by using the 'DigestSign' series of APIs, for
instance, \fBEVP_DigestSignInit()\fR, \fBEVP_DigestSignUpdate()\fR and \fBEVP_DigestSignFinal()\fR.
Ditto for the verification process by calling the 'DigestVerify' series of APIs.
.PP
There are several special steps that need to be done before computing an \fB\s-1SM2\s0\fR
signature.
.PP
The \fB\s-1EVP_PKEY\s0\fR structure will default to using \s-1ECDSA\s0 for signatures when it is
created. It should be set to \fB\s-1EVP_PKEY_SM2\s0\fR by calling:
.PP
.Vb 1
\& EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
.Ve
.PP
Then an \s-1ID\s0 should be set by calling:
.PP
.Vb 1
\& EVP_PKEY_CTX_set1_id(pctx, id, id_len);
.Ve
.PP
When calling the \fBEVP_DigestSignInit()\fR or \fBEVP_DigestVerifyInit()\fR functions, a
preallocated \fB\s-1EVP_PKEY_CTX\s0\fR should be assigned to the \fB\s-1EVP_MD_CTX\s0\fR. This is
done by calling:
.PP
.Vb 1
\& EVP_MD_CTX_set_pkey_ctx(mctx, pctx);
.Ve
.PP
And normally there is no need to pass a \fBpctx\fR parameter to \fBEVP_DigestSignInit()\fR
or \fBEVP_DigestVerifyInit()\fR in such a scenario.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
This example demonstrates the calling sequence for using an \fB\s-1EVP_PKEY\s0\fR to verify
a message with the \s-1SM2\s0 signature algorithm and the \s-1SM3\s0 hash algorithm:
.PP
.Vb 1
\& #include <openssl/evp.h>
\&
\& /* obtain an EVP_PKEY using whatever methods... */
\& EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
\& mctx = EVP_MD_CTX_new();
\& pctx = EVP_PKEY_CTX_new(pkey, NULL);
\& EVP_PKEY_CTX_set1_id(pctx, id, id_len);
\& EVP_MD_CTX_set_pkey_ctx(mctx, pctx);;
\& EVP_DigestVerifyInit(mctx, NULL, EVP_sm3(), NULL, pkey);
\& EVP_DigestVerifyUpdate(mctx, msg, msg_len);
\& EVP_DigestVerifyFinal(mctx, sig, sig_len)
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_set_alias_type\fR\|(3),
\&\fBEVP_DigestSignInit\fR\|(3),
\&\fBEVP_DigestVerifyInit\fR\|(3),
\&\fBEVP_PKEY_CTX_set1_id\fR\|(3),
\&\fBEVP_MD_CTX_set_pkey_ctx\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2018\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/X25519.7 b/secure/lib/libcrypto/man/man7/X25519.7
index 0bee023684c6..07924aa909b7 100644
--- a/secure/lib/libcrypto/man/man7/X25519.7
+++ b/secure/lib/libcrypto/man/man7/X25519.7
@@ -1,208 +1,208 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X25519 7"
-.TH X25519 7 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X25519 7 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
X25519, X448 \&\- EVP_PKEY X25519 and X448 support
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBX25519\fR and \fBX448\fR \s-1EVP_PKEY\s0 implementation supports key generation and
key derivation using \fBX25519\fR and \fBX448\fR. It has associated private and public
key formats compatible with \s-1RFC 8410.\s0
.PP
No additional parameters can be set during key generation.
.PP
The peer public key must be set using \fBEVP_PKEY_derive_set_peer()\fR when
performing key derivation.
.SH "NOTES"
.IX Header "NOTES"
A context for the \fBX25519\fR algorithm can be obtained by calling:
.PP
.Vb 1
\& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X25519, NULL);
.Ve
.PP
For the \fBX448\fR algorithm a context can be obtained by calling:
.PP
.Vb 1
\& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X448, NULL);
.Ve
.PP
X25519 or X448 private keys can be set directly using
\&\fBEVP_PKEY_new_raw_private_key\fR\|(3) or loaded from a PKCS#8 private key file
using \fBPEM_read_bio_PrivateKey\fR\|(3) (or similar function). Completely new keys
can also be generated (see the example below). Setting a private key also sets
the associated public key.
.PP
X25519 or X448 public keys can be set directly using
\&\fBEVP_PKEY_new_raw_public_key\fR\|(3) or loaded from a SubjectPublicKeyInfo
structure in a \s-1PEM\s0 file using \fBPEM_read_bio_PUBKEY\fR\|(3) (or similar function).
.SH "EXAMPLES"
.IX Header "EXAMPLES"
This example generates an \fBX25519\fR private key and writes it to standard
output in \s-1PEM\s0 format:
.PP
.Vb 9
\& #include <openssl/evp.h>
\& #include <openssl/pem.h>
\& ...
\& EVP_PKEY *pkey = NULL;
\& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X25519, NULL);
\& EVP_PKEY_keygen_init(pctx);
\& EVP_PKEY_keygen(pctx, &pkey);
\& EVP_PKEY_CTX_free(pctx);
\& PEM_write_PrivateKey(stdout, pkey, NULL, NULL, 0, NULL, NULL);
.Ve
.PP
The key derivation example in \fBEVP_PKEY_derive\fR\|(3) can be used with
\&\fBX25519\fR and \fBX448\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_keygen\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3),
\&\fBEVP_PKEY_derive_set_peer\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/bio.7 b/secure/lib/libcrypto/man/man7/bio.7
index 914be2789e0a..a2de31387de8 100644
--- a/secure/lib/libcrypto/man/man7/bio.7
+++ b/secure/lib/libcrypto/man/man7/bio.7
@@ -1,217 +1,217 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "BIO 7"
-.TH BIO 7 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH BIO 7 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
bio \- Basic I/O abstraction
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/bio.h>
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
A \s-1BIO\s0 is an I/O abstraction, it hides many of the underlying I/O
details from an application. If an application uses a \s-1BIO\s0 for its
I/O it can transparently handle \s-1SSL\s0 connections, unencrypted network
connections and file I/O.
.PP
There are two type of \s-1BIO,\s0 a source/sink \s-1BIO\s0 and a filter \s-1BIO.\s0
.PP
As its name implies a source/sink \s-1BIO\s0 is a source and/or sink of data,
examples include a socket \s-1BIO\s0 and a file \s-1BIO.\s0
.PP
A filter \s-1BIO\s0 takes data from one \s-1BIO\s0 and passes it through to
another, or the application. The data may be left unmodified (for
example a message digest \s-1BIO\s0) or translated (for example an
encryption \s-1BIO\s0). The effect of a filter \s-1BIO\s0 may change according
to the I/O operation it is performing: for example an encryption
\&\s-1BIO\s0 will encrypt data if it is being written to and decrypt data
if it is being read from.
.PP
BIOs can be joined together to form a chain (a single \s-1BIO\s0 is a chain
with one component). A chain normally consist of one source/sink
\&\s-1BIO\s0 and one or more filter BIOs. Data read from or written to the
first \s-1BIO\s0 then traverses the chain to the end (normally a source/sink
\&\s-1BIO\s0).
.PP
Some BIOs (such as memory BIOs) can be used immediately after calling
\&\fBBIO_new()\fR. Others (such as file BIOs) need some additional initialization,
and frequently a utility function exists to create and initialize such BIOs.
.PP
If \fBBIO_free()\fR is called on a \s-1BIO\s0 chain it will only free one \s-1BIO\s0 resulting
in a memory leak.
.PP
Calling \fBBIO_free_all()\fR on a single \s-1BIO\s0 has the same effect as calling
\&\fBBIO_free()\fR on it other than the discarded return value.
.PP
Normally the \fBtype\fR argument is supplied by a function which returns a
pointer to a \s-1BIO_METHOD.\s0 There is a naming convention for such functions:
a source/sink \s-1BIO\s0 is normally called BIO_s_*() and a filter \s-1BIO\s0
BIO_f_*();
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Create a memory \s-1BIO:\s0
.PP
.Vb 1
\& BIO *mem = BIO_new(BIO_s_mem());
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBBIO_ctrl\fR\|(3),
\&\fBBIO_f_base64\fR\|(3), \fBBIO_f_buffer\fR\|(3),
\&\fBBIO_f_cipher\fR\|(3), \fBBIO_f_md\fR\|(3),
\&\fBBIO_f_null\fR\|(3), \fBBIO_f_ssl\fR\|(3),
\&\fBBIO_find_type\fR\|(3), \fBBIO_new\fR\|(3),
\&\fBBIO_new_bio_pair\fR\|(3),
\&\fBBIO_push\fR\|(3), \fBBIO_read_ex\fR\|(3),
\&\fBBIO_s_accept\fR\|(3), \fBBIO_s_bio\fR\|(3),
\&\fBBIO_s_connect\fR\|(3), \fBBIO_s_fd\fR\|(3),
\&\fBBIO_s_file\fR\|(3), \fBBIO_s_mem\fR\|(3),
\&\fBBIO_s_null\fR\|(3), \fBBIO_s_socket\fR\|(3),
\&\fBBIO_set_callback\fR\|(3),
\&\fBBIO_should_retry\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/ct.7 b/secure/lib/libcrypto/man/man7/ct.7
index ac2e833b8fa8..40513f394965 100644
--- a/secure/lib/libcrypto/man/man7/ct.7
+++ b/secure/lib/libcrypto/man/man7/ct.7
@@ -1,185 +1,185 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CT 7"
-.TH CT 7 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CT 7 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ct \- Certificate Transparency
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/ct.h>
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This library implements Certificate Transparency (\s-1CT\s0) verification for \s-1TLS\s0
clients, as defined in \s-1RFC 6962.\s0 This verification can provide some confidence
that a certificate has been publicly logged in a set of \s-1CT\s0 logs.
.PP
By default, these checks are disabled. They can be enabled using
\&\fBSSL_CTX_enable_ct\fR\|(3) or \fBSSL_enable_ct\fR\|(3).
.PP
This library can also be used to parse and examine \s-1CT\s0 data structures, such as
Signed Certificate Timestamps (SCTs), or to read a list of \s-1CT\s0 logs. There are
functions for:
\&\- decoding and encoding SCTs in \s-1DER\s0 and \s-1TLS\s0 wire format.
\&\- printing SCTs.
\&\- verifying the authenticity of SCTs.
\&\- loading a \s-1CT\s0 log list from a \s-1CONF\s0 file.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBd2i_SCT_LIST\fR\|(3),
\&\fBCTLOG_STORE_new\fR\|(3),
\&\fBCTLOG_STORE_get0_log_by_id\fR\|(3),
\&\fBSCT_new\fR\|(3),
\&\fBSCT_print\fR\|(3),
\&\fBSCT_validate\fR\|(3),
\&\fBSCT_validate\fR\|(3),
\&\fBCT_POLICY_EVAL_CTX_new\fR\|(3),
\&\fBSSL_CTX_set_ct_validation_callback\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The ct library was added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/des_modes.7 b/secure/lib/libcrypto/man/man7/des_modes.7
index de5b7ae92adf..4b5bc914b1b0 100644
--- a/secure/lib/libcrypto/man/man7/des_modes.7
+++ b/secure/lib/libcrypto/man/man7/des_modes.7
@@ -1,295 +1,295 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DES_MODES 7"
-.TH DES_MODES 7 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DES_MODES 7 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
des_modes \- the variants of DES and other crypto algorithms of OpenSSL
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Several crypto algorithms for OpenSSL can be used in a number of modes. Those
are used for using block ciphers in a way similar to stream ciphers, among
other things.
.SH "OVERVIEW"
.IX Header "OVERVIEW"
.SS "Electronic Codebook Mode (\s-1ECB\s0)"
.IX Subsection "Electronic Codebook Mode (ECB)"
Normally, this is found as the function \fIalgorithm\fR\fB_ecb_encrypt()\fR.
.IP "\(bu" 2
64 bits are enciphered at a time.
.IP "\(bu" 2
The order of the blocks can be rearranged without detection.
.IP "\(bu" 2
The same plaintext block always produces the same ciphertext block
(for the same key) making it vulnerable to a 'dictionary attack'.
.IP "\(bu" 2
An error will only affect one ciphertext block.
.SS "Cipher Block Chaining Mode (\s-1CBC\s0)"
.IX Subsection "Cipher Block Chaining Mode (CBC)"
Normally, this is found as the function \fIalgorithm\fR\fB_cbc_encrypt()\fR.
Be aware that \fBdes_cbc_encrypt()\fR is not really \s-1DES CBC\s0 (it does
not update the \s-1IV\s0); use \fBdes_ncbc_encrypt()\fR instead.
.IP "\(bu" 2
a multiple of 64 bits are enciphered at a time.
.IP "\(bu" 2
The \s-1CBC\s0 mode produces the same ciphertext whenever the same
plaintext is encrypted using the same key and starting variable.
.IP "\(bu" 2
The chaining operation makes the ciphertext blocks dependent on the
current and all preceding plaintext blocks and therefore blocks can not
be rearranged.
.IP "\(bu" 2
The use of different starting variables prevents the same plaintext
enciphering to the same ciphertext.
.IP "\(bu" 2
An error will affect the current and the following ciphertext blocks.
.SS "Cipher Feedback Mode (\s-1CFB\s0)"
.IX Subsection "Cipher Feedback Mode (CFB)"
Normally, this is found as the function \fIalgorithm\fR\fB_cfb_encrypt()\fR.
.IP "\(bu" 2
a number of bits (j) <= 64 are enciphered at a time.
.IP "\(bu" 2
The \s-1CFB\s0 mode produces the same ciphertext whenever the same
plaintext is encrypted using the same key and starting variable.
.IP "\(bu" 2
The chaining operation makes the ciphertext variables dependent on the
current and all preceding variables and therefore j\-bit variables are
chained together and can not be rearranged.
.IP "\(bu" 2
The use of different starting variables prevents the same plaintext
enciphering to the same ciphertext.
.IP "\(bu" 2
The strength of the \s-1CFB\s0 mode depends on the size of k (maximal if
j == k). In my implementation this is always the case.
.IP "\(bu" 2
Selection of a small value for j will require more cycles through
the encipherment algorithm per unit of plaintext and thus cause
greater processing overheads.
.IP "\(bu" 2
Only multiples of j bits can be enciphered.
.IP "\(bu" 2
An error will affect the current and the following ciphertext variables.
.SS "Output Feedback Mode (\s-1OFB\s0)"
.IX Subsection "Output Feedback Mode (OFB)"
Normally, this is found as the function \fIalgorithm\fR\fB_ofb_encrypt()\fR.
.IP "\(bu" 2
a number of bits (j) <= 64 are enciphered at a time.
.IP "\(bu" 2
The \s-1OFB\s0 mode produces the same ciphertext whenever the same
plaintext enciphered using the same key and starting variable. More
over, in the \s-1OFB\s0 mode the same key stream is produced when the same
key and start variable are used. Consequently, for security reasons
a specific start variable should be used only once for a given key.
.IP "\(bu" 2
The absence of chaining makes the \s-1OFB\s0 more vulnerable to specific attacks.
.IP "\(bu" 2
The use of different start variables values prevents the same
plaintext enciphering to the same ciphertext, by producing different
key streams.
.IP "\(bu" 2
Selection of a small value for j will require more cycles through
the encipherment algorithm per unit of plaintext and thus cause
greater processing overheads.
.IP "\(bu" 2
Only multiples of j bits can be enciphered.
.IP "\(bu" 2
\&\s-1OFB\s0 mode of operation does not extend ciphertext errors in the
resultant plaintext output. Every bit error in the ciphertext causes
only one bit to be in error in the deciphered plaintext.
.IP "\(bu" 2
\&\s-1OFB\s0 mode is not self-synchronizing. If the two operation of
encipherment and decipherment get out of synchronism, the system needs
to be re-initialized.
.IP "\(bu" 2
Each re-initialization should use a value of the start variable
different from the start variable values used before with the same
key. The reason for this is that an identical bit stream would be
produced each time from the same parameters. This would be
susceptible to a 'known plaintext' attack.
.SS "Triple \s-1ECB\s0 Mode"
.IX Subsection "Triple ECB Mode"
Normally, this is found as the function \fIalgorithm\fR\fB_ecb3_encrypt()\fR.
.IP "\(bu" 2
Encrypt with key1, decrypt with key2 and encrypt with key3 again.
.IP "\(bu" 2
As for \s-1ECB\s0 encryption but increases the key length to 168 bits.
There are theoretic attacks that can be used that make the effective
key length 112 bits, but this attack also requires 2^56 blocks of
memory, not very likely, even for the \s-1NSA.\s0
.IP "\(bu" 2
If both keys are the same it is equivalent to encrypting once with
just one key.
.IP "\(bu" 2
If the first and last key are the same, the key length is 112 bits.
There are attacks that could reduce the effective key strength
to only slightly more than 56 bits, but these require a lot of memory.
.IP "\(bu" 2
If all 3 keys are the same, this is effectively the same as normal
ecb mode.
.SS "Triple \s-1CBC\s0 Mode"
.IX Subsection "Triple CBC Mode"
Normally, this is found as the function \fIalgorithm\fR\fB_ede3_cbc_encrypt()\fR.
.IP "\(bu" 2
Encrypt with key1, decrypt with key2 and then encrypt with key3.
.IP "\(bu" 2
As for \s-1CBC\s0 encryption but increases the key length to 168 bits with
the same restrictions as for triple ecb mode.
.SH "NOTES"
.IX Header "NOTES"
This text was been written in large parts by Eric Young in his original
documentation for SSLeay, the predecessor of OpenSSL. In turn, he attributed
it to:
.PP
.Vb 5
\& AS 2805.5.2
\& Australian Standard
\& Electronic funds transfer \- Requirements for interfaces,
\& Part 5.2: Modes of operation for an n\-bit block cipher algorithm
\& Appendix A
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBBF_encrypt\fR\|(3), \fBDES_crypt\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/evp.7 b/secure/lib/libcrypto/man/man7/evp.7
index 4826734a0d46..068eea26f0d5 100644
--- a/secure/lib/libcrypto/man/man7/evp.7
+++ b/secure/lib/libcrypto/man/man7/evp.7
@@ -1,236 +1,236 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EVP 7"
-.TH EVP 7 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EVP 7 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
evp \- high\-level cryptographic functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/evp.h>
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1EVP\s0 library provides a high-level interface to cryptographic
functions.
.PP
The \fBEVP_Seal\fR\fI\s-1XXX\s0\fR and \fBEVP_Open\fR\fI\s-1XXX\s0\fR
functions provide public key encryption and decryption to implement digital \*(L"envelopes\*(R".
.PP
The \fBEVP_DigestSign\fR\fI\s-1XXX\s0\fR and
\&\fBEVP_DigestVerify\fR\fI\s-1XXX\s0\fR functions implement
digital signatures and Message Authentication Codes (MACs). Also see the older
\&\fBEVP_Sign\fR\fI\s-1XXX\s0\fR and \fBEVP_Verify\fR\fI\s-1XXX\s0\fR
functions.
.PP
Symmetric encryption is available with the \fBEVP_Encrypt\fR\fI\s-1XXX\s0\fR
functions. The \fBEVP_Digest\fR\fI\s-1XXX\s0\fR functions provide message digests.
.PP
The \fB\s-1EVP_PKEY\s0\fR\fI\s-1XXX\s0\fR functions provide a high-level interface to
asymmetric algorithms. To create a new \s-1EVP_PKEY\s0 see
\&\fBEVP_PKEY_new\fR\|(3). EVP_PKEYs can be associated
with a private key of a particular algorithm by using the functions
described on the \fBEVP_PKEY_set1_RSA\fR\|(3) page, or
new keys can be generated using \fBEVP_PKEY_keygen\fR\|(3).
EVP_PKEYs can be compared using \fBEVP_PKEY_cmp\fR\|(3), or printed using
\&\fBEVP_PKEY_print_private\fR\|(3).
.PP
The \s-1EVP_PKEY\s0 functions support the full range of asymmetric algorithm operations:
.IP "For key agreement see \fBEVP_PKEY_derive\fR\|(3)" 4
.IX Item "For key agreement see EVP_PKEY_derive"
.PD 0
.IP "For signing and verifying see \fBEVP_PKEY_sign\fR\|(3), \fBEVP_PKEY_verify\fR\|(3) and \fBEVP_PKEY_verify_recover\fR\|(3). However, note that these functions do not perform a digest of the data to be signed. Therefore, normally you would use the \fBEVP_DigestSignInit\fR\|(3) functions for this purpose." 4
.IX Item "For signing and verifying see EVP_PKEY_sign, EVP_PKEY_verify and EVP_PKEY_verify_recover. However, note that these functions do not perform a digest of the data to be signed. Therefore, normally you would use the EVP_DigestSignInit functions for this purpose."
.ie n .IP "For encryption and decryption see \fBEVP_PKEY_encrypt\fR\|(3) and \fBEVP_PKEY_decrypt\fR\|(3) respectively. However, note that these functions perform encryption and decryption only. As public key encryption is an expensive operation, normally you would wrap an encrypted message in a ""digital envelope"" using the \fBEVP_SealInit\fR\|(3) and \fBEVP_OpenInit\fR\|(3) functions." 4
.el .IP "For encryption and decryption see \fBEVP_PKEY_encrypt\fR\|(3) and \fBEVP_PKEY_decrypt\fR\|(3) respectively. However, note that these functions perform encryption and decryption only. As public key encryption is an expensive operation, normally you would wrap an encrypted message in a ``digital envelope'' using the \fBEVP_SealInit\fR\|(3) and \fBEVP_OpenInit\fR\|(3) functions." 4
.IX Item "For encryption and decryption see EVP_PKEY_encrypt and EVP_PKEY_decrypt respectively. However, note that these functions perform encryption and decryption only. As public key encryption is an expensive operation, normally you would wrap an encrypted message in a digital envelope using the EVP_SealInit and EVP_OpenInit functions."
.PD
.PP
The \fBEVP_BytesToKey\fR\|(3) function provides some limited support for password
based encryption. Careful selection of the parameters will provide a PKCS#5 \s-1PBKDF1\s0 compatible
implementation. However, new applications should not typically use this (preferring, for example,
\&\s-1PBKDF2\s0 from PCKS#5).
.PP
The \fBEVP_Encode\fR\fI\s-1XXX\s0\fR and
\&\fBEVP_Decode\fR\fI\s-1XXX\s0\fR functions implement base 64 encoding
and decoding.
.PP
All the symmetric algorithms (ciphers), digests and asymmetric algorithms
(public key algorithms) can be replaced by \s-1ENGINE\s0 modules providing alternative
implementations. If \s-1ENGINE\s0 implementations of ciphers or digests are registered
as defaults, then the various \s-1EVP\s0 functions will automatically use those
implementations automatically in preference to built in software
implementations. For more information, consult the \fBengine\fR\|(3) man page.
.PP
Although low-level algorithm specific functions exist for many algorithms
their use is discouraged. They cannot be used with an \s-1ENGINE\s0 and \s-1ENGINE\s0
versions of new algorithms cannot be accessed using the low-level functions.
Also makes code harder to adapt to new algorithms and some options are not
cleanly supported at the low-level and some operations are more efficient
using the high-level interface.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_DigestInit\fR\|(3),
\&\fBEVP_EncryptInit\fR\|(3),
\&\fBEVP_OpenInit\fR\|(3),
\&\fBEVP_SealInit\fR\|(3),
\&\fBEVP_DigestSignInit\fR\|(3),
\&\fBEVP_SignInit\fR\|(3),
\&\fBEVP_VerifyInit\fR\|(3),
\&\fBEVP_EncodeInit\fR\|(3),
\&\fBEVP_PKEY_new\fR\|(3),
\&\fBEVP_PKEY_set1_RSA\fR\|(3),
\&\fBEVP_PKEY_keygen\fR\|(3),
\&\fBEVP_PKEY_print_private\fR\|(3),
\&\fBEVP_PKEY_decrypt\fR\|(3),
\&\fBEVP_PKEY_encrypt\fR\|(3),
\&\fBEVP_PKEY_sign\fR\|(3),
\&\fBEVP_PKEY_verify\fR\|(3),
\&\fBEVP_PKEY_verify_recover\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3),
\&\fBEVP_BytesToKey\fR\|(3),
\&\fBENGINE_by_id\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/ossl_store-file.7 b/secure/lib/libcrypto/man/man7/ossl_store-file.7
index fe046ebc34e9..362b84c7554b 100644
--- a/secure/lib/libcrypto/man/man7/ossl_store-file.7
+++ b/secure/lib/libcrypto/man/man7/ossl_store-file.7
@@ -1,191 +1,191 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_STORE-FILE 7"
-.TH OSSL_STORE-FILE 7 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OSSL_STORE-FILE 7 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ossl_store\-file \- The store 'file' scheme loader
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
#include <openssl/store.h>
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Support for the 'file' scheme is built into \f(CW\*(C`libcrypto\*(C'\fR.
Since files come in all kinds of formats and content types, the 'file'
scheme has its own layer of functionality called \*(L"file handlers\*(R",
which are used to try to decode diverse types of file contents.
.PP
In case a file is formatted as \s-1PEM,\s0 each called file handler receives
the \s-1PEM\s0 name (everything following any '\f(CW\*(C`\-\-\-\-\-BEGIN \*(C'\fR') as well as
possible \s-1PEM\s0 headers, together with the decoded \s-1PEM\s0 body. Since \s-1PEM\s0
formatted files can contain more than one object, the file handlers
are called upon for each such object.
.PP
If the file isn't determined to be formatted as \s-1PEM,\s0 the content is
loaded in raw form in its entirety and passed to the available file
handlers as is, with no \s-1PEM\s0 name or headers.
.PP
Each file handler is expected to handle \s-1PEM\s0 and non-PEM content as
appropriate. Some may refuse non-PEM content for the sake of
determinism (for example, there are keys out in the wild that are
represented as an \s-1ASN.1 OCTET STRING.\s0 In raw form, it's not easily
possible to distinguish those from any other data coming as an \s-1ASN.1
OCTET STRING,\s0 so such keys would naturally be accepted as \s-1PEM\s0 files
only).
.SH "NOTES"
.IX Header "NOTES"
When needed, the 'file' scheme loader will require a pass phrase by
using the \f(CW\*(C`UI_METHOD\*(C'\fR that was passed via \fBOSSL_STORE_open()\fR.
This pass phrase is expected to be \s-1UTF\-8\s0 encoded, anything else will
give an undefined result.
The files made accessible through this loader are expected to be
standard compliant with regards to pass phrase encoding.
Files that aren't should be re-generated with a correctly encoded pass
phrase.
See \fBpassphrase\-encoding\fR\|(7) for more information.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBossl_store\fR\|(7), \fBpassphrase\-encoding\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/ossl_store.7 b/secure/lib/libcrypto/man/man7/ossl_store.7
index be20f029b8b2..3f1e77d74c21 100644
--- a/secure/lib/libcrypto/man/man7/ossl_store.7
+++ b/secure/lib/libcrypto/man/man7/ossl_store.7
@@ -1,215 +1,215 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OSSL_STORE 7"
-.TH OSSL_STORE 7 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OSSL_STORE 7 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ossl_store \- Store retrieval functions
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
#include <openssl/store.h>
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
.SS "General"
.IX Subsection "General"
A \s-1STORE\s0 is a layer of functionality to retrieve a number of supported
objects from a repository of any kind, addressable as a filename or
as a \s-1URI.\s0
.PP
The functionality supports the pattern \*(L"open a channel to the
repository\*(R", \*(L"loop and retrieve one object at a time\*(R", and \*(L"finish up
by closing the channel\*(R".
.PP
The retrieved objects are returned as a wrapper type \fB\s-1OSSL_STORE_INFO\s0\fR,
from which an OpenSSL type can be retrieved.
.SS "\s-1URI\s0 schemes and loaders"
.IX Subsection "URI schemes and loaders"
Support for a \s-1URI\s0 scheme is called a \s-1STORE\s0 \*(L"loader\*(R", and can be added
dynamically from the calling application or from a loadable engine.
.PP
Support for the 'file' scheme is built into \f(CW\*(C`libcrypto\*(C'\fR.
See \fBossl_store\-file\fR\|(7) for more information.
.SS "\s-1UI_METHOD\s0 and pass phrases"
.IX Subsection "UI_METHOD and pass phrases"
The \fB\s-1OSS_STORE\s0\fR \s-1API\s0 does nothing to enforce any specific format or
encoding on the pass phrase that the \fB\s-1UI_METHOD\s0\fR provides. However,
the pass phrase is expected to be \s-1UTF\-8\s0 encoded. The result of any
other encoding is undefined.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
.SS "A generic call"
.IX Subsection "A generic call"
.Vb 1
\& OSSL_STORE_CTX *ctx = OSSL_STORE_open("file:/foo/bar/data.pem");
\&
\& /*
\& * OSSL_STORE_eof() simulates file semantics for any repository to signal
\& * that no more data can be expected
\& */
\& while (!OSSL_STORE_eof(ctx)) {
\& OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
\&
\& /*
\& * Do whatever is necessary with the OSSL_STORE_INFO,
\& * here just one example
\& */
\& switch (OSSL_STORE_INFO_get_type(info)) {
\& case OSSL_STORE_INFO_CERT:
\& /* Print the X.509 certificate text */
\& X509_print_fp(stdout, OSSL_STORE_INFO_get0_CERT(info));
\& /* Print the X.509 certificate PEM output */
\& PEM_write_X509(stdout, OSSL_STORE_INFO_get0_CERT(info));
\& break;
\& }
\& }
\&
\& OSSL_STORE_close(ctx);
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\s-1\fBOSSL_STORE_INFO\s0\fR\|(3), \s-1\fBOSSL_STORE_LOADER\s0\fR\|(3),
\&\fBOSSL_STORE_open\fR\|(3), \fBOSSL_STORE_expect\fR\|(3),
\&\s-1\fBOSSL_STORE_SEARCH\s0\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/passphrase-encoding.7 b/secure/lib/libcrypto/man/man7/passphrase-encoding.7
index 02fdd969a504..322c30f3edbe 100644
--- a/secure/lib/libcrypto/man/man7/passphrase-encoding.7
+++ b/secure/lib/libcrypto/man/man7/passphrase-encoding.7
@@ -1,287 +1,287 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PASSPHRASE-ENCODING 7"
-.TH PASSPHRASE-ENCODING 7 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PASSPHRASE-ENCODING 7 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
passphrase\-encoding \&\- How diverse parts of OpenSSL treat pass phrases character encoding
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
In a modern world with all sorts of character encodings, the treatment of pass
phrases has become increasingly complex.
This manual page attempts to give an overview over how this problem is
currently addressed in different parts of the OpenSSL library.
.SS "The general case"
.IX Subsection "The general case"
The OpenSSL library doesn't treat pass phrases in any special way as a general
rule, and trusts the application or user to choose a suitable character set
and stick to that throughout the lifetime of affected objects.
This means that for an object that was encrypted using a pass phrase encoded in
\&\s-1ISO\-8859\-1,\s0 that object needs to be decrypted using a pass phrase encoded in
\&\s-1ISO\-8859\-1.\s0
Using the wrong encoding is expected to cause a decryption failure.
.SS "PKCS#12"
.IX Subsection "PKCS#12"
PKCS#12 is a bit different regarding pass phrase encoding.
The standard stipulates that the pass phrase shall be encoded as an \s-1ASN.1\s0
BMPString, which consists of the code points of the basic multilingual plane,
encoded in big endian (\s-1UCS\-2 BE\s0).
.PP
OpenSSL tries to adapt to this requirements in one of the following manners:
.IP "1." 4
Treats the received pass phrase as \s-1UTF\-8\s0 encoded and tries to re-encode it to
\&\s-1UTF\-16\s0 (which is the same as \s-1UCS\-2\s0 for characters U+0000 to U+D7FF and U+E000
to U+FFFF, but becomes an expansion for any other character), or failing that,
proceeds with step 2.
.IP "2." 4
Assumes that the pass phrase is encoded in \s-1ASCII\s0 or \s-1ISO\-8859\-1\s0 and
opportunistically prepends each byte with a zero byte to obtain the \s-1UCS\-2\s0
encoding of the characters, which it stores as a BMPString.
.Sp
Note that since there is no check of your locale, this may produce \s-1UCS\-2 /
UTF\-16\s0 characters that do not correspond to the original pass phrase characters
for other character sets, such as any \s-1ISO\-8859\-X\s0 encoding other than
\&\s-1ISO\-8859\-1\s0 (or for Windows, \s-1CP 1252\s0 with exception for the extra \*(L"graphical\*(R"
characters in the 0x80\-0x9F range).
.PP
OpenSSL versions older than 1.1.0 do variant 2 only, and that is the reason why
OpenSSL still does this, to be able to read files produced with older versions.
.PP
It should be noted that this approach isn't entirely fault free.
.PP
A pass phrase encoded in \s-1ISO\-8859\-2\s0 could very well have a sequence such as
0xC3 0xAF (which is the two characters \*(L"\s-1LATIN CAPITAL LETTER A WITH BREVE\*(R"\s0
and \*(L"\s-1LATIN CAPITAL LETTER Z WITH DOT ABOVE\*(R"\s0 in \s-1ISO\-8859\-2\s0 encoding), but would
be misinterpreted as the perfectly valid \s-1UTF\-8\s0 encoded code point U+00EF (\s-1LATIN
SMALL LETTER I WITH DIAERESIS\s0) \fIif the pass phrase doesn't contain anything that
would be invalid \s-1UTF\-8\s0\fR.
A pass phrase that contains this kind of byte sequence will give a different
outcome in OpenSSL 1.1.0 and newer than in OpenSSL older than 1.1.0.
.PP
.Vb 2
\& 0x00 0xC3 0x00 0xAF # OpenSSL older than 1.1.0
\& 0x00 0xEF # OpenSSL 1.1.0 and newer
.Ve
.PP
On the same accord, anything encoded in \s-1UTF\-8\s0 that was given to OpenSSL older
than 1.1.0 was misinterpreted as \s-1ISO\-8859\-1\s0 sequences.
.SS "\s-1OSSL_STORE\s0"
.IX Subsection "OSSL_STORE"
\&\fBossl_store\fR\|(7) acts as a general interface to access all kinds of objects,
potentially protected with a pass phrase, a \s-1PIN\s0 or something else.
This \s-1API\s0 stipulates that pass phrases should be \s-1UTF\-8\s0 encoded, and that any
other pass phrase encoding may give undefined results.
This \s-1API\s0 relies on the application to ensure \s-1UTF\-8\s0 encoding, and doesn't check
that this is the case, so what it gets, it will also pass to the underlying
loader.
.SH "RECOMMENDATIONS"
.IX Header "RECOMMENDATIONS"
This section assumes that you know what pass phrase was used for encryption,
but that it may have been encoded in a different character encoding than the
one used by your current input method.
For example, the pass phrase may have been used at a time when your default
encoding was \s-1ISO\-8859\-1\s0 (i.e. \*(L"nai\*:ve\*(R" resulting in the byte sequence 0x6E 0x61
0xEF 0x76 0x65), and you're now in an environment where your default encoding
is \s-1UTF\-8\s0 (i.e. \*(L"nai\*:ve\*(R" resulting in the byte sequence 0x6E 0x61 0xC3 0xAF 0x76
0x65).
Whenever it's mentioned that you should use a certain character encoding, it
should be understood that you either change the input method to use the
mentioned encoding when you type in your pass phrase, or use some suitable tool
to convert your pass phrase from your default encoding to the target encoding.
.PP
Also note that the sub-sections below discuss human readable pass phrases.
This is particularly relevant for PKCS#12 objects, where human readable pass
phrases are assumed.
For other objects, it's as legitimate to use any byte sequence (such as a
sequence of bytes from `/dev/urandom` that's been saved away), which makes any
character encoding discussion irrelevant; in such cases, simply use the same
byte sequence as it is.
.SS "Creating new objects"
.IX Subsection "Creating new objects"
For creating new pass phrase protected objects, make sure the pass phrase is
encoded using \s-1UTF\-8.\s0
This is default on most modern Unixes, but may involve an effort on other
platforms.
Specifically for Windows, setting the environment variable
\&\f(CW\*(C`OPENSSL_WIN32_UTF8\*(C'\fR will have anything entered on [Windows] console prompt
converted to \s-1UTF\-8\s0 (command line and separately prompted pass phrases alike).
.SS "Opening existing objects"
.IX Subsection "Opening existing objects"
For opening pass phrase protected objects where you know what character
encoding was used for the encryption pass phrase, make sure to use the same
encoding again.
.PP
For opening pass phrase protected objects where the character encoding that was
used is unknown, or where the producing application is unknown, try one of the
following:
.IP "1." 4
Try the pass phrase that you have as it is in the character encoding of your
environment.
It's possible that its byte sequence is exactly right.
.IP "2." 4
Convert the pass phrase to \s-1UTF\-8\s0 and try with the result.
Specifically with PKCS#12, this should open up any object that was created
according to the specification.
.IP "3." 4
Do a nai\*:ve (i.e. purely mathematical) \s-1ISO\-8859\-1\s0 to \s-1UTF\-8\s0 conversion and try
with the result.
This differs from the previous attempt because \s-1ISO\-8859\-1\s0 maps directly to
U+0000 to U+00FF, which other non\-UTF\-8 character sets do not.
.Sp
This also takes care of the case when a \s-1UTF\-8\s0 encoded string was used with
OpenSSL older than 1.1.0.
(for example, \f(CW\*(C`i\*:\*(C'\fR, which is 0xC3 0xAF when encoded in \s-1UTF\-8,\s0 would become 0xC3
0x83 0xC2 0xAF when re-encoded in the nai\*:ve manner.
The conversion to BMPString would then yield 0x00 0xC3 0x00 0xA4 0x00 0x00, the
erroneous/non\-compliant encoding used by OpenSSL older than 1.1.0)
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBevp\fR\|(7),
\&\fBossl_store\fR\|(7),
\&\fBEVP_BytesToKey\fR\|(3), \fBEVP_DecryptInit\fR\|(3),
\&\fBPEM_do_header\fR\|(3),
\&\fBPKCS12_parse\fR\|(3), \fBPKCS12_newpass\fR\|(3),
\&\fBd2i_PKCS8PrivateKey_bio\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2018\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/proxy-certificates.7 b/secure/lib/libcrypto/man/man7/proxy-certificates.7
index cbc6b61808d4..952170bf5090 100644
--- a/secure/lib/libcrypto/man/man7/proxy-certificates.7
+++ b/secure/lib/libcrypto/man/man7/proxy-certificates.7
@@ -1,478 +1,478 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PROXY-CERTIFICATES 7"
-.TH PROXY-CERTIFICATES 7 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PROXY-CERTIFICATES 7 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
proxy\-certificates \- Proxy certificates in OpenSSL
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Proxy certificates are defined in \s-1RFC 3820.\s0 They are used to
extend rights to some other entity (a computer process, typically, or
sometimes to the user itself). This allows the entity to perform
operations on behalf of the owner of the \s-1EE\s0 (End Entity) certificate.
.PP
The requirements for a valid proxy certificate are:
.IP "\(bu" 4
They are issued by an End Entity, either a normal \s-1EE\s0 certificate, or
another proxy certificate.
.IP "\(bu" 4
They must not have the \fBsubjectAltName\fR or \fBissuerAltName\fR
extensions.
.IP "\(bu" 4
They must have the \fBproxyCertInfo\fR extension.
.IP "\(bu" 4
They must have the subject of their issuer, with one \fBcommonName\fR
added.
.SS "Enabling proxy certificate verification"
.IX Subsection "Enabling proxy certificate verification"
OpenSSL expects applications that want to use proxy certificates to be
specially aware of them, and make that explicit. This is done by
setting an X509 verification flag:
.PP
.Vb 1
\& X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
.Ve
.PP
or
.PP
.Vb 1
\& X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_ALLOW_PROXY_CERTS);
.Ve
.PP
See \*(L"\s-1NOTES\*(R"\s0 for a discussion on this requirement.
.SS "Creating proxy certificates"
.IX Subsection "Creating proxy certificates"
Creating proxy certificates can be done using the \fBopenssl\-x509\fR\|(1)
command, with some extra extensions:
.PP
.Vb 3
\& [ v3_proxy ]
\& # A proxy certificate MUST NEVER be a CA certificate.
\& basicConstraints=CA:FALSE
\&
\& # Usual authority key ID
\& authorityKeyIdentifier=keyid,issuer:always
\&
\& # The extension which marks this certificate as a proxy
\& proxyCertInfo=critical,language:id\-ppl\-anyLanguage,pathlen:1,policy:text:AB
.Ve
.PP
It's also possible to specify the proxy extension in a separate section:
.PP
.Vb 1
\& proxyCertInfo=critical,@proxy_ext
\&
\& [ proxy_ext ]
\& language=id\-ppl\-anyLanguage
\& pathlen=0
\& policy=text:BC
.Ve
.PP
The policy value has a specific syntax, \fIsyntag\fR:\fIstring\fR, where the
\&\fIsyntag\fR determines what will be done with the string. The following
\&\fIsyntag\fRs are recognised:
.IP "\fBtext\fR" 4
.IX Item "text"
indicates that the string is a byte sequence, without any encoding:
.Sp
.Vb 1
\& policy=text:ra\*:ksmo\*:rga\*os
.Ve
.IP "\fBhex\fR" 4
.IX Item "hex"
indicates the string is encoded hexadecimal encoded binary data, with
colons between each byte (every second hex digit):
.Sp
.Vb 1
\& policy=hex:72:E4:6B:73:6D:F6:72:67:E5:73
.Ve
.IP "\fBfile\fR" 4
.IX Item "file"
indicates that the text of the policy should be taken from a file.
The string is then a filename. This is useful for policies that are
large (more than a few lines, e.g. \s-1XML\s0 documents).
.PP
\&\fI\s-1NOTE:\s0 The proxy policy value is what determines the rights granted
to the process during the proxy certificate. It's up to the
application to interpret and combine these policies.\fR
.PP
With a proxy extension, creating a proxy certificate is a matter of
two commands:
.PP
.Vb 3
\& openssl req \-new \-config proxy.cnf \e
\& \-out proxy.req \-keyout proxy.key \e
\& \-subj "/DC=org/DC=openssl/DC=users/CN=proxy 1"
\&
\& openssl x509 \-req \-CAcreateserial \-in proxy.req \-out proxy.crt \e
\& \-CA user.crt \-CAkey user.key \-days 7 \e
\& \-extfile proxy.cnf \-extensions v3_proxy1
.Ve
.PP
You can also create a proxy certificate using another proxy
certificate as issuer (note: using a different configuration
section for the proxy extensions):
.PP
.Vb 3
\& openssl req \-new \-config proxy.cnf \e
\& \-out proxy2.req \-keyout proxy2.key \e
\& \-subj "/DC=org/DC=openssl/DC=users/CN=proxy 1/CN=proxy 2"
\&
\& openssl x509 \-req \-CAcreateserial \-in proxy2.req \-out proxy2.crt \e
\& \-CA proxy.crt \-CAkey proxy.key \-days 7 \e
\& \-extfile proxy.cnf \-extensions v3_proxy2
.Ve
.SS "Using proxy certs in applications"
.IX Subsection "Using proxy certs in applications"
To interpret proxy policies, the application would normally start with
some default rights (perhaps none at all), then compute the resulting
rights by checking the rights against the chain of proxy certificates,
user certificate and \s-1CA\s0 certificates.
.PP
The complicated part is figuring out how to pass data between your
application and the certificate validation procedure.
.PP
The following ingredients are needed for such processing:
.IP "\(bu" 4
a callback function that will be called for every certificate being
validated. The callback is called several times for each certificate,
so you must be careful to do the proxy policy interpretation at the
right time. You also need to fill in the defaults when the \s-1EE\s0
certificate is checked.
.IP "\(bu" 4
a data structure that is shared between your application code and the
callback.
.IP "\(bu" 4
a wrapper function that sets it all up.
.IP "\(bu" 4
an ex_data index function that creates an index into the generic
ex_data store that is attached to an X509 validation context.
.PP
The following skeleton code can be used as a starting point:
.PP
.Vb 4
\& #include <string.h>
\& #include <netdb.h>
\& #include <openssl/x509.h>
\& #include <openssl/x509v3.h>
\&
\& #define total_rights 25
\&
\& /*
\& * In this example, I will use a view of granted rights as a bit
\& * array, one bit for each possible right.
\& */
\& typedef struct your_rights {
\& unsigned char rights[(total_rights + 7) / 8];
\& } YOUR_RIGHTS;
\&
\& /*
\& * The following procedure will create an index for the ex_data
\& * store in the X509 validation context the first time it\*(Aqs
\& * called. Subsequent calls will return the same index.
\& */
\& static int get_proxy_auth_ex_data_idx(X509_STORE_CTX *ctx)
\& {
\& static volatile int idx = \-1;
\&
\& if (idx < 0) {
\& X509_STORE_lock(X509_STORE_CTX_get0_store(ctx));
\& if (idx < 0) {
\& idx = X509_STORE_CTX_get_ex_new_index(0,
\& "for verify callback",
\& NULL,NULL,NULL);
\& }
\& X509_STORE_unlock(X509_STORE_CTX_get0_store(ctx));
\& }
\& return idx;
\& }
\&
\& /* Callback to be given to the X509 validation procedure. */
\& static int verify_callback(int ok, X509_STORE_CTX *ctx)
\& {
\& if (ok == 1) {
\& /*
\& * It\*(Aqs REALLY important you keep the proxy policy check
\& * within this section. It\*(Aqs important to know that when
\& * ok is 1, the certificates are checked from top to
\& * bottom. You get the CA root first, followed by the
\& * possible chain of intermediate CAs, followed by the EE
\& * certificate, followed by the possible proxy
\& * certificates.
\& */
\& X509 *xs = X509_STORE_CTX_get_current_cert(ctx);
\&
\& if (X509_get_extension_flags(xs) & EXFLAG_PROXY) {
\& YOUR_RIGHTS *rights =
\& (YOUR_RIGHTS *)X509_STORE_CTX_get_ex_data(ctx,
\& get_proxy_auth_ex_data_idx(ctx));
\& PROXY_CERT_INFO_EXTENSION *pci =
\& X509_get_ext_d2i(xs, NID_proxyCertInfo, NULL, NULL);
\&
\& switch (OBJ_obj2nid(pci\->proxyPolicy\->policyLanguage)) {
\& case NID_Independent:
\& /*
\& * Do whatever you need to grant explicit rights
\& * to this particular proxy certificate, usually
\& * by pulling them from some database. If there
\& * are none to be found, clear all rights (making
\& * this and any subsequent proxy certificate void
\& * of any rights).
\& */
\& memset(rights\->rights, 0, sizeof(rights\->rights));
\& break;
\& case NID_id_ppl_inheritAll:
\& /*
\& * This is basically a NOP, we simply let the
\& * current rights stand as they are.
\& */
\& break;
\& default:
\& /*
\& * This is usually the most complex section of
\& * code. You really do whatever you want as long
\& * as you follow RFC 3820. In the example we use
\& * here, the simplest thing to do is to build
\& * another, temporary bit array and fill it with
\& * the rights granted by the current proxy
\& * certificate, then use it as a mask on the
\& * accumulated rights bit array, and voila\*`, you
\& * now have a new accumulated rights bit array.
\& */
\& {
\& int i;
\& YOUR_RIGHTS tmp_rights;
\& memset(tmp_rights.rights, 0,
\& sizeof(tmp_rights.rights));
\&
\& /*
\& * process_rights() is supposed to be a
\& * procedure that takes a string and its
\& * length, interprets it and sets the bits
\& * in the YOUR_RIGHTS pointed at by the
\& * third argument.
\& */
\& process_rights((char *) pci\->proxyPolicy\->policy\->data,
\& pci\->proxyPolicy\->policy\->length,
\& &tmp_rights);
\&
\& for(i = 0; i < total_rights / 8; i++)
\& rights\->rights[i] &= tmp_rights.rights[i];
\& }
\& break;
\& }
\& PROXY_CERT_INFO_EXTENSION_free(pci);
\& } else if (!(X509_get_extension_flags(xs) & EXFLAG_CA)) {
\& /* We have an EE certificate, let\*(Aqs use it to set default! */
\& YOUR_RIGHTS *rights =
\& (YOUR_RIGHTS *)X509_STORE_CTX_get_ex_data(ctx,
\& get_proxy_auth_ex_data_idx(ctx));
\&
\& /*
\& * The following procedure finds out what rights the
\& * owner of the current certificate has, and sets them
\& * in the YOUR_RIGHTS structure pointed at by the
\& * second argument.
\& */
\& set_default_rights(xs, rights);
\& }
\& }
\& return ok;
\& }
\&
\& static int my_X509_verify_cert(X509_STORE_CTX *ctx,
\& YOUR_RIGHTS *needed_rights)
\& {
\& int ok;
\& int (*save_verify_cb)(int ok,X509_STORE_CTX *ctx) =
\& X509_STORE_CTX_get_verify_cb(ctx);
\& YOUR_RIGHTS rights;
\&
\& X509_STORE_CTX_set_verify_cb(ctx, verify_callback);
\& X509_STORE_CTX_set_ex_data(ctx, get_proxy_auth_ex_data_idx(ctx),
\& &rights);
\& X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
\& ok = X509_verify_cert(ctx);
\&
\& if (ok == 1) {
\& ok = check_needed_rights(rights, needed_rights);
\& }
\&
\& X509_STORE_CTX_set_verify_cb(ctx, save_verify_cb);
\&
\& return ok;
\& }
.Ve
.PP
If you use \s-1SSL\s0 or \s-1TLS,\s0 you can easily set up a callback to have the
certificates checked properly, using the code above:
.PP
.Vb 2
\& SSL_CTX_set_cert_verify_callback(s_ctx, my_X509_verify_cert,
\& &needed_rights);
.Ve
.SH "NOTES"
.IX Header "NOTES"
To this date, it seems that proxy certificates have only been used in
environments that are aware of them, and no one seems to have
investigated how they can be used or misused outside of such an
environment.
.PP
For that reason, OpenSSL requires that applications aware of proxy
certificates must also make that explicit.
.PP
\&\fBsubjectAltName\fR and \fBissuerAltName\fR are forbidden in proxy
certificates, and this is enforced in OpenSSL. The subject must be
the same as the issuer, with one commonName added on.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_STORE_CTX_set_flags\fR\|(3),
\&\fBX509_STORE_CTX_set_verify_cb\fR\|(3),
\&\fBX509_VERIFY_PARAM_set_flags\fR\|(3),
\&\fBSSL_CTX_set_cert_verify_callback\fR\|(3),
\&\fBopenssl\-req\fR\|(1), \fBopenssl\-x509\fR\|(1),
\&\s-1RFC 3820\s0 <https://tools.ietf.org/html/rfc3820>
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/scrypt.7 b/secure/lib/libcrypto/man/man7/scrypt.7
index 89a356f03996..a4260eaed6fb 100644
--- a/secure/lib/libcrypto/man/man7/scrypt.7
+++ b/secure/lib/libcrypto/man/man7/scrypt.7
@@ -1,248 +1,248 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SCRYPT 7"
-.TH SCRYPT 7 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SCRYPT 7 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
scrypt \- EVP_PKEY scrypt KDF support
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \s-1EVP_PKEY_SCRYPT\s0 algorithm implements the scrypt password based key
derivation function, as described in \s-1RFC 7914.\s0 It is memory-hard in the sense
that it deliberately requires a significant amount of \s-1RAM\s0 for efficient
computation. The intention of this is to render brute forcing of passwords on
systems that lack large amounts of main memory (such as GPUs or ASICs)
computationally infeasible.
.PP
scrypt provides three work factors that can be customized: N, r and p. N, which
has to be a positive power of two, is the general work factor and scales \s-1CPU\s0
time in an approximately linear fashion. r is the block size of the internally
used hash function and p is the parallelization factor. Both r and p need to be
greater than zero. The amount of \s-1RAM\s0 that scrypt requires for its computation
is roughly (128 * N * r * p) bytes.
.PP
In the original paper of Colin Percival (\*(L"Stronger Key Derivation via
Sequential Memory-Hard Functions\*(R", 2009), the suggested values that give a
computation time of less than 5 seconds on a 2.5 GHz Intel Core 2 Duo are N =
2^20 = 1048576, r = 8, p = 1. Consequently, the required amount of memory for
this computation is roughly 1 GiB. On a more recent \s-1CPU\s0 (Intel i7\-5930K at 3.5
GHz), this computation takes about 3 seconds. When N, r or p are not specified,
they default to 1048576, 8, and 1, respectively. The default amount of \s-1RAM\s0 that
may be used by scrypt defaults to 1025 MiB.
.SH "NOTES"
.IX Header "NOTES"
A context for scrypt can be obtained by calling:
.PP
.Vb 1
\& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SCRYPT, NULL);
.Ve
.PP
The output length of an scrypt key derivation is specified via the
length parameter to the \fBEVP_PKEY_derive\fR\|(3) function.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
This example derives a 64\-byte long test vector using scrypt using the password
\&\*(L"password\*(R", salt \*(L"NaCl\*(R" and N = 1024, r = 8, p = 16.
.PP
.Vb 2
\& EVP_PKEY_CTX *pctx;
\& unsigned char out[64];
\&
\& size_t outlen = sizeof(out);
\& pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SCRYPT, NULL);
\&
\& if (EVP_PKEY_derive_init(pctx) <= 0) {
\& error("EVP_PKEY_derive_init");
\& }
\& if (EVP_PKEY_CTX_set1_pbe_pass(pctx, "password", 8) <= 0) {
\& error("EVP_PKEY_CTX_set1_pbe_pass");
\& }
\& if (EVP_PKEY_CTX_set1_scrypt_salt(pctx, "NaCl", 4) <= 0) {
\& error("EVP_PKEY_CTX_set1_scrypt_salt");
\& }
\& if (EVP_PKEY_CTX_set_scrypt_N(pctx, 1024) <= 0) {
\& error("EVP_PKEY_CTX_set_scrypt_N");
\& }
\& if (EVP_PKEY_CTX_set_scrypt_r(pctx, 8) <= 0) {
\& error("EVP_PKEY_CTX_set_scrypt_r");
\& }
\& if (EVP_PKEY_CTX_set_scrypt_p(pctx, 16) <= 0) {
\& error("EVP_PKEY_CTX_set_scrypt_p");
\& }
\& if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
\& error("EVP_PKEY_derive");
\& }
\&
\& {
\& const unsigned char expected[sizeof(out)] = {
\& 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
\& 0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
\& 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
\& 0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
\& 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
\& 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
\& 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
\& 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
\& };
\&
\& assert(!memcmp(out, expected, sizeof(out)));
\& }
\&
\& EVP_PKEY_CTX_free(pctx);
.Ve
.SH "CONFORMING TO"
.IX Header "CONFORMING TO"
\&\s-1RFC 7914\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBEVP_PKEY_CTX_set1_scrypt_salt\fR\|(3),
\&\fBEVP_PKEY_CTX_set_scrypt_N\fR\|(3),
\&\fBEVP_PKEY_CTX_set_scrypt_r\fR\|(3),
\&\fBEVP_PKEY_CTX_set_scrypt_p\fR\|(3),
\&\fBEVP_PKEY_CTX_set_scrypt_maxmem_bytes\fR\|(3),
\&\fBEVP_PKEY_CTX_new\fR\|(3),
\&\fBEVP_PKEY_CTX_ctrl_str\fR\|(3),
\&\fBEVP_PKEY_derive\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/ssl.7 b/secure/lib/libcrypto/man/man7/ssl.7
index 8d5dd3cb20c7..e9582be9ebc4 100644
--- a/secure/lib/libcrypto/man/man7/ssl.7
+++ b/secure/lib/libcrypto/man/man7/ssl.7
@@ -1,914 +1,914 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSL 7"
-.TH SSL 7 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SSL 7 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
ssl \- OpenSSL SSL/TLS library
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
See the individual manual pages for details.
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The OpenSSL \fBssl\fR library implements the Secure Sockets Layer (\s-1SSL\s0 v2/v3) and
Transport Layer Security (\s-1TLS\s0 v1) protocols. It provides a rich \s-1API\s0 which is
documented here.
.PP
An \fB\s-1SSL_CTX\s0\fR object is created as a framework to establish
\&\s-1TLS/SSL\s0 enabled connections (see \fBSSL_CTX_new\fR\|(3)).
Various options regarding certificates, algorithms etc. can be set
in this object.
.PP
When a network connection has been created, it can be assigned to an
\&\fB\s-1SSL\s0\fR object. After the \fB\s-1SSL\s0\fR object has been created using
\&\fBSSL_new\fR\|(3), \fBSSL_set_fd\fR\|(3) or
\&\fBSSL_set_bio\fR\|(3) can be used to associate the network
connection with the object.
.PP
When the \s-1TLS/SSL\s0 handshake is performed using
\&\fBSSL_accept\fR\|(3) or \fBSSL_connect\fR\|(3)
respectively.
\&\fBSSL_read_ex\fR\|(3), \fBSSL_read\fR\|(3), \fBSSL_write_ex\fR\|(3) and \fBSSL_write\fR\|(3) are
used to read and write data on the \s-1TLS/SSL\s0 connection.
\&\fBSSL_shutdown\fR\|(3) can be used to shut down the
\&\s-1TLS/SSL\s0 connection.
.SH "DATA STRUCTURES"
.IX Header "DATA STRUCTURES"
Currently the OpenSSL \fBssl\fR library functions deals with the following data
structures:
.IP "\fB\s-1SSL_METHOD\s0\fR (\s-1SSL\s0 Method)" 4
.IX Item "SSL_METHOD (SSL Method)"
This is a dispatch structure describing the internal \fBssl\fR library
methods/functions which implement the various protocol versions (SSLv3
TLSv1, ...). It's needed to create an \fB\s-1SSL_CTX\s0\fR.
.IP "\fB\s-1SSL_CIPHER\s0\fR (\s-1SSL\s0 Cipher)" 4
.IX Item "SSL_CIPHER (SSL Cipher)"
This structure holds the algorithm information for a particular cipher which
are a core part of the \s-1SSL/TLS\s0 protocol. The available ciphers are configured
on a \fB\s-1SSL_CTX\s0\fR basis and the actual ones used are then part of the
\&\fB\s-1SSL_SESSION\s0\fR.
.IP "\fB\s-1SSL_CTX\s0\fR (\s-1SSL\s0 Context)" 4
.IX Item "SSL_CTX (SSL Context)"
This is the global context structure which is created by a server or client
once per program life-time and which holds mainly default values for the
\&\fB\s-1SSL\s0\fR structures which are later created for the connections.
.IP "\fB\s-1SSL_SESSION\s0\fR (\s-1SSL\s0 Session)" 4
.IX Item "SSL_SESSION (SSL Session)"
This is a structure containing the current \s-1TLS/SSL\s0 session details for a
connection: \fB\s-1SSL_CIPHER\s0\fRs, client and server certificates, keys, etc.
.IP "\fB\s-1SSL\s0\fR (\s-1SSL\s0 Connection)" 4
.IX Item "SSL (SSL Connection)"
This is the main \s-1SSL/TLS\s0 structure which is created by a server or client per
established connection. This actually is the core structure in the \s-1SSL API.\s0
At run-time the application usually deals with this structure which has
links to mostly all other structures.
.SH "HEADER FILES"
.IX Header "HEADER FILES"
Currently the OpenSSL \fBssl\fR library provides the following C header files
containing the prototypes for the data structures and functions:
.IP "\fBssl.h\fR" 4
.IX Item "ssl.h"
This is the common header file for the \s-1SSL/TLS API.\s0 Include it into your
program to make the \s-1API\s0 of the \fBssl\fR library available. It internally
includes both more private \s-1SSL\s0 headers and headers from the \fBcrypto\fR library.
Whenever you need hard-core details on the internals of the \s-1SSL API,\s0 look
inside this header file.
.IP "\fBssl2.h\fR" 4
.IX Item "ssl2.h"
Unused. Present for backwards compatibility only.
.IP "\fBssl3.h\fR" 4
.IX Item "ssl3.h"
This is the sub header file dealing with the SSLv3 protocol only.
\&\fIUsually you don't have to include it explicitly because
it's already included by ssl.h\fR.
.IP "\fBtls1.h\fR" 4
.IX Item "tls1.h"
This is the sub header file dealing with the TLSv1 protocol only.
\&\fIUsually you don't have to include it explicitly because
it's already included by ssl.h\fR.
.SH "API FUNCTIONS"
.IX Header "API FUNCTIONS"
Currently the OpenSSL \fBssl\fR library exports 214 \s-1API\s0 functions.
They are documented in the following:
.SS "Dealing with Protocol Methods"
.IX Subsection "Dealing with Protocol Methods"
Here we document the various \s-1API\s0 functions which deal with the \s-1SSL/TLS\s0
protocol methods defined in \fB\s-1SSL_METHOD\s0\fR structures.
.IP "const \s-1SSL_METHOD\s0 *\fBTLS_method\fR(void);" 4
.IX Item "const SSL_METHOD *TLS_method(void);"
Constructor for the \fIversion-flexible\fR \s-1SSL_METHOD\s0 structure for clients,
servers or both.
See \fBSSL_CTX_new\fR\|(3) for details.
.IP "const \s-1SSL_METHOD\s0 *\fBTLS_client_method\fR(void);" 4
.IX Item "const SSL_METHOD *TLS_client_method(void);"
Constructor for the \fIversion-flexible\fR \s-1SSL_METHOD\s0 structure for clients.
Must be used to support the TLSv1.3 protocol.
.IP "const \s-1SSL_METHOD\s0 *\fBTLS_server_method\fR(void);" 4
.IX Item "const SSL_METHOD *TLS_server_method(void);"
Constructor for the \fIversion-flexible\fR \s-1SSL_METHOD\s0 structure for servers.
Must be used to support the TLSv1.3 protocol.
.IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_2_method\fR(void);" 4
.IX Item "const SSL_METHOD *TLSv1_2_method(void);"
Constructor for the TLSv1.2 \s-1SSL_METHOD\s0 structure for clients, servers or both.
.IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_2_client_method\fR(void);" 4
.IX Item "const SSL_METHOD *TLSv1_2_client_method(void);"
Constructor for the TLSv1.2 \s-1SSL_METHOD\s0 structure for clients.
.IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_2_server_method\fR(void);" 4
.IX Item "const SSL_METHOD *TLSv1_2_server_method(void);"
Constructor for the TLSv1.2 \s-1SSL_METHOD\s0 structure for servers.
.IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_1_method\fR(void);" 4
.IX Item "const SSL_METHOD *TLSv1_1_method(void);"
Constructor for the TLSv1.1 \s-1SSL_METHOD\s0 structure for clients, servers or both.
.IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_1_client_method\fR(void);" 4
.IX Item "const SSL_METHOD *TLSv1_1_client_method(void);"
Constructor for the TLSv1.1 \s-1SSL_METHOD\s0 structure for clients.
.IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_1_server_method\fR(void);" 4
.IX Item "const SSL_METHOD *TLSv1_1_server_method(void);"
Constructor for the TLSv1.1 \s-1SSL_METHOD\s0 structure for servers.
.IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_method\fR(void);" 4
.IX Item "const SSL_METHOD *TLSv1_method(void);"
Constructor for the TLSv1 \s-1SSL_METHOD\s0 structure for clients, servers or both.
.IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_client_method\fR(void);" 4
.IX Item "const SSL_METHOD *TLSv1_client_method(void);"
Constructor for the TLSv1 \s-1SSL_METHOD\s0 structure for clients.
.IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_server_method\fR(void);" 4
.IX Item "const SSL_METHOD *TLSv1_server_method(void);"
Constructor for the TLSv1 \s-1SSL_METHOD\s0 structure for servers.
.IP "const \s-1SSL_METHOD\s0 *\fBSSLv3_method\fR(void);" 4
.IX Item "const SSL_METHOD *SSLv3_method(void);"
Constructor for the SSLv3 \s-1SSL_METHOD\s0 structure for clients, servers or both.
.IP "const \s-1SSL_METHOD\s0 *\fBSSLv3_client_method\fR(void);" 4
.IX Item "const SSL_METHOD *SSLv3_client_method(void);"
Constructor for the SSLv3 \s-1SSL_METHOD\s0 structure for clients.
.IP "const \s-1SSL_METHOD\s0 *\fBSSLv3_server_method\fR(void);" 4
.IX Item "const SSL_METHOD *SSLv3_server_method(void);"
Constructor for the SSLv3 \s-1SSL_METHOD\s0 structure for servers.
.SS "Dealing with Ciphers"
.IX Subsection "Dealing with Ciphers"
Here we document the various \s-1API\s0 functions which deal with the \s-1SSL/TLS\s0
ciphers defined in \fB\s-1SSL_CIPHER\s0\fR structures.
.IP "char *\fBSSL_CIPHER_description\fR(\s-1SSL_CIPHER\s0 *cipher, char *buf, int len);" 4
.IX Item "char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len);"
Write a string to \fIbuf\fR (with a maximum size of \fIlen\fR) containing a human
readable description of \fIcipher\fR. Returns \fIbuf\fR.
.IP "int \fBSSL_CIPHER_get_bits\fR(\s-1SSL_CIPHER\s0 *cipher, int *alg_bits);" 4
.IX Item "int SSL_CIPHER_get_bits(SSL_CIPHER *cipher, int *alg_bits);"
Determine the number of bits in \fIcipher\fR. Because of export crippled ciphers
there are two bits: The bits the algorithm supports in general (stored to
\&\fIalg_bits\fR) and the bits which are actually used (the return value).
.IP "const char *\fBSSL_CIPHER_get_name\fR(\s-1SSL_CIPHER\s0 *cipher);" 4
.IX Item "const char *SSL_CIPHER_get_name(SSL_CIPHER *cipher);"
Return the internal name of \fIcipher\fR as a string. These are the various
strings defined by the \fISSL3_TXT_xxx\fR and \fITLS1_TXT_xxx\fR
definitions in the header files.
.IP "const char *\fBSSL_CIPHER_get_version\fR(\s-1SSL_CIPHER\s0 *cipher);" 4
.IX Item "const char *SSL_CIPHER_get_version(SSL_CIPHER *cipher);"
Returns a string like "\f(CW\*(C`SSLv3\*(C'\fR\*(L" or \*(R"\f(CW\*(C`TLSv1.2\*(C'\fR" which indicates the
\&\s-1SSL/TLS\s0 protocol version to which \fIcipher\fR belongs (i.e. where it was defined
in the specification the first time).
.SS "Dealing with Protocol Contexts"
.IX Subsection "Dealing with Protocol Contexts"
Here we document the various \s-1API\s0 functions which deal with the \s-1SSL/TLS\s0
protocol context defined in the \fB\s-1SSL_CTX\s0\fR structure.
.IP "int \fBSSL_CTX_add_client_CA\fR(\s-1SSL_CTX\s0 *ctx, X509 *x);" 4
.IX Item "int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x);"
.PD 0
.IP "long \fBSSL_CTX_add_extra_chain_cert\fR(\s-1SSL_CTX\s0 *ctx, X509 *x509);" 4
.IX Item "long SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509);"
.IP "int \fBSSL_CTX_add_session\fR(\s-1SSL_CTX\s0 *ctx, \s-1SSL_SESSION\s0 *c);" 4
.IX Item "int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c);"
.IP "int \fBSSL_CTX_check_private_key\fR(const \s-1SSL_CTX\s0 *ctx);" 4
.IX Item "int SSL_CTX_check_private_key(const SSL_CTX *ctx);"
.IP "long \fBSSL_CTX_ctrl\fR(\s-1SSL_CTX\s0 *ctx, int cmd, long larg, char *parg);" 4
.IX Item "long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg);"
.IP "void \fBSSL_CTX_flush_sessions\fR(\s-1SSL_CTX\s0 *s, long t);" 4
.IX Item "void SSL_CTX_flush_sessions(SSL_CTX *s, long t);"
.IP "void \fBSSL_CTX_free\fR(\s-1SSL_CTX\s0 *a);" 4
.IX Item "void SSL_CTX_free(SSL_CTX *a);"
.IP "char *\fBSSL_CTX_get_app_data\fR(\s-1SSL_CTX\s0 *ctx);" 4
.IX Item "char *SSL_CTX_get_app_data(SSL_CTX *ctx);"
.IP "X509_STORE *\fBSSL_CTX_get_cert_store\fR(\s-1SSL_CTX\s0 *ctx);" 4
.IX Item "X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx);"
.IP "\s-1STACK\s0 *\fBSSL_CTX_get_ciphers\fR(const \s-1SSL_CTX\s0 *ctx);" 4
.IX Item "STACK *SSL_CTX_get_ciphers(const SSL_CTX *ctx);"
.IP "\s-1STACK\s0 *\fBSSL_CTX_get_client_CA_list\fR(const \s-1SSL_CTX\s0 *ctx);" 4
.IX Item "STACK *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx);"
.IP "int (*\fBSSL_CTX_get_client_cert_cb\fR(\s-1SSL_CTX\s0 *ctx))(\s-1SSL\s0 *ssl, X509 **x509, \s-1EVP_PKEY\s0 **pkey);" 4
.IX Item "int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);"
.IP "void \fBSSL_CTX_get_default_read_ahead\fR(\s-1SSL_CTX\s0 *ctx);" 4
.IX Item "void SSL_CTX_get_default_read_ahead(SSL_CTX *ctx);"
.IP "char *\fBSSL_CTX_get_ex_data\fR(const \s-1SSL_CTX\s0 *s, int idx);" 4
.IX Item "char *SSL_CTX_get_ex_data(const SSL_CTX *s, int idx);"
.IP "int \fBSSL_CTX_get_ex_new_index\fR(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))" 4
.IX Item "int SSL_CTX_get_ex_new_index(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))"
.IP "void (*\fBSSL_CTX_get_info_callback\fR(\s-1SSL_CTX\s0 *ctx))(\s-1SSL\s0 *ssl, int cb, int ret);" 4
.IX Item "void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(SSL *ssl, int cb, int ret);"
.IP "int \fBSSL_CTX_get_quiet_shutdown\fR(const \s-1SSL_CTX\s0 *ctx);" 4
.IX Item "int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);"
.IP "void \fBSSL_CTX_get_read_ahead\fR(\s-1SSL_CTX\s0 *ctx);" 4
.IX Item "void SSL_CTX_get_read_ahead(SSL_CTX *ctx);"
.IP "int \fBSSL_CTX_get_session_cache_mode\fR(\s-1SSL_CTX\s0 *ctx);" 4
.IX Item "int SSL_CTX_get_session_cache_mode(SSL_CTX *ctx);"
.IP "long \fBSSL_CTX_get_timeout\fR(const \s-1SSL_CTX\s0 *ctx);" 4
.IX Item "long SSL_CTX_get_timeout(const SSL_CTX *ctx);"
.IP "int (*\fBSSL_CTX_get_verify_callback\fR(const \s-1SSL_CTX\s0 *ctx))(int ok, X509_STORE_CTX *ctx);" 4
.IX Item "int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int ok, X509_STORE_CTX *ctx);"
.IP "int \fBSSL_CTX_get_verify_mode\fR(\s-1SSL_CTX\s0 *ctx);" 4
.IX Item "int SSL_CTX_get_verify_mode(SSL_CTX *ctx);"
.IP "int \fBSSL_CTX_load_verify_locations\fR(\s-1SSL_CTX\s0 *ctx, const char *CAfile, const char *CApath);" 4
.IX Item "int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath);"
.IP "\s-1SSL_CTX\s0 *\fBSSL_CTX_new\fR(const \s-1SSL_METHOD\s0 *meth);" 4
.IX Item "SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);"
.IP "int SSL_CTX_up_ref(\s-1SSL_CTX\s0 *ctx);" 4
.IX Item "int SSL_CTX_up_ref(SSL_CTX *ctx);"
.IP "int \fBSSL_CTX_remove_session\fR(\s-1SSL_CTX\s0 *ctx, \s-1SSL_SESSION\s0 *c);" 4
.IX Item "int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c);"
.IP "int \fBSSL_CTX_sess_accept\fR(\s-1SSL_CTX\s0 *ctx);" 4
.IX Item "int SSL_CTX_sess_accept(SSL_CTX *ctx);"
.IP "int \fBSSL_CTX_sess_accept_good\fR(\s-1SSL_CTX\s0 *ctx);" 4
.IX Item "int SSL_CTX_sess_accept_good(SSL_CTX *ctx);"
.IP "int \fBSSL_CTX_sess_accept_renegotiate\fR(\s-1SSL_CTX\s0 *ctx);" 4
.IX Item "int SSL_CTX_sess_accept_renegotiate(SSL_CTX *ctx);"
.IP "int \fBSSL_CTX_sess_cache_full\fR(\s-1SSL_CTX\s0 *ctx);" 4
.IX Item "int SSL_CTX_sess_cache_full(SSL_CTX *ctx);"
.IP "int \fBSSL_CTX_sess_cb_hits\fR(\s-1SSL_CTX\s0 *ctx);" 4
.IX Item "int SSL_CTX_sess_cb_hits(SSL_CTX *ctx);"
.IP "int \fBSSL_CTX_sess_connect\fR(\s-1SSL_CTX\s0 *ctx);" 4
.IX Item "int SSL_CTX_sess_connect(SSL_CTX *ctx);"
.IP "int \fBSSL_CTX_sess_connect_good\fR(\s-1SSL_CTX\s0 *ctx);" 4
.IX Item "int SSL_CTX_sess_connect_good(SSL_CTX *ctx);"
.IP "int \fBSSL_CTX_sess_connect_renegotiate\fR(\s-1SSL_CTX\s0 *ctx);" 4
.IX Item "int SSL_CTX_sess_connect_renegotiate(SSL_CTX *ctx);"
.IP "int \fBSSL_CTX_sess_get_cache_size\fR(\s-1SSL_CTX\s0 *ctx);" 4
.IX Item "int SSL_CTX_sess_get_cache_size(SSL_CTX *ctx);"
.IP "\s-1SSL_SESSION\s0 *(*\fBSSL_CTX_sess_get_get_cb\fR(\s-1SSL_CTX\s0 *ctx))(\s-1SSL\s0 *ssl, unsigned char *data, int len, int *copy);" 4
.IX Item "SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl, unsigned char *data, int len, int *copy);"
.IP "int (*\fBSSL_CTX_sess_get_new_cb\fR(\s-1SSL_CTX\s0 *ctx)(\s-1SSL\s0 *ssl, \s-1SSL_SESSION\s0 *sess);" 4
.IX Item "int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx)(SSL *ssl, SSL_SESSION *sess);"
.IP "void (*\fBSSL_CTX_sess_get_remove_cb\fR(\s-1SSL_CTX\s0 *ctx)(\s-1SSL_CTX\s0 *ctx, \s-1SSL_SESSION\s0 *sess);" 4
.IX Item "void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx)(SSL_CTX *ctx, SSL_SESSION *sess);"
.IP "int \fBSSL_CTX_sess_hits\fR(\s-1SSL_CTX\s0 *ctx);" 4
.IX Item "int SSL_CTX_sess_hits(SSL_CTX *ctx);"
.IP "int \fBSSL_CTX_sess_misses\fR(\s-1SSL_CTX\s0 *ctx);" 4
.IX Item "int SSL_CTX_sess_misses(SSL_CTX *ctx);"
.IP "int \fBSSL_CTX_sess_number\fR(\s-1SSL_CTX\s0 *ctx);" 4
.IX Item "int SSL_CTX_sess_number(SSL_CTX *ctx);"
.IP "void \fBSSL_CTX_sess_set_cache_size\fR(\s-1SSL_CTX\s0 *ctx, t);" 4
.IX Item "void SSL_CTX_sess_set_cache_size(SSL_CTX *ctx, t);"
.IP "void \fBSSL_CTX_sess_set_get_cb\fR(\s-1SSL_CTX\s0 *ctx, \s-1SSL_SESSION\s0 *(*cb)(\s-1SSL\s0 *ssl, unsigned char *data, int len, int *copy));" 4
.IX Item "void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, SSL_SESSION *(*cb)(SSL *ssl, unsigned char *data, int len, int *copy));"
.IP "void \fBSSL_CTX_sess_set_new_cb\fR(\s-1SSL_CTX\s0 *ctx, int (*cb)(\s-1SSL\s0 *ssl, \s-1SSL_SESSION\s0 *sess));" 4
.IX Item "void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, SSL_SESSION *sess));"
.IP "void \fBSSL_CTX_sess_set_remove_cb\fR(\s-1SSL_CTX\s0 *ctx, void (*cb)(\s-1SSL_CTX\s0 *ctx, \s-1SSL_SESSION\s0 *sess));" 4
.IX Item "void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, void (*cb)(SSL_CTX *ctx, SSL_SESSION *sess));"
.IP "int \fBSSL_CTX_sess_timeouts\fR(\s-1SSL_CTX\s0 *ctx);" 4
.IX Item "int SSL_CTX_sess_timeouts(SSL_CTX *ctx);"
.IP "\s-1LHASH\s0 *\fBSSL_CTX_sessions\fR(\s-1SSL_CTX\s0 *ctx);" 4
.IX Item "LHASH *SSL_CTX_sessions(SSL_CTX *ctx);"
.IP "int \fBSSL_CTX_set_app_data\fR(\s-1SSL_CTX\s0 *ctx, void *arg);" 4
.IX Item "int SSL_CTX_set_app_data(SSL_CTX *ctx, void *arg);"
.IP "void \fBSSL_CTX_set_cert_store\fR(\s-1SSL_CTX\s0 *ctx, X509_STORE *cs);" 4
.IX Item "void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *cs);"
.IP "void \fBSSL_CTX_set1_cert_store\fR(\s-1SSL_CTX\s0 *ctx, X509_STORE *cs);" 4
.IX Item "void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *cs);"
.IP "void \fBSSL_CTX_set_cert_verify_cb\fR(\s-1SSL_CTX\s0 *ctx, int (*cb)(), char *arg)" 4
.IX Item "void SSL_CTX_set_cert_verify_cb(SSL_CTX *ctx, int (*cb)(), char *arg)"
.IP "int \fBSSL_CTX_set_cipher_list\fR(\s-1SSL_CTX\s0 *ctx, char *str);" 4
.IX Item "int SSL_CTX_set_cipher_list(SSL_CTX *ctx, char *str);"
.IP "void \fBSSL_CTX_set_client_CA_list\fR(\s-1SSL_CTX\s0 *ctx, \s-1STACK\s0 *list);" 4
.IX Item "void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK *list);"
.IP "void \fBSSL_CTX_set_client_cert_cb\fR(\s-1SSL_CTX\s0 *ctx, int (*cb)(\s-1SSL\s0 *ssl, X509 **x509, \s-1EVP_PKEY\s0 **pkey));" 4
.IX Item "void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));"
.IP "int \fBSSL_CTX_set_ct_validation_callback\fR(\s-1SSL_CTX\s0 *ctx, ssl_ct_validation_cb callback, void *arg);" 4
.IX Item "int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx, ssl_ct_validation_cb callback, void *arg);"
.IP "void \fBSSL_CTX_set_default_passwd_cb\fR(\s-1SSL_CTX\s0 *ctx, int (*cb);(void))" 4
.IX Item "void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, int (*cb);(void))"
.IP "void \fBSSL_CTX_set_default_read_ahead\fR(\s-1SSL_CTX\s0 *ctx, int m);" 4
.IX Item "void SSL_CTX_set_default_read_ahead(SSL_CTX *ctx, int m);"
.IP "int \fBSSL_CTX_set_default_verify_paths\fR(\s-1SSL_CTX\s0 *ctx);" 4
.IX Item "int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);"
.PD
Use the default paths to locate trusted \s-1CA\s0 certificates. There is one default
directory path and one default file path. Both are set via this call.
.IP "int \fBSSL_CTX_set_default_verify_dir\fR(\s-1SSL_CTX\s0 *ctx)" 4
.IX Item "int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx)"
Use the default directory path to locate trusted \s-1CA\s0 certificates.
.IP "int \fBSSL_CTX_set_default_verify_file\fR(\s-1SSL_CTX\s0 *ctx)" 4
.IX Item "int SSL_CTX_set_default_verify_file(SSL_CTX *ctx)"
Use the file path to locate trusted \s-1CA\s0 certificates.
.IP "int \fBSSL_CTX_set_ex_data\fR(\s-1SSL_CTX\s0 *s, int idx, char *arg);" 4
.IX Item "int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, char *arg);"
.PD 0
.IP "void \fBSSL_CTX_set_info_callback\fR(\s-1SSL_CTX\s0 *ctx, void (*cb)(\s-1SSL\s0 *ssl, int cb, int ret));" 4
.IX Item "void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(SSL *ssl, int cb, int ret));"
.IP "void \fBSSL_CTX_set_msg_callback\fR(\s-1SSL_CTX\s0 *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, \s-1SSL\s0 *ssl, void *arg));" 4
.IX Item "void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));"
.IP "void \fBSSL_CTX_set_msg_callback_arg\fR(\s-1SSL_CTX\s0 *ctx, void *arg);" 4
.IX Item "void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg);"
.IP "unsigned long \fBSSL_CTX_clear_options\fR(\s-1SSL_CTX\s0 *ctx, unsigned long op);" 4
.IX Item "unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op);"
.IP "unsigned long \fBSSL_CTX_get_options\fR(\s-1SSL_CTX\s0 *ctx);" 4
.IX Item "unsigned long SSL_CTX_get_options(SSL_CTX *ctx);"
.IP "unsigned long \fBSSL_CTX_set_options\fR(\s-1SSL_CTX\s0 *ctx, unsigned long op);" 4
.IX Item "unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op);"
.IP "void \fBSSL_CTX_set_quiet_shutdown\fR(\s-1SSL_CTX\s0 *ctx, int mode);" 4
.IX Item "void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode);"
.IP "void \fBSSL_CTX_set_read_ahead\fR(\s-1SSL_CTX\s0 *ctx, int m);" 4
.IX Item "void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int m);"
.IP "void \fBSSL_CTX_set_session_cache_mode\fR(\s-1SSL_CTX\s0 *ctx, int mode);" 4
.IX Item "void SSL_CTX_set_session_cache_mode(SSL_CTX *ctx, int mode);"
.IP "int \fBSSL_CTX_set_ssl_version\fR(\s-1SSL_CTX\s0 *ctx, const \s-1SSL_METHOD\s0 *meth);" 4
.IX Item "int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);"
.IP "void \fBSSL_CTX_set_timeout\fR(\s-1SSL_CTX\s0 *ctx, long t);" 4
.IX Item "void SSL_CTX_set_timeout(SSL_CTX *ctx, long t);"
.IP "long \fBSSL_CTX_set_tmp_dh\fR(SSL_CTX* ctx, \s-1DH\s0 *dh);" 4
.IX Item "long SSL_CTX_set_tmp_dh(SSL_CTX* ctx, DH *dh);"
.IP "long \fBSSL_CTX_set_tmp_dh_callback\fR(\s-1SSL_CTX\s0 *ctx, \s-1DH\s0 *(*cb)(void));" 4
.IX Item "long SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, DH *(*cb)(void));"
.IP "void \fBSSL_CTX_set_verify\fR(\s-1SSL_CTX\s0 *ctx, int mode, int (*cb);(void))" 4
.IX Item "void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*cb);(void))"
.IP "int \fBSSL_CTX_use_PrivateKey\fR(\s-1SSL_CTX\s0 *ctx, \s-1EVP_PKEY\s0 *pkey);" 4
.IX Item "int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);"
.IP "int \fBSSL_CTX_use_PrivateKey_ASN1\fR(int type, \s-1SSL_CTX\s0 *ctx, unsigned char *d, long len);" 4
.IX Item "int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, unsigned char *d, long len);"
.IP "int \fBSSL_CTX_use_PrivateKey_file\fR(\s-1SSL_CTX\s0 *ctx, const char *file, int type);" 4
.IX Item "int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);"
.IP "int \fBSSL_CTX_use_RSAPrivateKey\fR(\s-1SSL_CTX\s0 *ctx, \s-1RSA\s0 *rsa);" 4
.IX Item "int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);"
.IP "int \fBSSL_CTX_use_RSAPrivateKey_ASN1\fR(\s-1SSL_CTX\s0 *ctx, unsigned char *d, long len);" 4
.IX Item "int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len);"
.IP "int \fBSSL_CTX_use_RSAPrivateKey_file\fR(\s-1SSL_CTX\s0 *ctx, const char *file, int type);" 4
.IX Item "int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type);"
.IP "int \fBSSL_CTX_use_certificate\fR(\s-1SSL_CTX\s0 *ctx, X509 *x);" 4
.IX Item "int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);"
.IP "int \fBSSL_CTX_use_certificate_ASN1\fR(\s-1SSL_CTX\s0 *ctx, int len, unsigned char *d);" 4
.IX Item "int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d);"
.IP "int \fBSSL_CTX_use_certificate_file\fR(\s-1SSL_CTX\s0 *ctx, const char *file, int type);" 4
.IX Item "int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);"
.IP "int \fBSSL_CTX_use_cert_and_key\fR(\s-1SSL_CTX\s0 *ctx, X509 *x, \s-1EVP_PKEY\s0 *pkey, \s-1STACK_OF\s0(X509) *chain, int override);" 4
.IX Item "int SSL_CTX_use_cert_and_key(SSL_CTX *ctx, X509 *x, EVP_PKEY *pkey, STACK_OF(X509) *chain, int override);"
.IP "X509 *\fBSSL_CTX_get0_certificate\fR(const \s-1SSL_CTX\s0 *ctx);" 4
.IX Item "X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx);"
.IP "\s-1EVP_PKEY\s0 *\fBSSL_CTX_get0_privatekey\fR(const \s-1SSL_CTX\s0 *ctx);" 4
.IX Item "EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx);"
.IP "void \fBSSL_CTX_set_psk_client_callback\fR(\s-1SSL_CTX\s0 *ctx, unsigned int (*callback)(\s-1SSL\s0 *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len));" 4
.IX Item "void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, unsigned int (*callback)(SSL *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len));"
.IP "int \fBSSL_CTX_use_psk_identity_hint\fR(\s-1SSL_CTX\s0 *ctx, const char *hint);" 4
.IX Item "int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *hint);"
.IP "void \fBSSL_CTX_set_psk_server_callback\fR(\s-1SSL_CTX\s0 *ctx, unsigned int (*callback)(\s-1SSL\s0 *ssl, const char *identity, unsigned char *psk, int max_psk_len));" 4
.IX Item "void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, unsigned int (*callback)(SSL *ssl, const char *identity, unsigned char *psk, int max_psk_len));"
.PD
.SS "Dealing with Sessions"
.IX Subsection "Dealing with Sessions"
Here we document the various \s-1API\s0 functions which deal with the \s-1SSL/TLS\s0
sessions defined in the \fB\s-1SSL_SESSION\s0\fR structures.
.IP "int \fBSSL_SESSION_cmp\fR(const \s-1SSL_SESSION\s0 *a, const \s-1SSL_SESSION\s0 *b);" 4
.IX Item "int SSL_SESSION_cmp(const SSL_SESSION *a, const SSL_SESSION *b);"
.PD 0
.IP "void \fBSSL_SESSION_free\fR(\s-1SSL_SESSION\s0 *ss);" 4
.IX Item "void SSL_SESSION_free(SSL_SESSION *ss);"
.IP "char *\fBSSL_SESSION_get_app_data\fR(\s-1SSL_SESSION\s0 *s);" 4
.IX Item "char *SSL_SESSION_get_app_data(SSL_SESSION *s);"
.IP "char *\fBSSL_SESSION_get_ex_data\fR(const \s-1SSL_SESSION\s0 *s, int idx);" 4
.IX Item "char *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx);"
.IP "int \fBSSL_SESSION_get_ex_new_index\fR(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))" 4
.IX Item "int SSL_SESSION_get_ex_new_index(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))"
.IP "long \fBSSL_SESSION_get_time\fR(const \s-1SSL_SESSION\s0 *s);" 4
.IX Item "long SSL_SESSION_get_time(const SSL_SESSION *s);"
.IP "long \fBSSL_SESSION_get_timeout\fR(const \s-1SSL_SESSION\s0 *s);" 4
.IX Item "long SSL_SESSION_get_timeout(const SSL_SESSION *s);"
.IP "unsigned long \fBSSL_SESSION_hash\fR(const \s-1SSL_SESSION\s0 *a);" 4
.IX Item "unsigned long SSL_SESSION_hash(const SSL_SESSION *a);"
.IP "\s-1SSL_SESSION\s0 *\fBSSL_SESSION_new\fR(void);" 4
.IX Item "SSL_SESSION *SSL_SESSION_new(void);"
.IP "int \fBSSL_SESSION_print\fR(\s-1BIO\s0 *bp, const \s-1SSL_SESSION\s0 *x);" 4
.IX Item "int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x);"
.IP "int \fBSSL_SESSION_print_fp\fR(\s-1FILE\s0 *fp, const \s-1SSL_SESSION\s0 *x);" 4
.IX Item "int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x);"
.IP "int \fBSSL_SESSION_set_app_data\fR(\s-1SSL_SESSION\s0 *s, char *a);" 4
.IX Item "int SSL_SESSION_set_app_data(SSL_SESSION *s, char *a);"
.IP "int \fBSSL_SESSION_set_ex_data\fR(\s-1SSL_SESSION\s0 *s, int idx, char *arg);" 4
.IX Item "int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, char *arg);"
.IP "long \fBSSL_SESSION_set_time\fR(\s-1SSL_SESSION\s0 *s, long t);" 4
.IX Item "long SSL_SESSION_set_time(SSL_SESSION *s, long t);"
.IP "long \fBSSL_SESSION_set_timeout\fR(\s-1SSL_SESSION\s0 *s, long t);" 4
.IX Item "long SSL_SESSION_set_timeout(SSL_SESSION *s, long t);"
.PD
.SS "Dealing with Connections"
.IX Subsection "Dealing with Connections"
Here we document the various \s-1API\s0 functions which deal with the \s-1SSL/TLS\s0
connection defined in the \fB\s-1SSL\s0\fR structure.
.IP "int \fBSSL_accept\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "int SSL_accept(SSL *ssl);"
.PD 0
.IP "int \fBSSL_add_dir_cert_subjects_to_stack\fR(\s-1STACK\s0 *stack, const char *dir);" 4
.IX Item "int SSL_add_dir_cert_subjects_to_stack(STACK *stack, const char *dir);"
.IP "int \fBSSL_add_file_cert_subjects_to_stack\fR(\s-1STACK\s0 *stack, const char *file);" 4
.IX Item "int SSL_add_file_cert_subjects_to_stack(STACK *stack, const char *file);"
.IP "int \fBSSL_add_client_CA\fR(\s-1SSL\s0 *ssl, X509 *x);" 4
.IX Item "int SSL_add_client_CA(SSL *ssl, X509 *x);"
.IP "char *\fBSSL_alert_desc_string\fR(int value);" 4
.IX Item "char *SSL_alert_desc_string(int value);"
.IP "char *\fBSSL_alert_desc_string_long\fR(int value);" 4
.IX Item "char *SSL_alert_desc_string_long(int value);"
.IP "char *\fBSSL_alert_type_string\fR(int value);" 4
.IX Item "char *SSL_alert_type_string(int value);"
.IP "char *\fBSSL_alert_type_string_long\fR(int value);" 4
.IX Item "char *SSL_alert_type_string_long(int value);"
.IP "int \fBSSL_check_private_key\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "int SSL_check_private_key(const SSL *ssl);"
.IP "void \fBSSL_clear\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "void SSL_clear(SSL *ssl);"
.IP "long \fBSSL_clear_num_renegotiations\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "long SSL_clear_num_renegotiations(SSL *ssl);"
.IP "int \fBSSL_connect\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "int SSL_connect(SSL *ssl);"
.IP "int \fBSSL_copy_session_id\fR(\s-1SSL\s0 *t, const \s-1SSL\s0 *f);" 4
.IX Item "int SSL_copy_session_id(SSL *t, const SSL *f);"
.PD
Sets the session details for \fBt\fR to be the same as in \fBf\fR. Returns 1 on
success or 0 on failure.
.IP "long \fBSSL_ctrl\fR(\s-1SSL\s0 *ssl, int cmd, long larg, char *parg);" 4
.IX Item "long SSL_ctrl(SSL *ssl, int cmd, long larg, char *parg);"
.PD 0
.IP "int \fBSSL_do_handshake\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "int SSL_do_handshake(SSL *ssl);"
.IP "\s-1SSL\s0 *\fBSSL_dup\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "SSL *SSL_dup(SSL *ssl);"
.PD
\&\fBSSL_dup()\fR allows applications to configure an \s-1SSL\s0 handle for use
in multiple \s-1SSL\s0 connections, and then duplicate it prior to initiating
each connection with the duplicated handle.
Use of \fBSSL_dup()\fR avoids the need to repeat the configuration of the
handles for each connection.
.Sp
For \fBSSL_dup()\fR to work, the connection \s-1MUST\s0 be in its initial state
and \s-1MUST NOT\s0 have not yet have started the \s-1SSL\s0 handshake.
For connections that are not in their initial state \fBSSL_dup()\fR just
increments an internal reference count and returns the \fIsame\fR
handle.
It may be possible to use \fBSSL_clear\fR\|(3) to recycle an \s-1SSL\s0 handle
that is not in its initial state for re-use, but this is best
avoided.
Instead, save and restore the session, if desired, and construct a
fresh handle for each connection.
.IP "\s-1STACK\s0 *\fBSSL_dup_CA_list\fR(\s-1STACK\s0 *sk);" 4
.IX Item "STACK *SSL_dup_CA_list(STACK *sk);"
.PD 0
.IP "void \fBSSL_free\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "void SSL_free(SSL *ssl);"
.IP "\s-1SSL_CTX\s0 *\fBSSL_get_SSL_CTX\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);"
.IP "char *\fBSSL_get_app_data\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "char *SSL_get_app_data(SSL *ssl);"
.IP "X509 *\fBSSL_get_certificate\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "X509 *SSL_get_certificate(const SSL *ssl);"
.IP "const char *\fBSSL_get_cipher\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "const char *SSL_get_cipher(const SSL *ssl);"
.IP "int \fBSSL_is_dtls\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "int SSL_is_dtls(const SSL *ssl);"
.IP "int \fBSSL_get_cipher_bits\fR(const \s-1SSL\s0 *ssl, int *alg_bits);" 4
.IX Item "int SSL_get_cipher_bits(const SSL *ssl, int *alg_bits);"
.IP "char *\fBSSL_get_cipher_list\fR(const \s-1SSL\s0 *ssl, int n);" 4
.IX Item "char *SSL_get_cipher_list(const SSL *ssl, int n);"
.IP "char *\fBSSL_get_cipher_name\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "char *SSL_get_cipher_name(const SSL *ssl);"
.IP "char *\fBSSL_get_cipher_version\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "char *SSL_get_cipher_version(const SSL *ssl);"
.IP "\s-1STACK\s0 *\fBSSL_get_ciphers\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "STACK *SSL_get_ciphers(const SSL *ssl);"
.IP "\s-1STACK\s0 *\fBSSL_get_client_CA_list\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "STACK *SSL_get_client_CA_list(const SSL *ssl);"
.IP "\s-1SSL_CIPHER\s0 *\fBSSL_get_current_cipher\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "SSL_CIPHER *SSL_get_current_cipher(SSL *ssl);"
.IP "long \fBSSL_get_default_timeout\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "long SSL_get_default_timeout(const SSL *ssl);"
.IP "int \fBSSL_get_error\fR(const \s-1SSL\s0 *ssl, int i);" 4
.IX Item "int SSL_get_error(const SSL *ssl, int i);"
.IP "char *\fBSSL_get_ex_data\fR(const \s-1SSL\s0 *ssl, int idx);" 4
.IX Item "char *SSL_get_ex_data(const SSL *ssl, int idx);"
.IP "int \fBSSL_get_ex_data_X509_STORE_CTX_idx\fR(void);" 4
.IX Item "int SSL_get_ex_data_X509_STORE_CTX_idx(void);"
.IP "int \fBSSL_get_ex_new_index\fR(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))" 4
.IX Item "int SSL_get_ex_new_index(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))"
.IP "int \fBSSL_get_fd\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "int SSL_get_fd(const SSL *ssl);"
.IP "void (*\fBSSL_get_info_callback\fR(const \s-1SSL\s0 *ssl);)()" 4
.IX Item "void (*SSL_get_info_callback(const SSL *ssl);)()"
.IP "int \fBSSL_get_key_update_type\fR(\s-1SSL\s0 *s);" 4
.IX Item "int SSL_get_key_update_type(SSL *s);"
.IP "\s-1STACK\s0 *\fBSSL_get_peer_cert_chain\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "STACK *SSL_get_peer_cert_chain(const SSL *ssl);"
.IP "X509 *\fBSSL_get_peer_certificate\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "X509 *SSL_get_peer_certificate(const SSL *ssl);"
.IP "const \s-1STACK_OF\s0(\s-1SCT\s0) *\fBSSL_get0_peer_scts\fR(\s-1SSL\s0 *s);" 4
.IX Item "const STACK_OF(SCT) *SSL_get0_peer_scts(SSL *s);"
.IP "\s-1EVP_PKEY\s0 *\fBSSL_get_privatekey\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "EVP_PKEY *SSL_get_privatekey(const SSL *ssl);"
.IP "int \fBSSL_get_quiet_shutdown\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "int SSL_get_quiet_shutdown(const SSL *ssl);"
.IP "\s-1BIO\s0 *\fBSSL_get_rbio\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "BIO *SSL_get_rbio(const SSL *ssl);"
.IP "int \fBSSL_get_read_ahead\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "int SSL_get_read_ahead(const SSL *ssl);"
.IP "\s-1SSL_SESSION\s0 *\fBSSL_get_session\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "SSL_SESSION *SSL_get_session(const SSL *ssl);"
.IP "char *\fBSSL_get_shared_ciphers\fR(const \s-1SSL\s0 *ssl, char *buf, int size);" 4
.IX Item "char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int size);"
.IP "int \fBSSL_get_shutdown\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "int SSL_get_shutdown(const SSL *ssl);"
.IP "const \s-1SSL_METHOD\s0 *\fBSSL_get_ssl_method\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "const SSL_METHOD *SSL_get_ssl_method(SSL *ssl);"
.IP "int \fBSSL_get_state\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "int SSL_get_state(const SSL *ssl);"
.IP "long \fBSSL_get_time\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "long SSL_get_time(const SSL *ssl);"
.IP "long \fBSSL_get_timeout\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "long SSL_get_timeout(const SSL *ssl);"
.IP "int (*\fBSSL_get_verify_callback\fR(const \s-1SSL\s0 *ssl))(int, X509_STORE_CTX *)" 4
.IX Item "int (*SSL_get_verify_callback(const SSL *ssl))(int, X509_STORE_CTX *)"
.IP "int \fBSSL_get_verify_mode\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "int SSL_get_verify_mode(const SSL *ssl);"
.IP "long \fBSSL_get_verify_result\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "long SSL_get_verify_result(const SSL *ssl);"
.IP "char *\fBSSL_get_version\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "char *SSL_get_version(const SSL *ssl);"
.IP "\s-1BIO\s0 *\fBSSL_get_wbio\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "BIO *SSL_get_wbio(const SSL *ssl);"
.IP "int \fBSSL_in_accept_init\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "int SSL_in_accept_init(SSL *ssl);"
.IP "int \fBSSL_in_before\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "int SSL_in_before(SSL *ssl);"
.IP "int \fBSSL_in_connect_init\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "int SSL_in_connect_init(SSL *ssl);"
.IP "int \fBSSL_in_init\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "int SSL_in_init(SSL *ssl);"
.IP "int \fBSSL_is_init_finished\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "int SSL_is_init_finished(SSL *ssl);"
.IP "int \fBSSL_key_update\fR(\s-1SSL\s0 *s, int updatetype);" 4
.IX Item "int SSL_key_update(SSL *s, int updatetype);"
.IP "\s-1STACK\s0 *\fBSSL_load_client_CA_file\fR(const char *file);" 4
.IX Item "STACK *SSL_load_client_CA_file(const char *file);"
.IP "\s-1SSL\s0 *\fBSSL_new\fR(\s-1SSL_CTX\s0 *ctx);" 4
.IX Item "SSL *SSL_new(SSL_CTX *ctx);"
.IP "int SSL_up_ref(\s-1SSL\s0 *s);" 4
.IX Item "int SSL_up_ref(SSL *s);"
.IP "long \fBSSL_num_renegotiations\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "long SSL_num_renegotiations(SSL *ssl);"
.IP "int \fBSSL_peek\fR(\s-1SSL\s0 *ssl, void *buf, int num);" 4
.IX Item "int SSL_peek(SSL *ssl, void *buf, int num);"
.IP "int \fBSSL_pending\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "int SSL_pending(const SSL *ssl);"
.IP "int \fBSSL_read\fR(\s-1SSL\s0 *ssl, void *buf, int num);" 4
.IX Item "int SSL_read(SSL *ssl, void *buf, int num);"
.IP "int \fBSSL_renegotiate\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "int SSL_renegotiate(SSL *ssl);"
.IP "char *\fBSSL_rstate_string\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "char *SSL_rstate_string(SSL *ssl);"
.IP "char *\fBSSL_rstate_string_long\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "char *SSL_rstate_string_long(SSL *ssl);"
.IP "long \fBSSL_session_reused\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "long SSL_session_reused(SSL *ssl);"
.IP "void \fBSSL_set_accept_state\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "void SSL_set_accept_state(SSL *ssl);"
.IP "void \fBSSL_set_app_data\fR(\s-1SSL\s0 *ssl, char *arg);" 4
.IX Item "void SSL_set_app_data(SSL *ssl, char *arg);"
.IP "void \fBSSL_set_bio\fR(\s-1SSL\s0 *ssl, \s-1BIO\s0 *rbio, \s-1BIO\s0 *wbio);" 4
.IX Item "void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio);"
.IP "int \fBSSL_set_cipher_list\fR(\s-1SSL\s0 *ssl, char *str);" 4
.IX Item "int SSL_set_cipher_list(SSL *ssl, char *str);"
.IP "void \fBSSL_set_client_CA_list\fR(\s-1SSL\s0 *ssl, \s-1STACK\s0 *list);" 4
.IX Item "void SSL_set_client_CA_list(SSL *ssl, STACK *list);"
.IP "void \fBSSL_set_connect_state\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "void SSL_set_connect_state(SSL *ssl);"
.IP "int \fBSSL_set_ct_validation_callback\fR(\s-1SSL\s0 *ssl, ssl_ct_validation_cb callback, void *arg);" 4
.IX Item "int SSL_set_ct_validation_callback(SSL *ssl, ssl_ct_validation_cb callback, void *arg);"
.IP "int \fBSSL_set_ex_data\fR(\s-1SSL\s0 *ssl, int idx, char *arg);" 4
.IX Item "int SSL_set_ex_data(SSL *ssl, int idx, char *arg);"
.IP "int \fBSSL_set_fd\fR(\s-1SSL\s0 *ssl, int fd);" 4
.IX Item "int SSL_set_fd(SSL *ssl, int fd);"
.IP "void \fBSSL_set_info_callback\fR(\s-1SSL\s0 *ssl, void (*cb);(void))" 4
.IX Item "void SSL_set_info_callback(SSL *ssl, void (*cb);(void))"
.IP "void \fBSSL_set_msg_callback\fR(\s-1SSL\s0 *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, \s-1SSL\s0 *ssl, void *arg));" 4
.IX Item "void SSL_set_msg_callback(SSL *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));"
.IP "void \fBSSL_set_msg_callback_arg\fR(\s-1SSL\s0 *ctx, void *arg);" 4
.IX Item "void SSL_set_msg_callback_arg(SSL *ctx, void *arg);"
.IP "unsigned long \fBSSL_clear_options\fR(\s-1SSL\s0 *ssl, unsigned long op);" 4
.IX Item "unsigned long SSL_clear_options(SSL *ssl, unsigned long op);"
.IP "unsigned long \fBSSL_get_options\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "unsigned long SSL_get_options(SSL *ssl);"
.IP "unsigned long \fBSSL_set_options\fR(\s-1SSL\s0 *ssl, unsigned long op);" 4
.IX Item "unsigned long SSL_set_options(SSL *ssl, unsigned long op);"
.IP "void \fBSSL_set_quiet_shutdown\fR(\s-1SSL\s0 *ssl, int mode);" 4
.IX Item "void SSL_set_quiet_shutdown(SSL *ssl, int mode);"
.IP "void \fBSSL_set_read_ahead\fR(\s-1SSL\s0 *ssl, int yes);" 4
.IX Item "void SSL_set_read_ahead(SSL *ssl, int yes);"
.IP "int \fBSSL_set_rfd\fR(\s-1SSL\s0 *ssl, int fd);" 4
.IX Item "int SSL_set_rfd(SSL *ssl, int fd);"
.IP "int \fBSSL_set_session\fR(\s-1SSL\s0 *ssl, \s-1SSL_SESSION\s0 *session);" 4
.IX Item "int SSL_set_session(SSL *ssl, SSL_SESSION *session);"
.IP "void \fBSSL_set_shutdown\fR(\s-1SSL\s0 *ssl, int mode);" 4
.IX Item "void SSL_set_shutdown(SSL *ssl, int mode);"
.IP "int \fBSSL_set_ssl_method\fR(\s-1SSL\s0 *ssl, const \s-1SSL_METHOD\s0 *meth);" 4
.IX Item "int SSL_set_ssl_method(SSL *ssl, const SSL_METHOD *meth);"
.IP "void \fBSSL_set_time\fR(\s-1SSL\s0 *ssl, long t);" 4
.IX Item "void SSL_set_time(SSL *ssl, long t);"
.IP "void \fBSSL_set_timeout\fR(\s-1SSL\s0 *ssl, long t);" 4
.IX Item "void SSL_set_timeout(SSL *ssl, long t);"
.IP "void \fBSSL_set_verify\fR(\s-1SSL\s0 *ssl, int mode, int (*callback);(void))" 4
.IX Item "void SSL_set_verify(SSL *ssl, int mode, int (*callback);(void))"
.IP "void \fBSSL_set_verify_result\fR(\s-1SSL\s0 *ssl, long arg);" 4
.IX Item "void SSL_set_verify_result(SSL *ssl, long arg);"
.IP "int \fBSSL_set_wfd\fR(\s-1SSL\s0 *ssl, int fd);" 4
.IX Item "int SSL_set_wfd(SSL *ssl, int fd);"
.IP "int \fBSSL_shutdown\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "int SSL_shutdown(SSL *ssl);"
.IP "\s-1OSSL_HANDSHAKE_STATE\s0 \fBSSL_get_state\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl);"
.PD
Returns the current handshake state.
.IP "char *\fBSSL_state_string\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "char *SSL_state_string(const SSL *ssl);"
.PD 0
.IP "char *\fBSSL_state_string_long\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "char *SSL_state_string_long(const SSL *ssl);"
.IP "long \fBSSL_total_renegotiations\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "long SSL_total_renegotiations(SSL *ssl);"
.IP "int \fBSSL_use_PrivateKey\fR(\s-1SSL\s0 *ssl, \s-1EVP_PKEY\s0 *pkey);" 4
.IX Item "int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);"
.IP "int \fBSSL_use_PrivateKey_ASN1\fR(int type, \s-1SSL\s0 *ssl, unsigned char *d, long len);" 4
.IX Item "int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, unsigned char *d, long len);"
.IP "int \fBSSL_use_PrivateKey_file\fR(\s-1SSL\s0 *ssl, const char *file, int type);" 4
.IX Item "int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);"
.IP "int \fBSSL_use_RSAPrivateKey\fR(\s-1SSL\s0 *ssl, \s-1RSA\s0 *rsa);" 4
.IX Item "int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);"
.IP "int \fBSSL_use_RSAPrivateKey_ASN1\fR(\s-1SSL\s0 *ssl, unsigned char *d, long len);" 4
.IX Item "int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);"
.IP "int \fBSSL_use_RSAPrivateKey_file\fR(\s-1SSL\s0 *ssl, const char *file, int type);" 4
.IX Item "int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);"
.IP "int \fBSSL_use_certificate\fR(\s-1SSL\s0 *ssl, X509 *x);" 4
.IX Item "int SSL_use_certificate(SSL *ssl, X509 *x);"
.IP "int \fBSSL_use_certificate_ASN1\fR(\s-1SSL\s0 *ssl, int len, unsigned char *d);" 4
.IX Item "int SSL_use_certificate_ASN1(SSL *ssl, int len, unsigned char *d);"
.IP "int \fBSSL_use_certificate_file\fR(\s-1SSL\s0 *ssl, const char *file, int type);" 4
.IX Item "int SSL_use_certificate_file(SSL *ssl, const char *file, int type);"
.IP "int \fBSSL_use_cert_and_key\fR(\s-1SSL\s0 *ssl, X509 *x, \s-1EVP_PKEY\s0 *pkey, \s-1STACK_OF\s0(X509) *chain, int override);" 4
.IX Item "int SSL_use_cert_and_key(SSL *ssl, X509 *x, EVP_PKEY *pkey, STACK_OF(X509) *chain, int override);"
.IP "int \fBSSL_version\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "int SSL_version(const SSL *ssl);"
.IP "int \fBSSL_want\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "int SSL_want(const SSL *ssl);"
.IP "int \fBSSL_want_nothing\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "int SSL_want_nothing(const SSL *ssl);"
.IP "int \fBSSL_want_read\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "int SSL_want_read(const SSL *ssl);"
.IP "int \fBSSL_want_write\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "int SSL_want_write(const SSL *ssl);"
.IP "int \fBSSL_want_x509_lookup\fR(const \s-1SSL\s0 *ssl);" 4
.IX Item "int SSL_want_x509_lookup(const SSL *ssl);"
.IP "int \fBSSL_write\fR(\s-1SSL\s0 *ssl, const void *buf, int num);" 4
.IX Item "int SSL_write(SSL *ssl, const void *buf, int num);"
.IP "void \fBSSL_set_psk_client_callback\fR(\s-1SSL\s0 *ssl, unsigned int (*callback)(\s-1SSL\s0 *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len));" 4
.IX Item "void SSL_set_psk_client_callback(SSL *ssl, unsigned int (*callback)(SSL *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len));"
.IP "int \fBSSL_use_psk_identity_hint\fR(\s-1SSL\s0 *ssl, const char *hint);" 4
.IX Item "int SSL_use_psk_identity_hint(SSL *ssl, const char *hint);"
.IP "void \fBSSL_set_psk_server_callback\fR(\s-1SSL\s0 *ssl, unsigned int (*callback)(\s-1SSL\s0 *ssl, const char *identity, unsigned char *psk, int max_psk_len));" 4
.IX Item "void SSL_set_psk_server_callback(SSL *ssl, unsigned int (*callback)(SSL *ssl, const char *identity, unsigned char *psk, int max_psk_len));"
.IP "const char *\fBSSL_get_psk_identity_hint\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "const char *SSL_get_psk_identity_hint(SSL *ssl);"
.IP "const char *\fBSSL_get_psk_identity\fR(\s-1SSL\s0 *ssl);" 4
.IX Item "const char *SSL_get_psk_identity(SSL *ssl);"
.PD
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
See the individual manual pages for details.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1), \fBcrypto\fR\|(7),
\&\fBCRYPTO_get_ex_new_index\fR\|(3),
\&\fBSSL_accept\fR\|(3), \fBSSL_clear\fR\|(3),
\&\fBSSL_connect\fR\|(3),
\&\fBSSL_CIPHER_get_name\fR\|(3),
\&\fBSSL_COMP_add_compression_method\fR\|(3),
\&\fBSSL_CTX_add_extra_chain_cert\fR\|(3),
\&\fBSSL_CTX_add_session\fR\|(3),
\&\fBSSL_CTX_ctrl\fR\|(3),
\&\fBSSL_CTX_flush_sessions\fR\|(3),
\&\fBSSL_CTX_get_verify_mode\fR\|(3),
\&\fBSSL_CTX_load_verify_locations\fR\|(3)
\&\fBSSL_CTX_new\fR\|(3),
\&\fBSSL_CTX_sess_number\fR\|(3),
\&\fBSSL_CTX_sess_set_cache_size\fR\|(3),
\&\fBSSL_CTX_sess_set_get_cb\fR\|(3),
\&\fBSSL_CTX_sessions\fR\|(3),
\&\fBSSL_CTX_set_cert_store\fR\|(3),
\&\fBSSL_CTX_set_cert_verify_callback\fR\|(3),
\&\fBSSL_CTX_set_cipher_list\fR\|(3),
\&\fBSSL_CTX_set_client_CA_list\fR\|(3),
\&\fBSSL_CTX_set_client_cert_cb\fR\|(3),
\&\fBSSL_CTX_set_default_passwd_cb\fR\|(3),
\&\fBSSL_CTX_set_generate_session_id\fR\|(3),
\&\fBSSL_CTX_set_info_callback\fR\|(3),
\&\fBSSL_CTX_set_max_cert_list\fR\|(3),
\&\fBSSL_CTX_set_mode\fR\|(3),
\&\fBSSL_CTX_set_msg_callback\fR\|(3),
\&\fBSSL_CTX_set_options\fR\|(3),
\&\fBSSL_CTX_set_quiet_shutdown\fR\|(3),
\&\fBSSL_CTX_set_read_ahead\fR\|(3),
\&\fBSSL_CTX_set_security_level\fR\|(3),
\&\fBSSL_CTX_set_session_cache_mode\fR\|(3),
\&\fBSSL_CTX_set_session_id_context\fR\|(3),
\&\fBSSL_CTX_set_ssl_version\fR\|(3),
\&\fBSSL_CTX_set_timeout\fR\|(3),
\&\fBSSL_CTX_set_tmp_dh_callback\fR\|(3),
\&\fBSSL_CTX_set_verify\fR\|(3),
\&\fBSSL_CTX_use_certificate\fR\|(3),
\&\fBSSL_alert_type_string\fR\|(3),
\&\fBSSL_do_handshake\fR\|(3),
\&\fBSSL_enable_ct\fR\|(3),
\&\fBSSL_get_SSL_CTX\fR\|(3),
\&\fBSSL_get_ciphers\fR\|(3),
\&\fBSSL_get_client_CA_list\fR\|(3),
\&\fBSSL_get_default_timeout\fR\|(3),
\&\fBSSL_get_error\fR\|(3),
\&\fBSSL_get_ex_data_X509_STORE_CTX_idx\fR\|(3),
\&\fBSSL_get_fd\fR\|(3),
\&\fBSSL_get_peer_cert_chain\fR\|(3),
\&\fBSSL_get_rbio\fR\|(3),
\&\fBSSL_get_session\fR\|(3),
\&\fBSSL_get_verify_result\fR\|(3),
\&\fBSSL_get_version\fR\|(3),
\&\fBSSL_load_client_CA_file\fR\|(3),
\&\fBSSL_new\fR\|(3),
\&\fBSSL_pending\fR\|(3),
\&\fBSSL_read_ex\fR\|(3),
\&\fBSSL_read\fR\|(3),
\&\fBSSL_rstate_string\fR\|(3),
\&\fBSSL_session_reused\fR\|(3),
\&\fBSSL_set_bio\fR\|(3),
\&\fBSSL_set_connect_state\fR\|(3),
\&\fBSSL_set_fd\fR\|(3),
\&\fBSSL_set_session\fR\|(3),
\&\fBSSL_set_shutdown\fR\|(3),
\&\fBSSL_shutdown\fR\|(3),
\&\fBSSL_state_string\fR\|(3),
\&\fBSSL_want\fR\|(3),
\&\fBSSL_write_ex\fR\|(3),
\&\fBSSL_write\fR\|(3),
\&\fBSSL_SESSION_free\fR\|(3),
\&\fBSSL_SESSION_get_time\fR\|(3),
\&\fBd2i_SSL_SESSION\fR\|(3),
\&\fBSSL_CTX_set_psk_client_callback\fR\|(3),
\&\fBSSL_CTX_use_psk_identity_hint\fR\|(3),
\&\fBSSL_get_psk_identity\fR\|(3),
\&\fBDTLSv1_listen\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
\&\fBSSLv2_client_method\fR, \fBSSLv2_server_method\fR and \fBSSLv2_method\fR were removed
in OpenSSL 1.1.0.
.PP
The return type of \fBSSL_copy_session_id\fR was changed from void to int in
OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/lib/libcrypto/man/man7/x509.7 b/secure/lib/libcrypto/man/man7/x509.7
index 32bf1c247d9a..46c369893f31 100644
--- a/secure/lib/libcrypto/man/man7/x509.7
+++ b/secure/lib/libcrypto/man/man7/x509.7
@@ -1,206 +1,206 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509 7"
-.TH X509 7 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509 7 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
x509 \- X.509 certificate handling
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509.h>
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
An X.509 certificate is a structured grouping of information about
an individual, a device, or anything one can imagine. An X.509 \s-1CRL\s0
(certificate revocation list) is a tool to help determine if a
certificate is still valid. The exact definition of those can be
found in the X.509 document from ITU-T, or in \s-1RFC3280\s0 from \s-1PKIX.\s0
In OpenSSL, the type X509 is used to express such a certificate, and
the type X509_CRL is used to express a \s-1CRL.\s0
.PP
A related structure is a certificate request, defined in PKCS#10 from
\&\s-1RSA\s0 Security, Inc, also reflected in \s-1RFC2896.\s0 In OpenSSL, the type
X509_REQ is used to express such a certificate request.
.PP
To handle some complex parts of a certificate, there are the types
X509_NAME (to express a certificate name), X509_ATTRIBUTE (to express
a certificate attribute), X509_EXTENSION (to express a certificate
extension) and a few more.
.PP
Finally, there's the supertype X509_INFO, which can contain a \s-1CRL,\s0 a
certificate and a corresponding private key.
.PP
\&\fBX509_\fR\fI\s-1XXX\s0\fR, \fBd2i_X509_\fR\fI\s-1XXX\s0\fR, and \fBi2d_X509_\fR\fI\s-1XXX\s0\fR functions
handle X.509 certificates, with some exceptions, shown below.
.PP
\&\fBX509_CRL_\fR\fI\s-1XXX\s0\fR, \fBd2i_X509_CRL_\fR\fI\s-1XXX\s0\fR, and \fBi2d_X509_CRL_\fR\fI\s-1XXX\s0\fR
functions handle X.509 CRLs.
.PP
\&\fBX509_REQ_\fR\fI\s-1XXX\s0\fR, \fBd2i_X509_REQ_\fR\fI\s-1XXX\s0\fR, and \fBi2d_X509_REQ_\fR\fI\s-1XXX\s0\fR
functions handle PKCS#10 certificate requests.
.PP
\&\fBX509_NAME_\fR\fI\s-1XXX\s0\fR functions handle certificate names.
.PP
\&\fBX509_ATTRIBUTE_\fR\fI\s-1XXX\s0\fR functions handle certificate attributes.
.PP
\&\fBX509_EXTENSION_\fR\fI\s-1XXX\s0\fR functions handle certificate extensions.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBX509_NAME_ENTRY_get_object\fR\|(3),
\&\fBX509_NAME_add_entry_by_txt\fR\|(3),
\&\fBX509_NAME_add_entry_by_NID\fR\|(3),
\&\fBX509_NAME_print_ex\fR\|(3),
\&\fBX509_NAME_new\fR\|(3),
\&\fBd2i_X509\fR\|(3),
\&\fBd2i_X509_ALGOR\fR\|(3),
\&\fBd2i_X509_CRL\fR\|(3),
\&\fBd2i_X509_NAME\fR\|(3),
\&\fBd2i_X509_REQ\fR\|(3),
\&\fBd2i_X509_SIG\fR\|(3),
\&\fBX509v3\fR\|(3),
\&\fBcrypto\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2003\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/CA.pl.1 b/secure/usr.bin/openssl/man/CA.pl.1
index fda8ebb93f49..ad93656beb96 100644
--- a/secure/usr.bin/openssl/man/CA.pl.1
+++ b/secure/usr.bin/openssl/man/CA.pl.1
@@ -1,341 +1,341 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CA.PL 1"
-.TH CA.PL 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CA.PL 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
CA.pl \- friendlier interface for OpenSSL certificate programs
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fB\s-1CA\s0.pl\fR
\&\fB\-?\fR |
\&\fB\-h\fR |
\&\fB\-help\fR
.PP
\&\fB\s-1CA\s0.pl\fR
\&\fB\-newcert\fR |
\&\fB\-newreq\fR |
\&\fB\-newreq\-nodes\fR |
\&\fB\-xsign\fR |
\&\fB\-sign\fR |
\&\fB\-signCA\fR |
\&\fB\-signcert\fR |
\&\fB\-crl\fR |
\&\fB\-newca\fR
[\fB\-extra\-cmd\fR extra\-params]
.PP
\&\fB\s-1CA\s0.pl\fR \fB\-pkcs12\fR [\fB\-extra\-pkcs12\fR extra\-params] [\fBcertname\fR]
.PP
\&\fB\s-1CA\s0.pl\fR \fB\-verify\fR [\fB\-extra\-verify\fR extra\-params] \fBcertfile\fR...
.PP
\&\fB\s-1CA\s0.pl\fR \fB\-revoke\fR [\fB\-extra\-ca\fR extra\-params] \fBcertfile\fR [\fBreason\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fB\s-1CA\s0.pl\fR script is a perl script that supplies the relevant command line
arguments to the \fBopenssl\fR command for some common certificate operations.
It is intended to simplify the process of certificate creation and management
by the use of some simple options.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB?\fR, \fB\-h\fR, \fB\-help\fR" 4
.IX Item "?, -h, -help"
Prints a usage message.
.IP "\fB\-newcert\fR" 4
.IX Item "-newcert"
Creates a new self signed certificate. The private key is written to the file
\&\*(L"newkey.pem\*(R" and the request written to the file \*(L"newreq.pem\*(R".
This argument invokes \fBopenssl req\fR command.
.IP "\fB\-newreq\fR" 4
.IX Item "-newreq"
Creates a new certificate request. The private key is written to the file
\&\*(L"newkey.pem\*(R" and the request written to the file \*(L"newreq.pem\*(R".
Executes \fBopenssl req\fR command below the hood.
.IP "\fB\-newreq\-nodes\fR" 4
.IX Item "-newreq-nodes"
Is like \fB\-newreq\fR except that the private key will not be encrypted.
Uses \fBopenssl req\fR command.
.IP "\fB\-newca\fR" 4
.IX Item "-newca"
Creates a new \s-1CA\s0 hierarchy for use with the \fBca\fR program (or the \fB\-signcert\fR
and \fB\-xsign\fR options). The user is prompted to enter the filename of the \s-1CA\s0
certificates (which should also contain the private key) or by hitting \s-1ENTER\s0
details of the \s-1CA\s0 will be prompted for. The relevant files and directories
are created in a directory called \*(L"demoCA\*(R" in the current directory.
\&\fBopenssl req\fR and \fBopenssl ca\fR commands are get invoked.
.IP "\fB\-pkcs12\fR" 4
.IX Item "-pkcs12"
Create a PKCS#12 file containing the user certificate, private key and \s-1CA\s0
certificate. It expects the user certificate and private key to be in the
file \*(L"newcert.pem\*(R" and the \s-1CA\s0 certificate to be in the file demoCA/cacert.pem,
it creates a file \*(L"newcert.p12\*(R". This command can thus be called after the
\&\fB\-sign\fR option. The PKCS#12 file can be imported directly into a browser.
If there is an additional argument on the command line it will be used as the
\&\*(L"friendly name\*(R" for the certificate (which is typically displayed in the browser
list box), otherwise the name \*(L"My Certificate\*(R" is used.
Delegates work to \fBopenssl pkcs12\fR command.
.IP "\fB\-sign\fR, \fB\-signcert\fR, \fB\-xsign\fR" 4
.IX Item "-sign, -signcert, -xsign"
Calls the \fBca\fR program to sign a certificate request. It expects the request
to be in the file \*(L"newreq.pem\*(R". The new certificate is written to the file
\&\*(L"newcert.pem\*(R" except in the case of the \fB\-xsign\fR option when it is written
to standard output. Leverages \fBopenssl ca\fR command.
.IP "\fB\-signCA\fR" 4
.IX Item "-signCA"
This option is the same as the \fB\-sign\fR option except it uses the
configuration file section \fBv3_ca\fR and so makes the signed request a
valid \s-1CA\s0 certificate. This is useful when creating intermediate \s-1CA\s0 from
a root \s-1CA.\s0 Extra params are passed on to \fBopenssl ca\fR command.
.IP "\fB\-signcert\fR" 4
.IX Item "-signcert"
This option is the same as \fB\-sign\fR except it expects a self signed certificate
to be present in the file \*(L"newreq.pem\*(R".
Extra params are passed on to \fBopenssl x509\fR and \fBopenssl ca\fR commands.
.IP "\fB\-crl\fR" 4
.IX Item "-crl"
Generate a \s-1CRL.\s0 Executes \fBopenssl ca\fR command.
.IP "\fB\-revoke certfile [reason]\fR" 4
.IX Item "-revoke certfile [reason]"
Revoke the certificate contained in the specified \fBcertfile\fR. An optional
reason may be specified, and must be one of: \fBunspecified\fR,
\&\fBkeyCompromise\fR, \fBCACompromise\fR, \fBaffiliationChanged\fR, \fBsuperseded\fR,
\&\fBcessationOfOperation\fR, \fBcertificateHold\fR, or \fBremoveFromCRL\fR.
Leverages \fBopenssl ca\fR command.
.IP "\fB\-verify\fR" 4
.IX Item "-verify"
Verifies certificates against the \s-1CA\s0 certificate for \*(L"demoCA\*(R". If no
certificates are specified on the command line it tries to verify the file
\&\*(L"newcert.pem\*(R". Invokes \fBopenssl verify\fR command.
.IP "\fB\-extra\-req\fR | \fB\-extra\-ca\fR | \fB\-extra\-pkcs12\fR | \fB\-extra\-x509\fR | \fB\-extra\-verify\fR <extra\-params>" 4
.IX Item "-extra-req | -extra-ca | -extra-pkcs12 | -extra-x509 | -extra-verify <extra-params>"
The purpose of these parameters is to allow optional parameters to be supplied
to \fBopenssl\fR that this command executes. The \fB\-extra\-cmd\fR are specific to the
option being used and the \fBopenssl\fR command getting invoked. For example
when this command invokes \fBopenssl req\fR extra parameters can be passed on
with the \fB\-extra\-req\fR parameter. The
\&\fBopenssl\fR commands being invoked per option are documented below.
Users should consult \fBopenssl\fR command documentation for more information.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Create a \s-1CA\s0 hierarchy:
.PP
.Vb 1
\& CA.pl \-newca
.Ve
.PP
Complete certificate creation example: create a \s-1CA,\s0 create a request, sign
the request and finally create a PKCS#12 file containing it.
.PP
.Vb 4
\& CA.pl \-newca
\& CA.pl \-newreq
\& CA.pl \-sign
\& CA.pl \-pkcs12 "My Test Certificate"
.Ve
.SH "DSA CERTIFICATES"
.IX Header "DSA CERTIFICATES"
Although the \fB\s-1CA\s0.pl\fR creates \s-1RSA\s0 CAs and requests it is still possible to
use it with \s-1DSA\s0 certificates and requests using the \fBreq\fR\|(1) command
directly. The following example shows the steps that would typically be taken.
.PP
Create some \s-1DSA\s0 parameters:
.PP
.Vb 1
\& openssl dsaparam \-out dsap.pem 1024
.Ve
.PP
Create a \s-1DSA CA\s0 certificate and private key:
.PP
.Vb 1
\& openssl req \-x509 \-newkey dsa:dsap.pem \-keyout cacert.pem \-out cacert.pem
.Ve
.PP
Create the \s-1CA\s0 directories and files:
.PP
.Vb 1
\& CA.pl \-newca
.Ve
.PP
enter cacert.pem when prompted for the \s-1CA\s0 filename.
.PP
Create a \s-1DSA\s0 certificate request and private key (a different set of parameters
can optionally be created first):
.PP
.Vb 1
\& openssl req \-out newreq.pem \-newkey dsa:dsap.pem
.Ve
.PP
Sign the request:
.PP
.Vb 1
\& CA.pl \-sign
.Ve
.SH "NOTES"
.IX Header "NOTES"
Most of the filenames mentioned can be modified by editing the \fB\s-1CA\s0.pl\fR script.
.PP
If the demoCA directory already exists then the \fB\-newca\fR command will not
overwrite it and will do nothing. This can happen if a previous call using
the \fB\-newca\fR option terminated abnormally. To get the correct behaviour
delete the demoCA directory if it already exists.
.PP
Under some environments it may not be possible to run the \fB\s-1CA\s0.pl\fR script
directly (for example Win32) and the default configuration file location may
be wrong. In this case the command:
.PP
.Vb 1
\& perl \-S CA.pl
.Ve
.PP
can be used and the \fB\s-1OPENSSL_CONF\s0\fR environment variable changed to point to
the correct path of the configuration file.
.PP
The script is intended as a simple front end for the \fBopenssl\fR program for use
by a beginner. Its behaviour isn't always what is wanted. For more control over the
behaviour of the certificate commands call the \fBopenssl\fR command directly.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBx509\fR\|(1), \fBca\fR\|(1), \fBreq\fR\|(1), \fBpkcs12\fR\|(1),
\&\fBconfig\fR\|(5)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/asn1parse.1 b/secure/usr.bin/openssl/man/asn1parse.1
index e0ce155d00fb..a26c502089e0 100644
--- a/secure/usr.bin/openssl/man/asn1parse.1
+++ b/secure/usr.bin/openssl/man/asn1parse.1
@@ -1,339 +1,339 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ASN1PARSE 1"
-.TH ASN1PARSE 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ASN1PARSE 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-asn1parse, asn1parse \- ASN.1 parsing tool
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBasn1parse\fR
[\fB\-help\fR]
[\fB\-inform PEM|DER\fR]
[\fB\-in filename\fR]
[\fB\-out filename\fR]
[\fB\-noout\fR]
[\fB\-offset number\fR]
[\fB\-length number\fR]
[\fB\-i\fR]
[\fB\-oid filename\fR]
[\fB\-dump\fR]
[\fB\-dlimit num\fR]
[\fB\-strparse offset\fR]
[\fB\-genstr string\fR]
[\fB\-genconf file\fR]
[\fB\-strictpem\fR]
[\fB\-item name\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBasn1parse\fR command is a diagnostic utility that can parse \s-1ASN.1\s0
structures. It can also be used to extract data from \s-1ASN.1\s0 formatted data.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform\fR \fBDER|PEM\fR" 4
.IX Item "-inform DER|PEM"
The input format. \fB\s-1DER\s0\fR is binary format and \fB\s-1PEM\s0\fR (the default) is base64
encoded.
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
The input file, default is standard input.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
Output file to place the \s-1DER\s0 encoded data into. If this
option is not present then no data will be output. This is most useful when
combined with the \fB\-strparse\fR option.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
Don't output the parsed version of the input file.
.IP "\fB\-offset number\fR" 4
.IX Item "-offset number"
Starting offset to begin parsing, default is start of file.
.IP "\fB\-length number\fR" 4
.IX Item "-length number"
Number of bytes to parse, default is until end of file.
.IP "\fB\-i\fR" 4
.IX Item "-i"
Indents the output according to the \*(L"depth\*(R" of the structures.
.IP "\fB\-oid filename\fR" 4
.IX Item "-oid filename"
A file containing additional \s-1OBJECT\s0 IDENTIFIERs (OIDs). The format of this
file is described in the \s-1NOTES\s0 section below.
.IP "\fB\-dump\fR" 4
.IX Item "-dump"
Dump unknown data in hex format.
.IP "\fB\-dlimit num\fR" 4
.IX Item "-dlimit num"
Like \fB\-dump\fR, but only the first \fBnum\fR bytes are output.
.IP "\fB\-strparse offset\fR" 4
.IX Item "-strparse offset"
Parse the contents octets of the \s-1ASN.1\s0 object starting at \fBoffset\fR. This
option can be used multiple times to \*(L"drill down\*(R" into a nested structure.
.IP "\fB\-genstr string\fR, \fB\-genconf file\fR" 4
.IX Item "-genstr string, -genconf file"
Generate encoded data based on \fBstring\fR, \fBfile\fR or both using
\&\fBASN1_generate_nconf\fR\|(3) format. If \fBfile\fR only is
present then the string is obtained from the default section using the name
\&\fBasn1\fR. The encoded data is passed through the \s-1ASN1\s0 parser and printed out as
though it came from a file, the contents can thus be examined and written to a
file using the \fBout\fR option.
.IP "\fB\-strictpem\fR" 4
.IX Item "-strictpem"
If this option is used then \fB\-inform\fR will be ignored. Without this option any
data in a \s-1PEM\s0 format input file will be treated as being base64 encoded and
processed whether it has the normal \s-1PEM BEGIN\s0 and \s-1END\s0 markers or not. This
option will ignore any data prior to the start of the \s-1BEGIN\s0 marker, or after an
\&\s-1END\s0 marker in a \s-1PEM\s0 file.
.IP "\fB\-item name\fR" 4
.IX Item "-item name"
Attempt to decode and print the data as \fB\s-1ASN1_ITEM\s0 name\fR. This can be used to
print out the fields of any supported \s-1ASN.1\s0 structure if the type is known.
.SS "Output"
.IX Subsection "Output"
The output will typically contain lines like this:
.PP
.Vb 1
\& 0:d=0 hl=4 l= 681 cons: SEQUENCE
.Ve
.PP
\&.....
.PP
.Vb 10
\& 229:d=3 hl=3 l= 141 prim: BIT STRING
\& 373:d=2 hl=3 l= 162 cons: cont [ 3 ]
\& 376:d=3 hl=3 l= 159 cons: SEQUENCE
\& 379:d=4 hl=2 l= 29 cons: SEQUENCE
\& 381:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
\& 386:d=5 hl=2 l= 22 prim: OCTET STRING
\& 410:d=4 hl=2 l= 112 cons: SEQUENCE
\& 412:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
\& 417:d=5 hl=2 l= 105 prim: OCTET STRING
\& 524:d=4 hl=2 l= 12 cons: SEQUENCE
.Ve
.PP
\&.....
.PP
This example is part of a self-signed certificate. Each line starts with the
offset in decimal. \fBd=XX\fR specifies the current depth. The depth is increased
within the scope of any \s-1SET\s0 or \s-1SEQUENCE.\s0 \fBhl=XX\fR gives the header length
(tag and length octets) of the current type. \fBl=XX\fR gives the length of
the contents octets.
.PP
The \fB\-i\fR option can be used to make the output more readable.
.PP
Some knowledge of the \s-1ASN.1\s0 structure is needed to interpret the output.
.PP
In this example the \s-1BIT STRING\s0 at offset 229 is the certificate public key.
The contents octets of this will contain the public key information. This can
be examined using the option \fB\-strparse 229\fR to yield:
.PP
.Vb 3
\& 0:d=0 hl=3 l= 137 cons: SEQUENCE
\& 3:d=1 hl=3 l= 129 prim: INTEGER :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897
\& 135:d=1 hl=2 l= 3 prim: INTEGER :010001
.Ve
.SH "NOTES"
.IX Header "NOTES"
If an \s-1OID\s0 is not part of OpenSSL's internal table it will be represented in
numerical form (for example 1.2.3.4). The file passed to the \fB\-oid\fR option
allows additional OIDs to be included. Each line consists of three columns,
the first column is the \s-1OID\s0 in numerical format and should be followed by white
space. The second column is the \*(L"short name\*(R" which is a single word followed
by white space. The final column is the rest of the line and is the
\&\*(L"long name\*(R". \fBasn1parse\fR displays the long name. Example:
.PP
\&\f(CW\*(C`1.2.3.4 shortName A long name\*(C'\fR
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Parse a file:
.PP
.Vb 1
\& openssl asn1parse \-in file.pem
.Ve
.PP
Parse a \s-1DER\s0 file:
.PP
.Vb 1
\& openssl asn1parse \-inform DER \-in file.der
.Ve
.PP
Generate a simple UTF8String:
.PP
.Vb 1
\& openssl asn1parse \-genstr \*(AqUTF8:Hello World\*(Aq
.Ve
.PP
Generate and write out a UTF8String, don't print parsed output:
.PP
.Vb 1
\& openssl asn1parse \-genstr \*(AqUTF8:Hello World\*(Aq \-noout \-out utf8.der
.Ve
.PP
Generate using a config file:
.PP
.Vb 1
\& openssl asn1parse \-genconf asn1.cnf \-noout \-out asn1.der
.Ve
.PP
Example config file:
.PP
.Vb 1
\& asn1=SEQUENCE:seq_sect
\&
\& [seq_sect]
\&
\& field1=BOOL:TRUE
\& field2=EXP:0, UTF8:some random string
.Ve
.SH "BUGS"
.IX Header "BUGS"
There should be options to change the format of output lines. The output of some
\&\s-1ASN.1\s0 types is not well handled (if at all).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBASN1_generate_nconf\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/ca.1 b/secure/usr.bin/openssl/man/ca.1
index 788d74fb12b5..eb0d52df1c89 100644
--- a/secure/usr.bin/openssl/man/ca.1
+++ b/secure/usr.bin/openssl/man/ca.1
@@ -1,823 +1,823 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CA 1"
-.TH CA 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CA 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-ca, ca \- sample minimal CA application
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBca\fR
[\fB\-help\fR]
[\fB\-verbose\fR]
[\fB\-config filename\fR]
[\fB\-name section\fR]
[\fB\-gencrl\fR]
[\fB\-revoke file\fR]
[\fB\-valid file\fR]
[\fB\-status serial\fR]
[\fB\-updatedb\fR]
[\fB\-crl_reason reason\fR]
[\fB\-crl_hold instruction\fR]
[\fB\-crl_compromise time\fR]
[\fB\-crl_CA_compromise time\fR]
[\fB\-crldays days\fR]
[\fB\-crlhours hours\fR]
[\fB\-crlexts section\fR]
[\fB\-startdate date\fR]
[\fB\-enddate date\fR]
[\fB\-days arg\fR]
[\fB\-md arg\fR]
[\fB\-policy arg\fR]
[\fB\-keyfile arg\fR]
[\fB\-keyform PEM|DER\fR]
[\fB\-key arg\fR]
[\fB\-passin arg\fR]
[\fB\-cert file\fR]
[\fB\-selfsign\fR]
[\fB\-in file\fR]
[\fB\-out file\fR]
[\fB\-notext\fR]
[\fB\-outdir dir\fR]
[\fB\-infiles\fR]
[\fB\-spkac file\fR]
[\fB\-ss_cert file\fR]
[\fB\-preserveDN\fR]
[\fB\-noemailDN\fR]
[\fB\-batch\fR]
[\fB\-msie_hack\fR]
[\fB\-extensions section\fR]
[\fB\-extfile section\fR]
[\fB\-engine id\fR]
[\fB\-subj arg\fR]
[\fB\-utf8\fR]
[\fB\-sigopt nm:v\fR]
[\fB\-create_serial\fR]
[\fB\-rand_serial\fR]
[\fB\-multivalue\-rdn\fR]
[\fB\-rand file...\fR]
[\fB\-writerand file\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBca\fR command is a minimal \s-1CA\s0 application. It can be used
to sign certificate requests in a variety of forms and generate
CRLs it also maintains a text database of issued certificates
and their status.
.PP
The options descriptions will be divided into each purpose.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-verbose\fR" 4
.IX Item "-verbose"
This prints extra details about the operations being performed.
.IP "\fB\-config filename\fR" 4
.IX Item "-config filename"
Specifies the configuration file to use.
Optional; for a description of the default value,
see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fBopenssl\fR\|(1).
.IP "\fB\-name section\fR" 4
.IX Item "-name section"
Specifies the configuration file section to use (overrides
\&\fBdefault_ca\fR in the \fBca\fR section).
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
An input filename containing a single certificate request to be
signed by the \s-1CA.\s0
.IP "\fB\-ss_cert filename\fR" 4
.IX Item "-ss_cert filename"
A single self-signed certificate to be signed by the \s-1CA.\s0
.IP "\fB\-spkac filename\fR" 4
.IX Item "-spkac filename"
A file containing a single Netscape signed public key and challenge
and additional field values to be signed by the \s-1CA.\s0 See the \fB\s-1SPKAC FORMAT\s0\fR
section for information on the required input and output format.
.IP "\fB\-infiles\fR" 4
.IX Item "-infiles"
If present this should be the last option, all subsequent arguments
are taken as the names of files containing certificate requests.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
The output file to output certificates to. The default is standard
output. The certificate details will also be printed out to this
file in \s-1PEM\s0 format (except that \fB\-spkac\fR outputs \s-1DER\s0 format).
.IP "\fB\-outdir directory\fR" 4
.IX Item "-outdir directory"
The directory to output certificates to. The certificate will be
written to a filename consisting of the serial number in hex with
\&\*(L".pem\*(R" appended.
.IP "\fB\-cert\fR" 4
.IX Item "-cert"
The \s-1CA\s0 certificate file.
.IP "\fB\-keyfile filename\fR" 4
.IX Item "-keyfile filename"
The private key to sign requests with.
.IP "\fB\-keyform PEM|DER\fR" 4
.IX Item "-keyform PEM|DER"
The format of the data in the private key file.
The default is \s-1PEM.\s0
.IP "\fB\-sigopt nm:v\fR" 4
.IX Item "-sigopt nm:v"
Pass options to the signature algorithm during sign or verify operations.
Names and values of these options are algorithm-specific.
.IP "\fB\-key password\fR" 4
.IX Item "-key password"
The password used to encrypt the private key. Since on some
systems the command line arguments are visible (e.g. Unix with
the 'ps' utility) this option should be used with caution.
.IP "\fB\-selfsign\fR" 4
.IX Item "-selfsign"
Indicates the issued certificates are to be signed with the key
the certificate requests were signed with (given with \fB\-keyfile\fR).
Certificate requests signed with a different key are ignored. If
\&\fB\-spkac\fR, \fB\-ss_cert\fR or \fB\-gencrl\fR are given, \fB\-selfsign\fR is
ignored.
.Sp
A consequence of using \fB\-selfsign\fR is that the self-signed
certificate appears among the entries in the certificate database
(see the configuration option \fBdatabase\fR), and uses the same
serial number counter as all other certificates sign with the
self-signed certificate.
.IP "\fB\-passin arg\fR" 4
.IX Item "-passin arg"
The key password source. For more information about the format of \fBarg\fR
see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-notext\fR" 4
.IX Item "-notext"
Don't output the text form of a certificate to the output file.
.IP "\fB\-startdate date\fR" 4
.IX Item "-startdate date"
This allows the start date to be explicitly set. The format of the
date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure), or
\&\s-1YYYYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 GeneralizedTime structure). In
both formats, seconds \s-1SS\s0 and timezone Z must be present.
.IP "\fB\-enddate date\fR" 4
.IX Item "-enddate date"
This allows the expiry date to be explicitly set. The format of the
date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure), or
\&\s-1YYYYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 GeneralizedTime structure). In
both formats, seconds \s-1SS\s0 and timezone Z must be present.
.IP "\fB\-days arg\fR" 4
.IX Item "-days arg"
The number of days to certify the certificate for.
.IP "\fB\-md alg\fR" 4
.IX Item "-md alg"
The message digest to use.
Any digest supported by the OpenSSL \fBdgst\fR command can be used. For signing
algorithms that do not support a digest (i.e. Ed25519 and Ed448) any message
digest that is set is ignored. This option also applies to CRLs.
.IP "\fB\-policy arg\fR" 4
.IX Item "-policy arg"
This option defines the \s-1CA\s0 \*(L"policy\*(R" to use. This is a section in
the configuration file which decides which fields should be mandatory
or match the \s-1CA\s0 certificate. Check out the \fB\s-1POLICY FORMAT\s0\fR section
for more information.
.IP "\fB\-msie_hack\fR" 4
.IX Item "-msie_hack"
This is a deprecated option to make \fBca\fR work with very old versions of
the \s-1IE\s0 certificate enrollment control \*(L"certenr3\*(R". It used UniversalStrings
for almost everything. Since the old control has various security bugs
its use is strongly discouraged.
.IP "\fB\-preserveDN\fR" 4
.IX Item "-preserveDN"
Normally the \s-1DN\s0 order of a certificate is the same as the order of the
fields in the relevant policy section. When this option is set the order
is the same as the request. This is largely for compatibility with the
older \s-1IE\s0 enrollment control which would only accept certificates if their
DNs match the order of the request. This is not needed for Xenroll.
.IP "\fB\-noemailDN\fR" 4
.IX Item "-noemailDN"
The \s-1DN\s0 of a certificate can contain the \s-1EMAIL\s0 field if present in the
request \s-1DN,\s0 however, it is good policy just having the e\-mail set into
the altName extension of the certificate. When this option is set the
\&\s-1EMAIL\s0 field is removed from the certificate' subject and set only in
the, eventually present, extensions. The \fBemail_in_dn\fR keyword can be
used in the configuration file to enable this behaviour.
.IP "\fB\-batch\fR" 4
.IX Item "-batch"
This sets the batch mode. In this mode no questions will be asked
and all certificates will be certified automatically.
.IP "\fB\-extensions section\fR" 4
.IX Item "-extensions section"
The section of the configuration file containing certificate extensions
to be added when a certificate is issued (defaults to \fBx509_extensions\fR
unless the \fB\-extfile\fR option is used). If no extension section is
present then, a V1 certificate is created. If the extension section
is present (even if it is empty), then a V3 certificate is created. See the
\&\fBx509v3_config\fR\|(5) manual page for details of the
extension section format.
.IP "\fB\-extfile file\fR" 4
.IX Item "-extfile file"
An additional configuration file to read certificate extensions from
(using the default section unless the \fB\-extensions\fR option is also
used).
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
Specifying an engine (by its unique \fBid\fR string) will cause \fBca\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
.IP "\fB\-subj arg\fR" 4
.IX Item "-subj arg"
Supersedes subject name given in the request.
The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR.
Keyword characters may be escaped by \e (backslash), and whitespace is retained.
Empty values are permitted, but the corresponding type will not be included
in the resulting certificate.
.IP "\fB\-utf8\fR" 4
.IX Item "-utf8"
This option causes field values to be interpreted as \s-1UTF8\s0 strings, by
default they are interpreted as \s-1ASCII.\s0 This means that the field
values, whether prompted from a terminal or obtained from a
configuration file, must be valid \s-1UTF8\s0 strings.
.IP "\fB\-create_serial\fR" 4
.IX Item "-create_serial"
If reading serial from the text file as specified in the configuration
fails, specifying this option creates a new random serial to be used as next
serial number.
To get random serial numbers, use the \fB\-rand_serial\fR flag instead; this
should only be used for simple error-recovery.
.IP "\fB\-rand_serial\fR" 4
.IX Item "-rand_serial"
Generate a large random number to use as the serial number.
This overrides any option or configuration to use a serial number file.
.IP "\fB\-multivalue\-rdn\fR" 4
.IX Item "-multivalue-rdn"
This option causes the \-subj argument to be interpreted with full
support for multivalued RDNs. Example:
.Sp
\&\fI/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\fR
.Sp
If \-multi\-rdn is not used then the \s-1UID\s0 value is \fI123456+CN=John Doe\fR.
.IP "\fB\-rand file...\fR" 4
.IX Item "-rand file..."
A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
.IP "[\fB\-writerand file\fR]" 4
.IX Item "[-writerand file]"
Writes random data to the specified \fIfile\fR upon exit.
This can be used with a subsequent \fB\-rand\fR flag.
.SH "CRL OPTIONS"
.IX Header "CRL OPTIONS"
.IP "\fB\-gencrl\fR" 4
.IX Item "-gencrl"
This option generates a \s-1CRL\s0 based on information in the index file.
.IP "\fB\-crldays num\fR" 4
.IX Item "-crldays num"
The number of days before the next \s-1CRL\s0 is due. That is the days from
now to place in the \s-1CRL\s0 nextUpdate field.
.IP "\fB\-crlhours num\fR" 4
.IX Item "-crlhours num"
The number of hours before the next \s-1CRL\s0 is due.
.IP "\fB\-revoke filename\fR" 4
.IX Item "-revoke filename"
A filename containing a certificate to revoke.
.IP "\fB\-valid filename\fR" 4
.IX Item "-valid filename"
A filename containing a certificate to add a Valid certificate entry.
.IP "\fB\-status serial\fR" 4
.IX Item "-status serial"
Displays the revocation status of the certificate with the specified
serial number and exits.
.IP "\fB\-updatedb\fR" 4
.IX Item "-updatedb"
Updates the database index to purge expired certificates.
.IP "\fB\-crl_reason reason\fR" 4
.IX Item "-crl_reason reason"
Revocation reason, where \fBreason\fR is one of: \fBunspecified\fR, \fBkeyCompromise\fR,
\&\fBCACompromise\fR, \fBaffiliationChanged\fR, \fBsuperseded\fR, \fBcessationOfOperation\fR,
\&\fBcertificateHold\fR or \fBremoveFromCRL\fR. The matching of \fBreason\fR is case
insensitive. Setting any revocation reason will make the \s-1CRL\s0 v2.
.Sp
In practice \fBremoveFromCRL\fR is not particularly useful because it is only used
in delta CRLs which are not currently implemented.
.IP "\fB\-crl_hold instruction\fR" 4
.IX Item "-crl_hold instruction"
This sets the \s-1CRL\s0 revocation reason code to \fBcertificateHold\fR and the hold
instruction to \fBinstruction\fR which must be an \s-1OID.\s0 Although any \s-1OID\s0 can be
used only \fBholdInstructionNone\fR (the use of which is discouraged by \s-1RFC2459\s0)
\&\fBholdInstructionCallIssuer\fR or \fBholdInstructionReject\fR will normally be used.
.IP "\fB\-crl_compromise time\fR" 4
.IX Item "-crl_compromise time"
This sets the revocation reason to \fBkeyCompromise\fR and the compromise time to
\&\fBtime\fR. \fBtime\fR should be in GeneralizedTime format that is \fB\s-1YYYYMMDDHHMMSSZ\s0\fR.
.IP "\fB\-crl_CA_compromise time\fR" 4
.IX Item "-crl_CA_compromise time"
This is the same as \fBcrl_compromise\fR except the revocation reason is set to
\&\fBCACompromise\fR.
.IP "\fB\-crlexts section\fR" 4
.IX Item "-crlexts section"
The section of the configuration file containing \s-1CRL\s0 extensions to
include. If no \s-1CRL\s0 extension section is present then a V1 \s-1CRL\s0 is
created, if the \s-1CRL\s0 extension section is present (even if it is
empty) then a V2 \s-1CRL\s0 is created. The \s-1CRL\s0 extensions specified are
\&\s-1CRL\s0 extensions and \fBnot\fR \s-1CRL\s0 entry extensions. It should be noted
that some software (for example Netscape) can't handle V2 CRLs. See
\&\fBx509v3_config\fR\|(5) manual page for details of the
extension section format.
.SH "CONFIGURATION FILE OPTIONS"
.IX Header "CONFIGURATION FILE OPTIONS"
The section of the configuration file containing options for \fBca\fR
is found as follows: If the \fB\-name\fR command line option is used,
then it names the section to be used. Otherwise the section to
be used must be named in the \fBdefault_ca\fR option of the \fBca\fR section
of the configuration file (or in the default section of the
configuration file). Besides \fBdefault_ca\fR, the following options are
read directly from the \fBca\fR section:
\s-1RANDFILE\s0
preserve
msie_hack
With the exception of \fB\s-1RANDFILE\s0\fR, this is probably a bug and may
change in future releases.
.PP
Many of the configuration file options are identical to command line
options. Where the option is present in the configuration file
and the command line the command line value is used. Where an
option is described as mandatory then it must be present in
the configuration file or the command line equivalent (if
any) used.
.IP "\fBoid_file\fR" 4
.IX Item "oid_file"
This specifies a file containing additional \fB\s-1OBJECT IDENTIFIERS\s0\fR.
Each line of the file should consist of the numerical form of the
object identifier followed by white space then the short name followed
by white space and finally the long name.
.IP "\fBoid_section\fR" 4
.IX Item "oid_section"
This specifies a section in the configuration file containing extra
object identifiers. Each line should consist of the short name of the
object identifier followed by \fB=\fR and the numerical form. The short
and long names are the same when this option is used.
.IP "\fBnew_certs_dir\fR" 4
.IX Item "new_certs_dir"
The same as the \fB\-outdir\fR command line option. It specifies
the directory where new certificates will be placed. Mandatory.
.IP "\fBcertificate\fR" 4
.IX Item "certificate"
The same as \fB\-cert\fR. It gives the file containing the \s-1CA\s0
certificate. Mandatory.
.IP "\fBprivate_key\fR" 4
.IX Item "private_key"
Same as the \fB\-keyfile\fR option. The file containing the
\&\s-1CA\s0 private key. Mandatory.
.IP "\fB\s-1RANDFILE\s0\fR" 4
.IX Item "RANDFILE"
At startup the specified file is loaded into the random number generator,
and at exit 256 bytes will be written to it.
.IP "\fBdefault_days\fR" 4
.IX Item "default_days"
The same as the \fB\-days\fR option. The number of days to certify
a certificate for.
.IP "\fBdefault_startdate\fR" 4
.IX Item "default_startdate"
The same as the \fB\-startdate\fR option. The start date to certify
a certificate for. If not set the current time is used.
.IP "\fBdefault_enddate\fR" 4
.IX Item "default_enddate"
The same as the \fB\-enddate\fR option. Either this option or
\&\fBdefault_days\fR (or the command line equivalents) must be
present.
.IP "\fBdefault_crl_hours default_crl_days\fR" 4
.IX Item "default_crl_hours default_crl_days"
The same as the \fB\-crlhours\fR and the \fB\-crldays\fR options. These
will only be used if neither command line option is present. At
least one of these must be present to generate a \s-1CRL.\s0
.IP "\fBdefault_md\fR" 4
.IX Item "default_md"
The same as the \fB\-md\fR option. Mandatory except where the signing algorithm does
not require a digest (i.e. Ed25519 and Ed448).
.IP "\fBdatabase\fR" 4
.IX Item "database"
The text database file to use. Mandatory. This file must be present
though initially it will be empty.
.IP "\fBunique_subject\fR" 4
.IX Item "unique_subject"
If the value \fByes\fR is given, the valid certificate entries in the
database must have unique subjects. if the value \fBno\fR is given,
several valid certificate entries may have the exact same subject.
The default value is \fByes\fR, to be compatible with older (pre 0.9.8)
versions of OpenSSL. However, to make \s-1CA\s0 certificate roll-over easier,
it's recommended to use the value \fBno\fR, especially if combined with
the \fB\-selfsign\fR command line option.
.Sp
Note that it is valid in some circumstances for certificates to be created
without any subject. In the case where there are multiple certificates without
subjects this does not count as a duplicate.
.IP "\fBserial\fR" 4
.IX Item "serial"
A text file containing the next serial number to use in hex. Mandatory.
This file must be present and contain a valid serial number.
.IP "\fBcrlnumber\fR" 4
.IX Item "crlnumber"
A text file containing the next \s-1CRL\s0 number to use in hex. The crl number
will be inserted in the CRLs only if this file exists. If this file is
present, it must contain a valid \s-1CRL\s0 number.
.IP "\fBx509_extensions\fR" 4
.IX Item "x509_extensions"
The same as \fB\-extensions\fR.
.IP "\fBcrl_extensions\fR" 4
.IX Item "crl_extensions"
The same as \fB\-crlexts\fR.
.IP "\fBpreserve\fR" 4
.IX Item "preserve"
The same as \fB\-preserveDN\fR
.IP "\fBemail_in_dn\fR" 4
.IX Item "email_in_dn"
The same as \fB\-noemailDN\fR. If you want the \s-1EMAIL\s0 field to be removed
from the \s-1DN\s0 of the certificate simply set this to 'no'. If not present
the default is to allow for the \s-1EMAIL\s0 filed in the certificate's \s-1DN.\s0
.IP "\fBmsie_hack\fR" 4
.IX Item "msie_hack"
The same as \fB\-msie_hack\fR
.IP "\fBpolicy\fR" 4
.IX Item "policy"
The same as \fB\-policy\fR. Mandatory. See the \fB\s-1POLICY FORMAT\s0\fR section
for more information.
.IP "\fBname_opt\fR, \fBcert_opt\fR" 4
.IX Item "name_opt, cert_opt"
These options allow the format used to display the certificate details
when asking the user to confirm signing. All the options supported by
the \fBx509\fR utilities \fB\-nameopt\fR and \fB\-certopt\fR switches can be used
here, except the \fBno_signame\fR and \fBno_sigdump\fR are permanently set
and cannot be disabled (this is because the certificate signature cannot
be displayed because the certificate has not been signed at this point).
.Sp
For convenience the values \fBca_default\fR are accepted by both to produce
a reasonable output.
.Sp
If neither option is present the format used in earlier versions of
OpenSSL is used. Use of the old format is \fBstrongly\fR discouraged because
it only displays fields mentioned in the \fBpolicy\fR section, mishandles
multicharacter string types and does not display extensions.
.IP "\fBcopy_extensions\fR" 4
.IX Item "copy_extensions"
Determines how extensions in certificate requests should be handled.
If set to \fBnone\fR or this option is not present then extensions are
ignored and not copied to the certificate. If set to \fBcopy\fR then any
extensions present in the request that are not already present are copied
to the certificate. If set to \fBcopyall\fR then all extensions in the
request are copied to the certificate: if the extension is already present
in the certificate it is deleted first. See the \fB\s-1WARNINGS\s0\fR section before
using this option.
.Sp
The main use of this option is to allow a certificate request to supply
values for certain extensions such as subjectAltName.
.SH "POLICY FORMAT"
.IX Header "POLICY FORMAT"
The policy section consists of a set of variables corresponding to
certificate \s-1DN\s0 fields. If the value is \*(L"match\*(R" then the field value
must match the same field in the \s-1CA\s0 certificate. If the value is
\&\*(L"supplied\*(R" then it must be present. If the value is \*(L"optional\*(R" then
it may be present. Any fields not mentioned in the policy section
are silently deleted, unless the \fB\-preserveDN\fR option is set but
this can be regarded more of a quirk than intended behaviour.
.SH "SPKAC FORMAT"
.IX Header "SPKAC FORMAT"
The input to the \fB\-spkac\fR command line option is a Netscape
signed public key and challenge. This will usually come from
the \fB\s-1KEYGEN\s0\fR tag in an \s-1HTML\s0 form to create a new private key.
It is however possible to create SPKACs using the \fBspkac\fR utility.
.PP
The file should contain the variable \s-1SPKAC\s0 set to the value of
the \s-1SPKAC\s0 and also the required \s-1DN\s0 components as name value pairs.
If you need to include the same component twice then it can be
preceded by a number and a '.'.
.PP
When processing \s-1SPKAC\s0 format, the output is \s-1DER\s0 if the \fB\-out\fR
flag is used, but \s-1PEM\s0 format if sending to stdout or the \fB\-outdir\fR
flag is used.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Note: these examples assume that the \fBca\fR directory structure is
already set up and the relevant files already exist. This usually
involves creating a \s-1CA\s0 certificate and private key with \fBreq\fR, a
serial number file and an empty index file and placing them in
the relevant directories.
.PP
To use the sample configuration file below the directories demoCA,
demoCA/private and demoCA/newcerts would be created. The \s-1CA\s0
certificate would be copied to demoCA/cacert.pem and its private
key to demoCA/private/cakey.pem. A file demoCA/serial would be
created containing for example \*(L"01\*(R" and the empty index file
demoCA/index.txt.
.PP
Sign a certificate request:
.PP
.Vb 1
\& openssl ca \-in req.pem \-out newcert.pem
.Ve
.PP
Sign a certificate request, using \s-1CA\s0 extensions:
.PP
.Vb 1
\& openssl ca \-in req.pem \-extensions v3_ca \-out newcert.pem
.Ve
.PP
Generate a \s-1CRL\s0
.PP
.Vb 1
\& openssl ca \-gencrl \-out crl.pem
.Ve
.PP
Sign several requests:
.PP
.Vb 1
\& openssl ca \-infiles req1.pem req2.pem req3.pem
.Ve
.PP
Certify a Netscape \s-1SPKAC:\s0
.PP
.Vb 1
\& openssl ca \-spkac spkac.txt
.Ve
.PP
A sample \s-1SPKAC\s0 file (the \s-1SPKAC\s0 line has been truncated for clarity):
.PP
.Vb 5
\& SPKAC=MIG0MGAwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAn7PDhCeV/xIxUg8V70YRxK2A5
\& CN=Steve Test
\& emailAddress=steve@openssl.org
\& 0.OU=OpenSSL Group
\& 1.OU=Another Group
.Ve
.PP
A sample configuration file with the relevant sections for \fBca\fR:
.PP
.Vb 2
\& [ ca ]
\& default_ca = CA_default # The default ca section
\&
\& [ CA_default ]
\&
\& dir = ./demoCA # top dir
\& database = $dir/index.txt # index file.
\& new_certs_dir = $dir/newcerts # new certs dir
\&
\& certificate = $dir/cacert.pem # The CA cert
\& serial = $dir/serial # serial no file
\& #rand_serial = yes # for random serial#\*(Aqs
\& private_key = $dir/private/cakey.pem# CA private key
\& RANDFILE = $dir/private/.rand # random number file
\&
\& default_days = 365 # how long to certify for
\& default_crl_days= 30 # how long before next CRL
\& default_md = md5 # md to use
\&
\& policy = policy_any # default policy
\& email_in_dn = no # Don\*(Aqt add the email into cert DN
\&
\& name_opt = ca_default # Subject name display option
\& cert_opt = ca_default # Certificate display option
\& copy_extensions = none # Don\*(Aqt copy extensions from request
\&
\& [ policy_any ]
\& countryName = supplied
\& stateOrProvinceName = optional
\& organizationName = optional
\& organizationalUnitName = optional
\& commonName = supplied
\& emailAddress = optional
.Ve
.SH "FILES"
.IX Header "FILES"
Note: the location of all files can change either by compile time options,
configuration file entries, environment variables or command line options.
The values below reflect the default values.
.PP
.Vb 10
\& /usr/local/ssl/lib/openssl.cnf \- master configuration file
\& ./demoCA \- main CA directory
\& ./demoCA/cacert.pem \- CA certificate
\& ./demoCA/private/cakey.pem \- CA private key
\& ./demoCA/serial \- CA serial number file
\& ./demoCA/serial.old \- CA serial number backup file
\& ./demoCA/index.txt \- CA text database file
\& ./demoCA/index.txt.old \- CA text database backup file
\& ./demoCA/certs \- certificate output file
\& ./demoCA/.rnd \- CA random seed information
.Ve
.SH "RESTRICTIONS"
.IX Header "RESTRICTIONS"
The text database index file is a critical part of the process and
if corrupted it can be difficult to fix. It is theoretically possible
to rebuild the index file from all the issued certificates and a current
\&\s-1CRL:\s0 however there is no option to do this.
.PP
V2 \s-1CRL\s0 features like delta CRLs are not currently supported.
.PP
Although several requests can be input and handled at once it is only
possible to include one \s-1SPKAC\s0 or self-signed certificate.
.SH "BUGS"
.IX Header "BUGS"
The use of an in-memory text database can cause problems when large
numbers of certificates are present because, as the name implies
the database has to be kept in memory.
.PP
The \fBca\fR command really needs rewriting or the required functionality
exposed at either a command or interface level so a more friendly utility
(perl script or \s-1GUI\s0) can handle things properly. The script
\&\fB\s-1CA\s0.pl\fR helps a little but not very much.
.PP
Any fields in a request that are not present in a policy are silently
deleted. This does not happen if the \fB\-preserveDN\fR option is used. To
enforce the absence of the \s-1EMAIL\s0 field within the \s-1DN,\s0 as suggested by
RFCs, regardless the contents of the request' subject the \fB\-noemailDN\fR
option can be used. The behaviour should be more friendly and
configurable.
.PP
Canceling some commands by refusing to certify a certificate can
create an empty file.
.SH "WARNINGS"
.IX Header "WARNINGS"
The \fBca\fR command is quirky and at times downright unfriendly.
.PP
The \fBca\fR utility was originally meant as an example of how to do things
in a \s-1CA.\s0 It was not supposed to be used as a full blown \s-1CA\s0 itself:
nevertheless some people are using it for this purpose.
.PP
The \fBca\fR command is effectively a single user command: no locking is
done on the various files and attempts to run more than one \fBca\fR command
on the same database can have unpredictable results.
.PP
The \fBcopy_extensions\fR option should be used with caution. If care is
not taken then it can be a security risk. For example if a certificate
request contains a basicConstraints extension with \s-1CA:TRUE\s0 and the
\&\fBcopy_extensions\fR value is set to \fBcopyall\fR and the user does not spot
this when the certificate is displayed then this will hand the requester
a valid \s-1CA\s0 certificate.
.PP
This situation can be avoided by setting \fBcopy_extensions\fR to \fBcopy\fR
and including basicConstraints with \s-1CA:FALSE\s0 in the configuration file.
Then if the request contains a basicConstraints extension it will be
ignored.
.PP
It is advisable to also include values for other extensions such
as \fBkeyUsage\fR to prevent a request supplying its own values.
.PP
Additional restrictions can be placed on the \s-1CA\s0 certificate itself.
For example if the \s-1CA\s0 certificate has:
.PP
.Vb 1
\& basicConstraints = CA:TRUE, pathlen:0
.Ve
.PP
then even if a certificate is issued with \s-1CA:TRUE\s0 it will not be valid.
.SH "HISTORY"
.IX Header "HISTORY"
Since OpenSSL 1.1.1, the program follows \s-1RFC5280.\s0 Specifically,
certificate validity period (specified by any of \fB\-startdate\fR,
\&\fB\-enddate\fR and \fB\-days\fR) will be encoded as UTCTime if the dates are
earlier than year 2049 (included), and as GeneralizedTime if the dates
are in year 2050 or later.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBreq\fR\|(1), \fBspkac\fR\|(1), \fBx509\fR\|(1), \s-1\fBCA\s0.pl\fR\|(1),
\&\fBconfig\fR\|(5), \fBx509v3_config\fR\|(5)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/ciphers.1 b/secure/usr.bin/openssl/man/ciphers.1
index d3d829f4b161..ee2f02f31f57 100644
--- a/secure/usr.bin/openssl/man/ciphers.1
+++ b/secure/usr.bin/openssl/man/ciphers.1
@@ -1,868 +1,868 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CIPHERS 1"
-.TH CIPHERS 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CIPHERS 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-ciphers, ciphers \- SSL cipher display and cipher list tool
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBciphers\fR
[\fB\-help\fR]
[\fB\-s\fR]
[\fB\-v\fR]
[\fB\-V\fR]
[\fB\-ssl3\fR]
[\fB\-tls1\fR]
[\fB\-tls1_1\fR]
[\fB\-tls1_2\fR]
[\fB\-tls1_3\fR]
[\fB\-s\fR]
[\fB\-psk\fR]
[\fB\-srp\fR]
[\fB\-stdname\fR]
[\fB\-convert name\fR]
[\fB\-ciphersuites val\fR]
[\fBcipherlist\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBciphers\fR command converts textual OpenSSL cipher lists into ordered
\&\s-1SSL\s0 cipher preference lists. It can be used as a test tool to determine
the appropriate cipherlist.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print a usage message.
.IP "\fB\-s\fR" 4
.IX Item "-s"
Only list supported ciphers: those consistent with the security level, and
minimum and maximum protocol version. This is closer to the actual cipher list
an application will support.
.Sp
\&\s-1PSK\s0 and \s-1SRP\s0 ciphers are not enabled by default: they require \fB\-psk\fR or \fB\-srp\fR
to enable them.
.Sp
It also does not change the default list of supported signature algorithms.
.Sp
On a server the list of supported ciphers might also exclude other ciphers
depending on the configured certificates and presence of \s-1DH\s0 parameters.
.Sp
If this option is not used then all ciphers that match the cipherlist will be
listed.
.IP "\fB\-psk\fR" 4
.IX Item "-psk"
When combined with \fB\-s\fR includes cipher suites which require \s-1PSK.\s0
.IP "\fB\-srp\fR" 4
.IX Item "-srp"
When combined with \fB\-s\fR includes cipher suites which require \s-1SRP.\s0
.IP "\fB\-v\fR" 4
.IX Item "-v"
Verbose output: For each cipher suite, list details as provided by
\&\fBSSL_CIPHER_description\fR\|(3).
.IP "\fB\-V\fR" 4
.IX Item "-V"
Like \fB\-v\fR, but include the official cipher suite values in hex.
.IP "\fB\-tls1_3\fR, \fB\-tls1_2\fR, \fB\-tls1_1\fR, \fB\-tls1\fR, \fB\-ssl3\fR" 4
.IX Item "-tls1_3, -tls1_2, -tls1_1, -tls1, -ssl3"
In combination with the \fB\-s\fR option, list the ciphers which could be used if
the specified protocol were negotiated.
Note that not all protocols and flags may be available, depending on how
OpenSSL was built.
.IP "\fB\-stdname\fR" 4
.IX Item "-stdname"
Precede each cipher suite by its standard name.
.IP "\fB\-convert name\fR" 4
.IX Item "-convert name"
Convert a standard cipher \fBname\fR to its OpenSSL name.
.IP "\fB\-ciphersuites val\fR" 4
.IX Item "-ciphersuites val"
Sets the list of TLSv1.3 ciphersuites. This list will be combined with any
TLSv1.2 and below ciphersuites that have been configured. The format for this
list is a simple colon (\*(L":\*(R") separated list of TLSv1.3 ciphersuite names. By
default this value is:
.Sp
.Vb 1
\& TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
.Ve
.IP "\fBcipherlist\fR" 4
.IX Item "cipherlist"
A cipher list of TLSv1.2 and below ciphersuites to convert to a cipher
preference list. This list will be combined with any TLSv1.3 ciphersuites that
have been configured. If it is not included then the default cipher list will be
used. The format is described below.
.SH "CIPHER LIST FORMAT"
.IX Header "CIPHER LIST FORMAT"
The cipher list consists of one or more \fIcipher strings\fR separated by colons.
Commas or spaces are also acceptable separators but colons are normally used.
.PP
The actual cipher string can take several different forms.
.PP
It can consist of a single cipher suite such as \fB\s-1RC4\-SHA\s0\fR.
.PP
It can represent a list of cipher suites containing a certain algorithm, or
cipher suites of a certain type. For example \fB\s-1SHA1\s0\fR represents all ciphers
suites using the digest algorithm \s-1SHA1\s0 and \fBSSLv3\fR represents all \s-1SSL\s0 v3
algorithms.
.PP
Lists of cipher suites can be combined in a single cipher string using the
\&\fB+\fR character. This is used as a logical \fBand\fR operation. For example
\&\fB\s-1SHA1+DES\s0\fR represents all cipher suites containing the \s-1SHA1\s0 \fBand\fR the \s-1DES\s0
algorithms.
.PP
Each cipher string can be optionally preceded by the characters \fB!\fR,
\&\fB\-\fR or \fB+\fR.
.PP
If \fB!\fR is used then the ciphers are permanently deleted from the list.
The ciphers deleted can never reappear in the list even if they are
explicitly stated.
.PP
If \fB\-\fR is used then the ciphers are deleted from the list, but some or
all of the ciphers can be added again by later options.
.PP
If \fB+\fR is used then the ciphers are moved to the end of the list. This
option doesn't add any new ciphers it just moves matching existing ones.
.PP
If none of these characters is present then the string is just interpreted
as a list of ciphers to be appended to the current preference list. If the
list includes any ciphers already present they will be ignored: that is they
will not moved to the end of the list.
.PP
The cipher string \fB\f(CB@STRENGTH\fB\fR can be used at any point to sort the current
cipher list in order of encryption algorithm key length.
.PP
The cipher string \fB\f(CB@SECLEVEL\fB=n\fR can be used at any point to set the security
level to \fBn\fR, which should be a number between zero and five, inclusive.
See SSL_CTX_set_security_level for a description of what each level means.
.PP
The cipher list can be prefixed with the \fB\s-1DEFAULT\s0\fR keyword, which enables
the default cipher list as defined below. Unlike cipher strings,
this prefix may not be combined with other strings using \fB+\fR character.
For example, \fB\s-1DEFAULT+DES\s0\fR is not valid.
.PP
The content of the default list is determined at compile time and normally
corresponds to \fB\s-1ALL:\s0!COMPLEMENTOFDEFAULT:!eNULL\fR.
.SH "CIPHER STRINGS"
.IX Header "CIPHER STRINGS"
The following is a list of all permitted cipher strings and their meanings.
.IP "\fB\s-1COMPLEMENTOFDEFAULT\s0\fR" 4
.IX Item "COMPLEMENTOFDEFAULT"
The ciphers included in \fB\s-1ALL\s0\fR, but not enabled by default. Currently
this includes all \s-1RC4\s0 and anonymous ciphers. Note that this rule does
not cover \fBeNULL\fR, which is not included by \fB\s-1ALL\s0\fR (use \fB\s-1COMPLEMENTOFALL\s0\fR if
necessary). Note that \s-1RC4\s0 based cipher suites are not built into OpenSSL by
default (see the enable-weak-ssl-ciphers option to Configure).
.IP "\fB\s-1ALL\s0\fR" 4
.IX Item "ALL"
All cipher suites except the \fBeNULL\fR ciphers (which must be explicitly enabled
if needed).
As of OpenSSL 1.0.0, the \fB\s-1ALL\s0\fR cipher suites are sensibly ordered by default.
.IP "\fB\s-1COMPLEMENTOFALL\s0\fR" 4
.IX Item "COMPLEMENTOFALL"
The cipher suites not enabled by \fB\s-1ALL\s0\fR, currently \fBeNULL\fR.
.IP "\fB\s-1HIGH\s0\fR" 4
.IX Item "HIGH"
\&\*(L"High\*(R" encryption cipher suites. This currently means those with key lengths
larger than 128 bits, and some cipher suites with 128\-bit keys.
.IP "\fB\s-1MEDIUM\s0\fR" 4
.IX Item "MEDIUM"
\&\*(L"Medium\*(R" encryption cipher suites, currently some of those using 128 bit
encryption.
.IP "\fB\s-1LOW\s0\fR" 4
.IX Item "LOW"
\&\*(L"Low\*(R" encryption cipher suites, currently those using 64 or 56 bit
encryption algorithms but excluding export cipher suites. All these
cipher suites have been removed as of OpenSSL 1.1.0.
.IP "\fBeNULL\fR, \fB\s-1NULL\s0\fR" 4
.IX Item "eNULL, NULL"
The \*(L"\s-1NULL\*(R"\s0 ciphers that is those offering no encryption. Because these offer no
encryption at all and are a security risk they are not enabled via either the
\&\fB\s-1DEFAULT\s0\fR or \fB\s-1ALL\s0\fR cipher strings.
Be careful when building cipherlists out of lower-level primitives such as
\&\fBkRSA\fR or \fBaECDSA\fR as these do overlap with the \fBeNULL\fR ciphers. When in
doubt, include \fB!eNULL\fR in your cipherlist.
.IP "\fBaNULL\fR" 4
.IX Item "aNULL"
The cipher suites offering no authentication. This is currently the anonymous
\&\s-1DH\s0 algorithms and anonymous \s-1ECDH\s0 algorithms. These cipher suites are vulnerable
to \*(L"man in the middle\*(R" attacks and so their use is discouraged.
These are excluded from the \fB\s-1DEFAULT\s0\fR ciphers, but included in the \fB\s-1ALL\s0\fR
ciphers.
Be careful when building cipherlists out of lower-level primitives such as
\&\fBkDHE\fR or \fB\s-1AES\s0\fR as these do overlap with the \fBaNULL\fR ciphers.
When in doubt, include \fB!aNULL\fR in your cipherlist.
.IP "\fBkRSA\fR, \fBaRSA\fR, \fB\s-1RSA\s0\fR" 4
.IX Item "kRSA, aRSA, RSA"
Cipher suites using \s-1RSA\s0 key exchange or authentication. \fB\s-1RSA\s0\fR is an alias for
\&\fBkRSA\fR.
.IP "\fBkDHr\fR, \fBkDHd\fR, \fBkDH\fR" 4
.IX Item "kDHr, kDHd, kDH"
Cipher suites using static \s-1DH\s0 key agreement and \s-1DH\s0 certificates signed by CAs
with \s-1RSA\s0 and \s-1DSS\s0 keys or either respectively.
All these cipher suites have been removed in OpenSSL 1.1.0.
.IP "\fBkDHE\fR, \fBkEDH\fR, \fB\s-1DH\s0\fR" 4
.IX Item "kDHE, kEDH, DH"
Cipher suites using ephemeral \s-1DH\s0 key agreement, including anonymous cipher
suites.
.IP "\fB\s-1DHE\s0\fR, \fB\s-1EDH\s0\fR" 4
.IX Item "DHE, EDH"
Cipher suites using authenticated ephemeral \s-1DH\s0 key agreement.
.IP "\fB\s-1ADH\s0\fR" 4
.IX Item "ADH"
Anonymous \s-1DH\s0 cipher suites, note that this does not include anonymous Elliptic
Curve \s-1DH\s0 (\s-1ECDH\s0) cipher suites.
.IP "\fBkEECDH\fR, \fBkECDHE\fR, \fB\s-1ECDH\s0\fR" 4
.IX Item "kEECDH, kECDHE, ECDH"
Cipher suites using ephemeral \s-1ECDH\s0 key agreement, including anonymous
cipher suites.
.IP "\fB\s-1ECDHE\s0\fR, \fB\s-1EECDH\s0\fR" 4
.IX Item "ECDHE, EECDH"
Cipher suites using authenticated ephemeral \s-1ECDH\s0 key agreement.
.IP "\fB\s-1AECDH\s0\fR" 4
.IX Item "AECDH"
Anonymous Elliptic Curve Diffie-Hellman cipher suites.
.IP "\fBaDSS\fR, \fB\s-1DSS\s0\fR" 4
.IX Item "aDSS, DSS"
Cipher suites using \s-1DSS\s0 authentication, i.e. the certificates carry \s-1DSS\s0 keys.
.IP "\fBaDH\fR" 4
.IX Item "aDH"
Cipher suites effectively using \s-1DH\s0 authentication, i.e. the certificates carry
\&\s-1DH\s0 keys.
All these cipher suites have been removed in OpenSSL 1.1.0.
.IP "\fBaECDSA\fR, \fB\s-1ECDSA\s0\fR" 4
.IX Item "aECDSA, ECDSA"
Cipher suites using \s-1ECDSA\s0 authentication, i.e. the certificates carry \s-1ECDSA\s0
keys.
.IP "\fBTLSv1.2\fR, \fBTLSv1.0\fR, \fBSSLv3\fR" 4
.IX Item "TLSv1.2, TLSv1.0, SSLv3"
Lists cipher suites which are only supported in at least \s-1TLS\s0 v1.2, \s-1TLS\s0 v1.0 or
\&\s-1SSL\s0 v3.0 respectively.
Note: there are no cipher suites specific to \s-1TLS\s0 v1.1.
Since this is only the minimum version, if, for example, TLSv1.0 is negotiated
then both TLSv1.0 and SSLv3.0 cipher suites are available.
.Sp
Note: these cipher strings \fBdo not\fR change the negotiated version of \s-1SSL\s0 or
\&\s-1TLS,\s0 they only affect the list of available cipher suites.
.IP "\fB\s-1AES128\s0\fR, \fB\s-1AES256\s0\fR, \fB\s-1AES\s0\fR" 4
.IX Item "AES128, AES256, AES"
cipher suites using 128 bit \s-1AES, 256\s0 bit \s-1AES\s0 or either 128 or 256 bit \s-1AES.\s0
.IP "\fB\s-1AESGCM\s0\fR" 4
.IX Item "AESGCM"
\&\s-1AES\s0 in Galois Counter Mode (\s-1GCM\s0): these cipher suites are only supported
in \s-1TLS\s0 v1.2.
.IP "\fB\s-1AESCCM\s0\fR, \fB\s-1AESCCM8\s0\fR" 4
.IX Item "AESCCM, AESCCM8"
\&\s-1AES\s0 in Cipher Block Chaining \- Message Authentication Mode (\s-1CCM\s0): these
cipher suites are only supported in \s-1TLS\s0 v1.2. \fB\s-1AESCCM\s0\fR references \s-1CCM\s0
cipher suites using both 16 and 8 octet Integrity Check Value (\s-1ICV\s0)
while \fB\s-1AESCCM8\s0\fR only references 8 octet \s-1ICV.\s0
.IP "\fB\s-1ARIA128\s0\fR, \fB\s-1ARIA256\s0\fR, \fB\s-1ARIA\s0\fR" 4
.IX Item "ARIA128, ARIA256, ARIA"
Cipher suites using 128 bit \s-1ARIA, 256\s0 bit \s-1ARIA\s0 or either 128 or 256 bit
\&\s-1ARIA.\s0
.IP "\fB\s-1CAMELLIA128\s0\fR, \fB\s-1CAMELLIA256\s0\fR, \fB\s-1CAMELLIA\s0\fR" 4
.IX Item "CAMELLIA128, CAMELLIA256, CAMELLIA"
Cipher suites using 128 bit \s-1CAMELLIA, 256\s0 bit \s-1CAMELLIA\s0 or either 128 or 256 bit
\&\s-1CAMELLIA.\s0
.IP "\fB\s-1CHACHA20\s0\fR" 4
.IX Item "CHACHA20"
Cipher suites using ChaCha20.
.IP "\fB3DES\fR" 4
.IX Item "3DES"
Cipher suites using triple \s-1DES.\s0
.IP "\fB\s-1DES\s0\fR" 4
.IX Item "DES"
Cipher suites using \s-1DES\s0 (not triple \s-1DES\s0).
All these cipher suites have been removed in OpenSSL 1.1.0.
.IP "\fB\s-1RC4\s0\fR" 4
.IX Item "RC4"
Cipher suites using \s-1RC4.\s0
.IP "\fB\s-1RC2\s0\fR" 4
.IX Item "RC2"
Cipher suites using \s-1RC2.\s0
.IP "\fB\s-1IDEA\s0\fR" 4
.IX Item "IDEA"
Cipher suites using \s-1IDEA.\s0
.IP "\fB\s-1SEED\s0\fR" 4
.IX Item "SEED"
Cipher suites using \s-1SEED.\s0
.IP "\fB\s-1MD5\s0\fR" 4
.IX Item "MD5"
Cipher suites using \s-1MD5.\s0
.IP "\fB\s-1SHA1\s0\fR, \fB\s-1SHA\s0\fR" 4
.IX Item "SHA1, SHA"
Cipher suites using \s-1SHA1.\s0
.IP "\fB\s-1SHA256\s0\fR, \fB\s-1SHA384\s0\fR" 4
.IX Item "SHA256, SHA384"
Cipher suites using \s-1SHA256\s0 or \s-1SHA384.\s0
.IP "\fBaGOST\fR" 4
.IX Item "aGOST"
Cipher suites using \s-1GOST R 34.10\s0 (either 2001 or 94) for authentication
(needs an engine supporting \s-1GOST\s0 algorithms).
.IP "\fBaGOST01\fR" 4
.IX Item "aGOST01"
Cipher suites using \s-1GOST R 34.10\-2001\s0 authentication.
.IP "\fBkGOST\fR" 4
.IX Item "kGOST"
Cipher suites, using \s-1VKO 34.10\s0 key exchange, specified in the \s-1RFC 4357.\s0
.IP "\fB\s-1GOST94\s0\fR" 4
.IX Item "GOST94"
Cipher suites, using \s-1HMAC\s0 based on \s-1GOST R 34.11\-94.\s0
.IP "\fB\s-1GOST89MAC\s0\fR" 4
.IX Item "GOST89MAC"
Cipher suites using \s-1GOST 28147\-89 MAC\s0 \fBinstead of\fR \s-1HMAC.\s0
.IP "\fB\s-1PSK\s0\fR" 4
.IX Item "PSK"
All cipher suites using pre-shared keys (\s-1PSK\s0).
.IP "\fBkPSK\fR, \fBkECDHEPSK\fR, \fBkDHEPSK\fR, \fBkRSAPSK\fR" 4
.IX Item "kPSK, kECDHEPSK, kDHEPSK, kRSAPSK"
Cipher suites using \s-1PSK\s0 key exchange, \s-1ECDHE_PSK, DHE_PSK\s0 or \s-1RSA_PSK.\s0
.IP "\fBaPSK\fR" 4
.IX Item "aPSK"
Cipher suites using \s-1PSK\s0 authentication (currently all \s-1PSK\s0 modes apart from
\&\s-1RSA_PSK\s0).
.IP "\fB\s-1SUITEB128\s0\fR, \fB\s-1SUITEB128ONLY\s0\fR, \fB\s-1SUITEB192\s0\fR" 4
.IX Item "SUITEB128, SUITEB128ONLY, SUITEB192"
Enables suite B mode of operation using 128 (permitting 192 bit mode by peer)
128 bit (not permitting 192 bit by peer) or 192 bit level of security
respectively.
If used these cipherstrings should appear first in the cipher
list and anything after them is ignored.
Setting Suite B mode has additional consequences required to comply with
\&\s-1RFC6460.\s0
In particular the supported signature algorithms is reduced to support only
\&\s-1ECDSA\s0 and \s-1SHA256\s0 or \s-1SHA384,\s0 only the elliptic curves P\-256 and P\-384 can be
used and only the two suite B compliant cipher suites
(\s-1ECDHE\-ECDSA\-AES128\-GCM\-SHA256\s0 and \s-1ECDHE\-ECDSA\-AES256\-GCM\-SHA384\s0) are
permissible.
.SH "CIPHER SUITE NAMES"
.IX Header "CIPHER SUITE NAMES"
The following lists give the \s-1SSL\s0 or \s-1TLS\s0 cipher suites names from the
relevant specification and their OpenSSL equivalents. It should be noted,
that several cipher suite names do not include the authentication used,
e.g. \s-1DES\-CBC3\-SHA.\s0 In these cases, \s-1RSA\s0 authentication is used.
.SS "\s-1SSL\s0 v3.0 cipher suites"
.IX Subsection "SSL v3.0 cipher suites"
.Vb 6
\& SSL_RSA_WITH_NULL_MD5 NULL\-MD5
\& SSL_RSA_WITH_NULL_SHA NULL\-SHA
\& SSL_RSA_WITH_RC4_128_MD5 RC4\-MD5
\& SSL_RSA_WITH_RC4_128_SHA RC4\-SHA
\& SSL_RSA_WITH_IDEA_CBC_SHA IDEA\-CBC\-SHA
\& SSL_RSA_WITH_3DES_EDE_CBC_SHA DES\-CBC3\-SHA
\&
\& SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA DH\-DSS\-DES\-CBC3\-SHA
\& SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA DH\-RSA\-DES\-CBC3\-SHA
\& SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE\-DSS\-DES\-CBC3\-SHA
\& SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE\-RSA\-DES\-CBC3\-SHA
\&
\& SSL_DH_anon_WITH_RC4_128_MD5 ADH\-RC4\-MD5
\& SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ADH\-DES\-CBC3\-SHA
\&
\& SSL_FORTEZZA_KEA_WITH_NULL_SHA Not implemented.
\& SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not implemented.
\& SSL_FORTEZZA_KEA_WITH_RC4_128_SHA Not implemented.
.Ve
.SS "\s-1TLS\s0 v1.0 cipher suites"
.IX Subsection "TLS v1.0 cipher suites"
.Vb 6
\& TLS_RSA_WITH_NULL_MD5 NULL\-MD5
\& TLS_RSA_WITH_NULL_SHA NULL\-SHA
\& TLS_RSA_WITH_RC4_128_MD5 RC4\-MD5
\& TLS_RSA_WITH_RC4_128_SHA RC4\-SHA
\& TLS_RSA_WITH_IDEA_CBC_SHA IDEA\-CBC\-SHA
\& TLS_RSA_WITH_3DES_EDE_CBC_SHA DES\-CBC3\-SHA
\&
\& TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented.
\& TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented.
\& TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE\-DSS\-DES\-CBC3\-SHA
\& TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE\-RSA\-DES\-CBC3\-SHA
\&
\& TLS_DH_anon_WITH_RC4_128_MD5 ADH\-RC4\-MD5
\& TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH\-DES\-CBC3\-SHA
.Ve
.SS "\s-1AES\s0 cipher suites from \s-1RFC3268,\s0 extending \s-1TLS\s0 v1.0"
.IX Subsection "AES cipher suites from RFC3268, extending TLS v1.0"
.Vb 2
\& TLS_RSA_WITH_AES_128_CBC_SHA AES128\-SHA
\& TLS_RSA_WITH_AES_256_CBC_SHA AES256\-SHA
\&
\& TLS_DH_DSS_WITH_AES_128_CBC_SHA DH\-DSS\-AES128\-SHA
\& TLS_DH_DSS_WITH_AES_256_CBC_SHA DH\-DSS\-AES256\-SHA
\& TLS_DH_RSA_WITH_AES_128_CBC_SHA DH\-RSA\-AES128\-SHA
\& TLS_DH_RSA_WITH_AES_256_CBC_SHA DH\-RSA\-AES256\-SHA
\&
\& TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE\-DSS\-AES128\-SHA
\& TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE\-DSS\-AES256\-SHA
\& TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE\-RSA\-AES128\-SHA
\& TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE\-RSA\-AES256\-SHA
\&
\& TLS_DH_anon_WITH_AES_128_CBC_SHA ADH\-AES128\-SHA
\& TLS_DH_anon_WITH_AES_256_CBC_SHA ADH\-AES256\-SHA
.Ve
.SS "Camellia cipher suites from \s-1RFC4132,\s0 extending \s-1TLS\s0 v1.0"
.IX Subsection "Camellia cipher suites from RFC4132, extending TLS v1.0"
.Vb 2
\& TLS_RSA_WITH_CAMELLIA_128_CBC_SHA CAMELLIA128\-SHA
\& TLS_RSA_WITH_CAMELLIA_256_CBC_SHA CAMELLIA256\-SHA
\&
\& TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA DH\-DSS\-CAMELLIA128\-SHA
\& TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA DH\-DSS\-CAMELLIA256\-SHA
\& TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA DH\-RSA\-CAMELLIA128\-SHA
\& TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA DH\-RSA\-CAMELLIA256\-SHA
\&
\& TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA DHE\-DSS\-CAMELLIA128\-SHA
\& TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA DHE\-DSS\-CAMELLIA256\-SHA
\& TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DHE\-RSA\-CAMELLIA128\-SHA
\& TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DHE\-RSA\-CAMELLIA256\-SHA
\&
\& TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA ADH\-CAMELLIA128\-SHA
\& TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA ADH\-CAMELLIA256\-SHA
.Ve
.SS "\s-1SEED\s0 cipher suites from \s-1RFC4162,\s0 extending \s-1TLS\s0 v1.0"
.IX Subsection "SEED cipher suites from RFC4162, extending TLS v1.0"
.Vb 1
\& TLS_RSA_WITH_SEED_CBC_SHA SEED\-SHA
\&
\& TLS_DH_DSS_WITH_SEED_CBC_SHA DH\-DSS\-SEED\-SHA
\& TLS_DH_RSA_WITH_SEED_CBC_SHA DH\-RSA\-SEED\-SHA
\&
\& TLS_DHE_DSS_WITH_SEED_CBC_SHA DHE\-DSS\-SEED\-SHA
\& TLS_DHE_RSA_WITH_SEED_CBC_SHA DHE\-RSA\-SEED\-SHA
\&
\& TLS_DH_anon_WITH_SEED_CBC_SHA ADH\-SEED\-SHA
.Ve
.SS "\s-1GOST\s0 cipher suites from draft-chudov-cryptopro-cptls, extending \s-1TLS\s0 v1.0"
.IX Subsection "GOST cipher suites from draft-chudov-cryptopro-cptls, extending TLS v1.0"
Note: these ciphers require an engine which including \s-1GOST\s0 cryptographic
algorithms, such as the \fBccgost\fR engine, included in the OpenSSL distribution.
.PP
.Vb 4
\& TLS_GOSTR341094_WITH_28147_CNT_IMIT GOST94\-GOST89\-GOST89
\& TLS_GOSTR341001_WITH_28147_CNT_IMIT GOST2001\-GOST89\-GOST89
\& TLS_GOSTR341094_WITH_NULL_GOSTR3411 GOST94\-NULL\-GOST94
\& TLS_GOSTR341001_WITH_NULL_GOSTR3411 GOST2001\-NULL\-GOST94
.Ve
.SS "Additional Export 1024 and other cipher suites"
.IX Subsection "Additional Export 1024 and other cipher suites"
Note: these ciphers can also be used in \s-1SSL\s0 v3.
.PP
.Vb 1
\& TLS_DHE_DSS_WITH_RC4_128_SHA DHE\-DSS\-RC4\-SHA
.Ve
.SS "Elliptic curve cipher suites."
.IX Subsection "Elliptic curve cipher suites."
.Vb 5
\& TLS_ECDHE_RSA_WITH_NULL_SHA ECDHE\-RSA\-NULL\-SHA
\& TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDHE\-RSA\-RC4\-SHA
\& TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDHE\-RSA\-DES\-CBC3\-SHA
\& TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDHE\-RSA\-AES128\-SHA
\& TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDHE\-RSA\-AES256\-SHA
\&
\& TLS_ECDHE_ECDSA_WITH_NULL_SHA ECDHE\-ECDSA\-NULL\-SHA
\& TLS_ECDHE_ECDSA_WITH_RC4_128_SHA ECDHE\-ECDSA\-RC4\-SHA
\& TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA ECDHE\-ECDSA\-DES\-CBC3\-SHA
\& TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDHE\-ECDSA\-AES128\-SHA
\& TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDHE\-ECDSA\-AES256\-SHA
\&
\& TLS_ECDH_anon_WITH_NULL_SHA AECDH\-NULL\-SHA
\& TLS_ECDH_anon_WITH_RC4_128_SHA AECDH\-RC4\-SHA
\& TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA AECDH\-DES\-CBC3\-SHA
\& TLS_ECDH_anon_WITH_AES_128_CBC_SHA AECDH\-AES128\-SHA
\& TLS_ECDH_anon_WITH_AES_256_CBC_SHA AECDH\-AES256\-SHA
.Ve
.SS "\s-1TLS\s0 v1.2 cipher suites"
.IX Subsection "TLS v1.2 cipher suites"
.Vb 1
\& TLS_RSA_WITH_NULL_SHA256 NULL\-SHA256
\&
\& TLS_RSA_WITH_AES_128_CBC_SHA256 AES128\-SHA256
\& TLS_RSA_WITH_AES_256_CBC_SHA256 AES256\-SHA256
\& TLS_RSA_WITH_AES_128_GCM_SHA256 AES128\-GCM\-SHA256
\& TLS_RSA_WITH_AES_256_GCM_SHA384 AES256\-GCM\-SHA384
\&
\& TLS_DH_RSA_WITH_AES_128_CBC_SHA256 DH\-RSA\-AES128\-SHA256
\& TLS_DH_RSA_WITH_AES_256_CBC_SHA256 DH\-RSA\-AES256\-SHA256
\& TLS_DH_RSA_WITH_AES_128_GCM_SHA256 DH\-RSA\-AES128\-GCM\-SHA256
\& TLS_DH_RSA_WITH_AES_256_GCM_SHA384 DH\-RSA\-AES256\-GCM\-SHA384
\&
\& TLS_DH_DSS_WITH_AES_128_CBC_SHA256 DH\-DSS\-AES128\-SHA256
\& TLS_DH_DSS_WITH_AES_256_CBC_SHA256 DH\-DSS\-AES256\-SHA256
\& TLS_DH_DSS_WITH_AES_128_GCM_SHA256 DH\-DSS\-AES128\-GCM\-SHA256
\& TLS_DH_DSS_WITH_AES_256_GCM_SHA384 DH\-DSS\-AES256\-GCM\-SHA384
\&
\& TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DHE\-RSA\-AES128\-SHA256
\& TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DHE\-RSA\-AES256\-SHA256
\& TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DHE\-RSA\-AES128\-GCM\-SHA256
\& TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DHE\-RSA\-AES256\-GCM\-SHA384
\&
\& TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 DHE\-DSS\-AES128\-SHA256
\& TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 DHE\-DSS\-AES256\-SHA256
\& TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 DHE\-DSS\-AES128\-GCM\-SHA256
\& TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 DHE\-DSS\-AES256\-GCM\-SHA384
\&
\& TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDHE\-RSA\-AES128\-SHA256
\& TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDHE\-RSA\-AES256\-SHA384
\& TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDHE\-RSA\-AES128\-GCM\-SHA256
\& TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDHE\-RSA\-AES256\-GCM\-SHA384
\&
\& TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ECDHE\-ECDSA\-AES128\-SHA256
\& TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ECDHE\-ECDSA\-AES256\-SHA384
\& TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDHE\-ECDSA\-AES128\-GCM\-SHA256
\& TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDHE\-ECDSA\-AES256\-GCM\-SHA384
\&
\& TLS_DH_anon_WITH_AES_128_CBC_SHA256 ADH\-AES128\-SHA256
\& TLS_DH_anon_WITH_AES_256_CBC_SHA256 ADH\-AES256\-SHA256
\& TLS_DH_anon_WITH_AES_128_GCM_SHA256 ADH\-AES128\-GCM\-SHA256
\& TLS_DH_anon_WITH_AES_256_GCM_SHA384 ADH\-AES256\-GCM\-SHA384
\&
\& RSA_WITH_AES_128_CCM AES128\-CCM
\& RSA_WITH_AES_256_CCM AES256\-CCM
\& DHE_RSA_WITH_AES_128_CCM DHE\-RSA\-AES128\-CCM
\& DHE_RSA_WITH_AES_256_CCM DHE\-RSA\-AES256\-CCM
\& RSA_WITH_AES_128_CCM_8 AES128\-CCM8
\& RSA_WITH_AES_256_CCM_8 AES256\-CCM8
\& DHE_RSA_WITH_AES_128_CCM_8 DHE\-RSA\-AES128\-CCM8
\& DHE_RSA_WITH_AES_256_CCM_8 DHE\-RSA\-AES256\-CCM8
\& ECDHE_ECDSA_WITH_AES_128_CCM ECDHE\-ECDSA\-AES128\-CCM
\& ECDHE_ECDSA_WITH_AES_256_CCM ECDHE\-ECDSA\-AES256\-CCM
\& ECDHE_ECDSA_WITH_AES_128_CCM_8 ECDHE\-ECDSA\-AES128\-CCM8
\& ECDHE_ECDSA_WITH_AES_256_CCM_8 ECDHE\-ECDSA\-AES256\-CCM8
.Ve
.SS "\s-1ARIA\s0 cipher suites from \s-1RFC6209,\s0 extending \s-1TLS\s0 v1.2"
.IX Subsection "ARIA cipher suites from RFC6209, extending TLS v1.2"
Note: the \s-1CBC\s0 modes mentioned in this \s-1RFC\s0 are not supported.
.PP
.Vb 10
\& TLS_RSA_WITH_ARIA_128_GCM_SHA256 ARIA128\-GCM\-SHA256
\& TLS_RSA_WITH_ARIA_256_GCM_SHA384 ARIA256\-GCM\-SHA384
\& TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 DHE\-RSA\-ARIA128\-GCM\-SHA256
\& TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 DHE\-RSA\-ARIA256\-GCM\-SHA384
\& TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 DHE\-DSS\-ARIA128\-GCM\-SHA256
\& TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 DHE\-DSS\-ARIA256\-GCM\-SHA384
\& TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 ECDHE\-ECDSA\-ARIA128\-GCM\-SHA256
\& TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 ECDHE\-ECDSA\-ARIA256\-GCM\-SHA384
\& TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 ECDHE\-ARIA128\-GCM\-SHA256
\& TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 ECDHE\-ARIA256\-GCM\-SHA384
\& TLS_PSK_WITH_ARIA_128_GCM_SHA256 PSK\-ARIA128\-GCM\-SHA256
\& TLS_PSK_WITH_ARIA_256_GCM_SHA384 PSK\-ARIA256\-GCM\-SHA384
\& TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 DHE\-PSK\-ARIA128\-GCM\-SHA256
\& TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 DHE\-PSK\-ARIA256\-GCM\-SHA384
\& TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 RSA\-PSK\-ARIA128\-GCM\-SHA256
\& TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 RSA\-PSK\-ARIA256\-GCM\-SHA384
.Ve
.SS "Camellia HMAC-Based cipher suites from \s-1RFC6367,\s0 extending \s-1TLS\s0 v1.2"
.IX Subsection "Camellia HMAC-Based cipher suites from RFC6367, extending TLS v1.2"
.Vb 4
\& TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE\-ECDSA\-CAMELLIA128\-SHA256
\& TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE\-ECDSA\-CAMELLIA256\-SHA384
\& TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE\-RSA\-CAMELLIA128\-SHA256
\& TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE\-RSA\-CAMELLIA256\-SHA384
.Ve
.SS "Pre-shared keying (\s-1PSK\s0) cipher suites"
.IX Subsection "Pre-shared keying (PSK) cipher suites"
.Vb 3
\& PSK_WITH_NULL_SHA PSK\-NULL\-SHA
\& DHE_PSK_WITH_NULL_SHA DHE\-PSK\-NULL\-SHA
\& RSA_PSK_WITH_NULL_SHA RSA\-PSK\-NULL\-SHA
\&
\& PSK_WITH_RC4_128_SHA PSK\-RC4\-SHA
\& PSK_WITH_3DES_EDE_CBC_SHA PSK\-3DES\-EDE\-CBC\-SHA
\& PSK_WITH_AES_128_CBC_SHA PSK\-AES128\-CBC\-SHA
\& PSK_WITH_AES_256_CBC_SHA PSK\-AES256\-CBC\-SHA
\&
\& DHE_PSK_WITH_RC4_128_SHA DHE\-PSK\-RC4\-SHA
\& DHE_PSK_WITH_3DES_EDE_CBC_SHA DHE\-PSK\-3DES\-EDE\-CBC\-SHA
\& DHE_PSK_WITH_AES_128_CBC_SHA DHE\-PSK\-AES128\-CBC\-SHA
\& DHE_PSK_WITH_AES_256_CBC_SHA DHE\-PSK\-AES256\-CBC\-SHA
\&
\& RSA_PSK_WITH_RC4_128_SHA RSA\-PSK\-RC4\-SHA
\& RSA_PSK_WITH_3DES_EDE_CBC_SHA RSA\-PSK\-3DES\-EDE\-CBC\-SHA
\& RSA_PSK_WITH_AES_128_CBC_SHA RSA\-PSK\-AES128\-CBC\-SHA
\& RSA_PSK_WITH_AES_256_CBC_SHA RSA\-PSK\-AES256\-CBC\-SHA
\&
\& PSK_WITH_AES_128_GCM_SHA256 PSK\-AES128\-GCM\-SHA256
\& PSK_WITH_AES_256_GCM_SHA384 PSK\-AES256\-GCM\-SHA384
\& DHE_PSK_WITH_AES_128_GCM_SHA256 DHE\-PSK\-AES128\-GCM\-SHA256
\& DHE_PSK_WITH_AES_256_GCM_SHA384 DHE\-PSK\-AES256\-GCM\-SHA384
\& RSA_PSK_WITH_AES_128_GCM_SHA256 RSA\-PSK\-AES128\-GCM\-SHA256
\& RSA_PSK_WITH_AES_256_GCM_SHA384 RSA\-PSK\-AES256\-GCM\-SHA384
\&
\& PSK_WITH_AES_128_CBC_SHA256 PSK\-AES128\-CBC\-SHA256
\& PSK_WITH_AES_256_CBC_SHA384 PSK\-AES256\-CBC\-SHA384
\& PSK_WITH_NULL_SHA256 PSK\-NULL\-SHA256
\& PSK_WITH_NULL_SHA384 PSK\-NULL\-SHA384
\& DHE_PSK_WITH_AES_128_CBC_SHA256 DHE\-PSK\-AES128\-CBC\-SHA256
\& DHE_PSK_WITH_AES_256_CBC_SHA384 DHE\-PSK\-AES256\-CBC\-SHA384
\& DHE_PSK_WITH_NULL_SHA256 DHE\-PSK\-NULL\-SHA256
\& DHE_PSK_WITH_NULL_SHA384 DHE\-PSK\-NULL\-SHA384
\& RSA_PSK_WITH_AES_128_CBC_SHA256 RSA\-PSK\-AES128\-CBC\-SHA256
\& RSA_PSK_WITH_AES_256_CBC_SHA384 RSA\-PSK\-AES256\-CBC\-SHA384
\& RSA_PSK_WITH_NULL_SHA256 RSA\-PSK\-NULL\-SHA256
\& RSA_PSK_WITH_NULL_SHA384 RSA\-PSK\-NULL\-SHA384
\& PSK_WITH_AES_128_GCM_SHA256 PSK\-AES128\-GCM\-SHA256
\& PSK_WITH_AES_256_GCM_SHA384 PSK\-AES256\-GCM\-SHA384
\&
\& ECDHE_PSK_WITH_RC4_128_SHA ECDHE\-PSK\-RC4\-SHA
\& ECDHE_PSK_WITH_3DES_EDE_CBC_SHA ECDHE\-PSK\-3DES\-EDE\-CBC\-SHA
\& ECDHE_PSK_WITH_AES_128_CBC_SHA ECDHE\-PSK\-AES128\-CBC\-SHA
\& ECDHE_PSK_WITH_AES_256_CBC_SHA ECDHE\-PSK\-AES256\-CBC\-SHA
\& ECDHE_PSK_WITH_AES_128_CBC_SHA256 ECDHE\-PSK\-AES128\-CBC\-SHA256
\& ECDHE_PSK_WITH_AES_256_CBC_SHA384 ECDHE\-PSK\-AES256\-CBC\-SHA384
\& ECDHE_PSK_WITH_NULL_SHA ECDHE\-PSK\-NULL\-SHA
\& ECDHE_PSK_WITH_NULL_SHA256 ECDHE\-PSK\-NULL\-SHA256
\& ECDHE_PSK_WITH_NULL_SHA384 ECDHE\-PSK\-NULL\-SHA384
\&
\& PSK_WITH_CAMELLIA_128_CBC_SHA256 PSK\-CAMELLIA128\-SHA256
\& PSK_WITH_CAMELLIA_256_CBC_SHA384 PSK\-CAMELLIA256\-SHA384
\&
\& DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 DHE\-PSK\-CAMELLIA128\-SHA256
\& DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 DHE\-PSK\-CAMELLIA256\-SHA384
\&
\& RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 RSA\-PSK\-CAMELLIA128\-SHA256
\& RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 RSA\-PSK\-CAMELLIA256\-SHA384
\&
\& ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 ECDHE\-PSK\-CAMELLIA128\-SHA256
\& ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 ECDHE\-PSK\-CAMELLIA256\-SHA384
\&
\& PSK_WITH_AES_128_CCM PSK\-AES128\-CCM
\& PSK_WITH_AES_256_CCM PSK\-AES256\-CCM
\& DHE_PSK_WITH_AES_128_CCM DHE\-PSK\-AES128\-CCM
\& DHE_PSK_WITH_AES_256_CCM DHE\-PSK\-AES256\-CCM
\& PSK_WITH_AES_128_CCM_8 PSK\-AES128\-CCM8
\& PSK_WITH_AES_256_CCM_8 PSK\-AES256\-CCM8
\& DHE_PSK_WITH_AES_128_CCM_8 DHE\-PSK\-AES128\-CCM8
\& DHE_PSK_WITH_AES_256_CCM_8 DHE\-PSK\-AES256\-CCM8
.Ve
.SS "ChaCha20\-Poly1305 cipher suites, extending \s-1TLS\s0 v1.2"
.IX Subsection "ChaCha20-Poly1305 cipher suites, extending TLS v1.2"
.Vb 7
\& TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ECDHE\-RSA\-CHACHA20\-POLY1305
\& TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 ECDHE\-ECDSA\-CHACHA20\-POLY1305
\& TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 DHE\-RSA\-CHACHA20\-POLY1305
\& TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 PSK\-CHACHA20\-POLY1305
\& TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 ECDHE\-PSK\-CHACHA20\-POLY1305
\& TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 DHE\-PSK\-CHACHA20\-POLY1305
\& TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 RSA\-PSK\-CHACHA20\-POLY1305
.Ve
.SS "\s-1TLS\s0 v1.3 cipher suites"
.IX Subsection "TLS v1.3 cipher suites"
.Vb 5
\& TLS_AES_128_GCM_SHA256 TLS_AES_128_GCM_SHA256
\& TLS_AES_256_GCM_SHA384 TLS_AES_256_GCM_SHA384
\& TLS_CHACHA20_POLY1305_SHA256 TLS_CHACHA20_POLY1305_SHA256
\& TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_SHA256
\& TLS_AES_128_CCM_8_SHA256 TLS_AES_128_CCM_8_SHA256
.Ve
.SS "Older names used by OpenSSL"
.IX Subsection "Older names used by OpenSSL"
The following names are accepted by older releases:
.PP
.Vb 2
\& SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH\-RSA\-DES\-CBC3\-SHA (DHE\-RSA\-DES\-CBC3\-SHA)
\& SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH\-DSS\-DES\-CBC3\-SHA (DHE\-DSS\-DES\-CBC3\-SHA)
.Ve
.SH "NOTES"
.IX Header "NOTES"
Some compiled versions of OpenSSL may not include all the ciphers
listed here because some ciphers were excluded at compile time.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Verbose listing of all OpenSSL ciphers including \s-1NULL\s0 ciphers:
.PP
.Vb 1
\& openssl ciphers \-v \*(AqALL:eNULL\*(Aq
.Ve
.PP
Include all ciphers except \s-1NULL\s0 and anonymous \s-1DH\s0 then sort by
strength:
.PP
.Vb 1
\& openssl ciphers \-v \*(AqALL:!ADH:@STRENGTH\*(Aq
.Ve
.PP
Include all ciphers except ones with no encryption (eNULL) or no
authentication (aNULL):
.PP
.Vb 1
\& openssl ciphers \-v \*(AqALL:!aNULL\*(Aq
.Ve
.PP
Include only 3DES ciphers and then place \s-1RSA\s0 ciphers last:
.PP
.Vb 1
\& openssl ciphers \-v \*(Aq3DES:+RSA\*(Aq
.Ve
.PP
Include all \s-1RC4\s0 ciphers but leave out those without authentication:
.PP
.Vb 1
\& openssl ciphers \-v \*(AqRC4:!COMPLEMENTOFDEFAULT\*(Aq
.Ve
.PP
Include all ciphers with \s-1RSA\s0 authentication but leave out ciphers without
encryption.
.PP
.Vb 1
\& openssl ciphers \-v \*(AqRSA:!COMPLEMENTOFALL\*(Aq
.Ve
.PP
Set security level to 2 and display all ciphers consistent with level 2:
.PP
.Vb 1
\& openssl ciphers \-s \-v \*(AqALL:@SECLEVEL=2\*(Aq
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBs_client\fR\|(1), \fBs_server\fR\|(1), \fBssl\fR\|(7)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-V\fR option for the \fBciphers\fR command was added in OpenSSL 1.0.0.
.PP
The \fB\-stdname\fR is only available if OpenSSL is built with tracing enabled
(\fBenable-ssl-trace\fR argument to Configure) before OpenSSL 1.1.1.
.PP
The \fB\-convert\fR option was added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/cms.1 b/secure/usr.bin/openssl/man/cms.1
index 14987f9a005f..aa2f13047228 100644
--- a/secure/usr.bin/openssl/man/cms.1
+++ b/secure/usr.bin/openssl/man/cms.1
@@ -1,820 +1,823 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CMS 1"
-.TH CMS 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CMS 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-cms, cms \- CMS utility
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBcms\fR
[\fB\-help\fR]
[\fB\-encrypt\fR]
[\fB\-decrypt\fR]
[\fB\-sign\fR]
[\fB\-verify\fR]
[\fB\-cmsout\fR]
[\fB\-resign\fR]
[\fB\-data_create\fR]
[\fB\-data_out\fR]
[\fB\-digest_create\fR]
[\fB\-digest_verify\fR]
[\fB\-compress\fR]
[\fB\-uncompress\fR]
[\fB\-EncryptedData_encrypt\fR]
[\fB\-sign_receipt\fR]
[\fB\-verify_receipt receipt\fR]
[\fB\-in filename\fR]
[\fB\-inform SMIME|PEM|DER\fR]
[\fB\-rctform SMIME|PEM|DER\fR]
[\fB\-out filename\fR]
[\fB\-outform SMIME|PEM|DER\fR]
[\fB\-stream \-indef \-noindef\fR]
[\fB\-noindef\fR]
[\fB\-content filename\fR]
[\fB\-text\fR]
[\fB\-noout\fR]
[\fB\-print\fR]
[\fB\-CAfile file\fR]
[\fB\-CApath dir\fR]
[\fB\-no\-CAfile\fR]
[\fB\-no\-CApath\fR]
[\fB\-attime timestamp\fR]
[\fB\-check_ss_sig\fR]
[\fB\-crl_check\fR]
[\fB\-crl_check_all\fR]
[\fB\-explicit_policy\fR]
[\fB\-extended_crl\fR]
[\fB\-ignore_critical\fR]
[\fB\-inhibit_any\fR]
[\fB\-inhibit_map\fR]
[\fB\-no_check_time\fR]
[\fB\-partial_chain\fR]
[\fB\-policy arg\fR]
[\fB\-policy_check\fR]
[\fB\-policy_print\fR]
[\fB\-purpose purpose\fR]
[\fB\-suiteB_128\fR]
[\fB\-suiteB_128_only\fR]
[\fB\-suiteB_192\fR]
[\fB\-trusted_first\fR]
[\fB\-no_alt_chains\fR]
[\fB\-use_deltas\fR]
[\fB\-auth_level num\fR]
[\fB\-verify_depth num\fR]
[\fB\-verify_email email\fR]
[\fB\-verify_hostname hostname\fR]
[\fB\-verify_ip ip\fR]
[\fB\-verify_name name\fR]
[\fB\-x509_strict\fR]
[\fB\-md digest\fR]
[\fB\-\f(BIcipher\fB\fR]
[\fB\-nointern\fR]
[\fB\-noverify\fR]
[\fB\-nocerts\fR]
[\fB\-noattr\fR]
[\fB\-nosmimecap\fR]
[\fB\-binary\fR]
[\fB\-crlfeol\fR]
[\fB\-asciicrlf\fR]
[\fB\-nodetach\fR]
[\fB\-certfile file\fR]
[\fB\-certsout file\fR]
[\fB\-signer file\fR]
[\fB\-recip file\fR]
[\fB\-keyid\fR]
[\fB\-receipt_request_all\fR]
[\fB\-receipt_request_first\fR]
[\fB\-receipt_request_from emailaddress\fR]
[\fB\-receipt_request_to emailaddress\fR]
[\fB\-receipt_request_print\fR]
[\fB\-secretkey key\fR]
[\fB\-secretkeyid id\fR]
[\fB\-econtent_type type\fR]
[\fB\-inkey file\fR]
[\fB\-keyopt name:parameter\fR]
[\fB\-passin arg\fR]
[\fB\-rand file...\fR]
[\fB\-writerand file\fR]
[\fBcert.pem...\fR]
[\fB\-to addr\fR]
[\fB\-from addr\fR]
[\fB\-subject subj\fR]
[cert.pem]...
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBcms\fR command handles S/MIME v3.1 mail. It can encrypt, decrypt, sign and
verify, compress and uncompress S/MIME messages.
.SH "OPTIONS"
.IX Header "OPTIONS"
There are fourteen operation options that set the type of operation to be
performed. The meaning of the other options varies according to the operation
type.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-encrypt\fR" 4
.IX Item "-encrypt"
Encrypt mail for the given recipient certificates. Input file is the message
to be encrypted. The output file is the encrypted mail in \s-1MIME\s0 format. The
actual \s-1CMS\s0 type is <B>EnvelopedData<B>.
.Sp
Note that no revocation check is done for the recipient cert, so if that
key has been compromised, others may be able to decrypt the text.
.IP "\fB\-decrypt\fR" 4
.IX Item "-decrypt"
Decrypt mail using the supplied certificate and private key. Expects an
encrypted mail message in \s-1MIME\s0 format for the input file. The decrypted mail
is written to the output file.
.IP "\fB\-debug_decrypt\fR" 4
.IX Item "-debug_decrypt"
This option sets the \fB\s-1CMS_DEBUG_DECRYPT\s0\fR flag. This option should be used
with caution: see the notes section below.
.IP "\fB\-sign\fR" 4
.IX Item "-sign"
Sign mail using the supplied certificate and private key. Input file is
the message to be signed. The signed message in \s-1MIME\s0 format is written
to the output file.
.IP "\fB\-verify\fR" 4
.IX Item "-verify"
Verify signed mail. Expects a signed mail message on input and outputs
the signed data. Both clear text and opaque signing is supported.
.IP "\fB\-cmsout\fR" 4
.IX Item "-cmsout"
Takes an input message and writes out a \s-1PEM\s0 encoded \s-1CMS\s0 structure.
.IP "\fB\-resign\fR" 4
.IX Item "-resign"
Resign a message: take an existing message and one or more new signers.
.IP "\fB\-data_create\fR" 4
.IX Item "-data_create"
Create a \s-1CMS\s0 \fBData\fR type.
.IP "\fB\-data_out\fR" 4
.IX Item "-data_out"
\&\fBData\fR type and output the content.
.IP "\fB\-digest_create\fR" 4
.IX Item "-digest_create"
Create a \s-1CMS\s0 \fBDigestedData\fR type.
.IP "\fB\-digest_verify\fR" 4
.IX Item "-digest_verify"
Verify a \s-1CMS\s0 \fBDigestedData\fR type and output the content.
.IP "\fB\-compress\fR" 4
.IX Item "-compress"
Create a \s-1CMS\s0 \fBCompressedData\fR type. OpenSSL must be compiled with \fBzlib\fR
support for this option to work, otherwise it will output an error.
.IP "\fB\-uncompress\fR" 4
.IX Item "-uncompress"
Uncompress a \s-1CMS\s0 \fBCompressedData\fR type and output the content. OpenSSL must be
compiled with \fBzlib\fR support for this option to work, otherwise it will
output an error.
.IP "\fB\-EncryptedData_encrypt\fR" 4
.IX Item "-EncryptedData_encrypt"
Encrypt content using supplied symmetric key and algorithm using a \s-1CMS\s0
\&\fBEncryptedData\fR type and output the content.
.IP "\fB\-sign_receipt\fR" 4
.IX Item "-sign_receipt"
Generate and output a signed receipt for the supplied message. The input
message \fBmust\fR contain a signed receipt request. Functionality is otherwise
similar to the \fB\-sign\fR operation.
.IP "\fB\-verify_receipt receipt\fR" 4
.IX Item "-verify_receipt receipt"
Verify a signed receipt in filename \fBreceipt\fR. The input message \fBmust\fR
contain the original receipt request. Functionality is otherwise similar
to the \fB\-verify\fR operation.
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
The input message to be encrypted or signed or the message to be decrypted
or verified.
.IP "\fB\-inform SMIME|PEM|DER\fR" 4
.IX Item "-inform SMIME|PEM|DER"
This specifies the input format for the \s-1CMS\s0 structure. The default
is \fB\s-1SMIME\s0\fR which reads an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR
format change this to expect \s-1PEM\s0 and \s-1DER\s0 format \s-1CMS\s0 structures
instead. This currently only affects the input format of the \s-1CMS\s0
structure, if no \s-1CMS\s0 structure is being input (for example with
\&\fB\-encrypt\fR or \fB\-sign\fR) this option has no effect.
.IP "\fB\-rctform SMIME|PEM|DER\fR" 4
.IX Item "-rctform SMIME|PEM|DER"
Specify the format for a signed receipt for use with the \fB\-receipt_verify\fR
operation.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
The message text that has been decrypted or verified or the output \s-1MIME\s0
format message that has been signed or verified.
.IP "\fB\-outform SMIME|PEM|DER\fR" 4
.IX Item "-outform SMIME|PEM|DER"
This specifies the output format for the \s-1CMS\s0 structure. The default
is \fB\s-1SMIME\s0\fR which writes an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR
format change this to write \s-1PEM\s0 and \s-1DER\s0 format \s-1CMS\s0 structures
instead. This currently only affects the output format of the \s-1CMS\s0
structure, if no \s-1CMS\s0 structure is being output (for example with
\&\fB\-verify\fR or \fB\-decrypt\fR) this option has no effect.
.IP "\fB\-stream \-indef \-noindef\fR" 4
.IX Item "-stream -indef -noindef"
The \fB\-stream\fR and \fB\-indef\fR options are equivalent and enable streaming I/O
for encoding operations. This permits single pass processing of data without
the need to hold the entire contents in memory, potentially supporting very
large files. Streaming is automatically set for S/MIME signing with detached
data if the output format is \fB\s-1SMIME\s0\fR it is currently off by default for all
other operations.
.IP "\fB\-noindef\fR" 4
.IX Item "-noindef"
Disable streaming I/O where it would produce and indefinite length constructed
encoding. This option currently has no effect. In future streaming will be
enabled by default on all relevant operations and this option will disable it.
.IP "\fB\-content filename\fR" 4
.IX Item "-content filename"
This specifies a file containing the detached content, this is only
useful with the \fB\-verify\fR command. This is only usable if the \s-1CMS\s0
structure is using the detached signature form where the content is
not included. This option will override any content if the input format
is S/MIME and it uses the multipart/signed \s-1MIME\s0 content type.
.IP "\fB\-text\fR" 4
.IX Item "-text"
This option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied
message if encrypting or signing. If decrypting or verifying it strips
off text headers: if the decrypted or verified message is not of \s-1MIME\s0
type text/plain then an error occurs.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
For the \fB\-cmsout\fR operation do not output the parsed \s-1CMS\s0 structure. This
is useful when combined with the \fB\-print\fR option or if the syntax of the \s-1CMS\s0
structure is being checked.
.IP "\fB\-print\fR" 4
.IX Item "-print"
For the \fB\-cmsout\fR operation print out all fields of the \s-1CMS\s0 structure. This
is mainly useful for testing purposes.
.IP "\fB\-CAfile file\fR" 4
.IX Item "-CAfile file"
A file containing trusted \s-1CA\s0 certificates, only used with \fB\-verify\fR.
.IP "\fB\-CApath dir\fR" 4
.IX Item "-CApath dir"
A directory containing trusted \s-1CA\s0 certificates, only used with
\&\fB\-verify\fR. This directory must be a standard certificate directory: that
is a hash of each subject name (using \fBx509 \-hash\fR) should be linked
to each certificate.
.IP "\fB\-no\-CAfile\fR" 4
.IX Item "-no-CAfile"
Do not load the trusted \s-1CA\s0 certificates from the default file location
.IP "\fB\-no\-CApath\fR" 4
.IX Item "-no-CApath"
Do not load the trusted \s-1CA\s0 certificates from the default directory location
.IP "\fB\-md digest\fR" 4
.IX Item "-md digest"
Digest algorithm to use when signing or resigning. If not present then the
default digest algorithm for the signing key will be used (usually \s-1SHA1\s0).
.IP "\fB\-\f(BIcipher\fB\fR" 4
.IX Item "-cipher"
The encryption algorithm to use. For example triple \s-1DES\s0 (168 bits) \- \fB\-des3\fR
or 256 bit \s-1AES\s0 \- \fB\-aes256\fR. Any standard algorithm name (as used by the
\&\fBEVP_get_cipherbyname()\fR function) can also be used preceded by a dash, for
example \fB\-aes\-128\-cbc\fR. See \fBenc\fR\|(1) for a list of ciphers
supported by your version of OpenSSL.
.Sp
If not specified triple \s-1DES\s0 is used. Only used with \fB\-encrypt\fR and
\&\fB\-EncryptedData_create\fR commands.
.IP "\fB\-nointern\fR" 4
.IX Item "-nointern"
When verifying a message normally certificates (if any) included in
the message are searched for the signing certificate. With this option
only the certificates specified in the \fB\-certfile\fR option are used.
The supplied certificates can still be used as untrusted CAs however.
.IP "\fB\-noverify\fR" 4
.IX Item "-noverify"
Do not verify the signers certificate of a signed message.
.IP "\fB\-nocerts\fR" 4
.IX Item "-nocerts"
When signing a message the signer's certificate is normally included
with this option it is excluded. This will reduce the size of the
signed message but the verifier must have a copy of the signers certificate
available locally (passed using the \fB\-certfile\fR option for example).
.IP "\fB\-noattr\fR" 4
.IX Item "-noattr"
Normally when a message is signed a set of attributes are included which
include the signing time and supported symmetric algorithms. With this
option they are not included.
.IP "\fB\-nosmimecap\fR" 4
.IX Item "-nosmimecap"
Exclude the list of supported algorithms from signed attributes, other options
such as signing time and content type are still included.
.IP "\fB\-binary\fR" 4
.IX Item "-binary"
Normally the input message is converted to \*(L"canonical\*(R" format which is
effectively using \s-1CR\s0 and \s-1LF\s0 as end of line: as required by the S/MIME
specification. When this option is present no translation occurs. This
is useful when handling binary data which may not be in \s-1MIME\s0 format.
.IP "\fB\-crlfeol\fR" 4
.IX Item "-crlfeol"
Normally the output file uses a single \fB\s-1LF\s0\fR as end of line. When this
option is present \fB\s-1CRLF\s0\fR is used instead.
.IP "\fB\-asciicrlf\fR" 4
.IX Item "-asciicrlf"
When signing use \s-1ASCII CRLF\s0 format canonicalisation. This strips trailing
whitespace from all lines, deletes trailing blank lines at \s-1EOF\s0 and sets
the encapsulated content type. This option is normally used with detached
content and an output signature format of \s-1DER.\s0 This option is not normally
needed when verifying as it is enabled automatically if the encapsulated
content format is detected.
.IP "\fB\-nodetach\fR" 4
.IX Item "-nodetach"
When signing a message use opaque signing: this form is more resistant
to translation by mail relays but it cannot be read by mail agents that
do not support S/MIME. Without this option cleartext signing with
the \s-1MIME\s0 type multipart/signed is used.
.IP "\fB\-certfile file\fR" 4
.IX Item "-certfile file"
Allows additional certificates to be specified. When signing these will
be included with the message. When verifying these will be searched for
the signers certificates. The certificates should be in \s-1PEM\s0 format.
.IP "\fB\-certsout file\fR" 4
.IX Item "-certsout file"
Any certificates contained in the message are written to \fBfile\fR.
.IP "\fB\-signer file\fR" 4
.IX Item "-signer file"
A signing certificate when signing or resigning a message, this option can be
used multiple times if more than one signer is required. If a message is being
verified then the signers certificates will be written to this file if the
verification was successful.
.IP "\fB\-recip file\fR" 4
.IX Item "-recip file"
When decrypting a message this specifies the recipients certificate. The
certificate must match one of the recipients of the message or an error
occurs.
.Sp
When encrypting a message this option may be used multiple times to specify
each recipient. This form \fBmust\fR be used if customised parameters are
required (for example to specify RSA-OAEP).
.Sp
Only certificates carrying \s-1RSA,\s0 Diffie-Hellman or \s-1EC\s0 keys are supported by this
option.
.IP "\fB\-keyid\fR" 4
.IX Item "-keyid"
Use subject key identifier to identify certificates instead of issuer name and
serial number. The supplied certificate \fBmust\fR include a subject key
identifier extension. Supported by \fB\-sign\fR and \fB\-encrypt\fR options.
.IP "\fB\-receipt_request_all\fR, \fB\-receipt_request_first\fR" 4
.IX Item "-receipt_request_all, -receipt_request_first"
For \fB\-sign\fR option include a signed receipt request. Indicate requests should
be provided by all recipient or first tier recipients (those mailed directly
and not from a mailing list). Ignored it \fB\-receipt_request_from\fR is included.
.IP "\fB\-receipt_request_from emailaddress\fR" 4
.IX Item "-receipt_request_from emailaddress"
For \fB\-sign\fR option include a signed receipt request. Add an explicit email
address where receipts should be supplied.
.IP "\fB\-receipt_request_to emailaddress\fR" 4
.IX Item "-receipt_request_to emailaddress"
Add an explicit email address where signed receipts should be sent to. This
option \fBmust\fR but supplied if a signed receipt it requested.
.IP "\fB\-receipt_request_print\fR" 4
.IX Item "-receipt_request_print"
For the \fB\-verify\fR operation print out the contents of any signed receipt
requests.
.IP "\fB\-secretkey key\fR" 4
.IX Item "-secretkey key"
Specify symmetric key to use. The key must be supplied in hex format and be
consistent with the algorithm used. Supported by the \fB\-EncryptedData_encrypt\fR
\&\fB\-EncryptedData_decrypt\fR, \fB\-encrypt\fR and \fB\-decrypt\fR options. When used
with \fB\-encrypt\fR or \fB\-decrypt\fR the supplied key is used to wrap or unwrap the
content encryption key using an \s-1AES\s0 key in the \fBKEKRecipientInfo\fR type.
.IP "\fB\-secretkeyid id\fR" 4
.IX Item "-secretkeyid id"
The key identifier for the supplied symmetric key for \fBKEKRecipientInfo\fR type.
This option \fBmust\fR be present if the \fB\-secretkey\fR option is used with
\&\fB\-encrypt\fR. With \fB\-decrypt\fR operations the \fBid\fR is used to locate the
relevant key if it is not supplied then an attempt is used to decrypt any
\&\fBKEKRecipientInfo\fR structures.
.IP "\fB\-econtent_type type\fR" 4
.IX Item "-econtent_type type"
Set the encapsulated content type to \fBtype\fR if not supplied the \fBData\fR type
is used. The \fBtype\fR argument can be any valid \s-1OID\s0 name in either text or
numerical format.
.IP "\fB\-inkey file\fR" 4
.IX Item "-inkey file"
The private key to use when signing or decrypting. This must match the
corresponding certificate. If this option is not specified then the
private key must be included in the certificate file specified with
the \fB\-recip\fR or \fB\-signer\fR file. When signing this option can be used
multiple times to specify successive keys.
.IP "\fB\-keyopt name:opt\fR" 4
.IX Item "-keyopt name:opt"
For signing and encryption this option can be used multiple times to
set customised parameters for the preceding key or certificate. It can
currently be used to set RSA-PSS for signing, RSA-OAEP for encryption
or to modify default parameters for \s-1ECDH.\s0
.IP "\fB\-passin arg\fR" 4
.IX Item "-passin arg"
The private key password source. For more information about the format of \fBarg\fR
see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-rand file...\fR" 4
.IX Item "-rand file..."
A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
.IP "[\fB\-writerand file\fR]" 4
.IX Item "[-writerand file]"
Writes random data to the specified \fIfile\fR upon exit.
This can be used with a subsequent \fB\-rand\fR flag.
.IP "\fBcert.pem...\fR" 4
.IX Item "cert.pem..."
One or more certificates of message recipients: used when encrypting
a message.
.IP "\fB\-to, \-from, \-subject\fR" 4
.IX Item "-to, -from, -subject"
The relevant mail headers. These are included outside the signed
portion of a message so they may be included manually. If signing
then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address.
.IP "\fB\-attime\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-no_check_time\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR" 4
.IX Item "-attime, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -no_check_time, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict"
Set various certificate chain validation options. See the
\&\fBverify\fR\|(1) manual page for details.
.SH "NOTES"
.IX Header "NOTES"
The \s-1MIME\s0 message must be sent without any blank lines between the
headers and the output. Some mail programs will automatically add
a blank line. Piping the mail directly to sendmail is one way to
achieve the correct format.
.PP
The supplied message to be signed or encrypted must include the
necessary \s-1MIME\s0 headers or many S/MIME clients won't display it
properly (if at all). You can use the \fB\-text\fR option to automatically
add plain text headers.
.PP
A \*(L"signed and encrypted\*(R" message is one where a signed message is
then encrypted. This can be produced by encrypting an already signed
message: see the examples section.
.PP
This version of the program only allows one signer per message but it
will verify multiple signers on received messages. Some S/MIME clients
choke if a message contains multiple signers. It is possible to sign
messages \*(L"in parallel\*(R" by signing an already signed message.
.PP
The options \fB\-encrypt\fR and \fB\-decrypt\fR reflect common usage in S/MIME
clients. Strictly speaking these process \s-1CMS\s0 enveloped data: \s-1CMS\s0
encrypted data is used for other purposes.
.PP
The \fB\-resign\fR option uses an existing message digest when adding a new
signer. This means that attributes must be present in at least one existing
signer using the same message digest or this operation will fail.
.PP
The \fB\-stream\fR and \fB\-indef\fR options enable streaming I/O support.
As a result the encoding is \s-1BER\s0 using indefinite length constructed encoding
and no longer \s-1DER.\s0 Streaming is supported for the \fB\-encrypt\fR operation and the
\&\fB\-sign\fR operation if the content is not detached.
.PP
Streaming is always used for the \fB\-sign\fR operation with detached data but
since the content is no longer part of the \s-1CMS\s0 structure the encoding
remains \s-1DER.\s0
.PP
If the \fB\-decrypt\fR option is used without a recipient certificate then an
attempt is made to locate the recipient by trying each potential recipient
in turn using the supplied private key. To thwart the \s-1MMA\s0 attack
(Bleichenbacher's attack on \s-1PKCS\s0 #1 v1.5 \s-1RSA\s0 padding) all recipients are
tried whether they succeed or not and if no recipients match the message
is \*(L"decrypted\*(R" using a random key which will typically output garbage.
The \fB\-debug_decrypt\fR option can be used to disable the \s-1MMA\s0 attack protection
and return an error if no recipient can be found: this option should be used
with caution. For a fuller description see \fBCMS_decrypt\fR\|(3)).
.SH "EXIT CODES"
.IX Header "EXIT CODES"
.IP "0" 4
The operation was completely successfully.
.IP "1" 4
.IX Item "1"
An error occurred parsing the command options.
.IP "2" 4
.IX Item "2"
One of the input files could not be read.
.IP "3" 4
.IX Item "3"
An error occurred creating the \s-1CMS\s0 file or when reading the \s-1MIME\s0
message.
.IP "4" 4
.IX Item "4"
An error occurred decrypting or verifying the message.
.IP "5" 4
.IX Item "5"
The message was verified correctly but an error occurred writing out
the signers certificates.
.SH "COMPATIBILITY WITH PKCS#7 format."
.IX Header "COMPATIBILITY WITH PKCS#7 format."
The \fBsmime\fR utility can only process the older \fBPKCS#7\fR format. The \fBcms\fR
utility supports Cryptographic Message Syntax format. Use of some features
will result in messages which cannot be processed by applications which only
support the older format. These are detailed below.
.PP
The use of the \fB\-keyid\fR option with \fB\-sign\fR or \fB\-encrypt\fR.
.PP
The \fB\-outform \s-1PEM\s0\fR option uses different headers.
.PP
The \fB\-compress\fR option.
.PP
The \fB\-secretkey\fR option when used with \fB\-encrypt\fR.
.PP
The use of \s-1PSS\s0 with \fB\-sign\fR.
.PP
The use of \s-1OAEP\s0 or non-RSA keys with \fB\-encrypt\fR.
.PP
Additionally the \fB\-EncryptedData_create\fR and \fB\-data_create\fR type cannot
be processed by the older \fBsmime\fR command.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Create a cleartext signed message:
.PP
.Vb 2
\& openssl cms \-sign \-in message.txt \-text \-out mail.msg \e
\& \-signer mycert.pem
.Ve
.PP
Create an opaque signed message
.PP
.Vb 2
\& openssl cms \-sign \-in message.txt \-text \-out mail.msg \-nodetach \e
\& \-signer mycert.pem
.Ve
.PP
Create a signed message, include some additional certificates and
read the private key from another file:
.PP
.Vb 2
\& openssl cms \-sign \-in in.txt \-text \-out mail.msg \e
\& \-signer mycert.pem \-inkey mykey.pem \-certfile mycerts.pem
.Ve
.PP
Create a signed message with two signers, use key identifier:
.PP
.Vb 2
\& openssl cms \-sign \-in message.txt \-text \-out mail.msg \e
\& \-signer mycert.pem \-signer othercert.pem \-keyid
.Ve
.PP
Send a signed message under Unix directly to sendmail, including headers:
.PP
.Vb 3
\& openssl cms \-sign \-in in.txt \-text \-signer mycert.pem \e
\& \-from steve@openssl.org \-to someone@somewhere \e
\& \-subject "Signed message" | sendmail someone@somewhere
.Ve
.PP
Verify a message and extract the signer's certificate if successful:
.PP
.Vb 1
\& openssl cms \-verify \-in mail.msg \-signer user.pem \-out signedtext.txt
.Ve
.PP
Send encrypted mail using triple \s-1DES:\s0
.PP
.Vb 3
\& openssl cms \-encrypt \-in in.txt \-from steve@openssl.org \e
\& \-to someone@somewhere \-subject "Encrypted message" \e
\& \-des3 user.pem \-out mail.msg
.Ve
.PP
Sign and encrypt mail:
.PP
.Vb 4
\& openssl cms \-sign \-in ml.txt \-signer my.pem \-text \e
\& | openssl cms \-encrypt \-out mail.msg \e
\& \-from steve@openssl.org \-to someone@somewhere \e
\& \-subject "Signed and Encrypted message" \-des3 user.pem
.Ve
.PP
Note: the encryption command does not include the \fB\-text\fR option because the
message being encrypted already has \s-1MIME\s0 headers.
.PP
Decrypt mail:
.PP
.Vb 1
\& openssl cms \-decrypt \-in mail.msg \-recip mycert.pem \-inkey key.pem
.Ve
.PP
The output from Netscape form signing is a PKCS#7 structure with the
detached signature format. You can use this program to verify the
signature by line wrapping the base64 encoded structure and surrounding
it with:
.PP
.Vb 2
\& \-\-\-\-\-BEGIN PKCS7\-\-\-\-\-
\& \-\-\-\-\-END PKCS7\-\-\-\-\-
.Ve
.PP
and using the command,
.PP
.Vb 1
\& openssl cms \-verify \-inform PEM \-in signature.pem \-content content.txt
.Ve
.PP
alternatively you can base64 decode the signature and use
.PP
.Vb 1
\& openssl cms \-verify \-inform DER \-in signature.der \-content content.txt
.Ve
.PP
Create an encrypted message using 128 bit Camellia:
.PP
.Vb 1
\& openssl cms \-encrypt \-in plain.txt \-camellia128 \-out mail.msg cert.pem
.Ve
.PP
Add a signer to an existing message:
.PP
.Vb 1
\& openssl cms \-resign \-in mail.msg \-signer newsign.pem \-out mail2.msg
.Ve
.PP
Sign mail using RSA-PSS:
.PP
.Vb 2
\& openssl cms \-sign \-in message.txt \-text \-out mail.msg \e
\& \-signer mycert.pem \-keyopt rsa_padding_mode:pss
.Ve
.PP
Create encrypted mail using RSA-OAEP:
.PP
.Vb 2
\& openssl cms \-encrypt \-in plain.txt \-out mail.msg \e
\& \-recip cert.pem \-keyopt rsa_padding_mode:oaep
.Ve
.PP
Use \s-1SHA256 KDF\s0 with an \s-1ECDH\s0 certificate:
.PP
.Vb 2
\& openssl cms \-encrypt \-in plain.txt \-out mail.msg \e
\& \-recip ecdhcert.pem \-keyopt ecdh_kdf_md:sha256
.Ve
.SH "BUGS"
.IX Header "BUGS"
The \s-1MIME\s0 parser isn't very clever: it seems to handle most messages that I've
thrown at it but it may choke on others.
.PP
The code currently will only write out the signer's certificate to a file: if
the signer has a separate encryption certificate this must be manually
extracted. There should be some heuristic that determines the correct
encryption certificate.
.PP
Ideally a database should be maintained of a certificates for each email
address.
.PP
The code doesn't currently take note of the permitted symmetric encryption
algorithms as supplied in the SMIMECapabilities signed attribute. this means the
user has to manually include the correct encryption algorithm. It should store
the list of permitted ciphers in a database and only use those.
.PP
No revocation checking is done on the signer's certificate.
+.PP
+The \fB\-binary\fR option does not work correctly when processing text input which
+(contrary to the S/MIME specification) uses \s-1LF\s0 rather than \s-1CRLF\s0 line endings.
.SH "HISTORY"
.IX Header "HISTORY"
The use of multiple \fB\-signer\fR options and the \fB\-resign\fR command were first
added in OpenSSL 1.0.0.
.PP
The \fBkeyopt\fR option was added in OpenSSL 1.0.2.
.PP
Support for RSA-OAEP and RSA-PSS was added in OpenSSL 1.0.2.
.PP
The use of non-RSA keys with \fB\-encrypt\fR and \fB\-decrypt\fR
was added in OpenSSL 1.0.2.
.PP
The \-no_alt_chains option was added in OpenSSL 1.0.2b.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
-Copyright 2008\-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008\-2022 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/crl.1 b/secure/usr.bin/openssl/man/crl.1
index 26391bc01122..559c0acd9712 100644
--- a/secure/usr.bin/openssl/man/crl.1
+++ b/secure/usr.bin/openssl/man/crl.1
@@ -1,257 +1,257 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CRL 1"
-.TH CRL 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CRL 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-crl, crl \- CRL utility
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBcrl\fR
[\fB\-help\fR]
[\fB\-inform PEM|DER\fR]
[\fB\-outform PEM|DER\fR]
[\fB\-text\fR]
[\fB\-in filename\fR]
[\fB\-out filename\fR]
[\fB\-nameopt option\fR]
[\fB\-noout\fR]
[\fB\-hash\fR]
[\fB\-issuer\fR]
[\fB\-lastupdate\fR]
[\fB\-nextupdate\fR]
[\fB\-CAfile file\fR]
[\fB\-CApath dir\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBcrl\fR command processes \s-1CRL\s0 files in \s-1DER\s0 or \s-1PEM\s0 format.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform DER|PEM\fR" 4
.IX Item "-inform DER|PEM"
This specifies the input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded \s-1CRL\s0
structure. \fB\s-1PEM\s0\fR (the default) is a base64 encoded version of
the \s-1DER\s0 form with header and footer lines.
.IP "\fB\-outform DER|PEM\fR" 4
.IX Item "-outform DER|PEM"
This specifies the output format, the options have the same meaning and default
as the \fB\-inform\fR option.
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read from or standard input if this
option is not specified.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
Specifies the output filename to write to or standard output by
default.
.IP "\fB\-text\fR" 4
.IX Item "-text"
Print out the \s-1CRL\s0 in text form.
.IP "\fB\-nameopt option\fR" 4
.IX Item "-nameopt option"
Option which determines how the subject or issuer names are displayed. See
the description of \fB\-nameopt\fR in \fBx509\fR\|(1).
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
Don't output the encoded version of the \s-1CRL.\s0
.IP "\fB\-hash\fR" 4
.IX Item "-hash"
Output a hash of the issuer name. This can be use to lookup CRLs in
a directory by issuer name.
.IP "\fB\-hash_old\fR" 4
.IX Item "-hash_old"
Outputs the \*(L"hash\*(R" of the \s-1CRL\s0 issuer name using the older algorithm
as used by OpenSSL before version 1.0.0.
.IP "\fB\-issuer\fR" 4
.IX Item "-issuer"
Output the issuer name.
.IP "\fB\-lastupdate\fR" 4
.IX Item "-lastupdate"
Output the lastUpdate field.
.IP "\fB\-nextupdate\fR" 4
.IX Item "-nextupdate"
Output the nextUpdate field.
.IP "\fB\-CAfile file\fR" 4
.IX Item "-CAfile file"
Verify the signature on a \s-1CRL\s0 by looking up the issuing certificate in
\&\fBfile\fR.
.IP "\fB\-CApath dir\fR" 4
.IX Item "-CApath dir"
Verify the signature on a \s-1CRL\s0 by looking up the issuing certificate in
\&\fBdir\fR. This directory must be a standard certificate directory: that
is a hash of each subject name (using \fBx509 \-hash\fR) should be linked
to each certificate.
.SH "NOTES"
.IX Header "NOTES"
The \s-1PEM CRL\s0 format uses the header and footer lines:
.PP
.Vb 2
\& \-\-\-\-\-BEGIN X509 CRL\-\-\-\-\-
\& \-\-\-\-\-END X509 CRL\-\-\-\-\-
.Ve
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Convert a \s-1CRL\s0 file from \s-1PEM\s0 to \s-1DER:\s0
.PP
.Vb 1
\& openssl crl \-in crl.pem \-outform DER \-out crl.der
.Ve
.PP
Output the text form of a \s-1DER\s0 encoded certificate:
.PP
.Vb 1
\& openssl crl \-in crl.der \-inform DER \-text \-noout
.Ve
.SH "BUGS"
.IX Header "BUGS"
Ideally it should be possible to create a \s-1CRL\s0 using appropriate options
and files too.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrl2pkcs7\fR\|(1), \fBca\fR\|(1), \fBx509\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/crl2pkcs7.1 b/secure/usr.bin/openssl/man/crl2pkcs7.1
index dbcabf0e0578..00fd5cd9956e 100644
--- a/secure/usr.bin/openssl/man/crl2pkcs7.1
+++ b/secure/usr.bin/openssl/man/crl2pkcs7.1
@@ -1,227 +1,227 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "CRL2PKCS7 1"
-.TH CRL2PKCS7 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH CRL2PKCS7 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-crl2pkcs7, crl2pkcs7 \- Create a PKCS#7 structure from a CRL and certificates
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBcrl2pkcs7\fR
[\fB\-help\fR]
[\fB\-inform PEM|DER\fR]
[\fB\-outform PEM|DER\fR]
[\fB\-in filename\fR]
[\fB\-out filename\fR]
[\fB\-certfile filename\fR]
[\fB\-nocrl\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBcrl2pkcs7\fR command takes an optional \s-1CRL\s0 and one or more
certificates and converts them into a PKCS#7 degenerate \*(L"certificates
only\*(R" structure.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform DER|PEM\fR" 4
.IX Item "-inform DER|PEM"
This specifies the \s-1CRL\s0 input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded \s-1CRL\s0
structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of
the \s-1DER\s0 form with header and footer lines. The default format is \s-1PEM.\s0
.IP "\fB\-outform DER|PEM\fR" 4
.IX Item "-outform DER|PEM"
This specifies the PKCS#7 structure output format. \fB\s-1DER\s0\fR format is \s-1DER\s0
encoded PKCS#7 structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of
the \s-1DER\s0 form with header and footer lines. The default format is \s-1PEM.\s0
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read a \s-1CRL\s0 from or standard input if this
option is not specified.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
Specifies the output filename to write the PKCS#7 structure to or standard
output by default.
.IP "\fB\-certfile filename\fR" 4
.IX Item "-certfile filename"
Specifies a filename containing one or more certificates in \fB\s-1PEM\s0\fR format.
All certificates in the file will be added to the PKCS#7 structure. This
option can be used more than once to read certificates from multiple
files.
.IP "\fB\-nocrl\fR" 4
.IX Item "-nocrl"
Normally a \s-1CRL\s0 is included in the output file. With this option no \s-1CRL\s0 is
included in the output file and a \s-1CRL\s0 is not read from the input file.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Create a PKCS#7 structure from a certificate and \s-1CRL:\s0
.PP
.Vb 1
\& openssl crl2pkcs7 \-in crl.pem \-certfile cert.pem \-out p7.pem
.Ve
.PP
Creates a PKCS#7 structure in \s-1DER\s0 format with no \s-1CRL\s0 from several
different certificates:
.PP
.Vb 2
\& openssl crl2pkcs7 \-nocrl \-certfile newcert.pem
\& \-certfile demoCA/cacert.pem \-outform DER \-out p7.der
.Ve
.SH "NOTES"
.IX Header "NOTES"
The output file is a PKCS#7 signed data structure containing no signers and
just certificates and an optional \s-1CRL.\s0
.PP
This utility can be used to send certificates and CAs to Netscape as part of
the certificate enrollment process. This involves sending the \s-1DER\s0 encoded output
as \s-1MIME\s0 type application/x\-x509\-user\-cert.
.PP
The \fB\s-1PEM\s0\fR encoded form with the header and footer lines removed can be used to
install user certificates and CAs in \s-1MSIE\s0 using the Xenroll control.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBpkcs7\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/dgst.1 b/secure/usr.bin/openssl/man/dgst.1
index 5daa3bd49340..abec590a64f9 100644
--- a/secure/usr.bin/openssl/man/dgst.1
+++ b/secure/usr.bin/openssl/man/dgst.1
@@ -1,346 +1,346 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DGST 1"
-.TH DGST 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DGST 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-dgst, dgst \- perform digest operations
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl dgst\fR
[\fB\-\f(BIdigest\fB\fR]
[\fB\-help\fR]
[\fB\-c\fR]
[\fB\-d\fR]
[\fB\-list\fR]
[\fB\-hex\fR]
[\fB\-binary\fR]
[\fB\-r\fR]
[\fB\-out filename\fR]
[\fB\-sign filename\fR]
[\fB\-keyform arg\fR]
[\fB\-passin arg\fR]
[\fB\-verify filename\fR]
[\fB\-prverify filename\fR]
[\fB\-signature filename\fR]
[\fB\-sigopt nm:v\fR]
[\fB\-hmac key\fR]
[\fB\-fips\-fingerprint\fR]
[\fB\-rand file...\fR]
[\fB\-engine id\fR]
[\fB\-engine_impl\fR]
[\fBfile...\fR]
.PP
\&\fBopenssl\fR \fIdigest\fR [\fB...\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The digest functions output the message digest of a supplied file or files
in hexadecimal. The digest functions also generate and verify digital
signatures using message digests.
.PP
The generic name, \fBdgst\fR, may be used with an option specifying the
algorithm to be used.
The default digest is \fIsha256\fR.
A supported \fIdigest\fR name may also be used as the command name.
To see the list of supported algorithms, use the \fIlist \-\-digest\-commands\fR
command.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-\f(BIdigest\fB\fR" 4
.IX Item "-digest"
Specifies name of a supported digest to be used. To see the list of
supported digests, use the command \fIlist \-\-digest\-commands\fR.
.IP "\fB\-c\fR" 4
.IX Item "-c"
Print out the digest in two digit groups separated by colons, only relevant if
\&\fBhex\fR format output is used.
.IP "\fB\-d\fR" 4
.IX Item "-d"
Print out \s-1BIO\s0 debugging information.
.IP "\fB\-list\fR" 4
.IX Item "-list"
Prints out a list of supported message digests.
.IP "\fB\-hex\fR" 4
.IX Item "-hex"
Digest is to be output as a hex dump. This is the default case for a \*(L"normal\*(R"
digest as opposed to a digital signature. See \s-1NOTES\s0 below for digital
signatures using \fB\-hex\fR.
.IP "\fB\-binary\fR" 4
.IX Item "-binary"
Output the digest or signature in binary form.
.IP "\fB\-r\fR" 4
.IX Item "-r"
Output the digest in the \*(L"coreutils\*(R" format, including newlines.
Used by programs like \fBsha1sum\fR.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
Filename to output to, or standard output by default.
.IP "\fB\-sign filename\fR" 4
.IX Item "-sign filename"
Digitally sign the digest using the private key in \*(L"filename\*(R". Note this option
does not support Ed25519 or Ed448 private keys.
.IP "\fB\-keyform arg\fR" 4
.IX Item "-keyform arg"
Specifies the key format to sign digest with. The \s-1DER, PEM, P12,\s0
and \s-1ENGINE\s0 formats are supported.
.IP "\fB\-sigopt nm:v\fR" 4
.IX Item "-sigopt nm:v"
Pass options to the signature algorithm during sign or verify operations.
Names and values of these options are algorithm-specific.
.IP "\fB\-passin arg\fR" 4
.IX Item "-passin arg"
The private key password source. For more information about the format of \fBarg\fR
see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-verify filename\fR" 4
.IX Item "-verify filename"
Verify the signature using the public key in \*(L"filename\*(R".
The output is either \*(L"Verification \s-1OK\*(R"\s0 or \*(L"Verification Failure\*(R".
.IP "\fB\-prverify filename\fR" 4
.IX Item "-prverify filename"
Verify the signature using the private key in \*(L"filename\*(R".
.IP "\fB\-signature filename\fR" 4
.IX Item "-signature filename"
The actual signature to verify.
.IP "\fB\-hmac key\fR" 4
.IX Item "-hmac key"
Create a hashed \s-1MAC\s0 using \*(L"key\*(R".
.IP "\fB\-mac alg\fR" 4
.IX Item "-mac alg"
Create \s-1MAC\s0 (keyed Message Authentication Code). The most popular \s-1MAC\s0
algorithm is \s-1HMAC\s0 (hash-based \s-1MAC\s0), but there are other \s-1MAC\s0 algorithms
which are not based on hash, for instance \fBgost-mac\fR algorithm,
supported by \fBccgost\fR engine. \s-1MAC\s0 keys and other options should be set
via \fB\-macopt\fR parameter.
.IP "\fB\-macopt nm:v\fR" 4
.IX Item "-macopt nm:v"
Passes options to \s-1MAC\s0 algorithm, specified by \fB\-mac\fR key.
Following options are supported by both by \fB\s-1HMAC\s0\fR and \fBgost-mac\fR:
.RS 4
.IP "\fBkey:string\fR" 4
.IX Item "key:string"
Specifies \s-1MAC\s0 key as alphanumeric string (use if key contain printable
characters only). String length must conform to any restrictions of
the \s-1MAC\s0 algorithm for example exactly 32 chars for gost-mac.
.IP "\fBhexkey:string\fR" 4
.IX Item "hexkey:string"
Specifies \s-1MAC\s0 key in hexadecimal form (two hex digits per byte).
Key length must conform to any restrictions of the \s-1MAC\s0 algorithm
for example exactly 32 chars for gost-mac.
.RE
.RS 4
.RE
.IP "\fB\-rand file...\fR" 4
.IX Item "-rand file..."
A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
.IP "[\fB\-writerand file\fR]" 4
.IX Item "[-writerand file]"
Writes random data to the specified \fIfile\fR upon exit.
This can be used with a subsequent \fB\-rand\fR flag.
.IP "\fB\-fips\-fingerprint\fR" 4
.IX Item "-fips-fingerprint"
Compute \s-1HMAC\s0 using a specific key for certain OpenSSL-FIPS operations.
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
Use engine \fBid\fR for operations (including private key storage).
This engine is not used as source for digest algorithms, unless it is
also specified in the configuration file or \fB\-engine_impl\fR is also
specified.
.IP "\fB\-engine_impl\fR" 4
.IX Item "-engine_impl"
When used with the \fB\-engine\fR option, it specifies to also use
engine \fBid\fR for digest operations.
.IP "\fBfile...\fR" 4
.IX Item "file..."
File or files to digest. If no files are specified then standard input is
used.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
To create a hex-encoded message digest of a file:
openssl dgst \-md5 \-hex file.txt
.PP
To sign a file using \s-1SHA\-256\s0 with binary file output:
openssl dgst \-sha256 \-sign privatekey.pem \-out signature.sign file.txt
.PP
To verify a signature:
openssl dgst \-sha256 \-verify publickey.pem \e
\-signature signature.sign \e
file.txt
.SH "NOTES"
.IX Header "NOTES"
The digest mechanisms that are available will depend on the options
used when building OpenSSL.
The \fBlist digest-commands\fR command can be used to list them.
.PP
New or agile applications should use probably use \s-1SHA\-256.\s0 Other digests,
particularly \s-1SHA\-1\s0 and \s-1MD5,\s0 are still widely used for interoperating
with existing formats and protocols.
.PP
When signing a file, \fBdgst\fR will automatically determine the algorithm
(\s-1RSA, ECC,\s0 etc) to use for signing based on the private key's \s-1ASN.1\s0 info.
When verifying signatures, it only handles the \s-1RSA, DSA,\s0 or \s-1ECDSA\s0 signature
itself, not the related data to identify the signer and algorithm used in
formats such as x.509, \s-1CMS,\s0 and S/MIME.
.PP
A source of random numbers is required for certain signing algorithms, in
particular \s-1ECDSA\s0 and \s-1DSA.\s0
.PP
The signing and verify options should only be used if a single file is
being signed or verified.
.PP
Hex signatures cannot be verified using \fBopenssl\fR. Instead, use \*(L"xxd \-r\*(R"
or similar program to transform the hex signature into a binary signature
prior to verification.
.SH "HISTORY"
.IX Header "HISTORY"
The default digest was changed from \s-1MD5\s0 to \s-1SHA256\s0 in OpenSSL 1.1.0.
The FIPS-related options were removed in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/dhparam.1 b/secure/usr.bin/openssl/man/dhparam.1
index 4638bf14c1c0..d5179c34430f 100644
--- a/secure/usr.bin/openssl/man/dhparam.1
+++ b/secure/usr.bin/openssl/man/dhparam.1
@@ -1,276 +1,276 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DHPARAM 1"
-.TH DHPARAM 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DHPARAM 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-dhparam, dhparam \- DH parameter manipulation and generation
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl dhparam\fR
[\fB\-help\fR]
[\fB\-inform DER|PEM\fR]
[\fB\-outform DER|PEM\fR]
[\fB\-in\fR \fIfilename\fR]
[\fB\-out\fR \fIfilename\fR]
[\fB\-dsaparam\fR]
[\fB\-check\fR]
[\fB\-noout\fR]
[\fB\-text\fR]
[\fB\-C\fR]
[\fB\-2\fR]
[\fB\-5\fR]
[\fB\-rand file...\fR]
[\fB\-writerand file\fR]
[\fB\-engine id\fR]
[\fInumbits\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command is used to manipulate \s-1DH\s0 parameter files.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform DER|PEM\fR" 4
.IX Item "-inform DER|PEM"
This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded
form compatible with the PKCS#3 DHparameter structure. The \s-1PEM\s0 form is the
default format: it consists of the \fB\s-1DER\s0\fR format base64 encoded with
additional header and footer lines.
.IP "\fB\-outform DER|PEM\fR" 4
.IX Item "-outform DER|PEM"
This specifies the output format, the options have the same meaning and default
as the \fB\-inform\fR option.
.IP "\fB\-in\fR \fIfilename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read parameters from or standard input if
this option is not specified.
.IP "\fB\-out\fR \fIfilename\fR" 4
.IX Item "-out filename"
This specifies the output filename parameters to. Standard output is used
if this option is not present. The output filename should \fBnot\fR be the same
as the input filename.
.IP "\fB\-dsaparam\fR" 4
.IX Item "-dsaparam"
If this option is used, \s-1DSA\s0 rather than \s-1DH\s0 parameters are read or created;
they are converted to \s-1DH\s0 format. Otherwise, \*(L"strong\*(R" primes (such
that (p\-1)/2 is also prime) will be used for \s-1DH\s0 parameter generation.
.Sp
\&\s-1DH\s0 parameter generation with the \fB\-dsaparam\fR option is much faster,
and the recommended exponent length is shorter, which makes \s-1DH\s0 key
exchange more efficient. Beware that with such DSA-style \s-1DH\s0
parameters, a fresh \s-1DH\s0 key should be created for each use to
avoid small-subgroup attacks that may be possible otherwise.
.IP "\fB\-check\fR" 4
.IX Item "-check"
Performs numerous checks to see if the supplied parameters are valid and
displays a warning if not.
.IP "\fB\-2\fR, \fB\-5\fR" 4
.IX Item "-2, -5"
The generator to use, either 2 or 5. If present then the
input file is ignored and parameters are generated instead. If not
present but \fBnumbits\fR is present, parameters are generated with the
default generator 2.
.IP "\fB\-rand file...\fR" 4
.IX Item "-rand file..."
A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
.IP "[\fB\-writerand file\fR]" 4
.IX Item "[-writerand file]"
Writes random data to the specified \fIfile\fR upon exit.
This can be used with a subsequent \fB\-rand\fR flag.
.IP "\fInumbits\fR" 4
.IX Item "numbits"
This option specifies that a parameter set should be generated of size
\&\fInumbits\fR. It must be the last option. If this option is present then
the input file is ignored and parameters are generated instead. If
this option is not present but a generator (\fB\-2\fR or \fB\-5\fR) is
present, parameters are generated with a default length of 2048 bits.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
This option inhibits the output of the encoded version of the parameters.
.IP "\fB\-text\fR" 4
.IX Item "-text"
This option prints out the \s-1DH\s0 parameters in human readable form.
.IP "\fB\-C\fR" 4
.IX Item "-C"
This option converts the parameters into C code. The parameters can then
be loaded by calling the \fBget_dhNNNN()\fR function.
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
Specifying an engine (by its unique \fBid\fR string) will cause \fBdhparam\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
.SH "WARNINGS"
.IX Header "WARNINGS"
The program \fBdhparam\fR combines the functionality of the programs \fBdh\fR and
\&\fBgendh\fR in previous versions of OpenSSL. The \fBdh\fR and \fBgendh\fR
programs are retained for now but may have different purposes in future
versions of OpenSSL.
.SH "NOTES"
.IX Header "NOTES"
\&\s-1PEM\s0 format \s-1DH\s0 parameters use the header and footer lines:
.PP
.Vb 2
\& \-\-\-\-\-BEGIN DH PARAMETERS\-\-\-\-\-
\& \-\-\-\-\-END DH PARAMETERS\-\-\-\-\-
.Ve
.PP
OpenSSL currently only supports the older PKCS#3 \s-1DH,\s0 not the newer X9.42
\&\s-1DH.\s0
.PP
This program manipulates \s-1DH\s0 parameters not keys.
.SH "BUGS"
.IX Header "BUGS"
There should be a way to generate and manipulate \s-1DH\s0 keys.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBdsaparam\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/dsa.1 b/secure/usr.bin/openssl/man/dsa.1
index 377b20e120ea..08c6dd834111 100644
--- a/secure/usr.bin/openssl/man/dsa.1
+++ b/secure/usr.bin/openssl/man/dsa.1
@@ -1,306 +1,306 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DSA 1"
-.TH DSA 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DSA 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-dsa, dsa \- DSA key processing
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBdsa\fR
[\fB\-help\fR]
[\fB\-inform PEM|DER\fR]
[\fB\-outform PEM|DER\fR]
[\fB\-in filename\fR]
[\fB\-passin arg\fR]
[\fB\-out filename\fR]
[\fB\-passout arg\fR]
[\fB\-aes128\fR]
[\fB\-aes192\fR]
[\fB\-aes256\fR]
[\fB\-aria128\fR]
[\fB\-aria192\fR]
[\fB\-aria256\fR]
[\fB\-camellia128\fR]
[\fB\-camellia192\fR]
[\fB\-camellia256\fR]
[\fB\-des\fR]
[\fB\-des3\fR]
[\fB\-idea\fR]
[\fB\-text\fR]
[\fB\-noout\fR]
[\fB\-modulus\fR]
[\fB\-pubin\fR]
[\fB\-pubout\fR]
[\fB\-engine id\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBdsa\fR command processes \s-1DSA\s0 keys. They can be converted between various
forms and their components printed out. \fBNote\fR This command uses the
traditional SSLeay compatible format for private key encryption: newer
applications should use the more secure PKCS#8 format using the \fBpkcs8\fR
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform DER|PEM\fR" 4
.IX Item "-inform DER|PEM"
This specifies the input format. The \fB\s-1DER\s0\fR option with a private key uses
an \s-1ASN1 DER\s0 encoded form of an \s-1ASN.1 SEQUENCE\s0 consisting of the values of
version (currently zero), p, q, g, the public and private key components
respectively as \s-1ASN.1\s0 INTEGERs. When used with a public key it uses a
SubjectPublicKeyInfo structure: it is an error if the key is not \s-1DSA.\s0
.Sp
The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR format base64
encoded with additional header and footer lines. In the case of a private key
PKCS#8 format is also accepted.
.IP "\fB\-outform DER|PEM\fR" 4
.IX Item "-outform DER|PEM"
This specifies the output format, the options have the same meaning and default
as the \fB\-inform\fR option.
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read a key from or standard input if this
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
.IP "\fB\-passin arg\fR" 4
.IX Item "-passin arg"
The input file password source. For more information about the format of \fBarg\fR
see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
This specifies the output filename to write a key to or standard output by
is not specified. If any encryption options are set then a pass phrase will be
prompted for. The output filename should \fBnot\fR be the same as the input
filename.
.IP "\fB\-passout arg\fR" 4
.IX Item "-passout arg"
The output file password source. For more information about the format of \fBarg\fR
see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR, \fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR, \fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR, \fB\-des\fR, \fB\-des3\fR, \fB\-idea\fR" 4
.IX Item "-aes128, -aes192, -aes256, -aria128, -aria192, -aria256, -camellia128, -camellia192, -camellia256, -des, -des3, -idea"
These options encrypt the private key with the specified
cipher before outputting it. A pass phrase is prompted for.
If none of these options is specified the key is written in plain text. This
means that using the \fBdsa\fR utility to read in an encrypted key with no
encryption option can be used to remove the pass phrase from a key, or by
setting the encryption options it can be use to add or change the pass phrase.
These options can only be used with \s-1PEM\s0 format output files.
.IP "\fB\-text\fR" 4
.IX Item "-text"
Prints out the public, private key components and parameters.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
This option prevents output of the encoded version of the key.
.IP "\fB\-modulus\fR" 4
.IX Item "-modulus"
This option prints out the value of the public key component of the key.
.IP "\fB\-pubin\fR" 4
.IX Item "-pubin"
By default, a private key is read from the input file. With this option a
public key is read instead.
.IP "\fB\-pubout\fR" 4
.IX Item "-pubout"
By default, a private key is output. With this option a public
key will be output instead. This option is automatically set if the input is
a public key.
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
Specifying an engine (by its unique \fBid\fR string) will cause \fBdsa\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
.SH "NOTES"
.IX Header "NOTES"
The \s-1PEM\s0 private key format uses the header and footer lines:
.PP
.Vb 2
\& \-\-\-\-\-BEGIN DSA PRIVATE KEY\-\-\-\-\-
\& \-\-\-\-\-END DSA PRIVATE KEY\-\-\-\-\-
.Ve
.PP
The \s-1PEM\s0 public key format uses the header and footer lines:
.PP
.Vb 2
\& \-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-
\& \-\-\-\-\-END PUBLIC KEY\-\-\-\-\-
.Ve
.SH "EXAMPLES"
.IX Header "EXAMPLES"
To remove the pass phrase on a \s-1DSA\s0 private key:
.PP
.Vb 1
\& openssl dsa \-in key.pem \-out keyout.pem
.Ve
.PP
To encrypt a private key using triple \s-1DES:\s0
.PP
.Vb 1
\& openssl dsa \-in key.pem \-des3 \-out keyout.pem
.Ve
.PP
To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format:
.PP
.Vb 1
\& openssl dsa \-in key.pem \-outform DER \-out keyout.der
.Ve
.PP
To print out the components of a private key to standard output:
.PP
.Vb 1
\& openssl dsa \-in key.pem \-text \-noout
.Ve
.PP
To just output the public part of a private key:
.PP
.Vb 1
\& openssl dsa \-in key.pem \-pubout \-out pubkey.pem
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBdsaparam\fR\|(1), \fBgendsa\fR\|(1), \fBrsa\fR\|(1),
\&\fBgenrsa\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/dsaparam.1 b/secure/usr.bin/openssl/man/dsaparam.1
index 303c1f1352cd..2b6cf415404b 100644
--- a/secure/usr.bin/openssl/man/dsaparam.1
+++ b/secure/usr.bin/openssl/man/dsaparam.1
@@ -1,245 +1,245 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "DSAPARAM 1"
-.TH DSAPARAM 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH DSAPARAM 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-dsaparam, dsaparam \- DSA parameter manipulation and generation
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl dsaparam\fR
[\fB\-help\fR]
[\fB\-inform DER|PEM\fR]
[\fB\-outform DER|PEM\fR]
[\fB\-in filename\fR]
[\fB\-out filename\fR]
[\fB\-noout\fR]
[\fB\-text\fR]
[\fB\-C\fR]
[\fB\-rand file...\fR]
[\fB\-writerand file\fR]
[\fB\-genkey\fR]
[\fB\-engine id\fR]
[\fBnumbits\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command is used to manipulate or generate \s-1DSA\s0 parameter files.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform DER|PEM\fR" 4
.IX Item "-inform DER|PEM"
This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded
form compatible with \s-1RFC2459\s0 (\s-1PKIX\s0) DSS-Parms that is a \s-1SEQUENCE\s0 consisting
of p, q and g respectively. The \s-1PEM\s0 form is the default format: it consists
of the \fB\s-1DER\s0\fR format base64 encoded with additional header and footer lines.
.IP "\fB\-outform DER|PEM\fR" 4
.IX Item "-outform DER|PEM"
This specifies the output format, the options have the same meaning and default
as the \fB\-inform\fR option.
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read parameters from or standard input if
this option is not specified. If the \fBnumbits\fR parameter is included then
this option will be ignored.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
This specifies the output filename parameters to. Standard output is used
if this option is not present. The output filename should \fBnot\fR be the same
as the input filename.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
This option inhibits the output of the encoded version of the parameters.
.IP "\fB\-text\fR" 4
.IX Item "-text"
This option prints out the \s-1DSA\s0 parameters in human readable form.
.IP "\fB\-C\fR" 4
.IX Item "-C"
This option converts the parameters into C code. The parameters can then
be loaded by calling the \fBget_dsaXXX()\fR function.
.IP "\fB\-genkey\fR" 4
.IX Item "-genkey"
This option will generate a \s-1DSA\s0 either using the specified or generated
parameters.
.IP "\fB\-rand file...\fR" 4
.IX Item "-rand file..."
A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
.IP "[\fB\-writerand file\fR]" 4
.IX Item "[-writerand file]"
Writes random data to the specified \fIfile\fR upon exit.
This can be used with a subsequent \fB\-rand\fR flag.
.IP "\fBnumbits\fR" 4
.IX Item "numbits"
This option specifies that a parameter set should be generated of size
\&\fBnumbits\fR. It must be the last option. If this option is included then
the input file (if any) is ignored.
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
Specifying an engine (by its unique \fBid\fR string) will cause \fBdsaparam\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
.SH "NOTES"
.IX Header "NOTES"
\&\s-1PEM\s0 format \s-1DSA\s0 parameters use the header and footer lines:
.PP
.Vb 2
\& \-\-\-\-\-BEGIN DSA PARAMETERS\-\-\-\-\-
\& \-\-\-\-\-END DSA PARAMETERS\-\-\-\-\-
.Ve
.PP
\&\s-1DSA\s0 parameter generation is a slow process and as a result the same set of
\&\s-1DSA\s0 parameters is often used to generate several distinct keys.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBgendsa\fR\|(1), \fBdsa\fR\|(1), \fBgenrsa\fR\|(1),
\&\fBrsa\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/ec.1 b/secure/usr.bin/openssl/man/ec.1
index 2abd3d21ca1f..b39e9ad334a7 100644
--- a/secure/usr.bin/openssl/man/ec.1
+++ b/secure/usr.bin/openssl/man/ec.1
@@ -1,326 +1,326 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EC 1"
-.TH EC 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH EC 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-ec, ec \- EC key processing
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBec\fR
[\fB\-help\fR]
[\fB\-inform PEM|DER\fR]
[\fB\-outform PEM|DER\fR]
[\fB\-in filename\fR]
[\fB\-passin arg\fR]
[\fB\-out filename\fR]
[\fB\-passout arg\fR]
[\fB\-des\fR]
[\fB\-des3\fR]
[\fB\-idea\fR]
[\fB\-text\fR]
[\fB\-noout\fR]
[\fB\-param_out\fR]
[\fB\-pubin\fR]
[\fB\-pubout\fR]
[\fB\-conv_form arg\fR]
[\fB\-param_enc arg\fR]
[\fB\-no_public\fR]
[\fB\-check\fR]
[\fB\-engine id\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBec\fR command processes \s-1EC\s0 keys. They can be converted between various
forms and their components printed out. \fBNote\fR OpenSSL uses the
private key format specified in '\s-1SEC 1:\s0 Elliptic Curve Cryptography'
(http://www.secg.org/). To convert an OpenSSL \s-1EC\s0 private key into the
PKCS#8 private key format use the \fBpkcs8\fR command.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform DER|PEM\fR" 4
.IX Item "-inform DER|PEM"
This specifies the input format. The \fB\s-1DER\s0\fR option with a private key uses
an \s-1ASN.1 DER\s0 encoded \s-1SEC1\s0 private key. When used with a public key it
uses the SubjectPublicKeyInfo structure as specified in \s-1RFC 3280.\s0
The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR format base64
encoded with additional header and footer lines. In the case of a private key
PKCS#8 format is also accepted.
.IP "\fB\-outform DER|PEM\fR" 4
.IX Item "-outform DER|PEM"
This specifies the output format, the options have the same meaning and default
as the \fB\-inform\fR option.
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read a key from or standard input if this
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
.IP "\fB\-passin arg\fR" 4
.IX Item "-passin arg"
The input file password source. For more information about the format of \fBarg\fR
see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
This specifies the output filename to write a key to or standard output by
is not specified. If any encryption options are set then a pass phrase will be
prompted for. The output filename should \fBnot\fR be the same as the input
filename.
.IP "\fB\-passout arg\fR" 4
.IX Item "-passout arg"
The output file password source. For more information about the format of \fBarg\fR
see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-des|\-des3|\-idea\fR" 4
.IX Item "-des|-des3|-idea"
These options encrypt the private key with the \s-1DES,\s0 triple \s-1DES, IDEA\s0 or
any other cipher supported by OpenSSL before outputting it. A pass phrase is
prompted for.
If none of these options is specified the key is written in plain text. This
means that using the \fBec\fR utility to read in an encrypted key with no
encryption option can be used to remove the pass phrase from a key, or by
setting the encryption options it can be use to add or change the pass phrase.
These options can only be used with \s-1PEM\s0 format output files.
.IP "\fB\-text\fR" 4
.IX Item "-text"
Prints out the public, private key components and parameters.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
This option prevents output of the encoded version of the key.
.IP "\fB\-pubin\fR" 4
.IX Item "-pubin"
By default, a private key is read from the input file. With this option a
public key is read instead.
.IP "\fB\-pubout\fR" 4
.IX Item "-pubout"
By default a private key is output. With this option a public
key will be output instead. This option is automatically set if the input is
a public key.
.IP "\fB\-conv_form\fR" 4
.IX Item "-conv_form"
This specifies how the points on the elliptic curve are converted
into octet strings. Possible values are: \fBcompressed\fR (the default
value), \fBuncompressed\fR and \fBhybrid\fR. For more information regarding
the point conversion forms please read the X9.62 standard.
\&\fBNote\fR Due to patent issues the \fBcompressed\fR option is disabled
by default for binary curves and can be enabled by defining
the preprocessor macro \fB\s-1OPENSSL_EC_BIN_PT_COMP\s0\fR at compile time.
.IP "\fB\-param_enc arg\fR" 4
.IX Item "-param_enc arg"
This specifies how the elliptic curve parameters are encoded.
Possible value are: \fBnamed_curve\fR, i.e. the ec parameters are
specified by an \s-1OID,\s0 or \fBexplicit\fR where the ec parameters are
explicitly given (see \s-1RFC 3279\s0 for the definition of the
\&\s-1EC\s0 parameters structures). The default value is \fBnamed_curve\fR.
\&\fBNote\fR the \fBimplicitlyCA\fR alternative, as specified in \s-1RFC 3279,\s0
is currently not implemented in OpenSSL.
.IP "\fB\-no_public\fR" 4
.IX Item "-no_public"
This option omits the public key components from the private key output.
.IP "\fB\-check\fR" 4
.IX Item "-check"
This option checks the consistency of an \s-1EC\s0 private or public key.
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
Specifying an engine (by its unique \fBid\fR string) will cause \fBec\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
.SH "NOTES"
.IX Header "NOTES"
The \s-1PEM\s0 private key format uses the header and footer lines:
.PP
.Vb 2
\& \-\-\-\-\-BEGIN EC PRIVATE KEY\-\-\-\-\-
\& \-\-\-\-\-END EC PRIVATE KEY\-\-\-\-\-
.Ve
.PP
The \s-1PEM\s0 public key format uses the header and footer lines:
.PP
.Vb 2
\& \-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-
\& \-\-\-\-\-END PUBLIC KEY\-\-\-\-\-
.Ve
.SH "EXAMPLES"
.IX Header "EXAMPLES"
To encrypt a private key using triple \s-1DES:\s0
.PP
.Vb 1
\& openssl ec \-in key.pem \-des3 \-out keyout.pem
.Ve
.PP
To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format:
.PP
.Vb 1
\& openssl ec \-in key.pem \-outform DER \-out keyout.der
.Ve
.PP
To print out the components of a private key to standard output:
.PP
.Vb 1
\& openssl ec \-in key.pem \-text \-noout
.Ve
.PP
To just output the public part of a private key:
.PP
.Vb 1
\& openssl ec \-in key.pem \-pubout \-out pubkey.pem
.Ve
.PP
To change the parameters encoding to \fBexplicit\fR:
.PP
.Vb 1
\& openssl ec \-in key.pem \-param_enc explicit \-out keyout.pem
.Ve
.PP
To change the point conversion form to \fBcompressed\fR:
.PP
.Vb 1
\& openssl ec \-in key.pem \-conv_form compressed \-out keyout.pem
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBecparam\fR\|(1), \fBdsa\fR\|(1), \fBrsa\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2003\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/ecparam.1 b/secure/usr.bin/openssl/man/ecparam.1
index bb664c0df45a..bce8c8c57e19 100644
--- a/secure/usr.bin/openssl/man/ecparam.1
+++ b/secure/usr.bin/openssl/man/ecparam.1
@@ -1,312 +1,312 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ECPARAM 1"
-.TH ECPARAM 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ECPARAM 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-ecparam, ecparam \- EC parameter manipulation and generation
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl ecparam\fR
[\fB\-help\fR]
[\fB\-inform DER|PEM\fR]
[\fB\-outform DER|PEM\fR]
[\fB\-in filename\fR]
[\fB\-out filename\fR]
[\fB\-noout\fR]
[\fB\-text\fR]
[\fB\-C\fR]
[\fB\-check\fR]
[\fB\-name arg\fR]
[\fB\-list_curves\fR]
[\fB\-conv_form arg\fR]
[\fB\-param_enc arg\fR]
[\fB\-no_seed\fR]
[\fB\-rand file...\fR]
[\fB\-writerand file\fR]
[\fB\-genkey\fR]
[\fB\-engine id\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command is used to manipulate or generate \s-1EC\s0 parameter files.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform DER|PEM\fR" 4
.IX Item "-inform DER|PEM"
This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN.1 DER\s0 encoded
form compatible with \s-1RFC 3279\s0 EcpkParameters. The \s-1PEM\s0 form is the default
format: it consists of the \fB\s-1DER\s0\fR format base64 encoded with additional
header and footer lines.
.IP "\fB\-outform DER|PEM\fR" 4
.IX Item "-outform DER|PEM"
This specifies the output format, the options have the same meaning and default
as the \fB\-inform\fR option.
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read parameters from or standard input if
this option is not specified.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
This specifies the output filename parameters to. Standard output is used
if this option is not present. The output filename should \fBnot\fR be the same
as the input filename.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
This option inhibits the output of the encoded version of the parameters.
.IP "\fB\-text\fR" 4
.IX Item "-text"
This option prints out the \s-1EC\s0 parameters in human readable form.
.IP "\fB\-C\fR" 4
.IX Item "-C"
This option converts the \s-1EC\s0 parameters into C code. The parameters can then
be loaded by calling the \fBget_ec_group_XXX()\fR function.
.IP "\fB\-check\fR" 4
.IX Item "-check"
Validate the elliptic curve parameters.
.IP "\fB\-name arg\fR" 4
.IX Item "-name arg"
Use the \s-1EC\s0 parameters with the specified 'short' name. Use \fB\-list_curves\fR
to get a list of all currently implemented \s-1EC\s0 parameters.
.IP "\fB\-list_curves\fR" 4
.IX Item "-list_curves"
If this options is specified \fBecparam\fR will print out a list of all
currently implemented \s-1EC\s0 parameters names and exit.
.IP "\fB\-conv_form\fR" 4
.IX Item "-conv_form"
This specifies how the points on the elliptic curve are converted
into octet strings. Possible values are: \fBcompressed\fR, \fBuncompressed\fR (the
default value) and \fBhybrid\fR. For more information regarding
the point conversion forms please read the X9.62 standard.
\&\fBNote\fR Due to patent issues the \fBcompressed\fR option is disabled
by default for binary curves and can be enabled by defining
the preprocessor macro \fB\s-1OPENSSL_EC_BIN_PT_COMP\s0\fR at compile time.
.IP "\fB\-param_enc arg\fR" 4
.IX Item "-param_enc arg"
This specifies how the elliptic curve parameters are encoded.
Possible value are: \fBnamed_curve\fR, i.e. the ec parameters are
specified by an \s-1OID,\s0 or \fBexplicit\fR where the ec parameters are
explicitly given (see \s-1RFC 3279\s0 for the definition of the
\&\s-1EC\s0 parameters structures). The default value is \fBnamed_curve\fR.
\&\fBNote\fR the \fBimplicitlyCA\fR alternative, as specified in \s-1RFC 3279,\s0
is currently not implemented in OpenSSL.
.IP "\fB\-no_seed\fR" 4
.IX Item "-no_seed"
This option inhibits that the 'seed' for the parameter generation
is included in the ECParameters structure (see \s-1RFC 3279\s0).
.IP "\fB\-genkey\fR" 4
.IX Item "-genkey"
This option will generate an \s-1EC\s0 private key using the specified parameters.
.IP "\fB\-rand file...\fR" 4
.IX Item "-rand file..."
A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
.IP "[\fB\-writerand file\fR]" 4
.IX Item "[-writerand file]"
Writes random data to the specified \fIfile\fR upon exit.
This can be used with a subsequent \fB\-rand\fR flag.
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
Specifying an engine (by its unique \fBid\fR string) will cause \fBecparam\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
.SH "NOTES"
.IX Header "NOTES"
\&\s-1PEM\s0 format \s-1EC\s0 parameters use the header and footer lines:
.PP
.Vb 2
\& \-\-\-\-\-BEGIN EC PARAMETERS\-\-\-\-\-
\& \-\-\-\-\-END EC PARAMETERS\-\-\-\-\-
.Ve
.PP
OpenSSL is currently not able to generate new groups and therefore
\&\fBecparam\fR can only create \s-1EC\s0 parameters from known (named) curves.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
To create \s-1EC\s0 parameters with the group 'prime192v1':
.PP
.Vb 1
\& openssl ecparam \-out ec_param.pem \-name prime192v1
.Ve
.PP
To create \s-1EC\s0 parameters with explicit parameters:
.PP
.Vb 1
\& openssl ecparam \-out ec_param.pem \-name prime192v1 \-param_enc explicit
.Ve
.PP
To validate given \s-1EC\s0 parameters:
.PP
.Vb 1
\& openssl ecparam \-in ec_param.pem \-check
.Ve
.PP
To create \s-1EC\s0 parameters and a private key:
.PP
.Vb 1
\& openssl ecparam \-out ec_key.pem \-name prime192v1 \-genkey
.Ve
.PP
To change the point encoding to 'compressed':
.PP
.Vb 1
\& openssl ecparam \-in ec_in.pem \-out ec_out.pem \-conv_form compressed
.Ve
.PP
To print out the \s-1EC\s0 parameters to standard output:
.PP
.Vb 1
\& openssl ecparam \-in ec_param.pem \-noout \-text
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBec\fR\|(1), \fBdsaparam\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2003\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/enc.1 b/secure/usr.bin/openssl/man/enc.1
index 4036199be52b..51ef0532bd8f 100644
--- a/secure/usr.bin/openssl/man/enc.1
+++ b/secure/usr.bin/openssl/man/enc.1
@@ -1,543 +1,543 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ENC 1"
-.TH ENC 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ENC 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-enc, enc \- symmetric cipher routines
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl enc \-\f(BIcipher\fB\fR
[\fB\-help\fR]
[\fB\-list\fR]
[\fB\-ciphers\fR]
[\fB\-in filename\fR]
[\fB\-out filename\fR]
[\fB\-pass arg\fR]
[\fB\-e\fR]
[\fB\-d\fR]
[\fB\-a\fR]
[\fB\-base64\fR]
[\fB\-A\fR]
[\fB\-k password\fR]
[\fB\-kfile filename\fR]
[\fB\-K key\fR]
[\fB\-iv \s-1IV\s0\fR]
[\fB\-S salt\fR]
[\fB\-salt\fR]
[\fB\-nosalt\fR]
[\fB\-z\fR]
[\fB\-md digest\fR]
[\fB\-iter count\fR]
[\fB\-pbkdf2\fR]
[\fB\-p\fR]
[\fB\-P\fR]
[\fB\-bufsize number\fR]
[\fB\-nopad\fR]
[\fB\-debug\fR]
[\fB\-none\fR]
[\fB\-rand file...\fR]
[\fB\-writerand file\fR]
[\fB\-engine id\fR]
.PP
\&\fBopenssl\fR \fI[cipher]\fR [\fB...\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The symmetric cipher commands allow data to be encrypted or decrypted
using various block and stream ciphers using keys based on passwords
or explicitly provided. Base64 encoding or decoding can also be performed
either by itself or in addition to the encryption or decryption.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-list\fR" 4
.IX Item "-list"
List all supported ciphers.
.IP "\fB\-ciphers\fR" 4
.IX Item "-ciphers"
Alias of \-list to display all supported ciphers.
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
The input filename, standard input by default.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
The output filename, standard output by default.
.IP "\fB\-pass arg\fR" 4
.IX Item "-pass arg"
The password source. For more information about the format of \fBarg\fR
see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-e\fR" 4
.IX Item "-e"
Encrypt the input data: this is the default.
.IP "\fB\-d\fR" 4
.IX Item "-d"
Decrypt the input data.
.IP "\fB\-a\fR" 4
.IX Item "-a"
Base64 process the data. This means that if encryption is taking place
the data is base64 encoded after encryption. If decryption is set then
the input data is base64 decoded before being decrypted.
.IP "\fB\-base64\fR" 4
.IX Item "-base64"
Same as \fB\-a\fR
.IP "\fB\-A\fR" 4
.IX Item "-A"
If the \fB\-a\fR option is set then base64 process the data on one line.
.IP "\fB\-k password\fR" 4
.IX Item "-k password"
The password to derive the key from. This is for compatibility with previous
versions of OpenSSL. Superseded by the \fB\-pass\fR argument.
.IP "\fB\-kfile filename\fR" 4
.IX Item "-kfile filename"
Read the password to derive the key from the first line of \fBfilename\fR.
This is for compatibility with previous versions of OpenSSL. Superseded by
the \fB\-pass\fR argument.
.IP "\fB\-md digest\fR" 4
.IX Item "-md digest"
Use the specified digest to create the key from the passphrase.
The default algorithm is sha\-256.
.IP "\fB\-iter count\fR" 4
.IX Item "-iter count"
Use a given number of iterations on the password in deriving the encryption key.
High values increase the time required to brute-force the resulting file.
This option enables the use of \s-1PBKDF2\s0 algorithm to derive the key.
.IP "\fB\-pbkdf2\fR" 4
.IX Item "-pbkdf2"
Use \s-1PBKDF2\s0 algorithm with default iteration count unless otherwise specified.
.IP "\fB\-nosalt\fR" 4
.IX Item "-nosalt"
Don't use a salt in the key derivation routines. This option \fB\s-1SHOULD NOT\s0\fR be
used except for test purposes or compatibility with ancient versions of
OpenSSL.
.IP "\fB\-salt\fR" 4
.IX Item "-salt"
Use salt (randomly generated or provide with \fB\-S\fR option) when
encrypting, this is the default.
.IP "\fB\-S salt\fR" 4
.IX Item "-S salt"
The actual salt to use: this must be represented as a string of hex digits.
.IP "\fB\-K key\fR" 4
.IX Item "-K key"
The actual key to use: this must be represented as a string comprised only
of hex digits. If only the key is specified, the \s-1IV\s0 must additionally specified
using the \fB\-iv\fR option. When both a key and a password are specified, the
key given with the \fB\-K\fR option will be used and the \s-1IV\s0 generated from the
password will be taken. It does not make much sense to specify both key
and password.
.IP "\fB\-iv \s-1IV\s0\fR" 4
.IX Item "-iv IV"
The actual \s-1IV\s0 to use: this must be represented as a string comprised only
of hex digits. When only the key is specified using the \fB\-K\fR option, the
\&\s-1IV\s0 must explicitly be defined. When a password is being specified using
one of the other options, the \s-1IV\s0 is generated from this password.
.IP "\fB\-p\fR" 4
.IX Item "-p"
Print out the key and \s-1IV\s0 used.
.IP "\fB\-P\fR" 4
.IX Item "-P"
Print out the key and \s-1IV\s0 used then immediately exit: don't do any encryption
or decryption.
.IP "\fB\-bufsize number\fR" 4
.IX Item "-bufsize number"
Set the buffer size for I/O.
.IP "\fB\-nopad\fR" 4
.IX Item "-nopad"
Disable standard block padding.
.IP "\fB\-debug\fR" 4
.IX Item "-debug"
Debug the BIOs used for I/O.
.IP "\fB\-z\fR" 4
.IX Item "-z"
Compress or decompress encrypted data using zlib after encryption or before
decryption. This option exists only if OpenSSL was compiled with the zlib
or zlib-dynamic option.
.IP "\fB\-none\fR" 4
.IX Item "-none"
Use \s-1NULL\s0 cipher (no encryption or decryption of input).
.IP "\fB\-rand file...\fR" 4
.IX Item "-rand file..."
A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
.IP "[\fB\-writerand file\fR]" 4
.IX Item "[-writerand file]"
Writes random data to the specified \fIfile\fR upon exit.
This can be used with a subsequent \fB\-rand\fR flag.
.SH "NOTES"
.IX Header "NOTES"
The program can be called either as \fBopenssl cipher\fR or
\&\fBopenssl enc \-cipher\fR. The first form doesn't work with
engine-provided ciphers, because this form is processed before the
configuration file is read and any ENGINEs loaded.
Use the \fBlist\fR command to get a list of supported ciphers.
.PP
Engines which provide entirely new encryption algorithms (such as the ccgost
engine which provides gost89 algorithm) should be configured in the
configuration file. Engines specified on the command line using \-engine
options can only be used for hardware-assisted implementations of
ciphers which are supported by the OpenSSL core or another engine specified
in the configuration file.
.PP
When the enc command lists supported ciphers, ciphers provided by engines,
specified in the configuration files are listed too.
.PP
A password will be prompted for to derive the key and \s-1IV\s0 if necessary.
.PP
The \fB\-salt\fR option should \fB\s-1ALWAYS\s0\fR be used if the key is being derived
from a password unless you want compatibility with previous versions of
OpenSSL.
.PP
Without the \fB\-salt\fR option it is possible to perform efficient dictionary
attacks on the password and to attack stream cipher encrypted data. The reason
for this is that without the salt the same password always generates the same
encryption key. When the salt is being used the first eight bytes of the
encrypted data are reserved for the salt: it is generated at random when
encrypting a file and read from the encrypted file when it is decrypted.
.PP
Some of the ciphers do not have large keys and others have security
implications if not used correctly. A beginner is advised to just use
a strong block cipher, such as \s-1AES,\s0 in \s-1CBC\s0 mode.
.PP
All the block ciphers normally use PKCS#5 padding, also known as standard
block padding. This allows a rudimentary integrity or password check to
be performed. However, since the chance of random data passing the test
is better than 1 in 256 it isn't a very good test.
.PP
If padding is disabled then the input data must be a multiple of the cipher
block length.
.PP
All \s-1RC2\s0 ciphers have the same key and effective key length.
.PP
Blowfish and \s-1RC5\s0 algorithms use a 128 bit key.
.SH "SUPPORTED CIPHERS"
.IX Header "SUPPORTED CIPHERS"
Note that some of these ciphers can be disabled at compile time
and some are available only if an appropriate engine is configured
in the configuration file. The output of the \fBenc\fR command run with
the \fB\-ciphers\fR option (that is \fBopenssl enc \-ciphers\fR) produces a
list of ciphers, supported by your version of OpenSSL, including
ones provided by configured engines.
.PP
The \fBenc\fR program does not support authenticated encryption modes
like \s-1CCM\s0 and \s-1GCM,\s0 and will not support such modes in the future.
The \fBenc\fR interface by necessity must begin streaming output (e.g.,
to standard output when \fB\-out\fR is not used) before the authentication
tag could be validated, leading to the usage of \fBenc\fR in pipelines
that begin processing untrusted data and are not capable of rolling
back upon authentication failure. The \s-1AEAD\s0 modes currently in common
use also suffer from catastrophic failure of confidentiality and/or
integrity upon reuse of key/iv/nonce, and since \fBenc\fR places the
entire burden of key/iv/nonce management upon the user, the risk of
exposing \s-1AEAD\s0 modes is too great to allow. These key/iv/nonce
management issues also affect other modes currently exposed in \fBenc\fR,
but the failure modes are less extreme in these cases, and the
functionality cannot be removed with a stable release branch.
For bulk encryption of data, whether using authenticated encryption
modes or other modes, \fBcms\fR\|(1) is recommended, as it provides a
standard data format and performs the needed key/iv/nonce management.
.PP
.Vb 1
\& base64 Base 64
\&
\& bf\-cbc Blowfish in CBC mode
\& bf Alias for bf\-cbc
\& blowfish Alias for bf\-cbc
\& bf\-cfb Blowfish in CFB mode
\& bf\-ecb Blowfish in ECB mode
\& bf\-ofb Blowfish in OFB mode
\&
\& cast\-cbc CAST in CBC mode
\& cast Alias for cast\-cbc
\& cast5\-cbc CAST5 in CBC mode
\& cast5\-cfb CAST5 in CFB mode
\& cast5\-ecb CAST5 in ECB mode
\& cast5\-ofb CAST5 in OFB mode
\&
\& chacha20 ChaCha20 algorithm
\&
\& des\-cbc DES in CBC mode
\& des Alias for des\-cbc
\& des\-cfb DES in CFB mode
\& des\-ofb DES in OFB mode
\& des\-ecb DES in ECB mode
\&
\& des\-ede\-cbc Two key triple DES EDE in CBC mode
\& des\-ede Two key triple DES EDE in ECB mode
\& des\-ede\-cfb Two key triple DES EDE in CFB mode
\& des\-ede\-ofb Two key triple DES EDE in OFB mode
\&
\& des\-ede3\-cbc Three key triple DES EDE in CBC mode
\& des\-ede3 Three key triple DES EDE in ECB mode
\& des3 Alias for des\-ede3\-cbc
\& des\-ede3\-cfb Three key triple DES EDE CFB mode
\& des\-ede3\-ofb Three key triple DES EDE in OFB mode
\&
\& desx DESX algorithm.
\&
\& gost89 GOST 28147\-89 in CFB mode (provided by ccgost engine)
\& gost89\-cnt \`GOST 28147\-89 in CNT mode (provided by ccgost engine)
\&
\& idea\-cbc IDEA algorithm in CBC mode
\& idea same as idea\-cbc
\& idea\-cfb IDEA in CFB mode
\& idea\-ecb IDEA in ECB mode
\& idea\-ofb IDEA in OFB mode
\&
\& rc2\-cbc 128 bit RC2 in CBC mode
\& rc2 Alias for rc2\-cbc
\& rc2\-cfb 128 bit RC2 in CFB mode
\& rc2\-ecb 128 bit RC2 in ECB mode
\& rc2\-ofb 128 bit RC2 in OFB mode
\& rc2\-64\-cbc 64 bit RC2 in CBC mode
\& rc2\-40\-cbc 40 bit RC2 in CBC mode
\&
\& rc4 128 bit RC4
\& rc4\-64 64 bit RC4
\& rc4\-40 40 bit RC4
\&
\& rc5\-cbc RC5 cipher in CBC mode
\& rc5 Alias for rc5\-cbc
\& rc5\-cfb RC5 cipher in CFB mode
\& rc5\-ecb RC5 cipher in ECB mode
\& rc5\-ofb RC5 cipher in OFB mode
\&
\& seed\-cbc SEED cipher in CBC mode
\& seed Alias for seed\-cbc
\& seed\-cfb SEED cipher in CFB mode
\& seed\-ecb SEED cipher in ECB mode
\& seed\-ofb SEED cipher in OFB mode
\&
\& sm4\-cbc SM4 cipher in CBC mode
\& sm4 Alias for sm4\-cbc
\& sm4\-cfb SM4 cipher in CFB mode
\& sm4\-ctr SM4 cipher in CTR mode
\& sm4\-ecb SM4 cipher in ECB mode
\& sm4\-ofb SM4 cipher in OFB mode
\&
\& aes\-[128|192|256]\-cbc 128/192/256 bit AES in CBC mode
\& aes[128|192|256] Alias for aes\-[128|192|256]\-cbc
\& aes\-[128|192|256]\-cfb 128/192/256 bit AES in 128 bit CFB mode
\& aes\-[128|192|256]\-cfb1 128/192/256 bit AES in 1 bit CFB mode
\& aes\-[128|192|256]\-cfb8 128/192/256 bit AES in 8 bit CFB mode
\& aes\-[128|192|256]\-ctr 128/192/256 bit AES in CTR mode
\& aes\-[128|192|256]\-ecb 128/192/256 bit AES in ECB mode
\& aes\-[128|192|256]\-ofb 128/192/256 bit AES in OFB mode
\&
\& aria\-[128|192|256]\-cbc 128/192/256 bit ARIA in CBC mode
\& aria[128|192|256] Alias for aria\-[128|192|256]\-cbc
\& aria\-[128|192|256]\-cfb 128/192/256 bit ARIA in 128 bit CFB mode
\& aria\-[128|192|256]\-cfb1 128/192/256 bit ARIA in 1 bit CFB mode
\& aria\-[128|192|256]\-cfb8 128/192/256 bit ARIA in 8 bit CFB mode
\& aria\-[128|192|256]\-ctr 128/192/256 bit ARIA in CTR mode
\& aria\-[128|192|256]\-ecb 128/192/256 bit ARIA in ECB mode
\& aria\-[128|192|256]\-ofb 128/192/256 bit ARIA in OFB mode
\&
\& camellia\-[128|192|256]\-cbc 128/192/256 bit Camellia in CBC mode
\& camellia[128|192|256] Alias for camellia\-[128|192|256]\-cbc
\& camellia\-[128|192|256]\-cfb 128/192/256 bit Camellia in 128 bit CFB mode
\& camellia\-[128|192|256]\-cfb1 128/192/256 bit Camellia in 1 bit CFB mode
\& camellia\-[128|192|256]\-cfb8 128/192/256 bit Camellia in 8 bit CFB mode
\& camellia\-[128|192|256]\-ctr 128/192/256 bit Camellia in CTR mode
\& camellia\-[128|192|256]\-ecb 128/192/256 bit Camellia in ECB mode
\& camellia\-[128|192|256]\-ofb 128/192/256 bit Camellia in OFB mode
.Ve
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Just base64 encode a binary file:
.PP
.Vb 1
\& openssl base64 \-in file.bin \-out file.b64
.Ve
.PP
Decode the same file
.PP
.Vb 1
\& openssl base64 \-d \-in file.b64 \-out file.bin
.Ve
.PP
Encrypt a file using \s-1AES\-128\s0 using a prompted password
and \s-1PBKDF2\s0 key derivation:
.PP
.Vb 1
\& openssl enc \-aes128 \-pbkdf2 \-in file.txt \-out file.aes128
.Ve
.PP
Decrypt a file using a supplied password:
.PP
.Vb 2
\& openssl enc \-aes128 \-pbkdf2 \-d \-in file.aes128 \-out file.txt \e
\& \-pass pass:<password>
.Ve
.PP
Encrypt a file then base64 encode it (so it can be sent via mail for example)
using \s-1AES\-256\s0 in \s-1CTR\s0 mode and \s-1PBKDF2\s0 key derivation:
.PP
.Vb 1
\& openssl enc \-aes\-256\-ctr \-pbkdf2 \-a \-in file.txt \-out file.aes256
.Ve
.PP
Base64 decode a file then decrypt it using a password supplied in a file:
.PP
.Vb 2
\& openssl enc \-aes\-256\-ctr \-pbkdf2 \-d \-a \-in file.aes256 \-out file.txt \e
\& \-pass file:<passfile>
.Ve
.SH "BUGS"
.IX Header "BUGS"
The \fB\-A\fR option when used with large files doesn't work properly.
.PP
The \fBenc\fR program only supports a fixed number of algorithms with
certain parameters. So if, for example, you want to use \s-1RC2\s0 with a
76 bit key or \s-1RC4\s0 with an 84 bit key you can't use this program.
.SH "HISTORY"
.IX Header "HISTORY"
The default digest was changed from \s-1MD5\s0 to \s-1SHA256\s0 in OpenSSL 1.1.0.
.PP
The \fB\-list\fR option was added in OpenSSL 1.1.1e.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/engine.1 b/secure/usr.bin/openssl/man/engine.1
index f7bcf48a0492..64eb9a7bee6c 100644
--- a/secure/usr.bin/openssl/man/engine.1
+++ b/secure/usr.bin/openssl/man/engine.1
@@ -1,240 +1,240 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ENGINE 1"
-.TH ENGINE 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ENGINE 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-engine, engine \- load and query engines
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl engine\fR
[ \fIengine...\fR ]
[\fB\-v\fR]
[\fB\-vv\fR]
[\fB\-vvv\fR]
[\fB\-vvv\fR]
[\fB\-vvv\fR]
[\fB\-c\fR]
[\fB\-t\fR]
[\fB\-tt\fR]
[\fB\-pre\fR \fIcommand\fR]
[\fB\-post\fR \fIcommand\fR]
[ \fIengine...\fR ]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBengine\fR command is used to query the status and capabilities
of the specified \fBengine\fR's.
Engines may be specified before and after all other command-line flags.
Only those specified are queried.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-v\fR \fB\-vv\fR \fB\-vvv\fR \fB\-vvvv\fR" 4
.IX Item "-v -vv -vvv -vvvv"
Provides information about each specified engine. The first flag lists
all the possible run-time control commands; the second adds a
description of each command; the third adds the input flags, and the
final option adds the internal input flags.
.IP "\fB\-c\fR" 4
.IX Item "-c"
Lists the capabilities of each engine.
.IP "\fB\-t\fR" 4
.IX Item "-t"
Tests if each specified engine is available, and displays the answer.
.IP "\fB\-tt\fR" 4
.IX Item "-tt"
Displays an error trace for any unavailable engine.
.IP "\fB\-pre\fR \fIcommand\fR" 4
.IX Item "-pre command"
.PD 0
.IP "\fB\-post\fR \fIcommand\fR" 4
.IX Item "-post command"
.PD
Command-line configuration of engines.
The \fB\-pre\fR command is given to the engine before it is loaded and
the \fB\-post\fR command is given after the engine is loaded.
The \fIcommand\fR is of the form \fIcmd:val\fR where \fIcmd\fR is the command,
and \fIval\fR is the value for the command.
See the example below.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
To list all the commands available to a dynamic engine:
.PP
.Vb 10
\& $ openssl engine \-t \-tt \-vvvv dynamic
\& (dynamic) Dynamic engine loading support
\& [ unavailable ]
\& SO_PATH: Specifies the path to the new ENGINE shared library
\& (input flags): STRING
\& NO_VCHECK: Specifies to continue even if version checking fails (boolean)
\& (input flags): NUMERIC
\& ID: Specifies an ENGINE id name for loading
\& (input flags): STRING
\& LIST_ADD: Whether to add a loaded ENGINE to the internal list (0=no,1=yes,2=mandatory)
\& (input flags): NUMERIC
\& DIR_LOAD: Specifies whether to load from \*(AqDIR_ADD\*(Aq directories (0=no,1=yes,2=mandatory)
\& (input flags): NUMERIC
\& DIR_ADD: Adds a directory from which ENGINEs can be loaded
\& (input flags): STRING
\& LOAD: Load up the ENGINE specified by other settings
\& (input flags): NO_INPUT
.Ve
.PP
To list the capabilities of the \fIrsax\fR engine:
.PP
.Vb 4
\& $ openssl engine \-c
\& (rsax) RSAX engine support
\& [RSA]
\& (dynamic) Dynamic engine loading support
.Ve
.SH "ENVIRONMENT"
.IX Header "ENVIRONMENT"
.IP "\fB\s-1OPENSSL_ENGINES\s0\fR" 4
.IX Item "OPENSSL_ENGINES"
The path to the engines directory.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBconfig\fR\|(5)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/errstr.1 b/secure/usr.bin/openssl/man/errstr.1
index 1933dcbf783b..8228df47b46a 100644
--- a/secure/usr.bin/openssl/man/errstr.1
+++ b/secure/usr.bin/openssl/man/errstr.1
@@ -1,181 +1,181 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "ERRSTR 1"
-.TH ERRSTR 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH ERRSTR 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-errstr, errstr \- lookup error codes
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl errstr error_code\fR
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Sometimes an application will not load error message and only
numerical forms will be available. The \fBerrstr\fR utility can be used to
display the meaning of the hex code. The hex code is the hex digits after the
second colon.
.SH "OPTIONS"
.IX Header "OPTIONS"
None.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
The error code:
.PP
.Vb 1
\& 27594:error:2006D080:lib(32):func(109):reason(128):bss_file.c:107:
.Ve
.PP
can be displayed with:
.PP
.Vb 1
\& openssl errstr 2006D080
.Ve
.PP
to produce the error message:
.PP
.Vb 1
\& error:2006D080:BIO routines:BIO_new_file:no such file
.Ve
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2004\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/gendsa.1 b/secure/usr.bin/openssl/man/gendsa.1
index bcc7d188e543..e2cd2621fdf1 100644
--- a/secure/usr.bin/openssl/man/gendsa.1
+++ b/secure/usr.bin/openssl/man/gendsa.1
@@ -1,219 +1,219 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "GENDSA 1"
-.TH GENDSA 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH GENDSA 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-gendsa, gendsa \- generate a DSA private key from a set of parameters
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBgendsa\fR
[\fB\-help\fR]
[\fB\-out filename\fR]
[\fB\-aes128\fR]
[\fB\-aes192\fR]
[\fB\-aes256\fR]
[\fB\-aria128\fR]
[\fB\-aria192\fR]
[\fB\-aria256\fR]
[\fB\-camellia128\fR]
[\fB\-camellia192\fR]
[\fB\-camellia256\fR]
[\fB\-des\fR]
[\fB\-des3\fR]
[\fB\-idea\fR]
[\fB\-rand file...\fR]
[\fB\-writerand file\fR]
[\fB\-engine id\fR]
[\fBparamfile\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBgendsa\fR command generates a \s-1DSA\s0 private key from a \s-1DSA\s0 parameter file
(which will be typically generated by the \fBopenssl dsaparam\fR command).
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
Output the key to the specified file. If this argument is not specified then
standard output is used.
.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR, \fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR, \fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR, \fB\-des\fR, \fB\-des3\fR, \fB\-idea\fR" 4
.IX Item "-aes128, -aes192, -aes256, -aria128, -aria192, -aria256, -camellia128, -camellia192, -camellia256, -des, -des3, -idea"
These options encrypt the private key with specified
cipher before outputting it. A pass phrase is prompted for.
If none of these options is specified no encryption is used.
.IP "\fB\-rand file...\fR" 4
.IX Item "-rand file..."
A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
.IP "[\fB\-writerand file\fR]" 4
.IX Item "[-writerand file]"
Writes random data to the specified \fIfile\fR upon exit.
This can be used with a subsequent \fB\-rand\fR flag.
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
Specifying an engine (by its unique \fBid\fR string) will cause \fBgendsa\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
.IP "\fBparamfile\fR" 4
.IX Item "paramfile"
This option specifies the \s-1DSA\s0 parameter file to use. The parameters in this
file determine the size of the private key. \s-1DSA\s0 parameters can be generated
and examined using the \fBopenssl dsaparam\fR command.
.SH "NOTES"
.IX Header "NOTES"
\&\s-1DSA\s0 key generation is little more than random number generation so it is
much quicker that \s-1RSA\s0 key generation for example.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBdsaparam\fR\|(1), \fBdsa\fR\|(1), \fBgenrsa\fR\|(1),
\&\fBrsa\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/genpkey.1 b/secure/usr.bin/openssl/man/genpkey.1
index 82cd3f1ea1ec..ff01bd244b44 100644
--- a/secure/usr.bin/openssl/man/genpkey.1
+++ b/secure/usr.bin/openssl/man/genpkey.1
@@ -1,434 +1,434 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "GENPKEY 1"
-.TH GENPKEY 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH GENPKEY 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-genpkey, genpkey \- generate a private key
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBgenpkey\fR
[\fB\-help\fR]
[\fB\-out filename\fR]
[\fB\-outform PEM|DER\fR]
[\fB\-pass arg\fR]
[\fB\-\f(BIcipher\fB\fR]
[\fB\-engine id\fR]
[\fB\-paramfile file\fR]
[\fB\-algorithm alg\fR]
[\fB\-pkeyopt opt:value\fR]
[\fB\-genparam\fR]
[\fB\-text\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBgenpkey\fR command generates a private key.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
Output the key to the specified file. If this argument is not specified then
standard output is used.
.IP "\fB\-outform DER|PEM\fR" 4
.IX Item "-outform DER|PEM"
This specifies the output format \s-1DER\s0 or \s-1PEM.\s0 The default format is \s-1PEM.\s0
.IP "\fB\-pass arg\fR" 4
.IX Item "-pass arg"
The output file password source. For more information about the format of \fBarg\fR
see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-\f(BIcipher\fB\fR" 4
.IX Item "-cipher"
This option encrypts the private key with the supplied cipher. Any algorithm
name accepted by \fBEVP_get_cipherbyname()\fR is acceptable such as \fBdes3\fR.
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
Specifying an engine (by its unique \fBid\fR string) will cause \fBgenpkey\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms. If used this option should precede all other
options.
.IP "\fB\-algorithm alg\fR" 4
.IX Item "-algorithm alg"
Public key algorithm to use such as \s-1RSA, DSA\s0 or \s-1DH.\s0 If used this option must
precede any \fB\-pkeyopt\fR options. The options \fB\-paramfile\fR and \fB\-algorithm\fR
are mutually exclusive. Engines may add algorithms in addition to the standard
built-in ones.
.Sp
Valid built-in algorithm names for private key generation are \s-1RSA,\s0 RSA-PSS, \s-1EC,
X25519, X448, ED25519\s0 and \s-1ED448.\s0
.Sp
Valid built-in algorithm names for parameter generation (see the \fB\-genparam\fR
option) are \s-1DH, DSA\s0 and \s-1EC.\s0
.Sp
Note that the algorithm name X9.42 \s-1DH\s0 may be used as a synonym for the \s-1DH\s0
algorithm. These are identical and do not indicate the type of parameters that
will be generated. Use the \fBdh_paramgen_type\fR option to indicate whether PKCS#3
or X9.42 \s-1DH\s0 parameters are required. See \*(L"\s-1DH\s0 Parameter Generation Options\*(R"
below for more details.
.IP "\fB\-pkeyopt opt:value\fR" 4
.IX Item "-pkeyopt opt:value"
Set the public key algorithm option \fBopt\fR to \fBvalue\fR. The precise set of
options supported depends on the public key algorithm used and its
implementation. See \*(L"\s-1KEY GENERATION OPTIONS\*(R"\s0 and
\&\*(L"\s-1PARAMETER GENERATION OPTIONS\*(R"\s0 below for more details.
.IP "\fB\-genparam\fR" 4
.IX Item "-genparam"
Generate a set of parameters instead of a private key. If used this option must
precede any \fB\-algorithm\fR, \fB\-paramfile\fR or \fB\-pkeyopt\fR options.
.IP "\fB\-paramfile filename\fR" 4
.IX Item "-paramfile filename"
Some public key algorithms generate a private key based on a set of parameters.
They can be supplied using this option. If this option is used the public key
algorithm used is determined by the parameters. If used this option must
precede any \fB\-pkeyopt\fR options. The options \fB\-paramfile\fR and \fB\-algorithm\fR
are mutually exclusive.
.IP "\fB\-text\fR" 4
.IX Item "-text"
Print an (unencrypted) text representation of private and public keys and
parameters along with the \s-1PEM\s0 or \s-1DER\s0 structure.
.SH "KEY GENERATION OPTIONS"
.IX Header "KEY GENERATION OPTIONS"
The options supported by each algorithm and indeed each implementation of an
algorithm can vary. The options for the OpenSSL implementations are detailed
below. There are no key generation options defined for the X25519, X448, \s-1ED25519\s0
or \s-1ED448\s0 algorithms.
.SS "\s-1RSA\s0 Key Generation Options"
.IX Subsection "RSA Key Generation Options"
.IP "\fBrsa_keygen_bits:numbits\fR" 4
.IX Item "rsa_keygen_bits:numbits"
The number of bits in the generated key. If not specified 2048 is used.
.IP "\fBrsa_keygen_primes:numprimes\fR" 4
.IX Item "rsa_keygen_primes:numprimes"
The number of primes in the generated key. If not specified 2 is used.
.IP "\fBrsa_keygen_pubexp:value\fR" 4
.IX Item "rsa_keygen_pubexp:value"
The \s-1RSA\s0 public exponent value. This can be a large decimal or
hexadecimal value if preceded by \fB0x\fR. Default value is 65537.
.SS "RSA-PSS Key Generation Options"
.IX Subsection "RSA-PSS Key Generation Options"
Note: by default an \fBRSA-PSS\fR key has no parameter restrictions.
.IP "\fBrsa_keygen_bits:numbits\fR, \fBrsa_keygen_primes:numprimes\fR, \fBrsa_keygen_pubexp:value\fR" 4
.IX Item "rsa_keygen_bits:numbits, rsa_keygen_primes:numprimes, rsa_keygen_pubexp:value"
These options have the same meaning as the \fB\s-1RSA\s0\fR algorithm.
.IP "\fBrsa_pss_keygen_md:digest\fR" 4
.IX Item "rsa_pss_keygen_md:digest"
If set the key is restricted and can only use \fBdigest\fR for signing.
.IP "\fBrsa_pss_keygen_mgf1_md:digest\fR" 4
.IX Item "rsa_pss_keygen_mgf1_md:digest"
If set the key is restricted and can only use \fBdigest\fR as it's \s-1MGF1\s0
parameter.
.IP "\fBrsa_pss_keygen_saltlen:len\fR" 4
.IX Item "rsa_pss_keygen_saltlen:len"
If set the key is restricted and \fBlen\fR specifies the minimum salt length.
.SS "\s-1EC\s0 Key Generation Options"
.IX Subsection "EC Key Generation Options"
The \s-1EC\s0 key generation options can also be used for parameter generation.
.IP "\fBec_paramgen_curve:curve\fR" 4
.IX Item "ec_paramgen_curve:curve"
The \s-1EC\s0 curve to use. OpenSSL supports \s-1NIST\s0 curve names such as \*(L"P\-256\*(R".
.IP "\fBec_param_enc:encoding\fR" 4
.IX Item "ec_param_enc:encoding"
The encoding to use for parameters. The \*(L"encoding\*(R" parameter must be either
\&\*(L"named_curve\*(R" or \*(L"explicit\*(R". The default value is \*(L"named_curve\*(R".
.SH "PARAMETER GENERATION OPTIONS"
.IX Header "PARAMETER GENERATION OPTIONS"
The options supported by each algorithm and indeed each implementation of an
algorithm can vary. The options for the OpenSSL implementations are detailed
below.
.SS "\s-1DSA\s0 Parameter Generation Options"
.IX Subsection "DSA Parameter Generation Options"
.IP "\fBdsa_paramgen_bits:numbits\fR" 4
.IX Item "dsa_paramgen_bits:numbits"
The number of bits in the generated prime. If not specified 2048 is used.
.IP "\fBdsa_paramgen_q_bits:numbits\fR" 4
.IX Item "dsa_paramgen_q_bits:numbits"
The number of bits in the q parameter. Must be one of 160, 224 or 256. If not
specified 224 is used.
.IP "\fBdsa_paramgen_md:digest\fR" 4
.IX Item "dsa_paramgen_md:digest"
The digest to use during parameter generation. Must be one of \fBsha1\fR, \fBsha224\fR
or \fBsha256\fR. If set, then the number of bits in \fBq\fR will match the output size
of the specified digest and the \fBdsa_paramgen_q_bits\fR parameter will be
ignored. If not set, then a digest will be used that gives an output matching
the number of bits in \fBq\fR, i.e. \fBsha1\fR if q length is 160, \fBsha224\fR if it 224
or \fBsha256\fR if it is 256.
.SS "\s-1DH\s0 Parameter Generation Options"
.IX Subsection "DH Parameter Generation Options"
.IP "\fBdh_paramgen_prime_len:numbits\fR" 4
.IX Item "dh_paramgen_prime_len:numbits"
The number of bits in the prime parameter \fBp\fR. The default is 2048.
.IP "\fBdh_paramgen_subprime_len:numbits\fR" 4
.IX Item "dh_paramgen_subprime_len:numbits"
The number of bits in the sub prime parameter \fBq\fR. The default is 256 if the
prime is at least 2048 bits long or 160 otherwise. Only relevant if used in
conjunction with the \fBdh_paramgen_type\fR option to generate X9.42 \s-1DH\s0 parameters.
.IP "\fBdh_paramgen_generator:value\fR" 4
.IX Item "dh_paramgen_generator:value"
The value to use for the generator \fBg\fR. The default is 2.
.IP "\fBdh_paramgen_type:value\fR" 4
.IX Item "dh_paramgen_type:value"
The type of \s-1DH\s0 parameters to generate. Use 0 for PKCS#3 \s-1DH\s0 and 1 for X9.42 \s-1DH.\s0
The default is 0.
.IP "\fBdh_rfc5114:num\fR" 4
.IX Item "dh_rfc5114:num"
If this option is set, then the appropriate \s-1RFC5114\s0 parameters are used
instead of generating new parameters. The value \fBnum\fR can take the
values 1, 2 or 3 corresponding to \s-1RFC5114 DH\s0 parameters consisting of
1024 bit group with 160 bit subgroup, 2048 bit group with 224 bit subgroup
and 2048 bit group with 256 bit subgroup as mentioned in \s-1RFC5114\s0 sections
2.1, 2.2 and 2.3 respectively. If present this overrides all other \s-1DH\s0 parameter
options.
.SS "\s-1EC\s0 Parameter Generation Options"
.IX Subsection "EC Parameter Generation Options"
The \s-1EC\s0 parameter generation options are the same as for key generation. See
\&\*(L"\s-1EC\s0 Key Generation Options\*(R" above.
.SH "NOTES"
.IX Header "NOTES"
The use of the genpkey program is encouraged over the algorithm specific
utilities because additional algorithm options and \s-1ENGINE\s0 provided algorithms
can be used.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Generate an \s-1RSA\s0 private key using default parameters:
.PP
.Vb 1
\& openssl genpkey \-algorithm RSA \-out key.pem
.Ve
.PP
Encrypt output private key using 128 bit \s-1AES\s0 and the passphrase \*(L"hello\*(R":
.PP
.Vb 1
\& openssl genpkey \-algorithm RSA \-out key.pem \-aes\-128\-cbc \-pass pass:hello
.Ve
.PP
Generate a 2048 bit \s-1RSA\s0 key using 3 as the public exponent:
.PP
.Vb 2
\& openssl genpkey \-algorithm RSA \-out key.pem \e
\& \-pkeyopt rsa_keygen_bits:2048 \-pkeyopt rsa_keygen_pubexp:3
.Ve
.PP
Generate 2048 bit \s-1DSA\s0 parameters:
.PP
.Vb 2
\& openssl genpkey \-genparam \-algorithm DSA \-out dsap.pem \e
\& \-pkeyopt dsa_paramgen_bits:2048
.Ve
.PP
Generate \s-1DSA\s0 key from parameters:
.PP
.Vb 1
\& openssl genpkey \-paramfile dsap.pem \-out dsakey.pem
.Ve
.PP
Generate 2048 bit \s-1DH\s0 parameters:
.PP
.Vb 2
\& openssl genpkey \-genparam \-algorithm DH \-out dhp.pem \e
\& \-pkeyopt dh_paramgen_prime_len:2048
.Ve
.PP
Generate 2048 bit X9.42 \s-1DH\s0 parameters:
.PP
.Vb 3
\& openssl genpkey \-genparam \-algorithm DH \-out dhpx.pem \e
\& \-pkeyopt dh_paramgen_prime_len:2048 \e
\& \-pkeyopt dh_paramgen_type:1
.Ve
.PP
Output \s-1RFC5114 2048\s0 bit \s-1DH\s0 parameters with 224 bit subgroup:
.PP
.Vb 1
\& openssl genpkey \-genparam \-algorithm DH \-out dhp.pem \-pkeyopt dh_rfc5114:2
.Ve
.PP
Generate \s-1DH\s0 key from parameters:
.PP
.Vb 1
\& openssl genpkey \-paramfile dhp.pem \-out dhkey.pem
.Ve
.PP
Generate \s-1EC\s0 parameters:
.PP
.Vb 3
\& openssl genpkey \-genparam \-algorithm EC \-out ecp.pem \e
\& \-pkeyopt ec_paramgen_curve:secp384r1 \e
\& \-pkeyopt ec_param_enc:named_curve
.Ve
.PP
Generate \s-1EC\s0 key from parameters:
.PP
.Vb 1
\& openssl genpkey \-paramfile ecp.pem \-out eckey.pem
.Ve
.PP
Generate \s-1EC\s0 key directly:
.PP
.Vb 3
\& openssl genpkey \-algorithm EC \-out eckey.pem \e
\& \-pkeyopt ec_paramgen_curve:P\-384 \e
\& \-pkeyopt ec_param_enc:named_curve
.Ve
.PP
Generate an X25519 private key:
.PP
.Vb 1
\& openssl genpkey \-algorithm X25519 \-out xkey.pem
.Ve
.PP
Generate an \s-1ED448\s0 private key:
.PP
.Vb 1
\& openssl genpkey \-algorithm ED448 \-out xkey.pem
.Ve
.SH "HISTORY"
.IX Header "HISTORY"
The ability to use \s-1NIST\s0 curve names, and to generate an \s-1EC\s0 key directly,
were added in OpenSSL 1.0.2.
The ability to generate X25519 keys was added in OpenSSL 1.1.0.
The ability to generate X448, \s-1ED25519\s0 and \s-1ED448\s0 keys was added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/genrsa.1 b/secure/usr.bin/openssl/man/genrsa.1
index 250ac02a5da3..8f8e2a975fc0 100644
--- a/secure/usr.bin/openssl/man/genrsa.1
+++ b/secure/usr.bin/openssl/man/genrsa.1
@@ -1,243 +1,243 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "GENRSA 1"
-.TH GENRSA 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH GENRSA 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-genrsa, genrsa \- generate an RSA private key
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBgenrsa\fR
[\fB\-help\fR]
[\fB\-out filename\fR]
[\fB\-passout arg\fR]
[\fB\-aes128\fR]
[\fB\-aes192\fR]
[\fB\-aes256\fR]
[\fB\-aria128\fR]
[\fB\-aria192\fR]
[\fB\-aria256\fR]
[\fB\-camellia128\fR]
[\fB\-camellia192\fR]
[\fB\-camellia256\fR]
[\fB\-des\fR]
[\fB\-des3\fR]
[\fB\-idea\fR]
[\fB\-f4\fR]
[\fB\-3\fR]
[\fB\-rand file...\fR]
[\fB\-writerand file\fR]
[\fB\-engine id\fR]
[\fB\-primes num\fR]
[\fBnumbits\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBgenrsa\fR command generates an \s-1RSA\s0 private key.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
Output the key to the specified file. If this argument is not specified then
standard output is used.
.IP "\fB\-passout arg\fR" 4
.IX Item "-passout arg"
The output file password source. For more information about the format
of \fBarg\fR see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR, \fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR, \fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR, \fB\-des\fR, \fB\-des3\fR, \fB\-idea\fR" 4
.IX Item "-aes128, -aes192, -aes256, -aria128, -aria192, -aria256, -camellia128, -camellia192, -camellia256, -des, -des3, -idea"
These options encrypt the private key with specified
cipher before outputting it. If none of these options is
specified no encryption is used. If encryption is used a pass phrase is prompted
for if it is not supplied via the \fB\-passout\fR argument.
.IP "\fB\-F4|\-3\fR" 4
.IX Item "-F4|-3"
The public exponent to use, either 65537 or 3. The default is 65537.
.IP "\fB\-rand file...\fR" 4
.IX Item "-rand file..."
A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
.IP "[\fB\-writerand file\fR]" 4
.IX Item "[-writerand file]"
Writes random data to the specified \fIfile\fR upon exit.
This can be used with a subsequent \fB\-rand\fR flag.
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
Specifying an engine (by its unique \fBid\fR string) will cause \fBgenrsa\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
.IP "\fB\-primes num\fR" 4
.IX Item "-primes num"
Specify the number of primes to use while generating the \s-1RSA\s0 key. The \fBnum\fR
parameter must be a positive integer that is greater than 1 and less than 16.
If \fBnum\fR is greater than 2, then the generated key is called a 'multi\-prime'
\&\s-1RSA\s0 key, which is defined in \s-1RFC 8017.\s0
.IP "\fBnumbits\fR" 4
.IX Item "numbits"
The size of the private key to generate in bits. This must be the last option
specified. The default is 2048 and values less than 512 are not allowed.
.SH "NOTES"
.IX Header "NOTES"
\&\s-1RSA\s0 private key generation essentially involves the generation of two or more
prime numbers. When generating a private key various symbols will be output to
indicate the progress of the generation. A \fB.\fR represents each number which
has passed an initial sieve test, \fB+\fR means a number has passed a single
round of the Miller-Rabin primality test, \fB*\fR means the current prime starts
a regenerating progress due to some failed tests. A newline means that the number
has passed all the prime tests (the actual number depends on the key size).
.PP
Because key generation is a random process the time taken to generate a key
may vary somewhat. But in general, more primes lead to less generation time
of a key.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBgendsa\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/list.1 b/secure/usr.bin/openssl/man/list.1
index 326bdae5bb10..8ce5f0e69253 100644
--- a/secure/usr.bin/openssl/man/list.1
+++ b/secure/usr.bin/openssl/man/list.1
@@ -1,211 +1,211 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "LIST 1"
-.TH LIST 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH LIST 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-list, list \- list algorithms and features
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl list\fR
[\fB\-help\fR]
[\fB\-1\fR]
[\fB\-commands\fR]
[\fB\-digest\-commands\fR]
[\fB\-digest\-algorithms\fR]
[\fB\-cipher\-commands\fR]
[\fB\-cipher\-algorithms\fR]
[\fB\-public\-key\-algorithms\fR]
[\fB\-public\-key\-methods\fR]
[\fB\-disabled\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command is used to generate list of algorithms or disabled
features.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Display a usage message.
.IP "\fB\-1\fR" 4
.IX Item "-1"
List the commands, digest-commands, or cipher-commands in a single column.
If used, this option must be given first.
.IP "\fB\-commands\fR" 4
.IX Item "-commands"
Display a list of standard commands.
.IP "\fB\-digest\-commands\fR" 4
.IX Item "-digest-commands"
Display a list of message digest commands, which are typically used
as input to the \fBdgst\fR\|(1) or \fBspeed\fR\|(1) commands.
.IP "\fB\-digest\-algorithms\fR" 4
.IX Item "-digest-algorithms"
Display a list of message digest algorithms.
If a line is of the form
foo => bar
then \fBfoo\fR is an alias for the official algorithm name, \fBbar\fR.
.IP "\fB\-cipher\-commands\fR" 4
.IX Item "-cipher-commands"
Display a list of cipher commands, which are typically used as input
to the \fBdgst\fR\|(1) or \fBspeed\fR\|(1) commands.
.IP "\fB\-cipher\-algorithms\fR" 4
.IX Item "-cipher-algorithms"
Display a list of cipher algorithms.
If a line is of the form
foo => bar
then \fBfoo\fR is an alias for the official algorithm name, \fBbar\fR.
.IP "\fB\-public\-key\-algorithms\fR" 4
.IX Item "-public-key-algorithms"
Display a list of public key algorithms, with each algorithm as
a block of multiple lines, all but the first are indented.
.IP "\fB\-public\-key\-methods\fR" 4
.IX Item "-public-key-methods"
Display a list of public key method OIDs: this also includes public key methods
without an associated \s-1ASN.1\s0 method, for example, \s-1KDF\s0 algorithms.
.IP "\fB\-disabled\fR" 4
.IX Item "-disabled"
Display a list of disabled features, those that were compiled out
of the installation.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/nseq.1 b/secure/usr.bin/openssl/man/nseq.1
index 67900a530b42..63ec7028c169 100644
--- a/secure/usr.bin/openssl/man/nseq.1
+++ b/secure/usr.bin/openssl/man/nseq.1
@@ -1,211 +1,211 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "NSEQ 1"
-.TH NSEQ 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH NSEQ 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-nseq, nseq \- create or examine a Netscape certificate sequence
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBnseq\fR
[\fB\-help\fR]
[\fB\-in filename\fR]
[\fB\-out filename\fR]
[\fB\-toseq\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBnseq\fR command takes a file containing a Netscape certificate
sequence and prints out the certificates contained in it or takes a
file of certificates and converts it into a Netscape certificate
sequence.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read or standard input if this
option is not specified.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
Specifies the output filename or standard output by default.
.IP "\fB\-toseq\fR" 4
.IX Item "-toseq"
Normally a Netscape certificate sequence will be input and the output
is the certificates contained in it. With the \fB\-toseq\fR option the
situation is reversed: a Netscape certificate sequence is created from
a file of certificates.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Output the certificates in a Netscape certificate sequence
.PP
.Vb 1
\& openssl nseq \-in nseq.pem \-out certs.pem
.Ve
.PP
Create a Netscape certificate sequence
.PP
.Vb 1
\& openssl nseq \-in certs.pem \-toseq \-out nseq.pem
.Ve
.SH "NOTES"
.IX Header "NOTES"
The \fB\s-1PEM\s0\fR encoded form uses the same headers and footers as a certificate:
.PP
.Vb 2
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
.Ve
.PP
A Netscape certificate sequence is a Netscape specific format that can be sent
to browsers as an alternative to the standard PKCS#7 format when several
certificates are sent to the browser: for example during certificate enrollment.
It is used by Netscape certificate server for example.
.SH "BUGS"
.IX Header "BUGS"
This program needs a few more options: like allowing \s-1DER\s0 or \s-1PEM\s0 input and
output files and allowing multiple certificate files to be used.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/ocsp.1 b/secure/usr.bin/openssl/man/ocsp.1
index 56ab1678556c..2909ba184e6b 100644
--- a/secure/usr.bin/openssl/man/ocsp.1
+++ b/secure/usr.bin/openssl/man/ocsp.1
@@ -1,584 +1,584 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OCSP 1"
-.TH OCSP 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OCSP 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-ocsp, ocsp \- Online Certificate Status Protocol utility
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBocsp\fR
[\fB\-help\fR]
[\fB\-out file\fR]
[\fB\-issuer file\fR]
[\fB\-cert file\fR]
[\fB\-serial n\fR]
[\fB\-signer file\fR]
[\fB\-signkey file\fR]
[\fB\-sign_other file\fR]
[\fB\-no_certs\fR]
[\fB\-req_text\fR]
[\fB\-resp_text\fR]
[\fB\-text\fR]
[\fB\-reqout file\fR]
[\fB\-respout file\fR]
[\fB\-reqin file\fR]
[\fB\-respin file\fR]
[\fB\-nonce\fR]
[\fB\-no_nonce\fR]
[\fB\-url \s-1URL\s0\fR]
[\fB\-host host:port\fR]
[\fB\-multi process-count\fR]
[\fB\-header\fR]
[\fB\-path\fR]
[\fB\-CApath dir\fR]
[\fB\-CAfile file\fR]
[\fB\-no\-CAfile\fR]
[\fB\-no\-CApath\fR]
[\fB\-attime timestamp\fR]
[\fB\-check_ss_sig\fR]
[\fB\-crl_check\fR]
[\fB\-crl_check_all\fR]
[\fB\-explicit_policy\fR]
[\fB\-extended_crl\fR]
[\fB\-ignore_critical\fR]
[\fB\-inhibit_any\fR]
[\fB\-inhibit_map\fR]
[\fB\-no_check_time\fR]
[\fB\-partial_chain\fR]
[\fB\-policy arg\fR]
[\fB\-policy_check\fR]
[\fB\-policy_print\fR]
[\fB\-purpose purpose\fR]
[\fB\-suiteB_128\fR]
[\fB\-suiteB_128_only\fR]
[\fB\-suiteB_192\fR]
[\fB\-trusted_first\fR]
[\fB\-no_alt_chains\fR]
[\fB\-use_deltas\fR]
[\fB\-auth_level num\fR]
[\fB\-verify_depth num\fR]
[\fB\-verify_email email\fR]
[\fB\-verify_hostname hostname\fR]
[\fB\-verify_ip ip\fR]
[\fB\-verify_name name\fR]
[\fB\-x509_strict\fR]
[\fB\-VAfile file\fR]
[\fB\-validity_period n\fR]
[\fB\-status_age n\fR]
[\fB\-noverify\fR]
[\fB\-verify_other file\fR]
[\fB\-trust_other\fR]
[\fB\-no_intern\fR]
[\fB\-no_signature_verify\fR]
[\fB\-no_cert_verify\fR]
[\fB\-no_chain\fR]
[\fB\-no_cert_checks\fR]
[\fB\-no_explicit\fR]
[\fB\-port num\fR]
[\fB\-ignore_err\fR]
[\fB\-index file\fR]
[\fB\-CA file\fR]
[\fB\-rsigner file\fR]
[\fB\-rkey file\fR]
[\fB\-rother file\fR]
[\fB\-rsigopt nm:v\fR]
[\fB\-resp_no_certs\fR]
[\fB\-nmin n\fR]
[\fB\-ndays n\fR]
[\fB\-resp_key_id\fR]
[\fB\-nrequest n\fR]
[\fB\-\f(BIdigest\fB\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The Online Certificate Status Protocol (\s-1OCSP\s0) enables applications to
determine the (revocation) state of an identified certificate (\s-1RFC 2560\s0).
.PP
The \fBocsp\fR command performs many common \s-1OCSP\s0 tasks. It can be used
to print out requests and responses, create requests and send queries
to an \s-1OCSP\s0 responder and behave like a mini \s-1OCSP\s0 server itself.
.SH "OPTIONS"
.IX Header "OPTIONS"
This command operates as either a client or a server.
The options are described below, divided into those two modes.
.SS "\s-1OCSP\s0 Client Options"
.IX Subsection "OCSP Client Options"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
specify output filename, default is standard output.
.IP "\fB\-issuer filename\fR" 4
.IX Item "-issuer filename"
This specifies the current issuer certificate. This option can be used
multiple times. The certificate specified in \fBfilename\fR must be in
\&\s-1PEM\s0 format. This option \fB\s-1MUST\s0\fR come before any \fB\-cert\fR options.
.IP "\fB\-cert filename\fR" 4
.IX Item "-cert filename"
Add the certificate \fBfilename\fR to the request. The issuer certificate
is taken from the previous \fBissuer\fR option, or an error occurs if no
issuer certificate is specified.
.IP "\fB\-serial num\fR" 4
.IX Item "-serial num"
Same as the \fBcert\fR option except the certificate with serial number
\&\fBnum\fR is added to the request. The serial number is interpreted as a
decimal integer unless preceded by \fB0x\fR. Negative integers can also
be specified by preceding the value by a \fB\-\fR sign.
.IP "\fB\-signer filename\fR, \fB\-signkey filename\fR" 4
.IX Item "-signer filename, -signkey filename"
Sign the \s-1OCSP\s0 request using the certificate specified in the \fBsigner\fR
option and the private key specified by the \fBsignkey\fR option. If
the \fBsignkey\fR option is not present then the private key is read
from the same file as the certificate. If neither option is specified then
the \s-1OCSP\s0 request is not signed.
.IP "\fB\-sign_other filename\fR" 4
.IX Item "-sign_other filename"
Additional certificates to include in the signed request.
.IP "\fB\-nonce\fR, \fB\-no_nonce\fR" 4
.IX Item "-nonce, -no_nonce"
Add an \s-1OCSP\s0 nonce extension to a request or disable \s-1OCSP\s0 nonce addition.
Normally if an \s-1OCSP\s0 request is input using the \fBreqin\fR option no
nonce is added: using the \fBnonce\fR option will force addition of a nonce.
If an \s-1OCSP\s0 request is being created (using \fBcert\fR and \fBserial\fR options)
a nonce is automatically added specifying \fBno_nonce\fR overrides this.
.IP "\fB\-req_text\fR, \fB\-resp_text\fR, \fB\-text\fR" 4
.IX Item "-req_text, -resp_text, -text"
Print out the text form of the \s-1OCSP\s0 request, response or both respectively.
.IP "\fB\-reqout file\fR, \fB\-respout file\fR" 4
.IX Item "-reqout file, -respout file"
Write out the \s-1DER\s0 encoded certificate request or response to \fBfile\fR.
.IP "\fB\-reqin file\fR, \fB\-respin file\fR" 4
.IX Item "-reqin file, -respin file"
Read \s-1OCSP\s0 request or response file from \fBfile\fR. These option are ignored
if \s-1OCSP\s0 request or response creation is implied by other options (for example
with \fBserial\fR, \fBcert\fR and \fBhost\fR options).
.IP "\fB\-url responder_url\fR" 4
.IX Item "-url responder_url"
Specify the responder \s-1URL.\s0 Both \s-1HTTP\s0 and \s-1HTTPS\s0 (\s-1SSL/TLS\s0) URLs can be specified.
.IP "\fB\-host hostname:port\fR, \fB\-path pathname\fR" 4
.IX Item "-host hostname:port, -path pathname"
If the \fBhost\fR option is present then the \s-1OCSP\s0 request is sent to the host
\&\fBhostname\fR on port \fBport\fR. \fBpath\fR specifies the \s-1HTTP\s0 pathname to use
or \*(L"/\*(R" by default. This is equivalent to specifying \fB\-url\fR with scheme
http:// and the given hostname, port, and pathname.
.IP "\fB\-header name=value\fR" 4
.IX Item "-header name=value"
Adds the header \fBname\fR with the specified \fBvalue\fR to the \s-1OCSP\s0 request
that is sent to the responder.
This may be repeated.
.IP "\fB\-timeout seconds\fR" 4
.IX Item "-timeout seconds"
Connection timeout to the \s-1OCSP\s0 responder in seconds.
On \s-1POSIX\s0 systems, when running as an \s-1OCSP\s0 responder, this option also limits
the time that the responder is willing to wait for the client request.
This time is measured from the time the responder accepts the connection until
the complete request is received.
.IP "\fB\-multi process-count\fR" 4
.IX Item "-multi process-count"
Run the specified number of \s-1OCSP\s0 responder child processes, with the parent
process respawning child processes as needed.
Child processes will detect changes in the \s-1CA\s0 index file and automatically
reload it.
When running as a responder \fB\-timeout\fR option is recommended to limit the time
each child is willing to wait for the client's \s-1OCSP\s0 response.
This option is available on \s-1POSIX\s0 systems (that support the \fBfork()\fR and other
required unix system-calls).
.IP "\fB\-CAfile file\fR, \fB\-CApath pathname\fR" 4
.IX Item "-CAfile file, -CApath pathname"
File or pathname containing trusted \s-1CA\s0 certificates. These are used to verify
the signature on the \s-1OCSP\s0 response.
.IP "\fB\-no\-CAfile\fR" 4
.IX Item "-no-CAfile"
Do not load the trusted \s-1CA\s0 certificates from the default file location
.IP "\fB\-no\-CApath\fR" 4
.IX Item "-no-CApath"
Do not load the trusted \s-1CA\s0 certificates from the default directory location
.IP "\fB\-attime\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-no_check_time\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR" 4
.IX Item "-attime, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -no_check_time, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict"
Set different certificate verification options.
See \fBverify\fR\|(1) manual page for details.
.IP "\fB\-verify_other file\fR" 4
.IX Item "-verify_other file"
File containing additional certificates to search when attempting to locate
the \s-1OCSP\s0 response signing certificate. Some responders omit the actual signer's
certificate from the response: this option can be used to supply the necessary
certificate in such cases.
.IP "\fB\-trust_other\fR" 4
.IX Item "-trust_other"
The certificates specified by the \fB\-verify_other\fR option should be explicitly
trusted and no additional checks will be performed on them. This is useful
when the complete responder certificate chain is not available or trusting a
root \s-1CA\s0 is not appropriate.
.IP "\fB\-VAfile file\fR" 4
.IX Item "-VAfile file"
File containing explicitly trusted responder certificates. Equivalent to the
\&\fB\-verify_other\fR and \fB\-trust_other\fR options.
.IP "\fB\-noverify\fR" 4
.IX Item "-noverify"
Don't attempt to verify the \s-1OCSP\s0 response signature or the nonce
values. This option will normally only be used for debugging since it
disables all verification of the responders certificate.
.IP "\fB\-no_intern\fR" 4
.IX Item "-no_intern"
Ignore certificates contained in the \s-1OCSP\s0 response when searching for the
signers certificate. With this option the signers certificate must be specified
with either the \fB\-verify_other\fR or \fB\-VAfile\fR options.
.IP "\fB\-no_signature_verify\fR" 4
.IX Item "-no_signature_verify"
Don't check the signature on the \s-1OCSP\s0 response. Since this option
tolerates invalid signatures on \s-1OCSP\s0 responses it will normally only be
used for testing purposes.
.IP "\fB\-no_cert_verify\fR" 4
.IX Item "-no_cert_verify"
Don't verify the \s-1OCSP\s0 response signers certificate at all. Since this
option allows the \s-1OCSP\s0 response to be signed by any certificate it should
only be used for testing purposes.
.IP "\fB\-no_chain\fR" 4
.IX Item "-no_chain"
Do not use certificates in the response as additional untrusted \s-1CA\s0
certificates.
.IP "\fB\-no_explicit\fR" 4
.IX Item "-no_explicit"
Do not explicitly trust the root \s-1CA\s0 if it is set to be trusted for \s-1OCSP\s0 signing.
.IP "\fB\-no_cert_checks\fR" 4
.IX Item "-no_cert_checks"
Don't perform any additional checks on the \s-1OCSP\s0 response signers certificate.
That is do not make any checks to see if the signers certificate is authorised
to provide the necessary status information: as a result this option should
only be used for testing purposes.
.IP "\fB\-validity_period nsec\fR, \fB\-status_age age\fR" 4
.IX Item "-validity_period nsec, -status_age age"
These options specify the range of times, in seconds, which will be tolerated
in an \s-1OCSP\s0 response. Each certificate status response includes a \fBnotBefore\fR
time and an optional \fBnotAfter\fR time. The current time should fall between
these two values, but the interval between the two times may be only a few
seconds. In practice the \s-1OCSP\s0 responder and clients clocks may not be precisely
synchronised and so such a check may fail. To avoid this the
\&\fB\-validity_period\fR option can be used to specify an acceptable error range in
seconds, the default value is 5 minutes.
.Sp
If the \fBnotAfter\fR time is omitted from a response then this means that new
status information is immediately available. In this case the age of the
\&\fBnotBefore\fR field is checked to see it is not older than \fBage\fR seconds old.
By default this additional check is not performed.
.IP "\fB\-\f(BIdigest\fB\fR" 4
.IX Item "-digest"
This option sets digest algorithm to use for certificate identification in the
\&\s-1OCSP\s0 request. Any digest supported by the OpenSSL \fBdgst\fR command can be used.
The default is \s-1SHA\-1.\s0 This option may be used multiple times to specify the
digest used by subsequent certificate identifiers.
.SS "\s-1OCSP\s0 Server Options"
.IX Subsection "OCSP Server Options"
.IP "\fB\-index indexfile\fR" 4
.IX Item "-index indexfile"
The \fBindexfile\fR parameter is the name of a text index file in \fBca\fR
format containing certificate revocation information.
.Sp
If the \fBindex\fR option is specified the \fBocsp\fR utility is in responder
mode, otherwise it is in client mode. The request(s) the responder
processes can be either specified on the command line (using \fBissuer\fR
and \fBserial\fR options), supplied in a file (using the \fBreqin\fR option)
or via external \s-1OCSP\s0 clients (if \fBport\fR or \fBurl\fR is specified).
.Sp
If the \fBindex\fR option is present then the \fB\s-1CA\s0\fR and \fBrsigner\fR options
must also be present.
.IP "\fB\-CA file\fR" 4
.IX Item "-CA file"
\&\s-1CA\s0 certificate corresponding to the revocation information in \fBindexfile\fR.
.IP "\fB\-rsigner file\fR" 4
.IX Item "-rsigner file"
The certificate to sign \s-1OCSP\s0 responses with.
.IP "\fB\-rother file\fR" 4
.IX Item "-rother file"
Additional certificates to include in the \s-1OCSP\s0 response.
.IP "\fB\-resp_no_certs\fR" 4
.IX Item "-resp_no_certs"
Don't include any certificates in the \s-1OCSP\s0 response.
.IP "\fB\-resp_key_id\fR" 4
.IX Item "-resp_key_id"
Identify the signer certificate using the key \s-1ID,\s0 default is to use the
subject name.
.IP "\fB\-rkey file\fR" 4
.IX Item "-rkey file"
The private key to sign \s-1OCSP\s0 responses with: if not present the file
specified in the \fBrsigner\fR option is used.
.IP "\fB\-rsigopt nm:v\fR" 4
.IX Item "-rsigopt nm:v"
Pass options to the signature algorithm when signing \s-1OCSP\s0 responses.
Names and values of these options are algorithm-specific.
.IP "\fB\-port portnum\fR" 4
.IX Item "-port portnum"
Port to listen for \s-1OCSP\s0 requests on. The port may also be specified
using the \fBurl\fR option.
.IP "\fB\-ignore_err\fR" 4
.IX Item "-ignore_err"
Ignore malformed requests or responses: When acting as an \s-1OCSP\s0 client, retry if
a malformed response is received. When acting as an \s-1OCSP\s0 responder, continue
running instead of terminating upon receiving a malformed request.
.IP "\fB\-nrequest number\fR" 4
.IX Item "-nrequest number"
The \s-1OCSP\s0 server will exit after receiving \fBnumber\fR requests, default unlimited.
.IP "\fB\-nmin minutes\fR, \fB\-ndays days\fR" 4
.IX Item "-nmin minutes, -ndays days"
Number of minutes or days when fresh revocation information is available:
used in the \fBnextUpdate\fR field. If neither option is present then the
\&\fBnextUpdate\fR field is omitted meaning fresh revocation information is
immediately available.
.SH "OCSP Response verification."
.IX Header "OCSP Response verification."
\&\s-1OCSP\s0 Response follows the rules specified in \s-1RFC2560.\s0
.PP
Initially the \s-1OCSP\s0 responder certificate is located and the signature on
the \s-1OCSP\s0 request checked using the responder certificate's public key.
.PP
Then a normal certificate verify is performed on the \s-1OCSP\s0 responder certificate
building up a certificate chain in the process. The locations of the trusted
certificates used to build the chain can be specified by the \fBCAfile\fR
and \fBCApath\fR options or they will be looked for in the standard OpenSSL
certificates directory.
.PP
If the initial verify fails then the \s-1OCSP\s0 verify process halts with an
error.
.PP
Otherwise the issuing \s-1CA\s0 certificate in the request is compared to the \s-1OCSP\s0
responder certificate: if there is a match then the \s-1OCSP\s0 verify succeeds.
.PP
Otherwise the \s-1OCSP\s0 responder certificate's \s-1CA\s0 is checked against the issuing
\&\s-1CA\s0 certificate in the request. If there is a match and the OCSPSigning
extended key usage is present in the \s-1OCSP\s0 responder certificate then the
\&\s-1OCSP\s0 verify succeeds.
.PP
Otherwise, if \fB\-no_explicit\fR is \fBnot\fR set the root \s-1CA\s0 of the \s-1OCSP\s0 responders
\&\s-1CA\s0 is checked to see if it is trusted for \s-1OCSP\s0 signing. If it is the \s-1OCSP\s0
verify succeeds.
.PP
If none of these checks is successful then the \s-1OCSP\s0 verify fails.
.PP
What this effectively means if that if the \s-1OCSP\s0 responder certificate is
authorised directly by the \s-1CA\s0 it is issuing revocation information about
(and it is correctly configured) then verification will succeed.
.PP
If the \s-1OCSP\s0 responder is a \*(L"global responder\*(R" which can give details about
multiple CAs and has its own separate certificate chain then its root
\&\s-1CA\s0 can be trusted for \s-1OCSP\s0 signing. For example:
.PP
.Vb 1
\& openssl x509 \-in ocspCA.pem \-addtrust OCSPSigning \-out trustedCA.pem
.Ve
.PP
Alternatively the responder certificate itself can be explicitly trusted
with the \fB\-VAfile\fR option.
.SH "NOTES"
.IX Header "NOTES"
As noted, most of the verify options are for testing or debugging purposes.
Normally only the \fB\-CApath\fR, \fB\-CAfile\fR and (if the responder is a 'global
\&\s-1VA\s0') \fB\-VAfile\fR options need to be used.
.PP
The \s-1OCSP\s0 server is only useful for test and demonstration purposes: it is
not really usable as a full \s-1OCSP\s0 responder. It contains only a very
simple \s-1HTTP\s0 request handling and can only handle the \s-1POST\s0 form of \s-1OCSP\s0
queries. It also handles requests serially meaning it cannot respond to
new requests until it has processed the current one. The text index file
format of revocation is also inefficient for large quantities of revocation
data.
.PP
It is possible to run the \fBocsp\fR application in responder mode via a \s-1CGI\s0
script using the \fBreqin\fR and \fBrespout\fR options.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Create an \s-1OCSP\s0 request and write it to a file:
.PP
.Vb 1
\& openssl ocsp \-issuer issuer.pem \-cert c1.pem \-cert c2.pem \-reqout req.der
.Ve
.PP
Send a query to an \s-1OCSP\s0 responder with \s-1URL\s0 http://ocsp.myhost.com/ save the
response to a file, print it out in text form, and verify the response:
.PP
.Vb 2
\& openssl ocsp \-issuer issuer.pem \-cert c1.pem \-cert c2.pem \e
\& \-url http://ocsp.myhost.com/ \-resp_text \-respout resp.der
.Ve
.PP
Read in an \s-1OCSP\s0 response and print out text form:
.PP
.Vb 1
\& openssl ocsp \-respin resp.der \-text \-noverify
.Ve
.PP
\&\s-1OCSP\s0 server on port 8888 using a standard \fBca\fR configuration, and a separate
responder certificate. All requests and responses are printed to a file.
.PP
.Vb 2
\& openssl ocsp \-index demoCA/index.txt \-port 8888 \-rsigner rcert.pem \-CA demoCA/cacert.pem
\& \-text \-out log.txt
.Ve
.PP
As above but exit after processing one request:
.PP
.Vb 2
\& openssl ocsp \-index demoCA/index.txt \-port 8888 \-rsigner rcert.pem \-CA demoCA/cacert.pem
\& \-nrequest 1
.Ve
.PP
Query status information using an internally generated request:
.PP
.Vb 2
\& openssl ocsp \-index demoCA/index.txt \-rsigner rcert.pem \-CA demoCA/cacert.pem
\& \-issuer demoCA/cacert.pem \-serial 1
.Ve
.PP
Query status information using request read from a file, and write the response
to a second file.
.PP
.Vb 2
\& openssl ocsp \-index demoCA/index.txt \-rsigner rcert.pem \-CA demoCA/cacert.pem
\& \-reqin req.der \-respout resp.der
.Ve
.SH "HISTORY"
.IX Header "HISTORY"
The \-no_alt_chains option was added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2001\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/openssl.1 b/secure/usr.bin/openssl/man/openssl.1
index 891b440f3639..361a372a933a 100644
--- a/secure/usr.bin/openssl/man/openssl.1
+++ b/secure/usr.bin/openssl/man/openssl.1
@@ -1,583 +1,583 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "OPENSSL 1"
-.TH OPENSSL 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH OPENSSL 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl \- OpenSSL command line tool
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR
\&\fIcommand\fR
[ \fIcommand_opts\fR ]
[ \fIcommand_args\fR ]
.PP
\&\fBopenssl\fR \fBlist\fR [ \fBstandard-commands\fR | \fBdigest-commands\fR | \fBcipher-commands\fR | \fBcipher-algorithms\fR | \fBdigest-algorithms\fR | \fBpublic-key-algorithms\fR]
.PP
\&\fBopenssl\fR \fBno\-\fR\fI\s-1XXX\s0\fR [ \fIarbitrary options\fR ]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (\s-1SSL\s0
v2/v3) and Transport Layer Security (\s-1TLS\s0 v1) network protocols and related
cryptography standards required by them.
.PP
The \fBopenssl\fR program is a command line tool for using the various
cryptography functions of OpenSSL's \fBcrypto\fR library from the shell.
It can be used for
.PP
.Vb 8
\& o Creation and management of private keys, public keys and parameters
\& o Public key cryptographic operations
\& o Creation of X.509 certificates, CSRs and CRLs
\& o Calculation of Message Digests
\& o Encryption and Decryption with Ciphers
\& o SSL/TLS Client and Server Tests
\& o Handling of S/MIME signed or encrypted mail
\& o Time Stamp requests, generation and verification
.Ve
.SH "COMMAND SUMMARY"
.IX Header "COMMAND SUMMARY"
The \fBopenssl\fR program provides a rich variety of commands (\fIcommand\fR in the
\&\s-1SYNOPSIS\s0 above), each of which often has a wealth of options and arguments
(\fIcommand_opts\fR and \fIcommand_args\fR in the \s-1SYNOPSIS\s0).
.PP
Detailed documentation and use cases for most standard subcommands are available
(e.g., \fBx509\fR\|(1) or \fBopenssl\-x509\fR\|(1)).
.PP
Many commands use an external configuration file for some or all of their
arguments and have a \fB\-config\fR option to specify that file.
The environment variable \fB\s-1OPENSSL_CONF\s0\fR can be used to specify
the location of the file.
If the environment variable is not specified, then the file is named
\&\fBopenssl.cnf\fR in the default certificate storage area, whose value
depends on the configuration flags specified when the OpenSSL
was built.
.PP
The list parameters \fBstandard-commands\fR, \fBdigest-commands\fR,
and \fBcipher-commands\fR output a list (one entry per line) of the names
of all standard commands, message digest commands, or cipher commands,
respectively, that are available in the present \fBopenssl\fR utility.
.PP
The list parameters \fBcipher-algorithms\fR and
\&\fBdigest-algorithms\fR list all cipher and message digest names, one entry per line. Aliases are listed as:
.PP
.Vb 1
\& from => to
.Ve
.PP
The list parameter \fBpublic-key-algorithms\fR lists all supported public
key algorithms.
.PP
The command \fBno\-\fR\fI\s-1XXX\s0\fR tests whether a command of the
specified name is available. If no command named \fI\s-1XXX\s0\fR exists, it
returns 0 (success) and prints \fBno\-\fR\fI\s-1XXX\s0\fR; otherwise it returns 1
and prints \fI\s-1XXX\s0\fR. In both cases, the output goes to \fBstdout\fR and
nothing is printed to \fBstderr\fR. Additional command line arguments
are always ignored. Since for each cipher there is a command of the
same name, this provides an easy way for shell scripts to test for the
availability of ciphers in the \fBopenssl\fR program. (\fBno\-\fR\fI\s-1XXX\s0\fR is
not able to detect pseudo-commands such as \fBquit\fR,
\&\fBlist\fR, or \fBno\-\fR\fI\s-1XXX\s0\fR itself.)
.SS "Standard Commands"
.IX Subsection "Standard Commands"
.IP "\fBasn1parse\fR" 4
.IX Item "asn1parse"
Parse an \s-1ASN.1\s0 sequence.
.IP "\fBca\fR" 4
.IX Item "ca"
Certificate Authority (\s-1CA\s0) Management.
.IP "\fBciphers\fR" 4
.IX Item "ciphers"
Cipher Suite Description Determination.
.IP "\fBcms\fR" 4
.IX Item "cms"
\&\s-1CMS\s0 (Cryptographic Message Syntax) utility.
.IP "\fBcrl\fR" 4
.IX Item "crl"
Certificate Revocation List (\s-1CRL\s0) Management.
.IP "\fBcrl2pkcs7\fR" 4
.IX Item "crl2pkcs7"
\&\s-1CRL\s0 to PKCS#7 Conversion.
.IP "\fBdgst\fR" 4
.IX Item "dgst"
Message Digest Calculation.
.IP "\fBdh\fR" 4
.IX Item "dh"
Diffie-Hellman Parameter Management.
Obsoleted by \fBdhparam\fR\|(1).
.IP "\fBdhparam\fR" 4
.IX Item "dhparam"
Generation and Management of Diffie-Hellman Parameters. Superseded by
\&\fBgenpkey\fR\|(1) and \fBpkeyparam\fR\|(1).
.IP "\fBdsa\fR" 4
.IX Item "dsa"
\&\s-1DSA\s0 Data Management.
.IP "\fBdsaparam\fR" 4
.IX Item "dsaparam"
\&\s-1DSA\s0 Parameter Generation and Management. Superseded by
\&\fBgenpkey\fR\|(1) and \fBpkeyparam\fR\|(1).
.IP "\fBec\fR" 4
.IX Item "ec"
\&\s-1EC\s0 (Elliptic curve) key processing.
.IP "\fBecparam\fR" 4
.IX Item "ecparam"
\&\s-1EC\s0 parameter manipulation and generation.
.IP "\fBenc\fR" 4
.IX Item "enc"
Encoding with Ciphers.
.IP "\fBengine\fR" 4
.IX Item "engine"
Engine (loadable module) information and manipulation.
.IP "\fBerrstr\fR" 4
.IX Item "errstr"
Error Number to Error String Conversion.
.IP "\fBgendh\fR" 4
.IX Item "gendh"
Generation of Diffie-Hellman Parameters.
Obsoleted by \fBdhparam\fR\|(1).
.IP "\fBgendsa\fR" 4
.IX Item "gendsa"
Generation of \s-1DSA\s0 Private Key from Parameters. Superseded by
\&\fBgenpkey\fR\|(1) and \fBpkey\fR\|(1).
.IP "\fBgenpkey\fR" 4
.IX Item "genpkey"
Generation of Private Key or Parameters.
.IP "\fBgenrsa\fR" 4
.IX Item "genrsa"
Generation of \s-1RSA\s0 Private Key. Superseded by \fBgenpkey\fR\|(1).
.IP "\fBnseq\fR" 4
.IX Item "nseq"
Create or examine a Netscape certificate sequence.
.IP "\fBocsp\fR" 4
.IX Item "ocsp"
Online Certificate Status Protocol utility.
.IP "\fBpasswd\fR" 4
.IX Item "passwd"
Generation of hashed passwords.
.IP "\fBpkcs12\fR" 4
.IX Item "pkcs12"
PKCS#12 Data Management.
.IP "\fBpkcs7\fR" 4
.IX Item "pkcs7"
PKCS#7 Data Management.
.IP "\fBpkcs8\fR" 4
.IX Item "pkcs8"
PKCS#8 format private key conversion tool.
.IP "\fBpkey\fR" 4
.IX Item "pkey"
Public and private key management.
.IP "\fBpkeyparam\fR" 4
.IX Item "pkeyparam"
Public key algorithm parameter management.
.IP "\fBpkeyutl\fR" 4
.IX Item "pkeyutl"
Public key algorithm cryptographic operation utility.
.IP "\fBprime\fR" 4
.IX Item "prime"
Compute prime numbers.
.IP "\fBrand\fR" 4
.IX Item "rand"
Generate pseudo-random bytes.
.IP "\fBrehash\fR" 4
.IX Item "rehash"
Create symbolic links to certificate and \s-1CRL\s0 files named by the hash values.
.IP "\fBreq\fR" 4
.IX Item "req"
PKCS#10 X.509 Certificate Signing Request (\s-1CSR\s0) Management.
.IP "\fBrsa\fR" 4
.IX Item "rsa"
\&\s-1RSA\s0 key management.
.IP "\fBrsautl\fR" 4
.IX Item "rsautl"
\&\s-1RSA\s0 utility for signing, verification, encryption, and decryption. Superseded
by \fBpkeyutl\fR\|(1).
.IP "\fBs_client\fR" 4
.IX Item "s_client"
This implements a generic \s-1SSL/TLS\s0 client which can establish a transparent
connection to a remote server speaking \s-1SSL/TLS.\s0 It's intended for testing
purposes only and provides only rudimentary interface functionality but
internally uses mostly all functionality of the OpenSSL \fBssl\fR library.
.IP "\fBs_server\fR" 4
.IX Item "s_server"
This implements a generic \s-1SSL/TLS\s0 server which accepts connections from remote
clients speaking \s-1SSL/TLS.\s0 It's intended for testing purposes only and provides
only rudimentary interface functionality but internally uses mostly all
functionality of the OpenSSL \fBssl\fR library. It provides both an own command
line oriented protocol for testing \s-1SSL\s0 functions and a simple \s-1HTTP\s0 response
facility to emulate an SSL/TLS\-aware webserver.
.IP "\fBs_time\fR" 4
.IX Item "s_time"
\&\s-1SSL\s0 Connection Timer.
.IP "\fBsess_id\fR" 4
.IX Item "sess_id"
\&\s-1SSL\s0 Session Data Management.
.IP "\fBsmime\fR" 4
.IX Item "smime"
S/MIME mail processing.
.IP "\fBspeed\fR" 4
.IX Item "speed"
Algorithm Speed Measurement.
.IP "\fBspkac\fR" 4
.IX Item "spkac"
\&\s-1SPKAC\s0 printing and generating utility.
.IP "\fBsrp\fR" 4
.IX Item "srp"
Maintain \s-1SRP\s0 password file.
.IP "\fBstoreutl\fR" 4
.IX Item "storeutl"
Utility to list and display certificates, keys, CRLs, etc.
.IP "\fBts\fR" 4
.IX Item "ts"
Time Stamping Authority tool (client/server).
.IP "\fBverify\fR" 4
.IX Item "verify"
X.509 Certificate Verification.
.IP "\fBversion\fR" 4
.IX Item "version"
OpenSSL Version Information.
.IP "\fBx509\fR" 4
.IX Item "x509"
X.509 Certificate Data Management.
.SS "Message Digest Commands"
.IX Subsection "Message Digest Commands"
.IP "\fBblake2b512\fR" 4
.IX Item "blake2b512"
BLAKE2b\-512 Digest
.IP "\fBblake2s256\fR" 4
.IX Item "blake2s256"
BLAKE2s\-256 Digest
.IP "\fBmd2\fR" 4
.IX Item "md2"
\&\s-1MD2\s0 Digest
.IP "\fBmd4\fR" 4
.IX Item "md4"
\&\s-1MD4\s0 Digest
.IP "\fBmd5\fR" 4
.IX Item "md5"
\&\s-1MD5\s0 Digest
.IP "\fBmdc2\fR" 4
.IX Item "mdc2"
\&\s-1MDC2\s0 Digest
.IP "\fBrmd160\fR" 4
.IX Item "rmd160"
\&\s-1RMD\-160\s0 Digest
.IP "\fBsha1\fR" 4
.IX Item "sha1"
\&\s-1SHA\-1\s0 Digest
.IP "\fBsha224\fR" 4
.IX Item "sha224"
\&\s-1SHA\-2 224\s0 Digest
.IP "\fBsha256\fR" 4
.IX Item "sha256"
\&\s-1SHA\-2 256\s0 Digest
.IP "\fBsha384\fR" 4
.IX Item "sha384"
\&\s-1SHA\-2 384\s0 Digest
.IP "\fBsha512\fR" 4
.IX Item "sha512"
\&\s-1SHA\-2 512\s0 Digest
.IP "\fBsha3\-224\fR" 4
.IX Item "sha3-224"
\&\s-1SHA\-3 224\s0 Digest
.IP "\fBsha3\-256\fR" 4
.IX Item "sha3-256"
\&\s-1SHA\-3 256\s0 Digest
.IP "\fBsha3\-384\fR" 4
.IX Item "sha3-384"
\&\s-1SHA\-3 384\s0 Digest
.IP "\fBsha3\-512\fR" 4
.IX Item "sha3-512"
\&\s-1SHA\-3 512\s0 Digest
.IP "\fBshake128\fR" 4
.IX Item "shake128"
\&\s-1SHA\-3 SHAKE128\s0 Digest
.IP "\fBshake256\fR" 4
.IX Item "shake256"
\&\s-1SHA\-3 SHAKE256\s0 Digest
.IP "\fBsm3\fR" 4
.IX Item "sm3"
\&\s-1SM3\s0 Digest
.SS "Encoding and Cipher Commands"
.IX Subsection "Encoding and Cipher Commands"
The following aliases provide convenient access to the most used encodings
and ciphers.
.PP
Depending on how OpenSSL was configured and built, not all ciphers listed
here may be present. See \fBenc\fR\|(1) for more information and command usage.
.IP "\fBaes128\fR, \fBaes\-128\-cbc\fR, \fBaes\-128\-cfb\fR, \fBaes\-128\-ctr\fR, \fBaes\-128\-ecb\fR, \fBaes\-128\-ofb\fR" 4
.IX Item "aes128, aes-128-cbc, aes-128-cfb, aes-128-ctr, aes-128-ecb, aes-128-ofb"
\&\s-1AES\-128\s0 Cipher
.IP "\fBaes192\fR, \fBaes\-192\-cbc\fR, \fBaes\-192\-cfb\fR, \fBaes\-192\-ctr\fR, \fBaes\-192\-ecb\fR, \fBaes\-192\-ofb\fR" 4
.IX Item "aes192, aes-192-cbc, aes-192-cfb, aes-192-ctr, aes-192-ecb, aes-192-ofb"
\&\s-1AES\-192\s0 Cipher
.IP "\fBaes256\fR, \fBaes\-256\-cbc\fR, \fBaes\-256\-cfb\fR, \fBaes\-256\-ctr\fR, \fBaes\-256\-ecb\fR, \fBaes\-256\-ofb\fR" 4
.IX Item "aes256, aes-256-cbc, aes-256-cfb, aes-256-ctr, aes-256-ecb, aes-256-ofb"
\&\s-1AES\-256\s0 Cipher
.IP "\fBaria128\fR, \fBaria\-128\-cbc\fR, \fBaria\-128\-cfb\fR, \fBaria\-128\-ctr\fR, \fBaria\-128\-ecb\fR, \fBaria\-128\-ofb\fR" 4
.IX Item "aria128, aria-128-cbc, aria-128-cfb, aria-128-ctr, aria-128-ecb, aria-128-ofb"
Aria\-128 Cipher
.IP "\fBaria192\fR, \fBaria\-192\-cbc\fR, \fBaria\-192\-cfb\fR, \fBaria\-192\-ctr\fR, \fBaria\-192\-ecb\fR, \fBaria\-192\-ofb\fR" 4
.IX Item "aria192, aria-192-cbc, aria-192-cfb, aria-192-ctr, aria-192-ecb, aria-192-ofb"
Aria\-192 Cipher
.IP "\fBaria256\fR, \fBaria\-256\-cbc\fR, \fBaria\-256\-cfb\fR, \fBaria\-256\-ctr\fR, \fBaria\-256\-ecb\fR, \fBaria\-256\-ofb\fR" 4
.IX Item "aria256, aria-256-cbc, aria-256-cfb, aria-256-ctr, aria-256-ecb, aria-256-ofb"
Aria\-256 Cipher
.IP "\fBbase64\fR" 4
.IX Item "base64"
Base64 Encoding
.IP "\fBbf\fR, \fBbf-cbc\fR, \fBbf-cfb\fR, \fBbf-ecb\fR, \fBbf-ofb\fR" 4
.IX Item "bf, bf-cbc, bf-cfb, bf-ecb, bf-ofb"
Blowfish Cipher
.IP "\fBcamellia128\fR, \fBcamellia\-128\-cbc\fR, \fBcamellia\-128\-cfb\fR, \fBcamellia\-128\-ctr\fR, \fBcamellia\-128\-ecb\fR, \fBcamellia\-128\-ofb\fR" 4
.IX Item "camellia128, camellia-128-cbc, camellia-128-cfb, camellia-128-ctr, camellia-128-ecb, camellia-128-ofb"
Camellia\-128 Cipher
.IP "\fBcamellia192\fR, \fBcamellia\-192\-cbc\fR, \fBcamellia\-192\-cfb\fR, \fBcamellia\-192\-ctr\fR, \fBcamellia\-192\-ecb\fR, \fBcamellia\-192\-ofb\fR" 4
.IX Item "camellia192, camellia-192-cbc, camellia-192-cfb, camellia-192-ctr, camellia-192-ecb, camellia-192-ofb"
Camellia\-192 Cipher
.IP "\fBcamellia256\fR, \fBcamellia\-256\-cbc\fR, \fBcamellia\-256\-cfb\fR, \fBcamellia\-256\-ctr\fR, \fBcamellia\-256\-ecb\fR, \fBcamellia\-256\-ofb\fR" 4
.IX Item "camellia256, camellia-256-cbc, camellia-256-cfb, camellia-256-ctr, camellia-256-ecb, camellia-256-ofb"
Camellia\-256 Cipher
.IP "\fBcast\fR, \fBcast-cbc\fR" 4
.IX Item "cast, cast-cbc"
\&\s-1CAST\s0 Cipher
.IP "\fBcast5\-cbc\fR, \fBcast5\-cfb\fR, \fBcast5\-ecb\fR, \fBcast5\-ofb\fR" 4
.IX Item "cast5-cbc, cast5-cfb, cast5-ecb, cast5-ofb"
\&\s-1CAST5\s0 Cipher
.IP "\fBchacha20\fR" 4
.IX Item "chacha20"
Chacha20 Cipher
.IP "\fBdes\fR, \fBdes-cbc\fR, \fBdes-cfb\fR, \fBdes-ecb\fR, \fBdes-ede\fR, \fBdes-ede-cbc\fR, \fBdes-ede-cfb\fR, \fBdes-ede-ofb\fR, \fBdes-ofb\fR" 4
.IX Item "des, des-cbc, des-cfb, des-ecb, des-ede, des-ede-cbc, des-ede-cfb, des-ede-ofb, des-ofb"
\&\s-1DES\s0 Cipher
.IP "\fBdes3\fR, \fBdesx\fR, \fBdes\-ede3\fR, \fBdes\-ede3\-cbc\fR, \fBdes\-ede3\-cfb\fR, \fBdes\-ede3\-ofb\fR" 4
.IX Item "des3, desx, des-ede3, des-ede3-cbc, des-ede3-cfb, des-ede3-ofb"
Triple-DES Cipher
.IP "\fBidea\fR, \fBidea-cbc\fR, \fBidea-cfb\fR, \fBidea-ecb\fR, \fBidea-ofb\fR" 4
.IX Item "idea, idea-cbc, idea-cfb, idea-ecb, idea-ofb"
\&\s-1IDEA\s0 Cipher
.IP "\fBrc2\fR, \fBrc2\-cbc\fR, \fBrc2\-cfb\fR, \fBrc2\-ecb\fR, \fBrc2\-ofb\fR" 4
.IX Item "rc2, rc2-cbc, rc2-cfb, rc2-ecb, rc2-ofb"
\&\s-1RC2\s0 Cipher
.IP "\fBrc4\fR" 4
.IX Item "rc4"
\&\s-1RC4\s0 Cipher
.IP "\fBrc5\fR, \fBrc5\-cbc\fR, \fBrc5\-cfb\fR, \fBrc5\-ecb\fR, \fBrc5\-ofb\fR" 4
.IX Item "rc5, rc5-cbc, rc5-cfb, rc5-ecb, rc5-ofb"
\&\s-1RC5\s0 Cipher
.IP "\fBseed\fR, \fBseed-cbc\fR, \fBseed-cfb\fR, \fBseed-ecb\fR, \fBseed-ofb\fR" 4
.IX Item "seed, seed-cbc, seed-cfb, seed-ecb, seed-ofb"
\&\s-1SEED\s0 Cipher
.IP "\fBsm4\fR, \fBsm4\-cbc\fR, \fBsm4\-cfb\fR, \fBsm4\-ctr\fR, \fBsm4\-ecb\fR, \fBsm4\-ofb\fR" 4
.IX Item "sm4, sm4-cbc, sm4-cfb, sm4-ctr, sm4-ecb, sm4-ofb"
\&\s-1SM4\s0 Cipher
.SH "OPTIONS"
.IX Header "OPTIONS"
Details of which options are available depend on the specific command.
This section describes some common options with common behavior.
.SS "Common Options"
.IX Subsection "Common Options"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Provides a terse summary of all options.
.SS "Pass Phrase Options"
.IX Subsection "Pass Phrase Options"
Several commands accept password arguments, typically using \fB\-passin\fR
and \fB\-passout\fR for input and output passwords respectively. These allow
the password to be obtained from a variety of sources. Both of these
options take a single argument whose format is described below. If no
password argument is given and a password is required then the user is
prompted to enter one: this will typically be read from the current
terminal with echoing turned off.
.PP
Note that character encoding may be relevant, please see
\&\fBpassphrase\-encoding\fR\|(7).
.IP "\fBpass:password\fR" 4
.IX Item "pass:password"
The actual password is \fBpassword\fR. Since the password is visible
to utilities (like 'ps' under Unix) this form should only be used
where security is not important.
.IP "\fBenv:var\fR" 4
.IX Item "env:var"
Obtain the password from the environment variable \fBvar\fR. Since
the environment of other processes is visible on certain platforms
(e.g. ps under certain Unix OSes) this option should be used with caution.
.IP "\fBfile:pathname\fR" 4
.IX Item "file:pathname"
The first line of \fBpathname\fR is the password. If the same \fBpathname\fR
argument is supplied to \fB\-passin\fR and \fB\-passout\fR arguments then the first
line will be used for the input password and the next line for the output
password. \fBpathname\fR need not refer to a regular file: it could for example
refer to a device or named pipe.
.IP "\fBfd:number\fR" 4
.IX Item "fd:number"
Read the password from the file descriptor \fBnumber\fR. This can be used to
send the data via a pipe for example.
.IP "\fBstdin\fR" 4
.IX Item "stdin"
Read the password from standard input.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBasn1parse\fR\|(1), \fBca\fR\|(1), \fBciphers\fR\|(1), \fBcms\fR\|(1), \fBconfig\fR\|(5),
\&\fBcrl\fR\|(1), \fBcrl2pkcs7\fR\|(1), \fBdgst\fR\|(1),
\&\fBdhparam\fR\|(1), \fBdsa\fR\|(1), \fBdsaparam\fR\|(1),
\&\fBec\fR\|(1), \fBecparam\fR\|(1),
\&\fBenc\fR\|(1), \fBengine\fR\|(1), \fBerrstr\fR\|(1), \fBgendsa\fR\|(1), \fBgenpkey\fR\|(1),
\&\fBgenrsa\fR\|(1), \fBnseq\fR\|(1), \fBocsp\fR\|(1),
\&\fBpasswd\fR\|(1),
\&\fBpkcs12\fR\|(1), \fBpkcs7\fR\|(1), \fBpkcs8\fR\|(1),
\&\fBpkey\fR\|(1), \fBpkeyparam\fR\|(1), \fBpkeyutl\fR\|(1), \fBprime\fR\|(1),
\&\fBrand\fR\|(1), \fBrehash\fR\|(1), \fBreq\fR\|(1), \fBrsa\fR\|(1),
\&\fBrsautl\fR\|(1), \fBs_client\fR\|(1),
\&\fBs_server\fR\|(1), \fBs_time\fR\|(1), \fBsess_id\fR\|(1),
\&\fBsmime\fR\|(1), \fBspeed\fR\|(1), \fBspkac\fR\|(1), \fBsrp\fR\|(1), \fBstoreutl\fR\|(1),
\&\fBts\fR\|(1),
\&\fBverify\fR\|(1), \fBversion\fR\|(1), \fBx509\fR\|(1),
\&\fBcrypto\fR\|(7), \fBssl\fR\|(7), \fBx509v3_config\fR\|(5)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBlist\-\fR\fI\s-1XXX\s0\fR\fB\-algorithms\fR pseudo-commands were added in OpenSSL 1.0.0;
For notes on the availability of other commands, see their individual
manual pages.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/passwd.1 b/secure/usr.bin/openssl/man/passwd.1
index 8e4944576a92..a9963e46967e 100644
--- a/secure/usr.bin/openssl/man/passwd.1
+++ b/secure/usr.bin/openssl/man/passwd.1
@@ -1,246 +1,246 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PASSWD 1"
-.TH PASSWD 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PASSWD 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-passwd, passwd \- compute password hashes
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl passwd\fR
[\fB\-help\fR]
[\fB\-crypt\fR]
[\fB\-1\fR]
[\fB\-apr1\fR]
[\fB\-aixmd5\fR]
[\fB\-5\fR]
[\fB\-6\fR]
[\fB\-salt\fR \fIstring\fR]
[\fB\-in\fR \fIfile\fR]
[\fB\-stdin\fR]
[\fB\-noverify\fR]
[\fB\-quiet\fR]
[\fB\-table\fR]
[\fB\-rand file...\fR]
[\fB\-writerand file\fR]
{\fIpassword\fR}
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBpasswd\fR command computes the hash of a password typed at
run-time or the hash of each password in a list. The password list is
taken from the named file for option \fB\-in file\fR, from stdin for
option \fB\-stdin\fR, or from the command line, or from the terminal otherwise.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-crypt\fR" 4
.IX Item "-crypt"
Use the \fBcrypt\fR algorithm (default).
.IP "\fB\-1\fR" 4
.IX Item "-1"
Use the \s-1MD5\s0 based \s-1BSD\s0 password algorithm \fB1\fR.
.IP "\fB\-apr1\fR" 4
.IX Item "-apr1"
Use the \fBapr1\fR algorithm (Apache variant of the \s-1BSD\s0 algorithm).
.IP "\fB\-aixmd5\fR" 4
.IX Item "-aixmd5"
Use the \fB\s-1AIX MD5\s0\fR algorithm (\s-1AIX\s0 variant of the \s-1BSD\s0 algorithm).
.IP "\fB\-5\fR" 4
.IX Item "-5"
.PD 0
.IP "\fB\-6\fR" 4
.IX Item "-6"
.PD
Use the \fB\s-1SHA256\s0\fR / \fB\s-1SHA512\s0\fR based algorithms defined by Ulrich Drepper.
See <https://www.akkadia.org/drepper/SHA\-crypt.txt>.
.IP "\fB\-salt\fR \fIstring\fR" 4
.IX Item "-salt string"
Use the specified salt.
When reading a password from the terminal, this implies \fB\-noverify\fR.
.IP "\fB\-in\fR \fIfile\fR" 4
.IX Item "-in file"
Read passwords from \fIfile\fR.
.IP "\fB\-stdin\fR" 4
.IX Item "-stdin"
Read passwords from \fBstdin\fR.
.IP "\fB\-noverify\fR" 4
.IX Item "-noverify"
Don't verify when reading a password from the terminal.
.IP "\fB\-quiet\fR" 4
.IX Item "-quiet"
Don't output warnings when passwords given at the command line are truncated.
.IP "\fB\-table\fR" 4
.IX Item "-table"
In the output list, prepend the cleartext password and a \s-1TAB\s0 character
to each password hash.
.IP "\fB\-rand file...\fR" 4
.IX Item "-rand file..."
A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
.IP "[\fB\-writerand file\fR]" 4
.IX Item "[-writerand file]"
Writes random data to the specified \fIfile\fR upon exit.
This can be used with a subsequent \fB\-rand\fR flag.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
.Vb 2
\& % openssl passwd \-crypt \-salt xx password
\& xxj31ZMTZzkVA
\&
\& % openssl passwd \-1 \-salt xxxxxxxx password
\& $1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.
\&
\& % openssl passwd \-apr1 \-salt xxxxxxxx password
\& $apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0
\&
\& % openssl passwd \-aixmd5 \-salt xxxxxxxx password
\& xxxxxxxx$8Oaipk/GPKhC64w/YVeFD/
.Ve
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/pkcs12.1 b/secure/usr.bin/openssl/man/pkcs12.1
index 84d221e8edc5..70d7ba4b6695 100644
--- a/secure/usr.bin/openssl/man/pkcs12.1
+++ b/secure/usr.bin/openssl/man/pkcs12.1
@@ -1,475 +1,475 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS12 1"
-.TH PKCS12 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PKCS12 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-pkcs12, pkcs12 \- PKCS#12 file utility
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBpkcs12\fR
[\fB\-help\fR]
[\fB\-export\fR]
[\fB\-chain\fR]
[\fB\-inkey file_or_id\fR]
[\fB\-certfile filename\fR]
[\fB\-name name\fR]
[\fB\-caname name\fR]
[\fB\-in filename\fR]
[\fB\-out filename\fR]
[\fB\-noout\fR]
[\fB\-nomacver\fR]
[\fB\-nocerts\fR]
[\fB\-clcerts\fR]
[\fB\-cacerts\fR]
[\fB\-nokeys\fR]
[\fB\-info\fR]
[\fB\-des | \-des3 | \-idea | \-aes128 | \-aes192 | \-aes256 | \-aria128 | \-aria192 | \-aria256 | \-camellia128 | \-camellia192 | \-camellia256 | \-nodes\fR]
[\fB\-noiter\fR]
[\fB\-maciter | \-nomaciter | \-nomac\fR]
[\fB\-twopass\fR]
[\fB\-descert\fR]
[\fB\-certpbe cipher\fR]
[\fB\-keypbe cipher\fR]
[\fB\-macalg digest\fR]
[\fB\-keyex\fR]
[\fB\-keysig\fR]
[\fB\-password arg\fR]
[\fB\-passin arg\fR]
[\fB\-passout arg\fR]
[\fB\-rand file...\fR]
[\fB\-writerand file\fR]
[\fB\-CAfile file\fR]
[\fB\-CApath dir\fR]
[\fB\-no\-CAfile\fR]
[\fB\-no\-CApath\fR]
[\fB\-CSP name\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBpkcs12\fR command allows PKCS#12 files (sometimes referred to as
\&\s-1PFX\s0 files) to be created and parsed. PKCS#12 files are used by several
programs including Netscape, \s-1MSIE\s0 and \s-1MS\s0 Outlook.
.SH "OPTIONS"
.IX Header "OPTIONS"
There are a lot of options the meaning of some depends of whether a PKCS#12 file
is being created or parsed. By default a PKCS#12 file is parsed. A PKCS#12
file can be created by using the \fB\-export\fR option (see below).
.SH "PARSING OPTIONS"
.IX Header "PARSING OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
This specifies filename of the PKCS#12 file to be parsed. Standard input is used
by default.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
The filename to write certificates and private keys to, standard output by
default. They are all written in \s-1PEM\s0 format.
.IP "\fB\-passin arg\fR" 4
.IX Item "-passin arg"
The PKCS#12 file (i.e. input file) password source. For more information about
the format of \fBarg\fR see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-passout arg\fR" 4
.IX Item "-passout arg"
Pass phrase source to encrypt any outputted private keys with. For more
information about the format of \fBarg\fR see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-password arg\fR" 4
.IX Item "-password arg"
With \-export, \-password is equivalent to \-passout.
Otherwise, \-password is equivalent to \-passin.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
This option inhibits output of the keys and certificates to the output file
version of the PKCS#12 file.
.IP "\fB\-clcerts\fR" 4
.IX Item "-clcerts"
Only output client certificates (not \s-1CA\s0 certificates).
.IP "\fB\-cacerts\fR" 4
.IX Item "-cacerts"
Only output \s-1CA\s0 certificates (not client certificates).
.IP "\fB\-nocerts\fR" 4
.IX Item "-nocerts"
No certificates at all will be output.
.IP "\fB\-nokeys\fR" 4
.IX Item "-nokeys"
No private keys will be output.
.IP "\fB\-info\fR" 4
.IX Item "-info"
Output additional information about the PKCS#12 file structure, algorithms
used and iteration counts.
.IP "\fB\-des\fR" 4
.IX Item "-des"
Use \s-1DES\s0 to encrypt private keys before outputting.
.IP "\fB\-des3\fR" 4
.IX Item "-des3"
Use triple \s-1DES\s0 to encrypt private keys before outputting, this is the default.
.IP "\fB\-idea\fR" 4
.IX Item "-idea"
Use \s-1IDEA\s0 to encrypt private keys before outputting.
.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR" 4
.IX Item "-aes128, -aes192, -aes256"
Use \s-1AES\s0 to encrypt private keys before outputting.
.IP "\fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR" 4
.IX Item "-aria128, -aria192, -aria256"
Use \s-1ARIA\s0 to encrypt private keys before outputting.
.IP "\fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR" 4
.IX Item "-camellia128, -camellia192, -camellia256"
Use Camellia to encrypt private keys before outputting.
.IP "\fB\-nodes\fR" 4
.IX Item "-nodes"
Don't encrypt the private keys at all.
.IP "\fB\-nomacver\fR" 4
.IX Item "-nomacver"
Don't attempt to verify the integrity \s-1MAC\s0 before reading the file.
.IP "\fB\-twopass\fR" 4
.IX Item "-twopass"
Prompt for separate integrity and encryption passwords: most software
always assumes these are the same so this option will render such
PKCS#12 files unreadable. Cannot be used in combination with the options
\&\-password, \-passin (if importing) or \-passout (if exporting).
.SH "FILE CREATION OPTIONS"
.IX Header "FILE CREATION OPTIONS"
.IP "\fB\-export\fR" 4
.IX Item "-export"
This option specifies that a PKCS#12 file will be created rather than
parsed.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
This specifies filename to write the PKCS#12 file to. Standard output is used
by default.
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
The filename to read certificates and private keys from, standard input by
default. They must all be in \s-1PEM\s0 format. The order doesn't matter but one
private key and its corresponding certificate should be present. If additional
certificates are present they will also be included in the PKCS#12 file.
.IP "\fB\-inkey file_or_id\fR" 4
.IX Item "-inkey file_or_id"
File to read private key from. If not present then a private key must be present
in the input file.
If no engine is used, the argument is taken as a file; if an engine is
specified, the argument is given to the engine as a key identifier.
.IP "\fB\-name friendlyname\fR" 4
.IX Item "-name friendlyname"
This specifies the \*(L"friendly name\*(R" for the certificate and private key. This
name is typically displayed in list boxes by software importing the file.
.IP "\fB\-certfile filename\fR" 4
.IX Item "-certfile filename"
A filename to read additional certificates from.
.IP "\fB\-caname friendlyname\fR" 4
.IX Item "-caname friendlyname"
This specifies the \*(L"friendly name\*(R" for other certificates. This option may be
used multiple times to specify names for all certificates in the order they
appear. Netscape ignores friendly names on other certificates whereas \s-1MSIE\s0
displays them.
.IP "\fB\-pass arg\fR, \fB\-passout arg\fR" 4
.IX Item "-pass arg, -passout arg"
The PKCS#12 file (i.e. output file) password source. For more information about
the format of \fBarg\fR see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-passin password\fR" 4
.IX Item "-passin password"
Pass phrase source to decrypt any input private keys with. For more information
about the format of \fBarg\fR see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-chain\fR" 4
.IX Item "-chain"
If this option is present then an attempt is made to include the entire
certificate chain of the user certificate. The standard \s-1CA\s0 store is used
for this search. If the search fails it is considered a fatal error.
.IP "\fB\-descert\fR" 4
.IX Item "-descert"
Encrypt the certificate using triple \s-1DES,\s0 this may render the PKCS#12
file unreadable by some \*(L"export grade\*(R" software. By default the private
key is encrypted using triple \s-1DES\s0 and the certificate using 40 bit \s-1RC2\s0
unless \s-1RC2\s0 is disabled in which case triple \s-1DES\s0 is used.
.IP "\fB\-keypbe alg\fR, \fB\-certpbe alg\fR" 4
.IX Item "-keypbe alg, -certpbe alg"
These options allow the algorithm used to encrypt the private key and
certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 \s-1PBE\s0 algorithm name
can be used (see \fB\s-1NOTES\s0\fR section for more information). If a cipher name
(as output by the \fBlist-cipher-algorithms\fR command is specified then it
is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only
use PKCS#12 algorithms.
.IP "\fB\-keyex|\-keysig\fR" 4
.IX Item "-keyex|-keysig"
Specifies that the private key is to be used for key exchange or just signing.
This option is only interpreted by \s-1MSIE\s0 and similar \s-1MS\s0 software. Normally
\&\*(L"export grade\*(R" software will only allow 512 bit \s-1RSA\s0 keys to be used for
encryption purposes but arbitrary length keys for signing. The \fB\-keysig\fR
option marks the key for signing only. Signing only keys can be used for
S/MIME signing, authenticode (ActiveX control signing) and \s-1SSL\s0 client
authentication, however, due to a bug only \s-1MSIE 5.0\s0 and later support
the use of signing only keys for \s-1SSL\s0 client authentication.
.IP "\fB\-macalg digest\fR" 4
.IX Item "-macalg digest"
Specify the \s-1MAC\s0 digest algorithm. If not included them \s-1SHA1\s0 will be used.
.IP "\fB\-nomaciter\fR, \fB\-noiter\fR" 4
.IX Item "-nomaciter, -noiter"
These options affect the iteration counts on the \s-1MAC\s0 and key algorithms.
Unless you wish to produce files compatible with \s-1MSIE 4.0\s0 you should leave
these options alone.
.Sp
To discourage attacks by using large dictionaries of common passwords the
algorithm that derives keys from passwords can have an iteration count applied
to it: this causes a certain part of the algorithm to be repeated and slows it
down. The \s-1MAC\s0 is used to check the file integrity but since it will normally
have the same password as the keys and certificates it could also be attacked.
By default both \s-1MAC\s0 and encryption iteration counts are set to 2048, using
these options the \s-1MAC\s0 and encryption iteration counts can be set to 1, since
this reduces the file security you should not use these options unless you
really have to. Most software supports both \s-1MAC\s0 and key iteration counts.
\&\s-1MSIE 4.0\s0 doesn't support \s-1MAC\s0 iteration counts so it needs the \fB\-nomaciter\fR
option.
.IP "\fB\-maciter\fR" 4
.IX Item "-maciter"
This option is included for compatibility with previous versions, it used
to be needed to use \s-1MAC\s0 iterations counts but they are now used by default.
.IP "\fB\-nomac\fR" 4
.IX Item "-nomac"
Don't attempt to provide the \s-1MAC\s0 integrity.
.IP "\fB\-rand file...\fR" 4
.IX Item "-rand file..."
A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
.IP "[\fB\-writerand file\fR]" 4
.IX Item "[-writerand file]"
Writes random data to the specified \fIfile\fR upon exit.
This can be used with a subsequent \fB\-rand\fR flag.
.IP "\fB\-CAfile file\fR" 4
.IX Item "-CAfile file"
\&\s-1CA\s0 storage as a file.
.IP "\fB\-CApath dir\fR" 4
.IX Item "-CApath dir"
\&\s-1CA\s0 storage as a directory. This directory must be a standard certificate
directory: that is a hash of each subject name (using \fBx509 \-hash\fR) should be
linked to each certificate.
.IP "\fB\-no\-CAfile\fR" 4
.IX Item "-no-CAfile"
Do not load the trusted \s-1CA\s0 certificates from the default file location.
.IP "\fB\-no\-CApath\fR" 4
.IX Item "-no-CApath"
Do not load the trusted \s-1CA\s0 certificates from the default directory location.
.IP "\fB\-CSP name\fR" 4
.IX Item "-CSP name"
Write \fBname\fR as a Microsoft \s-1CSP\s0 name.
.SH "NOTES"
.IX Header "NOTES"
Although there are a large number of options most of them are very rarely
used. For PKCS#12 file parsing only \fB\-in\fR and \fB\-out\fR need to be used
for PKCS#12 file creation \fB\-export\fR and \fB\-name\fR are also used.
.PP
If none of the \fB\-clcerts\fR, \fB\-cacerts\fR or \fB\-nocerts\fR options are present
then all certificates will be output in the order they appear in the input
PKCS#12 files. There is no guarantee that the first certificate present is
the one corresponding to the private key. Certain software which requires
a private key and certificate and assumes the first certificate in the
file is the one corresponding to the private key: this may not always
be the case. Using the \fB\-clcerts\fR option will solve this problem by only
outputting the certificate corresponding to the private key. If the \s-1CA\s0
certificates are required then they can be output to a separate file using
the \fB\-nokeys \-cacerts\fR options to just output \s-1CA\s0 certificates.
.PP
The \fB\-keypbe\fR and \fB\-certpbe\fR algorithms allow the precise encryption
algorithms for private keys and certificates to be specified. Normally
the defaults are fine but occasionally software can't handle triple \s-1DES\s0
encrypted private keys, then the option \fB\-keypbe \s-1PBE\-SHA1\-RC2\-40\s0\fR can
be used to reduce the private key encryption to 40 bit \s-1RC2. A\s0 complete
description of all algorithms is contained in the \fBpkcs8\fR manual page.
.PP
Prior 1.1 release passwords containing non-ASCII characters were encoded
in non-compliant manner, which limited interoperability, in first hand
with Windows. But switching to standard-compliant password encoding
poses problem accessing old data protected with broken encoding. For
this reason even legacy encodings is attempted when reading the
data. If you use PKCS#12 files in production application you are advised
to convert the data, because implemented heuristic approach is not
MT-safe, its sole goal is to facilitate the data upgrade with this
utility.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Parse a PKCS#12 file and output it to a file:
.PP
.Vb 1
\& openssl pkcs12 \-in file.p12 \-out file.pem
.Ve
.PP
Output only client certificates to a file:
.PP
.Vb 1
\& openssl pkcs12 \-in file.p12 \-clcerts \-out file.pem
.Ve
.PP
Don't encrypt the private key:
.PP
.Vb 1
\& openssl pkcs12 \-in file.p12 \-out file.pem \-nodes
.Ve
.PP
Print some info about a PKCS#12 file:
.PP
.Vb 1
\& openssl pkcs12 \-in file.p12 \-info \-noout
.Ve
.PP
Create a PKCS#12 file:
.PP
.Vb 1
\& openssl pkcs12 \-export \-in file.pem \-out file.p12 \-name "My Certificate"
.Ve
.PP
Include some extra certificates:
.PP
.Vb 2
\& openssl pkcs12 \-export \-in file.pem \-out file.p12 \-name "My Certificate" \e
\& \-certfile othercerts.pem
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBpkcs8\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/pkcs7.1 b/secure/usr.bin/openssl/man/pkcs7.1
index 2046b835aa6b..3afbe5d3f2cd 100644
--- a/secure/usr.bin/openssl/man/pkcs7.1
+++ b/secure/usr.bin/openssl/man/pkcs7.1
@@ -1,242 +1,242 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS7 1"
-.TH PKCS7 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PKCS7 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-pkcs7, pkcs7 \- PKCS#7 utility
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBpkcs7\fR
[\fB\-help\fR]
[\fB\-inform PEM|DER\fR]
[\fB\-outform PEM|DER\fR]
[\fB\-in filename\fR]
[\fB\-out filename\fR]
[\fB\-print_certs\fR]
[\fB\-text\fR]
[\fB\-noout\fR]
[\fB\-engine id\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBpkcs7\fR command processes PKCS#7 files in \s-1DER\s0 or \s-1PEM\s0 format.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform DER|PEM\fR" 4
.IX Item "-inform DER|PEM"
This specifies the input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded PKCS#7
v1.5 structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of
the \s-1DER\s0 form with header and footer lines.
.IP "\fB\-outform DER|PEM\fR" 4
.IX Item "-outform DER|PEM"
This specifies the output format, the options have the same meaning and default
as the \fB\-inform\fR option.
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read from or standard input if this
option is not specified.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
Specifies the output filename to write to or standard output by
default.
.IP "\fB\-print_certs\fR" 4
.IX Item "-print_certs"
Prints out any certificates or CRLs contained in the file. They are
preceded by their subject and issuer names in one line format.
.IP "\fB\-text\fR" 4
.IX Item "-text"
Prints out certificates details in full rather than just subject and
issuer names.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
Don't output the encoded version of the PKCS#7 structure (or certificates
is \fB\-print_certs\fR is set).
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
Specifying an engine (by its unique \fBid\fR string) will cause \fBpkcs7\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Convert a PKCS#7 file from \s-1PEM\s0 to \s-1DER:\s0
.PP
.Vb 1
\& openssl pkcs7 \-in file.pem \-outform DER \-out file.der
.Ve
.PP
Output all certificates in a file:
.PP
.Vb 1
\& openssl pkcs7 \-in file.pem \-print_certs \-out certs.pem
.Ve
.SH "NOTES"
.IX Header "NOTES"
The \s-1PEM\s0 PKCS#7 format uses the header and footer lines:
.PP
.Vb 2
\& \-\-\-\-\-BEGIN PKCS7\-\-\-\-\-
\& \-\-\-\-\-END PKCS7\-\-\-\-\-
.Ve
.PP
For compatibility with some CAs it will also accept:
.PP
.Vb 2
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
.Ve
.SH "RESTRICTIONS"
.IX Header "RESTRICTIONS"
There is no option to print out all the fields of a PKCS#7 file.
.PP
This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in \s-1RFC2315\s0 they
cannot currently parse, for example, the new \s-1CMS\s0 as described in \s-1RFC2630.\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBcrl2pkcs7\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/pkcs8.1 b/secure/usr.bin/openssl/man/pkcs8.1
index 9e870661b9d4..570e8ed2b627 100644
--- a/secure/usr.bin/openssl/man/pkcs8.1
+++ b/secure/usr.bin/openssl/man/pkcs8.1
@@ -1,434 +1,434 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKCS8 1"
-.TH PKCS8 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PKCS8 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-pkcs8, pkcs8 \- PKCS#8 format private key conversion tool
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBpkcs8\fR
[\fB\-help\fR]
[\fB\-topk8\fR]
[\fB\-inform PEM|DER\fR]
[\fB\-outform PEM|DER\fR]
[\fB\-in filename\fR]
[\fB\-passin arg\fR]
[\fB\-out filename\fR]
[\fB\-passout arg\fR]
[\fB\-iter count\fR]
[\fB\-noiter\fR]
[\fB\-rand file...\fR]
[\fB\-writerand file\fR]
[\fB\-nocrypt\fR]
[\fB\-traditional\fR]
[\fB\-v2 alg\fR]
[\fB\-v2prf alg\fR]
[\fB\-v1 alg\fR]
[\fB\-engine id\fR]
[\fB\-scrypt\fR]
[\fB\-scrypt_N N\fR]
[\fB\-scrypt_r r\fR]
[\fB\-scrypt_p p\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBpkcs8\fR command processes private keys in PKCS#8 format. It can handle
both unencrypted PKCS#8 PrivateKeyInfo format and EncryptedPrivateKeyInfo
format with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-topk8\fR" 4
.IX Item "-topk8"
Normally a PKCS#8 private key is expected on input and a private key will be
written to the output file. With the \fB\-topk8\fR option the situation is
reversed: it reads a private key and writes a PKCS#8 format key.
.IP "\fB\-inform DER|PEM\fR" 4
.IX Item "-inform DER|PEM"
This specifies the input format: see \*(L"\s-1KEY FORMATS\*(R"\s0 for more details. The default
format is \s-1PEM.\s0
.IP "\fB\-outform DER|PEM\fR" 4
.IX Item "-outform DER|PEM"
This specifies the output format: see \*(L"\s-1KEY FORMATS\*(R"\s0 for more details. The default
format is \s-1PEM.\s0
.IP "\fB\-traditional\fR" 4
.IX Item "-traditional"
When this option is present and \fB\-topk8\fR is not a traditional format private
key is written.
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read a key from or standard input if this
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
.IP "\fB\-passin arg\fR" 4
.IX Item "-passin arg"
The input file password source. For more information about the format of \fBarg\fR
see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
This specifies the output filename to write a key to or standard output by
default. If any encryption options are set then a pass phrase will be
prompted for. The output filename should \fBnot\fR be the same as the input
filename.
.IP "\fB\-passout arg\fR" 4
.IX Item "-passout arg"
The output file password source. For more information about the format of \fBarg\fR
see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-iter count\fR" 4
.IX Item "-iter count"
When creating new PKCS#8 containers, use a given number of iterations on
the password in deriving the encryption key for the PKCS#8 output.
High values increase the time required to brute-force a PKCS#8 container.
.IP "\fB\-nocrypt\fR" 4
.IX Item "-nocrypt"
PKCS#8 keys generated or input are normally PKCS#8 EncryptedPrivateKeyInfo
structures using an appropriate password based encryption algorithm. With
this option an unencrypted PrivateKeyInfo structure is expected or output.
This option does not encrypt private keys at all and should only be used
when absolutely necessary. Certain software such as some versions of Java
code signing software used unencrypted private keys.
.IP "\fB\-rand file...\fR" 4
.IX Item "-rand file..."
A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
.IP "[\fB\-writerand file\fR]" 4
.IX Item "[-writerand file]"
Writes random data to the specified \fIfile\fR upon exit.
This can be used with a subsequent \fB\-rand\fR flag.
.IP "\fB\-v2 alg\fR" 4
.IX Item "-v2 alg"
This option sets the PKCS#5 v2.0 algorithm.
.Sp
The \fBalg\fR argument is the encryption algorithm to use, valid values include
\&\fBaes128\fR, \fBaes256\fR and \fBdes3\fR. If this option isn't specified then \fBaes256\fR
is used.
.IP "\fB\-v2prf alg\fR" 4
.IX Item "-v2prf alg"
This option sets the \s-1PRF\s0 algorithm to use with PKCS#5 v2.0. A typical value
value would be \fBhmacWithSHA256\fR. If this option isn't set then the default
for the cipher is used or \fBhmacWithSHA256\fR if there is no default.
.Sp
Some implementations may not support custom \s-1PRF\s0 algorithms and may require
the \fBhmacWithSHA1\fR option to work.
.IP "\fB\-v1 alg\fR" 4
.IX Item "-v1 alg"
This option indicates a PKCS#5 v1.5 or PKCS#12 algorithm should be used. Some
older implementations may not support PKCS#5 v2.0 and may require this option.
If not specified PKCS#5 v2.0 form is used.
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
Specifying an engine (by its unique \fBid\fR string) will cause \fBpkcs8\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
.IP "\fB\-scrypt\fR" 4
.IX Item "-scrypt"
Uses the \fBscrypt\fR algorithm for private key encryption using default
parameters: currently N=16384, r=8 and p=1 and \s-1AES\s0 in \s-1CBC\s0 mode with a 256 bit
key. These parameters can be modified using the \fB\-scrypt_N\fR, \fB\-scrypt_r\fR,
\&\fB\-scrypt_p\fR and \fB\-v2\fR options.
.IP "\fB\-scrypt_N N\fR \fB\-scrypt_r r\fR \fB\-scrypt_p p\fR" 4
.IX Item "-scrypt_N N -scrypt_r r -scrypt_p p"
Sets the scrypt \fBN\fR, \fBr\fR or \fBp\fR parameters.
.SH "KEY FORMATS"
.IX Header "KEY FORMATS"
Various different formats are used by the pkcs8 utility. These are detailed
below.
.PP
If a key is being converted from PKCS#8 form (i.e. the \fB\-topk8\fR option is
not used) then the input file must be in PKCS#8 format. An encrypted
key is expected unless \fB\-nocrypt\fR is included.
.PP
If \fB\-topk8\fR is not used and \fB\s-1PEM\s0\fR mode is set the output file will be an
unencrypted private key in PKCS#8 format. If the \fB\-traditional\fR option is
used then a traditional format private key is written instead.
.PP
If \fB\-topk8\fR is not used and \fB\s-1DER\s0\fR mode is set the output file will be an
unencrypted private key in traditional \s-1DER\s0 format.
.PP
If \fB\-topk8\fR is used then any supported private key can be used for the input
file in a format specified by \fB\-inform\fR. The output file will be encrypted
PKCS#8 format using the specified encryption parameters unless \fB\-nocrypt\fR
is included.
.SH "NOTES"
.IX Header "NOTES"
By default, when converting a key to PKCS#8 format, PKCS#5 v2.0 using 256 bit
\&\s-1AES\s0 with \s-1HMAC\s0 and \s-1SHA256\s0 is used.
.PP
Some older implementations do not support PKCS#5 v2.0 format and require
the older PKCS#5 v1.5 form instead, possibly also requiring insecure weak
encryption algorithms such as 56 bit \s-1DES.\s0
.PP
The encrypted form of a \s-1PEM\s0 encode PKCS#8 files uses the following
headers and footers:
.PP
.Vb 2
\& \-\-\-\-\-BEGIN ENCRYPTED PRIVATE KEY\-\-\-\-\-
\& \-\-\-\-\-END ENCRYPTED PRIVATE KEY\-\-\-\-\-
.Ve
.PP
The unencrypted form uses:
.PP
.Vb 2
\& \-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\-
\& \-\-\-\-\-END PRIVATE KEY\-\-\-\-\-
.Ve
.PP
Private keys encrypted using PKCS#5 v2.0 algorithms and high iteration
counts are more secure that those encrypted using the traditional
SSLeay compatible formats. So if additional security is considered
important the keys should be converted.
.PP
It is possible to write out \s-1DER\s0 encoded encrypted private keys in
PKCS#8 format because the encryption details are included at an \s-1ASN1\s0
level whereas the traditional format includes them at a \s-1PEM\s0 level.
.SH "PKCS#5 v1.5 and PKCS#12 algorithms."
.IX Header "PKCS#5 v1.5 and PKCS#12 algorithms."
Various algorithms can be used with the \fB\-v1\fR command line option,
including PKCS#5 v1.5 and PKCS#12. These are described in more detail
below.
.IP "\fB\s-1PBE\-MD2\-DES PBE\-MD5\-DES\s0\fR" 4
.IX Item "PBE-MD2-DES PBE-MD5-DES"
These algorithms were included in the original PKCS#5 v1.5 specification.
They only offer 56 bits of protection since they both use \s-1DES.\s0
.IP "\fB\s-1PBE\-SHA1\-RC2\-64\s0\fR, \fB\s-1PBE\-MD2\-RC2\-64\s0\fR, \fB\s-1PBE\-MD5\-RC2\-64\s0\fR, \fB\s-1PBE\-SHA1\-DES\s0\fR" 4
.IX Item "PBE-SHA1-RC2-64, PBE-MD2-RC2-64, PBE-MD5-RC2-64, PBE-SHA1-DES"
These algorithms are not mentioned in the original PKCS#5 v1.5 specification
but they use the same key derivation algorithm and are supported by some
software. They are mentioned in PKCS#5 v2.0. They use either 64 bit \s-1RC2\s0 or
56 bit \s-1DES.\s0
.IP "\fB\s-1PBE\-SHA1\-RC4\-128\s0\fR, \fB\s-1PBE\-SHA1\-RC4\-40\s0\fR, \fB\s-1PBE\-SHA1\-3DES\s0\fR, \fB\s-1PBE\-SHA1\-2DES\s0\fR, \fB\s-1PBE\-SHA1\-RC2\-128\s0\fR, \fB\s-1PBE\-SHA1\-RC2\-40\s0\fR" 4
.IX Item "PBE-SHA1-RC4-128, PBE-SHA1-RC4-40, PBE-SHA1-3DES, PBE-SHA1-2DES, PBE-SHA1-RC2-128, PBE-SHA1-RC2-40"
These algorithms use the PKCS#12 password based encryption algorithm and
allow strong encryption algorithms like triple \s-1DES\s0 or 128 bit \s-1RC2\s0 to be used.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Convert a private key to PKCS#8 format using default parameters (\s-1AES\s0 with
256 bit key and \fBhmacWithSHA256\fR):
.PP
.Vb 1
\& openssl pkcs8 \-in key.pem \-topk8 \-out enckey.pem
.Ve
.PP
Convert a private key to PKCS#8 unencrypted format:
.PP
.Vb 1
\& openssl pkcs8 \-in key.pem \-topk8 \-nocrypt \-out enckey.pem
.Ve
.PP
Convert a private key to PKCS#5 v2.0 format using triple \s-1DES:\s0
.PP
.Vb 1
\& openssl pkcs8 \-in key.pem \-topk8 \-v2 des3 \-out enckey.pem
.Ve
.PP
Convert a private key to PKCS#5 v2.0 format using \s-1AES\s0 with 256 bits in \s-1CBC\s0
mode and \fBhmacWithSHA512\fR \s-1PRF:\s0
.PP
.Vb 1
\& openssl pkcs8 \-in key.pem \-topk8 \-v2 aes\-256\-cbc \-v2prf hmacWithSHA512 \-out enckey.pem
.Ve
.PP
Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm
(\s-1DES\s0):
.PP
.Vb 1
\& openssl pkcs8 \-in key.pem \-topk8 \-v1 PBE\-MD5\-DES \-out enckey.pem
.Ve
.PP
Convert a private key to PKCS#8 using a PKCS#12 compatible algorithm
(3DES):
.PP
.Vb 1
\& openssl pkcs8 \-in key.pem \-topk8 \-out enckey.pem \-v1 PBE\-SHA1\-3DES
.Ve
.PP
Read a \s-1DER\s0 unencrypted PKCS#8 format private key:
.PP
.Vb 1
\& openssl pkcs8 \-inform DER \-nocrypt \-in key.der \-out key.pem
.Ve
.PP
Convert a private key from any PKCS#8 encrypted format to traditional format:
.PP
.Vb 1
\& openssl pkcs8 \-in pk8.pem \-traditional \-out key.pem
.Ve
.PP
Convert a private key to PKCS#8 format, encrypting with \s-1AES\-256\s0 and with
one million iterations of the password:
.PP
.Vb 1
\& openssl pkcs8 \-in key.pem \-topk8 \-v2 aes\-256\-cbc \-iter 1000000 \-out pk8.pem
.Ve
.SH "STANDARDS"
.IX Header "STANDARDS"
Test vectors from this PKCS#5 v2.0 implementation were posted to the
pkcs-tng mailing list using triple \s-1DES, DES\s0 and \s-1RC2\s0 with high iteration
counts, several people confirmed that they could decrypt the private
keys produced and therefore, it can be assumed that the PKCS#5 v2.0
implementation is reasonably accurate at least as far as these
algorithms are concerned.
.PP
The format of PKCS#8 \s-1DSA\s0 (and other) private keys is not well documented:
it is hidden away in PKCS#11 v2.01, section 11.9. OpenSSL's default \s-1DSA\s0
PKCS#8 private key format complies with this standard.
.SH "BUGS"
.IX Header "BUGS"
There should be an option that prints out the encryption algorithm
in use and other details such as the iteration count.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBdsa\fR\|(1), \fBrsa\fR\|(1), \fBgenrsa\fR\|(1),
\&\fBgendsa\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-iter\fR option was added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/pkey.1 b/secure/usr.bin/openssl/man/pkey.1
index ec2b31a37e37..f380e10c5ca4 100644
--- a/secure/usr.bin/openssl/man/pkey.1
+++ b/secure/usr.bin/openssl/man/pkey.1
@@ -1,288 +1,288 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKEY 1"
-.TH PKEY 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PKEY 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-pkey, pkey \- public or private key processing tool
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBpkey\fR
[\fB\-help\fR]
[\fB\-inform PEM|DER\fR]
[\fB\-outform PEM|DER\fR]
[\fB\-in filename\fR]
[\fB\-passin arg\fR]
[\fB\-out filename\fR]
[\fB\-passout arg\fR]
[\fB\-traditional\fR]
[\fB\-\f(BIcipher\fB\fR]
[\fB\-text\fR]
[\fB\-text_pub\fR]
[\fB\-noout\fR]
[\fB\-pubin\fR]
[\fB\-pubout\fR]
[\fB\-engine id\fR]
[\fB\-check\fR]
[\fB\-pubcheck\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBpkey\fR command processes public or private keys. They can be converted
between various forms and their components printed out.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform DER|PEM\fR" 4
.IX Item "-inform DER|PEM"
This specifies the input format \s-1DER\s0 or \s-1PEM.\s0 The default format is \s-1PEM.\s0
.IP "\fB\-outform DER|PEM\fR" 4
.IX Item "-outform DER|PEM"
This specifies the output format, the options have the same meaning and default
as the \fB\-inform\fR option.
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read a key from or standard input if this
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
.IP "\fB\-passin arg\fR" 4
.IX Item "-passin arg"
The input file password source. For more information about the format of \fBarg\fR
see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
This specifies the output filename to write a key to or standard output if this
option is not specified. If any encryption options are set then a pass phrase
will be prompted for. The output filename should \fBnot\fR be the same as the input
filename.
.IP "\fB\-passout password\fR" 4
.IX Item "-passout password"
The output file password source. For more information about the format of \fBarg\fR
see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-traditional\fR" 4
.IX Item "-traditional"
Normally a private key is written using standard format: this is PKCS#8 form
with the appropriate encryption algorithm (if any). If the \fB\-traditional\fR
option is specified then the older \*(L"traditional\*(R" format is used instead.
.IP "\fB\-\f(BIcipher\fB\fR" 4
.IX Item "-cipher"
These options encrypt the private key with the supplied cipher. Any algorithm
name accepted by \fBEVP_get_cipherbyname()\fR is acceptable such as \fBdes3\fR.
.IP "\fB\-text\fR" 4
.IX Item "-text"
Prints out the various public or private key components in
plain text in addition to the encoded version.
.IP "\fB\-text_pub\fR" 4
.IX Item "-text_pub"
Print out only public key components even if a private key is being processed.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
Do not output the encoded version of the key.
.IP "\fB\-pubin\fR" 4
.IX Item "-pubin"
By default a private key is read from the input file: with this
option a public key is read instead.
.IP "\fB\-pubout\fR" 4
.IX Item "-pubout"
By default a private key is output: with this option a public
key will be output instead. This option is automatically set if
the input is a public key.
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
Specifying an engine (by its unique \fBid\fR string) will cause \fBpkey\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
.IP "\fB\-check\fR" 4
.IX Item "-check"
This option checks the consistency of a key pair for both public and private
components.
.IP "\fB\-pubcheck\fR" 4
.IX Item "-pubcheck"
This option checks the correctness of either a public key or the public component
of a key pair.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
To remove the pass phrase on an \s-1RSA\s0 private key:
.PP
.Vb 1
\& openssl pkey \-in key.pem \-out keyout.pem
.Ve
.PP
To encrypt a private key using triple \s-1DES:\s0
.PP
.Vb 1
\& openssl pkey \-in key.pem \-des3 \-out keyout.pem
.Ve
.PP
To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format:
.PP
.Vb 1
\& openssl pkey \-in key.pem \-outform DER \-out keyout.der
.Ve
.PP
To print out the components of a private key to standard output:
.PP
.Vb 1
\& openssl pkey \-in key.pem \-text \-noout
.Ve
.PP
To print out the public components of a private key to standard output:
.PP
.Vb 1
\& openssl pkey \-in key.pem \-text_pub \-noout
.Ve
.PP
To just output the public part of a private key:
.PP
.Vb 1
\& openssl pkey \-in key.pem \-pubout \-out pubkey.pem
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBgenpkey\fR\|(1), \fBrsa\fR\|(1), \fBpkcs8\fR\|(1),
\&\fBdsa\fR\|(1), \fBgenrsa\fR\|(1), \fBgendsa\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/pkeyparam.1 b/secure/usr.bin/openssl/man/pkeyparam.1
index 595e52e8071a..ffe7b17257cf 100644
--- a/secure/usr.bin/openssl/man/pkeyparam.1
+++ b/secure/usr.bin/openssl/man/pkeyparam.1
@@ -1,207 +1,207 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKEYPARAM 1"
-.TH PKEYPARAM 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PKEYPARAM 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-pkeyparam, pkeyparam \- public key algorithm parameter processing tool
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBpkeyparam\fR
[\fB\-help\fR]
[\fB\-in filename\fR]
[\fB\-out filename\fR]
[\fB\-text\fR]
[\fB\-noout\fR]
[\fB\-engine id\fR]
[\fB\-check\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBpkeyparam\fR command processes public key algorithm parameters.
They can be checked for correctness and their components printed out.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read parameters from or standard input if
this option is not specified.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
This specifies the output filename to write parameters to or standard output if
this option is not specified.
.IP "\fB\-text\fR" 4
.IX Item "-text"
Prints out the parameters in plain text in addition to the encoded version.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
Do not output the encoded version of the parameters.
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
Specifying an engine (by its unique \fBid\fR string) will cause \fBpkeyparam\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
.IP "\fB\-check\fR" 4
.IX Item "-check"
This option checks the correctness of parameters.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Print out text version of parameters:
.PP
.Vb 1
\& openssl pkeyparam \-in param.pem \-text
.Ve
.SH "NOTES"
.IX Header "NOTES"
There are no \fB\-inform\fR or \fB\-outform\fR options for this command because only
\&\s-1PEM\s0 format is supported because the key type is determined by the \s-1PEM\s0 headers.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBgenpkey\fR\|(1), \fBrsa\fR\|(1), \fBpkcs8\fR\|(1),
\&\fBdsa\fR\|(1), \fBgenrsa\fR\|(1), \fBgendsa\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2019 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/pkeyutl.1 b/secure/usr.bin/openssl/man/pkeyutl.1
index a7032e604df1..8c4b8e42fa78 100644
--- a/secure/usr.bin/openssl/man/pkeyutl.1
+++ b/secure/usr.bin/openssl/man/pkeyutl.1
@@ -1,439 +1,439 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PKEYUTL 1"
-.TH PKEYUTL 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PKEYUTL 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-pkeyutl, pkeyutl \- public key algorithm utility
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBpkeyutl\fR
[\fB\-help\fR]
[\fB\-in file\fR]
[\fB\-out file\fR]
[\fB\-sigfile file\fR]
[\fB\-inkey file\fR]
[\fB\-keyform PEM|DER|ENGINE\fR]
[\fB\-passin arg\fR]
[\fB\-peerkey file\fR]
[\fB\-peerform PEM|DER|ENGINE\fR]
[\fB\-pubin\fR]
[\fB\-certin\fR]
[\fB\-rev\fR]
[\fB\-sign\fR]
[\fB\-verify\fR]
[\fB\-verifyrecover\fR]
[\fB\-encrypt\fR]
[\fB\-decrypt\fR]
[\fB\-derive\fR]
[\fB\-kdf algorithm\fR]
[\fB\-kdflen length\fR]
[\fB\-pkeyopt opt:value\fR]
[\fB\-hexdump\fR]
[\fB\-asn1parse\fR]
[\fB\-rand file...\fR]
[\fB\-writerand file\fR]
[\fB\-engine id\fR]
[\fB\-engine_impl\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBpkeyutl\fR command can be used to perform low-level public key operations
using any supported algorithm.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read data from or standard input
if this option is not specified.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
Specifies the output filename to write to or standard output by
default.
.IP "\fB\-sigfile file\fR" 4
.IX Item "-sigfile file"
Signature file, required for \fBverify\fR operations only
.IP "\fB\-inkey file\fR" 4
.IX Item "-inkey file"
The input key file, by default it should be a private key.
.IP "\fB\-keyform PEM|DER|ENGINE\fR" 4
.IX Item "-keyform PEM|DER|ENGINE"
The key format \s-1PEM, DER\s0 or \s-1ENGINE.\s0 Default is \s-1PEM.\s0
.IP "\fB\-passin arg\fR" 4
.IX Item "-passin arg"
The input key password source. For more information about the format of \fBarg\fR
see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-peerkey file\fR" 4
.IX Item "-peerkey file"
The peer key file, used by key derivation (agreement) operations.
.IP "\fB\-peerform PEM|DER|ENGINE\fR" 4
.IX Item "-peerform PEM|DER|ENGINE"
The peer key format \s-1PEM, DER\s0 or \s-1ENGINE.\s0 Default is \s-1PEM.\s0
.IP "\fB\-pubin\fR" 4
.IX Item "-pubin"
The input file is a public key.
.IP "\fB\-certin\fR" 4
.IX Item "-certin"
The input is a certificate containing a public key.
.IP "\fB\-rev\fR" 4
.IX Item "-rev"
Reverse the order of the input buffer. This is useful for some libraries
(such as CryptoAPI) which represent the buffer in little endian format.
.IP "\fB\-sign\fR" 4
.IX Item "-sign"
Sign the input data (which must be a hash) and output the signed result. This
requires a private key.
.IP "\fB\-verify\fR" 4
.IX Item "-verify"
Verify the input data (which must be a hash) against the signature file and
indicate if the verification succeeded or failed.
.IP "\fB\-verifyrecover\fR" 4
.IX Item "-verifyrecover"
Verify the input data (which must be a hash) and output the recovered data.
.IP "\fB\-encrypt\fR" 4
.IX Item "-encrypt"
Encrypt the input data using a public key.
.IP "\fB\-decrypt\fR" 4
.IX Item "-decrypt"
Decrypt the input data using a private key.
.IP "\fB\-derive\fR" 4
.IX Item "-derive"
Derive a shared secret using the peer key.
.IP "\fB\-kdf algorithm\fR" 4
.IX Item "-kdf algorithm"
Use key derivation function \fBalgorithm\fR. The supported algorithms are
at present \fB\s-1TLS1\-PRF\s0\fR and \fB\s-1HKDF\s0\fR.
Note: additional parameters and the \s-1KDF\s0 output length will normally have to be
set for this to work.
See \fBEVP_PKEY_CTX_set_hkdf_md\fR\|(3) and \fBEVP_PKEY_CTX_set_tls1_prf_md\fR\|(3)
for the supported string parameters of each algorithm.
.IP "\fB\-kdflen length\fR" 4
.IX Item "-kdflen length"
Set the output length for \s-1KDF.\s0
.IP "\fB\-pkeyopt opt:value\fR" 4
.IX Item "-pkeyopt opt:value"
Public key options specified as opt:value. See \s-1NOTES\s0 below for more details.
.IP "\fB\-hexdump\fR" 4
.IX Item "-hexdump"
hex dump the output data.
.IP "\fB\-asn1parse\fR" 4
.IX Item "-asn1parse"
Parse the \s-1ASN.1\s0 output data, this is useful when combined with the
\&\fB\-verifyrecover\fR option when an \s-1ASN1\s0 structure is signed.
.IP "\fB\-rand file...\fR" 4
.IX Item "-rand file..."
A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
.IP "[\fB\-writerand file\fR]" 4
.IX Item "[-writerand file]"
Writes random data to the specified \fIfile\fR upon exit.
This can be used with a subsequent \fB\-rand\fR flag.
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
Specifying an engine (by its unique \fBid\fR string) will cause \fBpkeyutl\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
.IP "\fB\-engine_impl\fR" 4
.IX Item "-engine_impl"
When used with the \fB\-engine\fR option, it specifies to also use
engine \fBid\fR for crypto operations.
.SH "NOTES"
.IX Header "NOTES"
The operations and options supported vary according to the key algorithm
and its implementation. The OpenSSL operations and options are indicated below.
.PP
Unless otherwise mentioned all algorithms support the \fBdigest:alg\fR option
which specifies the digest in use for sign, verify and verifyrecover operations.
The value \fBalg\fR should represent a digest name as used in the
\&\fBEVP_get_digestbyname()\fR function for example \fBsha1\fR. This value is not used to
hash the input data. It is used (by some algorithms) for sanity-checking the
lengths of data passed in to the \fBpkeyutl\fR and for creating the structures that
make up the signature (e.g. \fBDigestInfo\fR in \s-1RSASSA\s0 PKCS#1 v1.5 signatures).
.PP
This utility does not hash the input data but rather it will use the data
directly as input to the signature algorithm. Depending on the key type,
signature type, and mode of padding, the maximum acceptable lengths of input
data differ. The signed data can't be longer than the key modulus with \s-1RSA.\s0 In
case of \s-1ECDSA\s0 and \s-1DSA\s0 the data shouldn't be longer than the field
size, otherwise it will be silently truncated to the field size. In any event
the input size must not be larger than the largest supported digest size.
.PP
In other words, if the value of digest is \fBsha1\fR the input should be the 20
bytes long binary encoding of the \s-1SHA\-1\s0 hash function output.
.PP
The Ed25519 and Ed448 signature algorithms are not supported by this utility.
They accept non-hashed input, but this utility can only be used to sign hashed
input.
.SH "RSA ALGORITHM"
.IX Header "RSA ALGORITHM"
The \s-1RSA\s0 algorithm generally supports the encrypt, decrypt, sign,
verify and verifyrecover operations. However, some padding modes
support only a subset of these operations. The following additional
\&\fBpkeyopt\fR values are supported:
.IP "\fBrsa_padding_mode:mode\fR" 4
.IX Item "rsa_padding_mode:mode"
This sets the \s-1RSA\s0 padding mode. Acceptable values for \fBmode\fR are \fBpkcs1\fR for
PKCS#1 padding, \fBsslv23\fR for SSLv23 padding, \fBnone\fR for no padding, \fBoaep\fR
for \fB\s-1OAEP\s0\fR mode, \fBx931\fR for X9.31 mode and \fBpss\fR for \s-1PSS.\s0
.Sp
In PKCS#1 padding if the message digest is not set then the supplied data is
signed or verified directly instead of using a \fBDigestInfo\fR structure. If a
digest is set then the a \fBDigestInfo\fR structure is used and its the length
must correspond to the digest type.
.Sp
For \fBoaep\fR mode only encryption and decryption is supported.
.Sp
For \fBx931\fR if the digest type is set it is used to format the block data
otherwise the first byte is used to specify the X9.31 digest \s-1ID.\s0 Sign,
verify and verifyrecover are can be performed in this mode.
.Sp
For \fBpss\fR mode only sign and verify are supported and the digest type must be
specified.
.IP "\fBrsa_pss_saltlen:len\fR" 4
.IX Item "rsa_pss_saltlen:len"
For \fBpss\fR mode only this option specifies the salt length. Three special
values are supported: \*(L"digest\*(R" sets the salt length to the digest length,
\&\*(L"max\*(R" sets the salt length to the maximum permissible value. When verifying
\&\*(L"auto\*(R" causes the salt length to be automatically determined based on the
\&\fB\s-1PSS\s0\fR block structure.
.IP "\fBrsa_mgf1_md:digest\fR" 4
.IX Item "rsa_mgf1_md:digest"
For \s-1PSS\s0 and \s-1OAEP\s0 padding sets the \s-1MGF1\s0 digest. If the \s-1MGF1\s0 digest is not
explicitly set in \s-1PSS\s0 mode then the signing digest is used.
.IP "\fBrsa_oaep_md:\fR\fIdigest\fR" 4
.IX Item "rsa_oaep_md:digest"
Sets the digest used for the \s-1OAEP\s0 hash function. If not explicitly set then
\&\s-1SHA1\s0 is used.
.SH "RSA-PSS ALGORITHM"
.IX Header "RSA-PSS ALGORITHM"
The RSA-PSS algorithm is a restricted version of the \s-1RSA\s0 algorithm which only
supports the sign and verify operations with \s-1PSS\s0 padding. The following
additional \fBpkeyopt\fR values are supported:
.IP "\fBrsa_padding_mode:mode\fR, \fBrsa_pss_saltlen:len\fR, \fBrsa_mgf1_md:digest\fR" 4
.IX Item "rsa_padding_mode:mode, rsa_pss_saltlen:len, rsa_mgf1_md:digest"
These have the same meaning as the \fB\s-1RSA\s0\fR algorithm with some additional
restrictions. The padding mode can only be set to \fBpss\fR which is the
default value.
.Sp
If the key has parameter restrictions than the digest, \s-1MGF1\s0
digest and salt length are set to the values specified in the parameters.
The digest and \s-1MG\s0 cannot be changed and the salt length cannot be set to a
value less than the minimum restriction.
.SH "DSA ALGORITHM"
.IX Header "DSA ALGORITHM"
The \s-1DSA\s0 algorithm supports signing and verification operations only. Currently
there are no additional \fB\-pkeyopt\fR options other than \fBdigest\fR. The \s-1SHA1\s0
digest is assumed by default.
.SH "DH ALGORITHM"
.IX Header "DH ALGORITHM"
The \s-1DH\s0 algorithm only supports the derivation operation and no additional
\&\fB\-pkeyopt\fR options.
.SH "EC ALGORITHM"
.IX Header "EC ALGORITHM"
The \s-1EC\s0 algorithm supports sign, verify and derive operations. The sign and
verify operations use \s-1ECDSA\s0 and derive uses \s-1ECDH. SHA1\s0 is assumed by default for
the \fB\-pkeyopt\fR \fBdigest\fR option.
.SH "X25519 and X448 ALGORITHMS"
.IX Header "X25519 and X448 ALGORITHMS"
The X25519 and X448 algorithms support key derivation only. Currently there are
no additional options.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Sign some data using a private key:
.PP
.Vb 1
\& openssl pkeyutl \-sign \-in file \-inkey key.pem \-out sig
.Ve
.PP
Recover the signed data (e.g. if an \s-1RSA\s0 key is used):
.PP
.Vb 1
\& openssl pkeyutl \-verifyrecover \-in sig \-inkey key.pem
.Ve
.PP
Verify the signature (e.g. a \s-1DSA\s0 key):
.PP
.Vb 1
\& openssl pkeyutl \-verify \-in file \-sigfile sig \-inkey key.pem
.Ve
.PP
Sign data using a message digest value (this is currently only valid for \s-1RSA\s0):
.PP
.Vb 1
\& openssl pkeyutl \-sign \-in file \-inkey key.pem \-out sig \-pkeyopt digest:sha256
.Ve
.PP
Derive a shared secret value:
.PP
.Vb 1
\& openssl pkeyutl \-derive \-inkey key.pem \-peerkey pubkey.pem \-out secret
.Ve
.PP
Hexdump 48 bytes of \s-1TLS1 PRF\s0 using digest \fB\s-1SHA256\s0\fR and shared secret and
seed consisting of the single byte 0xFF:
.PP
.Vb 2
\& openssl pkeyutl \-kdf TLS1\-PRF \-kdflen 48 \-pkeyopt md:SHA256 \e
\& \-pkeyopt hexsecret:ff \-pkeyopt hexseed:ff \-hexdump
.Ve
.PP
Decrypt some data using a private key with \s-1OAEP\s0 padding using \s-1SHA256:\s0
.PP
.Vb 2
\& openssl pkeyutl \-decrypt \-in file \-inkey key.pem \-out secret \e
\& \-pkeyopt rsa_padding_mode:oaep \-pkeyopt rsa_oaep_md:sha256
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBgenpkey\fR\|(1), \fBpkey\fR\|(1), \fBrsautl\fR\|(1)
\&\fBdgst\fR\|(1), \fBrsa\fR\|(1), \fBgenrsa\fR\|(1),
\&\fBEVP_PKEY_CTX_set_hkdf_md\fR\|(3), \fBEVP_PKEY_CTX_set_tls1_prf_md\fR\|(3)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/prime.1 b/secure/usr.bin/openssl/man/prime.1
index c4f40214b84a..58c0cd2c6e34 100644
--- a/secure/usr.bin/openssl/man/prime.1
+++ b/secure/usr.bin/openssl/man/prime.1
@@ -1,189 +1,189 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "PRIME 1"
-.TH PRIME 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH PRIME 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-prime, prime \- compute prime numbers
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl prime\fR
[\fB\-help\fR]
[\fB\-hex\fR]
[\fB\-generate\fR]
[\fB\-bits\fR]
[\fB\-safe\fR]
[\fB\-checks\fR]
[\fInumber...\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBprime\fR command checks if the specified numbers are prime.
.PP
If no numbers are given on the command line, the \fB\-generate\fR flag should
be used to generate primes according to the requirements specified by the
rest of the flags.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "[\fB\-help\fR]" 4
.IX Item "[-help]"
Display an option summary.
.IP "[\fB\-hex\fR]" 4
.IX Item "[-hex]"
Generate hex output.
.IP "[\fB\-generate\fR]" 4
.IX Item "[-generate]"
Generate a prime number.
.IP "[\fB\-bits num\fR]" 4
.IX Item "[-bits num]"
Generate a prime with \fBnum\fR bits.
.IP "[\fB\-safe\fR]" 4
.IX Item "[-safe]"
When used with \fB\-generate\fR, generates a \*(L"safe\*(R" prime. If the number
generated is \fBn\fR, then check that \fB(n\-1)/2\fR is also prime.
.IP "[\fB\-checks num\fR]" 4
.IX Item "[-checks num]"
Perform the checks \fBnum\fR times to see that the generated number
is prime. The default is 20.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/rand.1 b/secure/usr.bin/openssl/man/rand.1
index f4c0bf900220..250a60159fe4 100644
--- a/secure/usr.bin/openssl/man/rand.1
+++ b/secure/usr.bin/openssl/man/rand.1
@@ -1,214 +1,214 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RAND 1"
-.TH RAND 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RAND 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-rand, rand \- generate pseudo\-random bytes
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl rand\fR
[\fB\-help\fR]
[\fB\-out\fR \fIfile\fR]
[\fB\-rand file...\fR]
[\fB\-writerand file\fR]
[\fB\-base64\fR]
[\fB\-hex\fR]
\&\fInum\fR
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command generates \fInum\fR random bytes using a cryptographically
secure pseudo random number generator (\s-1CSPRNG\s0).
.PP
The random bytes are generated using the \fBRAND_bytes\fR\|(3) function,
which provides a security level of 256 bits, provided it managed to
seed itself successfully from a trusted operating system entropy source.
Otherwise, the command will fail with a nonzero error code.
For more details, see \fBRAND_bytes\fR\|(3), \s-1\fBRAND\s0\fR\|(7), and \s-1\fBRAND_DRBG\s0\fR\|(7).
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-out file\fR" 4
.IX Item "-out file"
Write to \fIfile\fR instead of standard output.
.IP "\fB\-rand file...\fR" 4
.IX Item "-rand file..."
A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
Explicitly specifying a seed file is in general not necessary, see the
\&\*(L"\s-1NOTES\*(R"\s0 section for more information.
.IP "[\fB\-writerand file\fR]" 4
.IX Item "[-writerand file]"
Writes random data to the specified \fIfile\fR upon exit.
This can be used with a subsequent \fB\-rand\fR flag.
.IP "\fB\-base64\fR" 4
.IX Item "-base64"
Perform base64 encoding on the output.
.IP "\fB\-hex\fR" 4
.IX Item "-hex"
Show the output as a hex string.
.SH "NOTES"
.IX Header "NOTES"
Prior to OpenSSL 1.1.1, it was common for applications to store information
about the state of the random-number generator in a file that was loaded
at startup and rewritten upon exit. On modern operating systems, this is
generally no longer necessary as OpenSSL will seed itself from a trusted
entropy source provided by the operating system. The \fB\-rand\fR and
\&\fB\-writerand\fR flags are still supported for special platforms or
circumstances that might require them.
.PP
It is generally an error to use the same seed file more than once and
every use of \fB\-rand\fR should be paired with \fB\-writerand\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBRAND_bytes\fR\|(3),
\&\s-1\fBRAND\s0\fR\|(7),
\&\s-1\fBRAND_DRBG\s0\fR\|(7)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/req.1 b/secure/usr.bin/openssl/man/req.1
index f69ffb2a6e78..178fe89991f2 100644
--- a/secure/usr.bin/openssl/man/req.1
+++ b/secure/usr.bin/openssl/man/req.1
@@ -1,797 +1,797 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "REQ 1"
-.TH REQ 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH REQ 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-req, req \- PKCS#10 certificate request and certificate generating utility
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBreq\fR
[\fB\-help\fR]
[\fB\-inform PEM|DER\fR]
[\fB\-outform PEM|DER\fR]
[\fB\-in filename\fR]
[\fB\-passin arg\fR]
[\fB\-out filename\fR]
[\fB\-passout arg\fR]
[\fB\-text\fR]
[\fB\-pubkey\fR]
[\fB\-noout\fR]
[\fB\-verify\fR]
[\fB\-modulus\fR]
[\fB\-new\fR]
[\fB\-rand file...\fR]
[\fB\-writerand file\fR]
[\fB\-newkey rsa:bits\fR]
[\fB\-newkey alg:file\fR]
[\fB\-nodes\fR]
[\fB\-key filename\fR]
[\fB\-keyform PEM|DER\fR]
[\fB\-keyout filename\fR]
[\fB\-keygen_engine id\fR]
[\fB\-\f(BIdigest\fB\fR]
[\fB\-config filename\fR]
[\fB\-multivalue\-rdn\fR]
[\fB\-x509\fR]
[\fB\-days n\fR]
[\fB\-set_serial n\fR]
[\fB\-newhdr\fR]
[\fB\-addext ext\fR]
[\fB\-extensions section\fR]
[\fB\-reqexts section\fR]
[\fB\-precert\fR]
[\fB\-utf8\fR]
[\fB\-nameopt\fR]
[\fB\-reqopt\fR]
[\fB\-subject\fR]
[\fB\-subj arg\fR]
[\fB\-sigopt nm:v\fR]
[\fB\-batch\fR]
[\fB\-verbose\fR]
[\fB\-engine id\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBreq\fR command primarily creates and processes certificate requests
in PKCS#10 format. It can additionally create self signed certificates
for use as root CAs for example.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform DER|PEM\fR" 4
.IX Item "-inform DER|PEM"
This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded
form compatible with the PKCS#10. The \fB\s-1PEM\s0\fR form is the default format: it
consists of the \fB\s-1DER\s0\fR format base64 encoded with additional header and
footer lines.
.IP "\fB\-outform DER|PEM\fR" 4
.IX Item "-outform DER|PEM"
This specifies the output format, the options have the same meaning and default
as the \fB\-inform\fR option.
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read a request from or standard input
if this option is not specified. A request is only read if the creation
options (\fB\-new\fR and \fB\-newkey\fR) are not specified.
.IP "\fB\-sigopt nm:v\fR" 4
.IX Item "-sigopt nm:v"
Pass options to the signature algorithm during sign or verify operations.
Names and values of these options are algorithm-specific.
.IP "\fB\-passin arg\fR" 4
.IX Item "-passin arg"
The input file password source. For more information about the format of \fBarg\fR
see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
This specifies the output filename to write to or standard output by
default.
.IP "\fB\-passout arg\fR" 4
.IX Item "-passout arg"
The output file password source. For more information about the format of \fBarg\fR
see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-text\fR" 4
.IX Item "-text"
Prints out the certificate request in text form.
.IP "\fB\-subject\fR" 4
.IX Item "-subject"
Prints out the request subject (or certificate subject if \fB\-x509\fR is
specified)
.IP "\fB\-pubkey\fR" 4
.IX Item "-pubkey"
Outputs the public key.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
This option prevents output of the encoded version of the request.
.IP "\fB\-modulus\fR" 4
.IX Item "-modulus"
This option prints out the value of the modulus of the public key
contained in the request.
.IP "\fB\-verify\fR" 4
.IX Item "-verify"
Verifies the signature on the request.
.IP "\fB\-new\fR" 4
.IX Item "-new"
This option generates a new certificate request. It will prompt
the user for the relevant field values. The actual fields
prompted for and their maximum and minimum sizes are specified
in the configuration file and any requested extensions.
.Sp
If the \fB\-key\fR option is not used it will generate a new \s-1RSA\s0 private
key using information specified in the configuration file.
.IP "\fB\-rand file...\fR" 4
.IX Item "-rand file..."
A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
.IP "[\fB\-writerand file\fR]" 4
.IX Item "[-writerand file]"
Writes random data to the specified \fIfile\fR upon exit.
This can be used with a subsequent \fB\-rand\fR flag.
.IP "\fB\-newkey arg\fR" 4
.IX Item "-newkey arg"
This option creates a new certificate request and a new private
key. The argument takes one of several forms. \fBrsa:nbits\fR, where
\&\fBnbits\fR is the number of bits, generates an \s-1RSA\s0 key \fBnbits\fR
in size. If \fBnbits\fR is omitted, i.e. \fB\-newkey rsa\fR specified,
the default key size, specified in the configuration file is used.
.Sp
All other algorithms support the \fB\-newkey alg:file\fR form, where file may be
an algorithm parameter file, created by the \fBgenpkey \-genparam\fR command
or and X.509 certificate for a key with appropriate algorithm.
.Sp
\&\fBparam:file\fR generates a key using the parameter file or certificate \fBfile\fR,
the algorithm is determined by the parameters. \fBalgname:file\fR use algorithm
\&\fBalgname\fR and parameter file \fBfile\fR: the two algorithms must match or an
error occurs. \fBalgname\fR just uses algorithm \fBalgname\fR, and parameters,
if necessary should be specified via \fB\-pkeyopt\fR parameter.
.Sp
\&\fBdsa:filename\fR generates a \s-1DSA\s0 key using the parameters
in the file \fBfilename\fR. \fBec:filename\fR generates \s-1EC\s0 key (usable both with
\&\s-1ECDSA\s0 or \s-1ECDH\s0 algorithms), \fBgost2001:filename\fR generates \s-1GOST R
34.10\-2001\s0 key (requires \fBccgost\fR engine configured in the configuration
file). If just \fBgost2001\fR is specified a parameter set should be
specified by \fB\-pkeyopt paramset:X\fR
.IP "\fB\-pkeyopt opt:value\fR" 4
.IX Item "-pkeyopt opt:value"
Set the public key algorithm option \fBopt\fR to \fBvalue\fR. The precise set of
options supported depends on the public key algorithm used and its
implementation. See \fB\s-1KEY GENERATION OPTIONS\s0\fR in the \fBgenpkey\fR manual page
for more details.
.IP "\fB\-key filename\fR" 4
.IX Item "-key filename"
This specifies the file to read the private key from. It also
accepts PKCS#8 format private keys for \s-1PEM\s0 format files.
.IP "\fB\-keyform PEM|DER\fR" 4
.IX Item "-keyform PEM|DER"
The format of the private key file specified in the \fB\-key\fR
argument. \s-1PEM\s0 is the default.
.IP "\fB\-keyout filename\fR" 4
.IX Item "-keyout filename"
This gives the filename to write the newly created private key to.
If this option is not specified then the filename present in the
configuration file is used.
.IP "\fB\-nodes\fR" 4
.IX Item "-nodes"
If this option is specified then if a private key is created it
will not be encrypted.
.IP "\fB\-\f(BIdigest\fB\fR" 4
.IX Item "-digest"
This specifies the message digest to sign the request.
Any digest supported by the OpenSSL \fBdgst\fR command can be used.
This overrides the digest algorithm specified in
the configuration file.
.Sp
Some public key algorithms may override this choice. For instance, \s-1DSA\s0
signatures always use \s-1SHA1, GOST R 34.10\s0 signatures always use
\&\s-1GOST R 34.11\-94\s0 (\fB\-md_gost94\fR), Ed25519 and Ed448 never use any digest.
.IP "\fB\-config filename\fR" 4
.IX Item "-config filename"
This allows an alternative configuration file to be specified.
Optional; for a description of the default value,
see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fBopenssl\fR\|(1).
.IP "\fB\-subj arg\fR" 4
.IX Item "-subj arg"
Sets subject name for new request or supersedes the subject name
when processing a request.
The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR.
Keyword characters may be escaped by \e (backslash), and whitespace is retained.
Empty values are permitted, but the corresponding type will not be included
in the request.
.IP "\fB\-multivalue\-rdn\fR" 4
.IX Item "-multivalue-rdn"
This option causes the \-subj argument to be interpreted with full
support for multivalued RDNs. Example:
.Sp
\&\fI/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\fR
.Sp
If \-multi\-rdn is not used then the \s-1UID\s0 value is \fI123456+CN=John Doe\fR.
.IP "\fB\-x509\fR" 4
.IX Item "-x509"
This option outputs a self signed certificate instead of a certificate
request. This is typically used to generate a test certificate or
a self signed root \s-1CA.\s0 The extensions added to the certificate
(if any) are specified in the configuration file. Unless specified
using the \fBset_serial\fR option, a large random number will be used for
the serial number.
.Sp
If existing request is specified with the \fB\-in\fR option, it is converted
to the self signed certificate otherwise new request is created.
.IP "\fB\-days n\fR" 4
.IX Item "-days n"
When the \fB\-x509\fR option is being used this specifies the number of
days to certify the certificate for, otherwise it is ignored. \fBn\fR should
be a positive integer. The default is 30 days.
.IP "\fB\-set_serial n\fR" 4
.IX Item "-set_serial n"
Serial number to use when outputting a self signed certificate. This
may be specified as a decimal value or a hex value if preceded by \fB0x\fR.
.IP "\fB\-addext ext\fR" 4
.IX Item "-addext ext"
Add a specific extension to the certificate (if the \fB\-x509\fR option is
present) or certificate request. The argument must have the form of
a key=value pair as it would appear in a config file.
.Sp
This option can be given multiple times.
.IP "\fB\-extensions section\fR" 4
.IX Item "-extensions section"
.PD 0
.IP "\fB\-reqexts section\fR" 4
.IX Item "-reqexts section"
.PD
These options specify alternative sections to include certificate
extensions (if the \fB\-x509\fR option is present) or certificate
request extensions. This allows several different sections to
be used in the same configuration file to specify requests for
a variety of purposes.
.IP "\fB\-precert\fR" 4
.IX Item "-precert"
A poison extension will be added to the certificate, making it a
\&\*(L"pre-certificate\*(R" (see \s-1RFC6962\s0). This can be submitted to Certificate
Transparency logs in order to obtain signed certificate timestamps (SCTs).
These SCTs can then be embedded into the pre-certificate as an extension, before
removing the poison and signing the certificate.
.Sp
This implies the \fB\-new\fR flag.
.IP "\fB\-utf8\fR" 4
.IX Item "-utf8"
This option causes field values to be interpreted as \s-1UTF8\s0 strings, by
default they are interpreted as \s-1ASCII.\s0 This means that the field
values, whether prompted from a terminal or obtained from a
configuration file, must be valid \s-1UTF8\s0 strings.
.IP "\fB\-nameopt option\fR" 4
.IX Item "-nameopt option"
Option which determines how the subject or issuer names are displayed. The
\&\fBoption\fR argument can be a single option or multiple options separated by
commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to
set multiple options. See the \fBx509\fR\|(1) manual page for details.
.IP "\fB\-reqopt\fR" 4
.IX Item "-reqopt"
Customise the output format used with \fB\-text\fR. The \fBoption\fR argument can be
a single option or multiple options separated by commas.
.Sp
See discussion of the \fB\-certopt\fR parameter in the \fBx509\fR\|(1)
command.
.IP "\fB\-newhdr\fR" 4
.IX Item "-newhdr"
Adds the word \fB\s-1NEW\s0\fR to the \s-1PEM\s0 file header and footer lines on the outputted
request. Some software (Netscape certificate server) and some CAs need this.
.IP "\fB\-batch\fR" 4
.IX Item "-batch"
Non-interactive mode.
.IP "\fB\-verbose\fR" 4
.IX Item "-verbose"
Print extra details about the operations being performed.
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
Specifying an engine (by its unique \fBid\fR string) will cause \fBreq\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
.IP "\fB\-keygen_engine id\fR" 4
.IX Item "-keygen_engine id"
Specifies an engine (by its unique \fBid\fR string) which would be used
for key generation operations.
.SH "CONFIGURATION FILE FORMAT"
.IX Header "CONFIGURATION FILE FORMAT"
The configuration options are specified in the \fBreq\fR section of
the configuration file. As with all configuration files if no
value is specified in the specific section (i.e. \fBreq\fR) then
the initial unnamed or \fBdefault\fR section is searched too.
.PP
The options available are described in detail below.
.IP "\fBinput_password output_password\fR" 4
.IX Item "input_password output_password"
The passwords for the input private key file (if present) and
the output private key file (if one will be created). The
command line options \fBpassin\fR and \fBpassout\fR override the
configuration file values.
.IP "\fBdefault_bits\fR" 4
.IX Item "default_bits"
Specifies the default key size in bits.
.Sp
This option is used in conjunction with the \fB\-new\fR option to generate
a new key. It can be overridden by specifying an explicit key size in
the \fB\-newkey\fR option. The smallest accepted key size is 512 bits. If
no key size is specified then 2048 bits is used.
.IP "\fBdefault_keyfile\fR" 4
.IX Item "default_keyfile"
This is the default filename to write a private key to. If not
specified the key is written to standard output. This can be
overridden by the \fB\-keyout\fR option.
.IP "\fBoid_file\fR" 4
.IX Item "oid_file"
This specifies a file containing additional \fB\s-1OBJECT IDENTIFIERS\s0\fR.
Each line of the file should consist of the numerical form of the
object identifier followed by white space then the short name followed
by white space and finally the long name.
.IP "\fBoid_section\fR" 4
.IX Item "oid_section"
This specifies a section in the configuration file containing extra
object identifiers. Each line should consist of the short name of the
object identifier followed by \fB=\fR and the numerical form. The short
and long names are the same when this option is used.
.IP "\fB\s-1RANDFILE\s0\fR" 4
.IX Item "RANDFILE"
At startup the specified file is loaded into the random number generator,
and at exit 256 bytes will be written to it.
It is used for private key generation.
.IP "\fBencrypt_key\fR" 4
.IX Item "encrypt_key"
If this is set to \fBno\fR then if a private key is generated it is
\&\fBnot\fR encrypted. This is equivalent to the \fB\-nodes\fR command line
option. For compatibility \fBencrypt_rsa_key\fR is an equivalent option.
.IP "\fBdefault_md\fR" 4
.IX Item "default_md"
This option specifies the digest algorithm to use. Any digest supported by the
OpenSSL \fBdgst\fR command can be used. This option can be overridden on the
command line. Certain signing algorithms (i.e. Ed25519 and Ed448) will ignore
any digest that has been set.
.IP "\fBstring_mask\fR" 4
.IX Item "string_mask"
This option masks out the use of certain string types in certain
fields. Most users will not need to change this option.
.Sp
It can be set to several values \fBdefault\fR which is also the default
option uses PrintableStrings, T61Strings and BMPStrings if the
\&\fBpkix\fR value is used then only PrintableStrings and BMPStrings will
be used. This follows the \s-1PKIX\s0 recommendation in \s-1RFC2459.\s0 If the
\&\fButf8only\fR option is used then only UTF8Strings will be used: this
is the \s-1PKIX\s0 recommendation in \s-1RFC2459\s0 after 2003. Finally the \fBnombstr\fR
option just uses PrintableStrings and T61Strings: certain software has
problems with BMPStrings and UTF8Strings: in particular Netscape.
.IP "\fBreq_extensions\fR" 4
.IX Item "req_extensions"
This specifies the configuration file section containing a list of
extensions to add to the certificate request. It can be overridden
by the \fB\-reqexts\fR command line switch. See the
\&\fBx509v3_config\fR\|(5) manual page for details of the
extension section format.
.IP "\fBx509_extensions\fR" 4
.IX Item "x509_extensions"
This specifies the configuration file section containing a list of
extensions to add to certificate generated when the \fB\-x509\fR switch
is used. It can be overridden by the \fB\-extensions\fR command line switch.
.IP "\fBprompt\fR" 4
.IX Item "prompt"
If set to the value \fBno\fR this disables prompting of certificate fields
and just takes values from the config file directly. It also changes the
expected format of the \fBdistinguished_name\fR and \fBattributes\fR sections.
.IP "\fButf8\fR" 4
.IX Item "utf8"
If set to the value \fByes\fR then field values to be interpreted as \s-1UTF8\s0
strings, by default they are interpreted as \s-1ASCII.\s0 This means that
the field values, whether prompted from a terminal or obtained from a
configuration file, must be valid \s-1UTF8\s0 strings.
.IP "\fBattributes\fR" 4
.IX Item "attributes"
This specifies the section containing any request attributes: its format
is the same as \fBdistinguished_name\fR. Typically these may contain the
challengePassword or unstructuredName types. They are currently ignored
by OpenSSL's request signing utilities but some CAs might want them.
.IP "\fBdistinguished_name\fR" 4
.IX Item "distinguished_name"
This specifies the section containing the distinguished name fields to
prompt for when generating a certificate or certificate request. The format
is described in the next section.
.SH "DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT"
.IX Header "DISTINGUISHED NAME AND ATTRIBUTE SECTION FORMAT"
There are two separate formats for the distinguished name and attribute
sections. If the \fBprompt\fR option is set to \fBno\fR then these sections
just consist of field names and values: for example,
.PP
.Vb 3
\& CN=My Name
\& OU=My Organization
\& emailAddress=someone@somewhere.org
.Ve
.PP
This allows external programs (e.g. \s-1GUI\s0 based) to generate a template file
with all the field names and values and just pass it to \fBreq\fR. An example
of this kind of configuration file is contained in the \fB\s-1EXAMPLES\s0\fR section.
.PP
Alternatively if the \fBprompt\fR option is absent or not set to \fBno\fR then the
file contains field prompting information. It consists of lines of the form:
.PP
.Vb 4
\& fieldName="prompt"
\& fieldName_default="default field value"
\& fieldName_min= 2
\& fieldName_max= 4
.Ve
.PP
\&\*(L"fieldName\*(R" is the field name being used, for example commonName (or \s-1CN\s0).
The \*(L"prompt\*(R" string is used to ask the user to enter the relevant
details. If the user enters nothing then the default value is used if no
default value is present then the field is omitted. A field can
still be omitted if a default value is present if the user just
enters the '.' character.
.PP
The number of characters entered must be between the fieldName_min and
fieldName_max limits: there may be additional restrictions based
on the field being used (for example countryName can only ever be
two characters long and must fit in a PrintableString).
.PP
Some fields (such as organizationName) can be used more than once
in a \s-1DN.\s0 This presents a problem because configuration files will
not recognize the same name occurring twice. To avoid this problem
if the fieldName contains some characters followed by a full stop
they will be ignored. So for example a second organizationName can
be input by calling it \*(L"1.organizationName\*(R".
.PP
The actual permitted field names are any object identifier short or
long names. These are compiled into OpenSSL and include the usual
values such as commonName, countryName, localityName, organizationName,
organizationalUnitName, stateOrProvinceName. Additionally emailAddress
is included as well as name, surname, givenName, initials, and dnQualifier.
.PP
Additional object identifiers can be defined with the \fBoid_file\fR or
\&\fBoid_section\fR options in the configuration file. Any additional fields
will be treated as though they were a DirectoryString.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Examine and verify certificate request:
.PP
.Vb 1
\& openssl req \-in req.pem \-text \-verify \-noout
.Ve
.PP
Create a private key and then generate a certificate request from it:
.PP
.Vb 2
\& openssl genrsa \-out key.pem 2048
\& openssl req \-new \-key key.pem \-out req.pem
.Ve
.PP
The same but just using req:
.PP
.Vb 1
\& openssl req \-newkey rsa:2048 \-keyout key.pem \-out req.pem
.Ve
.PP
Generate a self signed root certificate:
.PP
.Vb 1
\& openssl req \-x509 \-newkey rsa:2048 \-keyout key.pem \-out req.pem
.Ve
.PP
Example of a file pointed to by the \fBoid_file\fR option:
.PP
.Vb 2
\& 1.2.3.4 shortName A longer Name
\& 1.2.3.6 otherName Other longer Name
.Ve
.PP
Example of a section pointed to by \fBoid_section\fR making use of variable
expansion:
.PP
.Vb 2
\& testoid1=1.2.3.5
\& testoid2=${testoid1}.6
.Ve
.PP
Sample configuration file prompting for field values:
.PP
.Vb 6
\& [ req ]
\& default_bits = 2048
\& default_keyfile = privkey.pem
\& distinguished_name = req_distinguished_name
\& attributes = req_attributes
\& req_extensions = v3_ca
\&
\& dirstring_type = nobmp
\&
\& [ req_distinguished_name ]
\& countryName = Country Name (2 letter code)
\& countryName_default = AU
\& countryName_min = 2
\& countryName_max = 2
\&
\& localityName = Locality Name (eg, city)
\&
\& organizationalUnitName = Organizational Unit Name (eg, section)
\&
\& commonName = Common Name (eg, YOUR name)
\& commonName_max = 64
\&
\& emailAddress = Email Address
\& emailAddress_max = 40
\&
\& [ req_attributes ]
\& challengePassword = A challenge password
\& challengePassword_min = 4
\& challengePassword_max = 20
\&
\& [ v3_ca ]
\&
\& subjectKeyIdentifier=hash
\& authorityKeyIdentifier=keyid:always,issuer:always
\& basicConstraints = critical, CA:true
.Ve
.PP
Sample configuration containing all field values:
.PP
.Vb 1
\& RANDFILE = $ENV::HOME/.rnd
\&
\& [ req ]
\& default_bits = 2048
\& default_keyfile = keyfile.pem
\& distinguished_name = req_distinguished_name
\& attributes = req_attributes
\& prompt = no
\& output_password = mypass
\&
\& [ req_distinguished_name ]
\& C = GB
\& ST = Test State or Province
\& L = Test Locality
\& O = Organization Name
\& OU = Organizational Unit Name
\& CN = Common Name
\& emailAddress = test@email.address
\&
\& [ req_attributes ]
\& challengePassword = A challenge password
.Ve
.PP
Example of giving the most common attributes (subject and extensions)
on the command line:
.PP
.Vb 4
\& openssl req \-new \-subj "/C=GB/CN=foo" \e
\& \-addext "subjectAltName = DNS:foo.co.uk" \e
\& \-addext "certificatePolicies = 1.2.3.4" \e
\& \-newkey rsa:2048 \-keyout key.pem \-out req.pem
.Ve
.SH "NOTES"
.IX Header "NOTES"
The header and footer lines in the \fB\s-1PEM\s0\fR format are normally:
.PP
.Vb 2
\& \-\-\-\-\-BEGIN CERTIFICATE REQUEST\-\-\-\-\-
\& \-\-\-\-\-END CERTIFICATE REQUEST\-\-\-\-\-
.Ve
.PP
some software (some versions of Netscape certificate server) instead needs:
.PP
.Vb 2
\& \-\-\-\-\-BEGIN NEW CERTIFICATE REQUEST\-\-\-\-\-
\& \-\-\-\-\-END NEW CERTIFICATE REQUEST\-\-\-\-\-
.Ve
.PP
which is produced with the \fB\-newhdr\fR option but is otherwise compatible.
Either form is accepted transparently on input.
.PP
The certificate requests generated by \fBXenroll\fR with \s-1MSIE\s0 have extensions
added. It includes the \fBkeyUsage\fR extension which determines the type of
key (signature only or general purpose) and any additional OIDs entered
by the script in an extendedKeyUsage extension.
.SH "DIAGNOSTICS"
.IX Header "DIAGNOSTICS"
The following messages are frequently asked about:
.PP
.Vb 2
\& Using configuration from /some/path/openssl.cnf
\& Unable to load config info
.Ve
.PP
This is followed some time later by...
.PP
.Vb 2
\& unable to find \*(Aqdistinguished_name\*(Aq in config
\& problems making Certificate Request
.Ve
.PP
The first error message is the clue: it can't find the configuration
file! Certain operations (like examining a certificate request) don't
need a configuration file so its use isn't enforced. Generation of
certificates or requests however does need a configuration file. This
could be regarded as a bug.
.PP
Another puzzling message is this:
.PP
.Vb 2
\& Attributes:
\& a0:00
.Ve
.PP
this is displayed when no attributes are present and the request includes
the correct empty \fB\s-1SET OF\s0\fR structure (the \s-1DER\s0 encoding of which is 0xa0
0x00). If you just see:
.PP
.Vb 1
\& Attributes:
.Ve
.PP
then the \fB\s-1SET OF\s0\fR is missing and the encoding is technically invalid (but
it is tolerated). See the description of the command line option \fB\-asn1\-kludge\fR
for more information.
.SH "BUGS"
.IX Header "BUGS"
OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively
treats them as \s-1ISO\-8859\-1\s0 (Latin 1), Netscape and \s-1MSIE\s0 have similar behaviour.
This can cause problems if you need characters that aren't available in
PrintableStrings and you don't want to or can't use BMPStrings.
.PP
As a consequence of the T61String handling the only correct way to represent
accented characters in OpenSSL is to use a BMPString: unfortunately Netscape
currently chokes on these. If you have to use accented characters with Netscape
and \s-1MSIE\s0 then you currently need to use the invalid T61String form.
.PP
The current prompting is not very friendly. It doesn't allow you to confirm what
you've just entered. Other things like extensions in certificate requests are
statically defined in the configuration file. Some of these: like an email
address in subjectAltName should be input by the user.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBx509\fR\|(1), \fBca\fR\|(1), \fBgenrsa\fR\|(1),
\&\fBgendsa\fR\|(1), \fBconfig\fR\|(5),
\&\fBx509v3_config\fR\|(5)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/rsa.1 b/secure/usr.bin/openssl/man/rsa.1
index b958558653dd..aef19b78893c 100644
--- a/secure/usr.bin/openssl/man/rsa.1
+++ b/secure/usr.bin/openssl/man/rsa.1
@@ -1,330 +1,330 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSA 1"
-.TH RSA 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RSA 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-rsa, rsa \- RSA key processing tool
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBrsa\fR
[\fB\-help\fR]
[\fB\-inform PEM|DER\fR]
[\fB\-outform PEM|DER\fR]
[\fB\-in filename\fR]
[\fB\-passin arg\fR]
[\fB\-out filename\fR]
[\fB\-passout arg\fR]
[\fB\-aes128\fR]
[\fB\-aes192\fR]
[\fB\-aes256\fR]
[\fB\-aria128\fR]
[\fB\-aria192\fR]
[\fB\-aria256\fR]
[\fB\-camellia128\fR]
[\fB\-camellia192\fR]
[\fB\-camellia256\fR]
[\fB\-des\fR]
[\fB\-des3\fR]
[\fB\-idea\fR]
[\fB\-text\fR]
[\fB\-noout\fR]
[\fB\-modulus\fR]
[\fB\-check\fR]
[\fB\-pubin\fR]
[\fB\-pubout\fR]
[\fB\-RSAPublicKey_in\fR]
[\fB\-RSAPublicKey_out\fR]
[\fB\-engine id\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBrsa\fR command processes \s-1RSA\s0 keys. They can be converted between various
forms and their components printed out. \fBNote\fR this command uses the
traditional SSLeay compatible format for private key encryption: newer
applications should use the more secure PKCS#8 format using the \fBpkcs8\fR
utility.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform DER|PEM\fR" 4
.IX Item "-inform DER|PEM"
This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded
form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format.
The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR format base64
encoded with additional header and footer lines. On input PKCS#8 format private
keys are also accepted.
.IP "\fB\-outform DER|PEM\fR" 4
.IX Item "-outform DER|PEM"
This specifies the output format, the options have the same meaning and default
as the \fB\-inform\fR option.
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read a key from or standard input if this
option is not specified. If the key is encrypted a pass phrase will be
prompted for.
.IP "\fB\-passin arg\fR" 4
.IX Item "-passin arg"
The input file password source. For more information about the format of \fBarg\fR
see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
This specifies the output filename to write a key to or standard output if this
option is not specified. If any encryption options are set then a pass phrase
will be prompted for. The output filename should \fBnot\fR be the same as the input
filename.
.IP "\fB\-passout password\fR" 4
.IX Item "-passout password"
The output file password source. For more information about the format of \fBarg\fR
see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR, \fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR, \fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR, \fB\-des\fR, \fB\-des3\fR, \fB\-idea\fR" 4
.IX Item "-aes128, -aes192, -aes256, -aria128, -aria192, -aria256, -camellia128, -camellia192, -camellia256, -des, -des3, -idea"
These options encrypt the private key with the specified
cipher before outputting it. A pass phrase is prompted for.
If none of these options is specified the key is written in plain text. This
means that using the \fBrsa\fR utility to read in an encrypted key with no
encryption option can be used to remove the pass phrase from a key, or by
setting the encryption options it can be use to add or change the pass phrase.
These options can only be used with \s-1PEM\s0 format output files.
.IP "\fB\-text\fR" 4
.IX Item "-text"
Prints out the various public or private key components in
plain text in addition to the encoded version.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
This option prevents output of the encoded version of the key.
.IP "\fB\-modulus\fR" 4
.IX Item "-modulus"
This option prints out the value of the modulus of the key.
.IP "\fB\-check\fR" 4
.IX Item "-check"
This option checks the consistency of an \s-1RSA\s0 private key.
.IP "\fB\-pubin\fR" 4
.IX Item "-pubin"
By default a private key is read from the input file: with this
option a public key is read instead.
.IP "\fB\-pubout\fR" 4
.IX Item "-pubout"
By default a private key is output: with this option a public
key will be output instead. This option is automatically set if
the input is a public key.
.IP "\fB\-RSAPublicKey_in\fR, \fB\-RSAPublicKey_out\fR" 4
.IX Item "-RSAPublicKey_in, -RSAPublicKey_out"
Like \fB\-pubin\fR and \fB\-pubout\fR except \fBRSAPublicKey\fR format is used instead.
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
Specifying an engine (by its unique \fBid\fR string) will cause \fBrsa\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
.SH "NOTES"
.IX Header "NOTES"
The \s-1PEM\s0 private key format uses the header and footer lines:
.PP
.Vb 2
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
.Ve
.PP
The \s-1PEM\s0 public key format uses the header and footer lines:
.PP
.Vb 2
\& \-\-\-\-\-BEGIN PUBLIC KEY\-\-\-\-\-
\& \-\-\-\-\-END PUBLIC KEY\-\-\-\-\-
.Ve
.PP
The \s-1PEM\s0 \fBRSAPublicKey\fR format uses the header and footer lines:
.PP
.Vb 2
\& \-\-\-\-\-BEGIN RSA PUBLIC KEY\-\-\-\-\-
\& \-\-\-\-\-END RSA PUBLIC KEY\-\-\-\-\-
.Ve
.SH "EXAMPLES"
.IX Header "EXAMPLES"
To remove the pass phrase on an \s-1RSA\s0 private key:
.PP
.Vb 1
\& openssl rsa \-in key.pem \-out keyout.pem
.Ve
.PP
To encrypt a private key using triple \s-1DES:\s0
.PP
.Vb 1
\& openssl rsa \-in key.pem \-des3 \-out keyout.pem
.Ve
.PP
To convert a private key from \s-1PEM\s0 to \s-1DER\s0 format:
.PP
.Vb 1
\& openssl rsa \-in key.pem \-outform DER \-out keyout.der
.Ve
.PP
To print out the components of a private key to standard output:
.PP
.Vb 1
\& openssl rsa \-in key.pem \-text \-noout
.Ve
.PP
To just output the public part of a private key:
.PP
.Vb 1
\& openssl rsa \-in key.pem \-pubout \-out pubkey.pem
.Ve
.PP
Output the public part of a private key in \fBRSAPublicKey\fR format:
.PP
.Vb 1
\& openssl rsa \-in key.pem \-RSAPublicKey_out \-out pubkey.pem
.Ve
.SH "BUGS"
.IX Header "BUGS"
There should be an option that automatically handles .key files,
without having to manually edit them.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBpkcs8\fR\|(1), \fBdsa\fR\|(1), \fBgenrsa\fR\|(1),
\&\fBgendsa\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/rsautl.1 b/secure/usr.bin/openssl/man/rsautl.1
index 0b033046c926..d1af4638b656 100644
--- a/secure/usr.bin/openssl/man/rsautl.1
+++ b/secure/usr.bin/openssl/man/rsautl.1
@@ -1,345 +1,345 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "RSAUTL 1"
-.TH RSAUTL 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH RSAUTL 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-rsautl, rsautl \- RSA utility
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBrsautl\fR
[\fB\-help\fR]
[\fB\-in file\fR]
[\fB\-out file\fR]
[\fB\-inkey file\fR]
[\fB\-keyform PEM|DER|ENGINE\fR]
[\fB\-pubin\fR]
[\fB\-certin\fR]
[\fB\-sign\fR]
[\fB\-verify\fR]
[\fB\-encrypt\fR]
[\fB\-decrypt\fR]
[\fB\-rand file...\fR]
[\fB\-writerand file\fR]
[\fB\-pkcs\fR]
[\fB\-ssl\fR]
[\fB\-raw\fR]
[\fB\-hexdump\fR]
[\fB\-asn1parse\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBrsautl\fR command can be used to sign, verify, encrypt and decrypt
data using the \s-1RSA\s0 algorithm.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read data from or standard input
if this option is not specified.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
Specifies the output filename to write to or standard output by
default.
.IP "\fB\-inkey file\fR" 4
.IX Item "-inkey file"
The input key file, by default it should be an \s-1RSA\s0 private key.
.IP "\fB\-keyform PEM|DER|ENGINE\fR" 4
.IX Item "-keyform PEM|DER|ENGINE"
The key format \s-1PEM, DER\s0 or \s-1ENGINE.\s0
.IP "\fB\-pubin\fR" 4
.IX Item "-pubin"
The input file is an \s-1RSA\s0 public key.
.IP "\fB\-certin\fR" 4
.IX Item "-certin"
The input is a certificate containing an \s-1RSA\s0 public key.
.IP "\fB\-sign\fR" 4
.IX Item "-sign"
Sign the input data and output the signed result. This requires
an \s-1RSA\s0 private key.
.IP "\fB\-verify\fR" 4
.IX Item "-verify"
Verify the input data and output the recovered data.
.IP "\fB\-encrypt\fR" 4
.IX Item "-encrypt"
Encrypt the input data using an \s-1RSA\s0 public key.
.IP "\fB\-decrypt\fR" 4
.IX Item "-decrypt"
Decrypt the input data using an \s-1RSA\s0 private key.
.IP "\fB\-rand file...\fR" 4
.IX Item "-rand file..."
A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
.IP "[\fB\-writerand file\fR]" 4
.IX Item "[-writerand file]"
Writes random data to the specified \fIfile\fR upon exit.
This can be used with a subsequent \fB\-rand\fR flag.
.IP "\fB\-pkcs, \-oaep, \-ssl, \-raw\fR" 4
.IX Item "-pkcs, -oaep, -ssl, -raw"
The padding to use: PKCS#1 v1.5 (the default), PKCS#1 \s-1OAEP,\s0
special padding used in \s-1SSL\s0 v2 backwards compatible handshakes,
or no padding, respectively.
For signatures, only \fB\-pkcs\fR and \fB\-raw\fR can be used.
.IP "\fB\-hexdump\fR" 4
.IX Item "-hexdump"
Hex dump the output data.
.IP "\fB\-asn1parse\fR" 4
.IX Item "-asn1parse"
Parse the \s-1ASN.1\s0 output data, this is useful when combined with the
\&\fB\-verify\fR option.
.SH "NOTES"
.IX Header "NOTES"
\&\fBrsautl\fR because it uses the \s-1RSA\s0 algorithm directly can only be
used to sign or verify small pieces of data.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Sign some data using a private key:
.PP
.Vb 1
\& openssl rsautl \-sign \-in file \-inkey key.pem \-out sig
.Ve
.PP
Recover the signed data
.PP
.Vb 1
\& openssl rsautl \-verify \-in sig \-inkey key.pem
.Ve
.PP
Examine the raw signed data:
.PP
.Vb 1
\& openssl rsautl \-verify \-in sig \-inkey key.pem \-raw \-hexdump
\&
\& 0000 \- 00 01 ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................
\& 0010 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................
\& 0020 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................
\& 0030 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................
\& 0040 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................
\& 0050 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................
\& 0060 \- ff ff ff ff ff ff ff ff\-ff ff ff ff ff ff ff ff ................
\& 0070 \- ff ff ff ff 00 68 65 6c\-6c 6f 20 77 6f 72 6c 64 .....hello world
.Ve
.PP
The PKCS#1 block formatting is evident from this. If this was done using
encrypt and decrypt the block would have been of type 2 (the second byte)
and random padding data visible instead of the 0xff bytes.
.PP
It is possible to analyse the signature of certificates using this
utility in conjunction with \fBasn1parse\fR. Consider the self signed
example in certs/pca\-cert.pem . Running \fBasn1parse\fR as follows yields:
.PP
.Vb 1
\& openssl asn1parse \-in pca\-cert.pem
\&
\& 0:d=0 hl=4 l= 742 cons: SEQUENCE
\& 4:d=1 hl=4 l= 591 cons: SEQUENCE
\& 8:d=2 hl=2 l= 3 cons: cont [ 0 ]
\& 10:d=3 hl=2 l= 1 prim: INTEGER :02
\& 13:d=2 hl=2 l= 1 prim: INTEGER :00
\& 16:d=2 hl=2 l= 13 cons: SEQUENCE
\& 18:d=3 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
\& 29:d=3 hl=2 l= 0 prim: NULL
\& 31:d=2 hl=2 l= 92 cons: SEQUENCE
\& 33:d=3 hl=2 l= 11 cons: SET
\& 35:d=4 hl=2 l= 9 cons: SEQUENCE
\& 37:d=5 hl=2 l= 3 prim: OBJECT :countryName
\& 42:d=5 hl=2 l= 2 prim: PRINTABLESTRING :AU
\& ....
\& 599:d=1 hl=2 l= 13 cons: SEQUENCE
\& 601:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
\& 612:d=2 hl=2 l= 0 prim: NULL
\& 614:d=1 hl=3 l= 129 prim: BIT STRING
.Ve
.PP
The final \s-1BIT STRING\s0 contains the actual signature. It can be extracted with:
.PP
.Vb 1
\& openssl asn1parse \-in pca\-cert.pem \-out sig \-noout \-strparse 614
.Ve
.PP
The certificate public key can be extracted with:
.PP
.Vb 1
\& openssl x509 \-in test/testx509.pem \-pubkey \-noout >pubkey.pem
.Ve
.PP
The signature can be analysed with:
.PP
.Vb 1
\& openssl rsautl \-in sig \-verify \-asn1parse \-inkey pubkey.pem \-pubin
\&
\& 0:d=0 hl=2 l= 32 cons: SEQUENCE
\& 2:d=1 hl=2 l= 12 cons: SEQUENCE
\& 4:d=2 hl=2 l= 8 prim: OBJECT :md5
\& 14:d=2 hl=2 l= 0 prim: NULL
\& 16:d=1 hl=2 l= 16 prim: OCTET STRING
\& 0000 \- f3 46 9e aa 1a 4a 73 c9\-37 ea 93 00 48 25 08 b5 .F...Js.7...H%..
.Ve
.PP
This is the parsed version of an \s-1ASN1\s0 DigestInfo structure. It can be seen that
the digest used was md5. The actual part of the certificate that was signed can
be extracted with:
.PP
.Vb 1
\& openssl asn1parse \-in pca\-cert.pem \-out tbs \-noout \-strparse 4
.Ve
.PP
and its digest computed with:
.PP
.Vb 2
\& openssl md5 \-c tbs
\& MD5(tbs)= f3:46:9e:aa:1a:4a:73:c9:37:ea:93:00:48:25:08:b5
.Ve
.PP
which it can be seen agrees with the recovered value above.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBdgst\fR\|(1), \fBrsa\fR\|(1), \fBgenrsa\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/s_client.1 b/secure/usr.bin/openssl/man/s_client.1
index 368d31bbfa08..f7e4401b9b9c 100644
--- a/secure/usr.bin/openssl/man/s_client.1
+++ b/secure/usr.bin/openssl/man/s_client.1
@@ -1,863 +1,863 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "S_CLIENT 1"
-.TH S_CLIENT 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH S_CLIENT 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-s_client, s_client \- SSL/TLS client program
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBs_client\fR
[\fB\-help\fR]
[\fB\-connect host:port\fR]
[\fB\-bind host:port\fR]
[\fB\-proxy host:port\fR]
[\fB\-unix path\fR]
[\fB\-4\fR]
[\fB\-6\fR]
[\fB\-servername name\fR]
[\fB\-noservername\fR]
[\fB\-verify depth\fR]
[\fB\-verify_return_error\fR]
[\fB\-cert filename\fR]
[\fB\-certform DER|PEM\fR]
[\fB\-key filename\fR]
[\fB\-keyform DER|PEM\fR]
[\fB\-cert_chain filename\fR]
[\fB\-build_chain\fR]
[\fB\-xkey\fR]
[\fB\-xcert\fR]
[\fB\-xchain\fR]
[\fB\-xchain_build\fR]
[\fB\-xcertform PEM|DER\fR]
[\fB\-xkeyform PEM|DER\fR]
[\fB\-pass arg\fR]
[\fB\-CApath directory\fR]
[\fB\-CAfile filename\fR]
[\fB\-chainCApath directory\fR]
[\fB\-chainCAfile filename\fR]
[\fB\-no\-CAfile\fR]
[\fB\-no\-CApath\fR]
[\fB\-requestCAfile filename\fR]
[\fB\-dane_tlsa_domain domain\fR]
[\fB\-dane_tlsa_rrdata rrdata\fR]
[\fB\-dane_ee_no_namechecks\fR]
[\fB\-attime timestamp\fR]
[\fB\-check_ss_sig\fR]
[\fB\-crl_check\fR]
[\fB\-crl_check_all\fR]
[\fB\-explicit_policy\fR]
[\fB\-extended_crl\fR]
[\fB\-ignore_critical\fR]
[\fB\-inhibit_any\fR]
[\fB\-inhibit_map\fR]
[\fB\-no_check_time\fR]
[\fB\-partial_chain\fR]
[\fB\-policy arg\fR]
[\fB\-policy_check\fR]
[\fB\-policy_print\fR]
[\fB\-purpose purpose\fR]
[\fB\-suiteB_128\fR]
[\fB\-suiteB_128_only\fR]
[\fB\-suiteB_192\fR]
[\fB\-trusted_first\fR]
[\fB\-no_alt_chains\fR]
[\fB\-use_deltas\fR]
[\fB\-auth_level num\fR]
[\fB\-nameopt option\fR]
[\fB\-verify_depth num\fR]
[\fB\-verify_email email\fR]
[\fB\-verify_hostname hostname\fR]
[\fB\-verify_ip ip\fR]
[\fB\-verify_name name\fR]
[\fB\-build_chain\fR]
[\fB\-x509_strict\fR]
[\fB\-reconnect\fR]
[\fB\-showcerts\fR]
[\fB\-debug\fR]
[\fB\-msg\fR]
[\fB\-nbio_test\fR]
[\fB\-state\fR]
[\fB\-nbio\fR]
[\fB\-crlf\fR]
[\fB\-ign_eof\fR]
[\fB\-no_ign_eof\fR]
[\fB\-psk_identity identity\fR]
[\fB\-psk key\fR]
[\fB\-psk_session file\fR]
[\fB\-quiet\fR]
[\fB\-ssl3\fR]
[\fB\-tls1\fR]
[\fB\-tls1_1\fR]
[\fB\-tls1_2\fR]
[\fB\-tls1_3\fR]
[\fB\-no_ssl3\fR]
[\fB\-no_tls1\fR]
[\fB\-no_tls1_1\fR]
[\fB\-no_tls1_2\fR]
[\fB\-no_tls1_3\fR]
[\fB\-dtls\fR]
[\fB\-dtls1\fR]
[\fB\-dtls1_2\fR]
[\fB\-sctp\fR]
[\fB\-sctp_label_bug\fR]
[\fB\-fallback_scsv\fR]
[\fB\-async\fR]
[\fB\-max_send_frag\fR]
[\fB\-split_send_frag\fR]
[\fB\-max_pipelines\fR]
[\fB\-read_buf\fR]
[\fB\-bugs\fR]
[\fB\-comp\fR]
[\fB\-no_comp\fR]
[\fB\-allow_no_dhe_kex\fR]
[\fB\-sigalgs sigalglist\fR]
[\fB\-curves curvelist\fR]
[\fB\-cipher cipherlist\fR]
[\fB\-ciphersuites val\fR]
[\fB\-serverpref\fR]
[\fB\-starttls protocol\fR]
[\fB\-xmpphost hostname\fR]
[\fB\-name hostname\fR]
[\fB\-engine id\fR]
[\fB\-tlsextdebug\fR]
[\fB\-no_ticket\fR]
[\fB\-sess_out filename\fR]
[\fB\-sess_in filename\fR]
[\fB\-rand file...\fR]
[\fB\-writerand file\fR]
[\fB\-serverinfo types\fR]
[\fB\-status\fR]
[\fB\-alpn protocols\fR]
[\fB\-nextprotoneg protocols\fR]
[\fB\-ct\fR]
[\fB\-noct\fR]
[\fB\-ctlogfile\fR]
[\fB\-keylogfile file\fR]
[\fB\-early_data file\fR]
[\fB\-enable_pha\fR]
[\fBtarget\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBs_client\fR command implements a generic \s-1SSL/TLS\s0 client which connects
to a remote host using \s-1SSL/TLS.\s0 It is a \fIvery\fR useful diagnostic tool for
\&\s-1SSL\s0 servers.
.SH "OPTIONS"
.IX Header "OPTIONS"
In addition to the options below the \fBs_client\fR utility also supports the
common and client only options documented
in the \*(L"Supported Command Line Commands\*(R" section of the \fBSSL_CONF_cmd\fR\|(3)
manual page.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-connect host:port\fR" 4
.IX Item "-connect host:port"
This specifies the host and optional port to connect to. It is possible to
select the host and port using the optional target positional argument instead.
If neither this nor the target positional argument are specified then an attempt
is made to connect to the local host on port 4433.
.IP "\fB\-bind host:port\fR]" 4
.IX Item "-bind host:port]"
This specifies the host address and or port to bind as the source for the
connection. For Unix-domain sockets the port is ignored and the host is
used as the source socket address.
.IP "\fB\-proxy host:port\fR" 4
.IX Item "-proxy host:port"
When used with the \fB\-connect\fR flag, the program uses the host and port
specified with this flag and issues an \s-1HTTP CONNECT\s0 command to connect
to the desired server.
.IP "\fB\-unix path\fR" 4
.IX Item "-unix path"
Connect over the specified Unix-domain socket.
.IP "\fB\-4\fR" 4
.IX Item "-4"
Use IPv4 only.
.IP "\fB\-6\fR" 4
.IX Item "-6"
Use IPv6 only.
.IP "\fB\-servername name\fR" 4
.IX Item "-servername name"
Set the \s-1TLS SNI\s0 (Server Name Indication) extension in the ClientHello message to
the given value.
If \fB\-servername\fR is not provided, the \s-1TLS SNI\s0 extension will be populated with
the name given to \fB\-connect\fR if it follows a \s-1DNS\s0 name format. If \fB\-connect\fR is
not provided either, the \s-1SNI\s0 is set to \*(L"localhost\*(R".
This is the default since OpenSSL 1.1.1.
.Sp
Even though \s-1SNI\s0 should normally be a \s-1DNS\s0 name and not an \s-1IP\s0 address, if
\&\fB\-servername\fR is provided then that name will be sent, regardless of whether
it is a \s-1DNS\s0 name or not.
.Sp
This option cannot be used in conjunction with \fB\-noservername\fR.
.IP "\fB\-noservername\fR" 4
.IX Item "-noservername"
Suppresses sending of the \s-1SNI\s0 (Server Name Indication) extension in the
ClientHello message. Cannot be used in conjunction with the \fB\-servername\fR or
<\-dane_tlsa_domain> options.
.IP "\fB\-cert certname\fR" 4
.IX Item "-cert certname"
The certificate to use, if one is requested by the server. The default is
not to use a certificate.
.IP "\fB\-certform format\fR" 4
.IX Item "-certform format"
The certificate format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default.
.IP "\fB\-key keyfile\fR" 4
.IX Item "-key keyfile"
The private key to use. If not specified then the certificate file will
be used.
.IP "\fB\-keyform format\fR" 4
.IX Item "-keyform format"
The private format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default.
.IP "\fB\-cert_chain\fR" 4
.IX Item "-cert_chain"
A file containing trusted certificates to use when attempting to build the
client/server certificate chain related to the certificate specified via the
\&\fB\-cert\fR option.
.IP "\fB\-build_chain\fR" 4
.IX Item "-build_chain"
Specify whether the application should build the certificate chain to be
provided to the server.
.IP "\fB\-xkey infile\fR, \fB\-xcert infile\fR, \fB\-xchain\fR" 4
.IX Item "-xkey infile, -xcert infile, -xchain"
Specify an extra certificate, private key and certificate chain. These behave
in the same manner as the \fB\-cert\fR, \fB\-key\fR and \fB\-cert_chain\fR options. When
specified, the callback returning the first valid chain will be in use by the
client.
.IP "\fB\-xchain_build\fR" 4
.IX Item "-xchain_build"
Specify whether the application should build the certificate chain to be
provided to the server for the extra certificates provided via \fB\-xkey infile\fR,
\&\fB\-xcert infile\fR, \fB\-xchain\fR options.
.IP "\fB\-xcertform PEM|DER\fR, \fB\-xkeyform PEM|DER\fR" 4
.IX Item "-xcertform PEM|DER, -xkeyform PEM|DER"
Extra certificate and private key format respectively.
.IP "\fB\-pass arg\fR" 4
.IX Item "-pass arg"
the private key password source. For more information about the format of \fBarg\fR
see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-verify depth\fR" 4
.IX Item "-verify depth"
The verify depth to use. This specifies the maximum length of the
server certificate chain and turns on server certificate verification.
Currently the verify operation continues after errors so all the problems
with a certificate chain can be seen. As a side effect the connection
will never fail due to a server certificate verify failure.
.IP "\fB\-verify_return_error\fR" 4
.IX Item "-verify_return_error"
Return verification errors instead of continuing. This will typically
abort the handshake with a fatal error.
.IP "\fB\-nameopt option\fR" 4
.IX Item "-nameopt option"
Option which determines how the subject or issuer names are displayed. The
\&\fBoption\fR argument can be a single option or multiple options separated by
commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to
set multiple options. See the \fBx509\fR\|(1) manual page for details.
.IP "\fB\-CApath directory\fR" 4
.IX Item "-CApath directory"
The directory to use for server certificate verification. This directory
must be in \*(L"hash format\*(R", see \fBverify\fR\|(1) for more information. These are
also used when building the client certificate chain.
.IP "\fB\-CAfile file\fR" 4
.IX Item "-CAfile file"
A file containing trusted certificates to use during server authentication
and to use when attempting to build the client certificate chain.
.IP "\fB\-chainCApath directory\fR" 4
.IX Item "-chainCApath directory"
The directory to use for building the chain provided to the server. This
directory must be in \*(L"hash format\*(R", see \fBverify\fR\|(1) for more information.
.IP "\fB\-chainCAfile file\fR" 4
.IX Item "-chainCAfile file"
A file containing trusted certificates to use when attempting to build the
client certificate chain.
.IP "\fB\-no\-CAfile\fR" 4
.IX Item "-no-CAfile"
Do not load the trusted \s-1CA\s0 certificates from the default file location
.IP "\fB\-no\-CApath\fR" 4
.IX Item "-no-CApath"
Do not load the trusted \s-1CA\s0 certificates from the default directory location
.IP "\fB\-requestCAfile file\fR" 4
.IX Item "-requestCAfile file"
A file containing a list of certificates whose subject names will be sent
to the server in the \fBcertificate_authorities\fR extension. Only supported
for \s-1TLS 1.3\s0
.IP "\fB\-dane_tlsa_domain domain\fR" 4
.IX Item "-dane_tlsa_domain domain"
Enable \s-1RFC6698/RFC7671 DANE TLSA\s0 authentication and specify the
\&\s-1TLSA\s0 base domain which becomes the default \s-1SNI\s0 hint and the primary
reference identifier for hostname checks. This must be used in
combination with at least one instance of the \fB\-dane_tlsa_rrdata\fR
option below.
.Sp
When \s-1DANE\s0 authentication succeeds, the diagnostic output will include
the lowest (closest to 0) depth at which a \s-1TLSA\s0 record authenticated
a chain certificate. When that \s-1TLSA\s0 record is a \*(L"2 1 0\*(R" trust
anchor public key that signed (rather than matched) the top-most
certificate of the chain, the result is reported as \*(L"\s-1TA\s0 public key
verified\*(R". Otherwise, either the \s-1TLSA\s0 record \*(L"matched \s-1TA\s0 certificate\*(R"
at a positive depth or else \*(L"matched \s-1EE\s0 certificate\*(R" at depth 0.
.IP "\fB\-dane_tlsa_rrdata rrdata\fR" 4
.IX Item "-dane_tlsa_rrdata rrdata"
Use one or more times to specify the \s-1RRDATA\s0 fields of the \s-1DANE TLSA\s0
RRset associated with the target service. The \fBrrdata\fR value is
specified in \*(L"presentation form\*(R", that is four whitespace separated
fields that specify the usage, selector, matching type and associated
data, with the last of these encoded in hexadecimal. Optional
whitespace is ignored in the associated data field. For example:
.Sp
.Vb 12
\& $ openssl s_client \-brief \-starttls smtp \e
\& \-connect smtp.example.com:25 \e
\& \-dane_tlsa_domain smtp.example.com \e
\& \-dane_tlsa_rrdata "2 1 1
\& B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E 02CF362B" \e
\& \-dane_tlsa_rrdata "2 1 1
\& 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517 616E8A18"
\& ...
\& Verification: OK
\& Verified peername: smtp.example.com
\& DANE TLSA 2 1 1 ...ee12d2cc90180517616e8a18 matched TA certificate at depth 1
\& ...
.Ve
.IP "\fB\-dane_ee_no_namechecks\fR" 4
.IX Item "-dane_ee_no_namechecks"
This disables server name checks when authenticating via \s-1\fBDANE\-EE\s0\fR\|(3) \s-1TLSA\s0
records.
For some applications, primarily web browsers, it is not safe to disable name
checks due to \*(L"unknown key share\*(R" attacks, in which a malicious server can
convince a client that a connection to a victim server is instead a secure
connection to the malicious server.
The malicious server may then be able to violate cross-origin scripting
restrictions.
Thus, despite the text of \s-1RFC7671,\s0 name checks are by default enabled for
\&\s-1\fBDANE\-EE\s0\fR\|(3) \s-1TLSA\s0 records, and can be disabled in applications where it is safe
to do so.
In particular, \s-1SMTP\s0 and \s-1XMPP\s0 clients should set this option as \s-1SRV\s0 and \s-1MX\s0
records already make it possible for a remote domain to redirect client
connections to any server of its choice, and in any case \s-1SMTP\s0 and \s-1XMPP\s0 clients
do not execute scripts downloaded from remote servers.
.IP "\fB\-attime\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-no_check_time\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR" 4
.IX Item "-attime, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -no_check_time, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict"
Set various certificate chain validation options. See the
\&\fBverify\fR\|(1) manual page for details.
.IP "\fB\-reconnect\fR" 4
.IX Item "-reconnect"
Reconnects to the same server 5 times using the same session \s-1ID,\s0 this can
be used as a test that session caching is working.
.IP "\fB\-showcerts\fR" 4
.IX Item "-showcerts"
Displays the server certificate list as sent by the server: it only consists of
certificates the server has sent (in the order the server has sent them). It is
\&\fBnot\fR a verified chain.
.IP "\fB\-prexit\fR" 4
.IX Item "-prexit"
Print session information when the program exits. This will always attempt
to print out information even if the connection fails. Normally information
will only be printed out once if the connection succeeds. This option is useful
because the cipher in use may be renegotiated or the connection may fail
because a client certificate is required or is requested only after an
attempt is made to access a certain \s-1URL.\s0 Note: the output produced by this
option is not always accurate because a connection might never have been
established.
.IP "\fB\-state\fR" 4
.IX Item "-state"
Prints out the \s-1SSL\s0 session states.
.IP "\fB\-debug\fR" 4
.IX Item "-debug"
Print extensive debugging information including a hex dump of all traffic.
.IP "\fB\-msg\fR" 4
.IX Item "-msg"
Show all protocol messages with hex dump.
.IP "\fB\-trace\fR" 4
.IX Item "-trace"
Show verbose trace output of protocol messages. OpenSSL needs to be compiled
with \fBenable-ssl-trace\fR for this option to work.
.IP "\fB\-msgfile\fR" 4
.IX Item "-msgfile"
File to send output of \fB\-msg\fR or \fB\-trace\fR to, default standard output.
.IP "\fB\-nbio_test\fR" 4
.IX Item "-nbio_test"
Tests nonblocking I/O
.IP "\fB\-nbio\fR" 4
.IX Item "-nbio"
Turns on nonblocking I/O
.IP "\fB\-crlf\fR" 4
.IX Item "-crlf"
This option translated a line feed from the terminal into \s-1CR+LF\s0 as required
by some servers.
.IP "\fB\-ign_eof\fR" 4
.IX Item "-ign_eof"
Inhibit shutting down the connection when end of file is reached in the
input.
.IP "\fB\-quiet\fR" 4
.IX Item "-quiet"
Inhibit printing of session and certificate information. This implicitly
turns on \fB\-ign_eof\fR as well.
.IP "\fB\-no_ign_eof\fR" 4
.IX Item "-no_ign_eof"
Shut down the connection when end of file is reached in the input.
Can be used to override the implicit \fB\-ign_eof\fR after \fB\-quiet\fR.
.IP "\fB\-psk_identity identity\fR" 4
.IX Item "-psk_identity identity"
Use the \s-1PSK\s0 identity \fBidentity\fR when using a \s-1PSK\s0 cipher suite.
The default value is \*(L"Client_identity\*(R" (without the quotes).
.IP "\fB\-psk key\fR" 4
.IX Item "-psk key"
Use the \s-1PSK\s0 key \fBkey\fR when using a \s-1PSK\s0 cipher suite. The key is
given as a hexadecimal number without leading 0x, for example \-psk
1a2b3c4d.
This option must be provided in order to use a \s-1PSK\s0 cipher.
.IP "\fB\-psk_session file\fR" 4
.IX Item "-psk_session file"
Use the pem encoded \s-1SSL_SESSION\s0 data stored in \fBfile\fR as the basis of a \s-1PSK.\s0
Note that this will only work if TLSv1.3 is negotiated.
.IP "\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-tls1_3\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR, \fB\-no_tls1_3\fR" 4
.IX Item "-ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3"
These options require or disable the use of the specified \s-1SSL\s0 or \s-1TLS\s0 protocols.
By default \fBs_client\fR will negotiate the highest mutually supported protocol
version.
When a specific \s-1TLS\s0 version is required, only that version will be offered to
and accepted from the server.
Note that not all protocols and flags may be available, depending on how
OpenSSL was built.
.IP "\fB\-dtls\fR, \fB\-dtls1\fR, \fB\-dtls1_2\fR" 4
.IX Item "-dtls, -dtls1, -dtls1_2"
These options make \fBs_client\fR use \s-1DTLS\s0 protocols instead of \s-1TLS.\s0
With \fB\-dtls\fR, \fBs_client\fR will negotiate any supported \s-1DTLS\s0 protocol version,
whilst \fB\-dtls1\fR and \fB\-dtls1_2\fR will only support \s-1DTLS1.0\s0 and \s-1DTLS1.2\s0
respectively.
.IP "\fB\-sctp\fR" 4
.IX Item "-sctp"
Use \s-1SCTP\s0 for the transport protocol instead of \s-1UDP\s0 in \s-1DTLS.\s0 Must be used in
conjunction with \fB\-dtls\fR, \fB\-dtls1\fR or \fB\-dtls1_2\fR. This option is only
available where OpenSSL has support for \s-1SCTP\s0 enabled.
.IP "\fB\-sctp_label_bug\fR" 4
.IX Item "-sctp_label_bug"
Use the incorrect behaviour of older OpenSSL implementations when computing
endpoint-pair shared secrets for \s-1DTLS/SCTP.\s0 This allows communication with
older broken implementations but breaks interoperability with correct
implementations. Must be used in conjunction with \fB\-sctp\fR. This option is only
available where OpenSSL has support for \s-1SCTP\s0 enabled.
.IP "\fB\-fallback_scsv\fR" 4
.IX Item "-fallback_scsv"
Send \s-1TLS_FALLBACK_SCSV\s0 in the ClientHello.
.IP "\fB\-async\fR" 4
.IX Item "-async"
Switch on asynchronous mode. Cryptographic operations will be performed
asynchronously. This will only have an effect if an asynchronous capable engine
is also used via the \fB\-engine\fR option. For test purposes the dummy async engine
(dasync) can be used (if available).
.IP "\fB\-max_send_frag int\fR" 4
.IX Item "-max_send_frag int"
The maximum size of data fragment to send.
See \fBSSL_CTX_set_max_send_fragment\fR\|(3) for further information.
.IP "\fB\-split_send_frag int\fR" 4
.IX Item "-split_send_frag int"
The size used to split data for encrypt pipelines. If more data is written in
one go than this value then it will be split into multiple pipelines, up to the
maximum number of pipelines defined by max_pipelines. This only has an effect if
a suitable cipher suite has been negotiated, an engine that supports pipelining
has been loaded, and max_pipelines is greater than 1. See
\&\fBSSL_CTX_set_split_send_fragment\fR\|(3) for further information.
.IP "\fB\-max_pipelines int\fR" 4
.IX Item "-max_pipelines int"
The maximum number of encrypt/decrypt pipelines to be used. This will only have
an effect if an engine has been loaded that supports pipelining (e.g. the dasync
engine) and a suitable cipher suite has been negotiated. The default value is 1.
See \fBSSL_CTX_set_max_pipelines\fR\|(3) for further information.
.IP "\fB\-read_buf int\fR" 4
.IX Item "-read_buf int"
The default read buffer size to be used for connections. This will only have an
effect if the buffer size is larger than the size that would otherwise be used
and pipelining is in use (see \fBSSL_CTX_set_default_read_buffer_len\fR\|(3) for
further information).
.IP "\fB\-bugs\fR" 4
.IX Item "-bugs"
There are several known bugs in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
option enables various workarounds.
.IP "\fB\-comp\fR" 4
.IX Item "-comp"
Enables support for \s-1SSL/TLS\s0 compression.
This option was introduced in OpenSSL 1.1.0.
\&\s-1TLS\s0 compression is not recommended and is off by default as of
OpenSSL 1.1.0.
.IP "\fB\-no_comp\fR" 4
.IX Item "-no_comp"
Disables support for \s-1SSL/TLS\s0 compression.
\&\s-1TLS\s0 compression is not recommended and is off by default as of
OpenSSL 1.1.0.
.IP "\fB\-brief\fR" 4
.IX Item "-brief"
Only provide a brief summary of connection parameters instead of the
normal verbose output.
.IP "\fB\-sigalgs sigalglist\fR" 4
.IX Item "-sigalgs sigalglist"
Specifies the list of signature algorithms that are sent by the client.
The server selects one entry in the list based on its preferences.
For example strings, see \fBSSL_CTX_set1_sigalgs\fR\|(3)
.IP "\fB\-curves curvelist\fR" 4
.IX Item "-curves curvelist"
Specifies the list of supported curves to be sent by the client. The curve is
ultimately selected by the server. For a list of all curves, use:
.Sp
.Vb 1
\& $ openssl ecparam \-list_curves
.Ve
.IP "\fB\-cipher cipherlist\fR" 4
.IX Item "-cipher cipherlist"
This allows the TLSv1.2 and below cipher list sent by the client to be modified.
This list will be combined with any TLSv1.3 ciphersuites that have been
configured. Although the server determines which ciphersuite is used it should
take the first supported cipher in the list sent by the client. See the
\&\fBciphers\fR command for more information.
.IP "\fB\-ciphersuites val\fR" 4
.IX Item "-ciphersuites val"
This allows the TLSv1.3 ciphersuites sent by the client to be modified. This
list will be combined with any TLSv1.2 and below ciphersuites that have been
configured. Although the server determines which cipher suite is used it should
take the first supported cipher in the list sent by the client. See the
\&\fBciphers\fR command for more information. The format for this list is a simple
colon (\*(L":\*(R") separated list of TLSv1.3 ciphersuite names.
.IP "\fB\-starttls protocol\fR" 4
.IX Item "-starttls protocol"
Send the protocol-specific message(s) to switch to \s-1TLS\s0 for communication.
\&\fBprotocol\fR is a keyword for the intended protocol. Currently, the only
supported keywords are \*(L"smtp\*(R", \*(L"pop3\*(R", \*(L"imap\*(R", \*(L"ftp\*(R", \*(L"xmpp\*(R", \*(L"xmpp-server\*(R",
\&\*(L"irc\*(R", \*(L"postgres\*(R", \*(L"mysql\*(R", \*(L"lmtp\*(R", \*(L"nntp\*(R", \*(L"sieve\*(R" and \*(L"ldap\*(R".
.IP "\fB\-xmpphost hostname\fR" 4
.IX Item "-xmpphost hostname"
This option, when used with \*(L"\-starttls xmpp\*(R" or \*(L"\-starttls xmpp-server\*(R",
specifies the host for the \*(L"to\*(R" attribute of the stream element.
If this option is not specified, then the host specified with \*(L"\-connect\*(R"
will be used.
.Sp
This option is an alias of the \fB\-name\fR option for \*(L"xmpp\*(R" and \*(L"xmpp-server\*(R".
.IP "\fB\-name hostname\fR" 4
.IX Item "-name hostname"
This option is used to specify hostname information for various protocols
used with \fB\-starttls\fR option. Currently only \*(L"xmpp\*(R", \*(L"xmpp-server\*(R",
\&\*(L"smtp\*(R" and \*(L"lmtp\*(R" can utilize this \fB\-name\fR option.
.Sp
If this option is used with \*(L"\-starttls xmpp\*(R" or \*(L"\-starttls xmpp-server\*(R",
if specifies the host for the \*(L"to\*(R" attribute of the stream element. If this
option is not specified, then the host specified with \*(L"\-connect\*(R" will be used.
.Sp
If this option is used with \*(L"\-starttls lmtp\*(R" or \*(L"\-starttls smtp\*(R", it specifies
the name to use in the \*(L"\s-1LMTP LHLO\*(R"\s0 or \*(L"\s-1SMTP EHLO\*(R"\s0 message, respectively. If
this option is not specified, then \*(L"mail.example.com\*(R" will be used.
.IP "\fB\-tlsextdebug\fR" 4
.IX Item "-tlsextdebug"
Print out a hex dump of any \s-1TLS\s0 extensions received from the server.
.IP "\fB\-no_ticket\fR" 4
.IX Item "-no_ticket"
Disable RFC4507bis session ticket support.
.IP "\fB\-sess_out filename\fR" 4
.IX Item "-sess_out filename"
Output \s-1SSL\s0 session to \fBfilename\fR.
.IP "\fB\-sess_in sess.pem\fR" 4
.IX Item "-sess_in sess.pem"
Load \s-1SSL\s0 session from \fBfilename\fR. The client will attempt to resume a
connection from this session.
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
Specifying an engine (by its unique \fBid\fR string) will cause \fBs_client\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
.IP "\fB\-rand file...\fR" 4
.IX Item "-rand file..."
A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
.IP "[\fB\-writerand file\fR]" 4
.IX Item "[-writerand file]"
Writes random data to the specified \fIfile\fR upon exit.
This can be used with a subsequent \fB\-rand\fR flag.
.IP "\fB\-serverinfo types\fR" 4
.IX Item "-serverinfo types"
A list of comma-separated \s-1TLS\s0 Extension Types (numbers between 0 and
65535). Each type will be sent as an empty ClientHello \s-1TLS\s0 Extension.
The server's response (if any) will be encoded and displayed as a \s-1PEM\s0
file.
.IP "\fB\-status\fR" 4
.IX Item "-status"
Sends a certificate status request to the server (\s-1OCSP\s0 stapling). The server
response (if any) is printed out.
.IP "\fB\-alpn protocols\fR, \fB\-nextprotoneg protocols\fR" 4
.IX Item "-alpn protocols, -nextprotoneg protocols"
These flags enable the Enable the Application-Layer Protocol Negotiation
or Next Protocol Negotiation (\s-1NPN\s0) extension, respectively. \s-1ALPN\s0 is the
\&\s-1IETF\s0 standard and replaces \s-1NPN.\s0
The \fBprotocols\fR list is a comma-separated list of protocol names that
the client should advertise support for. The list should contain the most
desirable protocols first. Protocol names are printable \s-1ASCII\s0 strings,
for example \*(L"http/1.1\*(R" or \*(L"spdy/3\*(R".
An empty list of protocols is treated specially and will cause the
client to advertise support for the \s-1TLS\s0 extension but disconnect just
after receiving ServerHello with a list of server supported protocols.
The flag \fB\-nextprotoneg\fR cannot be specified if \fB\-tls1_3\fR is used.
.IP "\fB\-ct\fR, \fB\-noct\fR" 4
.IX Item "-ct, -noct"
Use one of these two options to control whether Certificate Transparency (\s-1CT\s0)
is enabled (\fB\-ct\fR) or disabled (\fB\-noct\fR).
If \s-1CT\s0 is enabled, signed certificate timestamps (SCTs) will be requested from
the server and reported at handshake completion.
.Sp
Enabling \s-1CT\s0 also enables \s-1OCSP\s0 stapling, as this is one possible delivery method
for SCTs.
.IP "\fB\-ctlogfile\fR" 4
.IX Item "-ctlogfile"
A file containing a list of known Certificate Transparency logs. See
\&\fBSSL_CTX_set_ctlog_list_file\fR\|(3) for the expected file format.
.IP "\fB\-keylogfile file\fR" 4
.IX Item "-keylogfile file"
Appends \s-1TLS\s0 secrets to the specified keylog file such that external programs
(like Wireshark) can decrypt \s-1TLS\s0 connections.
.IP "\fB\-early_data file\fR" 4
.IX Item "-early_data file"
Reads the contents of the specified file and attempts to send it as early data
to the server. This will only work with resumed sessions that support early
data and when the server accepts the early data.
.IP "\fB\-enable_pha\fR" 4
.IX Item "-enable_pha"
For TLSv1.3 only, send the Post-Handshake Authentication extension. This will
happen whether or not a certificate has been provided via \fB\-cert\fR.
.IP "\fB[target]\fR" 4
.IX Item "[target]"
Rather than providing \fB\-connect\fR, the target hostname and optional port may
be provided as a single positional argument after all options. If neither this
nor \fB\-connect\fR are provided, falls back to attempting to connect to localhost
on port 4433.
.SH "CONNECTED COMMANDS"
.IX Header "CONNECTED COMMANDS"
If a connection is established with an \s-1SSL\s0 server then any data received
from the server is displayed and any key presses will be sent to the
server. If end of file is reached then the connection will be closed down. When
used interactively (which means neither \fB\-quiet\fR nor \fB\-ign_eof\fR have been
given), then certain commands are also recognized which perform special
operations. These commands are a letter which must appear at the start of a
line. They are listed below.
.IP "\fBQ\fR" 4
.IX Item "Q"
End the current \s-1SSL\s0 connection and exit.
.IP "\fBR\fR" 4
.IX Item "R"
Renegotiate the \s-1SSL\s0 session (TLSv1.2 and below only).
.IP "\fBB\fR" 4
.IX Item "B"
Send a heartbeat message to the server (\s-1DTLS\s0 only)
.IP "\fBk\fR" 4
.IX Item "k"
Send a key update message to the server (TLSv1.3 only)
.IP "\fBK\fR" 4
.IX Item "K"
Send a key update message to the server and request one back (TLSv1.3 only)
.SH "NOTES"
.IX Header "NOTES"
\&\fBs_client\fR can be used to debug \s-1SSL\s0 servers. To connect to an \s-1SSL HTTP\s0
server the command:
.PP
.Vb 1
\& openssl s_client \-connect servername:443
.Ve
.PP
would typically be used (https uses port 443). If the connection succeeds
then an \s-1HTTP\s0 command can be given such as \*(L"\s-1GET /\*(R"\s0 to retrieve a web page.
.PP
If the handshake fails then there are several possible causes, if it is
nothing obvious like no client certificate then the \fB\-bugs\fR,
\&\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR options can be tried
in case it is a buggy server. In particular you should play with these
options \fBbefore\fR submitting a bug report to an OpenSSL mailing list.
.PP
A frequent problem when attempting to get client certificates working
is that a web client complains it has no certificates or gives an empty
list to choose from. This is normally because the server is not sending
the clients certificate authority in its \*(L"acceptable \s-1CA\s0 list\*(R" when it
requests a certificate. By using \fBs_client\fR the \s-1CA\s0 list can be viewed
and checked. However, some servers only request client authentication
after a specific \s-1URL\s0 is requested. To obtain the list in this case it
is necessary to use the \fB\-prexit\fR option and send an \s-1HTTP\s0 request
for an appropriate page.
.PP
If a certificate is specified on the command line using the \fB\-cert\fR
option it will not be used unless the server specifically requests
a client certificate. Therefore, merely including a client certificate
on the command line is no guarantee that the certificate works.
.PP
If there are problems verifying a server certificate then the
\&\fB\-showcerts\fR option can be used to show all the certificates sent by the
server.
.PP
The \fBs_client\fR utility is a test tool and is designed to continue the
handshake after any certificate verification errors. As a result it will
accept any certificate chain (trusted or not) sent by the peer. Non-test
applications should \fBnot\fR do this as it makes them vulnerable to a \s-1MITM\s0
attack. This behaviour can be changed by with the \fB\-verify_return_error\fR
option: any verify errors are then returned aborting the handshake.
.PP
The \fB\-bind\fR option may be useful if the server or a firewall requires
connections to come from some particular address and or port.
.SH "BUGS"
.IX Header "BUGS"
Because this program has a lot of options and also because some of the
techniques used are rather old, the C source of \fBs_client\fR is rather hard to
read and not a model of how things should be done.
A typical \s-1SSL\s0 client program would be much simpler.
.PP
The \fB\-prexit\fR option is a bit of a hack. We should really report
information whenever a session is renegotiated.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_CONF_cmd\fR\|(3), \fBsess_id\fR\|(1), \fBs_server\fR\|(1), \fBciphers\fR\|(1),
\&\fBSSL_CTX_set_max_send_fragment\fR\|(3), \fBSSL_CTX_set_split_send_fragment\fR\|(3),
\&\fBSSL_CTX_set_max_pipelines\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-no_alt_chains\fR option was added in OpenSSL 1.1.0.
The \fB\-name\fR option was added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/s_server.1 b/secure/usr.bin/openssl/man/s_server.1
index 31f193e08c2e..131d1ed0d9e1 100644
--- a/secure/usr.bin/openssl/man/s_server.1
+++ b/secure/usr.bin/openssl/man/s_server.1
@@ -1,868 +1,868 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "S_SERVER 1"
-.TH S_SERVER 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH S_SERVER 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-s_server, s_server \- SSL/TLS server program
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBs_server\fR
[\fB\-help\fR]
[\fB\-port +int\fR]
[\fB\-accept val\fR]
[\fB\-unix val\fR]
[\fB\-4\fR]
[\fB\-6\fR]
[\fB\-unlink\fR]
[\fB\-context val\fR]
[\fB\-verify int\fR]
[\fB\-Verify int\fR]
[\fB\-cert infile\fR]
[\fB\-nameopt val\fR]
[\fB\-naccept +int\fR]
[\fB\-serverinfo val\fR]
[\fB\-certform PEM|DER\fR]
[\fB\-key infile\fR]
[\fB\-keyform format\fR]
[\fB\-pass val\fR]
[\fB\-dcert infile\fR]
[\fB\-dcertform PEM|DER\fR]
[\fB\-dkey infile\fR]
[\fB\-dkeyform PEM|DER\fR]
[\fB\-dpass val\fR]
[\fB\-nbio_test\fR]
[\fB\-crlf\fR]
[\fB\-debug\fR]
[\fB\-msg\fR]
[\fB\-msgfile outfile\fR]
[\fB\-state\fR]
[\fB\-CAfile infile\fR]
[\fB\-CApath dir\fR]
[\fB\-no\-CAfile\fR]
[\fB\-no\-CApath\fR]
[\fB\-nocert\fR]
[\fB\-quiet\fR]
[\fB\-no_resume_ephemeral\fR]
[\fB\-www\fR]
[\fB\-WWW\fR]
[\fB\-servername\fR]
[\fB\-servername_fatal\fR]
[\fB\-cert2 infile\fR]
[\fB\-key2 infile\fR]
[\fB\-tlsextdebug\fR]
[\fB\-HTTP\fR]
[\fB\-id_prefix val\fR]
[\fB\-rand file...\fR]
[\fB\-writerand file\fR]
[\fB\-keymatexport val\fR]
[\fB\-keymatexportlen +int\fR]
[\fB\-CRL infile\fR]
[\fB\-crl_download\fR]
[\fB\-cert_chain infile\fR]
[\fB\-dcert_chain infile\fR]
[\fB\-chainCApath dir\fR]
[\fB\-verifyCApath dir\fR]
[\fB\-no_cache\fR]
[\fB\-ext_cache\fR]
[\fB\-CRLform PEM|DER\fR]
[\fB\-verify_return_error\fR]
[\fB\-verify_quiet\fR]
[\fB\-build_chain\fR]
[\fB\-chainCAfile infile\fR]
[\fB\-verifyCAfile infile\fR]
[\fB\-ign_eof\fR]
[\fB\-no_ign_eof\fR]
[\fB\-status\fR]
[\fB\-status_verbose\fR]
[\fB\-status_timeout int\fR]
[\fB\-status_url val\fR]
[\fB\-status_file infile\fR]
[\fB\-trace\fR]
[\fB\-security_debug\fR]
[\fB\-security_debug_verbose\fR]
[\fB\-brief\fR]
[\fB\-rev\fR]
[\fB\-async\fR]
[\fB\-ssl_config val\fR]
[\fB\-max_send_frag +int\fR]
[\fB\-split_send_frag +int\fR]
[\fB\-max_pipelines +int\fR]
[\fB\-read_buf +int\fR]
[\fB\-no_ssl3\fR]
[\fB\-no_tls1\fR]
[\fB\-no_tls1_1\fR]
[\fB\-no_tls1_2\fR]
[\fB\-no_tls1_3\fR]
[\fB\-bugs\fR]
[\fB\-no_comp\fR]
[\fB\-comp\fR]
[\fB\-no_ticket\fR]
[\fB\-num_tickets\fR]
[\fB\-serverpref\fR]
[\fB\-legacy_renegotiation\fR]
[\fB\-no_renegotiation\fR]
[\fB\-legacy_server_connect\fR]
[\fB\-no_resumption_on_reneg\fR]
[\fB\-no_legacy_server_connect\fR]
[\fB\-allow_no_dhe_kex\fR]
[\fB\-prioritize_chacha\fR]
[\fB\-strict\fR]
[\fB\-sigalgs val\fR]
[\fB\-client_sigalgs val\fR]
[\fB\-groups val\fR]
[\fB\-curves val\fR]
[\fB\-named_curve val\fR]
[\fB\-cipher val\fR]
[\fB\-ciphersuites val\fR]
[\fB\-dhparam infile\fR]
[\fB\-record_padding val\fR]
[\fB\-debug_broken_protocol\fR]
[\fB\-policy val\fR]
[\fB\-purpose val\fR]
[\fB\-verify_name val\fR]
[\fB\-verify_depth int\fR]
[\fB\-auth_level int\fR]
[\fB\-attime intmax\fR]
[\fB\-verify_hostname val\fR]
[\fB\-verify_email val\fR]
[\fB\-verify_ip\fR]
[\fB\-ignore_critical\fR]
[\fB\-issuer_checks\fR]
[\fB\-crl_check\fR]
[\fB\-crl_check_all\fR]
[\fB\-policy_check\fR]
[\fB\-explicit_policy\fR]
[\fB\-inhibit_any\fR]
[\fB\-inhibit_map\fR]
[\fB\-x509_strict\fR]
[\fB\-extended_crl\fR]
[\fB\-use_deltas\fR]
[\fB\-policy_print\fR]
[\fB\-check_ss_sig\fR]
[\fB\-trusted_first\fR]
[\fB\-suiteB_128_only\fR]
[\fB\-suiteB_128\fR]
[\fB\-suiteB_192\fR]
[\fB\-partial_chain\fR]
[\fB\-no_alt_chains\fR]
[\fB\-no_check_time\fR]
[\fB\-allow_proxy_certs\fR]
[\fB\-xkey\fR]
[\fB\-xcert\fR]
[\fB\-xchain\fR]
[\fB\-xchain_build\fR]
[\fB\-xcertform PEM|DER\fR]
[\fB\-xkeyform PEM|DER\fR]
[\fB\-nbio\fR]
[\fB\-psk_identity val\fR]
[\fB\-psk_hint val\fR]
[\fB\-psk val\fR]
[\fB\-psk_session file\fR]
[\fB\-srpvfile infile\fR]
[\fB\-srpuserseed val\fR]
[\fB\-ssl3\fR]
[\fB\-tls1\fR]
[\fB\-tls1_1\fR]
[\fB\-tls1_2\fR]
[\fB\-tls1_3\fR]
[\fB\-dtls\fR]
[\fB\-timeout\fR]
[\fB\-mtu +int\fR]
[\fB\-listen\fR]
[\fB\-dtls1\fR]
[\fB\-dtls1_2\fR]
[\fB\-sctp\fR]
[\fB\-sctp_label_bug\fR]
[\fB\-no_dhe\fR]
[\fB\-nextprotoneg val\fR]
[\fB\-use_srtp val\fR]
[\fB\-alpn val\fR]
[\fB\-engine val\fR]
[\fB\-keylogfile outfile\fR]
[\fB\-max_early_data int\fR]
[\fB\-early_data\fR]
[\fB\-anti_replay\fR]
[\fB\-no_anti_replay\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBs_server\fR command implements a generic \s-1SSL/TLS\s0 server which listens
for connections on a given port using \s-1SSL/TLS.\s0
.SH "OPTIONS"
.IX Header "OPTIONS"
In addition to the options below the \fBs_server\fR utility also supports the
common and server only options documented
in the \*(L"Supported Command Line Commands\*(R" section of the \fBSSL_CONF_cmd\fR\|(3)
manual page.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-port +int\fR" 4
.IX Item "-port +int"
The \s-1TCP\s0 port to listen on for connections. If not specified 4433 is used.
.IP "\fB\-accept val\fR" 4
.IX Item "-accept val"
The optional \s-1TCP\s0 host and port to listen on for connections. If not specified, *:4433 is used.
.IP "\fB\-unix val\fR" 4
.IX Item "-unix val"
Unix domain socket to accept on.
.IP "\fB\-4\fR" 4
.IX Item "-4"
Use IPv4 only.
.IP "\fB\-6\fR" 4
.IX Item "-6"
Use IPv6 only.
.IP "\fB\-unlink\fR" 4
.IX Item "-unlink"
For \-unix, unlink any existing socket first.
.IP "\fB\-context val\fR" 4
.IX Item "-context val"
Sets the \s-1SSL\s0 context id. It can be given any string value. If this option
is not present a default value will be used.
.IP "\fB\-verify int\fR, \fB\-Verify int\fR" 4
.IX Item "-verify int, -Verify int"
The verify depth to use. This specifies the maximum length of the
client certificate chain and makes the server request a certificate from
the client. With the \fB\-verify\fR option a certificate is requested but the
client does not have to send one, with the \fB\-Verify\fR option the client
must supply a certificate or an error occurs.
.Sp
If the cipher suite cannot request a client certificate (for example an
anonymous cipher suite or \s-1PSK\s0) this option has no effect.
.IP "\fB\-cert infile\fR" 4
.IX Item "-cert infile"
The certificate to use, most servers cipher suites require the use of a
certificate and some require a certificate with a certain public key type:
for example the \s-1DSS\s0 cipher suites require a certificate containing a \s-1DSS\s0
(\s-1DSA\s0) key. If not specified then the filename \*(L"server.pem\*(R" will be used.
.IP "\fB\-cert_chain\fR" 4
.IX Item "-cert_chain"
A file containing trusted certificates to use when attempting to build the
client/server certificate chain related to the certificate specified via the
\&\fB\-cert\fR option.
.IP "\fB\-build_chain\fR" 4
.IX Item "-build_chain"
Specify whether the application should build the certificate chain to be
provided to the client.
.IP "\fB\-nameopt val\fR" 4
.IX Item "-nameopt val"
Option which determines how the subject or issuer names are displayed. The
\&\fBval\fR argument can be a single option or multiple options separated by
commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to
set multiple options. See the \fBx509\fR\|(1) manual page for details.
.IP "\fB\-naccept +int\fR" 4
.IX Item "-naccept +int"
The server will exit after receiving the specified number of connections,
default unlimited.
.IP "\fB\-serverinfo val\fR" 4
.IX Item "-serverinfo val"
A file containing one or more blocks of \s-1PEM\s0 data. Each \s-1PEM\s0 block
must encode a \s-1TLS\s0 ServerHello extension (2 bytes type, 2 bytes length,
followed by \*(L"length\*(R" bytes of extension data). If the client sends
an empty \s-1TLS\s0 ClientHello extension matching the type, the corresponding
ServerHello extension will be returned.
.IP "\fB\-certform PEM|DER\fR" 4
.IX Item "-certform PEM|DER"
The certificate format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default.
.IP "\fB\-key infile\fR" 4
.IX Item "-key infile"
The private key to use. If not specified then the certificate file will
be used.
.IP "\fB\-keyform format\fR" 4
.IX Item "-keyform format"
The private format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default.
.IP "\fB\-pass val\fR" 4
.IX Item "-pass val"
The private key password source. For more information about the format of \fBval\fR
see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-dcert infile\fR, \fB\-dkey infile\fR" 4
.IX Item "-dcert infile, -dkey infile"
Specify an additional certificate and private key, these behave in the
same manner as the \fB\-cert\fR and \fB\-key\fR options except there is no default
if they are not specified (no additional certificate and key is used). As
noted above some cipher suites require a certificate containing a key of
a certain type. Some cipher suites need a certificate carrying an \s-1RSA\s0 key
and some a \s-1DSS\s0 (\s-1DSA\s0) key. By using \s-1RSA\s0 and \s-1DSS\s0 certificates and keys
a server can support clients which only support \s-1RSA\s0 or \s-1DSS\s0 cipher suites
by using an appropriate certificate.
.IP "\fB\-dcert_chain\fR" 4
.IX Item "-dcert_chain"
A file containing trusted certificates to use when attempting to build the
server certificate chain when a certificate specified via the \fB\-dcert\fR option
is in use.
.IP "\fB\-dcertform PEM|DER\fR, \fB\-dkeyform PEM|DER\fR, \fB\-dpass val\fR" 4
.IX Item "-dcertform PEM|DER, -dkeyform PEM|DER, -dpass val"
Additional certificate and private key format and passphrase respectively.
.IP "\fB\-xkey infile\fR, \fB\-xcert infile\fR, \fB\-xchain\fR" 4
.IX Item "-xkey infile, -xcert infile, -xchain"
Specify an extra certificate, private key and certificate chain. These behave
in the same manner as the \fB\-cert\fR, \fB\-key\fR and \fB\-cert_chain\fR options. When
specified, the callback returning the first valid chain will be in use by
the server.
.IP "\fB\-xchain_build\fR" 4
.IX Item "-xchain_build"
Specify whether the application should build the certificate chain to be
provided to the client for the extra certificates provided via \fB\-xkey infile\fR,
\&\fB\-xcert infile\fR, \fB\-xchain\fR options.
.IP "\fB\-xcertform PEM|DER\fR, \fB\-xkeyform PEM|DER\fR" 4
.IX Item "-xcertform PEM|DER, -xkeyform PEM|DER"
Extra certificate and private key format respectively.
.IP "\fB\-nbio_test\fR" 4
.IX Item "-nbio_test"
Tests non blocking I/O.
.IP "\fB\-crlf\fR" 4
.IX Item "-crlf"
This option translated a line feed from the terminal into \s-1CR+LF.\s0
.IP "\fB\-debug\fR" 4
.IX Item "-debug"
Print extensive debugging information including a hex dump of all traffic.
.IP "\fB\-msg\fR" 4
.IX Item "-msg"
Show all protocol messages with hex dump.
.IP "\fB\-msgfile outfile\fR" 4
.IX Item "-msgfile outfile"
File to send output of \fB\-msg\fR or \fB\-trace\fR to, default standard output.
.IP "\fB\-state\fR" 4
.IX Item "-state"
Prints the \s-1SSL\s0 session states.
.IP "\fB\-CAfile infile\fR" 4
.IX Item "-CAfile infile"
A file containing trusted certificates to use during client authentication
and to use when attempting to build the server certificate chain. The list
is also used in the list of acceptable client CAs passed to the client when
a certificate is requested.
.IP "\fB\-CApath dir\fR" 4
.IX Item "-CApath dir"
The directory to use for client certificate verification. This directory
must be in \*(L"hash format\*(R", see \fBverify\fR\|(1) for more information. These are
also used when building the server certificate chain.
.IP "\fB\-chainCApath dir\fR" 4
.IX Item "-chainCApath dir"
The directory to use for building the chain provided to the client. This
directory must be in \*(L"hash format\*(R", see \fBverify\fR\|(1) for more information.
.IP "\fB\-chainCAfile file\fR" 4
.IX Item "-chainCAfile file"
A file containing trusted certificates to use when attempting to build the
server certificate chain.
.IP "\fB\-no\-CAfile\fR" 4
.IX Item "-no-CAfile"
Do not load the trusted \s-1CA\s0 certificates from the default file location.
.IP "\fB\-no\-CApath\fR" 4
.IX Item "-no-CApath"
Do not load the trusted \s-1CA\s0 certificates from the default directory location.
.IP "\fB\-nocert\fR" 4
.IX Item "-nocert"
If this option is set then no certificate is used. This restricts the
cipher suites available to the anonymous ones (currently just anonymous
\&\s-1DH\s0).
.IP "\fB\-quiet\fR" 4
.IX Item "-quiet"
Inhibit printing of session and certificate information.
.IP "\fB\-www\fR" 4
.IX Item "-www"
Sends a status message back to the client when it connects. This includes
information about the ciphers used and various session parameters.
The output is in \s-1HTML\s0 format so this option will normally be used with a
web browser. Cannot be used in conjunction with \fB\-early_data\fR.
.IP "\fB\-WWW\fR" 4
.IX Item "-WWW"
Emulates a simple web server. Pages will be resolved relative to the
current directory, for example if the \s-1URL\s0 https://myhost/page.html is
requested the file ./page.html will be loaded. Cannot be used in conjunction
with \fB\-early_data\fR.
.IP "\fB\-tlsextdebug\fR" 4
.IX Item "-tlsextdebug"
Print a hex dump of any \s-1TLS\s0 extensions received from the server.
.IP "\fB\-HTTP\fR" 4
.IX Item "-HTTP"
Emulates a simple web server. Pages will be resolved relative to the
current directory, for example if the \s-1URL\s0 https://myhost/page.html is
requested the file ./page.html will be loaded. The files loaded are
assumed to contain a complete and correct \s-1HTTP\s0 response (lines that
are part of the \s-1HTTP\s0 response line and headers must end with \s-1CRLF\s0). Cannot be
used in conjunction with \fB\-early_data\fR.
.IP "\fB\-id_prefix val\fR" 4
.IX Item "-id_prefix val"
Generate \s-1SSL/TLS\s0 session IDs prefixed by \fBval\fR. This is mostly useful
for testing any \s-1SSL/TLS\s0 code (e.g. proxies) that wish to deal with multiple
servers, when each of which might be generating a unique range of session
IDs (e.g. with a certain prefix).
.IP "\fB\-rand file...\fR" 4
.IX Item "-rand file..."
A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
.IP "[\fB\-writerand file\fR]" 4
.IX Item "[-writerand file]"
Writes random data to the specified \fIfile\fR upon exit.
This can be used with a subsequent \fB\-rand\fR flag.
.IP "\fB\-verify_return_error\fR" 4
.IX Item "-verify_return_error"
Verification errors normally just print a message but allow the
connection to continue, for debugging purposes.
If this option is used, then verification errors close the connection.
.IP "\fB\-status\fR" 4
.IX Item "-status"
Enables certificate status request support (aka \s-1OCSP\s0 stapling).
.IP "\fB\-status_verbose\fR" 4
.IX Item "-status_verbose"
Enables certificate status request support (aka \s-1OCSP\s0 stapling) and gives
a verbose printout of the \s-1OCSP\s0 response.
.IP "\fB\-status_timeout int\fR" 4
.IX Item "-status_timeout int"
Sets the timeout for \s-1OCSP\s0 response to \fBint\fR seconds.
.IP "\fB\-status_url val\fR" 4
.IX Item "-status_url val"
Sets a fallback responder \s-1URL\s0 to use if no responder \s-1URL\s0 is present in the
server certificate. Without this option an error is returned if the server
certificate does not contain a responder address.
.IP "\fB\-status_file infile\fR" 4
.IX Item "-status_file infile"
Overrides any \s-1OCSP\s0 responder URLs from the certificate and always provides the
\&\s-1OCSP\s0 Response stored in the file. The file must be in \s-1DER\s0 format.
.IP "\fB\-trace\fR" 4
.IX Item "-trace"
Show verbose trace output of protocol messages. OpenSSL needs to be compiled
with \fBenable-ssl-trace\fR for this option to work.
.IP "\fB\-brief\fR" 4
.IX Item "-brief"
Provide a brief summary of connection parameters instead of the normal verbose
output.
.IP "\fB\-rev\fR" 4
.IX Item "-rev"
Simple test server which just reverses the text received from the client
and sends it back to the server. Also sets \fB\-brief\fR. Cannot be used in
conjunction with \fB\-early_data\fR.
.IP "\fB\-async\fR" 4
.IX Item "-async"
Switch on asynchronous mode. Cryptographic operations will be performed
asynchronously. This will only have an effect if an asynchronous capable engine
is also used via the \fB\-engine\fR option. For test purposes the dummy async engine
(dasync) can be used (if available).
.IP "\fB\-max_send_frag +int\fR" 4
.IX Item "-max_send_frag +int"
The maximum size of data fragment to send.
See \fBSSL_CTX_set_max_send_fragment\fR\|(3) for further information.
.IP "\fB\-split_send_frag +int\fR" 4
.IX Item "-split_send_frag +int"
The size used to split data for encrypt pipelines. If more data is written in
one go than this value then it will be split into multiple pipelines, up to the
maximum number of pipelines defined by max_pipelines. This only has an effect if
a suitable cipher suite has been negotiated, an engine that supports pipelining
has been loaded, and max_pipelines is greater than 1. See
\&\fBSSL_CTX_set_split_send_fragment\fR\|(3) for further information.
.IP "\fB\-max_pipelines +int\fR" 4
.IX Item "-max_pipelines +int"
The maximum number of encrypt/decrypt pipelines to be used. This will only have
an effect if an engine has been loaded that supports pipelining (e.g. the dasync
engine) and a suitable cipher suite has been negotiated. The default value is 1.
See \fBSSL_CTX_set_max_pipelines\fR\|(3) for further information.
.IP "\fB\-read_buf +int\fR" 4
.IX Item "-read_buf +int"
The default read buffer size to be used for connections. This will only have an
effect if the buffer size is larger than the size that would otherwise be used
and pipelining is in use (see \fBSSL_CTX_set_default_read_buffer_len\fR\|(3) for
further information).
.IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-tls1_3\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR, \fB\-no_tls1_3\fR" 4
.IX Item "-ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3, -no_ssl2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3"
These options require or disable the use of the specified \s-1SSL\s0 or \s-1TLS\s0 protocols.
By default \fBs_server\fR will negotiate the highest mutually supported protocol
version.
When a specific \s-1TLS\s0 version is required, only that version will be accepted
from the client.
Note that not all protocols and flags may be available, depending on how
OpenSSL was built.
.IP "\fB\-bugs\fR" 4
.IX Item "-bugs"
There are several known bugs in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
option enables various workarounds.
.IP "\fB\-no_comp\fR" 4
.IX Item "-no_comp"
Disable negotiation of \s-1TLS\s0 compression.
\&\s-1TLS\s0 compression is not recommended and is off by default as of
OpenSSL 1.1.0.
.IP "\fB\-comp\fR" 4
.IX Item "-comp"
Enable negotiation of \s-1TLS\s0 compression.
This option was introduced in OpenSSL 1.1.0.
\&\s-1TLS\s0 compression is not recommended and is off by default as of
OpenSSL 1.1.0.
.IP "\fB\-no_ticket\fR" 4
.IX Item "-no_ticket"
Disable RFC4507bis session ticket support. This option has no effect if TLSv1.3
is negotiated. See \fB\-num_tickets\fR.
.IP "\fB\-num_tickets\fR" 4
.IX Item "-num_tickets"
Control the number of tickets that will be sent to the client after a full
handshake in TLSv1.3. The default number of tickets is 2. This option does not
affect the number of tickets sent after a resumption handshake.
.IP "\fB\-serverpref\fR" 4
.IX Item "-serverpref"
Use the server's cipher preferences, rather than the client's preferences.
.IP "\fB\-prioritize_chacha\fR" 4
.IX Item "-prioritize_chacha"
Prioritize ChaCha ciphers when preferred by clients. Requires \fB\-serverpref\fR.
.IP "\fB\-no_resumption_on_reneg\fR" 4
.IX Item "-no_resumption_on_reneg"
Set the \fB\s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0\fR option.
.IP "\fB\-client_sigalgs val\fR" 4
.IX Item "-client_sigalgs val"
Signature algorithms to support for client certificate authentication
(colon-separated list).
.IP "\fB\-named_curve val\fR" 4
.IX Item "-named_curve val"
Specifies the elliptic curve to use. \s-1NOTE:\s0 this is single curve, not a list.
For a list of all possible curves, use:
.Sp
.Vb 1
\& $ openssl ecparam \-list_curves
.Ve
.IP "\fB\-cipher val\fR" 4
.IX Item "-cipher val"
This allows the list of TLSv1.2 and below ciphersuites used by the server to be
modified. This list is combined with any TLSv1.3 ciphersuites that have been
configured. When the client sends a list of supported ciphers the first client
cipher also included in the server list is used. Because the client specifies
the preference order, the order of the server cipherlist is irrelevant. See
the \fBciphers\fR command for more information.
.IP "\fB\-ciphersuites val\fR" 4
.IX Item "-ciphersuites val"
This allows the list of TLSv1.3 ciphersuites used by the server to be modified.
This list is combined with any TLSv1.2 and below ciphersuites that have been
configured. When the client sends a list of supported ciphers the first client
cipher also included in the server list is used. Because the client specifies
the preference order, the order of the server cipherlist is irrelevant. See
the \fBciphers\fR command for more information. The format for this list is a
simple colon (\*(L":\*(R") separated list of TLSv1.3 ciphersuite names.
.IP "\fB\-dhparam infile\fR" 4
.IX Item "-dhparam infile"
The \s-1DH\s0 parameter file to use. The ephemeral \s-1DH\s0 cipher suites generate keys
using a set of \s-1DH\s0 parameters. If not specified then an attempt is made to
load the parameters from the server certificate file.
If this fails then a static set of parameters hard coded into the \fBs_server\fR
program will be used.
.IP "\fB\-attime\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-no_check_time\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR" 4
.IX Item "-attime, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -no_check_time, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict"
Set different peer certificate verification options.
See the \fBverify\fR\|(1) manual page for details.
.IP "\fB\-crl_check\fR, \fB\-crl_check_all\fR" 4
.IX Item "-crl_check, -crl_check_all"
Check the peer certificate has not been revoked by its \s-1CA.\s0
The \s-1CRL\s0(s) are appended to the certificate file. With the \fB\-crl_check_all\fR
option all CRLs of all CAs in the chain are checked.
.IP "\fB\-nbio\fR" 4
.IX Item "-nbio"
Turns on non blocking I/O.
.IP "\fB\-psk_identity val\fR" 4
.IX Item "-psk_identity val"
Expect the client to send \s-1PSK\s0 identity \fBval\fR when using a \s-1PSK\s0
cipher suite, and warn if they do not. By default, the expected \s-1PSK\s0
identity is the string \*(L"Client_identity\*(R".
.IP "\fB\-psk_hint val\fR" 4
.IX Item "-psk_hint val"
Use the \s-1PSK\s0 identity hint \fBval\fR when using a \s-1PSK\s0 cipher suite.
.IP "\fB\-psk val\fR" 4
.IX Item "-psk val"
Use the \s-1PSK\s0 key \fBval\fR when using a \s-1PSK\s0 cipher suite. The key is
given as a hexadecimal number without leading 0x, for example \-psk
1a2b3c4d.
This option must be provided in order to use a \s-1PSK\s0 cipher.
.IP "\fB\-psk_session file\fR" 4
.IX Item "-psk_session file"
Use the pem encoded \s-1SSL_SESSION\s0 data stored in \fBfile\fR as the basis of a \s-1PSK.\s0
Note that this will only work if TLSv1.3 is negotiated.
.IP "\fB\-listen\fR" 4
.IX Item "-listen"
This option can only be used in conjunction with one of the \s-1DTLS\s0 options above.
With this option \fBs_server\fR will listen on a \s-1UDP\s0 port for incoming connections.
Any ClientHellos that arrive will be checked to see if they have a cookie in
them or not.
Any without a cookie will be responded to with a HelloVerifyRequest.
If a ClientHello with a cookie is received then \fBs_server\fR will connect to
that peer and complete the handshake.
.IP "\fB\-dtls\fR, \fB\-dtls1\fR, \fB\-dtls1_2\fR" 4
.IX Item "-dtls, -dtls1, -dtls1_2"
These options make \fBs_server\fR use \s-1DTLS\s0 protocols instead of \s-1TLS.\s0
With \fB\-dtls\fR, \fBs_server\fR will negotiate any supported \s-1DTLS\s0 protocol version,
whilst \fB\-dtls1\fR and \fB\-dtls1_2\fR will only support DTLSv1.0 and DTLSv1.2
respectively.
.IP "\fB\-sctp\fR" 4
.IX Item "-sctp"
Use \s-1SCTP\s0 for the transport protocol instead of \s-1UDP\s0 in \s-1DTLS.\s0 Must be used in
conjunction with \fB\-dtls\fR, \fB\-dtls1\fR or \fB\-dtls1_2\fR. This option is only
available where OpenSSL has support for \s-1SCTP\s0 enabled.
.IP "\fB\-sctp_label_bug\fR" 4
.IX Item "-sctp_label_bug"
Use the incorrect behaviour of older OpenSSL implementations when computing
endpoint-pair shared secrets for \s-1DTLS/SCTP.\s0 This allows communication with
older broken implementations but breaks interoperability with correct
implementations. Must be used in conjunction with \fB\-sctp\fR. This option is only
available where OpenSSL has support for \s-1SCTP\s0 enabled.
.IP "\fB\-no_dhe\fR" 4
.IX Item "-no_dhe"
If this option is set then no \s-1DH\s0 parameters will be loaded effectively
disabling the ephemeral \s-1DH\s0 cipher suites.
.IP "\fB\-alpn val\fR, \fB\-nextprotoneg val\fR" 4
.IX Item "-alpn val, -nextprotoneg val"
These flags enable the Application-Layer Protocol Negotiation
or Next Protocol Negotiation (\s-1NPN\s0) extension, respectively. \s-1ALPN\s0 is the
\&\s-1IETF\s0 standard and replaces \s-1NPN.\s0
The \fBval\fR list is a comma-separated list of supported protocol
names. The list should contain the most desirable protocols first.
Protocol names are printable \s-1ASCII\s0 strings, for example \*(L"http/1.1\*(R" or
\&\*(L"spdy/3\*(R".
The flag \fB\-nextprotoneg\fR cannot be specified if \fB\-tls1_3\fR is used.
.IP "\fB\-engine val\fR" 4
.IX Item "-engine val"
Specifying an engine (by its unique id string in \fBval\fR) will cause \fBs_server\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
.IP "\fB\-keylogfile outfile\fR" 4
.IX Item "-keylogfile outfile"
Appends \s-1TLS\s0 secrets to the specified keylog file such that external programs
(like Wireshark) can decrypt \s-1TLS\s0 connections.
.IP "\fB\-max_early_data int\fR" 4
.IX Item "-max_early_data int"
Change the default maximum early data bytes that are specified for new sessions
and any incoming early data (when used in conjunction with the \fB\-early_data\fR
flag). The default value is approximately 16k. The argument must be an integer
greater than or equal to 0.
.IP "\fB\-early_data\fR" 4
.IX Item "-early_data"
Accept early data where possible. Cannot be used in conjunction with \fB\-www\fR,
\&\fB\-WWW\fR, \fB\-HTTP\fR or \fB\-rev\fR.
.IP "\fB\-anti_replay\fR, \fB\-no_anti_replay\fR" 4
.IX Item "-anti_replay, -no_anti_replay"
Switches replay protection on or off, respectively. Replay protection is on by
default unless overridden by a configuration file. When it is on, OpenSSL will
automatically detect if a session ticket has been used more than once, TLSv1.3
has been negotiated, and early data is enabled on the server. A full handshake
is forced if a session ticket is used a second or subsequent time. Any early
data that was sent will be rejected.
.SH "CONNECTED COMMANDS"
.IX Header "CONNECTED COMMANDS"
If a connection request is established with an \s-1SSL\s0 client and neither the
\&\fB\-www\fR nor the \fB\-WWW\fR option has been used then normally any data received
from the client is displayed and any key presses will be sent to the client.
.PP
Certain commands are also recognized which perform special operations. These
commands are a letter which must appear at the start of a line. They are listed
below.
.IP "\fBq\fR" 4
.IX Item "q"
End the current \s-1SSL\s0 connection but still accept new connections.
.IP "\fBQ\fR" 4
.IX Item "Q"
End the current \s-1SSL\s0 connection and exit.
.IP "\fBr\fR" 4
.IX Item "r"
Renegotiate the \s-1SSL\s0 session (TLSv1.2 and below only).
.IP "\fBR\fR" 4
.IX Item "R"
Renegotiate the \s-1SSL\s0 session and request a client certificate (TLSv1.2 and below
only).
.IP "\fBP\fR" 4
.IX Item "P"
Send some plain text down the underlying \s-1TCP\s0 connection: this should
cause the client to disconnect due to a protocol violation.
.IP "\fBS\fR" 4
.IX Item "S"
Print out some session cache status information.
.IP "\fBB\fR" 4
.IX Item "B"
Send a heartbeat message to the client (\s-1DTLS\s0 only)
.IP "\fBk\fR" 4
.IX Item "k"
Send a key update message to the client (TLSv1.3 only)
.IP "\fBK\fR" 4
.IX Item "K"
Send a key update message to the client and request one back (TLSv1.3 only)
.IP "\fBc\fR" 4
.IX Item "c"
Send a certificate request to the client (TLSv1.3 only)
.SH "NOTES"
.IX Header "NOTES"
\&\fBs_server\fR can be used to debug \s-1SSL\s0 clients. To accept connections from
a web browser the command:
.PP
.Vb 1
\& openssl s_server \-accept 443 \-www
.Ve
.PP
can be used for example.
.PP
Although specifying an empty list of CAs when requesting a client certificate
is strictly speaking a protocol violation, some \s-1SSL\s0 clients interpret this to
mean any \s-1CA\s0 is acceptable. This is useful for debugging purposes.
.PP
The session parameters can printed out using the \fBsess_id\fR program.
.SH "BUGS"
.IX Header "BUGS"
Because this program has a lot of options and also because some of the
techniques used are rather old, the C source of \fBs_server\fR is rather hard to
read and not a model of how things should be done.
A typical \s-1SSL\s0 server program would be much simpler.
.PP
The output of common ciphers is wrong: it just gives the list of ciphers that
OpenSSL recognizes and the client supports.
.PP
There should be a way for the \fBs_server\fR program to print out details of any
unknown cipher suites a client says it supports.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBSSL_CONF_cmd\fR\|(3), \fBsess_id\fR\|(1), \fBs_client\fR\|(1), \fBciphers\fR\|(1)
\&\fBSSL_CTX_set_max_send_fragment\fR\|(3),
\&\fBSSL_CTX_set_split_send_fragment\fR\|(3),
\&\fBSSL_CTX_set_max_pipelines\fR\|(3)
.SH "HISTORY"
.IX Header "HISTORY"
The \-no_alt_chains option was added in OpenSSL 1.1.0.
.PP
The
\&\-allow\-no\-dhe\-kex and \-prioritize_chacha options were added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/s_time.1 b/secure/usr.bin/openssl/man/s_time.1
index c101cd54dc95..77880b5e9672 100644
--- a/secure/usr.bin/openssl/man/s_time.1
+++ b/secure/usr.bin/openssl/man/s_time.1
@@ -1,320 +1,320 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "S_TIME 1"
-.TH S_TIME 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH S_TIME 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-s_time, s_time \- SSL/TLS performance timing program
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBs_time\fR
[\fB\-help\fR]
[\fB\-connect host:port\fR]
[\fB\-www page\fR]
[\fB\-cert filename\fR]
[\fB\-key filename\fR]
[\fB\-CApath directory\fR]
[\fB\-CAfile filename\fR]
[\fB\-no\-CAfile\fR]
[\fB\-no\-CApath\fR]
[\fB\-reuse\fR]
[\fB\-new\fR]
[\fB\-verify depth\fR]
[\fB\-nameopt option\fR]
[\fB\-time seconds\fR]
[\fB\-ssl3\fR]
[\fB\-bugs\fR]
[\fB\-cipher cipherlist\fR]
[\fB\-ciphersuites val\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBs_time\fR command implements a generic \s-1SSL/TLS\s0 client which connects to a
remote host using \s-1SSL/TLS.\s0 It can request a page from the server and includes
the time to transfer the payload data in its timing measurements. It measures
the number of connections within a given timeframe, the amount of data
transferred (if any), and calculates the average time spent for one connection.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-connect host:port\fR" 4
.IX Item "-connect host:port"
This specifies the host and optional port to connect to.
.IP "\fB\-www page\fR" 4
.IX Item "-www page"
This specifies the page to \s-1GET\s0 from the server. A value of '/' gets the
index.htm[l] page. If this parameter is not specified, then \fBs_time\fR will only
perform the handshake to establish \s-1SSL\s0 connections but not transfer any
payload data.
.IP "\fB\-cert certname\fR" 4
.IX Item "-cert certname"
The certificate to use, if one is requested by the server. The default is
not to use a certificate. The file is in \s-1PEM\s0 format.
.IP "\fB\-key keyfile\fR" 4
.IX Item "-key keyfile"
The private key to use. If not specified then the certificate file will
be used. The file is in \s-1PEM\s0 format.
.IP "\fB\-verify depth\fR" 4
.IX Item "-verify depth"
The verify depth to use. This specifies the maximum length of the
server certificate chain and turns on server certificate verification.
Currently the verify operation continues after errors so all the problems
with a certificate chain can be seen. As a side effect the connection
will never fail due to a server certificate verify failure.
.IP "\fB\-nameopt option\fR" 4
.IX Item "-nameopt option"
Option which determines how the subject or issuer names are displayed. The
\&\fBoption\fR argument can be a single option or multiple options separated by
commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to
set multiple options. See the \fBx509\fR\|(1) manual page for details.
.IP "\fB\-CApath directory\fR" 4
.IX Item "-CApath directory"
The directory to use for server certificate verification. This directory
must be in \*(L"hash format\*(R", see \fBverify\fR for more information. These are
also used when building the client certificate chain.
.IP "\fB\-CAfile file\fR" 4
.IX Item "-CAfile file"
A file containing trusted certificates to use during server authentication
and to use when attempting to build the client certificate chain.
.IP "\fB\-no\-CAfile\fR" 4
.IX Item "-no-CAfile"
Do not load the trusted \s-1CA\s0 certificates from the default file location
.IP "\fB\-no\-CApath\fR" 4
.IX Item "-no-CApath"
Do not load the trusted \s-1CA\s0 certificates from the default directory location
.IP "\fB\-new\fR" 4
.IX Item "-new"
Performs the timing test using a new session \s-1ID\s0 for each connection.
If neither \fB\-new\fR nor \fB\-reuse\fR are specified, they are both on by default
and executed in sequence.
.IP "\fB\-reuse\fR" 4
.IX Item "-reuse"
Performs the timing test using the same session \s-1ID\s0; this can be used as a test
that session caching is working. If neither \fB\-new\fR nor \fB\-reuse\fR are
specified, they are both on by default and executed in sequence.
.IP "\fB\-ssl3\fR" 4
.IX Item "-ssl3"
This option disables the use of \s-1SSL\s0 version 3. By default
the initial handshake uses a method which should be compatible with all
servers and permit them to use \s-1SSL\s0 v3 or \s-1TLS\s0 as appropriate.
.Sp
The timing program is not as rich in options to turn protocols on and off as
the \fBs_client\fR\|(1) program and may not connect to all servers.
Unfortunately there are a lot of ancient and broken servers in use which
cannot handle this technique and will fail to connect. Some servers only
work if \s-1TLS\s0 is turned off with the \fB\-ssl3\fR option.
.Sp
Note that this option may not be available, depending on how
OpenSSL was built.
.IP "\fB\-bugs\fR" 4
.IX Item "-bugs"
There are several known bugs in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this
option enables various workarounds.
.IP "\fB\-cipher cipherlist\fR" 4
.IX Item "-cipher cipherlist"
This allows the TLSv1.2 and below cipher list sent by the client to be modified.
This list will be combined with any TLSv1.3 ciphersuites that have been
configured. Although the server determines which cipher suite is used it should
take the first supported cipher in the list sent by the client. See
\&\fBciphers\fR\|(1) for more information.
.IP "\fB\-ciphersuites val\fR" 4
.IX Item "-ciphersuites val"
This allows the TLSv1.3 ciphersuites sent by the client to be modified. This
list will be combined with any TLSv1.2 and below ciphersuites that have been
configured. Although the server determines which cipher suite is used it should
take the first supported cipher in the list sent by the client. See
\&\fBciphers\fR\|(1) for more information. The format for this list is a simple
colon (\*(L":\*(R") separated list of TLSv1.3 ciphersuite names.
.IP "\fB\-time length\fR" 4
.IX Item "-time length"
Specifies how long (in seconds) \fBs_time\fR should establish connections and
optionally transfer payload data from a server. Server and client performance
and the link speed determine how many connections \fBs_time\fR can establish.
.SH "NOTES"
.IX Header "NOTES"
\&\fBs_time\fR can be used to measure the performance of an \s-1SSL\s0 connection.
To connect to an \s-1SSL HTTP\s0 server and get the default page the command
.PP
.Vb 1
\& openssl s_time \-connect servername:443 \-www / \-CApath yourdir \-CAfile yourfile.pem \-cipher commoncipher [\-ssl3]
.Ve
.PP
would typically be used (https uses port 443). 'commoncipher' is a cipher to
which both client and server can agree, see the \fBciphers\fR\|(1) command
for details.
.PP
If the handshake fails then there are several possible causes, if it is
nothing obvious like no client certificate then the \fB\-bugs\fR and
\&\fB\-ssl3\fR options can be tried
in case it is a buggy server. In particular you should play with these
options \fBbefore\fR submitting a bug report to an OpenSSL mailing list.
.PP
A frequent problem when attempting to get client certificates working
is that a web client complains it has no certificates or gives an empty
list to choose from. This is normally because the server is not sending
the clients certificate authority in its \*(L"acceptable \s-1CA\s0 list\*(R" when it
requests a certificate. By using \fBs_client\fR\|(1) the \s-1CA\s0 list can be
viewed and checked. However, some servers only request client authentication
after a specific \s-1URL\s0 is requested. To obtain the list in this case it
is necessary to use the \fB\-prexit\fR option of \fBs_client\fR\|(1) and
send an \s-1HTTP\s0 request for an appropriate page.
.PP
If a certificate is specified on the command line using the \fB\-cert\fR
option it will not be used unless the server specifically requests
a client certificate. Therefore, merely including a client certificate
on the command line is no guarantee that the certificate works.
.SH "BUGS"
.IX Header "BUGS"
Because this program does not have all the options of the
\&\fBs_client\fR\|(1) program to turn protocols on and off, you may not be
able to measure the performance of all protocols with all servers.
.PP
The \fB\-verify\fR option should really exit if the server verification
fails.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBs_client\fR\|(1), \fBs_server\fR\|(1), \fBciphers\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2004\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/sess_id.1 b/secure/usr.bin/openssl/man/sess_id.1
index 3f2c10ee9570..948a6c47fb6e 100644
--- a/secure/usr.bin/openssl/man/sess_id.1
+++ b/secure/usr.bin/openssl/man/sess_id.1
@@ -1,272 +1,272 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SESS_ID 1"
-.TH SESS_ID 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SESS_ID 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-sess_id, sess_id \- SSL/TLS session handling utility
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBsess_id\fR
[\fB\-help\fR]
[\fB\-inform PEM|DER\fR]
[\fB\-outform PEM|DER|NSS\fR]
[\fB\-in filename\fR]
[\fB\-out filename\fR]
[\fB\-text\fR]
[\fB\-noout\fR]
[\fB\-context \s-1ID\s0\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBsess_id\fR process the encoded version of the \s-1SSL\s0 session structure
and optionally prints out \s-1SSL\s0 session details (for example the \s-1SSL\s0 session
master key) in human readable format. Since this is a diagnostic tool that
needs some knowledge of the \s-1SSL\s0 protocol to use properly, most users will
not need to use it.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform DER|PEM\fR" 4
.IX Item "-inform DER|PEM"
This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded
format containing session details. The precise format can vary from one version
to the next. The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR
format base64 encoded with additional header and footer lines.
.IP "\fB\-outform DER|PEM|NSS\fR" 4
.IX Item "-outform DER|PEM|NSS"
This specifies the output format. The \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR options have the same meaning
and default as the \fB\-inform\fR option. The \fB\s-1NSS\s0\fR option outputs the session id and
the master key in \s-1NSS\s0 keylog format.
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read session information from or standard
input by default.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
This specifies the output filename to write session information to or standard
output if this option is not specified.
.IP "\fB\-text\fR" 4
.IX Item "-text"
Prints out the various public or private key components in
plain text in addition to the encoded version.
.IP "\fB\-cert\fR" 4
.IX Item "-cert"
If a certificate is present in the session it will be output using this option,
if the \fB\-text\fR option is also present then it will be printed out in text form.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
This option prevents output of the encoded version of the session.
.IP "\fB\-context \s-1ID\s0\fR" 4
.IX Item "-context ID"
This option can set the session id so the output session information uses the
supplied \s-1ID.\s0 The \s-1ID\s0 can be any string of characters. This option won't normally
be used.
.SH "OUTPUT"
.IX Header "OUTPUT"
Typical output:
.PP
.Vb 10
\& SSL\-Session:
\& Protocol : TLSv1
\& Cipher : 0016
\& Session\-ID: 871E62626C554CE95488823752CBD5F3673A3EF3DCE9C67BD916C809914B40ED
\& Session\-ID\-ctx: 01000000
\& Master\-Key: A7CEFC571974BE02CAC305269DC59F76EA9F0B180CB6642697A68251F2D2BB57E51DBBB4C7885573192AE9AEE220FACD
\& Key\-Arg : None
\& Start Time: 948459261
\& Timeout : 300 (sec)
\& Verify return code 0 (ok)
.Ve
.PP
These are described below in more detail.
.IP "\fBProtocol\fR" 4
.IX Item "Protocol"
This is the protocol in use TLSv1.3, TLSv1.2, TLSv1.1, TLSv1 or SSLv3.
.IP "\fBCipher\fR" 4
.IX Item "Cipher"
The cipher used this is the actual raw \s-1SSL\s0 or \s-1TLS\s0 cipher code, see the \s-1SSL\s0
or \s-1TLS\s0 specifications for more information.
.IP "\fBSession-ID\fR" 4
.IX Item "Session-ID"
The \s-1SSL\s0 session \s-1ID\s0 in hex format.
.IP "\fBSession-ID-ctx\fR" 4
.IX Item "Session-ID-ctx"
The session \s-1ID\s0 context in hex format.
.IP "\fBMaster-Key\fR" 4
.IX Item "Master-Key"
This is the \s-1SSL\s0 session master key.
.IP "\fBStart Time\fR" 4
.IX Item "Start Time"
This is the session start time represented as an integer in standard
Unix format.
.IP "\fBTimeout\fR" 4
.IX Item "Timeout"
The timeout in seconds.
.IP "\fBVerify return code\fR" 4
.IX Item "Verify return code"
This is the return code when an \s-1SSL\s0 client certificate is verified.
.SH "NOTES"
.IX Header "NOTES"
The \s-1PEM\s0 encoded session format uses the header and footer lines:
.PP
.Vb 2
\& \-\-\-\-\-BEGIN SSL SESSION PARAMETERS\-\-\-\-\-
\& \-\-\-\-\-END SSL SESSION PARAMETERS\-\-\-\-\-
.Ve
.PP
Since the \s-1SSL\s0 session output contains the master key it is
possible to read the contents of an encrypted session using this
information. Therefore, appropriate security precautions should be taken if
the information is being output by a \*(L"real\*(R" application. This is however
strongly discouraged and should only be used for debugging purposes.
.SH "BUGS"
.IX Header "BUGS"
The cipher and start time should be printed out in human readable form.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBciphers\fR\|(1), \fBs_server\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/smime.1 b/secure/usr.bin/openssl/man/smime.1
index de91955e93de..d17badf7ad3a 100644
--- a/secure/usr.bin/openssl/man/smime.1
+++ b/secure/usr.bin/openssl/man/smime.1
@@ -1,617 +1,617 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SMIME 1"
-.TH SMIME 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SMIME 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-smime, smime \- S/MIME utility
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBsmime\fR
[\fB\-help\fR]
[\fB\-encrypt\fR]
[\fB\-decrypt\fR]
[\fB\-sign\fR]
[\fB\-resign\fR]
[\fB\-verify\fR]
[\fB\-pk7out\fR]
[\fB\-binary\fR]
[\fB\-crlfeol\fR]
[\fB\-\f(BIcipher\fB\fR]
[\fB\-in file\fR]
[\fB\-CAfile file\fR]
[\fB\-CApath dir\fR]
[\fB\-no\-CAfile\fR]
[\fB\-no\-CApath\fR]
[\fB\-attime timestamp\fR]
[\fB\-check_ss_sig\fR]
[\fB\-crl_check\fR]
[\fB\-crl_check_all\fR]
[\fB\-explicit_policy\fR]
[\fB\-extended_crl\fR]
[\fB\-ignore_critical\fR]
[\fB\-inhibit_any\fR]
[\fB\-inhibit_map\fR]
[\fB\-partial_chain\fR]
[\fB\-policy arg\fR]
[\fB\-policy_check\fR]
[\fB\-policy_print\fR]
[\fB\-purpose purpose\fR]
[\fB\-suiteB_128\fR]
[\fB\-suiteB_128_only\fR]
[\fB\-suiteB_192\fR]
[\fB\-trusted_first\fR]
[\fB\-no_alt_chains\fR]
[\fB\-use_deltas\fR]
[\fB\-auth_level num\fR]
[\fB\-verify_depth num\fR]
[\fB\-verify_email email\fR]
[\fB\-verify_hostname hostname\fR]
[\fB\-verify_ip ip\fR]
[\fB\-verify_name name\fR]
[\fB\-x509_strict\fR]
[\fB\-certfile file\fR]
[\fB\-signer file\fR]
[\fB\-recip file\fR]
[\fB\-inform SMIME|PEM|DER\fR]
[\fB\-passin arg\fR]
[\fB\-inkey file_or_id\fR]
[\fB\-out file\fR]
[\fB\-outform SMIME|PEM|DER\fR]
[\fB\-content file\fR]
[\fB\-to addr\fR]
[\fB\-from ad\fR]
[\fB\-subject s\fR]
[\fB\-text\fR]
[\fB\-indef\fR]
[\fB\-noindef\fR]
[\fB\-stream\fR]
[\fB\-rand file...\fR]
[\fB\-writerand file\fR]
[\fB\-md digest\fR]
[cert.pem]...
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBsmime\fR command handles S/MIME mail. It can encrypt, decrypt, sign and
verify S/MIME messages.
.SH "OPTIONS"
.IX Header "OPTIONS"
There are six operation options that set the type of operation to be performed.
The meaning of the other options varies according to the operation type.
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-encrypt\fR" 4
.IX Item "-encrypt"
Encrypt mail for the given recipient certificates. Input file is the message
to be encrypted. The output file is the encrypted mail in \s-1MIME\s0 format.
.Sp
Note that no revocation check is done for the recipient cert, so if that
key has been compromised, others may be able to decrypt the text.
.IP "\fB\-decrypt\fR" 4
.IX Item "-decrypt"
Decrypt mail using the supplied certificate and private key. Expects an
encrypted mail message in \s-1MIME\s0 format for the input file. The decrypted mail
is written to the output file.
.IP "\fB\-sign\fR" 4
.IX Item "-sign"
Sign mail using the supplied certificate and private key. Input file is
the message to be signed. The signed message in \s-1MIME\s0 format is written
to the output file.
.IP "\fB\-verify\fR" 4
.IX Item "-verify"
Verify signed mail. Expects a signed mail message on input and outputs
the signed data. Both clear text and opaque signing is supported.
.IP "\fB\-pk7out\fR" 4
.IX Item "-pk7out"
Takes an input message and writes out a \s-1PEM\s0 encoded PKCS#7 structure.
.IP "\fB\-resign\fR" 4
.IX Item "-resign"
Resign a message: take an existing message and one or more new signers.
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
The input message to be encrypted or signed or the \s-1MIME\s0 message to
be decrypted or verified.
.IP "\fB\-inform SMIME|PEM|DER\fR" 4
.IX Item "-inform SMIME|PEM|DER"
This specifies the input format for the PKCS#7 structure. The default
is \fB\s-1SMIME\s0\fR which reads an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR
format change this to expect \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures
instead. This currently only affects the input format of the PKCS#7
structure, if no PKCS#7 structure is being input (for example with
\&\fB\-encrypt\fR or \fB\-sign\fR) this option has no effect.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
The message text that has been decrypted or verified or the output \s-1MIME\s0
format message that has been signed or verified.
.IP "\fB\-outform SMIME|PEM|DER\fR" 4
.IX Item "-outform SMIME|PEM|DER"
This specifies the output format for the PKCS#7 structure. The default
is \fB\s-1SMIME\s0\fR which write an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR
format change this to write \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures
instead. This currently only affects the output format of the PKCS#7
structure, if no PKCS#7 structure is being output (for example with
\&\fB\-verify\fR or \fB\-decrypt\fR) this option has no effect.
.IP "\fB\-stream \-indef \-noindef\fR" 4
.IX Item "-stream -indef -noindef"
The \fB\-stream\fR and \fB\-indef\fR options are equivalent and enable streaming I/O
for encoding operations. This permits single pass processing of data without
the need to hold the entire contents in memory, potentially supporting very
large files. Streaming is automatically set for S/MIME signing with detached
data if the output format is \fB\s-1SMIME\s0\fR it is currently off by default for all
other operations.
.IP "\fB\-noindef\fR" 4
.IX Item "-noindef"
Disable streaming I/O where it would produce and indefinite length constructed
encoding. This option currently has no effect. In future streaming will be
enabled by default on all relevant operations and this option will disable it.
.IP "\fB\-content filename\fR" 4
.IX Item "-content filename"
This specifies a file containing the detached content, this is only
useful with the \fB\-verify\fR command. This is only usable if the PKCS#7
structure is using the detached signature form where the content is
not included. This option will override any content if the input format
is S/MIME and it uses the multipart/signed \s-1MIME\s0 content type.
.IP "\fB\-text\fR" 4
.IX Item "-text"
This option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied
message if encrypting or signing. If decrypting or verifying it strips
off text headers: if the decrypted or verified message is not of \s-1MIME\s0
type text/plain then an error occurs.
.IP "\fB\-CAfile file\fR" 4
.IX Item "-CAfile file"
A file containing trusted \s-1CA\s0 certificates, only used with \fB\-verify\fR.
.IP "\fB\-CApath dir\fR" 4
.IX Item "-CApath dir"
A directory containing trusted \s-1CA\s0 certificates, only used with
\&\fB\-verify\fR. This directory must be a standard certificate directory: that
is a hash of each subject name (using \fBx509 \-hash\fR) should be linked
to each certificate.
.IP "\fB\-no\-CAfile\fR" 4
.IX Item "-no-CAfile"
Do not load the trusted \s-1CA\s0 certificates from the default file location.
.IP "\fB\-no\-CApath\fR" 4
.IX Item "-no-CApath"
Do not load the trusted \s-1CA\s0 certificates from the default directory location.
.IP "\fB\-md digest\fR" 4
.IX Item "-md digest"
Digest algorithm to use when signing or resigning. If not present then the
default digest algorithm for the signing key will be used (usually \s-1SHA1\s0).
.IP "\fB\-\f(BIcipher\fB\fR" 4
.IX Item "-cipher"
The encryption algorithm to use. For example \s-1DES\s0 (56 bits) \- \fB\-des\fR,
triple \s-1DES\s0 (168 bits) \- \fB\-des3\fR,
\&\fBEVP_get_cipherbyname()\fR function) can also be used preceded by a dash, for
example \fB\-aes\-128\-cbc\fR. See \fBenc\fR for list of ciphers
supported by your version of OpenSSL.
.Sp
If not specified triple \s-1DES\s0 is used. Only used with \fB\-encrypt\fR.
.IP "\fB\-nointern\fR" 4
.IX Item "-nointern"
When verifying a message normally certificates (if any) included in
the message are searched for the signing certificate. With this option
only the certificates specified in the \fB\-certfile\fR option are used.
The supplied certificates can still be used as untrusted CAs however.
.IP "\fB\-noverify\fR" 4
.IX Item "-noverify"
Do not verify the signers certificate of a signed message.
.IP "\fB\-nochain\fR" 4
.IX Item "-nochain"
Do not do chain verification of signers certificates: that is don't
use the certificates in the signed message as untrusted CAs.
.IP "\fB\-nosigs\fR" 4
.IX Item "-nosigs"
Don't try to verify the signatures on the message.
.IP "\fB\-nocerts\fR" 4
.IX Item "-nocerts"
When signing a message the signer's certificate is normally included
with this option it is excluded. This will reduce the size of the
signed message but the verifier must have a copy of the signers certificate
available locally (passed using the \fB\-certfile\fR option for example).
.IP "\fB\-noattr\fR" 4
.IX Item "-noattr"
Normally when a message is signed a set of attributes are included which
include the signing time and supported symmetric algorithms. With this
option they are not included.
.IP "\fB\-binary\fR" 4
.IX Item "-binary"
Normally the input message is converted to \*(L"canonical\*(R" format which is
effectively using \s-1CR\s0 and \s-1LF\s0 as end of line: as required by the S/MIME
specification. When this option is present no translation occurs. This
is useful when handling binary data which may not be in \s-1MIME\s0 format.
.IP "\fB\-crlfeol\fR" 4
.IX Item "-crlfeol"
Normally the output file uses a single \fB\s-1LF\s0\fR as end of line. When this
option is present \fB\s-1CRLF\s0\fR is used instead.
.IP "\fB\-nodetach\fR" 4
.IX Item "-nodetach"
When signing a message use opaque signing: this form is more resistant
to translation by mail relays but it cannot be read by mail agents that
do not support S/MIME. Without this option cleartext signing with
the \s-1MIME\s0 type multipart/signed is used.
.IP "\fB\-certfile file\fR" 4
.IX Item "-certfile file"
Allows additional certificates to be specified. When signing these will
be included with the message. When verifying these will be searched for
the signers certificates. The certificates should be in \s-1PEM\s0 format.
.IP "\fB\-signer file\fR" 4
.IX Item "-signer file"
A signing certificate when signing or resigning a message, this option can be
used multiple times if more than one signer is required. If a message is being
verified then the signers certificates will be written to this file if the
verification was successful.
.IP "\fB\-recip file\fR" 4
.IX Item "-recip file"
The recipients certificate when decrypting a message. This certificate
must match one of the recipients of the message or an error occurs.
.IP "\fB\-inkey file_or_id\fR" 4
.IX Item "-inkey file_or_id"
The private key to use when signing or decrypting. This must match the
corresponding certificate. If this option is not specified then the
private key must be included in the certificate file specified with
the \fB\-recip\fR or \fB\-signer\fR file. When signing this option can be used
multiple times to specify successive keys.
If no engine is used, the argument is taken as a file; if an engine is
specified, the argument is given to the engine as a key identifier.
.IP "\fB\-passin arg\fR" 4
.IX Item "-passin arg"
The private key password source. For more information about the format of \fBarg\fR
see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-rand file...\fR" 4
.IX Item "-rand file..."
A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
.IP "[\fB\-writerand file\fR]" 4
.IX Item "[-writerand file]"
Writes random data to the specified \fIfile\fR upon exit.
This can be used with a subsequent \fB\-rand\fR flag.
.IP "\fBcert.pem...\fR" 4
.IX Item "cert.pem..."
One or more certificates of message recipients: used when encrypting
a message.
.IP "\fB\-to, \-from, \-subject\fR" 4
.IX Item "-to, -from, -subject"
The relevant mail headers. These are included outside the signed
portion of a message so they may be included manually. If signing
then many S/MIME mail clients check the signers certificate's email
address matches that specified in the From: address.
.IP "\fB\-attime\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR" 4
.IX Item "-attime, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict"
Set various options of certificate chain verification. See
\&\fBverify\fR\|(1) manual page for details.
.SH "NOTES"
.IX Header "NOTES"
The \s-1MIME\s0 message must be sent without any blank lines between the
headers and the output. Some mail programs will automatically add
a blank line. Piping the mail directly to sendmail is one way to
achieve the correct format.
.PP
The supplied message to be signed or encrypted must include the
necessary \s-1MIME\s0 headers or many S/MIME clients won't display it
properly (if at all). You can use the \fB\-text\fR option to automatically
add plain text headers.
.PP
A \*(L"signed and encrypted\*(R" message is one where a signed message is
then encrypted. This can be produced by encrypting an already signed
message: see the examples section.
.PP
This version of the program only allows one signer per message but it
will verify multiple signers on received messages. Some S/MIME clients
choke if a message contains multiple signers. It is possible to sign
messages \*(L"in parallel\*(R" by signing an already signed message.
.PP
The options \fB\-encrypt\fR and \fB\-decrypt\fR reflect common usage in S/MIME
clients. Strictly speaking these process PKCS#7 enveloped data: PKCS#7
encrypted data is used for other purposes.
.PP
The \fB\-resign\fR option uses an existing message digest when adding a new
signer. This means that attributes must be present in at least one existing
signer using the same message digest or this operation will fail.
.PP
The \fB\-stream\fR and \fB\-indef\fR options enable streaming I/O support.
As a result the encoding is \s-1BER\s0 using indefinite length constructed encoding
and no longer \s-1DER.\s0 Streaming is supported for the \fB\-encrypt\fR operation and the
\&\fB\-sign\fR operation if the content is not detached.
.PP
Streaming is always used for the \fB\-sign\fR operation with detached data but
since the content is no longer part of the PKCS#7 structure the encoding
remains \s-1DER.\s0
.SH "EXIT CODES"
.IX Header "EXIT CODES"
.IP "0" 4
The operation was completely successfully.
.IP "1" 4
.IX Item "1"
An error occurred parsing the command options.
.IP "2" 4
.IX Item "2"
One of the input files could not be read.
.IP "3" 4
.IX Item "3"
An error occurred creating the PKCS#7 file or when reading the \s-1MIME\s0
message.
.IP "4" 4
.IX Item "4"
An error occurred decrypting or verifying the message.
.IP "5" 4
.IX Item "5"
The message was verified correctly but an error occurred writing out
the signers certificates.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Create a cleartext signed message:
.PP
.Vb 2
\& openssl smime \-sign \-in message.txt \-text \-out mail.msg \e
\& \-signer mycert.pem
.Ve
.PP
Create an opaque signed message:
.PP
.Vb 2
\& openssl smime \-sign \-in message.txt \-text \-out mail.msg \-nodetach \e
\& \-signer mycert.pem
.Ve
.PP
Create a signed message, include some additional certificates and
read the private key from another file:
.PP
.Vb 2
\& openssl smime \-sign \-in in.txt \-text \-out mail.msg \e
\& \-signer mycert.pem \-inkey mykey.pem \-certfile mycerts.pem
.Ve
.PP
Create a signed message with two signers:
.PP
.Vb 2
\& openssl smime \-sign \-in message.txt \-text \-out mail.msg \e
\& \-signer mycert.pem \-signer othercert.pem
.Ve
.PP
Send a signed message under Unix directly to sendmail, including headers:
.PP
.Vb 3
\& openssl smime \-sign \-in in.txt \-text \-signer mycert.pem \e
\& \-from steve@openssl.org \-to someone@somewhere \e
\& \-subject "Signed message" | sendmail someone@somewhere
.Ve
.PP
Verify a message and extract the signer's certificate if successful:
.PP
.Vb 1
\& openssl smime \-verify \-in mail.msg \-signer user.pem \-out signedtext.txt
.Ve
.PP
Send encrypted mail using triple \s-1DES:\s0
.PP
.Vb 3
\& openssl smime \-encrypt \-in in.txt \-from steve@openssl.org \e
\& \-to someone@somewhere \-subject "Encrypted message" \e
\& \-des3 user.pem \-out mail.msg
.Ve
.PP
Sign and encrypt mail:
.PP
.Vb 4
\& openssl smime \-sign \-in ml.txt \-signer my.pem \-text \e
\& | openssl smime \-encrypt \-out mail.msg \e
\& \-from steve@openssl.org \-to someone@somewhere \e
\& \-subject "Signed and Encrypted message" \-des3 user.pem
.Ve
.PP
Note: the encryption command does not include the \fB\-text\fR option because the
message being encrypted already has \s-1MIME\s0 headers.
.PP
Decrypt mail:
.PP
.Vb 1
\& openssl smime \-decrypt \-in mail.msg \-recip mycert.pem \-inkey key.pem
.Ve
.PP
The output from Netscape form signing is a PKCS#7 structure with the
detached signature format. You can use this program to verify the
signature by line wrapping the base64 encoded structure and surrounding
it with:
.PP
.Vb 2
\& \-\-\-\-\-BEGIN PKCS7\-\-\-\-\-
\& \-\-\-\-\-END PKCS7\-\-\-\-\-
.Ve
.PP
and using the command:
.PP
.Vb 1
\& openssl smime \-verify \-inform PEM \-in signature.pem \-content content.txt
.Ve
.PP
Alternatively you can base64 decode the signature and use:
.PP
.Vb 1
\& openssl smime \-verify \-inform DER \-in signature.der \-content content.txt
.Ve
.PP
Create an encrypted message using 128 bit Camellia:
.PP
.Vb 1
\& openssl smime \-encrypt \-in plain.txt \-camellia128 \-out mail.msg cert.pem
.Ve
.PP
Add a signer to an existing message:
.PP
.Vb 1
\& openssl smime \-resign \-in mail.msg \-signer newsign.pem \-out mail2.msg
.Ve
.SH "BUGS"
.IX Header "BUGS"
The \s-1MIME\s0 parser isn't very clever: it seems to handle most messages that I've
thrown at it but it may choke on others.
.PP
The code currently will only write out the signer's certificate to a file: if
the signer has a separate encryption certificate this must be manually
extracted. There should be some heuristic that determines the correct
encryption certificate.
.PP
Ideally a database should be maintained of a certificates for each email
address.
.PP
The code doesn't currently take note of the permitted symmetric encryption
algorithms as supplied in the SMIMECapabilities signed attribute. This means the
user has to manually include the correct encryption algorithm. It should store
the list of permitted ciphers in a database and only use those.
.PP
No revocation checking is done on the signer's certificate.
.PP
The current code can only handle S/MIME v2 messages, the more complex S/MIME v3
structures may cause parsing errors.
.SH "HISTORY"
.IX Header "HISTORY"
The use of multiple \fB\-signer\fR options and the \fB\-resign\fR command were first
added in OpenSSL 1.0.0
.PP
The \-no_alt_chains option was added in OpenSSL 1.1.0.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/speed.1 b/secure/usr.bin/openssl/man/speed.1
index d277bc829111..4e8b8b84e649 100644
--- a/secure/usr.bin/openssl/man/speed.1
+++ b/secure/usr.bin/openssl/man/speed.1
@@ -1,220 +1,220 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SPEED 1"
-.TH SPEED 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SPEED 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-speed, speed \- test library performance
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl speed\fR
[\fB\-help\fR]
[\fB\-engine id\fR]
[\fB\-elapsed\fR]
[\fB\-evp algo\fR]
[\fB\-decrypt\fR]
[\fB\-rand file...\fR]
[\fB\-writerand file\fR]
[\fB\-primes num\fR]
[\fB\-seconds num\fR]
[\fB\-bytes num\fR]
[\fBalgorithm...\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command is used to test the performance of cryptographic algorithms.
To see the list of supported algorithms, use the \fIlist \-\-digest\-commands\fR
or \fIlist \-\-cipher\-commands\fR command. The global \s-1CSPRNG\s0 is denoted by
the \fIrand\fR algorithm name.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
Specifying an engine (by its unique \fBid\fR string) will cause \fBspeed\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
.IP "\fB\-elapsed\fR" 4
.IX Item "-elapsed"
When calculating operations\- or bytes-per-second, use wall-clock time
instead of \s-1CPU\s0 user time as divisor. It can be useful when testing speed
of hardware engines.
.IP "\fB\-evp algo\fR" 4
.IX Item "-evp algo"
Use the specified cipher or message digest algorithm via the \s-1EVP\s0 interface.
If \fBalgo\fR is an \s-1AEAD\s0 cipher, then you can pass <\-aead> to benchmark a
TLS-like sequence. And if \fBalgo\fR is a multi-buffer capable cipher, e.g.
aes\-128\-cbc\-hmac\-sha1, then \fB\-mb\fR will time multi-buffer operation.
.IP "\fB\-decrypt\fR" 4
.IX Item "-decrypt"
Time the decryption instead of encryption. Affects only the \s-1EVP\s0 testing.
.IP "\fB\-rand file...\fR" 4
.IX Item "-rand file..."
A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
.IP "[\fB\-writerand file\fR]" 4
.IX Item "[-writerand file]"
Writes random data to the specified \fIfile\fR upon exit.
This can be used with a subsequent \fB\-rand\fR flag.
.IP "\fB\-primes num\fR" 4
.IX Item "-primes num"
Generate a \fBnum\fR\-prime \s-1RSA\s0 key and use it to run the benchmarks. This option
is only effective if \s-1RSA\s0 algorithm is specified to test.
.IP "\fB\-seconds num\fR" 4
.IX Item "-seconds num"
Run benchmarks for \fBnum\fR seconds.
.IP "\fB\-bytes num\fR" 4
.IX Item "-bytes num"
Run benchmarks on \fBnum\fR\-byte buffers. Affects ciphers, digests and the \s-1CSPRNG.\s0
.IP "\fB[zero or more test algorithms]\fR" 4
.IX Item "[zero or more test algorithms]"
If any options are given, \fBspeed\fR tests those algorithms, otherwise a
pre-compiled grand selection is tested.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/spkac.1 b/secure/usr.bin/openssl/man/spkac.1
index 7dd822f651fe..8e303da57d8d 100644
--- a/secure/usr.bin/openssl/man/spkac.1
+++ b/secure/usr.bin/openssl/man/spkac.1
@@ -1,274 +1,274 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SPKAC 1"
-.TH SPKAC 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SPKAC 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-spkac, spkac \- SPKAC printing and generating utility
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBspkac\fR
[\fB\-help\fR]
[\fB\-in filename\fR]
[\fB\-out filename\fR]
[\fB\-key keyfile\fR]
[\fB\-keyform PEM|DER|ENGINE\fR]
[\fB\-passin arg\fR]
[\fB\-challenge string\fR]
[\fB\-pubkey\fR]
[\fB\-spkac spkacname\fR]
[\fB\-spksect section\fR]
[\fB\-noout\fR]
[\fB\-verify\fR]
[\fB\-engine id\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBspkac\fR command processes Netscape signed public key and challenge
(\s-1SPKAC\s0) files. It can print out their contents, verify the signature and
produce its own SPKACs from a supplied private key.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read from or standard input if this
option is not specified. Ignored if the \fB\-key\fR option is used.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
Specifies the output filename to write to or standard output by
default.
.IP "\fB\-key keyfile\fR" 4
.IX Item "-key keyfile"
Create an \s-1SPKAC\s0 file using the private key in \fBkeyfile\fR. The
\&\fB\-in\fR, \fB\-noout\fR, \fB\-spksect\fR and \fB\-verify\fR options are ignored if
present.
.IP "\fB\-keyform PEM|DER|ENGINE\fR" 4
.IX Item "-keyform PEM|DER|ENGINE"
Whether the key format is \s-1PEM, DER,\s0 or an engine-backed key.
The default is \s-1PEM.\s0
.IP "\fB\-passin password\fR" 4
.IX Item "-passin password"
The input file password source. For more information about the format of \fBarg\fR
see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-challenge string\fR" 4
.IX Item "-challenge string"
Specifies the challenge string if an \s-1SPKAC\s0 is being created.
.IP "\fB\-spkac spkacname\fR" 4
.IX Item "-spkac spkacname"
Allows an alternative name form the variable containing the
\&\s-1SPKAC.\s0 The default is \*(L"\s-1SPKAC\*(R".\s0 This option affects both
generated and input \s-1SPKAC\s0 files.
.IP "\fB\-spksect section\fR" 4
.IX Item "-spksect section"
Allows an alternative name form the section containing the
\&\s-1SPKAC.\s0 The default is the default section.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
Don't output the text version of the \s-1SPKAC\s0 (not used if an
\&\s-1SPKAC\s0 is being created).
.IP "\fB\-pubkey\fR" 4
.IX Item "-pubkey"
Output the public key of an \s-1SPKAC\s0 (not used if an \s-1SPKAC\s0 is
being created).
.IP "\fB\-verify\fR" 4
.IX Item "-verify"
Verifies the digital signature on the supplied \s-1SPKAC.\s0
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
Specifying an engine (by its unique \fBid\fR string) will cause \fBspkac\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Print out the contents of an \s-1SPKAC:\s0
.PP
.Vb 1
\& openssl spkac \-in spkac.cnf
.Ve
.PP
Verify the signature of an \s-1SPKAC:\s0
.PP
.Vb 1
\& openssl spkac \-in spkac.cnf \-noout \-verify
.Ve
.PP
Create an \s-1SPKAC\s0 using the challenge string \*(L"hello\*(R":
.PP
.Vb 1
\& openssl spkac \-key key.pem \-challenge hello \-out spkac.cnf
.Ve
.PP
Example of an \s-1SPKAC,\s0 (long lines split up for clarity):
.PP
.Vb 6
\& SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA\e
\& 1cCoq2Wa3Ixs47uI7FPVwHVIPDx5yso105Y6zpozam135a\e
\& 8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03uPFoQIDAQAB\e
\& FgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJ\e
\& h1bEIYuc2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnD\e
\& dq+NQ3F+X4deMx9AaEglZtULwV4=
.Ve
.SH "NOTES"
.IX Header "NOTES"
A created \s-1SPKAC\s0 with suitable \s-1DN\s0 components appended can be fed into
the \fBca\fR utility.
.PP
SPKACs are typically generated by Netscape when a form is submitted
containing the \fB\s-1KEYGEN\s0\fR tag as part of the certificate enrollment
process.
.PP
The challenge string permits a primitive form of proof of possession
of private key. By checking the \s-1SPKAC\s0 signature and a random challenge
string some guarantee is given that the user knows the private key
corresponding to the public key being certified. This is important in
some applications. Without this it is possible for a previous \s-1SPKAC\s0
to be used in a \*(L"replay attack\*(R".
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBca\fR\|(1)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/srp.1 b/secure/usr.bin/openssl/man/srp.1
index ef09edda9511..fbce82ac0693 100644
--- a/secure/usr.bin/openssl/man/srp.1
+++ b/secure/usr.bin/openssl/man/srp.1
@@ -1,198 +1,198 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SRP 1"
-.TH SRP 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH SRP 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-srp, srp \- maintain SRP password file
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl srp\fR
[\fB\-help\fR]
[\fB\-verbose\fR]
[\fB\-add\fR]
[\fB\-modify\fR]
[\fB\-delete\fR]
[\fB\-list\fR]
[\fB\-name section\fR]
[\fB\-config file\fR]
[\fB\-srpvfile file\fR]
[\fB\-gn identifier\fR]
[\fB\-userinfo text...\fR]
[\fB\-passin arg\fR]
[\fB\-passout arg\fR]
[\fIuser...\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBsrp\fR command is user to maintain an \s-1SRP\s0 (secure remote password)
file.
At most one of the \fB\-add\fR, \fB\-modify\fR, \fB\-delete\fR, and \fB\-list\fR options
can be specified.
These options take zero or more usernames as parameters and perform the
appropriate operation on the \s-1SRP\s0 file.
For \fB\-list\fR, if no \fBuser\fR is given then all users are displayed.
.PP
The configuration file to use, and the section within the file, can be
specified with the \fB\-config\fR and \fB\-name\fR flags, respectively.
If the config file is not specified, the \fB\-srpvfile\fR can be used to
just specify the file to operate on.
.PP
The \fB\-userinfo\fR option specifies additional information to add when
adding or modifying a user.
.PP
The \fB\-gn\fR flag specifies the \fBg\fR and \fBN\fR values, using one of
the strengths defined in \s-1IETF RFC 5054.\s0
.PP
The \fB\-passin\fR and \fB\-passout\fR arguments are parsed as described in
the \fBopenssl\fR\|(1) command.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "[\fB\-help\fR]" 4
.IX Item "[-help]"
Display an option summary.
.IP "[\fB\-verbose\fR]" 4
.IX Item "[-verbose]"
Generate verbose output while processing.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/storeutl.1 b/secure/usr.bin/openssl/man/storeutl.1
index edbaf86daf8f..c4bd95beb4b6 100644
--- a/secure/usr.bin/openssl/man/storeutl.1
+++ b/secure/usr.bin/openssl/man/storeutl.1
@@ -1,249 +1,249 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "STOREUTL 1"
-.TH STOREUTL 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH STOREUTL 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-storeutl, storeutl \- STORE utility
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBstoreutl\fR
[\fB\-help\fR]
[\fB\-out file\fR]
[\fB\-noout\fR]
[\fB\-passin arg\fR]
[\fB\-text arg\fR]
[\fB\-engine id\fR]
[\fB\-r\fR]
[\fB\-certs\fR]
[\fB\-keys\fR]
[\fB\-crls\fR]
[\fB\-subject arg\fR]
[\fB\-issuer arg\fR]
[\fB\-serial arg\fR]
[\fB\-alias arg\fR]
[\fB\-fingerprint arg\fR]
[\fB\-\f(BIdigest\fB\fR]
\&\fBuri\fR ...
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBstoreutl\fR command can be used to display the contents (after decryption
as the case may be) fetched from the given URIs.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
specifies the output filename to write to or standard output by
default.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
this option prevents output of the \s-1PEM\s0 data.
.IP "\fB\-passin arg\fR" 4
.IX Item "-passin arg"
the key password source. For more information about the format of \fBarg\fR
see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-text\fR" 4
.IX Item "-text"
Prints out the objects in text form, similarly to the \fB\-text\fR output from
\&\fBopenssl x509\fR, \fBopenssl pkey\fR, etc.
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
specifying an engine (by its unique \fBid\fR string) will cause \fBstoreutl\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed.
The engine will then be set as the default for all available algorithms.
.IP "\fB\-r\fR" 4
.IX Item "-r"
Fetch objects recursively when possible.
.IP "\fB\-certs\fR" 4
.IX Item "-certs"
.PD 0
.IP "\fB\-keys\fR" 4
.IX Item "-keys"
.IP "\fB\-crls\fR" 4
.IX Item "-crls"
.PD
Only select the certificates, keys or CRLs from the given \s-1URI.\s0
However, if this \s-1URI\s0 would return a set of names (URIs), those are always
returned.
.IP "\fB\-subject arg\fR" 4
.IX Item "-subject arg"
Search for an object having the subject name \fBarg\fR.
The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR.
Keyword characters may be escaped by \e (backslash), and whitespace is retained.
Empty values are permitted but are ignored for the search. That is,
a search with an empty value will have the same effect as not specifying
the type at all.
.IP "\fB\-issuer arg\fR" 4
.IX Item "-issuer arg"
.PD 0
.IP "\fB\-serial arg\fR" 4
.IX Item "-serial arg"
.PD
Search for an object having the given issuer name and serial number.
These two options \fImust\fR be used together.
The issuer arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR,
characters may be escaped by \e (backslash), no spaces are skipped.
The serial arg may be specified as a decimal value or a hex value if preceded
by \fB0x\fR.
.IP "\fB\-alias arg\fR" 4
.IX Item "-alias arg"
Search for an object having the given alias.
.IP "\fB\-fingerprint arg\fR" 4
.IX Item "-fingerprint arg"
Search for an object having the given fingerprint.
.IP "\fB\-\f(BIdigest\fB\fR" 4
.IX Item "-digest"
The digest that was used to compute the fingerprint given with \fB\-fingerprint\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
The \fBopenssl\fR \fBstoreutl\fR app was added in OpenSSL 1.1.1.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2016\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/ts.1 b/secure/usr.bin/openssl/man/ts.1
index 06baf4b9eb14..c718d89fa598 100644
--- a/secure/usr.bin/openssl/man/ts.1
+++ b/secure/usr.bin/openssl/man/ts.1
@@ -1,727 +1,727 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "TS 1"
-.TH TS 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH TS 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-ts, ts \- Time Stamping Authority tool (client/server)
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBts\fR
\&\fB\-query\fR
[\fB\-rand file...\fR]
[\fB\-writerand file\fR]
[\fB\-config\fR configfile]
[\fB\-data\fR file_to_hash]
[\fB\-digest\fR digest_bytes]
[\fB\-\f(BIdigest\fB\fR]
[\fB\-tspolicy\fR object_id]
[\fB\-no_nonce\fR]
[\fB\-cert\fR]
[\fB\-in\fR request.tsq]
[\fB\-out\fR request.tsq]
[\fB\-text\fR]
.PP
\&\fBopenssl\fR \fBts\fR
\&\fB\-reply\fR
[\fB\-config\fR configfile]
[\fB\-section\fR tsa_section]
[\fB\-queryfile\fR request.tsq]
[\fB\-passin\fR password_src]
[\fB\-signer\fR tsa_cert.pem]
[\fB\-inkey\fR file_or_id]
[\fB\-\f(BIdigest\fB\fR]
[\fB\-chain\fR certs_file.pem]
[\fB\-tspolicy\fR object_id]
[\fB\-in\fR response.tsr]
[\fB\-token_in\fR]
[\fB\-out\fR response.tsr]
[\fB\-token_out\fR]
[\fB\-text\fR]
[\fB\-engine\fR id]
.PP
\&\fBopenssl\fR \fBts\fR
\&\fB\-verify\fR
[\fB\-data\fR file_to_hash]
[\fB\-digest\fR digest_bytes]
[\fB\-queryfile\fR request.tsq]
[\fB\-in\fR response.tsr]
[\fB\-token_in\fR]
[\fB\-CApath\fR trusted_cert_path]
[\fB\-CAfile\fR trusted_certs.pem]
[\fB\-untrusted\fR cert_file.pem]
[\fIverify options\fR]
.PP
\&\fIverify options:\fR
[\-attime timestamp]
[\-check_ss_sig]
[\-crl_check]
[\-crl_check_all]
[\-explicit_policy]
[\-extended_crl]
[\-ignore_critical]
[\-inhibit_any]
[\-inhibit_map]
[\-issuer_checks]
[\-no_alt_chains]
[\-no_check_time]
[\-partial_chain]
[\-policy arg]
[\-policy_check]
[\-policy_print]
[\-purpose purpose]
[\-suiteB_128]
[\-suiteB_128_only]
[\-suiteB_192]
[\-trusted_first]
[\-use_deltas]
[\-auth_level num]
[\-verify_depth num]
[\-verify_email email]
[\-verify_hostname hostname]
[\-verify_ip ip]
[\-verify_name name]
[\-x509_strict]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBts\fR command is a basic Time Stamping Authority (\s-1TSA\s0) client and server
application as specified in \s-1RFC 3161\s0 (Time-Stamp Protocol, \s-1TSP\s0). A
\&\s-1TSA\s0 can be part of a \s-1PKI\s0 deployment and its role is to provide long
term proof of the existence of a certain datum before a particular
time. Here is a brief description of the protocol:
.IP "1." 4
The \s-1TSA\s0 client computes a one-way hash value for a data file and sends
the hash to the \s-1TSA.\s0
.IP "2." 4
The \s-1TSA\s0 attaches the current date and time to the received hash value,
signs them and sends the timestamp token back to the client. By
creating this token the \s-1TSA\s0 certifies the existence of the original
data file at the time of response generation.
.IP "3." 4
The \s-1TSA\s0 client receives the timestamp token and verifies the
signature on it. It also checks if the token contains the same hash
value that it had sent to the \s-1TSA.\s0
.PP
There is one \s-1DER\s0 encoded protocol data unit defined for transporting
a timestamp request to the \s-1TSA\s0 and one for sending the timestamp response
back to the client. The \fBts\fR command has three main functions:
creating a timestamp request based on a data file,
creating a timestamp response based on a request, verifying if a
response corresponds to a particular request or a data file.
.PP
There is no support for sending the requests/responses automatically
over \s-1HTTP\s0 or \s-1TCP\s0 yet as suggested in \s-1RFC 3161.\s0 The users must send the
requests either by ftp or e\-mail.
.SH "OPTIONS"
.IX Header "OPTIONS"
.SS "Time Stamp Request generation"
.IX Subsection "Time Stamp Request generation"
The \fB\-query\fR switch can be used for creating and printing a timestamp
request with the following options:
.IP "\fB\-rand file...\fR" 4
.IX Item "-rand file..."
A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
.IP "[\fB\-writerand file\fR]" 4
.IX Item "[-writerand file]"
Writes random data to the specified \fIfile\fR upon exit.
This can be used with a subsequent \fB\-rand\fR flag.
.IP "\fB\-config\fR configfile" 4
.IX Item "-config configfile"
The configuration file to use.
Optional; for a description of the default value,
see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fBopenssl\fR\|(1).
.IP "\fB\-data\fR file_to_hash" 4
.IX Item "-data file_to_hash"
The data file for which the timestamp request needs to be
created. stdin is the default if neither the \fB\-data\fR nor the \fB\-digest\fR
parameter is specified. (Optional)
.IP "\fB\-digest\fR digest_bytes" 4
.IX Item "-digest digest_bytes"
It is possible to specify the message imprint explicitly without the data
file. The imprint must be specified in a hexadecimal format, two characters
per byte, the bytes optionally separated by colons (e.g. 1A:F6:01:... or
1AF601...). The number of bytes must match the message digest algorithm
in use. (Optional)
.IP "\fB\-\f(BIdigest\fB\fR" 4
.IX Item "-digest"
The message digest to apply to the data file.
Any digest supported by the OpenSSL \fBdgst\fR command can be used.
The default is \s-1SHA\-1.\s0 (Optional)
.IP "\fB\-tspolicy\fR object_id" 4
.IX Item "-tspolicy object_id"
The policy that the client expects the \s-1TSA\s0 to use for creating the
timestamp token. Either the dotted \s-1OID\s0 notation or \s-1OID\s0 names defined
in the config file can be used. If no policy is requested the \s-1TSA\s0 will
use its own default policy. (Optional)
.IP "\fB\-no_nonce\fR" 4
.IX Item "-no_nonce"
No nonce is specified in the request if this option is
given. Otherwise a 64 bit long pseudo-random none is
included in the request. It is recommended to use nonce to
protect against replay-attacks. (Optional)
.IP "\fB\-cert\fR" 4
.IX Item "-cert"
The \s-1TSA\s0 is expected to include its signing certificate in the
response. (Optional)
.IP "\fB\-in\fR request.tsq" 4
.IX Item "-in request.tsq"
This option specifies a previously created timestamp request in \s-1DER\s0
format that will be printed into the output file. Useful when you need
to examine the content of a request in human-readable
format. (Optional)
.IP "\fB\-out\fR request.tsq" 4
.IX Item "-out request.tsq"
Name of the output file to which the request will be written. Default
is stdout. (Optional)
.IP "\fB\-text\fR" 4
.IX Item "-text"
If this option is specified the output is human-readable text format
instead of \s-1DER.\s0 (Optional)
.SS "Time Stamp Response generation"
.IX Subsection "Time Stamp Response generation"
A timestamp response (TimeStampResp) consists of a response status
and the timestamp token itself (ContentInfo), if the token generation was
successful. The \fB\-reply\fR command is for creating a timestamp
response or timestamp token based on a request and printing the
response/token in human-readable format. If \fB\-token_out\fR is not
specified the output is always a timestamp response (TimeStampResp),
otherwise it is a timestamp token (ContentInfo).
.IP "\fB\-config\fR configfile" 4
.IX Item "-config configfile"
The configuration file to use.
Optional; for a description of the default value,
see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fBopenssl\fR\|(1).
See \fB\s-1CONFIGURATION FILE OPTIONS\s0\fR for configurable variables.
.IP "\fB\-section\fR tsa_section" 4
.IX Item "-section tsa_section"
The name of the config file section containing the settings for the
response generation. If not specified the default \s-1TSA\s0 section is
used, see \fB\s-1CONFIGURATION FILE OPTIONS\s0\fR for details. (Optional)
.IP "\fB\-queryfile\fR request.tsq" 4
.IX Item "-queryfile request.tsq"
The name of the file containing a \s-1DER\s0 encoded timestamp request. (Optional)
.IP "\fB\-passin\fR password_src" 4
.IX Item "-passin password_src"
Specifies the password source for the private key of the \s-1TSA.\s0 See
\&\*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1). (Optional)
.IP "\fB\-signer\fR tsa_cert.pem" 4
.IX Item "-signer tsa_cert.pem"
The signer certificate of the \s-1TSA\s0 in \s-1PEM\s0 format. The \s-1TSA\s0 signing
certificate must have exactly one extended key usage assigned to it:
timeStamping. The extended key usage must also be critical, otherwise
the certificate is going to be refused. Overrides the \fBsigner_cert\fR
variable of the config file. (Optional)
.IP "\fB\-inkey\fR file_or_id" 4
.IX Item "-inkey file_or_id"
The signer private key of the \s-1TSA\s0 in \s-1PEM\s0 format. Overrides the
\&\fBsigner_key\fR config file option. (Optional)
If no engine is used, the argument is taken as a file; if an engine is
specified, the argument is given to the engine as a key identifier.
.IP "\fB\-\f(BIdigest\fB\fR" 4
.IX Item "-digest"
Signing digest to use. Overrides the \fBsigner_digest\fR config file
option. (Mandatory unless specified in the config file)
.IP "\fB\-chain\fR certs_file.pem" 4
.IX Item "-chain certs_file.pem"
The collection of certificates in \s-1PEM\s0 format that will all
be included in the response in addition to the signer certificate if
the \fB\-cert\fR option was used for the request. This file is supposed to
contain the certificate chain for the signer certificate from its
issuer upwards. The \fB\-reply\fR command does not build a certificate
chain automatically. (Optional)
.IP "\fB\-tspolicy\fR object_id" 4
.IX Item "-tspolicy object_id"
The default policy to use for the response unless the client
explicitly requires a particular \s-1TSA\s0 policy. The \s-1OID\s0 can be specified
either in dotted notation or with its name. Overrides the
\&\fBdefault_policy\fR config file option. (Optional)
.IP "\fB\-in\fR response.tsr" 4
.IX Item "-in response.tsr"
Specifies a previously created timestamp response or timestamp token
(if \fB\-token_in\fR is also specified) in \s-1DER\s0 format that will be written
to the output file. This option does not require a request, it is
useful e.g. when you need to examine the content of a response or
token or you want to extract the timestamp token from a response. If
the input is a token and the output is a timestamp response a default
\&'granted' status info is added to the token. (Optional)
.IP "\fB\-token_in\fR" 4
.IX Item "-token_in"
This flag can be used together with the \fB\-in\fR option and indicates
that the input is a \s-1DER\s0 encoded timestamp token (ContentInfo) instead
of a timestamp response (TimeStampResp). (Optional)
.IP "\fB\-out\fR response.tsr" 4
.IX Item "-out response.tsr"
The response is written to this file. The format and content of the
file depends on other options (see \fB\-text\fR, \fB\-token_out\fR). The default is
stdout. (Optional)
.IP "\fB\-token_out\fR" 4
.IX Item "-token_out"
The output is a timestamp token (ContentInfo) instead of timestamp
response (TimeStampResp). (Optional)
.IP "\fB\-text\fR" 4
.IX Item "-text"
If this option is specified the output is human-readable text format
instead of \s-1DER.\s0 (Optional)
.IP "\fB\-engine\fR id" 4
.IX Item "-engine id"
Specifying an engine (by its unique \fBid\fR string) will cause \fBts\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms. Default is builtin. (Optional)
.SS "Time Stamp Response verification"
.IX Subsection "Time Stamp Response verification"
The \fB\-verify\fR command is for verifying if a timestamp response or
timestamp token is valid and matches a particular timestamp request or
data file. The \fB\-verify\fR command does not use the configuration file.
.IP "\fB\-data\fR file_to_hash" 4
.IX Item "-data file_to_hash"
The response or token must be verified against file_to_hash. The file
is hashed with the message digest algorithm specified in the token.
The \fB\-digest\fR and \fB\-queryfile\fR options must not be specified with this one.
(Optional)
.IP "\fB\-digest\fR digest_bytes" 4
.IX Item "-digest digest_bytes"
The response or token must be verified against the message digest specified
with this option. The number of bytes must match the message digest algorithm
specified in the token. The \fB\-data\fR and \fB\-queryfile\fR options must not be
specified with this one. (Optional)
.IP "\fB\-queryfile\fR request.tsq" 4
.IX Item "-queryfile request.tsq"
The original timestamp request in \s-1DER\s0 format. The \fB\-data\fR and \fB\-digest\fR
options must not be specified with this one. (Optional)
.IP "\fB\-in\fR response.tsr" 4
.IX Item "-in response.tsr"
The timestamp response that needs to be verified in \s-1DER\s0 format. (Mandatory)
.IP "\fB\-token_in\fR" 4
.IX Item "-token_in"
This flag can be used together with the \fB\-in\fR option and indicates
that the input is a \s-1DER\s0 encoded timestamp token (ContentInfo) instead
of a timestamp response (TimeStampResp). (Optional)
.IP "\fB\-CApath\fR trusted_cert_path" 4
.IX Item "-CApath trusted_cert_path"
The name of the directory containing the trusted \s-1CA\s0 certificates of the
client. See the similar option of \fBverify\fR\|(1) for additional
details. Either this option or \fB\-CAfile\fR must be specified. (Optional)
.IP "\fB\-CAfile\fR trusted_certs.pem" 4
.IX Item "-CAfile trusted_certs.pem"
The name of the file containing a set of trusted self-signed \s-1CA\s0
certificates in \s-1PEM\s0 format. See the similar option of
\&\fBverify\fR\|(1) for additional details. Either this option
or \fB\-CApath\fR must be specified.
(Optional)
.IP "\fB\-untrusted\fR cert_file.pem" 4
.IX Item "-untrusted cert_file.pem"
Set of additional untrusted certificates in \s-1PEM\s0 format which may be
needed when building the certificate chain for the \s-1TSA\s0's signing
certificate. This file must contain the \s-1TSA\s0 signing certificate and
all intermediate \s-1CA\s0 certificates unless the response includes them.
(Optional)
.IP "\fIverify options\fR" 4
.IX Item "verify options"
The options \fB\-attime timestamp\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR,
\&\fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR,
\&\fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-issuer_checks\fR, \fB\-no_alt_chains\fR,
\&\fB\-no_check_time\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR,
\&\fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR,
\&\fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR,
\&\fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR,
\&\fB\-verify_name\fR, and \fB\-x509_strict\fR can be used to control timestamp
verification. See \fBverify\fR\|(1).
.SH "CONFIGURATION FILE OPTIONS"
.IX Header "CONFIGURATION FILE OPTIONS"
The \fB\-query\fR and \fB\-reply\fR commands make use of a configuration file.
See \fBconfig\fR\|(5)
for a general description of the syntax of the config file. The
\&\fB\-query\fR command uses only the symbolic \s-1OID\s0 names section
and it can work without it. However, the \fB\-reply\fR command needs the
config file for its operation.
.PP
When there is a command line switch equivalent of a variable the
switch always overrides the settings in the config file.
.IP "\fBtsa\fR section, \fBdefault_tsa\fR" 4
.IX Item "tsa section, default_tsa"
This is the main section and it specifies the name of another section
that contains all the options for the \fB\-reply\fR command. This default
section can be overridden with the \fB\-section\fR command line switch. (Optional)
.IP "\fBoid_file\fR" 4
.IX Item "oid_file"
See \fBca\fR\|(1) for description. (Optional)
.IP "\fBoid_section\fR" 4
.IX Item "oid_section"
See \fBca\fR\|(1) for description. (Optional)
.IP "\fB\s-1RANDFILE\s0\fR" 4
.IX Item "RANDFILE"
See \fBca\fR\|(1) for description. (Optional)
.IP "\fBserial\fR" 4
.IX Item "serial"
The name of the file containing the hexadecimal serial number of the
last timestamp response created. This number is incremented by 1 for
each response. If the file does not exist at the time of response
generation a new file is created with serial number 1. (Mandatory)
.IP "\fBcrypto_device\fR" 4
.IX Item "crypto_device"
Specifies the OpenSSL engine that will be set as the default for
all available algorithms. The default value is builtin, you can specify
any other engines supported by OpenSSL (e.g. use chil for the NCipher \s-1HSM\s0).
(Optional)
.IP "\fBsigner_cert\fR" 4
.IX Item "signer_cert"
\&\s-1TSA\s0 signing certificate in \s-1PEM\s0 format. The same as the \fB\-signer\fR
command line option. (Optional)
.IP "\fBcerts\fR" 4
.IX Item "certs"
A file containing a set of \s-1PEM\s0 encoded certificates that need to be
included in the response. The same as the \fB\-chain\fR command line
option. (Optional)
.IP "\fBsigner_key\fR" 4
.IX Item "signer_key"
The private key of the \s-1TSA\s0 in \s-1PEM\s0 format. The same as the \fB\-inkey\fR
command line option. (Optional)
.IP "\fBsigner_digest\fR" 4
.IX Item "signer_digest"
Signing digest to use. The same as the
\&\fB\-\f(BIdigest\fB\fR command line option. (Mandatory unless specified on the command
line)
.IP "\fBdefault_policy\fR" 4
.IX Item "default_policy"
The default policy to use when the request does not mandate any
policy. The same as the \fB\-tspolicy\fR command line option. (Optional)
.IP "\fBother_policies\fR" 4
.IX Item "other_policies"
Comma separated list of policies that are also acceptable by the \s-1TSA\s0
and used only if the request explicitly specifies one of them. (Optional)
.IP "\fBdigests\fR" 4
.IX Item "digests"
The list of message digest algorithms that the \s-1TSA\s0 accepts. At least
one algorithm must be specified. (Mandatory)
.IP "\fBaccuracy\fR" 4
.IX Item "accuracy"
The accuracy of the time source of the \s-1TSA\s0 in seconds, milliseconds
and microseconds. E.g. secs:1, millisecs:500, microsecs:100. If any of
the components is missing zero is assumed for that field. (Optional)
.IP "\fBclock_precision_digits\fR" 4
.IX Item "clock_precision_digits"
Specifies the maximum number of digits, which represent the fraction of
seconds, that need to be included in the time field. The trailing zeros
must be removed from the time, so there might actually be fewer digits,
or no fraction of seconds at all. Supported only on \s-1UNIX\s0 platforms.
The maximum value is 6, default is 0.
(Optional)
.IP "\fBordering\fR" 4
.IX Item "ordering"
If this option is yes the responses generated by this \s-1TSA\s0 can always
be ordered, even if the time difference between two responses is less
than the sum of their accuracies. Default is no. (Optional)
.IP "\fBtsa_name\fR" 4
.IX Item "tsa_name"
Set this option to yes if the subject name of the \s-1TSA\s0 must be included in
the \s-1TSA\s0 name field of the response. Default is no. (Optional)
.IP "\fBess_cert_id_chain\fR" 4
.IX Item "ess_cert_id_chain"
The SignedData objects created by the \s-1TSA\s0 always contain the
certificate identifier of the signing certificate in a signed
attribute (see \s-1RFC 2634,\s0 Enhanced Security Services). If this option
is set to yes and either the \fBcerts\fR variable or the \fB\-chain\fR option
is specified then the certificate identifiers of the chain will also
be included in the SigningCertificate signed attribute. If this
variable is set to no, only the signing certificate identifier is
included. Default is no. (Optional)
.IP "\fBess_cert_id_alg\fR" 4
.IX Item "ess_cert_id_alg"
This option specifies the hash function to be used to calculate the \s-1TSA\s0's
public key certificate identifier. Default is sha1. (Optional)
.SH "EXAMPLES"
.IX Header "EXAMPLES"
All the examples below presume that \fB\s-1OPENSSL_CONF\s0\fR is set to a proper
configuration file, e.g. the example configuration file
openssl/apps/openssl.cnf will do.
.SS "Time Stamp Request"
.IX Subsection "Time Stamp Request"
To create a timestamp request for design1.txt with \s-1SHA\-1\s0
without nonce and policy and no certificate is required in the response:
.PP
.Vb 2
\& openssl ts \-query \-data design1.txt \-no_nonce \e
\& \-out design1.tsq
.Ve
.PP
To create a similar timestamp request with specifying the message imprint
explicitly:
.PP
.Vb 2
\& openssl ts \-query \-digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \e
\& \-no_nonce \-out design1.tsq
.Ve
.PP
To print the content of the previous request in human readable format:
.PP
.Vb 1
\& openssl ts \-query \-in design1.tsq \-text
.Ve
.PP
To create a timestamp request which includes the \s-1MD\-5\s0 digest
of design2.txt, requests the signer certificate and nonce,
specifies a policy id (assuming the tsa_policy1 name is defined in the
\&\s-1OID\s0 section of the config file):
.PP
.Vb 2
\& openssl ts \-query \-data design2.txt \-md5 \e
\& \-tspolicy tsa_policy1 \-cert \-out design2.tsq
.Ve
.SS "Time Stamp Response"
.IX Subsection "Time Stamp Response"
Before generating a response a signing certificate must be created for
the \s-1TSA\s0 that contains the \fBtimeStamping\fR critical extended key usage extension
without any other key usage extensions. You can add this line to the
user certificate section of the config file to generate a proper certificate;
.PP
.Vb 1
\& extendedKeyUsage = critical,timeStamping
.Ve
.PP
See \fBreq\fR\|(1), \fBca\fR\|(1), and \fBx509\fR\|(1) for instructions. The examples
below assume that cacert.pem contains the certificate of the \s-1CA,\s0
tsacert.pem is the signing certificate issued by cacert.pem and
tsakey.pem is the private key of the \s-1TSA.\s0
.PP
To create a timestamp response for a request:
.PP
.Vb 2
\& openssl ts \-reply \-queryfile design1.tsq \-inkey tsakey.pem \e
\& \-signer tsacert.pem \-out design1.tsr
.Ve
.PP
If you want to use the settings in the config file you could just write:
.PP
.Vb 1
\& openssl ts \-reply \-queryfile design1.tsq \-out design1.tsr
.Ve
.PP
To print a timestamp reply to stdout in human readable format:
.PP
.Vb 1
\& openssl ts \-reply \-in design1.tsr \-text
.Ve
.PP
To create a timestamp token instead of timestamp response:
.PP
.Vb 1
\& openssl ts \-reply \-queryfile design1.tsq \-out design1_token.der \-token_out
.Ve
.PP
To print a timestamp token to stdout in human readable format:
.PP
.Vb 1
\& openssl ts \-reply \-in design1_token.der \-token_in \-text \-token_out
.Ve
.PP
To extract the timestamp token from a response:
.PP
.Vb 1
\& openssl ts \-reply \-in design1.tsr \-out design1_token.der \-token_out
.Ve
.PP
To add 'granted' status info to a timestamp token thereby creating a
valid response:
.PP
.Vb 1
\& openssl ts \-reply \-in design1_token.der \-token_in \-out design1.tsr
.Ve
.SS "Time Stamp Verification"
.IX Subsection "Time Stamp Verification"
To verify a timestamp reply against a request:
.PP
.Vb 2
\& openssl ts \-verify \-queryfile design1.tsq \-in design1.tsr \e
\& \-CAfile cacert.pem \-untrusted tsacert.pem
.Ve
.PP
To verify a timestamp reply that includes the certificate chain:
.PP
.Vb 2
\& openssl ts \-verify \-queryfile design2.tsq \-in design2.tsr \e
\& \-CAfile cacert.pem
.Ve
.PP
To verify a timestamp token against the original data file:
openssl ts \-verify \-data design2.txt \-in design2.tsr \e
\-CAfile cacert.pem
.PP
To verify a timestamp token against a message imprint:
openssl ts \-verify \-digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \e
\-in design2.tsr \-CAfile cacert.pem
.PP
You could also look at the 'test' directory for more examples.
.SH "BUGS"
.IX Header "BUGS"
.IP "\(bu" 2
No support for timestamps over \s-1SMTP,\s0 though it is quite easy
to implement an automatic e\-mail based \s-1TSA\s0 with \fBprocmail\fR\|(1)
and \fBperl\fR\|(1). \s-1HTTP\s0 server support is provided in the form of
a separate apache module. \s-1HTTP\s0 client support is provided by
\&\fBtsget\fR\|(1). Pure \s-1TCP/IP\s0 protocol is not supported.
.IP "\(bu" 2
The file containing the last serial number of the \s-1TSA\s0 is not
locked when being read or written. This is a problem if more than one
instance of \fBopenssl\fR\|(1) is trying to create a timestamp
response at the same time. This is not an issue when using the apache
server module, it does proper locking.
.IP "\(bu" 2
Look for the \s-1FIXME\s0 word in the source files.
.IP "\(bu" 2
The source code should really be reviewed by somebody else, too.
.IP "\(bu" 2
More testing is needed, I have done only some basic tests (see
test/testtsa).
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBtsget\fR\|(1), \fBopenssl\fR\|(1), \fBreq\fR\|(1),
\&\fBx509\fR\|(1), \fBca\fR\|(1), \fBgenrsa\fR\|(1),
\&\fBconfig\fR\|(5)
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/tsget.1 b/secure/usr.bin/openssl/man/tsget.1
index 879ff1c0ea84..0b26fd53ba39 100644
--- a/secure/usr.bin/openssl/man/tsget.1
+++ b/secure/usr.bin/openssl/man/tsget.1
@@ -1,325 +1,325 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "TSGET 1"
-.TH TSGET 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH TSGET 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-tsget, tsget \- Time Stamping HTTP/HTTPS client
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBtsget\fR
\&\fB\-h\fR server_url
[\fB\-e\fR extension]
[\fB\-o\fR output]
[\fB\-v\fR]
[\fB\-d\fR]
[\fB\-k\fR private_key.pem]
[\fB\-p\fR key_password]
[\fB\-c\fR client_cert.pem]
[\fB\-C\fR CA_certs.pem]
[\fB\-P\fR CA_path]
[\fB\-r\fR file:file...]
[\fB\-g\fR EGD_socket]
[request]...
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBtsget\fR command can be used for sending a timestamp request, as
specified in \fB\s-1RFC 3161\s0\fR, to a timestamp server over \s-1HTTP\s0 or \s-1HTTPS\s0 and storing
the timestamp response in a file. This tool cannot be used for creating the
requests and verifying responses, you can use the OpenSSL \fB\fBts\fB\|(1)\fR command to
do that. \fBtsget\fR can send several requests to the server without closing
the \s-1TCP\s0 connection if more than one requests are specified on the command
line.
.PP
The tool sends the following \s-1HTTP\s0 request for each timestamp request:
.PP
.Vb 7
\& POST url HTTP/1.1
\& User\-Agent: OpenTSA tsget.pl/<version>
\& Host: <host>:<port>
\& Pragma: no\-cache
\& Content\-Type: application/timestamp\-query
\& Accept: application/timestamp\-reply
\& Content\-Length: length of body
\&
\& ...binary request specified by the user...
.Ve
.PP
\&\fBtsget\fR expects a response of type application/timestamp\-reply, which is
written to a file without any interpretation.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-h\fR server_url" 4
.IX Item "-h server_url"
The \s-1URL\s0 of the \s-1HTTP/HTTPS\s0 server listening for timestamp requests.
.IP "\fB\-e\fR extension" 4
.IX Item "-e extension"
If the \fB\-o\fR option is not given this argument specifies the extension of the
output files. The base name of the output file will be the same as those of
the input files. Default extension is '.tsr'. (Optional)
.IP "\fB\-o\fR output" 4
.IX Item "-o output"
This option can be specified only when just one request is sent to the
server. The timestamp response will be written to the given output file. '\-'
means standard output. In case of multiple timestamp requests or the absence
of this argument the names of the output files will be derived from the names
of the input files and the default or specified extension argument. (Optional)
.IP "\fB\-v\fR" 4
.IX Item "-v"
The name of the currently processed request is printed on standard
error. (Optional)
.IP "\fB\-d\fR" 4
.IX Item "-d"
Switches on verbose mode for the underlying \fBcurl\fR library. You can see
detailed debug messages for the connection. (Optional)
.IP "\fB\-k\fR private_key.pem" 4
.IX Item "-k private_key.pem"
(\s-1HTTPS\s0) In case of certificate-based client authentication over \s-1HTTPS\s0
<private_key.pem> must contain the private key of the user. The private key
file can optionally be protected by a passphrase. The \fB\-c\fR option must also
be specified. (Optional)
.IP "\fB\-p\fR key_password" 4
.IX Item "-p key_password"
(\s-1HTTPS\s0) Specifies the passphrase for the private key specified by the \fB\-k\fR
argument. If this option is omitted and the key is passphrase protected \fBtsget\fR
will ask for it. (Optional)
.IP "\fB\-c\fR client_cert.pem" 4
.IX Item "-c client_cert.pem"
(\s-1HTTPS\s0) In case of certificate-based client authentication over \s-1HTTPS\s0
<client_cert.pem> must contain the X.509 certificate of the user. The \fB\-k\fR
option must also be specified. If this option is not specified no
certificate-based client authentication will take place. (Optional)
.IP "\fB\-C\fR CA_certs.pem" 4
.IX Item "-C CA_certs.pem"
(\s-1HTTPS\s0) The trusted \s-1CA\s0 certificate store. The certificate chain of the peer's
certificate must include one of the \s-1CA\s0 certificates specified in this file.
Either option \fB\-C\fR or option \fB\-P\fR must be given in case of \s-1HTTPS.\s0 (Optional)
.IP "\fB\-P\fR CA_path" 4
.IX Item "-P CA_path"
(\s-1HTTPS\s0) The path containing the trusted \s-1CA\s0 certificates to verify the peer's
certificate. The directory must be prepared with the \fBc_rehash\fR
OpenSSL utility. Either option \fB\-C\fR or option \fB\-P\fR must be given in case of
\&\s-1HTTPS.\s0 (Optional)
.IP "\fB\-rand\fR file:file..." 4
.IX Item "-rand file:file..."
The files containing random data for seeding the random number
generator. Multiple files can be specified, the separator is \fB;\fR for
MS-Windows, \fB,\fR for \s-1VMS\s0 and \fB:\fR for all other platforms. (Optional)
.IP "\fB\-g\fR EGD_socket" 4
.IX Item "-g EGD_socket"
The name of an \s-1EGD\s0 socket to get random data from. (Optional)
.IP "[request]..." 4
.IX Item "[request]..."
List of files containing \fB\s-1RFC 3161\s0\fR DER-encoded timestamp requests. If no
requests are specified only one request will be sent to the server and it will be
read from the standard input. (Optional)
.SH "ENVIRONMENT VARIABLES"
.IX Header "ENVIRONMENT VARIABLES"
The \fB\s-1TSGET\s0\fR environment variable can optionally contain default
arguments. The content of this variable is added to the list of command line
arguments.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
The examples below presume that \fBfile1.tsq\fR and \fBfile2.tsq\fR contain valid
timestamp requests, tsa.opentsa.org listens at port 8080 for \s-1HTTP\s0 requests
and at port 8443 for \s-1HTTPS\s0 requests, the \s-1TSA\s0 service is available at the /tsa
absolute path.
.PP
Get a timestamp response for file1.tsq over \s-1HTTP,\s0 output is written to
file1.tsr:
.PP
.Vb 1
\& tsget \-h http://tsa.opentsa.org:8080/tsa file1.tsq
.Ve
.PP
Get a timestamp response for file1.tsq and file2.tsq over \s-1HTTP\s0 showing
progress, output is written to file1.reply and file2.reply respectively:
.PP
.Vb 2
\& tsget \-h http://tsa.opentsa.org:8080/tsa \-v \-e .reply \e
\& file1.tsq file2.tsq
.Ve
.PP
Create a timestamp request, write it to file3.tsq, send it to the server and
write the response to file3.tsr:
.PP
.Vb 3
\& openssl ts \-query \-data file3.txt \-cert | tee file3.tsq \e
\& | tsget \-h http://tsa.opentsa.org:8080/tsa \e
\& \-o file3.tsr
.Ve
.PP
Get a timestamp response for file1.tsq over \s-1HTTPS\s0 without client
authentication:
.PP
.Vb 2
\& tsget \-h https://tsa.opentsa.org:8443/tsa \e
\& \-C cacerts.pem file1.tsq
.Ve
.PP
Get a timestamp response for file1.tsq over \s-1HTTPS\s0 with certificate-based
client authentication (it will ask for the passphrase if client_key.pem is
protected):
.PP
.Vb 2
\& tsget \-h https://tsa.opentsa.org:8443/tsa \-C cacerts.pem \e
\& \-k client_key.pem \-c client_cert.pem file1.tsq
.Ve
.PP
You can shorten the previous command line if you make use of the \fB\s-1TSGET\s0\fR
environment variable. The following commands do the same as the previous
example:
.PP
.Vb 4
\& TSGET=\*(Aq\-h https://tsa.opentsa.org:8443/tsa \-C cacerts.pem \e
\& \-k client_key.pem \-c client_cert.pem\*(Aq
\& export TSGET
\& tsget file1.tsq
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBopenssl\fR\|(1), \fBts\fR\|(1), \fBcurl\fR\|(1),
\&\fB\s-1RFC 3161\s0\fR
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2006\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/verify.1 b/secure/usr.bin/openssl/man/verify.1
index 75bb9d16101c..da33495a9361 100644
--- a/secure/usr.bin/openssl/man/verify.1
+++ b/secure/usr.bin/openssl/man/verify.1
@@ -1,787 +1,787 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "VERIFY 1"
-.TH VERIFY 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH VERIFY 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-verify, verify \- Utility to verify certificates
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBverify\fR
[\fB\-help\fR]
[\fB\-CAfile file\fR]
[\fB\-CApath directory\fR]
[\fB\-no\-CAfile\fR]
[\fB\-no\-CApath\fR]
[\fB\-allow_proxy_certs\fR]
[\fB\-attime timestamp\fR]
[\fB\-check_ss_sig\fR]
[\fB\-CRLfile file\fR]
[\fB\-crl_download\fR]
[\fB\-crl_check\fR]
[\fB\-crl_check_all\fR]
[\fB\-engine id\fR]
[\fB\-explicit_policy\fR]
[\fB\-extended_crl\fR]
[\fB\-ignore_critical\fR]
[\fB\-inhibit_any\fR]
[\fB\-inhibit_map\fR]
[\fB\-nameopt option\fR]
[\fB\-no_check_time\fR]
[\fB\-partial_chain\fR]
[\fB\-policy arg\fR]
[\fB\-policy_check\fR]
[\fB\-policy_print\fR]
[\fB\-purpose purpose\fR]
[\fB\-suiteB_128\fR]
[\fB\-suiteB_128_only\fR]
[\fB\-suiteB_192\fR]
[\fB\-trusted_first\fR]
[\fB\-no_alt_chains\fR]
[\fB\-untrusted file\fR]
[\fB\-trusted file\fR]
[\fB\-use_deltas\fR]
[\fB\-verbose\fR]
[\fB\-auth_level level\fR]
[\fB\-verify_depth num\fR]
[\fB\-verify_email email\fR]
[\fB\-verify_hostname hostname\fR]
[\fB\-verify_ip ip\fR]
[\fB\-verify_name name\fR]
[\fB\-x509_strict\fR]
[\fB\-show_chain\fR]
[\fB\-\fR]
[certificates]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBverify\fR command verifies certificate chains.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-CAfile file\fR" 4
.IX Item "-CAfile file"
A \fBfile\fR of trusted certificates.
The file should contain one or more certificates in \s-1PEM\s0 format.
.IP "\fB\-CApath directory\fR" 4
.IX Item "-CApath directory"
A directory of trusted certificates. The certificates should have names
of the form: hash.0 or have symbolic links to them of this
form (\*(L"hash\*(R" is the hashed certificate subject name: see the \fB\-hash\fR option
of the \fBx509\fR utility). Under Unix the \fBc_rehash\fR script will automatically
create symbolic links to a directory of certificates.
.IP "\fB\-no\-CAfile\fR" 4
.IX Item "-no-CAfile"
Do not load the trusted \s-1CA\s0 certificates from the default file location.
.IP "\fB\-no\-CApath\fR" 4
.IX Item "-no-CApath"
Do not load the trusted \s-1CA\s0 certificates from the default directory location.
.IP "\fB\-allow_proxy_certs\fR" 4
.IX Item "-allow_proxy_certs"
Allow the verification of proxy certificates.
.IP "\fB\-attime timestamp\fR" 4
.IX Item "-attime timestamp"
Perform validation checks using time specified by \fBtimestamp\fR and not
current system time. \fBtimestamp\fR is the number of seconds since
01.01.1970 (\s-1UNIX\s0 time).
.IP "\fB\-check_ss_sig\fR" 4
.IX Item "-check_ss_sig"
Verify the signature of
the last certificate in a chain if the certificate is supposedly self-signed.
This is prohibited and will result in an error if it is a non-conforming \s-1CA\s0
certificate with key usage restrictions not including the keyCertSign bit.
This verification is disabled by default because it doesn't add any security.
.IP "\fB\-CRLfile file\fR" 4
.IX Item "-CRLfile file"
The \fBfile\fR should contain one or more CRLs in \s-1PEM\s0 format.
This option can be specified more than once to include CRLs from multiple
\&\fBfiles\fR.
.IP "\fB\-crl_download\fR" 4
.IX Item "-crl_download"
Attempt to download \s-1CRL\s0 information for this certificate.
.IP "\fB\-crl_check\fR" 4
.IX Item "-crl_check"
Checks end entity certificate validity by attempting to look up a valid \s-1CRL.\s0
If a valid \s-1CRL\s0 cannot be found an error occurs.
.IP "\fB\-crl_check_all\fR" 4
.IX Item "-crl_check_all"
Checks the validity of \fBall\fR certificates in the chain by attempting
to look up valid CRLs.
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
Specifying an engine \fBid\fR will cause \fBverify\fR\|(1) to attempt to load the
specified engine.
The engine will then be set as the default for all its supported algorithms.
If you want to load certificates or CRLs that require engine support via any of
the \fB\-trusted\fR, \fB\-untrusted\fR or \fB\-CRLfile\fR options, the \fB\-engine\fR option
must be specified before those options.
.IP "\fB\-explicit_policy\fR" 4
.IX Item "-explicit_policy"
Set policy variable require-explicit-policy (see \s-1RFC5280\s0).
.IP "\fB\-extended_crl\fR" 4
.IX Item "-extended_crl"
Enable extended \s-1CRL\s0 features such as indirect CRLs and alternate \s-1CRL\s0
signing keys.
.IP "\fB\-ignore_critical\fR" 4
.IX Item "-ignore_critical"
Normally if an unhandled critical extension is present which is not
supported by OpenSSL the certificate is rejected (as required by \s-1RFC5280\s0).
If this option is set critical extensions are ignored.
.IP "\fB\-inhibit_any\fR" 4
.IX Item "-inhibit_any"
Set policy variable inhibit-any-policy (see \s-1RFC5280\s0).
.IP "\fB\-inhibit_map\fR" 4
.IX Item "-inhibit_map"
Set policy variable inhibit-policy-mapping (see \s-1RFC5280\s0).
.IP "\fB\-nameopt option\fR" 4
.IX Item "-nameopt option"
Option which determines how the subject or issuer names are displayed. The
\&\fBoption\fR argument can be a single option or multiple options separated by
commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to
set multiple options. See the \fBx509\fR\|(1) manual page for details.
.IP "\fB\-no_check_time\fR" 4
.IX Item "-no_check_time"
This option suppresses checking the validity period of certificates and CRLs
against the current time. If option \fB\-attime timestamp\fR is used to specify
a verification time, the check is not suppressed.
.IP "\fB\-partial_chain\fR" 4
.IX Item "-partial_chain"
Allow verification to succeed even if a \fIcomplete\fR chain cannot be built to a
self-signed trust-anchor, provided it is possible to construct a chain to a
trusted certificate that might not be self-signed.
.IP "\fB\-policy arg\fR" 4
.IX Item "-policy arg"
Enable policy processing and add \fBarg\fR to the user-initial-policy-set (see
\&\s-1RFC5280\s0). The policy \fBarg\fR can be an object name an \s-1OID\s0 in numeric form.
This argument can appear more than once.
.IP "\fB\-policy_check\fR" 4
.IX Item "-policy_check"
Enables certificate policy processing.
.IP "\fB\-policy_print\fR" 4
.IX Item "-policy_print"
Print out diagnostics related to policy processing.
.IP "\fB\-purpose purpose\fR" 4
.IX Item "-purpose purpose"
The intended use for the certificate. If this option is not specified,
\&\fBverify\fR will not consider certificate purpose during chain verification.
Currently accepted uses are \fBsslclient\fR, \fBsslserver\fR, \fBnssslserver\fR,
\&\fBsmimesign\fR, \fBsmimeencrypt\fR. See the \fB\s-1VERIFY OPERATION\s0\fR section for more
information.
.IP "\fB\-suiteB_128_only\fR, \fB\-suiteB_128\fR, \fB\-suiteB_192\fR" 4
.IX Item "-suiteB_128_only, -suiteB_128, -suiteB_192"
Enable the Suite B mode operation at 128 bit Level of Security, 128 bit or
192 bit, or only 192 bit Level of Security respectively.
See \s-1RFC6460\s0 for details. In particular the supported signature algorithms are
reduced to support only \s-1ECDSA\s0 and \s-1SHA256\s0 or \s-1SHA384\s0 and only the elliptic curves
P\-256 and P\-384.
.IP "\fB\-trusted_first\fR" 4
.IX Item "-trusted_first"
When constructing the certificate chain, use the trusted certificates specified
via \fB\-CAfile\fR, \fB\-CApath\fR or \fB\-trusted\fR before any certificates specified via
\&\fB\-untrusted\fR.
This can be useful in environments with Bridge or Cross-Certified CAs.
As of OpenSSL 1.1.0 this option is on by default and cannot be disabled.
.IP "\fB\-no_alt_chains\fR" 4
.IX Item "-no_alt_chains"
By default, unless \fB\-trusted_first\fR is specified, when building a certificate
chain, if the first certificate chain found is not trusted, then OpenSSL will
attempt to replace untrusted issuer certificates with certificates from the
trust store to see if an alternative chain can be found that is trusted.
As of OpenSSL 1.1.0, with \fB\-trusted_first\fR always on, this option has no
effect.
.IP "\fB\-untrusted file\fR" 4
.IX Item "-untrusted file"
A \fBfile\fR of additional untrusted certificates (intermediate issuer CAs) used
to construct a certificate chain from the subject certificate to a trust-anchor.
The \fBfile\fR should contain one or more certificates in \s-1PEM\s0 format.
This option can be specified more than once to include untrusted certificates
from multiple \fBfiles\fR.
.IP "\fB\-trusted file\fR" 4
.IX Item "-trusted file"
A \fBfile\fR of trusted certificates, which must be self-signed, unless the
\&\fB\-partial_chain\fR option is specified.
The \fBfile\fR contains one or more certificates in \s-1PEM\s0 format.
With this option, no additional (e.g., default) certificate lists are
consulted.
That is, the only trust-anchors are those listed in \fBfile\fR.
This option can be specified more than once to include trusted certificates
from multiple \fBfiles\fR.
This option implies the \fB\-no\-CAfile\fR and \fB\-no\-CApath\fR options.
This option cannot be used in combination with either of the \fB\-CAfile\fR or
\&\fB\-CApath\fR options.
.IP "\fB\-use_deltas\fR" 4
.IX Item "-use_deltas"
Enable support for delta CRLs.
.IP "\fB\-verbose\fR" 4
.IX Item "-verbose"
Print extra information about the operations being performed.
.IP "\fB\-auth_level level\fR" 4
.IX Item "-auth_level level"
Set the certificate chain authentication security level to \fBlevel\fR.
The authentication security level determines the acceptable signature and
public key strength when verifying certificate chains.
For a certificate chain to validate, the public keys of all the certificates
must meet the specified security \fBlevel\fR.
The signature algorithm security level is enforced for all the certificates in
the chain except for the chain's \fItrust anchor\fR, which is either directly
trusted or validated by means other than its signature.
See \fBSSL_CTX_set_security_level\fR\|(3) for the definitions of the available
levels.
The default security level is \-1, or \*(L"not set\*(R".
At security level 0 or lower all algorithms are acceptable.
Security level 1 requires at least 80\-bit\-equivalent security and is broadly
interoperable, though it will, for example, reject \s-1MD5\s0 signatures or \s-1RSA\s0 keys
shorter than 1024 bits.
.IP "\fB\-verify_depth num\fR" 4
.IX Item "-verify_depth num"
Limit the certificate chain to \fBnum\fR intermediate \s-1CA\s0 certificates.
A maximal depth chain can have up to \fBnum+2\fR certificates, since neither the
end-entity certificate nor the trust-anchor certificate count against the
\&\fB\-verify_depth\fR limit.
.IP "\fB\-verify_email email\fR" 4
.IX Item "-verify_email email"
Verify if the \fBemail\fR matches the email address in Subject Alternative Name or
the email in the subject Distinguished Name.
.IP "\fB\-verify_hostname hostname\fR" 4
.IX Item "-verify_hostname hostname"
Verify if the \fBhostname\fR matches \s-1DNS\s0 name in Subject Alternative Name or
Common Name in the subject certificate.
.IP "\fB\-verify_ip ip\fR" 4
.IX Item "-verify_ip ip"
Verify if the \fBip\fR matches the \s-1IP\s0 address in Subject Alternative Name of
the subject certificate.
.IP "\fB\-verify_name name\fR" 4
.IX Item "-verify_name name"
Use default verification policies like trust model and required certificate
policies identified by \fBname\fR.
The trust model determines which auxiliary trust or reject OIDs are applicable
to verifying the given certificate chain.
See the \fB\-addtrust\fR and \fB\-addreject\fR options of the \fBx509\fR\|(1) command-line
utility.
Supported policy names include: \fBdefault\fR, \fBpkcs7\fR, \fBsmime_sign\fR,
\&\fBssl_client\fR, \fBssl_server\fR.
These mimics the combinations of purpose and trust settings used in \s-1SSL, CMS\s0
and S/MIME.
As of OpenSSL 1.1.0, the trust model is inferred from the purpose when not
specified, so the \fB\-verify_name\fR options are functionally equivalent to the
corresponding \fB\-purpose\fR settings.
.IP "\fB\-x509_strict\fR" 4
.IX Item "-x509_strict"
For strict X.509 compliance, disable non-compliant workarounds for broken
certificates.
.IP "\fB\-show_chain\fR" 4
.IX Item "-show_chain"
Display information about the certificate chain that has been built (if
successful). Certificates in the chain that came from the untrusted list will be
flagged as \*(L"untrusted\*(R".
.IP "\fB\-\fR" 4
.IX Item "-"
Indicates the last option. All arguments following this are assumed to be
certificate files. This is useful if the first certificate filename begins
with a \fB\-\fR.
.IP "\fBcertificates\fR" 4
.IX Item "certificates"
One or more certificates to verify. If no certificates are given, \fBverify\fR
will attempt to read a certificate from standard input. Certificates must be
in \s-1PEM\s0 format.
.SH "VERIFY OPERATION"
.IX Header "VERIFY OPERATION"
The \fBverify\fR program uses the same functions as the internal \s-1SSL\s0 and S/MIME
verification, therefore, this description applies to these verify operations
too.
.PP
There is one crucial difference between the verify operations performed
by the \fBverify\fR program: wherever possible an attempt is made to continue
after an error whereas normally the verify operation would halt on the
first error. This allows all the problems with a certificate chain to be
determined.
.PP
The verify operation consists of a number of separate steps.
.PP
Firstly a certificate chain is built up starting from the supplied certificate
and ending in the root \s-1CA.\s0
It is an error if the whole chain cannot be built up.
The chain is built up by looking up the issuers certificate of the current
certificate.
If a certificate is found which is its own issuer it is assumed to be the root
\&\s-1CA.\s0
.PP
The process of 'looking up the issuers certificate' itself involves a number of
steps.
After all certificates whose subject name matches the issuer name of the current
certificate are subject to further tests.
The relevant authority key identifier components of the current certificate (if
present) must match the subject key identifier (if present) and issuer and
serial number of the candidate issuer, in addition the keyUsage extension of
the candidate issuer (if present) must permit certificate signing.
.PP
The lookup first looks in the list of untrusted certificates and if no match
is found the remaining lookups are from the trusted certificates. The root \s-1CA\s0
is always looked up in the trusted certificate list: if the certificate to
verify is a root certificate then an exact match must be found in the trusted
list.
.PP
The second operation is to check every untrusted certificate's extensions for
consistency with the supplied purpose. If the \fB\-purpose\fR option is not included
then no checks are done. The supplied or \*(L"leaf\*(R" certificate must have extensions
compatible with the supplied purpose and all other certificates must also be valid
\&\s-1CA\s0 certificates. The precise extensions required are described in more detail in
the \fB\s-1CERTIFICATE EXTENSIONS\s0\fR section of the \fBx509\fR utility.
.PP
The third operation is to check the trust settings on the root \s-1CA.\s0 The root \s-1CA\s0
should be trusted for the supplied purpose.
For compatibility with previous versions of OpenSSL, a certificate with no
trust settings is considered to be valid for all purposes.
.PP
The final operation is to check the validity of the certificate chain.
For each element in the chain, including the root \s-1CA\s0 certificate,
the validity period as specified by the \f(CW\*(C`notBefore\*(C'\fR and \f(CW\*(C`notAfter\*(C'\fR fields
is checked against the current system time.
The \fB\-attime\fR flag may be used to use a reference time other than \*(L"now.\*(R"
The certificate signature is checked as well
(except for the signature of the typically self-signed root \s-1CA\s0 certificate,
which is verified only if the \fB\-check_ss_sig\fR option is given).
.PP
If all operations complete successfully then certificate is considered valid. If
any operation fails then the certificate is not valid.
.SH "DIAGNOSTICS"
.IX Header "DIAGNOSTICS"
When a verify operation fails the output messages can be somewhat cryptic. The
general form of the error message is:
.PP
.Vb 2
\& server.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
\& error 24 at 1 depth lookup:invalid CA certificate
.Ve
.PP
The first line contains the name of the certificate being verified followed by
the subject name of the certificate. The second line contains the error number
and the depth. The depth is number of the certificate being verified when a
problem was detected starting with zero for the certificate being verified itself
then 1 for the \s-1CA\s0 that signed the certificate and so on. Finally a text version
of the error number is presented.
.PP
A partial list of the error codes and messages is shown below, this also
includes the name of the error code as defined in the header file x509_vfy.h
Some of the error codes are defined but never returned: these are described
as \*(L"unused\*(R".
.IP "\fBX509_V_OK\fR" 4
.IX Item "X509_V_OK"
The operation was successful.
.IP "\fBX509_V_ERR_UNSPECIFIED\fR" 4
.IX Item "X509_V_ERR_UNSPECIFIED"
Unspecified error; should not happen.
.IP "\fBX509_V_ERR_UNABLE_TO_GET_ISSUER_CERT\fR" 4
.IX Item "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT"
The issuer certificate of a looked up certificate could not be found. This
normally means the list of trusted certificates is not complete.
.IP "\fBX509_V_ERR_UNABLE_TO_GET_CRL\fR" 4
.IX Item "X509_V_ERR_UNABLE_TO_GET_CRL"
The \s-1CRL\s0 of a certificate could not be found.
.IP "\fBX509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE\fR" 4
.IX Item "X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE"
The certificate signature could not be decrypted. This means that the
actual signature value could not be determined rather than it not matching
the expected value, this is only meaningful for \s-1RSA\s0 keys.
.IP "\fBX509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE\fR" 4
.IX Item "X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE"
The \s-1CRL\s0 signature could not be decrypted: this means that the actual
signature value could not be determined rather than it not matching the
expected value. Unused.
.IP "\fBX509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY\fR" 4
.IX Item "X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY"
The public key in the certificate SubjectPublicKeyInfo could not be read.
.IP "\fBX509_V_ERR_CERT_SIGNATURE_FAILURE\fR" 4
.IX Item "X509_V_ERR_CERT_SIGNATURE_FAILURE"
The signature of the certificate is invalid.
.IP "\fBX509_V_ERR_CRL_SIGNATURE_FAILURE\fR" 4
.IX Item "X509_V_ERR_CRL_SIGNATURE_FAILURE"
The signature of the certificate is invalid.
.IP "\fBX509_V_ERR_CERT_NOT_YET_VALID\fR" 4
.IX Item "X509_V_ERR_CERT_NOT_YET_VALID"
The certificate is not yet valid: the notBefore date is after the
current time.
.IP "\fBX509_V_ERR_CERT_HAS_EXPIRED\fR" 4
.IX Item "X509_V_ERR_CERT_HAS_EXPIRED"
The certificate has expired: that is the notAfter date is before the
current time.
.IP "\fBX509_V_ERR_CRL_NOT_YET_VALID\fR" 4
.IX Item "X509_V_ERR_CRL_NOT_YET_VALID"
The \s-1CRL\s0 is not yet valid.
.IP "\fBX509_V_ERR_CRL_HAS_EXPIRED\fR" 4
.IX Item "X509_V_ERR_CRL_HAS_EXPIRED"
The \s-1CRL\s0 has expired.
.IP "\fBX509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD\fR" 4
.IX Item "X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD"
The certificate notBefore field contains an invalid time.
.IP "\fBX509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD\fR" 4
.IX Item "X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD"
The certificate notAfter field contains an invalid time.
.IP "\fBX509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD\fR" 4
.IX Item "X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD"
The \s-1CRL\s0 lastUpdate field contains an invalid time.
.IP "\fBX509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD\fR" 4
.IX Item "X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD"
The \s-1CRL\s0 nextUpdate field contains an invalid time.
.IP "\fBX509_V_ERR_OUT_OF_MEM\fR" 4
.IX Item "X509_V_ERR_OUT_OF_MEM"
An error occurred trying to allocate memory. This should never happen.
.IP "\fBX509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT\fR" 4
.IX Item "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT"
The passed certificate is self-signed and the same certificate cannot
be found in the list of trusted certificates.
.IP "\fBX509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN\fR" 4
.IX Item "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN"
The certificate chain could be built up using the untrusted certificates
but the root could not be found locally.
.IP "\fBX509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY\fR" 4
.IX Item "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY"
The issuer certificate could not be found: this occurs if the issuer
certificate of an untrusted certificate cannot be found.
.IP "\fBX509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE\fR" 4
.IX Item "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE"
No signatures could be verified because the chain contains only one
certificate and it is not self signed.
.IP "\fBX509_V_ERR_CERT_CHAIN_TOO_LONG\fR" 4
.IX Item "X509_V_ERR_CERT_CHAIN_TOO_LONG"
The certificate chain length is greater than the supplied maximum
depth. Unused.
.IP "\fBX509_V_ERR_CERT_REVOKED\fR" 4
.IX Item "X509_V_ERR_CERT_REVOKED"
The certificate has been revoked.
.IP "\fBX509_V_ERR_INVALID_CA\fR" 4
.IX Item "X509_V_ERR_INVALID_CA"
A \s-1CA\s0 certificate is invalid. Either it is not a \s-1CA\s0 or its extensions
are not consistent with the supplied purpose.
.IP "\fBX509_V_ERR_PATH_LENGTH_EXCEEDED\fR" 4
.IX Item "X509_V_ERR_PATH_LENGTH_EXCEEDED"
The basicConstraints pathlength parameter has been exceeded.
.IP "\fBX509_V_ERR_INVALID_PURPOSE\fR" 4
.IX Item "X509_V_ERR_INVALID_PURPOSE"
The supplied certificate cannot be used for the specified purpose.
.IP "\fBX509_V_ERR_CERT_UNTRUSTED\fR" 4
.IX Item "X509_V_ERR_CERT_UNTRUSTED"
The root \s-1CA\s0 is not marked as trusted for the specified purpose.
.IP "\fBX509_V_ERR_CERT_REJECTED\fR" 4
.IX Item "X509_V_ERR_CERT_REJECTED"
The root \s-1CA\s0 is marked to reject the specified purpose.
.IP "\fBX509_V_ERR_SUBJECT_ISSUER_MISMATCH\fR" 4
.IX Item "X509_V_ERR_SUBJECT_ISSUER_MISMATCH"
Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
\&\fB\-issuer_checks\fR option.
.IP "\fBX509_V_ERR_AKID_SKID_MISMATCH\fR" 4
.IX Item "X509_V_ERR_AKID_SKID_MISMATCH"
Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
\&\fB\-issuer_checks\fR option.
.IP "\fBX509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH\fR" 4
.IX Item "X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH"
Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
\&\fB\-issuer_checks\fR option.
.IP "\fBX509_V_ERR_KEYUSAGE_NO_CERTSIGN\fR" 4
.IX Item "X509_V_ERR_KEYUSAGE_NO_CERTSIGN"
Not used as of OpenSSL 1.1.0 as a result of the deprecation of the
\&\fB\-issuer_checks\fR option.
.IP "\fBX509_V_ERR_UNABLE_TO_GET_CRL_ISSUER\fR" 4
.IX Item "X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER"
Unable to get \s-1CRL\s0 issuer certificate.
.IP "\fBX509_V_ERR_UNHANDLED_CRITICAL_EXTENSION\fR" 4
.IX Item "X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION"
Unhandled critical extension.
.IP "\fBX509_V_ERR_KEYUSAGE_NO_CRL_SIGN\fR" 4
.IX Item "X509_V_ERR_KEYUSAGE_NO_CRL_SIGN"
Key usage does not include \s-1CRL\s0 signing.
.IP "\fBX509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION\fR" 4
.IX Item "X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION"
Unhandled critical \s-1CRL\s0 extension.
.IP "\fBX509_V_ERR_INVALID_NON_CA\fR" 4
.IX Item "X509_V_ERR_INVALID_NON_CA"
Invalid non-CA certificate has \s-1CA\s0 markings.
.IP "\fBX509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED\fR" 4
.IX Item "X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED"
Proxy path length constraint exceeded.
.IP "\fBX509_V_ERR_PROXY_SUBJECT_INVALID\fR" 4
.IX Item "X509_V_ERR_PROXY_SUBJECT_INVALID"
Proxy certificate subject is invalid. It \s-1MUST\s0 be the same as the issuer
with a single \s-1CN\s0 component added.
.IP "\fBX509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE\fR" 4
.IX Item "X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE"
Key usage does not include digital signature.
.IP "\fBX509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED\fR" 4
.IX Item "X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED"
Proxy certificates not allowed, please use \fB\-allow_proxy_certs\fR.
.IP "\fBX509_V_ERR_INVALID_EXTENSION\fR" 4
.IX Item "X509_V_ERR_INVALID_EXTENSION"
Invalid or inconsistent certificate extension.
.IP "\fBX509_V_ERR_INVALID_POLICY_EXTENSION\fR" 4
.IX Item "X509_V_ERR_INVALID_POLICY_EXTENSION"
Invalid or inconsistent certificate policy extension.
.IP "\fBX509_V_ERR_NO_EXPLICIT_POLICY\fR" 4
.IX Item "X509_V_ERR_NO_EXPLICIT_POLICY"
No explicit policy.
.IP "\fBX509_V_ERR_DIFFERENT_CRL_SCOPE\fR" 4
.IX Item "X509_V_ERR_DIFFERENT_CRL_SCOPE"
Different \s-1CRL\s0 scope.
.IP "\fBX509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE\fR" 4
.IX Item "X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE"
Unsupported extension feature.
.IP "\fBX509_V_ERR_UNNESTED_RESOURCE\fR" 4
.IX Item "X509_V_ERR_UNNESTED_RESOURCE"
\&\s-1RFC 3779\s0 resource not subset of parent's resources.
.IP "\fBX509_V_ERR_PERMITTED_VIOLATION\fR" 4
.IX Item "X509_V_ERR_PERMITTED_VIOLATION"
Permitted subtree violation.
.IP "\fBX509_V_ERR_EXCLUDED_VIOLATION\fR" 4
.IX Item "X509_V_ERR_EXCLUDED_VIOLATION"
Excluded subtree violation.
.IP "\fBX509_V_ERR_SUBTREE_MINMAX\fR" 4
.IX Item "X509_V_ERR_SUBTREE_MINMAX"
Name constraints minimum and maximum not supported.
.IP "\fBX509_V_ERR_APPLICATION_VERIFICATION\fR" 4
.IX Item "X509_V_ERR_APPLICATION_VERIFICATION"
Application verification failure. Unused.
.IP "\fBX509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE\fR" 4
.IX Item "X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE"
Unsupported name constraint type.
.IP "\fBX509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX\fR" 4
.IX Item "X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX"
Unsupported or invalid name constraint syntax.
.IP "\fBX509_V_ERR_UNSUPPORTED_NAME_SYNTAX\fR" 4
.IX Item "X509_V_ERR_UNSUPPORTED_NAME_SYNTAX"
Unsupported or invalid name syntax.
.IP "\fBX509_V_ERR_CRL_PATH_VALIDATION_ERROR\fR" 4
.IX Item "X509_V_ERR_CRL_PATH_VALIDATION_ERROR"
\&\s-1CRL\s0 path validation error.
.IP "\fBX509_V_ERR_PATH_LOOP\fR" 4
.IX Item "X509_V_ERR_PATH_LOOP"
Path loop.
.IP "\fBX509_V_ERR_SUITE_B_INVALID_VERSION\fR" 4
.IX Item "X509_V_ERR_SUITE_B_INVALID_VERSION"
Suite B: certificate version invalid.
.IP "\fBX509_V_ERR_SUITE_B_INVALID_ALGORITHM\fR" 4
.IX Item "X509_V_ERR_SUITE_B_INVALID_ALGORITHM"
Suite B: invalid public key algorithm.
.IP "\fBX509_V_ERR_SUITE_B_INVALID_CURVE\fR" 4
.IX Item "X509_V_ERR_SUITE_B_INVALID_CURVE"
Suite B: invalid \s-1ECC\s0 curve.
.IP "\fBX509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM\fR" 4
.IX Item "X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM"
Suite B: invalid signature algorithm.
.IP "\fBX509_V_ERR_SUITE_B_LOS_NOT_ALLOWED\fR" 4
.IX Item "X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED"
Suite B: curve not allowed for this \s-1LOS.\s0
.IP "\fBX509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256\fR" 4
.IX Item "X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256"
Suite B: cannot sign P\-384 with P\-256.
.IP "\fBX509_V_ERR_HOSTNAME_MISMATCH\fR" 4
.IX Item "X509_V_ERR_HOSTNAME_MISMATCH"
Hostname mismatch.
.IP "\fBX509_V_ERR_EMAIL_MISMATCH\fR" 4
.IX Item "X509_V_ERR_EMAIL_MISMATCH"
Email address mismatch.
.IP "\fBX509_V_ERR_IP_ADDRESS_MISMATCH\fR" 4
.IX Item "X509_V_ERR_IP_ADDRESS_MISMATCH"
\&\s-1IP\s0 address mismatch.
.IP "\fBX509_V_ERR_DANE_NO_MATCH\fR" 4
.IX Item "X509_V_ERR_DANE_NO_MATCH"
\&\s-1DANE TLSA\s0 authentication is enabled, but no \s-1TLSA\s0 records matched the
certificate chain.
This error is only possible in \fBs_client\fR\|(1).
.IP "\fBX509_V_ERR_EE_KEY_TOO_SMALL\fR" 4
.IX Item "X509_V_ERR_EE_KEY_TOO_SMALL"
\&\s-1EE\s0 certificate key too weak.
.IP "\fBX509_ERR_CA_KEY_TOO_SMALL\fR" 4
.IX Item "X509_ERR_CA_KEY_TOO_SMALL"
\&\s-1CA\s0 certificate key too weak.
.IP "\fBX509_ERR_CA_MD_TOO_WEAK\fR" 4
.IX Item "X509_ERR_CA_MD_TOO_WEAK"
\&\s-1CA\s0 signature digest algorithm too weak.
.IP "\fBX509_V_ERR_INVALID_CALL\fR" 4
.IX Item "X509_V_ERR_INVALID_CALL"
nvalid certificate verification context.
.IP "\fBX509_V_ERR_STORE_LOOKUP\fR" 4
.IX Item "X509_V_ERR_STORE_LOOKUP"
Issuer certificate lookup error.
.IP "\fBX509_V_ERR_NO_VALID_SCTS\fR" 4
.IX Item "X509_V_ERR_NO_VALID_SCTS"
Certificate Transparency required, but no valid SCTs found.
.IP "\fBX509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION\fR" 4
.IX Item "X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION"
Proxy subject name violation.
.IP "\fBX509_V_ERR_OCSP_VERIFY_NEEDED\fR" 4
.IX Item "X509_V_ERR_OCSP_VERIFY_NEEDED"
Returned by the verify callback to indicate an \s-1OCSP\s0 verification is needed.
.IP "\fBX509_V_ERR_OCSP_VERIFY_FAILED\fR" 4
.IX Item "X509_V_ERR_OCSP_VERIFY_FAILED"
Returned by the verify callback to indicate \s-1OCSP\s0 verification failed.
.IP "\fBX509_V_ERR_OCSP_CERT_UNKNOWN\fR" 4
.IX Item "X509_V_ERR_OCSP_CERT_UNKNOWN"
Returned by the verify callback to indicate that the certificate is not recognized
by the \s-1OCSP\s0 responder.
.SH "BUGS"
.IX Header "BUGS"
Although the issuer checks are a considerable improvement over the old
technique they still suffer from limitations in the underlying X509_LOOKUP
\&\s-1API.\s0 One consequence of this is that trusted certificates with matching
subject name must either appear in a file (as specified by the \fB\-CAfile\fR
option) or a directory (as specified by \fB\-CApath\fR). If they occur in
both then only the certificates in the file will be recognised.
.PP
Previous versions of OpenSSL assume certificates with matching subject
name are identical and mishandled them.
.PP
Previous versions of this documentation swapped the meaning of the
\&\fBX509_V_ERR_UNABLE_TO_GET_ISSUER_CERT\fR and
\&\fBX509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY\fR error codes.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBx509\fR\|(1)
.SH "HISTORY"
.IX Header "HISTORY"
The \fB\-show_chain\fR option was added in OpenSSL 1.1.0.
.PP
The \fB\-issuer_checks\fR option is deprecated as of OpenSSL 1.1.0 and
is silently ignored.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/version.1 b/secure/usr.bin/openssl/man/version.1
index 88a4f71a6b83..c2e3125778ac 100644
--- a/secure/usr.bin/openssl/man/version.1
+++ b/secure/usr.bin/openssl/man/version.1
@@ -1,198 +1,198 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "VERSION 1"
-.TH VERSION 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH VERSION 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-version, version \- print OpenSSL version information
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl version\fR
[\fB\-help\fR]
[\fB\-a\fR]
[\fB\-v\fR]
[\fB\-b\fR]
[\fB\-o\fR]
[\fB\-f\fR]
[\fB\-p\fR]
[\fB\-d\fR]
[\fB\-e\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This command is used to print out version information about OpenSSL.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-a\fR" 4
.IX Item "-a"
All information, this is the same as setting all the other flags.
.IP "\fB\-v\fR" 4
.IX Item "-v"
The current OpenSSL version.
.IP "\fB\-b\fR" 4
.IX Item "-b"
The date the current version of OpenSSL was built.
.IP "\fB\-o\fR" 4
.IX Item "-o"
Option information: various options set when the library was built.
.IP "\fB\-f\fR" 4
.IX Item "-f"
Compilation flags.
.IP "\fB\-p\fR" 4
.IX Item "-p"
Platform setting.
.IP "\fB\-d\fR" 4
.IX Item "-d"
\&\s-1OPENSSLDIR\s0 setting.
.IP "\fB\-e\fR" 4
.IX Item "-e"
\&\s-1ENGINESDIR\s0 setting.
.SH "NOTES"
.IX Header "NOTES"
The output of \fBopenssl version \-a\fR would typically be used when sending
in a bug report.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.
diff --git a/secure/usr.bin/openssl/man/x509.1 b/secure/usr.bin/openssl/man/x509.1
index d43cf306a4ea..4578fd52b3d5 100644
--- a/secure/usr.bin/openssl/man/x509.1
+++ b/secure/usr.bin/openssl/man/x509.1
@@ -1,955 +1,955 @@
.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "X509 1"
-.TH X509 1 "2021-12-14" "1.1.1m" "OpenSSL"
+.TH X509 1 "2022-03-15" "1.1.1n" "OpenSSL"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
openssl\-x509, x509 \- Certificate display and signing utility
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBopenssl\fR \fBx509\fR
[\fB\-help\fR]
[\fB\-inform DER|PEM\fR]
[\fB\-outform DER|PEM\fR]
[\fB\-keyform DER|PEM|ENGINE\fR]
[\fB\-CAform DER|PEM\fR]
[\fB\-CAkeyform DER|PEM\fR]
[\fB\-in filename\fR]
[\fB\-out filename\fR]
[\fB\-serial\fR]
[\fB\-hash\fR]
[\fB\-subject_hash\fR]
[\fB\-issuer_hash\fR]
[\fB\-ocspid\fR]
[\fB\-subject\fR]
[\fB\-issuer\fR]
[\fB\-nameopt option\fR]
[\fB\-email\fR]
[\fB\-ocsp_uri\fR]
[\fB\-startdate\fR]
[\fB\-enddate\fR]
[\fB\-purpose\fR]
[\fB\-dates\fR]
[\fB\-checkend num\fR]
[\fB\-modulus\fR]
[\fB\-pubkey\fR]
[\fB\-fingerprint\fR]
[\fB\-alias\fR]
[\fB\-noout\fR]
[\fB\-trustout\fR]
[\fB\-clrtrust\fR]
[\fB\-clrreject\fR]
[\fB\-addtrust arg\fR]
[\fB\-addreject arg\fR]
[\fB\-setalias arg\fR]
[\fB\-days arg\fR]
[\fB\-set_serial n\fR]
[\fB\-signkey arg\fR]
[\fB\-passin arg\fR]
[\fB\-x509toreq\fR]
[\fB\-req\fR]
[\fB\-CA filename\fR]
[\fB\-CAkey filename\fR]
[\fB\-CAcreateserial\fR]
[\fB\-CAserial filename\fR]
[\fB\-force_pubkey key\fR]
[\fB\-text\fR]
[\fB\-ext extensions\fR]
[\fB\-certopt option\fR]
[\fB\-C\fR]
[\fB\-\f(BIdigest\fB\fR]
[\fB\-clrext\fR]
[\fB\-extfile filename\fR]
[\fB\-extensions section\fR]
[\fB\-sigopt nm:v\fR]
[\fB\-rand file...\fR]
[\fB\-writerand file\fR]
[\fB\-engine id\fR]
[\fB\-preserve_dates\fR]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
The \fBx509\fR command is a multi purpose certificate utility. It can be
used to display certificate information, convert certificates to
various forms, sign certificate requests like a \*(L"mini \s-1CA\*(R"\s0 or edit
certificate trust settings.
.PP
Since there are a large number of options they will split up into
various sections.
.SH "OPTIONS"
.IX Header "OPTIONS"
.SS "Input, Output, and General Purpose Options"
.IX Subsection "Input, Output, and General Purpose Options"
.IP "\fB\-help\fR" 4
.IX Item "-help"
Print out a usage message.
.IP "\fB\-inform DER|PEM\fR" 4
.IX Item "-inform DER|PEM"
This specifies the input format normally the command will expect an X509
certificate but this can change if other options such as \fB\-req\fR are
present. The \s-1DER\s0 format is the \s-1DER\s0 encoding of the certificate and \s-1PEM\s0
is the base64 encoding of the \s-1DER\s0 encoding with header and footer lines
added. The default format is \s-1PEM.\s0
.IP "\fB\-outform DER|PEM\fR" 4
.IX Item "-outform DER|PEM"
This specifies the output format, the options have the same meaning and default
as the \fB\-inform\fR option.
.IP "\fB\-in filename\fR" 4
.IX Item "-in filename"
This specifies the input filename to read a certificate from or standard input
if this option is not specified.
.IP "\fB\-out filename\fR" 4
.IX Item "-out filename"
This specifies the output filename to write to or standard output by
default.
.IP "\fB\-\f(BIdigest\fB\fR" 4
.IX Item "-digest"
The digest to use.
This affects any signing or display option that uses a message
digest, such as the \fB\-fingerprint\fR, \fB\-signkey\fR and \fB\-CA\fR options.
Any digest supported by the OpenSSL \fBdgst\fR command can be used.
If not specified then \s-1SHA1\s0 is used with \fB\-fingerprint\fR or
the default digest for the signing algorithm is used, typically \s-1SHA256.\s0
.IP "\fB\-rand file...\fR" 4
.IX Item "-rand file..."
A file or files containing random data used to seed the random number
generator.
Multiple files can be specified separated by an OS-dependent character.
The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for
all others.
.IP "[\fB\-writerand file\fR]" 4
.IX Item "[-writerand file]"
Writes random data to the specified \fIfile\fR upon exit.
This can be used with a subsequent \fB\-rand\fR flag.
.IP "\fB\-engine id\fR" 4
.IX Item "-engine id"
Specifying an engine (by its unique \fBid\fR string) will cause \fBx509\fR
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms.
.IP "\fB\-preserve_dates\fR" 4
.IX Item "-preserve_dates"
When signing a certificate, preserve the \*(L"notBefore\*(R" and \*(L"notAfter\*(R" dates instead
of adjusting them to current time and duration. Cannot be used with the \fB\-days\fR option.
.SS "Display Options"
.IX Subsection "Display Options"
Note: the \fB\-alias\fR and \fB\-purpose\fR options are also display options
but are described in the \fB\s-1TRUST SETTINGS\s0\fR section.
.IP "\fB\-text\fR" 4
.IX Item "-text"
Prints out the certificate in text form. Full details are output including the
public key, signature algorithms, issuer and subject names, serial number
any extensions present and any trust settings.
.IP "\fB\-ext extensions\fR" 4
.IX Item "-ext extensions"
Prints out the certificate extensions in text form. Extensions are specified
with a comma separated string, e.g., \*(L"subjectAltName,subjectKeyIdentifier\*(R".
See the \fBx509v3_config\fR\|(5) manual page for the extension names.
.IP "\fB\-certopt option\fR" 4
.IX Item "-certopt option"
Customise the output format used with \fB\-text\fR. The \fBoption\fR argument
can be a single option or multiple options separated by commas. The
\&\fB\-certopt\fR switch may be also be used more than once to set multiple
options. See the \fB\s-1TEXT OPTIONS\s0\fR section for more information.
.IP "\fB\-noout\fR" 4
.IX Item "-noout"
This option prevents output of the encoded version of the certificate.
.IP "\fB\-pubkey\fR" 4
.IX Item "-pubkey"
Outputs the certificate's SubjectPublicKeyInfo block in \s-1PEM\s0 format.
.IP "\fB\-modulus\fR" 4
.IX Item "-modulus"
This option prints out the value of the modulus of the public key
contained in the certificate.
.IP "\fB\-serial\fR" 4
.IX Item "-serial"
Outputs the certificate serial number.
.IP "\fB\-subject_hash\fR" 4
.IX Item "-subject_hash"
Outputs the \*(L"hash\*(R" of the certificate subject name. This is used in OpenSSL to
form an index to allow certificates in a directory to be looked up by subject
name.
.IP "\fB\-issuer_hash\fR" 4
.IX Item "-issuer_hash"
Outputs the \*(L"hash\*(R" of the certificate issuer name.
.IP "\fB\-ocspid\fR" 4
.IX Item "-ocspid"
Outputs the \s-1OCSP\s0 hash values for the subject name and public key.
.IP "\fB\-hash\fR" 4
.IX Item "-hash"
Synonym for \*(L"\-subject_hash\*(R" for backward compatibility reasons.
.IP "\fB\-subject_hash_old\fR" 4
.IX Item "-subject_hash_old"
Outputs the \*(L"hash\*(R" of the certificate subject name using the older algorithm
as used by OpenSSL before version 1.0.0.
.IP "\fB\-issuer_hash_old\fR" 4
.IX Item "-issuer_hash_old"
Outputs the \*(L"hash\*(R" of the certificate issuer name using the older algorithm
as used by OpenSSL before version 1.0.0.
.IP "\fB\-subject\fR" 4
.IX Item "-subject"
Outputs the subject name.
.IP "\fB\-issuer\fR" 4
.IX Item "-issuer"
Outputs the issuer name.
.IP "\fB\-nameopt option\fR" 4
.IX Item "-nameopt option"
Option which determines how the subject or issuer names are displayed. The
\&\fBoption\fR argument can be a single option or multiple options separated by
commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to
set multiple options. See the \fB\s-1NAME OPTIONS\s0\fR section for more information.
.IP "\fB\-email\fR" 4
.IX Item "-email"
Outputs the email address(es) if any.
.IP "\fB\-ocsp_uri\fR" 4
.IX Item "-ocsp_uri"
Outputs the \s-1OCSP\s0 responder address(es) if any.
.IP "\fB\-startdate\fR" 4
.IX Item "-startdate"
Prints out the start date of the certificate, that is the notBefore date.
.IP "\fB\-enddate\fR" 4
.IX Item "-enddate"
Prints out the expiry date of the certificate, that is the notAfter date.
.IP "\fB\-dates\fR" 4
.IX Item "-dates"
Prints out the start and expiry dates of a certificate.
.IP "\fB\-checkend arg\fR" 4
.IX Item "-checkend arg"
Checks if the certificate expires within the next \fBarg\fR seconds and exits
nonzero if yes it will expire or zero if not.
.IP "\fB\-fingerprint\fR" 4
.IX Item "-fingerprint"
Calculates and outputs the digest of the \s-1DER\s0 encoded version of the entire
certificate (see digest options).
This is commonly called a \*(L"fingerprint\*(R". Because of the nature of message
digests, the fingerprint of a certificate is unique to that certificate and
two certificates with the same fingerprint can be considered to be the same.
.IP "\fB\-C\fR" 4
.IX Item "-C"
This outputs the certificate in the form of a C source file.
.SS "Trust Settings"
.IX Subsection "Trust Settings"
A \fBtrusted certificate\fR is an ordinary certificate which has several
additional pieces of information attached to it such as the permitted
and prohibited uses of the certificate and an \*(L"alias\*(R".
.PP
Normally when a certificate is being verified at least one certificate
must be \*(L"trusted\*(R". By default a trusted certificate must be stored
locally and must be a root \s-1CA:\s0 any certificate chain ending in this \s-1CA\s0
is then usable for any purpose.
.PP
Trust settings currently are only used with a root \s-1CA.\s0 They allow a finer
control over the purposes the root \s-1CA\s0 can be used for. For example a \s-1CA\s0
may be trusted for \s-1SSL\s0 client but not \s-1SSL\s0 server use.
.PP
See the description of the \fBverify\fR utility for more information on the
meaning of trust settings.
.PP
Future versions of OpenSSL will recognize trust settings on any
certificate: not just root CAs.
.IP "\fB\-trustout\fR" 4
.IX Item "-trustout"
This causes \fBx509\fR to output a \fBtrusted\fR certificate. An ordinary
or trusted certificate can be input but by default an ordinary
certificate is output and any trust settings are discarded. With the
\&\fB\-trustout\fR option a trusted certificate is output. A trusted
certificate is automatically output if any trust settings are modified.
.IP "\fB\-setalias arg\fR" 4
.IX Item "-setalias arg"
Sets the alias of the certificate. This will allow the certificate
to be referred to using a nickname for example \*(L"Steve's Certificate\*(R".
.IP "\fB\-alias\fR" 4
.IX Item "-alias"
Outputs the certificate alias, if any.
.IP "\fB\-clrtrust\fR" 4
.IX Item "-clrtrust"
Clears all the permitted or trusted uses of the certificate.
.IP "\fB\-clrreject\fR" 4
.IX Item "-clrreject"
Clears all the prohibited or rejected uses of the certificate.
.IP "\fB\-addtrust arg\fR" 4
.IX Item "-addtrust arg"
Adds a trusted certificate use.
Any object name can be used here but currently only \fBclientAuth\fR (\s-1SSL\s0 client
use), \fBserverAuth\fR (\s-1SSL\s0 server use), \fBemailProtection\fR (S/MIME email) and
\&\fBanyExtendedKeyUsage\fR are used.
As of OpenSSL 1.1.0, the last of these blocks all purposes when rejected or
enables all purposes when trusted.
Other OpenSSL applications may define additional uses.
.IP "\fB\-addreject arg\fR" 4
.IX Item "-addreject arg"
Adds a prohibited use. It accepts the same values as the \fB\-addtrust\fR
option.
.IP "\fB\-purpose\fR" 4
.IX Item "-purpose"
This option performs tests on the certificate extensions and outputs
the results. For a more complete description see the \fB\s-1CERTIFICATE
EXTENSIONS\s0\fR section.
.SS "Signing Options"
.IX Subsection "Signing Options"
The \fBx509\fR utility can be used to sign certificates and requests: it
can thus behave like a \*(L"mini \s-1CA\*(R".\s0
.IP "\fB\-signkey arg\fR" 4
.IX Item "-signkey arg"
This option causes the input file to be self signed using the supplied
private key or engine. The private key's format is specified with the
\&\fB\-keyform\fR option.
.Sp
If the input file is a certificate it sets the issuer name to the
subject name (i.e. makes it self signed) changes the public key to the
supplied value and changes the start and end dates. The start date is
set to the current time and the end date is set to a value determined
by the \fB\-days\fR option. Any certificate extensions are retained unless
the \fB\-clrext\fR option is supplied; this includes, for example, any existing
key identifier extensions.
.Sp
If the input is a certificate request then a self signed certificate
is created using the supplied private key using the subject name in
the request.
.IP "\fB\-sigopt nm:v\fR" 4
.IX Item "-sigopt nm:v"
Pass options to the signature algorithm during sign or verify operations.
Names and values of these options are algorithm-specific.
.IP "\fB\-passin arg\fR" 4
.IX Item "-passin arg"
The key password source. For more information about the format of \fBarg\fR
see \*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1).
.IP "\fB\-clrext\fR" 4
.IX Item "-clrext"
Delete any extensions from a certificate. This option is used when a
certificate is being created from another certificate (for example with
the \fB\-signkey\fR or the \fB\-CA\fR options). Normally all extensions are
retained.
.IP "\fB\-keyform PEM|DER|ENGINE\fR" 4
.IX Item "-keyform PEM|DER|ENGINE"
Specifies the format (\s-1DER\s0 or \s-1PEM\s0) of the private key file used in the
\&\fB\-signkey\fR option.
.IP "\fB\-days arg\fR" 4
.IX Item "-days arg"
Specifies the number of days to make a certificate valid for. The default
is 30 days. Cannot be used with the \fB\-preserve_dates\fR option.
.IP "\fB\-x509toreq\fR" 4
.IX Item "-x509toreq"
Converts a certificate into a certificate request. The \fB\-signkey\fR option
is used to pass the required private key.
.IP "\fB\-req\fR" 4
.IX Item "-req"
By default a certificate is expected on input. With this option a
certificate request is expected instead.
.IP "\fB\-set_serial n\fR" 4
.IX Item "-set_serial n"
Specifies the serial number to use. This option can be used with either
the \fB\-signkey\fR or \fB\-CA\fR options. If used in conjunction with the \fB\-CA\fR
option the serial number file (as specified by the \fB\-CAserial\fR or
\&\fB\-CAcreateserial\fR options) is not used.
.Sp
The serial number can be decimal or hex (if preceded by \fB0x\fR).
.IP "\fB\-CA filename\fR" 4
.IX Item "-CA filename"
Specifies the \s-1CA\s0 certificate to be used for signing. When this option is
present \fBx509\fR behaves like a \*(L"mini \s-1CA\*(R".\s0 The input file is signed by this
\&\s-1CA\s0 using this option: that is its issuer name is set to the subject name
of the \s-1CA\s0 and it is digitally signed using the CAs private key.
.Sp
This option is normally combined with the \fB\-req\fR option. Without the
\&\fB\-req\fR option the input is a certificate which must be self signed.
.IP "\fB\-CAkey filename\fR" 4
.IX Item "-CAkey filename"
Sets the \s-1CA\s0 private key to sign a certificate with. If this option is
not specified then it is assumed that the \s-1CA\s0 private key is present in
the \s-1CA\s0 certificate file.
.IP "\fB\-CAserial filename\fR" 4
.IX Item "-CAserial filename"
Sets the \s-1CA\s0 serial number file to use.
.Sp
When the \fB\-CA\fR option is used to sign a certificate it uses a serial
number specified in a file. This file consists of one line containing
an even number of hex digits with the serial number to use. After each
use the serial number is incremented and written out to the file again.
.Sp
The default filename consists of the \s-1CA\s0 certificate file base name with
\&\*(L".srl\*(R" appended. For example if the \s-1CA\s0 certificate file is called
\&\*(L"mycacert.pem\*(R" it expects to find a serial number file called \*(L"mycacert.srl\*(R".
.IP "\fB\-CAcreateserial\fR" 4
.IX Item "-CAcreateserial"
With this option the \s-1CA\s0 serial number file is created if it does not exist:
it will contain the serial number \*(L"02\*(R" and the certificate being signed will
have the 1 as its serial number. If the \fB\-CA\fR option is specified
and the serial number file does not exist a random number is generated;
this is the recommended practice.
.IP "\fB\-extfile filename\fR" 4
.IX Item "-extfile filename"
File containing certificate extensions to use. If not specified then
no extensions are added to the certificate.
.IP "\fB\-extensions section\fR" 4
.IX Item "-extensions section"
The section to add certificate extensions from. If this option is not
specified then the extensions should either be contained in the unnamed
(default) section or the default section should contain a variable called
\&\*(L"extensions\*(R" which contains the section to use. See the
\&\fBx509v3_config\fR\|(5) manual page for details of the
extension section format.
.IP "\fB\-force_pubkey key\fR" 4
.IX Item "-force_pubkey key"
When a certificate is created set its public key to \fBkey\fR instead of the
key in the certificate or certificate request. This option is useful for
creating certificates where the algorithm can't normally sign requests, for
example \s-1DH.\s0
.Sp
The format or \fBkey\fR can be specified using the \fB\-keyform\fR option.
.SS "Name Options"
.IX Subsection "Name Options"
The \fBnameopt\fR command line switch determines how the subject and issuer
names are displayed. If no \fBnameopt\fR switch is present the default \*(L"oneline\*(R"
format is used which is compatible with previous versions of OpenSSL.
Each option is described in detail below, all options can be preceded by
a \fB\-\fR to turn the option off. Only the first four will normally be used.
.IP "\fBcompat\fR" 4
.IX Item "compat"
Use the old format.
.IP "\fB\s-1RFC2253\s0\fR" 4
.IX Item "RFC2253"
Displays names compatible with \s-1RFC2253\s0 equivalent to \fBesc_2253\fR, \fBesc_ctrl\fR,
\&\fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR, \fBdump_unknown\fR, \fBdump_der\fR,
\&\fBsep_comma_plus\fR, \fBdn_rev\fR and \fBsname\fR.
.IP "\fBoneline\fR" 4
.IX Item "oneline"
A oneline format which is more readable than \s-1RFC2253.\s0 It is equivalent to
specifying the \fBesc_2253\fR, \fBesc_ctrl\fR, \fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR,
\&\fBdump_der\fR, \fBuse_quote\fR, \fBsep_comma_plus_space\fR, \fBspace_eq\fR and \fBsname\fR
options. This is the \fIdefault\fR of no name options are given explicitly.
.IP "\fBmultiline\fR" 4
.IX Item "multiline"
A multiline format. It is equivalent \fBesc_ctrl\fR, \fBesc_msb\fR, \fBsep_multiline\fR,
\&\fBspace_eq\fR, \fBlname\fR and \fBalign\fR.
.IP "\fBesc_2253\fR" 4
.IX Item "esc_2253"
Escape the \*(L"special\*(R" characters required by \s-1RFC2253\s0 in a field. That is
\&\fB,+"<>;\fR. Additionally \fB#\fR is escaped at the beginning of a string
and a space character at the beginning or end of a string.
.IP "\fBesc_2254\fR" 4
.IX Item "esc_2254"
Escape the \*(L"special\*(R" characters required by \s-1RFC2254\s0 in a field. That is
the \fB\s-1NUL\s0\fR character as well as and \fB()*\fR.
.IP "\fBesc_ctrl\fR" 4
.IX Item "esc_ctrl"
Escape control characters. That is those with \s-1ASCII\s0 values less than
0x20 (space) and the delete (0x7f) character. They are escaped using the
\&\s-1RFC2253\s0 \eXX notation (where \s-1XX\s0 are two hex digits representing the
character value).
.IP "\fBesc_msb\fR" 4
.IX Item "esc_msb"
Escape characters with the \s-1MSB\s0 set, that is with \s-1ASCII\s0 values larger than
127.
.IP "\fBuse_quote\fR" 4
.IX Item "use_quote"
Escapes some characters by surrounding the whole string with \fB"\fR characters,
without the option all escaping is done with the \fB\e\fR character.
.IP "\fButf8\fR" 4
.IX Item "utf8"
Convert all strings to \s-1UTF8\s0 format first. This is required by \s-1RFC2253.\s0 If
you are lucky enough to have a \s-1UTF8\s0 compatible terminal then the use
of this option (and \fBnot\fR setting \fBesc_msb\fR) may result in the correct
display of multibyte (international) characters. Is this option is not
present then multibyte characters larger than 0xff will be represented
using the format \eUXXXX for 16 bits and \eWXXXXXXXX for 32 bits.
Also if this option is off any UTF8Strings will be converted to their
character form first.
.IP "\fBignore_type\fR" 4
.IX Item "ignore_type"
This option does not attempt to interpret multibyte characters in any
way. That is their content octets are merely dumped as though one octet
represents each character. This is useful for diagnostic purposes but
will result in rather odd looking output.
.IP "\fBshow_type\fR" 4
.IX Item "show_type"
Show the type of the \s-1ASN1\s0 character string. The type precedes the
field contents. For example \*(L"\s-1BMPSTRING:\s0 Hello World\*(R".
.IP "\fBdump_der\fR" 4
.IX Item "dump_der"
When this option is set any fields that need to be hexdumped will
be dumped using the \s-1DER\s0 encoding of the field. Otherwise just the
content octets will be displayed. Both options use the \s-1RFC2253\s0
\&\fB#XXXX...\fR format.
.IP "\fBdump_nostr\fR" 4
.IX Item "dump_nostr"
Dump non character string types (for example \s-1OCTET STRING\s0) if this
option is not set then non character string types will be displayed
as though each content octet represents a single character.
.IP "\fBdump_all\fR" 4
.IX Item "dump_all"
Dump all fields. This option when used with \fBdump_der\fR allows the
\&\s-1DER\s0 encoding of the structure to be unambiguously determined.
.IP "\fBdump_unknown\fR" 4
.IX Item "dump_unknown"
Dump any field whose \s-1OID\s0 is not recognised by OpenSSL.
.IP "\fBsep_comma_plus\fR, \fBsep_comma_plus_space\fR, \fBsep_semi_plus_space\fR, \fBsep_multiline\fR" 4
.IX Item "sep_comma_plus, sep_comma_plus_space, sep_semi_plus_space, sep_multiline"
These options determine the field separators. The first character is
between RDNs and the second between multiple AVAs (multiple AVAs are
very rare and their use is discouraged). The options ending in
\&\*(L"space\*(R" additionally place a space after the separator to make it
more readable. The \fBsep_multiline\fR uses a linefeed character for
the \s-1RDN\s0 separator and a spaced \fB+\fR for the \s-1AVA\s0 separator. It also
indents the fields by four characters. If no field separator is specified
then \fBsep_comma_plus_space\fR is used by default.
.IP "\fBdn_rev\fR" 4
.IX Item "dn_rev"
Reverse the fields of the \s-1DN.\s0 This is required by \s-1RFC2253.\s0 As a side
effect this also reverses the order of multiple AVAs but this is
permissible.
.IP "\fBnofname\fR, \fBsname\fR, \fBlname\fR, \fBoid\fR" 4
.IX Item "nofname, sname, lname, oid"
These options alter how the field name is displayed. \fBnofname\fR does
not display the field at all. \fBsname\fR uses the \*(L"short name\*(R" form
(\s-1CN\s0 for commonName for example). \fBlname\fR uses the long form.
\&\fBoid\fR represents the \s-1OID\s0 in numerical form and is useful for
diagnostic purpose.
.IP "\fBalign\fR" 4
.IX Item "align"
Align field values for a more readable output. Only usable with
\&\fBsep_multiline\fR.
.IP "\fBspace_eq\fR" 4
.IX Item "space_eq"
Places spaces round the \fB=\fR character which follows the field
name.
.SS "Text Options"
.IX Subsection "Text Options"
As well as customising the name output format, it is also possible to
customise the actual fields printed using the \fBcertopt\fR options when
the \fBtext\fR option is present. The default behaviour is to print all fields.
.IP "\fBcompatible\fR" 4
.IX Item "compatible"
Use the old format. This is equivalent to specifying no output options at all.
.IP "\fBno_header\fR" 4
.IX Item "no_header"
Don't print header information: that is the lines saying \*(L"Certificate\*(R"
and \*(L"Data\*(R".
.IP "\fBno_version\fR" 4
.IX Item "no_version"
Don't print out the version number.
.IP "\fBno_serial\fR" 4
.IX Item "no_serial"
Don't print out the serial number.
.IP "\fBno_signame\fR" 4
.IX Item "no_signame"
Don't print out the signature algorithm used.
.IP "\fBno_validity\fR" 4
.IX Item "no_validity"
Don't print the validity, that is the \fBnotBefore\fR and \fBnotAfter\fR fields.
.IP "\fBno_subject\fR" 4
.IX Item "no_subject"
Don't print out the subject name.
.IP "\fBno_issuer\fR" 4
.IX Item "no_issuer"
Don't print out the issuer name.
.IP "\fBno_pubkey\fR" 4
.IX Item "no_pubkey"
Don't print out the public key.
.IP "\fBno_sigdump\fR" 4
.IX Item "no_sigdump"
Don't give a hexadecimal dump of the certificate signature.
.IP "\fBno_aux\fR" 4
.IX Item "no_aux"
Don't print out certificate trust information.
.IP "\fBno_extensions\fR" 4
.IX Item "no_extensions"
Don't print out any X509V3 extensions.
.IP "\fBext_default\fR" 4
.IX Item "ext_default"
Retain default extension behaviour: attempt to print out unsupported
certificate extensions.
.IP "\fBext_error\fR" 4
.IX Item "ext_error"
Print an error message for unsupported certificate extensions.
.IP "\fBext_parse\fR" 4
.IX Item "ext_parse"
\&\s-1ASN1\s0 parse unsupported extensions.
.IP "\fBext_dump\fR" 4
.IX Item "ext_dump"
Hex dump unsupported extensions.
.IP "\fBca_default\fR" 4
.IX Item "ca_default"
The value used by the \fBca\fR utility, equivalent to \fBno_issuer\fR, \fBno_pubkey\fR,
\&\fBno_header\fR, and \fBno_version\fR.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Note: in these examples the '\e' means the example should be all on one
line.
.PP
Display the contents of a certificate:
.PP
.Vb 1
\& openssl x509 \-in cert.pem \-noout \-text
.Ve
.PP
Display the \*(L"Subject Alternative Name\*(R" extension of a certificate:
.PP
.Vb 1
\& openssl x509 \-in cert.pem \-noout \-ext subjectAltName
.Ve
.PP
Display more extensions of a certificate:
.PP
.Vb 1
\& openssl x509 \-in cert.pem \-noout \-ext subjectAltName,nsCertType
.Ve
.PP
Display the certificate serial number:
.PP
.Vb 1
\& openssl x509 \-in cert.pem \-noout \-serial
.Ve
.PP
Display the certificate subject name:
.PP
.Vb 1
\& openssl x509 \-in cert.pem \-noout \-subject
.Ve
.PP
Display the certificate subject name in \s-1RFC2253\s0 form:
.PP
.Vb 1
\& openssl x509 \-in cert.pem \-noout \-subject \-nameopt RFC2253
.Ve
.PP
Display the certificate subject name in oneline form on a terminal
supporting \s-1UTF8:\s0
.PP
.Vb 1
\& openssl x509 \-in cert.pem \-noout \-subject \-nameopt oneline,\-esc_msb
.Ve
.PP
Display the certificate \s-1SHA1\s0 fingerprint:
.PP
.Vb 1
\& openssl x509 \-sha1 \-in cert.pem \-noout \-fingerprint
.Ve
.PP
Convert a certificate from \s-1PEM\s0 to \s-1DER\s0 format:
.PP
.Vb 1
\& openssl x509 \-in cert.pem \-inform PEM \-out cert.der \-outform DER
.Ve
.PP
Convert a certificate to a certificate request:
.PP
.Vb 1
\& openssl x509 \-x509toreq \-in cert.pem \-out req.pem \-signkey key.pem
.Ve
.PP
Convert a certificate request into a self signed certificate using
extensions for a \s-1CA:\s0
.PP
.Vb 2
\& openssl x509 \-req \-in careq.pem \-extfile openssl.cnf \-extensions v3_ca \e
\& \-signkey key.pem \-out cacert.pem
.Ve
.PP
Sign a certificate request using the \s-1CA\s0 certificate above and add user
certificate extensions:
.PP
.Vb 2
\& openssl x509 \-req \-in req.pem \-extfile openssl.cnf \-extensions v3_usr \e
\& \-CA cacert.pem \-CAkey key.pem \-CAcreateserial
.Ve
.PP
Set a certificate to be trusted for \s-1SSL\s0 client use and change set its alias to
\&\*(L"Steve's Class 1 \s-1CA\*(R"\s0
.PP
.Vb 2
\& openssl x509 \-in cert.pem \-addtrust clientAuth \e
\& \-setalias "Steve\*(Aqs Class 1 CA" \-out trust.pem
.Ve
.SH "NOTES"
.IX Header "NOTES"
The \s-1PEM\s0 format uses the header and footer lines:
.PP
.Vb 2
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
.Ve
.PP
it will also handle files containing:
.PP
.Vb 2
\& \-\-\-\-\-BEGIN X509 CERTIFICATE\-\-\-\-\-
\& \-\-\-\-\-END X509 CERTIFICATE\-\-\-\-\-
.Ve
.PP
Trusted certificates have the lines
.PP
.Vb 2
\& \-\-\-\-\-BEGIN TRUSTED CERTIFICATE\-\-\-\-\-
\& \-\-\-\-\-END TRUSTED CERTIFICATE\-\-\-\-\-
.Ve
.PP
The conversion to \s-1UTF8\s0 format used with the name options assumes that
T61Strings use the \s-1ISO8859\-1\s0 character set. This is wrong but Netscape
and \s-1MSIE\s0 do this as do many certificates. So although this is incorrect
it is more likely to display the majority of certificates correctly.
.PP
The \fB\-email\fR option searches the subject name and the subject alternative
name extension. Only unique email addresses will be printed out: it will
not print the same address more than once.
.SH "CERTIFICATE EXTENSIONS"
.IX Header "CERTIFICATE EXTENSIONS"
The \fB\-purpose\fR option checks the certificate extensions and determines
what the certificate can be used for. The actual checks done are rather
complex and include various hacks and workarounds to handle broken
certificates and software.
.PP
The same code is used when verifying untrusted certificates in chains
so this section is useful if a chain is rejected by the verify code.
.PP
The basicConstraints extension \s-1CA\s0 flag is used to determine whether the
certificate can be used as a \s-1CA.\s0 If the \s-1CA\s0 flag is true then it is a \s-1CA,\s0
if the \s-1CA\s0 flag is false then it is not a \s-1CA.\s0 \fBAll\fR CAs should have the
\&\s-1CA\s0 flag set to true.
.PP
If the basicConstraints extension is absent then the certificate is
considered to be a \*(L"possible \s-1CA\*(R"\s0 other extensions are checked according
to the intended use of the certificate. A warning is given in this case
because the certificate should really not be regarded as a \s-1CA:\s0 however
it is allowed to be a \s-1CA\s0 to work around some broken software.
.PP
If the certificate is a V1 certificate (and thus has no extensions) and
it is self signed it is also assumed to be a \s-1CA\s0 but a warning is again
given: this is to work around the problem of Verisign roots which are V1
self signed certificates.
.PP
If the keyUsage extension is present then additional restraints are
made on the uses of the certificate. A \s-1CA\s0 certificate \fBmust\fR have the
keyCertSign bit set if the keyUsage extension is present.
.PP
The extended key usage extension places additional restrictions on the
certificate uses. If this extension is present (whether critical or not)
the key can only be used for the purposes specified.
.PP
A complete description of each test is given below. The comments about
basicConstraints and keyUsage and V1 certificates above apply to \fBall\fR
\&\s-1CA\s0 certificates.
.IP "\fB\s-1SSL\s0 Client\fR" 4
.IX Item "SSL Client"
The extended key usage extension must be absent or include the \*(L"web client
authentication\*(R" \s-1OID.\s0 keyUsage must be absent or it must have the
digitalSignature bit set. Netscape certificate type must be absent or it must
have the \s-1SSL\s0 client bit set.
.IP "\fB\s-1SSL\s0 Client \s-1CA\s0\fR" 4
.IX Item "SSL Client CA"
The extended key usage extension must be absent or include the \*(L"web client
authentication\*(R" \s-1OID.\s0 Netscape certificate type must be absent or it must have
the \s-1SSL CA\s0 bit set: this is used as a work around if the basicConstraints
extension is absent.
.IP "\fB\s-1SSL\s0 Server\fR" 4
.IX Item "SSL Server"
The extended key usage extension must be absent or include the \*(L"web server
authentication\*(R" and/or one of the \s-1SGC\s0 OIDs. keyUsage must be absent or it
must have the digitalSignature, the keyEncipherment set or both bits set.
Netscape certificate type must be absent or have the \s-1SSL\s0 server bit set.
.IP "\fB\s-1SSL\s0 Server \s-1CA\s0\fR" 4
.IX Item "SSL Server CA"
The extended key usage extension must be absent or include the \*(L"web server
authentication\*(R" and/or one of the \s-1SGC\s0 OIDs. Netscape certificate type must
be absent or the \s-1SSL CA\s0 bit must be set: this is used as a work around if the
basicConstraints extension is absent.
.IP "\fBNetscape \s-1SSL\s0 Server\fR" 4
.IX Item "Netscape SSL Server"
For Netscape \s-1SSL\s0 clients to connect to an \s-1SSL\s0 server it must have the
keyEncipherment bit set if the keyUsage extension is present. This isn't
always valid because some cipher suites use the key for digital signing.
Otherwise it is the same as a normal \s-1SSL\s0 server.
.IP "\fBCommon S/MIME Client Tests\fR" 4
.IX Item "Common S/MIME Client Tests"
The extended key usage extension must be absent or include the \*(L"email
protection\*(R" \s-1OID.\s0 Netscape certificate type must be absent or should have the
S/MIME bit set. If the S/MIME bit is not set in Netscape certificate type
then the \s-1SSL\s0 client bit is tolerated as an alternative but a warning is shown:
this is because some Verisign certificates don't set the S/MIME bit.
.IP "\fBS/MIME Signing\fR" 4
.IX Item "S/MIME Signing"
In addition to the common S/MIME client tests the digitalSignature bit or
the nonRepudiation bit must be set if the keyUsage extension is present.
.IP "\fBS/MIME Encryption\fR" 4
.IX Item "S/MIME Encryption"
In addition to the common S/MIME tests the keyEncipherment bit must be set
if the keyUsage extension is present.
.IP "\fBS/MIME \s-1CA\s0\fR" 4
.IX Item "S/MIME CA"
The extended key usage extension must be absent or include the \*(L"email
protection\*(R" \s-1OID.\s0 Netscape certificate type must be absent or must have the
S/MIME \s-1CA\s0 bit set: this is used as a work around if the basicConstraints
extension is absent.
.IP "\fB\s-1CRL\s0 Signing\fR" 4
.IX Item "CRL Signing"
The keyUsage extension must be absent or it must have the \s-1CRL\s0 signing bit
set.
.IP "\fB\s-1CRL\s0 Signing \s-1CA\s0\fR" 4
.IX Item "CRL Signing CA"
The normal \s-1CA\s0 tests apply. Except in this case the basicConstraints extension
must be present.
.SH "BUGS"
.IX Header "BUGS"
Extensions in certificates are not transferred to certificate requests and
vice versa.
.PP
It is possible to produce invalid certificates or requests by specifying the
wrong private key or using inconsistent options in some cases: these should
be checked.
.PP
There should be options to explicitly set such things as start and end
dates rather than an offset from the current time.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBreq\fR\|(1), \fBca\fR\|(1), \fBgenrsa\fR\|(1),
\&\fBgendsa\fR\|(1), \fBverify\fR\|(1),
\&\fBx509v3_config\fR\|(5)
.SH "HISTORY"
.IX Header "HISTORY"
The hash algorithm used in the \fB\-subject_hash\fR and \fB\-issuer_hash\fR options
before OpenSSL 1.0.0 was based on the deprecated \s-1MD5\s0 algorithm and the encoding
of the distinguished name. In OpenSSL 1.0.0 and later it is based on a
canonical version of the \s-1DN\s0 using \s-1SHA1.\s0 This means that any directories using
the old form must have their links rebuilt using \fBc_rehash\fR or similar.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright 2000\-2021 The OpenSSL Project Authors. All Rights Reserved.
.PP
Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file \s-1LICENSE\s0 in the source distribution or at
<https://www.openssl.org/source/license.html>.

File Metadata

Mime Type
application/octet-stream
Expires
Thu, May 23, 10:20 PM (2 d)
Storage Engine
chunks
Storage Format
Chunks
Storage Handle
O4G1lGbTBafz
Default Alt Text
(7 MB)

Event Timeline